a. You (“Customer“, “you” or “your”) and Inspekto A.M.V. Ltd. and/or Inspekto GmbH (with its affiliates, the “Service Provider“), are parties to the Agreement, as defined below, to which this Data Protection Addendum applies.
b. If Service Provider processes personal data, or if Service Provider has access to personal data in the course of its performance of Service Provider’s services under the Agreement (the “Services“), Service Provider shall comply with the terms and conditions of this Data Protection Addendum (“Data Protection Addendum” or “DPA“).
c. This DPA sets forth that Service Provider shall qualify as the Data Processor, as this term is defined under Data Protection Laws. Customer acknowledges and agrees that as the Controller, it is responsible for the legal basis of Processing hereunder, including obtaining any necessary consents in accordance with the requirements of Data Protection Laws. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
All capitalized terms not defined in this Data Protection Addendum have the meanings set forth in the Agreement.
a. “Agreement” means the agreement between Customer and the Service Provider which involves Service Provider having access to or otherwise processing personal data.
b. “Approved Jurisdiction” means a member state of the European Economic Area (“EEA“), or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here: Adequacy decisions (europa.eu)
c. “Breach Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
d. “Data Protection Laws” means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of personal data, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR“), and the Privacy and Electronic Communications Directive 2002/58/EC (and local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to thereto.
e. “Standard Contractual Clauses” the standard contractual clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council pursuant to GDPR art. 46.
f. The terms “personal data“, “process“, “processing” and “Special Categories of Data” herein shall have the meaning ascribed to them in the GDPR.
- DATA PROTECTION AND PRIVACY
a. If Service Provider has access to or otherwise processes personal data, then Service Provider shall:
i. only process the personal data in accordance with Customer’s documented instructions and on its behalf, and in accordance with the Agreement and this Data Protection Addendum, including such processing as required for regulatory compliance purposes in connection with the Services.;
ii. take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and process, personal data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this Data Protection Addendum and any Data Protection Laws (or Service Provider’s own written binding policies are at least as restrictive as this Data Protection Addendum);
iii. assist Customer as needed to cooperate with and respond to requests from supervisor authorities, data subjects, customers, or others to provide information (including details of the services provided by Service Provider) related to Service Provider’s processing of personal data;
iv. notify the Customer without undue delay, and no later than seventy-two (72) hours, after becoming aware of a Breach Incident;
v. provide full, reasonable cooperation and assistance to Customer in:
a. allowing data subjects to exercise their rights under the Data Protection Laws, including (without limitation) the right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the processing, or the right not to be subject to an automated individual decision making, subject to Service Provider’s and Customer’s regulatory retention obligations in connection with the Services;
b. ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws;
c. Ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of personal data, and with its prior consultation with the supervisory authority obligation (as applicable).
vi. only process or use personal data on its systems or facilities to the extent necessary to perform its obligations under the Agreement;
vii. as required under Data Protection Laws, maintain accurate written records of any and all the Processing activities of any personal data carried out under the Agreement (including the categories of Processing carried out and, where applicable, the transfers of personal data), and shall make such records available to the applicable supervisory authority on request;
viii. make all reasonable efforts to ensure that personal data are accurate and up to date at all times while in its custody or under its control, to the extent Service Provider has the ability to do so;
ix. not lease, sell or otherwise derive commercial benefit from personal data;
x. promptly notify Customer of any investigation, litigation, arbitrated matter or other dispute relating to Service Provider’s information security or privacy practices as it relates to the processing of personal data;
xi. promptly notify Customer in writing and provide Customer an opportunity to intervene in any judicial or administrative process if Service Provider is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any personal data to any person other than Customer;
xii. except as required to comply with regulatory obligations in connection with the Services, upon termination of the Agreement, or upon Customer’s written request at any time during the term of the Agreement, Service Provider shall cease to process any personal data received from Customer, and within a reasonable period will at the request of Customer: (1) return the personal data; or (2) securely and completely destroy or erase all personal data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Customer’s request, Service Provider shall certify to Customer that it has fully complied with this clause.
a. Service Provider may subcontract its obligations under this Data Protection Addendum to another person or entity (“Contractor(s)”), as stated in Exhibit A attached hereto, provided that Service Provider shall inform the Customer of any intended changes concerning the addition/replacement of other processors at least 30 days prior to such change, and the Customer may notify Service Provider that it objects to such change and terminate the Agreement by written notice to the Customer.
b. Service Provider will execute a written agreement with such approved Contractor containing equivalent terms to this Data Protection Addendum.
c. Service Provider shall have a written security policy that provides guidance to its Contractors to ensure the security, confidentiality and integrity of personal data and systems maintained or processed by Service Provider.
d. Customer may require Service Provider to provide Customer with full details of the proposed Contractor’s involvement including but not limited to the identity of the Contractor, its data security record, the location of its processing facilities and a description of the access to personal data proposed.
e. Service Provider shall be responsible for the acts or omissions of Contractors to the same extent it is responsible for its own actions or omissions under this Data Protection Addendum.
- THE TRANSFER OF PERSONAL DATA
a. Personal data may be transferred from the EEA, Switzerland and the United Kingdom (“UK“) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions“), as applicable, without any further safeguard being necessary.
b. If the Processing of Personal Data by Processor includes a transfer (either directly or via onward transfer):
i. from the EEA or Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the GDPR) outside the EEA or Switzerland (“EEA Transfer“), the terms set forth in Part 1 of Exhibit C (EEA Cross Border Transfers) shall apply.
ii. from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the UK GDPR) outside the EEA or UK (“UK Transfer“), the terms set forth in Part 2 of Exhibit C (UK Cross Border Transfers) shall apply.
iii. the terms set forth in Part 3 of Exhibit C (Additional Safeguards) shall apply to an EEA Transfer and a UK Transfer.
- SECURITY STANDARDS
a. Service Provider shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect personal data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed; all other unlawful forms of processing; including (as appropriate): (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
b. To the extent that Service Provider processes Special Categories of Data, the security measures referred to in this Data Protection Addendum shall also include, at a minimum (i) routine risk assessments of Service Provider’s information security program, (ii) regular monitoring to measure and confirm the effectiveness of the information security program’s key controls, systems, and procedures, and (iii) encryption of Special Categories of Data while “at rest” and during transmission (whether sent by e-mail, fax, or otherwise), and storage (including when stored on mobile devices, such as a portable computer, flash drive, PDA, or cellular telephone).
a. If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this Data Protection Addendum, and Service Provider will promptly begin complying with such Data Protection Laws.
b. Any ambiguity in this Data Protection Addendum shall be resolved to permit Customer to comply with all Data Protection Laws. In the event and to the extent that the Data Protection Laws impose stricter obligations on the Service Provider than under this Data Protection Addendum, the Data Protection Laws shall prevail.
c. If this Data Protection Addendum does not specifically address a particular data security or privacy standard or obligation, Service Provider will use appropriate, generally accepted practices to protect the confidentiality, security, privacy, integrity, availability, and accuracy of personal data.
d. Service Provider agrees that, in the event of a breach of this Data Protection Addendum, neither Customer nor any relevant Customer’s customer will have an adequate remedy in damages and therefore either Customer or an affected customer shall be entitled to seek injunctive or equitable relief to immediately cease or prevent the use or disclosure of personal data not contemplated by the Agreement and to enforce the terms of this Data Protection Addendum or ensure compliance with all Data Protection Laws.
e. If Service Provider is unable to provide the level of protection as required herein, Service Provider shall immediately notify Customer and cease processing. Any non-compliance with the requirements herein shall be deemed a material breach of the Agreement and Customer shall have the right to terminate the Agreement immediately without penalty.
f. Customer, shall have the right to: (a) require from Service Provider all information necessary to, and (b) conduct its own audit and/or inspections of Service Provider in order to: demonstrate compliance with the Data Protection Addendum. Such audit and/or inspection shall be conducted with reasonable advanced notice to Service Provider, at Customer’s expense, no more than once a year, and during normal business hours to reasonably limit any disruption to Service Provider’s business.
g. Notwithstanding anything to the contrary, with effect from 25 May 2018, Service Provider will process personal data in accordance with the GDPR requirements directly applicable to its activities.
List of Sub Processors
|NAME OF SUB-PROCESSOR
|Netsuite CRM, ERP, Oracle
|Commercial, Customer Support, Sales and Marketing
|Sales and Marketing
|e-mail interaction for Commercial, Customer Support, Sales and Marketing
|e-mail interaction for Commercial, Customer Support, Sales and Marketing
|Microsoft 365 tools
|Internal statistics for Commercial, Customer Support, Sales and Marketing
EXHIBIT B – DETAILS OF PROCESSING
- Subject matter and duration of the Processing of Personal Data
The subject matter of the Processing of the Personal Data are set out in the DPA and this Addendum. The duration of the processing shall be for the term of the Agreement, and in relation to financial information, in accordance with Processor’s financial regulation compliance obligations.
- The nature and purpose of the Processing of Personal Data
Service Provider is engaged to provide Services to the Customer which involve the Processing of Personal Data. The scope of the Services is set out in the Agreement, and the Personal Data will be Processed by the Service Provider and Service Provider Affiliates to deliver those Services, to comply with the terms of the Agreement and this DPA and with Service Provider’s regulatory obligations.
- The types of Personal Data to be Processed:
Area/s of business
- The categories of Data Subject to whom the Personal Data relates:
Employees of Customers
Employees of Suppliers
Employees of Subcontractors
- The obligations and rights of Service Provider and Service Provider Affiliates
The obligations and rights of Service Provider and Service Provider Affiliates are set out in the Agreement and this DPA.
- The Processing operations carried out in relation to the Personal Data
Collecting and recording the data, hosting the data, organizing the data, adapting, or altering the data, and analyzing the data, in each case for the purposes of providing Services to Customer, the scope of which are set out in the Agreement.
EXHIBIT C – CROSS BORDER TRANSFERS
PART 1 – EEA Transfers
- The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to an EEA Transfer.
- Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data controller of the Personal Data and Service Provider is the data processor of the Personal Data.
- Module Three (Processor to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Customer as the data processor of the Personal Data and Service Provider is a Sub-processor of the Personal Data.
- Clause 7 of the Standard Contractual Clauses (Docking Clause) shall not apply.
- Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 4 of the DPA.
- In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
- In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland.
- In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Ireland.
- Annex I.A of the Standard Contractual Clauses shall be completed as follows:
Data Exporter: Customer.
Contact details: As detailed in the Terms.
Data Exporter Role:
Module Two: The Data Exporter is a data controller.
Module Three: The Data Exporter is a data processor.
Signature and Date: By entering into the Terms and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Terms.
Data Importer: Service Provider.
Contact details: As detailed in the Terms.
Data Importer Role:
Module Two: The Data Importer is a data processor.
Module Three: The Data Importer is a sub-processor.
Signature and Date: By entering into the Terms and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
- Annex I.B of the Standard Contractual Clauses shall be completed as follows:
The categories of data subjects are described in Exhibit B (Details of Processing) of this DPA.
The categories of personal data are described in Exhibit B (Details of Processing) of this DPA.
The Parties do not intend for Sensitive Data to be transferred.
The frequency of the transfer is a continuous basis for the duration of the Terms.
The nature of the processing is described in Exhibit B (Details of Processing) of this DPA.
The purpose of the processing is described in Exhibit B (Details of Processing) of this DPA.
The period for which the personal data will be retained is for the duration of the Terms, unless agreed otherwise in the Terms and/or the DPA.
- Annex I.C of the Standard Contractual Clauses shall be completed as follows:
The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 13 above.
- The Security Measures in Appendix A serve as Annex II of the Standard Contractual Clauses.
- To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Terms, the provisions of the Standard Contractual Clauses will prevail.
PART 2 – UK Transfers
- This Part 2 is effective from the same date as the Standard Contractual Clauses.
- This Part 2 is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country or an international organisation in reliance on Articles 46 of the UK GDPR and with respect to data transfers from controllers to processors and/or processors to processors.
- Where this Part 2 uses terms that are defined in the Standard Contractual Clauses, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
|UK Data Protection Laws
|All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
|The United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
|The United Kingdom of Great Britain and Northern Ireland
- This Part 2 shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR.
- This Part 2 shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this DPA has been entered into.
- In the event of a conflict or inconsistency between this Part 2 and the provisions of the Standard Contractual Clauses or other related agreements between the Parties, existing at the time the DPA is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
- This Part 2 incorporates the Standard Contractual Clauses which are deemed to be amended to the extent necessary so they operate:
- for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with Articles 46 of the UK GDPR Laws.
- The amendments required by Section 8 above, include (without limitation):
- References to the “Clauses” means this Part 2 as it incorporates the Standard Contractual Clauses
- Clause 6 Description of the transfer(s) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Appendix B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”
- References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.
- References to Regulation (EU) 2018/1725 are removed.
- References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”
- Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the Information Commissioner;
- Clause 17 is replaced to state “These Clauses are governed by the laws of England and Wales”.
- Clause 18 is replaced to state:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
- The footnotes to the Clauses do not form part of this Part 2.
- The Parties may agree to change Clause 17 and/or 18 to refer to the laws and/or courts of Scotland or Northern Ireland.
- The Parties may amend this Part 2 provided it maintains the appropriate safeguards required by Art 46 UK GDPR for the relevant transfer by incorporating the Standard Contractual Clauses and making changes to them in accordance with Section 8 above.
- The Parties may give force to this Part 2 (incorporating the Standard Contractual Clauses) in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in the Contractual Clauses.
PART 3 – Additional Safeguards
In the event of an EEA Transfer or a UK Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
- The Processor shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the Controller to the Processor and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
- The Processor will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA“);
- If the Processor becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
- The Processor shall inform the relevant government authority that the Processor is a processor of the Personal Data and that the Controller has not authorized the Processor to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Controller in writing;
- The Processor will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Processor’s control. Notwithstanding the above, (a) the Controller acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, the Processor has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (e)(II) shall not apply. In such event, the Processor shall notify the Controller, as soon as possible, following the access by the government authority, and provide the Controller with relevant details of the same, unless and to the extent legally prohibited to do so.
Once in every 12-month period, the Processor will inform the Controller, at the Controller’s written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.
HFNDOCS# 7428255v2 – Inspekto – Customer DPA Final V100