This Data Processing Agreement (this “Agreement”) is between the counter-party identified in a mutually executed Order Form executed pursuant to the Services Agreement (as defined in Section 1.1 below)) (“Company”) and Sourcescrub, LLC, a Delaware limited liability company with offices at 115 Sansome Street, Suite 1200, San Francisco, CA 94104 (“Sourcescrub”), each a “Party” and together the “Parties”.
• These terms govern the transfer of Personal Data between Controller and Processor and the Processing of that Personal Data under those certain Sourcescrub Online Terms and Conditions in the Master Service Agreement dated August 2nd between the Parties (the “Services Agreement”), pursuant to which Processor provides certain services to Controller. By executing an Order Form pursuant to the Services Agreement, of which this Agreement forms an integral part, the Parties agree to be bound by the following terms and conditions of this Agreement relating to the Processing of Personal Data.
1.1 Except as modified by this Agreement, the Services Agreement shall remain in full force and effect.
2.1 In this Agreement, unless the context otherwise requires, the following words shall have the meanings set forth below.
2.1.1 “Controller Personal Data” means the Personal Data Processed by Processor in connection with and in the provision of the Services to Controller.
2.1.2 “Data Protection Laws” means the laws, including any amendment, supplement, update, modification to or re-enactment of such laws, applicable to the Processing of Personal Data in connection with the Services, including, as relevant:
(i) US Privacy Laws;
(ii) the EU General Data Protection Regulation (“EU GDPR”) and the UK General Data Protection Regulation pursuant to the UK Data Protection Act 2018 (“UK GDPR” and together, “GDPR”);
(iii) Switzerland’s Federal Act on Data Protection of 19 June 1992 as revised 25 September 2020 (“FADP”);
(iv) the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and any related provincial privacy laws in Canada; and
(v) all other data privacy and/or security legislation applicable to those jurisdictions whose residents have Controller Personal Data that is Processed by Processor.
2.1.3 “Data Subject” shall mean a natural person whose personal information/data is Processed;
2.1.4 “EEA” means the European Economic Area;
2.1.5 “Effective Date” shall mean the date first above written;
2.1.6 “Restricted Transfer” means a Transfer to another country, territory, sector or international organization which the European Commission has not recognized via an adequacy decision as providing an equivalent level of protection for Personal Data, necessitating the need for contractual clauses ensuring appropriate data protection safeguards (e.g., SCCs).
2.1.7 “SCCs” means (i) the standard contractual clauses set out in Commission Implementing Decision (EU) 2021/914 for the transfer of Personal Data to third countries pursuant to the GDPR as updated, amended, replaced and superseded from time to time ("EU SCCs"); and where applicable (ii) the United Kingdom’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 as updated, amended, replaced and superseded from time to time (the “UK Addendum”);
2.1.8 “Security Incident” means any unauthorized access, acquisition, use, modification, disclosure, transfer, distribution, loss, destruction or damage of Controller Personal Data, or any other unauthorized Processing of Controller Personal Data in Processor’s possession or under Processor’s control;
2.1.9 “Services” means any services provided by Processor to Controller under the Services Agreement;
2.1.10 “US Privacy Laws” means any United States data protection or privacy laws or regulations, when applicable, including the California Consumer Privacy Act, and as amended by the California Consumer Privacy Rights Act (collectively, “CCPA”), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, Oregon Consumer Privacy Act, Utah Consumer Privacy Act, state security breach notification laws and guidance promulgated by the Federal Trade Commission pursuant to Section 5 of the Federal Trade Commission Act.
2.1.11 The terms “Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Process,” “Processing,” “Processor,” “Sale,” “Sell,” “Selling,” “Share,” “Sharing,” “Special Categories of Personal Data,” “Supervisory Authority” and “Transfer” (or their corresponding terms in individual Data Protection Laws) have the meanings given to those terms under their relevant Data Protection Laws, as applicable.
2.2 The headings in this Agreement are inserted for convenience and do not affect the construction of this Agreement.
2.3 Any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.
2.4 References to the word: (i) “ensure” and its derivatives means to use commercially reasonable efforts to pursue the stated aim and under no circumstances implies or constitutes any guaranty of results or outcomes or any express or implied legal covenant, warranty or representation; (ii) ”best efforts”, “commercially reasonable efforts” or “reasonable efforts” means acting with diligence and good faith in the performance of the obligation; and (iii) “immediately” means promptly and without undue delay.
3.1 This Agreement shall come into full force and effect on the Effective Date (as defined in the Services Agreement) and shall continue in full force and effect so long as Processor retains any Controller Personal Data in its possession or control (“Term”).
For purposes of this Agreement, Controller is the Controller of the Controller Personal Data.
4.1 Controller will not make accessible, communicate, transfer or transmit to Processor, or instruct Processor to Process, any Personal Data that Processor should not receive in connection with the delivery of the Services or for which Controller has not obtained all consents and other legal authorizations necessary to permit Processor access to such Personal Data.
4.2 Controller shall at all times during this Agreement comply with Controller’s obligations under the Data Protection Laws. In the event Controller makes a determination that it is no longer able to meet its obligations under the Data Protection Laws, Controller shall notify Processor in writing within five (5) business days of such determination, and Processor may suspend or terminate this Agreement and the Services Agreement upon written notice to Controller, unless and until Controller first notifies Processor that it able to resume meeting Controller’s obligations under such Data Protection Laws.
5.1 For purposes of this Agreement, Processor is a Processor of the Controller Personal Data. For the avoidance of doubt, Sourcescrub may be deemed to be both a Processor and Controller of Personal Data, whereby Sourcescrub will only be subject to the obligations under this Agreement that are relevant to Sourcescrub’s capacity as either Processor or Controller.
5.2 With respect to the CCPA and the Controller Personal Data it regulates, Processor will act as a “Processor” and Controller will act as a “Business,” as each of those terms are defined under Cal. Civ. Code § 1798.140.
5.3 Controller hereby instructs and authorizes Processor to receive and Process Controller Personal Data on its behalf in the capacity of a Processor and/or Processor (as applicable) for the purpose of providing the Services (including to build, enhance or improve the quality of Processor’s services).
5.4 Processor acknowledges and agrees that it will in all material respects comply with its obligations under Data Protection Laws and will only Process Controller Personal Data, which is described in Annex I.B to the SCCs, in order to provide the Services and perform its obligations under this Agreement. In the event Processor makes a determination that it is no longer able to meet its obligations under the Data Protection Laws, Processor shall notify Controller in writing within five (5) business days of such determination, and Controller may terminate this Agreement and the Services Agreement upon written notice to Processor, unless and until Processor first notifies Controller that Processor is able to resume meeting Processor’s obligations under the Data Protection Laws.
5.5 Processor shall:
5.5.1 only Process Controller Personal Data as and to the extent necessary for Processor to perform its obligations under this Agreement and the Services Agreement, in accordance with Controller’s instructions (which may be specific instructions or instructions of a general nature as set out in this Agreement or the Services Agreement or as otherwise notified by Controller to Processor from time to time), in compliance with Processor’s obligations under the Data Protection Laws;
5.5.2 provide training to its personnel with respect to Data Protection Laws;
5.5.3 not transfer Controller Personal Data to a third country or any party located outside the EEA without the prior consent of Controller, unless required or permitted to do so by applicable European Union law; provided however that Processor may transfer Controller Personal Data to any of its Permitted sub-Processors (as defined in Clause 5.9 below) located outside the EEA where (i) such Permitted sub-Processor is located in a third country in respect of which the European Commission has issued a finding of adequacy with regard to data protection; or (ii) there are appropriate safeguards (at least as protective as the Security Measures) in place in accordance with Article 46 of the GDPR between Processor and the Permitted sub-Processor and at least the same level of privacy protection is provided as required under Annex II attached hereto and Controller and Processor hereby enter into the SCCs in the case of such a transfer;
5.5.4 only use, reproduce or otherwise Process any Controller Personal Data collected in connection with providing the Services to (i) the extent necessary to provide the Services, (ii) the extent permitted by Data Protection Laws and (iii) build, enhance or improve the quality of Processor’s services; the Parties agree that the disclosure, dissemination, transfer, use, reproduction or other Processing of any Controller Personal Data under this Agreement is not a “Selling” or “Sharing” of Personal Data under US Privacy Laws or any other Data Protection Laws;
5.5.5 not modify, amend, or alter the contents of Controller Personal Data, except as directed by Controller (explicitly or as directed by the Services Agreement) or expressly permitted by Data Protection Laws (e.g., Processor will not combine or update Controller Personal Data received from, or on behalf of, Controller with Personal Data that it received from another source unless and to the extent permitted by Data Protection Laws); and
5.5.6 upon notice, permit Controller to take such steps as may be reasonable (i) to stop and remediate any unauthorized use of Controller Personal Data, and (ii) to help ensure that Processor uses Controller Personal Data in a manner consistent with Controller’s obligations under the Data Protection Laws.
5.6 Processor shall implement the technical and organizational security measures set forth in Annex II (“Security Measures”) to protect Controller Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing. The Parties acknowledge and agree that these Security Measures will be designed in a manner intended to provide a level of security reasonable and appropriate to the risks presented by the Processing and the nature of Controller Personal Data to be protected having regard to the state of the art and the cost of their implementation.
5.7 Processor may disclose Controller Personal Data to its personnel who (i) need to know for the purpose of providing the Services and (ii) have committed themselves to confidentiality or are subject to a signed agreement which imposes obligations of confidentiality no less strict than as described in this Agreement.
5.8 If Processor or its respective personnel are required by law and / or an order of any court of competent jurisdiction or any applicable regulatory, judicial or governmental body to disclose Controller Personal Data, Processor shall, to the extent practicable and except where prohibited by law, first:
5.8.1 give Controller notice of the details of the proposed disclosure;
5.8.2 give Controller a reasonable opportunity to take any steps it considers necessary to protect the confidentiality of Controller Personal Data including seeking such judicial redress as Controller may reasonably see fit in the circumstances; and
5.8.3 inform the proposed recipient that the information is confidential Controller Personal Data.
5.9 Processor shall have the right at its discretion to appoint one or more third parties (each a “Permitted sub-Processor”) to process Controller Personal Data relating to the Services; provided that:
5.9.1 any such Permitted sub-Processors are bound by terms which are the same as or equivalent to the terms which Processor is bound relating to this Agreement; and
5.9.2 Processor remains liable to Controller for Processing by any Permitted sub-Processors as if the Processing was being conducted by Processor.
5.10 Except as otherwise set forth in the Order Form between the Parties, Processor does not currently utilize any Permitted sub-Processors.
6.1 Each Party shall co-operate with the other Party to the extent necessary to enable such other Party to comply with any requests of any relevant Data Protection Authority or any other competent supervisory or other regulatory authority in respect of Controller Personal Data Processed by Processor under this Agreement.
6.2 In particular, each Party shall:
6.2.1 promptly inform the other Party upon becoming aware if, in its opinion, an instruction given, or request made by such other Party infringes Data Protection Laws;
6.2.2 provide such reasonable co-operation and assistance as the other Party may require to enable such other Party to comply with its obligations under Data Protection Laws; and
6.2.3 notify the other Party as soon as reasonably practicable if it makes a determination that it can no longer meet its obligations under the Data Protection Laws.
7.1 Each Party shall promptly notify the other Party about any allegation, request or complaint received directly from Data Subjects relating to Processor’s Processing of Controller Personal Data, providing full details of the request or complaint sufficient to enable the other Party to respond.
8.1 If Processor becomes aware of any Personal Data Breach, Processor shall as soon as practicable, and in any event within seventy-two (72) hours, give Controller written notice of the full details of the Security Incident. After providing notice, Processor will investigate the Security Incident, take commercially reasonable efforts to eliminate or contain the exposure of Controller Personal Data, and keep Controller informed of the status of the Security Incident and all related matters.
8.2 After identifying or being informed of any Security Incident, Processor will develop and execute a plan that is designed to reduce the likelihood of a recurrence of a Security Incident. Controller shall reimburse Processor for all such efforts, unless and to the extent the applicable Personal Data Breach was caused by Processor’s breach of its obligations under this Agreement.
With respect to Restricted Transfers the SCCs are hereby incorporated into this Agreement by reference and will come into effect upon commencement of any such Restricted Transfer.
9.1 Where a Restricted Transfer is subject to the GDPR the following terms shall apply:
9.1.1 Annex IA of the EU SCCs attached hereto will be populated with the details of the Parties, Annex IB of the EU SCCs attached hereto will be populated with the description of the Processing of Personal Data;
9.1.2 For the purposes of Modules 1, 2 and 3 of the EU SCCs: clause 7 and the optional language in clause 11(a) shall not apply;
9.1.3 For the purposes of clause 9, the Parties select Option 2 (General authorization);
9.1.4 The technical and organizational security measures set out in Annex II of the EU SCCs attached hereto shall apply;
9.1.5 The supervisory authority for the purposes of Clause 13(a) shall be determined by the place of establishment of the data exporter; the governing law and choice of forum and jurisdiction stipulated in this Agreement shall apply to the extent that it is the law and the courts of an EU member state otherwise it shall be those of the Republic of Ireland; and
9.1.6 The frequency of the transfer shall be continuous, as necessary to deliver the Services, and retention shall be determined by Controller, except where Controller is required by applicable laws to retain Personal Data in accordance with Controller’s corporate record retention schedules and policies.
9.2 Where a Restricted Transfer is subject to both EU GDPR and UK GDPR the following terms with respect to the UK Addendum shall, in addition to Clause 6.1a above, also apply:
9.2.1 The EU SCCs shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK Addendum;
9.2.2 At Clause 2(h) of the EU SCCs, the Parties select option (iii);
9.2.3 The data subjects, categories of Personal Data and the purposes of the transfer are as specified in the EU SCCs, and the recipients are the recipients to whom it is necessary to disclose data to achieve the purposes;
9.2.4 The contact points for data protection enquiries are the usual business contacts for each Party; and
9.2.5 The Parties confirm that the information required for the purposes of Part 1 (Tables) of the UK Addendum is set out in Agreement Exhibit 2.
9.3 With respect to Restricted Transfers from Switzerland, the EU SCCs, Section 9.1 and the following additional terms shall apply:
9.3.1 For purposes of the EU SCCs, the terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the FADP;
9.3.2 Clause 13 of the EU SCCs is modified to provide that the Federal Data Protection and Information Commissioner of Switzerland shall have authority over data transfers governed by the FADP and the appropriate EU supervisory authority shall have authority over data transfers governed by the GDPR (subject to the foregoing, all other requirements of Section 13 shall be observed);
9.3.3 The term “EU Member State” as utilized in the EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs; and;
9.3.4 The law that applies will be the laws of Switzerland.
9.4 For the avoidance of doubt (and without prejudice to third party rights for data subjects under the SCCs) the Parties hereby submit to the limitations stipulated in this Agreement with respect to their respective liability towards one another under the SCCs and FADP.
9.5 To the extent that there is any conflict or inconsistency between the terms of the SCCs or FADP and the terms of this Agreement, the terms of the SCCs or FADP shall take precedence.
9.6 If, and to the extent that, the European Commission, the United Kingdom or Switzerland issues any amendment to, or replacement of, the EU SCCs, the UK Addendum or the FADP (as applicable), the Parties agree in good faith to take such additional steps as necessary to provide that such replacement terms are implemented across all transfers.
9.7 If, at any time, a supervisory authority or a court with competent jurisdiction over a Party mandates that transfers from controllers in the EEA, the United Kingdom or Switzerland to controllers or Processors established outside the EEA, the United Kingdom or Switzerland must be subject to specific additional safeguards (including specific technical and organizational measures), the Parties shall work together in good faith to implement such safeguards and provide that any transfer of Personal Data is conducted with the benefit of such additional safeguards.
10.1 Notwithstanding anything to the contrary in this Agreement and/or the Services Agreement, Processor’s total, cumulative liability under this Agreement for all causes of action (whether in contract, tort, strict liability or otherwise) shall be limited to an amount equal to the fees (excluding taxes and reimbursable expenses) actually paid by Controller to Processor for the Services during the twelve (12) months preceding the occurrence giving rise to the applicable claim.
10.2 Notwithstanding anything to the contrary in this Agreement and/or the Services Agreement, in no event shall Processor be liable under this Agreement for any indirect, incidental, consequential, reliance or punitive damages or lost or imputed profits, lost data, unrealized savings, lost revenue, diminished share price, loss of good will, reputational harm, shareholder derivative suits or other business losses of any kind, in each case regardless of whether Processor was advised of the possibility of such losses or damages or such losses or damages were otherwise foreseeable, and notwithstanding the failure of any agreed or other remedy of its essential purpose.
11.1 Processor, upon reasonable request by Controller upon termination of the Services shall:
11.1.1 cease Processing any Controller Personal Data relating to the Services; and
11.1.2 return to Controller or, at Processor’s election, securely destroy all copies of Controller Personal Data received and / or Processed by it under this Agreement unless and to the extent applicable Data Protection Laws permit the retention or storage of the applicable Controller Personal Data. Notwithstanding the foregoing, Processor may retain Controller Personal Data in backups of its information technology devices and systems made in the ordinary course of business; provided that it may not seek to access such information except to the extent permitted by law, requested by Controller or as part of a system restoration.
12.1 If either Party fails to perform any of its material obligations under this Agreement and does not cure such failure within thirty (30) days of receipt of a notice of default from the other Party, then the other Party may, by giving notice to the defaulting Party terminate this Agreement as of the date specified in such notice of termination.
12.2 Subsection 12.2 and Sections 1, 2, 9-11 and 13-18 shall survive the termination of this Agreement for any reason.
13.1 This Agreement and the Services Agreement constitute the entire agreement between the Parties relating to the Processing of Controller Personal Data and supersede any previous agreements arrangements or understandings between them relating to their subject matter.
13.2 In the event of any inconsistency or ambiguity between the terms of this Agreement and the terms of the Services Agreement or any other agreement between the Parties in relation to the Processing of Controller Personal Data, the terms of this Agreement shall prevail.
No variation or amendment to this Agreement shall be effective unless in writing signed by authorized representatives of each of the Parties.
No failure or delay by a Party to exercise any right or remedy provided under this Agreement or any Data Protection Law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
This Agreement may be entered in two or more counterparts or duplicates, each of which when executed shall be an original but each counterpart shall together constitute one and the same Agreement.
Each and every obligation under this Agreement shall be treated as a separate obligation and shall be severally enforceable as such, and in the event of any obligation or obligations being found by any authority of competent jurisdiction to be invalid or unenforceable, such invalidity or unenforceability shall not affect the other provisions or parts of such provisions of this Agreement, all of which shall remain in full force and effect.
Except to the limited extent otherwise provided in Article 9 above, this Agreement shall in all respects be governed by and construed in accordance with the laws of the State of California, without regard to its conflicts of laws principles, and the Parties irrevocably agree that the state and federal courts in San Francisco, California shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Agreement or its subject matter or formation (including non-contractual disputes or claims).
A. LIST OF PARTIES
Data exporter(s):
1. Name: Company or Sourcescrub, to the extent such Party is deemed Contoller under this Agreement.
Address: Company’s or Sourcescurb’s address set forth in the Order Form between the Parties, to the extent such Party is deemed Controller under this Agreement.
Contact person’s name, position and contact details: Company’s or Sourcescrub’s contact details ast set forth in the Order Form between the Parties, to the extent such Party is deemed Controller under this Agreement.
Activities relevant to the data transferred under these Clauses: The Processing of Personal Data in connection Processor’s provision of certain services to Controller pursuant to the Services Agreement.
Role (controller/Processor): Controller
Data importer(s): Name: Company or Sourcescrub, to the extent such Party is deemed Processor under this Agreement. If Sourcescrub: Sourcescrub, LLC
Address: Company’s or Sourcescurb’s address set forth in the Order Form between the Parties, to the extent such Party is deemed Processor under this Agreement.If Sourcescrub: 115 Sansome Street, Suite 1200, San Francisco, CA 94104
Contact person’s name, position and contact details: Company’s or Sourcescrub’s contact details ast set forth in the Order Form between the Parties, to the extent such Party is deemed Controller under this Agreement. If Sourcescrub: dataprivacy@Sourcescrub.com
Activities relevant to the data transferred under these Clauses: The Processing of Personal Data in connection Processor’s provision of certain services to Controller pursuant to the Services Agreement. If Sourcescrub is Processor, Sourcescrub provides tools for investors to source deals.
Role (controller/Processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
• Controller’s end-users
• Controller’s administrative personnel responsible for maintenance of Controller’s account with Processor
Categories of personal data transferred
• Controller’s end-user’s work email address, first name, last name, user logins
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
• None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
• Continuous basis
Nature of the Processing
The personal data transferred will be subject to the following processing operations:
• Processor Processes Controller Personal Data to provide tools for investors to source deals.
• Processor Processes Controller Personal Data to resolve technical or administrative issues, billing and invoicing, and otherwise comply with its own legal obligations.
• Processor Processes Controller Personal Data to optimize the performance of its products and services, improve its products, and for its own business purposes as described in this Agreement.
Purpose(s) of the data transfer and further Processing
• The purpose of the data transfer is to provide Processor’s services as requested by Controller.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
• Different data retention periods apply depending on the applicable service. When determining the specific retention period, Processor considers various factors, such as the type of service provided to Controller, the nature and length of our relationship with Controller, and mandatory retention periods provided by law and the statute of limitations.
For transfers to (sub-) Processors, also specify subject matter, nature and duration of the Processing
• Same as per the above for Processor
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority
• The competent supervisory authority as determined by the place of establishment of Controller.
Description of the technical and organisational measures implemented by the Data Importer(s) (including any relevant certifications) to provide an appropriate level of security, taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of natural persons.
1. Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Controller Personal Data is Processed, include:
• Establishing security areas, restriction of access paths;
• Establishing access authorizations for employees and third parties;
• Access control system (ID reader, magnetic card, chip card);
• Key management, card-keys procedures;
• Door locking (electric door openers etc.);
• Security staff, janitors;
• Surveillance facilities, video/CCTV monitor, alarm system; and
• Securing decentralized data processing equipment and personal computers.
2. Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
• User identification and authentication procedures;
• ID/password security procedures (special characters, minimum length, change of password);
• Automatic blocking (e.g. password or timeout);
• Monitoring of break-in-attempts and automatic turn-off of the user ID upon several erroneous passwords attempts;
• Creation of one master record per user, user-master data procedures per data processing environment; and
• Encryption of archived data media.
3. Data access control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Controller Personal Data in accordance with their access rights, and that Controller Personal Data cannot be read, copied, modified or deleted without authorization, include:
• Internal policies and procedures;
• Control authorization schemes;
• Differentiated access rights (profiles, roles, transactions and objects);
• Monitoring and logging of accesses;
• Disciplinary action against employees who access Controller Personal Data without authorization;
• Reports of access;
• Access procedure;
• Change procedure;
• Deletion procedure; and
• Encryption.
4. Disclosure control
Technical and organizational measures reasonably designed to ensure that Controller Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Controller Personal Data is disclosed, include:
• Encryption/tunneling;
• Logging; and
• Transport security.
5. Entry control
Technical and organizational measures to monitor whether Controller Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
• Logging and reporting systems; and
• Audit trails and documentation.
6. Control of instructions
Technical and organizational measures to ensure that Controller Personal Data is Processed solely in accordance with the instructions of Controller include:
• Unambiguous wording of the contract;
• Formal commissioning (request form); and
• Criteria for selecting the Processor.
7. Availability control
Technical and organizational measures reasonably designed to ensure that Controller Personal Data are protected against accidental destruction or loss (physical/logical) include:
• Backup procedures;
• Mirroring of hard disks (e.g. RAID technology);
• Uninterruptible power supply (UPS);
• Remote storage;
• Anti-virus/firewall systems; and
• Disaster recovery plan.
8. Separation control
Technical and organizational measures reasonably designed to ensure that Controller Personal Data collected for different purposes can be Processed separately include:
• Separation of databases;
• “Internal client” concept / limitation of use;
• Segregation of functions (production/testing); and
• Procedures for storage, amendment, deletion, transmission of data for different purposes.
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
The Table 1 information below shall reflect the information set forth in Agreement Exhibit 1, Annex I set forth above.
Table 1: Parties
Table 2: Selected SCCs, Modules and Selected Clauses
Table 3: Appendix Information
“AppendixInformation” means the information which must be provided for the selectedmodules as set out in the Appendix of the Approved EU SCCs (other than theParties), and which for this Addendum is set out in:
Annex 1A: List of Parties
Annex 1B: Description of Transfer
Annex II: Security measures, including technical and organisational measures to provide security of the data
Annex III: List of Sub Processors
Table 4: Ending this Addendum when theApproved Addendum Changes
Entering into this Addendum
EachParty agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on theParties and allows data subjects to enforce their rights as set out in thisAddendum. Entering into this Addendum will have the same effect as signing theApproved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the Parties, the Parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s Processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to Processors and/or Processors to Processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s Processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a its direct costs of performing its obligations under the Addendum; and/or
b its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.