Cloud Service Agreement
Effective as of JUNE 11th, 2024
This Cloud Service Agreement (this “Agreement”) is an agreement between you (“Customer”) and Lookback Group, Inc. (“Lookback”) (collectively, the “Parties”), and governs your access to and use of Lookback’s SaaS (software-as-a-service) platform and related services. Your use of and access to the Lookback Platform (as defined below) is conditioned upon your compliance with this Agreement and all applicable laws.
By clicking the “Subscribe” button on the checkout flow or by using the Lookback Platform (defined below), you agree to be bound by this Agreement, all exhibits, order forms, and incorporated policies. If you don’t agree to be bound by this Agreement, do not use the Lookback Platform. If you are accessing and using the Lookback Platform on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that entity to this Agreement. In that case, “you,” “your,” or “Customer” will refer to that entity.
1. DEFINITIONS AND BACKGROUND.
1.1 “Authorized User” means a Collaborator or an Observer.
1.2 “Collaborator” means an employee, consultant or independent contractor of Customer (and, if Customer is an agency that provides services to clients, of Customer’s clients) who (i) has received login and password credentials to access and use the Lookback Platform and (ii) is registered online and has created or been assigned to a Collaborator account to access and use the Lookback Platform.
1.3 “Customer Materials” means projects, comments, Sessions and other content uploaded to the Lookback Platform by Customers pursuant to this Agreement.
1.4 “End User” means any individual who accesses the Lookback Platform, including but not limited to Collaborators, Observers, and Participants.
1.5 “Effective Date” means the date on which Customer signs up for the Lookback Platform, including agreeing to the terms of this Agreement and providing a valid payment method.
1.6 “Intellectual Property Rights” means patent rights (including patent applications and disclosures), inventions, copyrights, trade secrets, know-how, data and database rights, mask work rights, and any other intellectual property rights recognized in any country or jurisdiction in the world.
1.7 “Lookback Platform” means the website(s) located at lookback.io including all subdomains, and the Lookback software applications, browser extensions or mobile applications we provide, as well as related services provided by Lookback in accordance with this Agreement.
1.8 “Observer” means an employee, consultant or independent contractor of Customer (and, if Customer is an agency that provides services to clients, of Customer’s clients) who (i) has received login and password credentials to access and use the Lookback Platform and (ii) is registered online and has created or been assigned to an Observer account to access and use the Lookback Platform.
1.9 “Order Form” means the form detailing the purchase the Customer wants to make. For self-checkout Customers, it refers to the pricing and renewal details described on https://lookback.com/pricing, and for manual purchases it is a separate document attached to the Customer’s Agreement.
1.10 “Participant” means an individual, authorized by Customer, who, via the Lookback Platform, provides feedback for or participates in a test of an application, website, prototype, or other method of interaction.
1.11 “Session” means a recording or live stream, created or enabled by the Lookback Platform, of a Participant’s interaction with an application, website, prototype, or other software.
1.12 “Upgrades” means, with respect to the Lookback Platform, upgrades, updates, bug fixes and releases.
The Lookback Platform is built to help our customers build fantastic user experiences. It does so by letting customers have a better understanding of and visibility into the experiences and emotions of users (called Participants).
Sessions are viewable by customers in real-time and/or after-the-fact through the Lookback Platform. A customer’s “Collaborators” or “Observers” watch and collaborate around the Sessions and add Customer Materials.
Lookback does not provide Participants. However, the Lookback Platform allows for easy management of Participants, as well as a way for Customers to invite Participants to join user experience Sessions. Although all customers manage their relationships with Participants, all End Users (including Observers, Collaborators, and Participants) are bound by the Lookback Terms of Use, available at https://lookback.com/terms, which detail acceptable conduct on and uses of the Lookback Platform, may be updated from time to time, and are hereby incorporated into this Agreement by reference. The Lookback Terms of Use are not meant to conflict with the terms of this Agreement, but if they do, the terms of this Agreement will control.
2. USE OF THE LOOKBACK PLATFORM.
2.1 Account. In order to access and use the Lookback Platform, Authorized Users will need to register with Lookback and create an account (“Account”). Customer will not allow any person or entity other than its employees, consultants or independent contractors (or, if Customer is an agency that provides services to clients, Customer’s clients) to become Authorized Users and use the Lookback Platform on Customer’s behalf. Customer must ensure that all Authorized Users comply with the Lookback Terms of Use and the terms and conditions of this Agreement.
Lookback may suspend or terminate any Authorized User’s access to the Lookback Platform upon notice to Customer, in the event that Lookback reasonably determines that such Authorized User violated the Terms of Use or this Agreement. Customer will, and will require all Authorized Users to, use all reasonable means to secure usernames and passwords, hardware and software used to access the Lookback Platform in accordance with customary security protocols. Each account for the Lookback Platform may only be accessed and used by the specific Authorized User for whom such account is created. Customer is responsible for all activities that occur under any Account associated with Customer’s Account.
Customer will promptly notify Lookback of any unauthorized use of or access to the Lookback Platform. Customer acknowledges Lookback’s Copyright Policy, located at https://lookback.com/dmca. Lookback will not be liable for any losses caused by unauthorized use of an Authorized User’s Account.
2.2 Grant of License. Subject to Customer’s compliance with the terms and conditions of this Agreement, including Customer’s payment of all Fees (as defined below) then due and payable under this Agreement, Lookback grants to Customer a non-exclusive, non-assignable, non-transferable (except as specified herein), worldwide, limited license during the Term: (a) to use, and allow Customer’s Authorized Users to use the Lookback Platform for Customer’s internal business purposes; (b) to use the Lookback Platform solely for purposes of enabling Sessions in accordance with the terms of this Agreement; and (c) to allow Participants invited by Customer to participate in Sessions.
2.3 License Restrictions. Except as expressly authorized in this Agreement, Customer will not, nor will it permit any third party to: (a) copy or modify any part of the Lookback Platform; (b) distribute, transfer, sublicense, lease, lend or rent all or any part of the Lookback Platform to any third party; (c) except as expressly allowed in this Agreement, use the Lookback Platform on behalf of a third party; (d) make the Lookback Platform available to any non-Authorized Users or non-Participants through any means, including, but not limited to, by uploading any part of the Lookback Platform to a network or file-sharing service or through any hosting, application services provider, service bureau, software-as-a-service (SaaS) or any other type of services; (e) download, display, distribute and/or upload Sessions other than via the Lookback Platform, or the Lookback player available from the Lookback website, for commercial or any other purposes, to third parties who are not Authorized Users; (f) allow access to or use of the Lookback Platform by anyone other than Authorized Users; (g) allow more than one (1) Authorized User to use or share the same Account; (h) interfere with or disrupt the Lookback Platform by transmitting any worms, viruses, spyware, malware or any other code of a destructive or disruptive nature through the Lookback Platform; or (i) disassemble, decompile or reverse engineer the Lookback Platform, except to the extent such restriction is prohibited by applicable law.
2.4 Limited Rights. Customer’s rights in the Lookback Platform will be limited to those expressly granted in this Agreement. Lookback reserves all rights and licenses in and to the Lookback Platform not expressly granted to Customer under this Agreement.
2.5 Feedback. Customer may provide Lookback with feedback, comments and suggestions for improvements to the Lookback Platform (the “Feedback”). All Feedback that Customer provides to Lookback will be the sole and exclusive property of Lookback. Except to the extent the Feedback contains any of Customer’s Confidential Information, Customer hereby grants Lookback a perpetual, irrevocable, royalty-free and fully-paid up license to use and exploit all Feedback in connection with Lookback’s business purposes, including, without limitation, the testing, development, maintenance and improvement of the Lookback Platform.
2.6 Ownership. Customer expressly acknowledges that, as between Lookback and Customer, Lookback and its licensors own all worldwide right, title and interest in and to the Lookback Platform, including all worldwide Intellectual Property Rights embodied therein. Customer will not delete or in any manner alter the copyright, trademark or other proprietary rights notices appearing on the Lookback Platform as delivered to Customer. As between Lookback and Customer, Lookback expressly acknowledges that Customer owns all worldwide right, title and interest to the content of the Sessions and Customer Materials, including all worldwide Intellectual Property Rights embodied therein. Customer hereby grants Lookback a non-exclusive, worldwide, royalty-free right and license to use, host, reproduce, display, perform and modify the Customer Materials solely for the purpose of hosting, operating, improving and providing the Lookback Platform. For the avoidance of doubt, unless otherwise mutually agreed to in writing by Lookback and Customer, in no event will Lookback be granted any license, title, or access to the content of the Sessions, nor will Lookback attempt to access the content of the Sessions for any other purpose than resolving issues affecting the Services and/or other Customers.
3. PAYMENT.
3.1 Fees. Customer will pay Lookback the non-refundable fees set forth in the applicable Order Form in accordance with the terms therein (“Fees”) and without offset or deduction. Except as otherwise provided in the relevant Order Form, Lookback will issue annual invoices to Customer during the Term, and Customer will pay all amounts set forth on any such invoice no later than thirty (30) days after the date of such invoice. If Customer has signed up for automatic billing, Lookback will charge Customer’s selected payment method (such as a credit card, debit card, gift card/code, or other method available in Customer’s home country) for any Fees on the applicable payment date, including any applicable taxes. If Lookback cannot charge Customer’s selected payment method for any reason (such as expiration or insufficient funds), Customer remains responsible for any uncollected amounts, and Lookback will attempt to charge the payment method again as Customer may update its payment method information. In accordance with local law, Lookback may update information regarding Customer’s selected payment method if provided such information by Customer’s financial institution.
3.2 Payment Terms. Customers are responsible for paying the fees in the Order Form. All payments due to Lookback must be made in U.S. dollars or any other currency agreed upon by the parties. Any charges for add-ons are due within thirty (30) days following the start of each of the successive 3 month periods of the Term or Renewal Term, beginning on the Effective Date. Customer will pay all invoices in full, without reduction or setoff of any kind. Customer’s payment obligations are non-cancelable and Customer’s payments are non-refundable. If Customer fails to make any payment when due, late charges will accrue at the rate of 1.5% per month or, if lower, the highest rate permitted by applicable law and Lookback may suspend Services until all payments are made in full. Customer will reimburse Lookback for all reasonable costs and expenses incurred (including reasonable attorneys’ fees) in collecting any late payments or interest.
3.3 Taxes. All Fees payable under this Agreement are net amounts and are payable in full, without deduction for taxes or duties of any kind. Customer will be responsible for, and will promptly pay, all taxes and duties of any kind (including, but not limited to, sales, use and withholding taxes) associated with this Agreement or use of the Lookback Platform, as applicable, except for taxes and duties imposed on Lookback’s income. Without limiting the foregoing, in the event that Customer is required to deduct or withhold any taxes from the amounts payable to Lookback hereunder, Customer will pay an additional amount, so that Lookback receives the amounts due to it hereunder in full, as if there were no withholding or deduction.
4. WARRANTIES.
4.1 Representation and Warranty. Customer represents and warrants that (i) it has obtained and will obtain and continue to have, during the Term, all necessary rights, authority and licenses for the access to and use of the Customer Materials (including any personal data provided or otherwise collected pursuant to Customer’s privacy policy) as contemplated by this Agreement; and (ii) Lookback’s use of the Customer Materials in accordance with this Agreement will not violate any applicable laws or regulations or cause a breach of any agreement or obligations between Customer and any third party.
4.2 Disclaimers. Lookback does not warrant that the Lookback Platform will meet Customer’s requirements or will operate in the combinations that Customer may select for use, that the operation of the Lookback Platform will be error-free or uninterrupted, or that all the Lookback Platform’s errors will be corrected. EXCEPT AS STATED IN THIS AGREEMENT, LOOKBACK EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING, USAGE OF TRADE. NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED FROM LOOKBACK OR ELSEWHERE WILL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THIS AGREEMENT.
5. INDEMNIFICATION.
5.1 Indemnity by Lookback. Lookback will indemnify, defend and hold Customer and its officers, employees and agents harmless from and against any third-party claims, liabilities, damages, losses and expenses, including without limitation, reasonable attorney’s fees and costs (collectively, the “Losses”), arising out of or in any way connected with any claim or action brought against Customer to the extent that it is based upon a claim that the Lookback Platform, as provided by Lookback to Customer under this Agreement and used within the scope of this Agreement, infringes any Intellectual Property Rights of a third party.
5.2 Indemnity by Customer. Customer agrees to indemnify, defend and hold Lookback harmless from and against any claims, liabilities, damages, losses and expenses, including without limitation, reasonable attorney’s fees and costs, arising out of or in any way connected with:
(i) Customer’s, or its Authorized Users’ or Participants’ use of the Lookback Platform, including, without limitation, (A) any claim that the Customer Materials infringe, misappropriate or otherwise violate any third party’s intellectual property, privacy, or other rights; or (B) any claim that the use, provision, transmission, display or storage of Customer Materials violates any applicable law, rule or regulation;
(ii) any of Customer’s products or services developed using the Lookback Platform; and
(iii) use of the Lookback Platform by Customer or its Authorized Users in a manner that is not in accordance with this Agreement including, without limitation, any breach of the license restrictions in Section 2.3.
In each case, Customer will indemnify and hold harmless Lookback against any Losses resulting from such claim.
5.3 Injunctions. If Customer’s use of the Lookback Platform hereunder is, or in Lookback’s opinion is likely to be, enjoined due to the type of claim specified in Section 5.1 above, Lookback will, at its sole option and expense: (a) procure for Customer the right to continue using such Lookback Platform under the terms of this Agreement; (b) replace or modify such part of the Lookback Platform so that it is non-infringing and substantially equivalent in function and performance to the enjoined Lookback Platform; or (c) if options (a) and (b) above cannot be accomplished despite Lookback’s reasonable efforts, then Lookback may terminate Customer’s rights and Lookback’s obligations hereunder with respect to such Lookback Platform.
5.4 Exclusions. Notwithstanding the terms of Section 5.1, Lookback will have no liability for any infringement or misappropriation claim to the extent that it results from: (a) unauthorized modifications to the Lookback Platform made by a party other than Lookback, if a claim would not have occurred but for such modifications; (b) the combination, operation or use of the Lookback Platform with equipment, devices, software or data not supplied by Lookback, if a claim would not have occurred but for such combination, operation or use; (c) Customer’s failure to install, use or accept Upgrades, update or modify the Lookback Platform at no additional charge to avoid a claim; (d) Customer’s use of the Lookback Platform other than in accordance with this Agreement, or (e) Customer’s breach of this Agreement, negligence, willful misconduct or fraud.
5.5 Indemnification Procedures. The party seeking defense and indemnity (the “Indemnified Party”) will promptly (and in any event no later than thirty (30) days after becoming aware of facts or circumstances that could reasonably give rise to any claim) notify the other party (the “Indemnifying Party”) of the claim for which indemnity is being sought, and will reasonably cooperate with the Indemnifying Party in the defense and/or settlement thereof. The Indemnifying Party will have the sole right to conduct the defense of any claim for which the Indemnifying Party is responsible hereunder (provided that the Indemnifying Party may not settle any claim without the Indemnified Party’s prior written approval unless the settlement is for a monetary amount, unconditionally releases the Indemnified Party from all liability without prejudice, does not require any admission by the Indemnified Party, and does not place restrictions upon the Indemnified Party’s business, products or services). The Indemnified Party may participate in the defense or settlement of any such claim at its own expense and with its own choice of counsel or, if the Indemnifying Party refuses to fulfill its obligation of defense, the Indemnified Party may defend itself and seek reimbursement from the Indemnifying Party.
6. CONFIDENTIALITY.
6.1 Definition. “Confidential Information” means any business or technical information of Lookback or Customer that, if disclosed in writing, is marked “confidential” or “proprietary” at the time of disclosure, or, if disclosed orally, is identified as “confidential” or “proprietary” at the time of disclosure, or under the circumstances a person exercising reasonable business judgment would understand to be confidential or proprietary. For clarity, the Lookback Platform will be deemed the Confidential Information of Lookback and the Customer Materials will be deemed the Confidential Information of Customer. The terms and conditions of this Agreement will be deemed the Confidential Information of both parties, but may be disclosed on a confidential basis to a party’s advisors, attorneys, actual or bona fide potential acquirers, investors or other sources of funding (and their respective advisors and attorneys) for due diligence purposes.
6.2 Use and Disclosure Restrictions. Neither party will use the other party’s Confidential Information except as necessary for the performance of this Agreement, nor disclose such Confidential Information to any third party except to those of its employees and subcontractors who have a bona fide need to know such Confidential Information for the purpose of performing this Agreement; provided that each such employee and subcontractor is subject to a written agreement that includes binding use and disclosure restrictions that are at least as protective as those set forth herein. Each party will use reasonable efforts to maintain the confidentiality of all such Confidential Information in its possession or control, but in no event less than the efforts that such party ordinarily uses with respect to its own proprietary information of similar nature and importance.
6.3 Exceptions. The obligations and restrictions in Section 6.2 will not apply to any information that: (a) is or becomes generally known to the public through no fault of or breach of this Agreement by the receiving party; (b) is rightfully known by the receiving party at the time of disclosure of such information by the disclosing party; (c) is independently developed by the receiving party without use of the disclosing party’s Confidential Information; (d) the receiving party rightfully obtains from a third party who has the right to disclose such information without breach of any confidentiality obligation to the disclosing party; (e) is required to be disclosed pursuant to the order or requirement of a court, administrative agency, or other governmental body, provided that the party required to make such a disclosure gives reasonable notice to the other party to contest such order or requirement; or (f) is required to be disclosed under applicable securities regulations. Further, neither party will be restricted from disclosing the other party’s Confidential Information, on a confidential basis, to (i) its legal or professional financial advisors or (ii) present or future providers of venture capital and/or potential private investors in or acquirers of the receiving party.
7. YOUR DATA.
7.1 Your Data. Although Lookback operates as a data controller for any contact information you upload to create your Customer account, Lookback operates as a “processor” or “service provider” for any personal data you or your Participants upload on the Lookback Platform in connection with this Agreement. Terms applicable to our processing of personal information are included in the Data Protection Addendum, attached to this agreement as Exhibit A.
8. LIMITATION OF LIABILITY.
8.1 Total Liability. EXCEPT FOR BREACHES OF CONFIDENTIALITY AND AMOUNTS OWED TO THIRD PARTIES IN CONNECTION WITH INDEMNIFICATION OBLIGATIONS, IN NO EVENT WILL EITHER PARTY’S TOTAL LIABILITY TO THE OTHER PARTY ARISING OUT OF THIS AGREEMENT FROM ALL CAUSES OF ACTION AND UNDER ALL THEORIES OF LIABILITY EXCEED THE AMOUNT CUSTOMER PAID TO LOOKBACK UNDER THIS AGREEMENT DURING THE TWELVE (12) MONTHS PRECEDING A CLAIM FOR DAMAGES, REGARDLESS OF THE LEGAL OR EQUITABLE THEORY ON WHICH THE CLAIM OR LIABILITY IS BASED, AND WHETHER OR NOT THE PARTY WAS ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
8.2 Exclusion of Damages. EXCEPT FOR BREACHES OF CONFIDENTIALITY AND AMOUNTS OWED TO THIRD PARTIES IN CONNECTION WITH INDEMNIFICATION OBLIGATIONS, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY SPECIAL, INCIDENTAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING LOSS OF USE, DATA, BUSINESS OR PROFITS) OR FOR THE COST OF PROCURING SUBSTITUTE PRODUCTS OR SERVICES ARISING OUT OF OR IN CONNECTION WITH THIS AGREEMENT, WHETHER SUCH LIABILITY ARISES FROM ANY CLAIM BASED UPON CONTRACT, WARRANTY, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR OTHERWISE, AND WHETHER OR NOT SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. THE PARTIES HAVE AGREED THAT THESE LIMITATIONS WILL SURVIVE AND APPLY EVEN IF ANY LIMITED REMEDY SPECIFIED IN THIS AGREEMENT IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
9. TERM AND TERMINATION.
9.1 Term. The Agreement will commence on the Effective Date and will remain in effect for a period of one (1) year thereafter (the “Initial Term”). Such Initial Term will automatically renew for additional, successive one (1) year periods unless terminated via the mechanism described in the applicable Order Form (each, a “Renewal Term”). The Initial Term and the Renewal Term(s) will collectively be referred to herein as the “Term.”
9.2 Termination for Breach. Each party will have the right to terminate this Agreement (or as to Lookback only, any Lookback Platform license) if the other party breaches any material term of this Agreement and fails to cure such breach within thirty (30) days following written notice thereof.
9.3 Effect of Termination. Termination of this Agreement terminates all Lookback Platform access and licenses granted hereunder. Upon termination of this Agreement, each party will promptly destroy or return to the other party all Confidential Information of the other party in its possession or control (except for copies maintained in accordance with such party’s archival backup procedures). No expiration or termination will affect Customer’s obligation to pay all Fees that may have become due or otherwise accrued through the effective date of expiration or termination, or entitle Customer to any refund.
9.4 Survival. The rights and obligations of the parties contained in Sections 1, 2.4, 2.5, 2.6, 4.2, 5, 6, 8, 9.3, 9.4, and 10 will survive any termination or expiration of this Agreement.
10. GENERAL.
10.1 Assignment. Neither party may assign or transfer this Agreement, in whole or in part, by operation of law or otherwise, without the other party’s prior written consent; provided, however, that either party has the right to assign or transfer this Agreement to a non-competitor of the other party, in its sole discretion, without the other party’s prior written consent, to a surviving entity in the case of a merger, acquisition, divestiture, corporate reorganization or sale of all or substantially all of its assets. A merger, change of control or other combination by operation of law will be deemed such an assignment. Subject to the foregoing, this Agreement will bind and inure to the benefit of each party’s permitted successors and assigns.
10.2 Governing Law and Jurisdiction. This Agreement will be governed by and construed in accordance with the laws of the State of California without giving effect to any principles of conflict of laws that would lead to the application of the laws of another jurisdiction. The parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods will not apply. Any legal action or proceeding arising under this Agreement will be brought exclusively in the federal or state courts located in Santa Clara County, California, and the parties hereby irrevocably consent to the personal jurisdiction and venue therein.
10.3 Non-Exclusive Remedy. Except as expressly set forth in this Agreement, the exercise by either party of any of its remedies under this Agreement will be without prejudice to its other remedies under this Agreement or otherwise.
10.4 Severability. If for any reason a court of competent jurisdiction finds any provision of this Agreement invalid or unenforceable, that provision of the Agreement will be enforced to the maximum extent permissible and the other provisions of this Agreement will remain in full force and effect.
10.5 Waiver. The failure by either party to enforce any provision of this Agreement will not constitute a waiver of future enforcement of that or any other provision. No waiver of any provision of this Agreement will be effective unless it is in writing and signed by the party granting the waiver.
10.6 Notices. Lookback may provide any notice to Customer under this Agreement by: (i) posting a notice on Lookback’s website and/or mobile application; or (ii) sending a message to the administrative email address(es) then associated with Customer’s Account. Notices Lookback provides by posting on Lookback’s website and/or mobile application will be effective upon posting, and notices Lookback provides by email will be effective on the date the email was sent without a bounce-back message if sent during normal business hours of the receiving party, and on the next business day if sent after normal business hours of the receiving party. It is Customer’s responsibility to keep its email address(es) current. Customer will be deemed to have received any email sent to the email address then associated with Customer’s account when Lookback sends the email, whether or not Customer actually receives the email. If Customer has any questions regarding this Agreement please contact Lookback via email at legal@lookback.io.
10.7 Force Majeure. Neither party will be responsible or liable to the other party for any failure or delay in its performance under this Agreement (except for the payment of money) due to causes beyond its reasonable control, including, but not limited to, labor disputes, strikes, internet outages, lockouts, war, terrorism, riot, shortage of or inability to obtain energy, raw materials or supplies, telecommunications failure or degradation, pandemics, epidemics, public health emergencies, governmental orders and acts (including government-imposed travel restrictions and quarantines), material changes in law, or acts of God (each a “Force Majeure”). In the event of a Force Majeure, the party that is unable to perform or whose performance is delayed will promptly notify the other party of the Force Majeure and will use its commercially reasonable efforts to resume performance.
10.8 Relationship of Parties. The parties to this Agreement are independent contractors and this Agreement will not establish any relationship of partnership, joint venture, employment, franchise, or agency between the parties. Neither party will have the power to bind the other or incur obligations on the other’s behalf without the other’s prior written consent. No provision of this Agreement is intended to confer any rights, benefits, remedies, obligations, or liabilities hereunder upon any person other than the parties and their respective successors and assigns.
10.9 Export Control. Customer agrees to comply fully with all relevant export laws and regulations of the United States (“Export Laws”) to ensure that neither the Lookback Platform, nor any direct product thereof are: (a) exported or re-exported directly or indirectly in violation of Export Laws; or (b) used for any purposes prohibited by the Export Laws, including but not limited to nuclear, chemical, or biological weapons proliferation.
10.10 Publicity. Customer hereby grants Lookback a limited, non-exclusive, royalty-free license to use and display Customer’s name, designated trademarks and associated logos (the “Customer Marks”) during the Term in connection with (i) the hosting, operation and maintenance of the Lookback Platform; and (ii) Lookback’s marketing and promotional efforts for its products and services, including by publicly naming Customer as a customer of Lookback and case studies. All goodwill and improved reputation generated by Lookback’s use of the Customer Marks inures to the exclusive benefit of Customer. Lookback will use the Customer Marks in the form stipulated by Customer and will conform to and observe such standards as Customer prescribes from time to time in connection with the license granted hereunder.
10.11 Entire Agreement. This Agreement constitutes the complete and exclusive understanding and agreement between the parties regarding its subject matter and supersedes all prior or contemporaneous agreements or understandings, written or oral, relating to its subject matter. This Agreement may be amended or modified only by a written document executed by duly authorized representatives of the parties. The parties have read, agree to, and have executed this Agreement as of the Effective Date.
10.12 Equitable Relief. Each party agrees that a breach or threatened breach by such party of any of its obligations under Section 6 or, in the case of Customer, Section 2.3, would cause the other party irreparable harm and significant damages for which there may be no adequate remedy under law and that, in the event of such breach or threatened breach, the other party will have the right to seek immediate equitable relief, including a restraining order, an injunction, specific performance and any other relief that may be available from any court, without any requirement to post a bond or other security, or to prove actual damages or that monetary damages are not an adequate remedy. Such remedies are not exclusive and are in addition to all other remedies that may be available at law, in equity or otherwise.
10.13 Subcontracting. Lookback may use subcontractors, and other third-party providers (“Subcontractors”) in connection with the performance of its own obligations hereunder as it deems appropriate; provided that Lookback remains responsible for the performance of each such Subcontractor. Notwithstanding anything to the contrary in this Agreement, with respect to any third-party vendors including any hosting (e.g. AWS) or payment vendors (e.g. PayPal), Lookback will use commercially reasonable efforts to guard against any damages or issues arising in connection with such vendors, but will not be liable for the acts or omissions of such third-party vendors except to the extent that it has been finally adjudicated that such damages or issues are caused directly from the gross negligence or willful misconduct of Lookback.
DATA PROTECTION ADDENDUM
- Subject Matter and Duration.
- Subject Matter. This Addendum reflects the parties’ commitment to abide by Data Protection Laws concerning the Processing of Company Personal Data in connection with Service Provider’s execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
- Duration and Survival. This Addendum will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this Addendum if it is completed after the effective date of the Agreement. Service Provider will Process Company Personal Data until the relationship terminates as specified in the Agreement.
- Definitions.
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
“Company Personal Data” means Personal Data Processed by Service Provider on behalf of Company.
“Data Protection Laws” means all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the Company Personal Data are subject. “Data Protection Laws” may include, but are not limited to, the California Consumer Privacy Act of 2018 (“CCPA”); the EU General Data Protection Regulation 2016/679 (“GDPR”) and its respective national implementing legislations; the Swiss Federal Act on Data Protection; the United Kingdom General Data Protection Regulation; and the United Kingdom Data Protection Act 2018 (in each case, as amended, adopted, or superseded from time to time).
“Personal Data” has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Company Personal Data attributable to Service Provider.
“Services” means the services that Service Provider performs under the Agreement.
“Subprocessor(s)” means Service Provider’s authorized vendors and third-party service providers that Process Company Personal Data.
- Processing Terms for Company Personal Data.
- Documented Instructions. Service Provider shall Process Company Personal Data to provide the Services in accordance with the Agreement, this Addendum, any applicable Statement of Work, and any instructions agreed upon by the parties. Service Provider will, unless legally prohibited from doing so, inform Company in writing if it reasonably believes that there is a conflict between Company’s instructions and applicable law or otherwise seeks to Process Company Personal Data in a manner that is inconsistent with Company’s instructions.
- Authorization to Use Subprocessors. To the extent necessary to fulfill Service Provider’s contractual obligations under the Agreement, Company hereby authorizes Service Provider to engage Subprocessors.
- Service Provider and Subprocessor Compliance. Service Provider agrees to (i) enter into a written agreement with Subprocessors regarding such Subprocessors’ Processing of Company Personal Data that imposes on such Subprocessors data protection requirements for Company Personal Data that are consistent with this Addendum; and (ii) remain responsible to Company for Service Provider’s Subprocessors’ failure to perform their obligations with respect to the Processing of Company Personal Data.
- Right to Object to Subprocessors. Where required by Data Protection Laws, Service Provider will notify Company by emailing Company’s Designated POC and updating our website prior to engaging any new Subprocessors that Process Company Personal Data and allow Company ten (10) days to object. If Company has legitimate objections to the appointment of any new Subprocessor, the parties will work together in good faith to resolve the grounds for the objection.
- Confidentiality. Any person authorized to Process Company Personal Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
- Personal Data Inquiries and Requests. Where required by Data Protection Laws, Service Provider agrees to provide reasonable assistance and comply with reasonable instructions from Company, at Company’s expense, related to any requests from individuals exercising their rights in Company Personal Data granted to them under Data Protection Laws.
- Sale of Company Personal Data Prohibited. Service Provider shall not sell Company Personal Data as the term "sell" is defined by the CCPA.
- Data Protection Impact Assessment and Prior Consultation. Where required by Data Protection Laws, Service Provider agrees to provide reasonable assistance at Company’s expense to Company where, in Company’s judgement, the type of Processing performed by Service Provider requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
- Demonstrable Compliance. Service Provider agrees to provide information reasonably necessary to demonstrate compliance with this Addendum upon Company’s reasonable request.
- Service Optimization. Where permitted by Data Protection Laws, Service Provider may Process Company Personal Data: (i) for its internal uses to build or improve the quality of its services; (ii) to detect Security Incidents; and (iii) to protect against fraudulent or illegal activity.
- Aggregation and De-Identification. Service Provider may: (i) compile aggregated and/or de-identified information in connection with providing the Services provided that such information cannot reasonably be used to identify Company or any data subject to whom Company Personal Data relates (“Aggregated and/or De-Identified Data”); and (ii) use Aggregated and/or De-Identified Data for its lawful business purposes.
- Cross-Border Transfers of Company Personal Data.
- Cross-Border Transfers of Company Personal Data. Company authorizes Service Provider and its Subprocessors to transfer Company Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States.
- Service Provider Data Transfer Impact Assessment Questionnaire. Service Provider agrees that it has provided true, complete, and accurate responses to the Service Provider Data Transfer Impact Assessment Questionnaire attached hereto as Exhibit A.
- EEA, Swiss, and UK Controller to Processor Standard Contractual Clauses. If Company Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Company to Service Provider in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by the Controller to Processor Standard Contractual Clauses (Module Two) attached hereto as Exhibit B. The parties agree that: (i) the certification of deletion required by Clause 8.5 and Clause 16(d) of the Controller to Processor Standard Contractual Clauses will be provided upon Company’s written request; (ii) the measures Service Provider is required to take under Clause 8.6(c) of the Controller to Processor Standard Contractual Clauses will only cover Service Provider’s impacted systems; (iii) the audit described in Clause 8.9 of the Controller to Processor Standard Contractual Clauses shall be carried out in accordance with Section 7 of this Addendum; (iv) Service Provider may engage Subprocessors using European Commission Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council or any other adequacy mechanism provided that such adequacy mechanism complies with applicable Data Protection Laws and such use of Subprocessors shall not be considered a breach of Clause 9 of the Controller to Processor Standard Contractual Clauses; (v) the termination right contemplated by Clause 14(f) and Clause 16(c) of the Controller to Processor Standard Contractual Clauses will be limited to the termination of the Controller to Processor Standard Contractual Clauses, in which case, the corresponding Processing of Company Personal Data affected by such termination shall be discontinued unless otherwise agreed by the parties; (vi) unless otherwise stated by Service Provider, Company will be responsible for communicating with data subjects pursuant to Clause 15.1(a) of the Controller to Processor Standard Contractual Clauses; (vii) the information required under Clause 15.1(c) will be provided upon Company’s written request; and (viii) notwithstanding anything to the contrary, Company will reimburse Service Provider for all costs and expenses incurred by Service Provider in connection with the performance of Service Provider’s obligations under Clause 15.1(b) and Clause 15.2 of the Controller to Processor Standard Contractual Clauses without regard for any limitation of liability set forth in the Agreement. Each party’s execution of the Agreement shall be considered a signature to the Controller to Processor Standard Contractual Clauses to the extent that the Controller to Processor Standard Contractual Clauses apply hereunder.
- Company Data Transfer Impact Assessment Questionnaire. By executing the Agreement, Company agrees that the responses to the Company Data Transfer Impact Assessment Questionnaire attached hereto as Exhibit C are true, complete, and accurate.
- EEA, Swiss, and UK Processor to Controller Standard Contractual Clauses. If Company Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Service Provider to Company in a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws, the parties agree that the transfer shall be governed by the Processor to Controller Standard Contractual Clauses (Module Four), attached hereto as Exhibit D. The parties agree that: (i) the information required by Clause 8.1(d) of the Processor to Controller Standard Contractual Clauses will be provided upon Company’s written request, and (ii) the audit described in Clause 8.3(b) of the Processor to Controller Standard Contractual Clauses shall be carried out in accordance with Section 7 of this Addendum. Each party’s execution of the Agreement shall be considered a signature to the Processor to Controller Standard Contractual Clauses to the extent that the Processor to Controller Standard Contractual Clauses apply hereunder.
- Data Transfer Impact Assessment Outcome. Taking into account the information and obligations set forth in this Addendum and, as may be the case for a party, such party’s independent research, to the parties’ knowledge, the Company Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom that is transferred pursuant to the attached Standard Contractual Clauses to a country that has not been found to provide an adequate level of protection under applicable Data Protection Laws is afforded a level of protection that is essentially equivalent to that guaranteed by applicable Data Protection Laws.
- Technical and Organizational security measures.
- Security and privacy policy
- Service Provider’s security policy covers security in human resources, physical security, access control, acceptable use, software development, incident management, device security, and compliance with laws and regulations. It’s approved by management and communicated to the staff. Service Provider has a CISO who is responsible for the policy. The policy is reviewed at least yearly by the security team.
- As part of Service Provider’s security and privacy policy Service Provider maintains the following controls:
- Written internal policies for safe handling and protection of data.
- Yearly internal audits of the security and privacy policy.
- A training program for the staff to ensure they are familiar with the security and privacy policy.
- Background screening of employees.
- Industry standard protection of servers and networks.
- Applying the principle of least privilege for sensitive data and systems.
- Protected access logs for sensitive data and systems.
- A process to ensure third parties are capable of protecting sensitive data.
- Processes to identify and address security and privacy incidents in a timely fashion.
- A change management process with reviews for networks and systems.
- A risk assessment program where we regularly review the threats to the company and how they can be addressed.
- Personnel security
- All employees undergo training on security and privacy. This training includes device security, password and 2FA management, physical security, malware protection, network security, incident reports and acceptable device use.
- All access to systems is granted based on the principle of least privilege. There are processes to revoke access when it’s no longer needed, be it because of new assignments or because the person is no longer working with Service Provider.
- Before hiring new employees Service Provider performs an identity verification, a financial background check and a criminal record check.
- Networks
- Service network. Service Provider runs its production systems in a segregated network in an AWS VPC. The network is divided into public and private subnets. Ports that are not required to operate the service are closed and administrative access to the servers is only possible from our corporate network. All traffic between Service Provider’s systems and client accessible services, like web applications and applications for recording, is encrypted using TLS 1.2 or higher.
- Corporate network. The corporate network protects internal resources like databases and servers. It’s accessible via an encrypted VPN tunnel that requires two-factor authentication. Only registered devices with the required security measures installed are allowed to access the corporate network.
- Servers
- Service Provider’s servers run on AWS EC2. They are built and hardened using a standard build program. As part of the hardening Service Provider will typically remove and disable non-essential services, disable default accounts and passwords, disable password based authentication, disable ssh access, set up log forwarding to a centralized logging system, scan for known vulnerabilities, and prevent the applications from spawning additional processes.
- Service Provider will run vulnerability scans daily and can roll out patches for critical vulnerabilities outside of the regular patching schedule. Patches can be tested in an isolated testing environment before being rolled out to production. Employees are signed up to mailing lists regarding new security issues.
- Data and Storage
- Industry standard encryption shall be used for data in transit and at rest.
- Data segregation
Application level logic is used to determine who can see what data. Data is tied to an organization and if you are not a member of an organization you cannot see any of the organization’s data.
- Backups
The database is backed up by the database service provider. Files are backed up by AWS.
- Logging
- Service Provider will log server events, including authentication, privileged system calls and data access. Logs shall be sent to a centralized environment with limited access. Sensitive logs shall be encrypted, protected from modification and stored for at least a year.
- Administrative access
- Login to servers shall require asymmetric keys over SSH, or be disabled.
- Personnel with access to accounts at third party providers such as AWS have individual user accounts with 2FA. Service Provider shall have processes in place to audit and revoke access to the systems within 24 hours of someone leaving their position.
- Clients
- Workstations at Service Provider are registered and monitored centrally. They are configured according to a standard that includes full disk encryption, secure configuration of VPN, anti-malware programs that are centrally managed, secure administrative passwords and screen locking that activates within a few minutes of inactivity.
- Updates are installed automatically by the built-in patching mechanism in the OS. Security staff follow mailing lists to stay up to date on vulnerabilities and, when necessary, action is taken to protect the systems, e.g. in case patches for new vulnerabilities haven’t been released yet.
- Development
- Development is performed through a process that involves planning, coordination, implementation, review, testing and follow up after deployment.
- The planning and coordination steps involve stakeholders from different departments, including security. Complex systems or complex changes are implemented by more than one developer, and/or reviewed by senior developers. Security related changes are always reviewed.
- Service Provider performs a range of testing depending on the size and complexity of the changes. It involves automated tests, and may also involve testing in an isolated testing environment, as well as internal and external user research/beta testing.
- All code is kept in a secure version management system.
- Technical security testing
Service Provider will contract third party security firms to perform penetration tests on a yearly basis. It’s a white box test covering applications, systems and networks, including both manual and automatic testing. Any findings are tracked and resolved by the security team.
- Security Incidents.
- Notice. Upon becoming aware of a Security Incident, Service Provider agrees to provide written notice without undue delay and within the time frame required under Data Protection Laws to Company’s Designated POC. Where possible, such notice will include all available details required under Data Protection Laws for Company to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
- Audits.
- Company Audit. Where Data Protection Laws afford Company an audit right, Company (or its appointed representative) may carry out an audit of Service Provider’s policies, procedures, and records relevant to the Processing of Company Personal Data. Any audit must be: (i) conducted during Service Provider’s regular business hours; (ii) with reasonable advance notice to Service Provider; (iii) carried out in a manner that prevents unnecessary disruption to Service Provider’s operations; and (iv) subject to reasonable confidentiality procedures. In addition, any audit shall be limited to once per year, unless an audit is carried out at the direction of a government authority having proper jurisdiction.
- Company Personal Data Deletion.
- Data Deletion. At the expiry or termination of the Agreement, Service Provider will delete all Company Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with Service Provider’s data retention schedule), except where Service Provider is required to retain copies under applicable laws, in which case Service Provider will isolate and protect that Company Personal Data from any further Processing except to the extent required by applicable laws.
- Company’s Obligations.
Company represents and warrants that: (i) it has complied and will comply with Data Protection Laws; (ii) it has provided data subjects whose Company Personal Data will be Processed in connection with the Agreement with a privacy notice or similar document that clearly and accurately describes Company’s practices with respect to the Processing of Company Personal Data; (iii) it has obtained and will obtain and continue to have, during the term, all necessary rights, lawful bases, authorizations, consents, and licenses for the Processing of Company Personal Data as contemplated by the Agreement; and (iv) Service Provider’s Processing of Company Personal Data in accordance with the Agreement will not violate Data Protection Laws or cause a breach of any agreement or obligations between Company and any third party.
- Processing Details.
- Subject Matter. The subject matter of the Processing is the Services pursuant to the Agreement.
- Duration. The Processing will continue until the expiration or termination of the Agreement.
- Categories of Data Subjects. Data subjects whose Company Personal Data will be Processed pursuant to the Agreement.
- Nature and Purpose of the Processing. The purpose of the Processing of Company Personal Data by Service Provider is the performance of the Services pursuant to the Agreement.
- Types of Company Personal Data. Company Personal Data that is Processed pursuant to the Agreement.
- Contact Information.
- Company and Service Provider agree to designate a point of contact for urgent privacy and security issues (a “Designated POC”). The Designated POC for Company is the representative who registers for the Service. The Designated POC for Service Provider is legal@lookback.io.
EXHIBIT A TO THE DATA PROTECTION ADDENDUM
SERVICE PROVIDER DATA TRANSFER IMPACT ASSESSMENT QUESTIONNAIRE
This Exhibit A forms part of the Addendum. Capitalized terms not defined in this Exhibit A have the meaning set forth in the Addendum.
- What countries will Company Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom be stored in or accessed from? If this varies by region, please specify each country for each region.
- Answer: Service Provider will process Company Personal Data globally, including in the United States and Canada.
- What are the categories of data subjects whose Company Personal Data will be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?
- Answer: Company’s Authorized Users and End Users, as defined in the Agreement.
- What are the categories of Company Personal Data transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?
- Answer: For Company’s Authorized Users, the data includes contact and login information and information regarding usage of the platform, as defined in Service Provider’s Privacy Policy.
Personal Data collected from End Users will depend on how Company and its Authorized Users use the Services pursuant to the Agreement, but may include:
1. video from device screens,
2. audio from device microphones,
3. gestures and touches (or mouse movements and clicks) performed on the device,
4. the front facing camera (capturing the user’s face),
5. participant’s first name, last name and email address as provided by them,
6. metadata about the device used to record with (model, OS version, etc.).
- Will any Company Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom? If so, are there any restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures?
- Answer: While the Services are not intended to process sensitive information as outlined above, Company’s Authorized Users or End Users may reveal this information in connection with their use of the Lookback Platform.
- What business sector is Service Provider involved in?
- Answer: Analytics.
- Broadly speaking, what are the services to be provided and the corresponding purposes for which Company Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?
- Answer: Analysis and optimization of Company’s online offerings through testing and feedback with Authorized Users and End Users. Company Personal Data is transferred outside of the EEA, Switzerland, and the United Kingdom to enable processing and to allow Company End Users to participate from anywhere in the world.
- What is the frequency of the transfer of Company Personal Data outside of the European Economic Area, Switzerland, and/or the United Kingdom? E.g., is Company Personal Data transferred on a one-off or continuous basis?
- Answer: Continuous throughout the term of the Agreement.
- When Company Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom to Service Provider, how is it transmitted to Service Provider? Is the Company Personal Data in plain text, pseudonymized, and/or encrypted?
- Answer: See Section 5 of the Addendum.
- What is the period for which the Company Personal Data will be retained, or, if that is not possible, the criteria used to determine that period?
- Answer: Company Personal Data will be retained throughout the Term of the Agreement, unless a longer retention period is required to protect Service Provider’s legal rights.
- Please list the Subprocessors that will have access to Company Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom:
- Answer: See this article.
- Is Service Provider subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where Company Personal Data is stored or accessed from that would interfere with Service Provider fulfilling its obligations under the attached Standard Contractual Clauses? For example, FISA Section 702. If yes, please list these laws.
- Answer: Service Provider’s HQ is in the United States and is therefore likely subject to United States law. As of the effective date of the Addendum, no court has found Service Provider to be eligible to receive process issued under the laws contemplated by Question 11, including FISA Section 702, and no such court action is pending.
- Has Service Provider ever received a request from public authorities for information pursuant to the laws contemplated by Question 11 above (if any)? If yes, please explain.
- Answer: No.
- Has Service Provider ever received a request from public authorities for Personal Data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain.
- Answer: No.
- What safeguards will Service Provider apply during transmission and to the processing of Company Personal Data in countries outside of the European Economic Area, Switzerland, and/or the United Kingdom that have not been found to provide an adequate level of protection under applicable Data Protection Laws?
- Answer: Those safeguards set forth in the Addendum.
EXHIBIT B TO THE DATA PROTECTION ADDENDUM
This Exhibit B forms part of the Addendum.
CONTROLLER TO PROCESSOR STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
(e) To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.
(f) To the extent applicable hereunder, these Clauses, as supplemented by Annex III, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the UK Data Protection Laws (as defined in Annex III).
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 – Optional
Docking clause – Omitted
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
MODULE TWO: Transfer controller to processor
8.1 Instructions
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
MODULE TWO: Transfer controller to processor
(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least ten (10) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
MODULE TWO: Transfer controller to processor
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
MODULE TWO: Transfer controller to processor
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
MODULE TWO: Transfer controller to processor
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
MODULE TWO: Transfer controller to processor
(a) Where the data exporter is established in an EU Member State, the following section applies: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the following section applies: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, the following section applies: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
MODULE TWO: Transfer controller to processor
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
MODULE TWO: Transfer controller to processor
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
MODULE TWO: Transfer controller to processor
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Sweden.
Clause 18
Choice of forum and jurisdiction
MODULE TWO: Transfer controller to processor
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of Ireland.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
APPENDIX
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter(s):
Name: Company.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position and contact details: Company’s Designated POC.
Activities relevant to the data transferred under these Clauses: As set forth in Exhibit A.
Role (controller/processor): Controller.
Data importer(s):
Name: Service Provider.
Address: As set forth in the Notices section of the Agreement.
Contact person’s name, position and contact details: Service Provider’s Designated POC.
Activities relevant to the data transferred under these Clauses: As set forth in Exhibit A.
Role (controller/processor): Processor.
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred
As set forth in Exhibit A.
Categories of personal data transferred
As set forth in Exhibit A.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
As set forth in Exhibit A.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
As set forth in Exhibit A.
Nature of the processing
As set forth in Exhibit A.
Purpose(s) of the data transfer and further processing
As set forth in Exhibit A.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As set forth in Exhibit A.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As set forth in Exhibit A.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
The supervisory authority mandated by Clause 13. If no supervisory authority is mandated by Clause 13, then the Swedish Data Protection Commission (DPC), and if this is not possible, then as otherwise agreed by the parties consistent with the conditions set forth in Clause 13.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE TWO: Transfer controller to processor
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Data importer shall implement and maintain appropriate technical and organisational measures designed to protect personal data in accordance with section 5 of the Addendum.
Pursuant to Clause 10(b), data importer will provide data exporter assistance with data subject requests in accordance with the Addendum.
ANNEX III
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
UK Addendum to the EU Commission Standard Contractual Clauses
Date of this Addendum:
- The Clauses are dated as of the same date as the Addendum.
Background:
- The Information Commissioner considers this Addendum provides appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR and, with respect to data transfers from controllers to processors and/or processors to processors. This Addendum forms part of and supplements the Clauses to which it is attached. If personal data originating in the United Kingdom is transferred by data exporter to data importer in a country that has not been found to provide an adequate level of protection under UK Data Protection Laws, the Parties agree that the transfer shall be governed by the Clauses as supplemented by this Addendum.
Interpretation of this Addendum
- Where this Addendum uses terms that are defined in the Annex those terms shall have the same meaning as in the Annex. In addition, the following terms have the following meanings:
“This Addendum”: This UK Addendum to the EU Commission Standard Contractual Clauses.
“The Annex”: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“UK Data Protection Laws”: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
“UK GDPR”: The United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
“UK”: The United Kingdom of Great Britain and Northern Ireland.
- This Addendum shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 UK GDPR.
- This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
- In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
Incorporation of the Clauses
- This Addendum incorporates the Clauses which are deemed to be amended to the extent necessary so they operate:
- for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR.
- The amendments required by Section 8 above, include (without limitation):
- References to the “Clauses” means this Addendum as it incorporates the Clauses.
- Clause 6 Description of the transfer(s) is replaced with:
“The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”
- References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.
- References to Regulation (EU) 2018/1725 are removed.
- References to the “Union”, “EU” and “EU Member State” are all replaced with “UK.”
- Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Information Commissioner.
- Clause 17 is replaced to state “These Clauses are governed by the laws of England and Wales.”
- Clause 18 is replaced to state:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
EXHIBIT C TO THE DATA PROTECTION ADDENDUM
COMPANY DATA TRANSFER IMPACT ASSESSMENT QUESTIONNAIRE
This Exhibit C forms part of the Addendum. Capitalized terms not defined in this Exhibit C have the meaning set forth in the Addendum.
Throughout the term of the Agreement, Company will promptly notify Service Provider’s Designated POC within ten (10) business days if there are material changes to the responses set forth in this Exhibit C following the effective date of the Agreement and work with Service Provider to update Company’s responses set forth in this Company Data Transfer Impact Assessment Questionnaire.
- What countries will Company Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom be stored in or accessed from by Company? If this varies by region, please specify each country for each region.
- Answer: Those countries where Company conducts its business activities which may include, but are not limited to, the United States.
- What are the categories of data subjects whose Company Personal Data will be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?
- Answer: Data subjects whose Company Personal Data will be provided by Service Provider pursuant to the Processor to Controller Standard Contractual Clauses which may include, but are not limited to, those data subjects contemplated by Service Provider’s response to Question 2, Exhibit A.
- What are the categories of Company Personal Data transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom?
- Answer: Company Personal Data that will be provided by Service Provider pursuant to the Processor to Controller Standard Contractual Clauses which may include, but is not limited to, the Company Personal Data contemplated by Service Provider’s response to Question 3, Exhibit A.
- Will any Company Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences be transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom? If so, are there any restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures?
- Answer: No.
- What is the nature and purpose for which Company Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom by Service Provider to Company?
- Answer: Company Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom so that Company can operate its business.
- What is the frequency of the transfer of Company Personal Data outside of the European Economic Area, Switzerland, and/or the United Kingdom? E.g., is Company Personal Data transferred on a one-off or continuous basis?
- Answer: Company Personal Data is transferred by Service Provider to Company in accordance with the standard functionality of the Services or as otherwise agreed upon by the parties.
- When Company Personal Data is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom to Company, how is it transmitted to Company? Is the Company Personal Data in plain text, pseudonymized, and/or encrypted?
- Answer: Company Personal Data is transferred and made available to Company directly through the Services, accessible only to Company’s authorized users.
- What is the period for which the Company Personal Data will be retained, or, if that is not possible, the criteria used to determine that period?
- Answer: Company will retain Company Personal Data in accordance with the applicable Company privacy notice or policy that governs such Company Personal Data.
- Please list the Company subprocessors that will have access to Company Personal Data that is transferred outside of the European Economic Area, Switzerland, and/or the United Kingdom.
- Answer: Those subprocessors involved in the operation of Company’s business.
- Is Company subject to any laws in a country outside of the European Economic Area, Switzerland, and/or the United Kingdom where Company Personal Data is stored or accessed from that would interfere with Company fulfilling its obligations under the Processor to Controller Standard Contractual Clauses? For example, FISA Section 702. If yes, please list these laws.
- Answer: As of the effective date of the Agreement, no court has found Company to be eligible to receive process issued under the laws contemplated by Question 10, including FISA Section 702 and no such court action is pending.
- Has Company ever received a request from public authorities for information pursuant to the laws contemplated by Question 10 above (if any)? If yes, please explain.
- Answer: No.
- Has Company ever received a request from public authorities for Personal Data of individuals located in European Economic Area, Switzerland, and/or the United Kingdom? If yes, please explain.
- Answer: No.
EXHIBIT D TO THE DATA PROTECTION ADDENDUM
This Exhibit D forms part of the Addendum.
PROCESSOR TO CONTROLLER STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
(e) To the extent applicable hereunder, these Clauses also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the Swiss Federal Act on Data Protection. Where applicable, references to EU Member State law or EU supervisory authorities shall be modified to include the appropriate reference under Swiss law as it relates to transfers of personal data that are subject to the Swiss Federal Act on Data Protection.
(f) To the extent applicable hereunder, these Clauses, as supplemented by Annex II, also apply mutatis mutandis to the Parties’ processing of personal data that is subject to the UK Data Protection Laws (as defined in Annex II).
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1 (b) and Clause 8.3(b);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18.
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 – Optional
Docking clause – Omitted
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
MODULE FOUR: Transfer processor to controller
8.1 Instructions
(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.
(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.
(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.
(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.
8.2 Security of processing
(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.
(b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.
(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8.3 Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with these Clauses.
(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.
Clause 9
Use of sub-processors – Omitted
Clause 10
Data subject rights
MODULE FOUR: Transfer processor to controller
The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
Clause 12
Liability
MODULE FOUR: Transfer processor to controller
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.
(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.
Clause 13
Supervision – Omitted
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
MODULE FOUR: Transfer processor to controller (this clause is only applicable where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
MODULE FOUR: Transfer processor to controller (this clause is only applicable where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
MODULE FOUR: Transfer processor to controller
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
MODULE FOUR: Transfer processor to controller
Any dispute arising from these Clauses shall be resolved by the courts of Ireland.
ANNEX I
A. LIST OF PARTIES
MODULE FOUR: Transfer processor to controller
Data exporter(s):
1. Name: Service Provider.
Address: As described in the Addendum
Contact person’s name, position and contact details: As described in the Addendum
Activities relevant to the data transferred under these Clauses: As described in the Addendum
Signature and date: As described in the Addendum
Role (controller/processor): Processor
2. Data importer(s):
Name: Company.
Address: As described in the Addendum
Contact person’s name, position and contact details: As described in the Addendum
Activities relevant to the data transferred under these Clauses: As described in the Addendum
Signature and date: As described in the Addendum
Role (controller/processor): Controller
B. DESCRIPTION OF TRANSFER
MODULE FOUR: Transfer processor to controller
Categories of data subjects whose personal data is transferred
As described in Exhibit C
Categories of personal data transferred
As described in Exhibit C
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
As described in Exhibit C
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
As described in Exhibit C
Nature of the processing
As described in Exhibit C
Purpose(s) of the data transfer and further processing
As described in Exhibit C
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As described in Exhibit C
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As described in Exhibit C
ANNEX II
Standard Data Protection Clauses to be issued by the Commissioner under S119A(1) Data Protection Act 2018
UK Addendum to the EU Commission Standard Contractual Clauses
The terms of Exhibit B, Annex III also apply to this Exhibit D.