Data processing agreement

Last update: 24 September 2021
1 The customer agreeing to these terms (“Customer”), and Awesome Gapps SARL (Supplier), have entered into an agreement under which Supplier has agreed to provide certain Services, which may be amended from time to time (the “Agreement”).
2 This Data Processing Agreement and its appendices (the “DPA”), which is between Supplier and Customer (each, a “Party”, and together, “the Parties”), forms part of the Agreement and is the Parties’ agreement related to Supplier’s processing of Customer Personal Data. This DPA might be updated from time to time and will be effective and replace any previously applicable data processing agreement as from the Effective Date (as defined below). To the extent of any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, the terms of this DPA will govern. Definitions are provided in Section 26.
3 The Parties acknowledge and agree that (a) under the Data Protection Legislation, Supplier is a Data Processor of Customer Personal Data listed in Appendix 1, (b) Customer subscribing to Supplier's services may be a Data Controller or Data Processor, as applicable, of Customer Personal Data and (c) each Party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of that Customer Personal Data.
4 Details on categories of data processed and data subjects concerned, Processing operations, location of Processing, and purpose and duration of Processing are provided in Appendix 1.
5 Duration. This DPA will take effect on the Agreement Effective Date and, notwithstanding expiry of the Term, remains in effect until, and automatically expire upon, deletion of all Customer Personal Data by Supplier as described in this DPA.
6 Scope. The Parties acknowledge and agree that the Data Protection Legislation will apply to the Processing of Customer Personal Data if: (a) the Processing is carried out in the context of the activities of an establishment of Customer in the territory of the EEA/Switzerland; and/or (b) the Customer Personal Data relates to Data Subjects who are in the EEA/ Switzerland and the Processing relates to the offering of goods or services in the EEA or the monitoring of their behaviour in the EEA.
7 Non-European Data Protection Legislation. The Parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the Processing of Customer Personal Data. Except to the extent this DPA states otherwise, the terms of this DPA will apply irrespective of whether the Data Protection Legislation or Non-European Data Protection Legislation applies to the Processing of Customer Personal Data by Supplier. If Non-European Data Protection Legislation applies to either Party’s Processing of Customer Personal Data, the Parties acknowledge and agree that the relevant Party will comply with any obligations applicable to it under that legislation with respect to the Processing of that Customer Personal Data.
8 Third-party Data Controller. If the Data Protection Legislation applies to the Processing of Customer Personal Data and Customer is a Data Processor acting under the instructions of a third-party Data Controller, Customer warrants to Supplier that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment as Data Processor have been authorized by the Third Party Data Controller and shall provide evidence thereof, at Supplier’s request.
9 Customer’s Instructions. By entering into this DPA, Customer instructs Supplier to Process Customer Personal Data only in accordance with the Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable: (a) to provide the Services and related technical support; (b) as further specified by Customer or required by Customer’s use of the Services and related technical support; (c) as documented in the form of the Agreement, including this DPA; and (d) as further documented in any other legitimate and written instructions given by Customer and acknowledged by Supplier as constituting instructions for purposes of this DPA. As from the Effective Date, Supplier will comply with the Customer’s instructions provided in this Section, including with regard to Personal Data transfers, in accordance with Section 21. Supplier shall not process, transfer, modify, amend or alter Customer Personal Data or disclose or permit the disclosure of the Customer Personal Data to any third-party other than in accordance with the Customer’s instructions (whether in the Agreement or otherwise) unless EU law or EU Member State law to which Processor is subject requires other Processing of Customer Personal Data by Supplier, in which case Supplier will inform Customer prior to implement the Processing (unless that law prohibits Processor from doing so on important grounds of public interest) via the Notification Email Address. Supplier agrees to immediately inform the Customer if, in its opinion, an instruction infringes the applicable Data Protection Legislation.
10 Deletion During Term. Supplier will enable Customer to delete Customer Personal Data during the Term in a manner consistent with the functionality of the Services. If Customer or an End User uses the Services to delete any Customer Personal Data during the Term and the Customer Personal Data cannot be recovered by Customer or an End User, this use will constitute a Customer’s Instruction to Supplier to delete the relevant Customer Personal Data from Supplier’s Systems in accordance with applicable Data Protection Legislation. Supplier will comply with this instruction as soon as reasonably practicable and within a maximum period of 90 days, unless EU or EU Member State law requires or justifies that such Personal Data be retained by Supplier for a longer period of time.
11 Deletion on Term Expiry. Subject to Section 12 (Deferred Deletion Instructions), upon expiry of the Term, Customer shall instruct Supplier to delete all Customer Personal Data (including existing copies) from Supplier’s Systems in accordance with applicable Data Protection Legislation. Processor will comply with this Instruction as soon as reasonably practicable and within a maximum period of 90 days, unless EU or EU Member State law requires or justifies that such Customer Personal Data be retained by Processor for a longer period of time. Without prejudice to Section 20 (Data Subjects Rights and Requests) Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards.
12 Deferred Deletion Instruction. To the extent any Customer Personal Data covered by the deletion instruction described in Section 11 (Deletion on Term Expiry) is also processed, when the Term under Section 11 expires, in relation to an agreement between Customer and Supplier having a continuing Term, such deletion instruction will only take effect with respect to such Customer Personal Data when the continuing Term expires. For clarity, in the event of a Deferred Deletion Instruction, this DPA will continue to apply to such Customer Personal Data until its deletion by Supplier.
13 Supplier Security Measure. Supplier will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to help ensure ongoing confidentiality, integrity, availability and resilience of Supplier’s Systems, restore timely access to Customer Personal Data following a Data Incident and regular testing of effectiveness. Supplier may update or modify the Security Measures in Appendix 2 from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services or Supplier’s Systems. Customer acknowledges that Customer Data will be hosted in a Third-Party Service Provider data centres, by Third-Party Service Provider and/or one or more of its affiliated entities (collectively, “Third-Party Service Providers”) (and not by the Supplier) and, as a consequence, that most of the technical and organisational security measures relating to the Customer Personal Data (as notably referred to in Appendix 2) will be provided by the applicable Third-Party Service Providerunder its own liability. Accordingly, and notwithstanding any other provision in the Agreement, the Supplier disclaims any and all responsibility in relation to any acts and/or omission of Third-Party Service Provider, including notably (without limitation) for such Third-Party Service Provider’s technical and organisational security measures as listed for information purposes only and without any representation in Appendix 2. Customer agrees to disclaim Supplier’s liability, in the event of any non-compliance of the Third-Party Service Provider under the applicable agreement.
14 Security Compliance by Processor. Supplier will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, agents and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that such personnel has undertaken appropriate training in accordance with the Data Protection Legislation.
15 Processor Security Assistance. Customer agrees that Supplier will (taking into account the nature of the Processing of Customer Personal Data and the information available to Supplier) assist Customer in ensuring compliance with Customer’s obligations in respect of security of Customer Personal Data and Customer Personal Data breaches, in particular in the event of a Data Incident, including if applicable Customer’s obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) implementing and maintaining the Security Measures in accordance with Section 13 (Supplier’s Security Measures); (b) complying with the terms of Section 16 (Data Incidents).
16 Data Incidents. If Supplier becomes aware of a Data Incident, Supplier will: (a) notify Customer of the Data Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Personal Data. Notifications will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Supplier recommends Customer to take to address the Data Incident. Notification(s) of any Data Incident(s) will be delivered to the Notification Email Address or, at Supplier’s discretion, by direct communication (for example, by phone call or an in- person meeting). Customer is solely responsible for ensuring that the Notification Email Address is current and valid at any time. Supplier will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with notification obligations provided by Data Protection Legislation or Non-European Data Protection Legislation, as applicable to Customer, and fulfilling any third party notification obligations related to any Data Incident(s). Supplier’s notification of or response to a Data Incident under this Section 16 (Data Incidents) will not be construed as an acknowledgement by Supplier of any fault or liability with respect to the Data Incident.
17 Customer’s Security Responsibilities and Assessment. Customer agrees that, without prejudice to Supplier’s obligations under Sections 13-15 (Supplier’s Security Measures, Security Compliance by Processor, Processor Security Assistance) and Section 16 (Data Incidents): (a) Customer is solely responsible for its use of the Services, including: (i) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (ii) securing the account authentication credentials, systems and devices Customer uses to access the Services; and (iii) backing up Customer Data; and (b) Supplier has no obligation to protect Customer Data that Customer elects to store or transfer outside of Processor’s and its Subprocessors’ systems (for example, offline or on-premise storage, or Customer’s Third- Party Service Provider). Customer is solely responsible for evaluating whether the Services, the Security Measures and Supplier’s commitments under Sections 13-17 meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Supplier as set out in Section 13 (Supplier’s Security Measures) and Appendix 2 provide a level of security appropriate to the risk in respect of the Customer Data.
18 Audits of compliance. If the Data Protection Legislation applies to the Processing of Customer Personal Data, Supplier will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Supplier’s compliance with its obligations relating to Customer Personal Data under this DPA. Supplier will contribute to such audits as described in this Section 18 (Audits of Compliance). If Customer decides to conduct an audit as described above, then Customer shall bear all costs and expenses connected therewith, including but not limited to the auditors' fees, costs of transport, legal fees. If Customer has entered into Model Contract Clauses as described in Section 21 (Personal Data Transfer),Supplier will, without prejudice to any audit rights of a Supervisory Authority under such Model Contract Clauses, allow Customer or an independent auditor appointed by Customer to conduct audits as described in the Model Contract Clauses. In any event, any audit mandated by Customer pursuant to this Section 18 shall not impair or otherwise trouble Supplier’s usual course of business.
19 Impact Assessments and Consultations. Customer agrees that Supplier will (taking into account the nature of the Processing and the information available to Processor) provide Customer with reasonable assistance in ensuring compliance with any obligations of Customer relating to Customer Personal Data in respect of data protection impact assessments and prior consultation, including if applicable Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, to the extent necessary information is available to Supplier.
20 Data Subject Rights and Request. During the Term, Supplier will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict Processing of Customer Personal Data, or erase Customer Personal Data, as applicable, including via the deletion functionality provided by Supplier as described in Section 10 (Deletion During Term), and to export Customer Personal Data, as required by Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. During the Term, if Supplier receives any request from a Data Subject in relation to Customer Personal Data, Supplier will advise the Data Subject to submit his/her request to Customer or directly report such request to Customer using the Notification Email Address or any other communication channel, and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Customer agrees that (taking into account the nature of the Processing of Customer Personal Data) Supplier will provide Customer with reasonable assistance in fulfilling any obligation to respond to requests by Data Subjects, including if applicable Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR, by complying with the commitments set out in this Section 20, to the extent Supplier is able to respond to such requests.
21 Personal Data Transfer. Customer acknowledges and agrees that Supplier may, subject to this Section 21 (Personal Data Transfer), store and process Customer Data in the United States and any other country outside the EEA in which Supplier or Subprocessors maintain facilities. If the storage and/or Processing of Customer Personal Data involves a Restricted Transfer, Supplier and Customer hereby agree to enter into the applicable Model Contract Clauses enclosed in Appendix 4 or Appendix 5 as applicable, and such terms are hereby incorporated by reference into this DPA. To the extent there is any conflict between any term of the Model Contract Clauses and any other part of this DPA or the TOS Agreement, the term of the Model Contract Clauses shall prevail. Any Restricted Transfers shall be made in accordance with such Model Contract Clauses. Supplier will impose under a written agreement the same obligations on the Subprocessors, if any, as are imposed on the Processor under this DPA and the Model Contract Clauses. Where the Subprocessor fails to fulfil its data protection obligations under such written agreement, the Supplier shall remain fully liable to the Customer for the performance of the Subprocessor's obligations under such agreement. In addition, where provision of the Services involves a Restricted Transfer from the Supplier to a Subprocessor located outside EU, Customer (on behalf of itself and its relevant Affiliates) mandates Supplier, which mandate Supplier hereby accepts, to promptly enter, on Customer's own name and behalf as Data Exporter (Subprocessor being the Data Importer), into a Data processing agreement with any Subprocessor engaged by Supplier in such Restricted Transfer, before such Subprocessor first Processes Customer Personal Data, so as to ensure that any such Restricted Transfer complies with the Data Protection Legislation. Such Data processing agreement shall (a) meet the conditions set out in Article 28 of the GDPR and offer at least the same level of protection for Customer Personal Data as those set out in this DPA and (b) incorporate Model Contract Clauses. When Supplier uses Third Party Service Provider Cloud Platform to host and/or provide the Services, information about the locations of Supplier’s Third Party Service Providers’ data centers is available at the Third Party Service Providers’ pages specifying servers locations and may be updated by the Third Party Service Provider from time to time. If Customer has entered into Model Contract Clauses as described in this Section 21 (Personal Data Transfer), Supplier will, notwithstanding any term to the contrary in the Agreement, ensure that any disclosure of Customer Personal Data, and any notifications relating to any such disclosures, will be made in accordance with such Model Contract Clauses. If at any time, a Supervisory Authority or a court with competent jurisdiction over a Party mandates that transfers from Controllers /Processors in the EU or the UK to Processors established outside the EU or the UK must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the Parties shall work together in good faith to implement such safeguards and ensure that any transfer of Customer Personal Data is conducted with the benefit of such additional safeguards. In the same manner, if any Supervisory Authority adopts revised standard contractual clauses for the matters addressed in this DPA and Customer notifies Supplier that it wishes to incorporate any element of those standard contractual clauses into this DPA, Supplier and Customer may agree to amend this DPA to incorporate any proposed changes as reasonably required by the newly adopted standard contractual clauses. In the event that the Model Contract Clauses enclosed in Appendix 4 and Appendix 5 are deemed to no longer be a valid transfer mechanism to legitimate Restricted Transfers, Supplier and Customer may agree to amend this DPA in order to establish a legitimate transfer of Customer Personal Data outside the EEA.
22 Subprocessors. Customer hereby specifically authorizes the engagement of Supplier’s Affiliates as Subprocessors pursuant to the Agreement and for the Term. In addition, Customer hereby generally authorizes the engagement of any other third parties as Subprocessors (“Third-Party Subprocessors”), subject to Supplier’s compliance with this Section 22. Customer hereby authorizes all “Subprocessors” listed in Appendix 3. If Customer has entered into Model Contract Clauses as described in Section 21 (Personal Data Transfer), the above authorizations will constitute Customer’s prior written consent to the subcontracting by Supplier of the Processing of Customer Personal Data if such consent is required under the Model Contract Clauses and Data Protection Legislation and/or Non-European Data Protection Legislation, as applicable. Information about Subprocessors is available in Appendix 3 and may be updated by Supplier from time to time in accordance with this DPA. When engaging any Subprocessor, Supplier will: (a) ensure via a written legal instrument or contract that: (i) the Subprocessor only accesses and processes Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this DPA) and any Model Contract Clauses entered into as described in Section 21 (Personal Data Transfer), as applicable; and (ii) if the GDPR applies to the Processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this DPA, are mandated by said legal instrument or contract on the Subprocessor; and (b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor. When any Third- Party Subprocessor not listed in Appendix 3 at the Agreement Effective Date is engaged during the Term, Supplier will, at least thirty (30) days before the new Third-Party Subprocessor processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Third- Party Subprocessor and the activities it will perform) by sending an email to the Notification Email Address. Customer may object to any new Third-Party Subprocessor by terminating the Agreement immediately upon written notice to Supplier, provided that Customer sends such notice within thirty (30) days of being informed of the engagement of the Third-Party Subprocessor. This termination right is Customer’s sole and exclusive remedy if Customer objects to any new Third-Party Subprocessor
23 Processing Records. Customer acknowledges that Supplier is required under the GDPR to: (a) collect and maintain records of certain information, including the name and contact details of any Data Processor and/or Data Controller on behalf of which Processor is acting and, where applicable, of such Data Processor’s or Data Controller's local representative and data protection officer, as well as the categories of Processing carried out on behalf of each Data Controller, where possible a general description of the technical and organisational security measures; and (b) make such information available to the Supervisory Authorities.
24 California Consumer Privacy Act (CCPA). To the extent that the CCPA applies to the collection, retention, use, and disclosure of Customer's Personal Information (as defined in the CCPA) to provide the Service to Customer pursuant to the Agreement, the Parties acknowledge and agree that Supplier does not receive any Personal Information from Customer (“Licensee Personal Information”) as consideration for the Services or other items provided by Supplier to Customer. Except as expressly set forth in the Agreement, Supplier shall not (a) have, derive or exercise any rights or benefits regarding Customer Personal Information, (b) Sell Customer Personal Information, or (c) collect, retain, share or use Customer Personal Information except as necessary for the sole purpose of performing the Services and professional services connected therewith if applicable or as otherwise permitted under the CCPA. Supplier agrees to refrain from taking any action that would cause any transfers of Customer Personal Information, either to Supplier or from Supplier, to qualify as a Sale of Personal Information under the CCPA. Supplier understands and will comply with the restrictions set forth in this Section and the applicable requirements of the CCPA. For the purposes of this Section, Supplier is a Service Provider and the terms “Personal Information”, “Sell”, “Sale”, and “Service Provider” shall have the same meaning as in the CCPA.
25 Agreed Liability Cap. The cap of liability set forth in the Agreement governing the provision of Services to which this DPA is part applies to any violation of the provisions of this DPA or any damage which may result from the Supplier's or its Affiliate's non-compliance with Data Protection Legislation. Nothing in this Section 25 (Agreed Liability Cap) will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
26 Miscellaneous.
26.1 Neither the rights nor the obligations of any Party may be assigned in whole or in part without the prior written consent of the other Party, provided, however, that this DPA may be transferred or assigned in the event of a restructuring or change of control affecting a Party hereto.
26.2 In the event of any dispute arising between the Parties in connection with this DPA, the Parties shall negotiate in good faith to resolve their dispute. If the dispute cannot be resolved by good faith negotiations by the Parties, the dispute shall be finally settled by a public court relevant for the seat of the Supplier.
26.3 This DPA is governed by the laws of the State of Luxembourg, without reference to its rules governing conflicts of laws. Both parties hereby irrevocably submit any disputes under these Terms to the jurisdiction of the courts located in the State of Luxembourg.
26.4 Should any provision of this DPA be deemed invalid or unenforceable by a competent court, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
26.5 Any amendments to this DPA shall be made in writing, otherwise being null and void.
27 Definitions. Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. In this DPA, unless stated otherwise:
  • Affiliate” means any entity controlling, controlled by, or under common control with a Party, where “control” is defined as: (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.
  • Agreement” means the Services Agreement entered into between the Supplier and the Customer for the provision of Services by the Supplier to Customer.
  • Agreed Liability Cap” means the maximum monetary or payment-based amount at which a Party’s liability is capped under the Agreement, either per annual period or event giving rise to liability, as applicable.
  • Customer Data” means data submitted, stored, sent or received via the Services by Customer, its Affiliates or End Users. Customer Data may also include Personal Data sent or otherwise made available by Customer to Supplier and/or Supplier’s Affiliates where Customer uses Supplier Affiliates Solutions.
  • Customer Personal Data” means Personal Data contained within the Customer Data, as described in Appendix 1.
  • Data Incident” means a breach of Supplier’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Supplier. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
  • Effective Date” means the date on which Customer and Supplier agreed to this DPA, and is the Agreement Effective Date.
  • EEA” means the European Economic Area.
  • End User” means natural persons authorized by Customer to access or use the Services, including Customer and Customer’s Affiliate personnel, employee, agent or contractor.
  • Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland) as well as any data protection laws substantially amending, replacing or superseding the GDPR, the Federal Data Protection Act of Switzerland and/or other applicable European Union Member state domestic data protection or national/federal or state/provincial privacy legislation in force, including where applicable, statutes, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by competent court or Supervisory Authority, relating to the Processing of personal data and privacy.
  • GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
  • Model Contract Clauses” or “MCCs” means the standard data protection clauses for the transfer of personal data to third countries located outside EEA which do not ensure an adequate level of data protection, as approved by the European Commission in Decision 2010/87/EU, for Restricted Transfers for UK data subjects or in the Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the Restricted Transfers for EU data subjects, as amended, replaced or superseded by any set of clauses approved by the European Commission. The Model Contract Clauses are enclosed as Appendix 4 for Restricted Transfers related to EU data subjects and enclosed in Appendix 5 for Restricted Transfers related to UK data subjects. Both appendices are part of this DPA when applicable.
  • Non-European Data Protection Legislation” means any national/federal or state/provincial/emirate data protection or privacy legislation, other than the Data Protection Legislation.
  • Notification Email Address(es)” means the email address(es) designated by Customer to receive certain notifications from Supplier.
  • Supplier’s Systems” means the computing and storage infrastructure contracted by Supplier to run the Services and to store the Customer Data. For the avoidance of doubt, Supplier’s Systems do not include Third-Party Service Provider Solution used by Customer and contracted by Customer, nor any of the Third Party Offerings.
  • Restricted Transfer” means (a) a transfer of Customer Personal Data from Customer to Supplier or Subprocessor, or (b) an onward transfer of Customer Personal Data from Supplier or Subprocessor to (or between two establishments of) Supplier or Subprocessor, in each case, being a transfer to a country outside the EEA, where such transfer would be prohibited by European Data Protection Legislation in the absence of Model Contract Clauses or other legal instruments required by European Data Protection Legislation.
  • Subprocessor(s)” means third parties authorized by Processor under this DPA to have logical access to and process Customer Data on behalf of Customer in order to provide parts of the Services and related technical support, including Supplier’s Affiliates.
  • Security Measures” has the meaning given in Section 13 (Supplier Security Measures).
  • Services” means the services that have been purchased by the Customer pursuant to the Agreement and any applicable Order Form, which may include Yet Another Mail Merge, Form Publisher and Awesome Table (and the Awesome Table add-ons), including any update or replacement thereof and technical support provided by Supplier to Customer from time to time. The Services do not include (i) Supplier Affiliates Solution that may have been separately licensed by Customer, (ii) any Third Party Offerings that may have been separately licensed by Customer, nor (iii) the Third-Party Service Provider Solution used by Customer.
  • Supplier Affiliates Solution” means any solution of software provided by one or more Supplier’s Affiliates, which supplements and/or are necessary to provide the Services performed by Supplier, that have either been (i) licensed by Customer from a Supplier’s Affiliate or (ii) licensed by Customer from Supplier.
  • The terms “Personal Data”, “Data Subject”, “Processing”, “Data Controller”, “Data Processor” and “Supervisory Authority” as used in this DPA have the meanings given to them in the GDPR, and the terms “Data Importer” and “Data Exporter” have the meanings given to them in the Model Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.
  • Term” means the period from the Agreement Effective Date until the end of Supplier’s provision of the Services to Customer under the Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Supplier may continue providing the Services to Customer for transitional purposes.
  • Third-Party Service Provider Solution” means any solution or software on which all or part of the Services are performed by the Supplier, that have been separately licensed by Customer, as the case may be, from an unaffiliated Third-Party Service Provider. Third Party Service Providers Solutions may notably include Google, Microsoft and/or Facebook solutions or software.

Appendix 1 - Customer Personal Data Processing Details

Subject Matter
Supplier’s provision of the Services and related technical support to Customer.
Categories of Data Subjects
Categories of Data Subjects whose Personal Data will be Processed by Service Provider
Data Subjects whose Personal Data is provided to Supplier via the Services, by (or at the direction of) Customer or by End Users, including (a) End Users (including Customer’s employees and contractors); (b) Customer’s own customers, suppliers and subcontractors (and each of their personnel); and (c) any other person whose Personal Data is transmitted via the Services, including individuals collaborating and communicating with End Users.
Categories of data
Personal Data that will be Processed by Supplier
Personal Data that will be Processed by Supplier includes data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services, and may include the following categories of data: user IDs, first and last names, work contact details, location data, gender or title, age or date of birth, event attendance, emails, textual information used in document and document titles, description and other metadata, text and images to be displayed by such services, audit log information, system log information and other data. As the case may be, special categories of personal data may be submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services.
Location of Processing Operations
Locations where the personal data will be Processed by Supplier
Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may be processed at Supplier’s locations situated at:
  • France
  • USA
  • Italy
Purposes
Purposes for which the Personal Data will be Processed by Supplier
Supplier will process Customer Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services for the purposes of providing the Services and related technical support to Customer in accordance with this DPA.
Duration of processing
The length of time for which Processing activities will be carried out Supplier
The applicable Term plus the period from expiry of such Term until deletion of all Customer Personal Data by Supplier in accordance with this DPA.

Appendix 2 - Security Measures

1 As from the Agreement Effective Date, Supplier will implement and maintain the Security Measures set out in this Appendix 2 to the Data Processing Agreement. Supplier may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Supplier’s System and of the Services.
2 Regular tests, assessments and evaluations of the effectiveness of technical and organisational measures in order to ensure the security of the processing
In order to provide Customer with best in class security, privacy, and compliance controls, third party auditors assess Supplier platform, infrastructure, and operations and conduct penetration tests on a regular basis. Supplier also reviews new features for security and privacy impact before release to improve privacy by design.
3 Infrastructure security - Serverless architecture. Supplier uses Google Workspace and Google Cloud Platform (GCP) to host the Supplier’s Systems. All of the Supplier’s Systems are fully managed by Google, who is responsible for the physical and networking security of the Supplier’s Systems. Google’s security measures regarding the Google Workspace and GCP infrastructures are described on this page (Google Workspace) https://workspace.google.com/security/?secure-by-design_activeEl=data-centers and this page (Google Cloud Platform): https://cloud.google.com/security/
Supplier does not run its own routers, load balancers, DNS servers, or physical servers. Supplier chose to partner with Google as a provider of their Platform as a Service: Google Cloud Platform (GCP). Supplier application uses GCP as its back end.
Google Cloud Platform provides state of the art services with Security at Its Core. All servers are updated on a regular basis to ensure Supplier has the latest security patches installed.
4 Personnel Security. Supplier personnel accessing Supplier’s Systems are authenticated via their Google Workspace account, protected by the same physical, networking and organizational measures as described in this Appendix. Supplier personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Supplier conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labour law and statutory regulations. All information, data and documents exchanged with Supplier support staff in this context is subject to strict confidentiality procedures and will not be disclosed. Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Supplier’s confidentiality and privacy policies. Personnel are also required to undertake yearly training on privacy and data protection principles in compliance with the Data Protection Legislation. Supplier staff does not access any of Customer Personal Data unless Customer requests assistance for support purposes. Information resources are protected by the use of access control systems. Access to confidential information is only given to Supplier personnel on a need to know basis. Supplier employees are given the minimum necessary to perform their job responsibilities. The authorisation profile is defined by separating the tasks and area of responsibility, in order to restrict employees' access to the only data strictly necessary for fulfilling their responsibilities.
5 Encryption. Supplier uses bank level encryption from A - Z. Whenever Customer sends or retrieves data from the Services, the communication is always secured through HTTPS or WSS protocol.
Next to encrypting Customer Personal Data in transit, Supplier also encrypts Customer Personal Data at rest. Supplier databases as well as all stored documents are encrypted, from the moment Supplier receives Customer Personal Data until Supplier deletes it.
6 Subprocessor Security. Before onboarding Subprocessors, Supplier conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to Customer Personal Data and the scope of the services they are engaged to provide. Once Supplier has assessed the risks presented by the Subprocessor, then subject always to the requirements set out in Section 22 (Subprocessors) of this Data Processing Agreement, the Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.
7 Data Protection Officer. The Data Privacy Officer of the Supplier can be contacted at: legal@talarian.io

Appendix 3 - Subprocessors

Supplier uses the following Subprocessors for the performance of the Services:
Entity name
Corporate location
Google Ireland Limited (hosting)
Ireland

Appendix 4

European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679
This Appendix 4 applies to Restricted Transfers related to EU data subjects and includes 2 Modules:
  • Module 2 of the MCCs applicable to Restricted Transfers of Customer Personal Data, whereby Customer acts as data controller and Supplier acts as data processor; and
  • Module 3 of the MCCs is applicable to Restricted Transfers of Customer Personal Data, whereby Customer acts as a data processor and Supplier also acts as data processor.

MODULE 2

Controller to Processor

This Module 2 of the MCCs is applicable to the Restricted Transfers of Customer Personal Data whereby Customer acts as a controller and Supplier acts as a processor.

SECTION I

Clause 1 - Purpose and scope

a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1 for the transfer of personal data to a third country.
b. The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2 - Effect and invariability of the Clauses

a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3 - Third-party beneficiaries

a. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
b. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4 - Interpretation

The Data Exporter agrees and warrants:
a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
c. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5 - Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6 - Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Docking clause

a. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
b. Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
c. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8 - Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
a. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
b. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
a. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
b. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
d. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union4(in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
i the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
ii the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
iii the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
iv the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation
8.9 Documentation and compliance
a. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
b. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
c. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
d. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
e. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9 - Use of sub-processors

a. The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub processors at least thirty (30) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
b. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
c. The data importer shall provide, at the data exporter’s request, a copy of such a sub processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
d. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub processor to fulfil its obligations under that contract.
e. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10 - Data subject rights

a. The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
b. The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
c. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11 - Sub-Processing

a. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
b. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
c. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
d. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
e. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
f. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12 - Liability

a. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
b. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
c. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
d. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
e. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
f. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
g. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13 - Supervision

a. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority. Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
b. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14 - Local laws and practices affecting compliance with the Clauses

a. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
b. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
c. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
d. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
e. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
f. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15 - Obligations of the data importer in case of access by public authorities

15.1 Notification
a. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
b. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
c. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
d. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
e. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
a. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
b. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
c. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16 - Non-compliance with the Clauses and termination

a. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
b. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
c. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
d. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
e. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17 - Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Luxembourg.

Clause 18 - Choice of forum and jurisdiction

a. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
b. The Parties agree that those shall be the courts of Luxembourg.
c. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
d. The Parties agree to submit themselves to the jurisdiction of such courts.

MODULE 3

Processor to processor

This Module 3 of the MCCs is applicable to the Restricted Transfers of Customer Personal Data whereby Customer acts as a processor and Supplier also acts as a processor.

SECTION 1

Clause 1 - Purpose and scope

a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)1 for the transfer of personal data to a third country.
b. The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2 - Effect and invariability of the Clauses

a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3 - Third-party beneficiaries

a. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
b. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4 - Interpretation

a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
c. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5 - Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6 - Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7 - Docking clause

a. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
b. Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
c. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8 - Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
a. The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
b. The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
c. The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
d. The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
a. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
b. The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
d. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
i the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
ii the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
iii the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
iv the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
a. The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
b. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
c. The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
d. The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
e. Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
f. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
g. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9 - Use of sub-processors

a. The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of subprocessors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).
b. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
c. The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
d. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub processor to fulfil its obligations under that contract.
e. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10 - Data subject rights

a. The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
b. The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
c. In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.

Clause 11 - Redress

a. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
b. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
c. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
d. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
e. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
f. The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12 - Liability

a. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
b. The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
c. Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
d. The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
e. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
f. The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its / their responsibility for the damage.
g. The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13 - Supervision

a. Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
b. The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14 - Local laws and practices affecting compliance with the Clauses

a. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
b. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
c. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
d. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
e. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). The data exporter shall forward the notification to the controller.
f. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the controller or the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15 - Obligations of the data importer in case of access by public authorities

15.1 Notification
a. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. The data exporter shall forward the notification to the controller.
b. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
c. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). The data exporter shall forward the information to the controller.
d. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
e. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
a. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
b. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. The data exporter shall make the assessment available to the controller.
c. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16 - Non-compliance with the Clauses and termination

a. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
b. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
c. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority and the controller of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
d. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
e. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17 - Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Luxembourg.

Clause 18 - Choice of forum and jurisdiction

a. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
b. The Parties agree that those shall be the courts of Luxembourg.
c. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
d. The Parties agree to submit themselves to the jurisdiction of such courts.

ANNEX I (applicable to MODULE 2 and MODULE 3)

A. LIST OF PARTIES

Data exporter:
1. Customer as data exporter (MODULE 2)
Name: Customer, as defined in the Agreement
Address: Customer’s address, as defined in the Agreement
Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement
Role: Controller
2. Customer as data exporter (MODULE 3)
Name: Customer, as defined in the Agreement
Address: Customer’s address, as defined in the Agreement
Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement
Role: Processor
Data importer (MODULE 2 and MODULE 3):
Name: Awesome Gapps S.à.r.l.
Address: 30 Bd Grande-Duchesse Charlotte, L-1330 Luxembourg
Contact person’s name, position and contact details: Stanislas de Villoutreys, General Counsel, legal@talarian.io
Activities relevant to the data transferred under these Clauses: Services as described in the Data Processing Agreement
Role: Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
Categories of personal data transferred
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Transfer is made on a continuous basis.
Nature of the processing.
All kind of processings as defined in article 4(2) of the GDPR, meaning any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Purpose(s) of the data transfer and further processing
Transfer and processing of Customer Personal Data by importer for the provision of Services in accordance with Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
Purpose(s) for which the personal data is processed on behalf of the controller
Processing of Customer Personal Data by importer for the provision of Services in accordance with Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
See Appendix 1 (“Customer Personal Data Processing Details”) of the Data Processing Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Appendix 3 (“Subprocessors”) of the DPA and ANNEX III of the MCCs (“LIST OF SUB-PROCESSORS”).
Processing will take place during the applicable Term, as defined in the Data Processing Agreement, plus the period from expiry of such Term until deletion of all Customer Personal Data by Supplier in accordance with the Data Processing Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

CNPD (Luxembourg)

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA (applicable to MODULE 2 and MODULE 3)

Technical and organisation measures including technical and organisational measures to ensure the security of the data are detailed in Appendix 2 (Security Measures) of the Data Processing Agreement.

ANNEX III – LIST OF SUB-PROCESSORS (applicable to MODULE 2 and MODULE 3)

The controller has authorised the use of the following sub-processors:

1. Name: Google Ireland Limited or its affiliates
Address: Gordon House, Barrow Street, Dublin 4, Ireland
Contact person’s name, position and contact details: Privacy Officer privacy@google.com
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): data hosting

Appendix 5 - Transfers from the United-Kingdom

This appendix is applicable when personal data is transferred from the United Kingdom to a third country which does not ensure an adequate level of data protection pursuant to UK GDPR.
If at any time the UK Government approves the Controller to Processor (MODULE 2) and Processor to Processor (MODULE 3) new SCCs for use under the UK Data Protection Laws, the provisions of Appendix 4 shall apply in place of this Appendix 5 in respect of UK Restricted Transfers, subject to any modifications to the Controller to Processor or Processor to Processor SCCs required by the UK Data Protection Laws (and subject to the governing law of the Controller to Processor and Processor to Processor SCCs being English law and the supervisory authority being the Information Commissioner’s Office).
Model Contractual Clauses (processor) for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Supplier (the “Data Importer”) and Customer (the “Data Exporter”), each a “party”, together “the parties”, agree on the following Model Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the personal data specified in the Clauses Schedule 1. The Clauses (including Schedules 1 and 2) are incorporated by reference into the Data Processing Agreement and are effective from the DPA Effective Date.

Clause 1 - Definitions

For the purposes of the Clauses:
a. Personal data, special categories of data, process/processing, controller, processor, Data Subject and Supervisory Authority shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
b. Data Exporter means the controller who transfers the personal data;
c. Data Importer means the processor who agrees to receive from the Data Exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25 (1) of Directive 95/46/EC;
d. Subprocessor means any processor engaged by the Data Importer or by any other subprocessor of the Data Importer who agrees to receive from the Data Importer or from any other subprocessor of the Data Importer personal data exclusively intended for processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
e. Applicable data protection law means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the Data Exporter is established;
f. Technical and organisational security measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2 - Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Schedule 1 which forms an integral part of the Clauses.

Clause 3 - Third-party beneficiary clause

1. The Data Subject can enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The Data Subject can enforce against the Data Importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity.
3. The Data Subject can enforce against the Subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the Data Subject can enforce them against such entity. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by national law.

Clause 4 - Obligations of the Data Exporter

a. That the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State;
b. That it has instructed and throughout the duration of the personal data processing services will instruct the Data Importer to process the personal data transferred only on the Data Exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
c. That the Data Importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Schedule 2 to the Clauses;
d. That after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
e. That it will ensure compliance with the security measures;
f. That, if the transfer involves special categories of data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
g. To forward any notification received from the Data Importer or any Subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the Data Exporter decides to continue the transfer or to lift the suspension;
h. To make available to the Data Subjects upon request a copy of the Clauses, with the exception of Schedule 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
i. That, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the personal data and the rights of Data Subject as the Data Importer under the Clauses; and
j. That it will ensure compliance with Clause 4(a) to (i).

Clause 5 - Obligations of the Data Importer

The Data Importer agrees and warrants:
a. To process the personal data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
b. That it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
c. That it has implemented the technical and organisational security measures specified in Schedule 2 before processing the personal data transferred;
d. That it will promptly notify the Data Exporter about:
(i) Any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) Any accidental or unauthorised access; and
(iii) Any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so;
e. To deal promptly and properly with all inquiries from the Data Exporter relating to its processing of the personal Data Subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
f. At the request of the Data Exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the supervisory authority;
g. To make available to the Data Subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Schedule 2 which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter;
h. That, in the event of sub-processing, it has previously informed the Data Exporter and obtained its prior written consent;
i. That the processing services by the Subprocessor will be carried out in accordance with Clause 11;
j. To send promptly a copy of any Subprocessor agreement it concludes under the Clauses to the Data Exporter.

Clause 6 - Liability

1. The parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Subprocessor is entitled to receive compensation from the Data Exporter for the damage suffered.
2. If a Data Subject is not able to bring a claim for compensation in accordance with paragraph 1 against the Data Exporter, arising out of a breach by the Data Importer or his Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The Data Importer may not rely on a breach by a Subprocessor of its obligations in order to avoid its own liabilities.
3. If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in paragraphs 1 and 2, arising out of a breach by the Subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Subprocessor agrees that the Data Subject may issue a claim against the data Subprocessor with regard to its own processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7 - Mediation and jurisdiction

1. The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject;
a. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
b. to refer the dispute to the courts in the Member State in which the Data Exporter is established.
2. The parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8 - Cooperation with supervisory authorities

1. The Data Exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the Data Importer, and of the Subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the applicable data protection law.
3. The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Subprocessor preventing the conduct of an audit of the Data Importer, or any Subprocessor, pursuant to paragraph 2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9 - Governing Law

The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.

Clause 10 - Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11 - Sub-Processing

1. The Data Importer shall not subcontract any of its processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor as are imposed on the Data Importer under the Clauses. Where the Subprocessor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Subprocessor’s obligations under such agreement.
2. The prior written contract between the Data Importer and the Subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Data Exporter is established.
4. The Data Exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Data Exporter’s data protection supervisory authority.

Clause 12 - Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the Data Importer and the Subprocessor shall, at the choice of the Data Exporter, return all the personal data transferred and the copies thereof to the Data Exporter or shall destroy all the personal data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The Data Importer and the Subprocessor warrant that upon request of the Data Exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

Schedule 1 to the Model Contractual Clauses
Data Exporter
The Data Exporter is the Customer legal entity that is a party to the Clauses.
Data Importer
The Data Importer is the Supplier, a global provider of a variety of technology services for businesses.
Categories of Data Subjects
The personal data transferred concern personal data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services and concerning the categories of Data Subjects listed in the DPA Appendix 1.
Categories of Data
The personal data transferred is personal data that will be Processed by Supplier including data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services as listed in the DPA Appendix 1
Processing operations
The personal data transferred will be subject to the following basic processing activities:
  • Scope of processing:
    • The Clauses reflect the parties’ agreement with respect to the processing and transfer of personal data specified in this Schedule pursuant to the provision of the “Service” as defined under the Agreement.
    • Personal data may be processed for the following purposes: (a) to provide the Service, (which may include the detection, prevention and resolution of security and technical issues); (b) to respond to customer support requests; and (c) otherwise to fulfil the obligations under the Agreement.
    • The Data Exporter instructs the Data Importer to process personal data in countries in which the Data Importer or its Subprocessors maintain facilities as necessary for it to provide the Service
  • Term of Data Processing: Data processing will be for the term specified in the Agreement. For the term of the Agreement, and for a reasonable period of time after the expiry or termination of the Agreement, the Data Importer will provide the Data Exporter with access to, and the ability to export, the Data Exporter’s personal data processed pursuant to the Agreement and this DPA.
  • Data Deletion: For the term of the Agreement, the Data Importer will provide the Data Exporter with the ability to delete the Data Exporter’s personal data from the Service. After termination or expiry of the Agreement, the Data Importer will delete the Data Exporter’s personal data in accordance with the Agreement and this DPA.
  • Access to Data: For the term of the Agreement, the Data Importer will provide the Data Exporter with the ability to correct, block, export and delete the Data Exporter’s personal data from the Service in accordance with the Agreement and this DPA.
  • Subprocessors: The Data Importer may engage Subprocessors to provide parts of the Service. The Data Importer will ensure Subprocessors only access and use the Data Exporter’s personal data to provide the Service and not for any other purpose.

Schedule 2 to the Model Contractual Clauses
Description of the technical and organisational security measures implemented by the Data Importer in accordance with Clauses 4(c) and 5(c):
The Data Importer currently abides by the security standards in this Schedule 2. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a material degradation in the security of the Service during the term of the Agreement.
Please see ANNEX II (TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA) of the Appendix 4 - MODULE 2 and MODULE 3 - above.