This is the large print

Small print follows…

Data Processing Agreement

This Data Processing Agreement (“DPA”) is made by and between the parties to any Service Agreement or Terms incorporating this DPA by reference and this DPA shall be in addition to any obligations set out in any Service Agreement or Terms.

 This DPA outlines the obligations between the parties where Good Technologies acts as a data processor in providing Services to the Client insofar as it relates to Client contact personal data.

Definitions 

All capitalised terms in this DPA shall have the meaning as prescribed by the Good Technologies Terms or as otherwise agreed between the parties, unless otherwise specified below.

 

Applicable Law means as applicable and binding on the Client, Good Technologies and/or the Services:

             

(a)   any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of, as may be specified in Terms;

(b)   the common law and laws of equity as applicable to the parties from time to time;

(c)   any binding court order, judgment or decree; or

(d)   any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

Data Controller means the party determining the processing activities conducted in relation to Personal Data, as may be further described under applicable Data Protection Laws;

Data Processor means the party conducting processing activities at the instruction of the Data Controller in relation to Personal Data, as may be further described under applicable Data Protection Laws;

Data Protection Laws means as applicable and binding on the Client, Good Technologies and/or the Services:

(a)   for Services supplied by Good Technologies Limited, the General Data Protection Regulation (EU) 2016/679 (and national implementing legislation of the same, including the Data Protection Act 2018), the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“DPPEC”), the Privacy and Electronic Communications (EC Directive) Regulations 2003 and/or any corresponding or equivalent national laws or regulations;

(b)   specifically in relation to the Client, all data protection and/or privacy laws of the jurisdictions in which recipient Data Subjects contacted through the Services are located;

(c)   any Applicable Laws replacing, amending, extending, re-enacting or consolidating any of the above Data Protection Laws from time to time;

     

Data Protection Losses means:

(a)            administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority; and/or

(b)            compensation which is ordered by a Supervisory Authority to be paid to a Data Subject;

 

Data Subject means the individual to whom Personal Data relates (as may be further defined by applicable Data Protection Laws, whether defined under the same term or as an equivalent term);

Data Subject Request means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;

International Recipient has the meaning given to that term in clause 6.2;

Personal Data has the meaning given to that term in Data Protection Laws, or, where that term is not identically defined in the applicable Data Protection Law, the meaning given to the equivalent defined term in that applicable Data Protection Law;

Personal Data Breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

Processing has the meaning given to that term in Data Protection Laws (and related terms such as process have corresponding meanings);

Processing Instructions has the meaning given to that term in clause 3.2.1;

Protected Data means Personal Data received from or on behalf of the Client in connection with the performance of Good Technologies’ obligations under this DPA;

SCCs means the standard contractual clauses for the transfer of personal data to processors established in third countries authorised by the Commission Decision of 5 February 2010 (2010/87/EU);

Sub-Processor means another Data Processor engaged by Good Technologies for carrying out processing activities in respect of the Protected Data on behalf of the Client; and

Supervisory Authority means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws. 

References to any Applicable Laws (including to the Data Protection Laws and each of them specifically, as the case may be) and to terms defined in such Applicable Laws shall be replaced with or incorporate (as the case may be) references to any Applicable Laws replacing, amending, extending, re-enacting or consolidating such Applicable Law (including any new Data Protection Laws from time to time) and the equivalent terms defined in such Applicable Laws, once in force and applicable. A reference to a law includes all subordinate legislation made under that law.

1 Interaction with the Agreement

             

1.1.    This DPA will take effect from the date on which the Client accepts the terms of this DPA (or signs a Service Agreement incorporating the terms of this DPA) and shall continue until the end of Good Technologies’ provision of the Services (including any period of suspension, where relevant) (“Term”).

1.2.   Except for the changes made by this DPA, the Terms and Service Agreement remain in full force and effect. To the extent that there is any conflict between this DPA and the Terms, the order of precedence shall be the SCCs (if applicable), the clauses of this DPA and then the Terms.

             

2 Data Processor and Data Controller

             


2.1.   The parties agree that in relation to Protected Data (as it may be applicable to the parties under Data Protection Laws), the Client shall be the Data Controller and Good Technologies shall be the Data Processor.

2.2.   Good Technologies shall process Protected Data in compliance with:

2.2.1. the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations herein; and

2.2.2. the terms of this DPA, the Terms and the Service Agreement which sets out the Client’s instructions in relation to such processing activities.

2.3.   The Client shall comply with:

2.3.1. all Data Protection Laws in connection with the processing of Protected Data, use of the Services and the exercise and performance of its respective rights and obligations under this DPA, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and

2.3.2.      the terms of this DPA.

2.4.   The Client warrants, represents and undertakes, that:         

2.4.1. all data sourced by the Client for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include the Client providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws; and

2.4.2.      all instructions given by it to Good Technologies in respect of Personal Data shall at all times be in accordance with Data Protection Laws.

2.5.   The Client shall not unreasonably withhold, delay or condition its agreement to any change or amendment requested by Good Technologies in order to ensure the Services and Good Technologies (and each Sub-Processor) can comply with Data Protection Laws.

             

3 Instructions and details of processing

             


3.1.   By entering into this DPA, Client instructs Good Technologies to process Client Protected Data only in accordance with Applicable Law:

3.1.1.  To provide the Services;

3.1.2.     As further specified by Client’s use of the Services or the Software;

3.1.3.     As documented in the form of the Terms and this DPA; and

3.1.4.     As further documented in any other written instructions provided by the Client and acknowledged by Good Technologies as being instructions for the purposes of this DPA.

3.2.   Insofar as Good Technologies processes Protected Data on behalf of the Client, Good Technologies:

3.2.1.     unless required to do otherwise by Applicable Law, shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with the Client’s documented instructions as set out in this clause, as updated from time to time as agreed between the parties (“Processing Instructions”);

3.2.2.      if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, shall notify the Client of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and

3.2.3.      shall inform the Client if Good Technologies becomes aware of a Processing Instruction that, in Good Technologies’ opinion, infringes Data Protection Laws, provided that:

(a)                 this shall be without prejudice to clauses 3 and 2.4; and

(b)                 to the maximum extent permitted by mandatory law, Good Technologies shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities (including any Data Protection Losses) arising from or in connection with any processing in accordance with the Client’s Processing Instructions following the Client’s receipt of that information.

3.3.   The subject matter and details of the processing of Protected Data to be carried out by Good Technologies under this DPA shall comprise the processing set out in Schedule 1 (Data Processing details), as may be updated from time to time as agreed between the parties.

3.4.  Further to the above, Good Technologies acknowledges that its processing of Protected Data is limited to that as set out in this DPA in order to supply the Services to the Client and will not retain, use or disclose Protected Data other than specified under this DPA, or (for the purposes of US Data Protection Laws) “sell” Protected Data, as that term is defined under the CCPA.

             

4 Technical and organisational measures

             


4.1.   Good Technologies shall implement and maintain, at its cost and expense and in relation to the processing of Protected Data by Good Technologies, technical and organisational measures taking into account the nature of the processing, to assist the Client insofar as is possible in the fulfilment of the Client’s obligations to respond to Data Subject Requests relating to Protected Data.

             

5 Using Sub-Processors

             


5.1.   Subject to the remainder of this clause 5, Good Technologies shall not engage any Sub-Processor for carrying out any processing activities in respect of the Protected Data where data is hosted outside of the United Kingdom (UK) or European Economic Area (EEA) without express written permission of the Client.

5.2.  Client specifically authorises the engagement of Good Technologies’ affiliates and associated group companies as Sub-Processors and also authorises the appointment of any of the Sub-Processors Good Technologies chooses, a current list of which can be provided upon request.

5.3.  Good Technologies shall:

5.3.1.     ensure via a written contract that the Sub-Processor only accesses and processes Protected Data to perform the obligations subcontracted to it and does so in accordance with the measures contained in this DPA that is enforceable by Good Technologies; and

5.3.2.     remain fully liable for all the acts and omissions of each Sub-Processor as if they were its own.

5.4.   When any new Sub-Processor outside of the United Kingdom (UK) or European Economic Area (EEA) is engaged by Good Technologies during the Term, Good Technologies shall give Client 30 days’ prior notice of the appointment of any new Sub-Processor, including details of the Processing to be undertaken by the Sub-Processor, via email.

5.5.  Client may object (on reasonable grounds and only relating to data protection) to any such new Sub-Processor appointed per clause 5.4 above within 14 days of Good Technologies’ notice. If Client notifies Good Technologies in writing of any objections to the proposed appointment:

5.5.1.    Good Technologies shall work with Client in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Sub-Processor; and

5.5.2.     where such a change cannot be made within 14 days of Good Technologies’ receipt of Client’s notice, Client may by written notice to Good Technologies with immediate effect terminate the Service Agreement to the extent that it relates to the Services which require the use of the proposed Sub-Processor. This termination right is Client’s sole and exclusive remedy to Client’s objection to any Sub-Processor appointed by Good Technologies during the Term.

 

6 International data transfers

             


6.1.   Australian Transfers. Where Good Technologies receives Protected Data protected by Australian Data Protection Laws, the Client acknowledges and agrees that Good Technologies may transfer such Personal Data to Sub-Processors located outside of Australia, as contemplated under this DPA subject to Good Technologies complying with this DPA and applicable Data Protection Laws.

6.2.   European Transfers. The Client agrees that Good Technologies may transfer any Protected Data to Sub-Processors located in countries outside the European Economic Area (EEA) (an “International Recipient”), provided all transfers by Good Technologies of Protected Data to an International Recipient shall (to the extent required under Data Protection Laws) be effected agrees to abide by and process EU Data in compliance with the SCCs.

6.3.   Where there is a transfer of Protected Data to Good Technologies by a Client established in the European Economic Area, and the location of the relevant Good Technologies entity is a third country under European Data Protection Laws, Good Technologies agrees to abide by and process Protected Data in compliance with the SCCs in the form set out in Schedule 2. For the purposes of the descriptions in the SCCs, Good Technologies agrees that it is the “data importer” and Client is the “data exporter” (notwithstanding that the Client may itself be an entity located outside Europe).

6.4.   Singapore Transfers. Where Good Technologies receives Protected Data protected by Singaporean Data Protection Laws, the Client acknowledges and agrees that Good Technologies may transfer such Protected Data to Sub-Processors located outside of Singapore, as contemplated under this DPA subject to Good Technologies complying with the DPA and applicable Data Protection Laws.

Good Technologies has taken appropriate steps to ascertain whether, and to ensure that, any recipient of the Protected Data is bound by legally enforceable obligations to provide to the transferred Protected Data a standard of protection that is at least comparable to the protection under the PDPA.

             

7 Staff

             


7.1.    Good Technologies shall ensure that all persons authorised by it (or by any Sub-Processor) to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential (except where disclosure is required in accordance with Applicable Law, in which case Good Technologies shall, where practicable and not prohibited by Applicable Law, notify the Client of any such requirement before such disclosure).

             

8 Assistance with the Client’s compliance and Data Subject rights

             


8.1.   Good Technologies shall refer all Data Subject Requests it receives to the Client within ten Business Days of receipt of the request.

8.2.   Further to the above and notwithstanding anything to the contrary in the Terms, Good Technologies reserves the right to disclose the identity of the Client to any relevant Data Subject following any such request from a Data Subject.

8.3.   Good Technologies shall provide such reasonable assistance as the Client reasonably requires (taking into account the nature of processing and the information available to Good Technologies) to the Client in ensuring compliance with the Client’s obligations under Data Protection Laws with respect to:      

8.3.1.     security of processing;

8.3.2.      data protection impact assessments (as such term is defined in Data Protection Laws);

8.3.3.      prior consultation with a Supervisory Authority regarding high risk processing; and

8.3.4.     notifications to the Supervisory Authority and/or communications to Data Subjects by the Client in response to any Personal Data Breach.

             

9 Records, information and audit

             


9.1.   Good Technologies shall maintain, in accordance with Data Protection Laws binding on Good Technologies, written records of all categories of processing activities carried out on behalf of the Client.

9.2.   Good Technologies shall, in accordance with Data Protection Laws, make available to the Client such information as is reasonably necessary to demonstrate Good Technologies’ compliance with the obligations of Data Processors under Data Protection Laws, and allow for and contribute to audits, including inspections, by the Client (or another auditor mandated by the Client) for this purpose, subject to the Client:

9.2.1. giving Good Technologies reasonable prior notice of such information request, audit and/or inspection being required by the Client;

9.2.2.      ensuring that all information obtained or generated by the Client or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);

9.2.3.      ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Good Technologies’ business and the business of other Clients of Good Technologies; and

9.2.4.      paying Good Technologies’ reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits on-site, calculated on a time & materials basis.

             

10 Breach notification

             


10.1. In respect of any Personal Data Breach involving Protected Data, Good Technologies shall, without undue delay (but in any event within 24 hours) from when Good Technologies becomes aware of the same:

10.1.1.     notify the Client of the Personal Data Breach; and

10.1.2.    provide the Client, where possible, with details of the Personal Data Breach.

10.2. Notice of a Personal Data Breach as contemplated under 10.1.1 above shall include:

10.2.1.    the nature of the Personal Data Breach (including, where possible, the categories and approximate number of data subjects and data records concerned);

10.2.2.   the likely consequences of the Personal Data Breach;

10.2.3.   the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and

10.2.4.   such other information as may be required by Data Protection Laws.

             

11 Deletion or return of Protected Data and copies

             


11.1.  Good Technologies shall, at the Client’s written request, delete or return, or provide facilities for the Client to either delete or return, all the Protected Data to the Client in such form as the Client reasonably requests within a reasonable time after the earlier of:

11.1.1.      the end of the provision of the relevant Services related to processing; or

11.1.2.     once processing by Good Technologies of any Protected Data is no longer required for the purpose of Good Technologies’ performance of its relevant obligations under the Service Agreement, and delete existing copies (unless storage of any data is required by Applicable Law and, if so, Good Technologies shall inform the Client of any such requirement).

             

12 Liability

             


12.1. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set out in the Terms.

12.2. Notwithstanding the foregoing, the limitations specified in 12.1 above shall not apply to Data Protection Losses. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.

12.3. Any Data Protection Losses incurred by one party arising from or in connection with the other’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall be considered a liability to the non-compliant party.

             


 

13 Cooperation

             


13.1. If a party receives a compensation claim from an individual or Supervisory Authority relating to processing of Protected Data, it shall promptly provide the other party with notice and full details of such claim. The party with conduct of the action shall:

13.1.1.     make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other party (which shall not be unreasonably withheld or delayed); and

13.1.2.    consult fully with the other party in relation to any such action.

             

14 Government Requests

             


14.1. Good Technologies does not, as a matter of course, voluntarily supply government authorities, agencies or law enforcement access to or information relating to Good Technologies Client accounts or Protected Data. If Good Technologies receives a compulsory request (whether via court order, warrant, or other valid legal process) from any government authority, agency or law enforcement for access to or information relating to a Client account (including Protected Data) belonging to a Client (hereafter, a “Government Request”), Good Technologies shall take all such reasonable steps as necessary to confirm the validity of such a request.

14.2. In the event that Good Technologies satisfies itself that a Government Request is valid, Good Technologies shall:

14.2.1.    inform the government authority, agency or law enforcement that Good Technologies is a processor of the Protected Data;

14.2.2.   attempt to redirect the government authority, agency or law enforcement to request the data directly from the Client; and

14.2.3.   notify Client via email of the Government Request to allow Client to seek their own appropriate remedy, whereby Good Technologies may provide the Client’s contact information.

14.3. Good Technologies shall not be required to comply with the provisions of clauses 14.1 or 14.2 above if:

14.3.1.    Good Technologies is legally prohibited from doing so; or

14.3.2.   Good Technologies has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, the safety of the public, or Good Technologies’ Services or property.

SCHEDULE 1: DATA PROCESSING DETAILS

             

1. Subject-matter of processing:
Protected Data relating to Good Technologies’ provision of the Services to the Client.

2. Duration of the processing:
The term of any relevant Service Agreement until deletion of all Protected Data by Good Technologies in accordance with the DPA.

3. Nature and purpose of the processing:
Good Technologies will process Client Protected Data for the purposes of providing the Services to the Client in accordance with the DPA and the Terms and as initiated by the Client in its use of the Services.

4. Type of Personal Data:
Data relating to individuals provided to Good Technologies via the provision of the Services by or at the direction of the Client, including but not limited to contact data (such as email address, contact number, name or other contact details) and marketing preferences.

5. Categories of Data Subjects:
Data subjects include the individuals about whom data is provided to Good Technologies via the Services by or at the direction of Client or end-users of the Client.


 

       

SCHEDULE 2: STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

             

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, Good Technologies (whose details are particularised on the relevant Service Agreement and Terms, hereinafter the “data importer”) and the Client (whose details are particularised on the relevant Service Agreement and Terms, hereinafter the “data exporter”) each a party; together the parties, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

             


 

Clause 1

Definitions

             

For the purposes of the Clauses:

(a)            ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b)            ‘the data exporter’ means the controller who transfers the personal data;

(c)            ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d)            ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e)            ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f)             ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

             

Clause 2

Details of the transfer

             

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

             

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

             


 

Clause 4

Obligations of the data exporter

             

The data exporter agrees and warrants:

(a)            that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b)            that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c)            that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d)            that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e)            that it will ensure compliance with the security measures;

(f)             that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g)            to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h)            to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i)              that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j)              that it will ensure compliance with Clause 4(a) to (i).

             

Clause 5

Obligations of the data importer

             

The data importer agrees and warrants:

(a)            to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b)            that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c)            that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d)            that it will promptly notify the data exporter about:

(i)              any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii)            any accidental or unauthorised access, and

(iii)           any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e)            to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f)             at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g)            to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h)            that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i)              that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j)              to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

             


 

Clause 6

Liability

             

1                The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2               If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3               If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

             


 

Clause 7

Cooperation with supervisory authorities

             

1                The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a)            to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b)            to refer the dispute to the courts in the Member State in which the data exporter is established.

2               The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

             

Clause 8

Cooperation with supervisory authorities

             

1                The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2               The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3               The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

             

Clause 9

Governing Law

             

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

             

Clause 10

Variation of the contract

             

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

             

Clause 11

Subprocessing

             

1                The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

2               The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3               The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4               The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

             

Clause 12

Obligation after the termination of personal data processing services

             

1                The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2               The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

             

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

             

Details of the transfer:

Please see the details set forth in Schedule 1 to the Data Processing Agreement to which these Clauses are incorporated.

             

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

             

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c): available upon request.