Data processing agreement
1 The customer agreeing to these terms (“Customer”), and Talarian S.à.r.l. (“Supplier”), have entered into an agreement under which Supplier has agreed to provide certain Services, which may be amended from time to time (the “Agreement”).
2 This Data Processing Agreement and its appendices (the “DPA”), which is between Supplier and Customer (each, a “Party”, and together, “the Parties”), forms part of the Agreement and is the Parties’ agreement related to Supplier’s processing of Customer Personal Data. This DPA might be updated from time to time and will be effective and replace any previously applicable data processing agreement as from the Effective Date (as defined below). To the extent of any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, the terms of this DPA will govern. Definitions are provided in Section 27. For clarity, this DPA terms apply only to the processing of Customer Personal Data in environments controlled by Supplier and Supplier's Subprocessors. This includes Customer Personal Data sent to Supplier by Services but does not include Customer Personal Data that remains on Customer's premises or in any Customer selected third party operating environments.
3 The Parties acknowledge and agree that (a) under the Data Protection Legislation, Supplier is a Data Processor of Customer Personal Data listed in Appendix 1, (b) Customer subscribing to Supplier's Services may be a Data Controller or Data Processor, as applicable, of Customer Personal Data and (c) each Party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of that Customer Personal Data. However, Supplier is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry. Supplier is not responsible for determining whether Customer’s data includes information subject to any specific law or regulation.
4 Details on categories of data processed and data subjects concerned, Processing operations, location of Processing, and purpose and duration of Processing are provided in Appendix 1.
5 Duration. This DPA will take effect on the Effective Date and, notwithstanding expiry of the Term, remains in effect until, and automatically expire upon, deletion of all Customer Personal Data by Supplier as described in this DPA.
6 Scope. The Parties acknowledge and agree that the Data Protection Legislation will apply to the Processing of Customer Personal Data if: (a) the Processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA/Switzerland/the United Kingdom; and/or (b) the Customer Personal Data relates to Data Subjects who are in the EEA/Switzerland/the United Kingdom and the Processing relates to the offering of goods or services in the EEA/Switzerland/the United Kingdom or the monitoring of their behaviour in the EEA/Switzerland/the United Kingdom.
7 Non-European Data Protection Legislation. The Parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the Processing of Customer Personal Data. Except to the extent this DPA states otherwise, the terms of this DPA will apply irrespective of whether the Data Protection Legislation or Non-European Data Protection Legislation applies to the Processing of Customer Personal Data by Supplier. If Non-European Data Protection Legislation applies to either Party’s Processing of Customer Personal Data, the Parties acknowledge and agree that the relevant Party will comply with any obligations applicable to it under that legislation with respect to the Processing of that Customer Personal Data.
8 Third-party Data Controller. If the Data Protection Legislation applies to the Processing of Customer Personal Data and Customer is a Data Processor acting under the instructions of a third-party Data Controller, Customer warrants to Supplier that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment as Data Processor have been authorized by the Third Party Data Controller and shall provide evidence thereof.
9 Customer’s Instructions. By entering into this DPA, Customer instructs Supplier to Process Customer Personal Data only in accordance with the Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable and analytics: (a) to provide the Services and related technical support; (b) as further specified by Customer or required by Customer’s use of the Services and related technical support; (c) as documented in the form of the Agreement, including this DPA; and (d) as further documented in any other legitimate and written instructions given by Customer and acknowledged by Supplier as constituting instructions for purposes of this DPA. As from the Effective Date, Supplier will comply with the Customer’s instructions provided in this Section, including with regard to Personal Data transfers, in accordance with Section 21. Supplier shall not process, transfer, modify, amend or alter Customer Personal Data or disclose or permit the disclosure of the Customer Personal Data to any third-party other than in accordance with the Customer’s instructions (whether in the Agreement or otherwise) unless (i) EU law or EU Member State law to which Processor is subject requires other Processing of Customer Personal Data by Supplier, in which case Supplier will inform Customer prior to implement the Processing (unless that law prohibits Processor from doing so on important grounds of public interest) via the Notification Email Address or (ii) a law enforcement authority requires disclosure of Customer Personal Data by Supplier, in which case Supplier agrees to inform the Customer of any notice, inquiry or investigation by such Supervisory Authority with respect to Customer Personal Data. Supplier agrees to immediately inform the Customer if, in its opinion, an instruction infringes the applicable Data Protection Legislation. Customer represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the Customer Data to Supplier and to authorize Supplier to use, disclose, retain and otherwise process that Customer Data as contemplated by this DPA.
10 Deletion During Term. Supplier will enable Customer to delete Customer Personal Data during the Term in a manner consistent with the functionality of the Services. If Customer or an End User uses the Services to delete any Customer Personal Data during the Term and the Customer Personal Data cannot be recovered by Customer or an End User, this use will constitute a Customer’s Instruction to Supplier to delete the relevant Customer Personal Data from Supplier’s Systems in accordance with applicable Data Protection Legislation. Supplier will comply with this instruction as soon as reasonably practicable and within a maximum period of ninety (90) days, unless EU or EU Member State law requires or justifies that such Customer Personal Data be retained by Supplier for a longer period of time. By way of exception, Supplier and/or its Subprocessors may continue to process information derived from Customer Data that has been aggregated or stored in a manner that does not identify individuals or customers to improve Supplier and/or its Subprocessors systems and services.
11 Deletion on Term Expiry. Subject to Section 12 (Deferred Deletion Instructions), upon expiry of the Term, Customer shall instruct Supplier to delete all Customer Personal Data (including existing copies) from Supplier’s Systems in accordance with applicable Data Protection Legislation. Processor will comply with this Instruction as soon as reasonably practicable and within a maximum period of 90 days, unless EU or EU Member State law requires or justifies that such Customer Personal Data be retained by Processor for a longer period of time. Without prejudice to Section 20 (Data Subjects Rights and Requests) Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards. By way of exception, Supplier and/or its Subprocessors may continue to process information derived from Customer Data that has been aggregated or stored in a manner that does not identify individuals or customers to improve Supplier and/or its Subprocessors systems and services.
12 Deferred Deletion Instruction. To the extent any Customer Personal Data covered by the deletion instruction described in Section 11 (Deletion on Term Expiry) is also processed, when the Term under Section 11 expires, in relation to an agreement between Customer and Supplier having a continuing Term, such deletion instruction will only take effect with respect to such Customer Personal Data when the continuing Term expires. For clarity, in the event of a Deferred Deletion Instruction, this DPA will continue to apply to such Customer Personal Data until its deletion by Supplier.
13 Supplier Security Measure. Supplier will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of Supplier’s Systems, restore timely access to Customer Personal Data following a Data Incident and regular testing of effectiveness. Supplier may update or modify the Security Measures in Appendix 2 from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services or Supplier’s Systems. Customer acknowledges that Customer Data will be hosted in a Third-Party Service Provider data centers, by Third-Party Service Provider and/or one or more of its affiliated entities (collectively, “Third-Party Service Providers”) (and not by the Supplier) and, as a consequence, that most of the technical and organisational security measures relating to the Customer Personal Data (as notably referred to in Appendix 2) will be provided by the applicable Third-Party Service Provider under its own liability. Accordingly, and notwithstanding any other provision in the Agreement, the Supplier disclaims any and all responsibility in relation to any acts and/or omission of Third-Party Service Provider, including notably (without limitation) for such Third-Party Service Provider’s technical and organisational security measures as listed for information purposes only and without any representation in Appendix 2. Customer agrees to disclaim Supplier’s liability, in the event of any non-compliance of the Third-Party Service Provider under the applicable agreement.
14 Security Compliance by Processor. Supplier will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, agents and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that such personnel has undertaken appropriate training in accordance with the Data Protection Legislation.
15 Processor Security Assistance. Customer agrees that Supplier will (taking into account the nature of the Processing of Customer Personal Data and the information available to Supplier) assist Customer in ensuring compliance with Customer’s obligations in respect of security of Customer Personal Data and Customer Personal Data breaches, in particular in the event of a Data Incident, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Security Measures in accordance with Section 13 (Supplier’s Security Measures); (b) complying with the terms of Section 16 (Data Incidents).
16 Data Incidents. If Supplier becomes aware of a Data Incident, Supplier will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data. Notifications will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Supplier recommends Customer to take to address the Data Incident. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at Supplier’s discretion, by direct communication (for example, by phone call or an in- person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid at any time. Supplier will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with notification obligations provided by Data Protection Legislation or Non-European Data Protection Legislation, as applicable to Customer, and fulfilling any third party notification obligations related to any Data Incident(s). Supplier’s notification of or response to a Data Incident under this Section 16 (Data Incidents) will not be construed as an acknowledgement by Supplier of any fault or liability with respect to the Data Incident. Customer must notify Supplier promptly about any possible misuse of its accounts or authentication credentials or any Data Incident related to the Services.
17 Customer’s Security Responsibilities and Assessment. Customer agrees that, without prejudice to Supplier’s obligations under Sections 13-15 (Supplier’s Security Measures, Security Compliance by Processor, Processor Security Assistance) and Section 16 (Data Incidents): (a) Customer is solely responsible for its use of the Services, including: (i) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (ii) securing the account authentication credentials, systems and devices Customer uses to access the Services; and (iii) backing up Customer Data; and (b) Supplier has no obligation to protect Customer Data that Customer elects to store or transfer outside of Processor’s and its Subprocessors’ systems (for example, offline or on-premise storage, or Customer’s Third-Party Service Provider). Customer is solely responsible for evaluating whether the Services, the Security Measures and Supplier’s commitments under Sections 13-17 meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Supplier as set out in Section 13 (Supplier’s Security Measures) and Appendix 2 provide a level of security appropriate to the risk in respect of the Customer Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides and/or controls.
18 Audits of compliance. If the Data Protection Legislation applies to the Processing of Customer Personal Data, and to the extent Customer’s audit requirements under the Data Protection Legislation cannot reasonably be satisfied through audit reports, documentation or compliance information Supplier makes generally available to its customers, Supplier will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections), no more than once per calendar year, on at least thirty (30) days’ written notice to Supplier, to verify Supplier’s compliance with its obligations relating to Customer Personal Data under this DPA. Supplier will contribute to such audits as described in this Section 18 (Audits of Compliance). If Customer decides to conduct an audit as described above, then Customer shall bear all costs and expenses connected therewith, including but not limited to the auditors' fees, costs of transport, legal fees. If Customer has entered into SCCs as described in Section 21 (Personal Data Transfer), Supplier will, without prejudice to any audit rights of a Supervisory Authority under such SCCs, allow Customer or an independent auditor appointed by Customer to conduct audits as described in the SCCs. In any event, any audit mandated by Customer pursuant to this Section 18 shall not impair or otherwise trouble Supplier’s usual course of business.
19 Impact Assessments and Consultations. Customer agrees that Supplier will (taking into account the nature of the Processing and the information available to Processor) provide Customer with reasonable assistance in ensuring compliance with any obligations of Customer relating to Customer Personal Data in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, to the extent necessary information is available to Supplier.
20 Data Subject Rights and Requests. During the Term, Supplier will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict Processing of Customer Personal Data, or erase Customer Personal Data, as applicable, including via the deletion functionality provided by Supplier as described in Section 10 (Deletion During Term), and to export Customer Personal Data, as required by Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. During the Term, if Supplier receives any request from a Data Subject in relation to Customer Personal Data, Supplier will advise the Data Subject to submit his/her request to Customer or directly report such request to Customer using the Notification Email Address or any other communication channel, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Customer agrees that (taking into account the nature of the Processing of Customer Personal Data) Supplier will provide Customer with reasonable assistance in fulfilling any obligation to respond to requests by Data Subjects, including if applicable Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR, by complying with the commitments set out in this Section 20, to the extent Supplier is able to respond to such requests. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Supplier.
21 Personal Data Transfer. Customer acknowledges and agrees that Supplier may, subject to this Section 21 (Personal Data Transfer), store and process Customer Data in the United States and any other country outside the EEA in which Supplier or Subprocessors maintain facilities. If the storage and/or Processing of Customer Personal Data involves a Restricted Transfer, Supplier and Customer hereby agree to enter into the applicable SCCs enclosed in Appendix 4 or Appendix 5 as applicable, and such terms are hereby incorporated by reference into this DPA. To the extent there is any conflict between any term of the SCCs and any other part of this DPA or the Agreement, the term of the SCCs shall prevail. Any Restricted Transfers shall be made in accordance with such SCCs. Supplier will impose under a written agreement the same obligations on the Subprocessors, if any, as are imposed on the Processor under this DPA and the SCCs. Where the Subprocessor fails to fulfill its data protection obligations under such written agreement, the Supplier shall remain fully liable to the Customer for the performance of the Subprocessor's obligations under such agreement. In addition, where provision of the Services involves a Restricted Transfer from the Supplier to a Subprocessor located outside EU, Customer (on behalf of itself and its relevant Affiliates) mandates Supplier, which mandate Supplier hereby accepts, to promptly enter, on Customer's own name and behalf as Data Exporter (Subprocessor being the Data Importer), into a Personal Data processing agreement with any Subprocessor engaged by Supplier in such Restricted Transfer, before such Subprocessor first Processes Customer Personal Data, so as to ensure that any such Restricted Transfer complies with the Data Protection Legislation. Such Personal Data processing agreement shall (a) meet the conditions set out in Article 28 of the GDPR and offer at least the same level of protection for Customer Personal Data as those set out in this DPA and (b) incorporate SCCs. When Supplier uses Third Party Service Provider cloud platform to host and/or provide the Services, information about the locations of Supplier’s Third Party Service Providers’ data centers is available at the Third Party Service Providers’ pages specifying servers locations and may be updated by the Third Party Service Provider from time to time. If Customer has entered into SCCs as described in this Section 21 (Personal Data Transfer), Supplier will, notwithstanding any term to the contrary in the Agreement, ensure that any disclosure of Customer Personal Data, and any notifications relating to any such disclosures, will be made in accordance with such SCCs. If at any time, a Supervisory Authority or a court with competent jurisdiction over a Party mandates that transfers from Controllers and/or Processors in the EU or the UK to Processors established outside the EU or the UK must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the Parties shall work together in good faith to implement such safeguards and ensure that any transfer of Customer Personal Data is conducted with the benefit of such additional safeguards. In the same manner, if any Supervisory Authority adopts revised standard contractual clauses for the matters addressed in this DPA and Customer notifies Supplier that it wishes to incorporate any element of those standard contractual clauses into this DPA, Supplier and Customer may agree to amend this DPA to incorporate any proposed changes as reasonably required by the newly adopted standard contractual clauses. In the event that the SCCs enclosed in Appendix 4 and Appendix 5 are deemed to no longer be a valid transfer mechanism to legitimise Restricted Transfers, Supplier and Customer may agree to amend this DPA in order to establish a legitimate transfer of Customer Personal Data outside the EEA. For clarity, Supplier does not control or limit the regions from which Customer or Customer’s End Users may access or move Customer Data.
22 Subprocessors. Customer hereby specifically authorizes the engagement of Supplier’s Affiliates as Subprocessors pursuant to the Agreement and for the Term. In addition, Customer hereby generally authorizes the engagement of any other third parties as Subprocessors (“Third-Party Subprocessors”), subject to Supplier’s compliance with this Section 22. Customer hereby authorizes all Subprocessors listed in Appendix 3, as applicable. If Customer has entered into SCCs as described in Section 21 (Personal Data Transfer), the above authorizations will constitute Customer’s prior written consent to the subcontracting by Supplier of the Processing of Customer Personal Data if such consent is required under the SCCs and Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. Information about Subprocessors is available in Appendix 3 and may be updated by Supplier from time to time in accordance with this DPA. Subject to the remaining provisions of the Agreement, including this DPA, when engaging any Subprocessor, Supplier will: (a) ensure via a written legal instrument or contract that: (i) the Subprocessor only accesses and processes Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA) and any SCCs entered into as described in Section 21 (Personal Data Transfer), as applicable; and (ii) if the GDPR applies to the Processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this DPA, are mandated by said legal instrument or contract on the Subprocessor; and (b) remain fully liable for all obligations subcontracted to, and all acts and omissions of the Subprocessor only with respect to the Processing of Customer Personal Data. When any Third-Party Subprocessor not listed in Appendix 3 at the Effective Date is engaged during the Term, Supplier will, at least thirty (30) days before the new Third-Party Subprocessor processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Third-Party Subprocessor and the activities it will perform) by sending an email to the Notification Email Address. Customer may object to any new Third-Party Subprocessor by terminating the Agreement immediately upon written notice to Supplier, provided that Customer sends such notice within thirty (30) days of being informed of the engagement of the Third-Party Subprocessor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third-Party Subprocessor
23 Processing Records. Customer acknowledges that Supplier is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of any Data Processor and/or Data Controller on behalf of which Processor is acting and, where applicable, of such Data Processor’s or Data Controller's local representative and data protection officer, as well as the categories of Processing carried out on behalf of each Data Controller, where possible a general description of the technical and organisational security measures; and (b) make such information available to the Supervisory Authorities. Customer represents and warrants that Customer will supply such information to Supplier and keep it accurate and up-to-date.
24 California Consumer Privacy Act (CCPA). To the extent that the CCPA applies to the collection, retention, use, and disclosure of Customer's Personal Information (as defined in the CCPA) to provide the Service to Customer pursuant to the Agreement, the Parties acknowledge and agree that Supplier does not receive any Personal Information from Customer (“Customer Personal Information”) as consideration for the Services or other items provided by Supplier to Customer. Except as expressly set forth in the Agreement, Supplier shall not (a) have, derive or exercise any rights or benefits regarding Customer Personal Information, (b) Sell Customer Personal Information, or (c) collect, retain, share or use Customer Personal Information except as necessary for the sole purpose of performing the Services or as otherwise permitted under the CCPA. Supplier agrees to refrain from taking any action that would cause any transfers of Customer Personal Information, either to Supplier or from Supplier, to qualify as a Sale of Personal Information under the CCPA. Supplier understands and will comply with the restrictions set forth in this Section and the applicable requirements of the CCPA. For the purposes of this Section, Supplier is a Service Provider and the terms “Personal Information”, “Sell”, “Sale”, and “Service Provider” shall have the same meaning as in the CCPA. If any US authority adopts revised CCPA provisions for the matters addressed in this DPA and Customer notifies Supplier that it wishes to incorporate any element of those revised provisions into this DPA, Supplier and Customer may agree to amend this DPA to incorporate any proposed changes as reasonably required by the newly adopted provisions.
25 Agreed Liability Limitation. Supplier’s liability for breach of any terms and conditions under this DPA, including non-compliance with Data Protection Legislation, shall be subject to the liability limitations and exclusions agreed in the Agreement to which this DPA is part.
26 Miscellaneous.
26.1 Educational institutions
- 26.1.1. If Customer is an educational agency or institution to which regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (“FERPA”), apply, Supplier acknowledges that for the purposes of the DPA, Supplier is a “school official” with “legitimate educational interests” in the relevant Customer Data, as those terms have been defined under FERPA and its implementing regulations, and Supplier agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) on school officials.
- 26.1.2. Customer understands that Supplier may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer will be responsible for obtaining any parental consent for any End User’s use of the Services that may be required by applicable law (including, without any limitation, Children’s Online Privacy Protection Act ("COPPA")) and to convey notification on behalf of Supplier to students (or, with respect to a student under 18 years of age and not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of the relevant Customer Data in Supplier’s possession as may be required under applicable law.
- 26.1.3. Customer acknowledges and agrees that (i) the cap of liability set forth in section 25 of this DPA applies to any breach of any education law requirement and (ii) any indemnification related to compliance with any education law requirement (including without limitation FERPA and COPPA) is hereby disclaimed.
26.2 If Customer uses Services to process Biometric Data, Customer is responsible for: (i) providing notice to data subjects, including with respect to retention periods and destruction; (ii) obtaining consent from data subjects; and (iii) deleting the Biometric Data, all as appropriate and required under applicable Data Protection Legislation. For purposes of this section, “Biometric Data” will have the meaning set forth in Article 4 of the GDPR and, if applicable, equivalent terms in other Data Protection Legislation.
26.3 Neither the rights nor the obligations of any Party may be assigned in whole or in part without the prior written consent of the other Party, provided, however, that this DPA may be transferred or assigned in the event of a restructuring or change of control affecting a Party hereto.
26.4 In the event of any dispute arising between the Parties in connection with this DPA, the Parties shall negotiate in good faith to resolve their dispute. If the dispute cannot be resolved by good faith negotiations by the Parties, the dispute shall be finally settled by a public court relevant for the seat of the Supplier.
26.5 This DPA is governed by the laws of the State of Luxembourg, without reference to its rules governing conflicts of laws. Both parties hereby irrevocably submit any disputes under these Terms to the jurisdiction of the courts located in the State of Luxembourg.
26.6 Should any provision of this DPA be deemed invalid or unenforceable by a competent court, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
26.7 Any amendments to this DPA shall be made in writing, otherwise being null and void.
27 Definitions. Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. In this DPA, unless stated otherwise:
- “Affiliate” means any entity controlling, controlled by, or under common control with a Party, where “control” is defined as: (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.
- “Agreement” means the Services Agreement entered into between the Supplier and the Customer for the provision of Services by the Supplier to Customer.
- “Customer Data” means data submitted, stored, sent or received via the Services by Customer, its Affiliates or End Users. Customer Data may also include Personal Data sent or otherwise made available by Customer to Supplier and/or Supplier’s Affiliates where Customer uses Supplier Affiliates Solutions.
- “Customer Personal Data” means Personal Data contained within the Customer Data, as described in Appendix 1.
- “Data Incident” means a breach of Supplier’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Supplier. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- “Effective Date” means the date on which Customer and Supplier agreed to this DPA.
- “EEA” means the European Economic Area, as well as, for the purposes of this DPA, Switzerland and the United Kingdom.
- “End User” means natural persons authorized by Customer to access or use the Services, including Customer and Customer’s Affiliate personnel, employee, agent or contractor.
- “Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 25 September 2020 (Switzerland); and/or (c) the applicable data protection laws of the United Kingdom, as well as any data protection laws substantially amending, replacing or superseding the GDPR, the Federal Data Protection Act of Switzerland, the applicable data protection laws of the United Kingdom and/or other applicable European Union Member state domestic data protection or national/federal or state/provincial privacy legislation in force, including where applicable, statutes, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by competent court or Supervisory Authority, relating to the Processing of personal data and privacy.
- “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- “Non-European Data Protection Legislation” means any national/federal or state/provincial/emirate data protection or privacy legislation, other than the Data Protection Legislation.
- “Notification Email Address(es)” means the email address(es) designated by Customer to receive certain notifications from Supplier.
- “Standard Contractual Clauses” or “SCCs” means the standard data protection clauses for the transfer of personal data to third countries located outside EEA which do not ensure an adequate level of data protection, as (i) approved by the European Commission in the Implementing Decision (EU) 2021/914 of 4 June 2021 "on standard contractual clauses for transfer of personal data to third countries pursuant to GDPR" for the Restricted Transfers related to EU data subjects, as amended, replaced or superseded by any set of clauses approved by the European Commission, and as (ii) issued by the Information Commissioner's Office in accordance with S119A(1) of the Data Protection Act 2018 for Restricted Transfers related to UK data subjects and approved by the UK Parliament. The SCCs are enclosed as Appendix 4 for Restricted Transfers related to EU data subjects and enclosed in Appendix 5 for Restricted Transfers related to UK data subjects. Both appendices are part of this DPA when applicable.
- “Supplier’s Systems” means the computing and storage infrastructure contracted by Supplier to run the Services and to store the Customer Data. For the avoidance of doubt, Supplier’s Systems do not include Third-Party Service Provider Solution used by Customer and contracted by Customer, nor any of the Third Party Offerings.
- “Restricted Transfer” means (a) a transfer of Customer Personal Data from Customer to Supplier or Subprocessor, or (b) an onward transfer of Customer Personal Data from Supplier or Subprocessor to (or between two establishments of) Supplier or Subprocessor, in each case, being a transfer to a country outside the EEA, where such transfer would be prohibited by Data Protection Legislation in the absence of SCCs or other legal instruments required by Data Protection Legislation.
- “Subprocessor(s)” means third parties authorized by Processor under this DPA to have logical access to and process Customer Data on behalf of Customer in order to provide parts of the Services and related technical support, including Supplier’s Affiliates.
- “Security Measures” has the meaning given in Section 13 (Supplier Security Measures).
- “Services” means the services that are used and/or purchased by the Customer pursuant to the Agreement and any applicable Order Form and/or Statement of Work, which may include Yet Another Mail Merge, Form Publisher, Awesome Table (and the Awesome Table add-ons), Playengo, GPT for Work (GPT for Sheets™, GPT for Docs™, GPT in Excel™ and GPT in Microsoft Word™), including any update or replacement thereof and technical support provided by Supplier to Customer from time to time according to the terms of the Agreement. The Services do not include (i) Supplier Affiliates Solution that may have been separately licensed by Customer, (ii) any Third Party Offerings that may have been separately licensed by Customer, nor (iii) the Third-Party Service Provider Solution used by Customer.
- “Supplier Affiliates Solution” means any solution of software provided by one or more Supplier’s Affiliates, which supplements and/or are necessary to provide the Services performed by Supplier, that have either been (i) licensed by Customer from a Supplier’s Affiliate or (ii) licensed by Customer from Supplier.
- “Term” means the period from the Effective Date until the end of Supplier’s provision of the Services to Customer under the Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Supplier may continue providing the Services to Customer for transitional purposes.
- “Third-Party Service Provider Solution” means any solution or software on which all or part of the Services are performed by the Supplier, that have been separately licensed by Customer, as the case may be, from an unaffiliated Third-Party Service Provider. Third Party Service Providers Solutions may notably include Google, Microsoft and/or Meta solutions or software.
- The terms “Personal Data”, “Data Subject”, “Processing”, “Data Controller”, “Data Processor” and “Supervisory Authority” as used in this DPA have the meanings given to them in the GDPR, and the terms “Data Importer” and “Data Exporter” have the meanings given to them in the SCCs, in each case irrespective of whether the Data Protection Legislation or Non-European Data Protection Legislation applies.
Appendix 1 - Customer Personal Data Processing Details
Subject Matter | Supplier’s provision of the Services and related technical support to Customer. |
Categories of Data Subjects Categories of Data Subjects whose Personal Data will be Processed by Service Provider | Data Subjects whose Personal Data is provided to Supplier via the Services, by (or at the direction of) Customer or by End Users, including (a) End Users (including Customer’s employees and contractors); (b) Customer’s own customers, suppliers and subcontractors (and each of their personnel); and (c) any other person whose Personal Data is transmitted via the Services, including individuals collaborating and communicating with End Users. |
Categories of data Personal Data that will be Processed by Supplier | Personal Data that will be Processed by Supplier includes data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services, including third party services to which Customer grants access to Supplier,and may include the following categories of data: user IDs, first and last names, work contact details, location data, gender or title, age or date of birth, event attendance, emails, textual information used in document and document titles, description and other metadata, text and images to be displayed by the Services, audit log information, system log information and other data. As the case may be, subject to the relevant Agreement, special categories of personal data may be submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services. |
Location of Processing Operations Locations where the Personal Data will be Processed by Supplier | Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may be processed at Supplier’s locations situated in:
For support reasons only, Personal Data might be accessed at our support's agents’ locations, which include territories outside the US and EU. |
Purposes Purposes for which the Personal Data will be Processed by Supplier | Supplier will process Customer Personal Data identified above for the purposes of providing the Services and related technical support to Customer to provide insights, reporting, analytics and platform abuse, trust and safety monitoring, for the defense of its rights and to comply with any legally binding request for disclosure of Customer Data by a law enforcement authority, in accordance with this DPA. |
Duration of Processing The length of time for which Processing activities will be carried out Supplier | The applicable Term plus the period from expiry of such Term until deletion of all Customer Personal Data by Supplier in accordance with this DPA. |
Appendix 2 - Security Measures
1 As from the Effective Date, Supplier will implement and maintain the Security Measures set out in this Appendix 2 to the Data Processing Agreement. Supplier may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Supplier’s System and of the Services.
2 Regular tests, assessments and evaluations of the effectiveness of technical and organisational measures in order to ensure the security of the processing
In order to provide Customer with best in class security, privacy, and compliance controls, third party auditors assess Supplier platform, infrastructure, and operations and conduct penetration tests on a regular basis. Supplier also reviews new features for security and privacy impact before release to improve privacy by design.
In order to provide Customer with best in class security, privacy, and compliance controls, third party auditors assess Supplier platform, infrastructure, and operations and conduct penetration tests on a regular basis. Supplier also reviews new features for security and privacy impact before release to improve privacy by design.
3 Infrastructure security - Serverless architecture. Depending on the Services used by the Customer, Supplier uses Google Workspace, Google Cloud Platform (GCP) and/or Microsoft Azure (Azure) to host the Supplier’s Systems. All of the Supplier’s Systems are fully managed by Google and/or Microsoft, who are responsible for the physical and networking security of the Supplier’s Systems. Google’s security measures regarding the Google Workspace and GCP infrastructures are described on this page (Google Workspace) https://workspace.google.com/security/?secure-by-design_activeEl=data-centers and this page (Google Cloud Platform): https://cloud.google.com/security/
Microsoft’s security measures regarding the Azure infrastructures are described on this page: https://azure.microsoft.com/en-us/explore/security
Supplier does not run its own routers, load balancers, DNS servers, or physical servers. Supplier chose to partner with Google and Microsoft as providers of their Platform as a Service: Google Cloud Platform (GCP) and Microsoft Azure (Azure). Supplier application uses GCP and Azure as its back end.
Google Cloud Platform and Microsoft Azure provide state of the art services with Security at Their Core. All servers are updated on a regular basis to ensure Supplier has the latest security patches installed.
Microsoft’s security measures regarding the Azure infrastructures are described on this page: https://azure.microsoft.com/en-us/explore/security
Supplier does not run its own routers, load balancers, DNS servers, or physical servers. Supplier chose to partner with Google and Microsoft as providers of their Platform as a Service: Google Cloud Platform (GCP) and Microsoft Azure (Azure). Supplier application uses GCP and Azure as its back end.
Google Cloud Platform and Microsoft Azure provide state of the art services with Security at Their Core. All servers are updated on a regular basis to ensure Supplier has the latest security patches installed.
4 Personnel Security. Supplier personnel accessing Supplier’s Systems are authenticated via their Google Workspace account, protected by the same physical, networking and organizational measures as described in this Appendix. Supplier personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Supplier conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labour law and statutory regulations. All information, data and documents exchanged with Supplier support staff in this context is subject to strict confidentiality procedures and will not be disclosed. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Supplier’s confidentiality and privacy policies. Personnel are also required to undertake yearly training on privacy and data protection principles in compliance with the Data Protection Legislation. Supplier staff does not access any of Customer Personal Data unless Customer requests assistance for support purposes. Information resources are protected by the use of access control systems. Access to confidential information is only given to Supplier personnel on a need to know basis. Supplier employees are given the minimum necessary to perform their job responsibilities. The authorisation profile is defined by separating the tasks and area of responsibility, in order to restrict employees' access to the only data strictly necessary for fulfilling their responsibilities.
5 Encryption. Supplier uses bank level encryption from A - Z. Whenever Customer sends or retrieves data from the Services, the communication is always secured through HTTPS or WSS protocol.
Next to encrypting Customer Personal Data in transit, Supplier also encrypts Customer Personal Data at rest.
Supplier databases as well as all stored documents are encrypted, from the moment Supplier receives Customer Personal Data until Supplier deletes it.
Next to encrypting Customer Personal Data in transit, Supplier also encrypts Customer Personal Data at rest.
Supplier databases as well as all stored documents are encrypted, from the moment Supplier receives Customer Personal Data until Supplier deletes it.
6 Subprocessor Security. Before onboarding Subprocessors, Supplier conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to Customer Personal Data and the scope of the services they are engaged to provide. Once Supplier has assessed the risks presented by the Subprocessor, then subject always to the requirements set out in Section 22 (Subprocessors) of this Data Processing Agreement, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.
7 Data Protection Officer. The Data Privacy Officer of the Supplier can be contacted at: legal@talarian.io
Appendix 3 - Subprocessors
Supplier uses the following Subprocessors for the performance of the Services:
Entity name | Corporate location | Localisation of the processing | Relevant Services |
Google LLC or any of its affiliates(data hosting, Generative AI*) | USA | Us-central-1 (Iowa) | Awesome Table (and the Awesome Table add-ons) Form Publisher GPT for Work (GPT for Sheets™, GPT for Docs™, GPT in Excel™ and GPT in Microsoft Word™) Playengo Yet Another Mail Merge |
SendGrid, Inc. (automatic email notification) | USA | USA | Awesome Table (and the Awesome Table add-ons) Form Publisher Playengo Yet Another Mail Merge |
Zendesk, Inc. (support) | USA | USA/Asia Pacific/European Union | Awesome Table (and the Awesome Table add-ons) Form Publisher GPT for Work (GPT for Sheets™, GPT for Docs™, GPT in Excel™ and GPT in Microsoft Word™) Playengo Yet Another Mail Merge |
Microsoft Corporation or any of its affiliates (data hosting) | USA | Central US (Iowa) | GPT for Work (GPT for Sheets™, GPT for Docs™, GPT in Excel™ and GPT in Microsoft Word™) |
OpenAI OpCo, LLC or any of its affiliates (Generative AI*) | USA | Worldwide | GPT for Work (GPT for Sheets™, GPT for Docs™, GPT in Excel™ and GPT in Microsoft Word™) |
Anthropic, PBC or any of its affiliates (Generative AI*) | USA | Worldwide | GPT for Work (GPT for Sheets™, GPT for Docs™, GPT in Excel™ and GPT in Microsoft Word™) |
* Google LLC and/or OpenAI OpCo LLC and/or Anthropic, PBC are engaged for Generative AI purposes only to the extent (i) Customer is using GPT for Work through Talarian’s own API key(s) and (ii) chooses Google LLC and/or OpenAI OpCo LLC and/or Anthropic, PBC as AI Providers, as defined in the GPT for Work Terms of Service. If Customer is using GPT for Work through an API key Customer has set-up, these AI Providers are not considered Supplier’s Subprocessors in the context of this DPA.
Appendix 4
European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
This Appendix 4 applies to Restricted Transfers related to EU data subjects and includes 2 Modules:
- Module 2 of the SCCs applicable to Restricted Transfers of Customer Personal Data, whereby Customer acts as data controller and Supplier acts as data processor; and
- Module 3 of the SCCs is applicable to Restricted Transfers of Customer Personal Data, whereby Customer acts as a data processor and Supplier also acts as data processor.
MODULE 2
Controller to Processor
This Module 2 of the SCCs is applicable to the Restricted Transfers of Customer Personal Data whereby Customer acts as a controller and Supplier acts as a processor.
SECTION I
Clause 1 - Purpose and scope
a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1 for the transfer of personal data to a third country.
b. The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2 - Effect and invariability of the Clauses
a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3 - Third-party beneficiaries
a. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
b. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4 - Interpretation
a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
c. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5 - Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6 - Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 - Docking clause
a. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
b. Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
c. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8 - Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
a. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
b. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
a. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
b. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
d. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union4(in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
i the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
ii the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
iii the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
iv the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation
8.9 Documentation and compliance
a. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
b. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
c. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
d. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
e. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9 - Use of sub-processors
a. The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub processors at least thirty (30) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
b. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
c. The data importer shall provide, at the data exporter’s request, a copy of such a sub processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
d. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub processor to fulfil its obligations under that contract.
e. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10 - Data subject rights
a. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
b. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
c. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11 - Redress
a. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
b. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
c. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
d. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
e. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
f. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12 - Liability
a. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
b. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
c. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
d. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
e. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
f. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
g. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13 - Supervision
a. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
b. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14 - Local laws and practices affecting compliance with the Clauses
a. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
b. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
c. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
d. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
e. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
f. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15 - Obligations of the data importer in case of access by public authorities
15.1 Notification
a. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
b. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
c. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
d. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
e. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
a. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
b. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
c. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16 - Non-compliance with the Clauses and termination
a. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
b. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
c. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
d. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
e. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17 - Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Luxembourg.
Clause 18 - Choice of forum and jurisdiction
a. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
b. The Parties agree that those shall be the courts of Luxembourg.
c. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
d. The Parties agree to submit themselves to the jurisdiction of such courts.
MODULE 3
Processor to processor
This Module 3 of the SCCs is applicable to the Restricted Transfers of Customer Personal Data whereby Customer acts as a processor and Supplier also acts as a processor.
SECTION 1
Clause 1 - Purpose and scope
a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1 for the transfer of personal data to a third country.
b. The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2 - Effect and invariability of the Clauses
a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3 - Third-party beneficiaries
a. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
b. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4 - Interpretation
a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
c. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5 - Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6 - Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 - Docking clause
a. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
b. Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
c. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8 - Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
a. The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
b. The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
c. The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
d. The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
a. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
b. The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
d. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
i the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
ii the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
iii the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
iv the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
a. The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
b. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
c. The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
d. The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
e. Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
f. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
g. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9 - Use of sub-processors
a. The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of subprocessors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).
b. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
c. The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
d. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub processor to fulfil its obligations under that contract.
e. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10 - Data subject rights
a. The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
b. The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
c. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.
Clause 11 - Redress
a. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
b. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
c. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
d. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
e. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
f. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12 - Liability
a. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
b. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
c. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
d. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
e. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
f. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
g. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13 - Supervision
a. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
b. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14 - Local laws and practices affecting compliance with the Clauses
a. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
b. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
c. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
d. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
e. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). The data exporter shall forward the notification to the controller.
f. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the controller or the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15 - Obligations of the data importer in case of access by public authorities
15.1 Notification
a. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. The data exporter shall forward the notification to the controller.
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. The data exporter shall forward the notification to the controller.
b. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
c. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). The data exporter shall forward the information to the controller.
d. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
e. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
a. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
b. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. The data exporter shall make the assessment available to the controller.
c. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16 - Non-compliance with the Clauses and termination
a. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
b. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
c. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority and the controller of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority and the controller of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
d. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
e. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17 - Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Luxembourg.
Clause 18 - Choice of forum and jurisdiction
a. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
b. The Parties agree that those shall be the courts of Luxembourg.
c. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
d. The Parties agree to submit themselves to the jurisdiction of such courts.
ANNEX I (applicable to MODULE 2 and MODULE 3)
A. LIST OF PARTIES
Data exporter:
1. Customer as data exporter (MODULE 2)
Name: Customer, as defined in the Agreement
Address: Customer’s address, as defined in the Agreement
Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement
Role: Controller
2. Customer as data exporter (MODULE 3)
Name: Customer, as defined in the Agreement
Address: Customer’s address, as defined in the Agreement
Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement
Role: Processor
Data importer (MODULE 2 and MODULE 3):
Name: Talarian S.à.r.l.
Address: 30 Bd Grande-Duchesse Charlotte, L-1330 Luxembourg
Contact person’s name, position and contact details: Stanislas Marion, CEO, legal@talarian.io
Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement
Role: Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
Categories of personal data transferred
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Transfer is made on a continuous basis.
Nature of the processing.
All kind of processings as defined in article 4(2) of the GDPR, meaning any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose(s) of the data transfer and further processing
Transfer and processing of Customer Personal Data by importer for the provision of Services in accordance with Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
Purpose(s) for which the personal data is processed on behalf of the controller
Processing of Customer Personal Data by importer for the provision of Services in accordance with Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Appendix 3 (“Subprocessors”) of the DPA and ANNEX III of the SCCs (“LIST OF SUB-PROCESSORS”).
Processing will take place during the applicable Term, as defined in the Data Processing Agreement, plus the period from expiry of such Term until deletion of all Customer Personal Data by Supplier in accordance with the Data Processing Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
CNPD (Luxembourg)
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA (applicable to MODULE 2 and MODULE 3)
Technical and organisation measures including technical and organisational measures to ensure the security of the data are detailed in Appendix 2 (Security Measures) of the Data Processing Agreement.
ANNEX III – LIST OF SUB-PROCESSORS (applicable to MODULE 2 and MODULE 3)
The controller has authorised the use of the following sub-processors:
1. Name: Google LLC or any of its affiliates
Address: 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
Contact person’s name, position and contact details: Privacy Officer privacy@google.com
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): data hosting and Generative AI
2. Name: SendGrid, Inc.
Address: 375 Beale Street, Suite 300, San Francisco, CA 94105, USA
Contact person’s name, position and contact details: DPO, dpo@sendgrid.com
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): workflow automatic email notification
3. Name: Zendesk, Inc.
Address: 989 Market St, San Francisco, CA 94103, USA
Contact person’s name, position and contact details: DPO, privacy@zendesk.com
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): support
4. Name: Microsoft Corporation or any of its affiliates
Address: 1 Microsoft Way, Redmond, Washington
Contact person’s name, position and contact details: Microsoft EU Data Protection Officer, +353 (1) 706-3117
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): data hosting
5. Name: OpenAI OpCo, LLC or any of its affiliates
Address: 3180 18th St., San Francisco, CA 94110, USA
Contact person’s name, position and contact details: Sheila Dunning, Head of Commercial Legal, privacy@openai.com
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Generative AI (OpenAI API)
6. Name: Anthropic, PBC or any of its affiliates
Address: 548 Market St, PMB 90375, San Francisco, CA 94104, USA
Contact person’s name, position and contact details: privacy@anthropic.com
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Generative AI (Anthropic API)
Appendix 5 - Transfers from the United-Kingdom (UK Addendum)
This appendix is applicable when personal data is transferred from the United Kingdom to a third country which does not ensure an adequate level of data protection pursuant to UK GDPR.
Part 1: Tables
Table 1: Parties
Start date | The date on which Exporter and Importer agreed to the DPA (i.e. the Effective Date). | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | Full legal name: Customer, as defined in the Agreement Trading name (if different): Main address (if a company registered address): Customer’s address, as defined in the Agreement Official registration number (if any) (company number or similar identifier): Customer’s official registration number, as defined in the Agreement | Full legal name: Talarian S.à.r.l. Trading name (if different): Main address (if a company registered address): 30 Bd Grande-Duchesse Charlotte, L-1330 Luxembourg Official registration number (if any) (company number or similar identifier): |
Key Contact | Full Name (optional): As provided by the Customer by email to legal@talarian.io Job Title: As provided by the Customer by email to legal@talarian.io Contact details including email: As provided by the Customer by email to legal@talarian.io | Full Name (optional): Job Title: DPO Contact details including email: legal@talarian.io |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | ☐ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: Reference (if any): Other identifier (if any): Or ☒ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: |
Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
1 | ||||||
2 | X | X | X | General Authorisation | 30 days | |
3 | X | X | X | General Authorisation | 30 days | |
3 |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: See Appendix 4, Annex I, A. of the DPA
Annex 1B: Description of Transfer: See Appendix 4, Annex I, B. of the DPA
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Appendix 4, Annex II of the DPA
Annex III: List of Sub processors (Modules 2 and 3 only): See Appendix 4, Annex III of the DPA
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☒ Importer ☒ Exporter ☐ neither Party |
Part 2: Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. | |
Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information. | |
Appendix Information | As set out in Table 3. | |
Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. | |
Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. | |
Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. | |
ICO | The Information Commissioner. | |
Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. | |
UK | The United Kingdom of Great Britain and Northern Ireland. | |
UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. | |
UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.