ARYAKA NETWORKS – DATA PROTECTION ADDENDUM – GDPR / CCPA
Preliminary Notes – The following Data Protection Agreement:
- is drafted to incorporate the terms required by (A) Article 28 of the General Data Protection Regulation (GDPR) 2016/679 between “controllers” and “processors” where Supplier (Aryaka) is acting as a data processor, and (B) the California Consumer Protection Act of 2018 (CCPA) where Supplier, Customer, or both are acting as a “business”;
- is to protect the “Personal Data” of “data subjects” under the GDPR and to protect the “Personal Information” of “consumers” under the CCPA; and
- is intended for appending as an Addendum or Schedule of the underlying Contract (Master Subscription Agreement) – it is not a stand-alone agreement.
DATA PROTECTION AGREEMENT
(Covering European Economic Area (GDPR), California (CCPA) and Elsewhere)
The following terms and conditions of this Supplier Data Protection Agreement (the “DPA”) are entered into between [INSERT CUSTOMER ENTITY], (“Customer”) on behalf of itself and its Authorized Affiliates and Aryaka Networks, Inc. on behalf of itself and its Affiliates (collectively, “Supplier”) and apply to and are made part of the Contracts, each a “Party”, together the “Parties”. For the purposes of this DPA only, and except where otherwise indicated, the term “Customer” shall include Customer and its Authorized Affiliates.
BACKGROUND
- Supplier has entered into one or more Master Subscription Agreements, purchase orders, contracts, agreements and the like (the “Contracts”) with Customer which may include Authorized Affiliates.
- In delivering the services under the Contracts (the “Services”), Supplier may process Customer Personal Data or Consumer Personal Information controlled by Customer or its respective customers, suppliers, or business partners.
- As part of their privacy programs and contractual arrangements, the Parties have provided certain assurances to their employees, independent contractors, candidates, customers, consumers, suppliers or business partners to ensure the appropriate protection of Customer Personal Data and Consumer Personal Information.
- Therefore, the Parties desire to be subject to certain data protection laws, rules and regulations in the European Economic Area, California USA, and all other applicable areas of the world (the “Applicable Privacy Laws”) pursuant to this DPA.
Agreement
1. DEFINITIONS
- 1.1 “Affiliate” means any entity that is directly or indirectly controlled by, controlling or under common control with a Party. “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- 1.2 “Applicable Privacy Laws” means (a) all worldwide data protection and privacy laws and regulations applicable to the Customer Personal Data and Consumer Personal Information in question, (b) including, where applicable, EEA Data Protection Law and (c) the California Consumer Protection Act.
- 1.3 “Authorized Affiliate” means any of Customer’s Affiliates permitted to or otherwise receiving the benefit of the Services pursuant to the Contracts.
- 1.4 “Authorized Persons” means any person who processes personal data or personal information under this DPA on a Party’s behalf, including that Party’s employees, officers, directors, partners, principals, agents, representatives, contractors, and in the case of Supplier, its Sub-Processors.
- 1.5 “Business” or “business” means, under the CCPA, any for-profit legal entity that does business in the state of California and collects and controls consumers’ personal information and satisfies one or more of the following thresholds: (a) annual gross revenues in excess of $USD25 million, (b) alone or in combination buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices on an annual basis, and (c) derives 50% or more of its annual revenues from selling consumers’ personal information. A “business” also includes any entity that controls or is controlled by a business that satisfies these criteria. For the avoidance of doubt, “Customers” that are also controllers under the GDPR are included as “Businesses” for purposes of this Agreement.
- 1.6 “California Consumer Protection Act” or “CCPA” means the California Consumer Protection Act of 2018, in particular 2017 California Assembly Bill No. 375, California 2017-2018 Regular Session (amending Part 4 of Division 3 of the California Civil Code), amended by 2017 California Senate Bill No. 1121, that defines the “personal information” subject to its protection and grants consumers extensive rights to control that information, to become effective approximately January 1, 2020 and enforceable on and after approximately June 1, 2020 (as superseded, amended or replaced).
- 1.7 “Consumer” or “consumer” means, under the CCPA, any natural person who is a California resident to whom Personal Information relates, but does not include sole proprietorships, partnerships, limited liability companies or corporations, and certain other legal entities specified in the CCPA.
- 1.8 “Customer Personal Data” or “Customer Data” means and includes all Personal Information and Personal Data except where specified otherwise (i) provided to Supplier by or at the direction of Customer in connection with the Services; (ii) created or obtained by Supplier on behalf of Customer in the performance of Services; or (iii) which Supplier accesses at the direction of Customer, in the course of Supplier’s performance under the Contracts, it being understood that the Services do not, and in the ordinary course of providing Services Supplier does not, access Personal Information or Personal Data or any personally identifiable information, but instead provides a proprietary software-defined wide area network (SD-WAN) over which data is carried. For the avoidance of doubt, “Customers” that are also controllers under the GDPR are included as “Businesses” for purposes of this Agreement.
- 1.9 “Controller” means the entity that determines the purposes and means of the processing of Personal Data or Personal Information.
- 1.10 “C2C Model Clauses” means the Standard Contractual Clauses for Controllers as approved by the European Commission and available at http://ec.europa.eu/justice/data-protection/international-transfers/files/clauses_for_personal_data_transfer_set_ii_c2004-5721.doc (as amended, superseded or updated from time to time). The current version (as of the Effective Date) of these clauses is set forth in Schedule 1.8 to this DPA.
- 1.11 “C2P Model Clauses” means the Standard Contractual Clauses for Processors as approved by the European Commission and available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en (as amended, superseded or updated from time to time). The current version (as of the Effective Date) of these clauses is set forth in Schedule 1.9 to this DPA.
- 1.12 “Data Subject” or “data subject” means the identified or identifiable person to whom Personal Data relates.
- 1.13 “EEA Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Customer Personal Data and on the free movement of such data (the “Directive”); and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Customer Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) the e-Privacy Directive (Directive 2002/58/EC); and (iii) any national data protection laws made under or pursuant to (i) or (ii) (in each case, as superseded, amended or replaced).
- 1.14 “Personal Data”, “Personal Information”, “processing”, “process”, “sell”, “collect” and “supervisory authority” shall have the meanings, respectively, given in the Applicable Privacy Law.
- 1.15 “Privacy Shield” means the EU-US and Swiss-US Privacy Shield Frameworks, as administered by the U.S. Department of Commerce.
- 1.16 “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 pursuant to the Directive, details of which can be found at www.privacyshield.gov/eu-us-framework.
- 1.17 “Processor” means the entity that processes Personal Data or Personal Information on behalf of the Controller.
- 1.18 “Processor Binding Corporate Rules” means the Binding Corporate Rules Processor (or BCR-P) of the Supplier that have been approved by a supervisory authority.
- 1.19 “Security Incident” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data or Personal Information transmitted, stored or otherwise processed by Supplier or its Sub-Processors.
- 1.20 “Sub-Processor” means any Processor engaged by Supplier or its Affiliates to assist in fulfilling its obligations with respect to providing the Services that processes Customer Data.
2. SCOPE, GDPR / CCPA REQUIREMENTS, RIGHTS AND REMEDIES
- 2.1 This Agreement covers protection under the GDPR of Personal Data of data subjects that is controlled or processed by data controllers and processors, and protection under the CCPA of Personal Information of consumers that is collected or used by businesses. Data controllers and data processors are considered to be “businesses” under this Agreement. Specifically: (a) With respect to the GDPR: Applies to processing of personal data: (i) relating to EU or non-EU data subjects in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not, and (ii) of EU data subjects by controllers or processors located outside of the EU if the processing activities are related to the offering of goods or services to, or monitoring the behavior of, individuals residing in the EU. (b) With respect to the CCPA: Applies to businesses located within or outside of California if personal information of California consumers is collected. For clarity, the protections of the CCPA are associated with California residents. Accordingly, any business that “does business” in California, regardless of its physical location, may become covered by the CCPA due to its interaction with California residents.
- 2.2 Roles of the Parties and Details of Processing. Supplier shall process Personal Information and Personal Data under the Contracts as a Processor acting on behalf of Customer. Supplier agrees that it will process Personal Information and Personal Data as described at Annex A, which forms an integral part of this DPA.
- 2.3 Supplier’s Processing of Data and Information. Supplier shall at all times process the Personal Information and the Personal Data only for the purpose of providing the Services to Customer under the Contracts and in accordance with Customer’s documented instructions.
- 2.4 Supplier’s Notification Obligations Regarding Customer Instructions. Supplier shall promptly notify Customer in writing, unless prohibited from doing so under Applicable Privacy Law, if:
- It becomes aware or believes that any data processing instruction from Customer violates Applicable Privacy Law;
- It is unable to comply with Customer’s data processing instructions for any reason; or
- It is unable to comply with the terms of the Contracts (including this DPA) as they relate to or govern the processing of Personal Information or Personal Data or the security of Personal Information or Personal Data for any reason.
- 2.5 Information Requirements:
- (a) With respect to the CCPA: (i) Upon receipt of a consumer’s request for any disclosure of the categories and specific pieces of Personal Information that a business has collected about that consumer, the business shall deliver such information to the consumer free of charge within 45 days of receipt of a verifiable request. The time period for disclosure may be extended once by an additional 45 days upon the provision of notice to the consumer. The delivery of information may be made by mail or electronically. However, electronic disclosures must be provided in portable format to the extent feasible. (ii) Businesses that collect a consumer’s Personal Information shall, either at or before the point of collection, inform consumers as to the categories of Personal Information to be collected and the purposes for which the categories of Personal Information shall be used. Businesses shall not collect additional categories of Personal Information, or use collected information for additional purposes, without providing notice to the consumer. (iii) Businesses shall include the information set forth in 2.5(a)(i) and 2.5(a)(ii) in the business’ privacy policy and update the policy at least once every 12 months.
- (b) With respect to the GDPR: (i) A list of information shall be provided to data subjects (A) at the time their Personal Data is obtained if their Personal Data was collected directly from them, or (B) within 30 days or other applicable timeframes afterwards specified in the Applicable Privacy Law if their Personal Data was not collected directly from them, unless provision of such data would be impossible or involve a disproportionate effort. (ii) The list of information to be provided includes the identity and contact details of the controller, the contact details of the data protection officer, the purposes for processing and legal bases for processing, the recipients of the Personal Data, the Personal Data retention period, the data subjects’ rights, and appropriate safeguards used to transfer the Personal Data out of the EU. (iii) The information set forth in 2.5(b)(i) and 2.5(b)(ii) shall be included in a policy or notice such as the controller’s or processor’s privacy policy notice or a GDPR-specific policy.
- 2.6 Consent Requirements:
- (a) With respect to the CCPA: In order to comply with consumer opt-out provisions, businesses must make available two or more designated methods for submitting requests for disclosure of information including, at minimum, a toll-free telephone number and a public website. Business’ websites must provide a clear and conspicuous link on their websites titled “Do Not Sell My Personal Information” that enables consumers to opt-out of the sale of their Personal Information. In addition, businesses must provide a description of consumers’ right to opt out of the sale of their Personal Information, along with the above-described website link, in their website privacy policies or in any California-specific description of consumers’ privacy rights. Businesses must also disclose in a form that is reasonably accessible to consumers and in accordance with a specified process that consumers have a right to request that their Personal Information be deleted.
- (b) With respect to the GDPR: If the grounds for processing Personal Data is based on the consent of the data subject, the controller or processor understand and agree that any such consent must be as defined in the Applicable Privacy Law, as follows: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
- 2.7 Data Retention Requirements:
- (a) With respect to the CCPA: Businesses are not required to retain Personal Information collected for a single, one-time transaction if the information is not sold or retained by the business. However, businesses that sell or retain Personal Information shall provide disclosures to consumers regarding the collection and use of their Personal Information covering the preceding 12-month period from the date of receipt of the request.
- (b) With respect to the GDPR: Personal Data must be retained in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed, except as provided in the Applicable Privacy Law. Information about the period for which Personal Data will be stored, or if that is not possible, the criteria used to determine that period, shall be included as part of the information requirements (see Section 2.5(b) above).
- 2.8 Individual Rights:
- (a) With respect to the CCPA: Subject to exemptions or conditions in the Applicable Privacy Law, if any, each consumer shall have the right to: (i) request that a business delete Personal Information that it has collected on such consumer; (ii) request and receive information about, and specific items of, Personal Information on such consumer that has been collected or sold or disclosed to third parties by a business; (iii) opt out of the sale of a consumer’s Personal Information; and (iv) not be discriminated against due to the exercise of any right established by the CCPA.
- (b) With respect to the GDPR: Subject to exemptions or conditions in the Applicable Privacy Law, if any, each data subject shall have the right to: (i) request that a data controller or data processor delete Personal Data that it has collected on such data subject; (ii) request and receive information about, and specific items of, Personal Data of such data subject that has been collected or sold or disclosed to third parties by a data controller or data processor; (iii) request that Personal Data be rectified; (iv) have the processing of Personal Data restricted; (v) have Personal Data provided to it and transferred to another organization; (vi) object to the processing of its Personal Data; (vii) withdraw consent to the processing of its Personal Data; (viii) complain to a regulator concerning the processing of its Personal Data; and (ix) not be subject to a decision based solely on certain forms of automatic processing, including profiling.
- 2.9 Opt Out:
- (a) With respect to the CCPA: Any business that proposes to sell consumers’ Personal Information shall disclose this fact to such consumers, who shall have the right to opt out of the sale of their Personal Information. For consumers under the age of 16, the parents of any such consumer have the right to opt-in to any sale of such consumer’s personal information.
- (b) With respect to the GDPR: Data subjects may seek to enforce their rights described in Section 2.8(b) with regard to any selling of their Personal Data.
- 2.10 Remedies:
- (a) With respect to the CCPA: (i) The CCPA provides a private right of action for any consumer whose non-encrypted or non-redacted Personal Information was subject to an unauthorized access and exfiltration, theft or disclosure as a result of a business’ failure to implement and maintain reasonable security procedures. Statutory damages are provided in the Applicable Privacy Law and also injunctive and declaratory relief and any other relief deemed proper by the court. (ii) The CCPA also provides for administrative enforcement, including by authorizing the attorney general of California to bring actions for civil penalties against any business that fails to cure an alleged violation of the Applicable Privacy Law within 30 days of being notified of such violation.
- (b) With respect to the GDPR: Data subjects have the right to: (i) A judicial remedy against a legally binding decision of a regulator. (ii) A judicial remedy against a controller or processor. (iii) Compensation from a controller or processor. Regulators may also impose fines on controllers or processors as provided in the Applicable Privacy Law.
- 2.11 Limited Supplier Rights. Except as expressly set forth to the contrary in this DPA or the Contracts, Supplier acknowledges that it has no right, title or interest in Personal Information or Personal Data and may not sell, rent or lease Personal Information or Personal Data to anyone.
3. SUBPROCESSING
- 3.1 Appointment of Sub-Processors. Supplier shall not subcontract any processing of the Personal Data or Personal Information to a Sub-Processor without the prior written consent of Customer. Such consent will not be unreasonably withheld, delayed or conditioned. Notwithstanding this, Customer hereby consents to Supplier engaging Sub-Processors to process the Personal Data and Personal Information provided that:
- (a) Notification of New Sub-Processors. Supplier provides at least 30 days prior written notice to Customer of any change in its Sub-Processors (including details of the processing, location and any other information reasonably required by Customer) and Supplier shall update the list of all Sub-Processors engaged to process Personal Data and Personal Information under this DPA at Annex C and send such updated version to Customer prior to the change of Sub-Processor;
- (b) Objection Right for New Sub-Processors. Customer may object to the appointment or replacement of a Sub-Processor within 10 days after Customer first receives prior notice of such change, provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss in good faith commercially reasonable alternative solutions;
- (c) Data Protection Terms for Sub-Processors. Supplier imposes the same data protection terms contained in this DPA on any Sub-Processor it engages; and
- (d) Liability. Supplier remains fully liable for the acts or omissions of its Sub-Processors to the same extent Supplier would be liable if performing the services of each Sub-Processor directly under the terms of this DPA.
4. RIGHTS OF DATA SUBJECTS AND CONSUMERS AND COOPERATION
- 4.1 Data Subject or Consumer Request. Supplier shall, taking into account the nature of the processing, reasonably cooperate with Customer to enable Customer to respond to any requests, complaints or other communications from Data Subjects or Consumers or regulatory or judicial bodies relating to the processing of Personal Data or Personal Information, including requests from Data Subjects or Consumers seeking to exercise their rights under Applicable Privacy Laws (“Data Request”). In the event a Data Request is made directly to Supplier, Supplier shall promptly notify the Customer of the request and shall not respond to such communication without Customer’s express authorization.
- 4.2 Subpoenas and Court Orders. If Supplier receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Data or Personal Information, Supplier shall not disclose any information but shall immediately notify Customer in writing of such request, and reasonably cooperate with Customer if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.
- 4.3 Data Privacy Impact Assessments (“DPIAs”). To the extent Supplier is required under Applicable Privacy Laws, Supplier will assist Customer (or its third-party Controller) to conduct a data protection impact assessment (DPIA) and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity conducted in connection with the Services and the performance of the Contracts that may present a high risk to Data Subjects or Consumers with respect to unauthorized disclosures of data.
5. DATA ACCESS & SECURITY MEASURES
- 5.1 Confidentiality and Limitation of Access. Supplier shall ensure that any Authorized Person is subject to a duty of confidentiality (whether a contractual or statutory duty) and that they process Personal Data and Personal Information only for the purpose of delivering the Services under the Contracts to Customer. Supplier shall ensure that Supplier’s access to Personal Data and Personal Information is limited to those personnel performing the Services.
- 5.2 Security Measures. Supplier will implement and maintain all appropriate technical and organizational measures to protect any Personal Data and Personal Information from Security Incidents and to preserve the security and confidentiality of such Personal Data and Personal Information. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, Supplier agrees to the Security Measures identified at Annex B related to the protection of Personal Data and Personal Information.
6. SECURITY INCIDENTS
- 6.1 Notification of Security Incidents. In the event of a Security Incident, Supplier shall inform Customer without undue delay, and in any event no later than 24 hours after becoming aware of such Security Incident, and provide written details of the Security Incident, including the type of data affected and the identity of affected persons as soon as such information becomes known or available to Supplier.
- 6.2 Supplier Obligations Following Security Incident. In the event of a Security Incident, Supplier shall:
- (a) Provide all timely information and cooperation as Customer may reasonably require to fulfill Customer’s data breach reporting obligations under (and in accordance with the timeframes provided by) Applicable Privacy Laws or to comply with or respond to any inquiries by a data protection authority or any lawsuit arising from the Security Incident, including collecting and preserving all evidence pertaining to the Security Incident and any investigation conducted by Supplier. Such information shall include, without limitation:
- (i) the nature of the Security Incident including, where possible, the categories and approximate number of Data Subjects and Consumers concerned and the categories and approximate number of records concerned;
- (ii) the name and contact details of the contact point within Supplier (or Supplier’s Sub-Processor, as applicable) who can provide more information on the Security Incident;
- (iii) a description of the likely consequences of the Security Incident based on Supplier’s reasonable assessment; and
- (iv) a description of the measures Supplier (or its Sub-Processors, as applicable) will take, proposes to take, or suggests that Customer takes to address the Security Incident, including, where appropriate, to mitigate its possible adverse effects.
- (b) Promptly take all such measures and actions as are appropriate to remedy or mitigate the effects of the Security Incident and shall keep Customer informed about all developments in connection with the Security Incident; and
- (c) Reasonably assist Customer, at Customer’s expense and if requested by Customer, to prepare and send all notifications that are legally required or reasonably necessary with respect to each Data Security Incident involving Personal Data and Personal Information.
- 6.3 The content and provision of any notification, public and regulatory communication, or press release concerning the Security Incident shall be solely at Customer’s reasonable discretion, except as otherwise required by Applicable Privacy Laws.
7. SECURITY REPORTS & INSPECTIONS
- 7.1 Supplier Security Standards. Supplier shall maintain records of its security standards. Upon request, Supplier shall provide to Customer copies of relevant external certifications, audit report summaries or other documentation maintained or obtained by Supplier in order to verify Supplier’s compliance with this DPA.
- 7.2 Right of Inspection. While it is the Parties’ intention ordinarily to rely on Supplier’s obligations set forth in Section 7.1 to verify Supplier’s compliance with this DPA, Customer (or its appointed representatives) may, at Customer’s sole expense, carry out an inspection of the Supplier’s operations and facilities where Customer considers it necessary or appropriate (for example, without limitation, where Customer has reasonable concerns about Supplier’s data protection compliance, following a Security Incident or following instruction from a data protection authority). With respect to any such inspection, Supplier shall make available all information reasonably necessary to demonstrate compliance with Applicable Privacy Laws. Notwithstanding the foregoing, any such inspection shall be (a) limited to the provision of Supplier’s then-current technical documentation which relates to the processing of Personal Data and Personal Information unless otherwise required by a data protection authority, (b) subject to Supplier’s confidentiality, security and safety terms and policies, and (c) conducted during ordinary business hours and after reasonable advance written notice.
8. INTERNATIONAL TRANSFERS
- 8.1 International Transfers. Supplier or its Affiliates shall not process or transfer any Personal Data or Personal Information in or to a territory other than the territory in which the Personal Data and Personal Information was first collected (nor permit such data to be so processed or transferred) unless it takes all such measures as are necessary to ensure such processing or transfer is in compliance with Applicable Privacy Laws (including such measures as may be communicated by Customer to Supplier) and in accordance with any applicable transfer mechanism provisions set forth in Section 8.3 below. However, Customer’s execution of each Contract shall be deemed to be Customer’s instructions to Supplier with respect to the transfer of Personal Data and Personal Information pursuant to the Services provided under the Contracts. Except with respect to such transfers under the Contracts, Supplier shall inform Customer of any international transfers of Personal Data and Personal Information in advance of making the transfer and shall assist Customer in assessing the parties’ respective obligations to comply with Applicable Privacy Laws.
- 8.2 Privacy Shield Flow Downs. To the extent that Customer or the Authorized Affiliates are self-certified to the Privacy Shield, Supplier represents and warrants that it shall:
- (a) Provide at least the same level of protection to such Customer Personal Data as is required by the Privacy Shield Principles and the Security Measures set forth in Section 5.2 of this DPA; and
- (b) Promptly notify Customer if it makes a determination that it can no longer meet its obligations under Section 8.2(a) above, and in such event, to work with Customer and promptly take all reasonable and appropriate steps to stop and remediate (if remediable) any processing until such time as the processing meets the level of protection as is required by Section 8.2(a).
- 8.3 Transfer Mechanisms.
- (a) Supplier Self-Certification to Privacy Shield. To the extent Supplier or its US Affiliates are self-certified to Privacy Shield, Supplier agrees: (i) that it or its US Affiliates (as applicable) shall maintain such Privacy Shield certification; and (ii) with respect to Customer Personal Data that is protected by EEA Data Protection Law or that originates from Switzerland, it or its US Affiliates (as applicable) shall comply with the Privacy Shield Principles when handling such data.
- (b) Processor Binding Corporate Rules. To the extent Supplier has adopted Processor Binding Corporate Rules, Supplier agrees that it shall maintain such Processor Binding Corporate Rules when handling Customer Personal Data.
- (c) Incorporation of Model Clauses. In the event Supplier or its Affiliates are not utilizing the transfer mechanisms set forth in 8.3 (a) or (b), then the Parties further agree: (i) the Model Clauses are incorporated by reference and form an integral part of this DPA; (ii) Supplier or its Affiliates (as applicable) shall be the “data importer” and Customer (acting on behalf of itself and all Affiliates) is the “data exporter” (notwithstanding that Customer may be located outside the European Economic Area or Switzerland and may itself be a Processor acting on behalf of third party Controllers); and (iii) Annexes A and B of this DPA will take the place of Appendixes 1 and 2 of the Model Clauses, respectively.
- 8.4 Disclosure of DPA. Each Party acknowledges that the other Party or its Affiliates may disclose this DPA and any relevant privacy provisions in the Contracts to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US or EU judicial or regulatory body upon their legitimate and authorized request.
9. DELETION AND RETURN OF PERSONAL DATA
- 9.1 Upon Customer’s request, or upon termination or expiry of this DPA, Supplier shall destroy or return to Customer all Personal Data and Personal Information (including copies) in its possession or control, if any (including any Personal Data and Personal Information processed or controlled by its Sub-Processors). This requirement shall not apply to the extent that Supplier is required by any applicable law to retain some or all of the Personal Data or Personal Information, or with respect to Personal Data or Personal Information it has archived on back-up systems, in which event Supplier shall protect the Personal Data and Personal Information from any further processing except to the extent required by such law.
10. LIABILITY
- 10.1 The liability of Customer and each Authorized Affiliate pursuant to this DPA and the Model Clauses shall be several and the other Customer companies shall not be liable for any liability of such Customer company incurred under this DPA or the Model Clauses.
- 10.2 In any event, no Supplier or Supplier Affiliate shall be able to claim more than once for the same loss or damage when such a claim has already been made by such Supplier company against one of the other Customer companies.
- 10.3 The liability of each Supplier and each Supplier Affiliate pursuant to this DPA and the Model Clauses shall be several and the other Supplier companies shall not be liable for any liability of such Supplier company incurred under this DPA or the Model Clauses.
- 10.4 In any event, no Customer or Authorized Affiliate shall be able to claim more than once for the same loss or damage when such a claim has already been made by such Customer company against one of the other Supplier companies.
11. GENERAL
- 11.1 The obligations placed upon the Parties under this DPA shall survive so long as Supplier or its Sub-Processors process Personal Data or Personal Information on behalf of Customer. The provisions contained in this DPA and its attachments, annexes, exhibits and schedules that by their context are intended to survive termination or expiration will survive accordingly.
- 11.2 This DPA may not be modified except by a subsequent written instrument signed by both Parties.
- 11.3 If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
- 11.4 Except for the changes made by this DPA, the Contracts shall remain unchanged and in full force and effect. In the event of any conflict or inconsistency between this DPA and any other term or terms of the Contracts, this DPA shall prevail in respect of the subject matter (i.e. the protection of Personal Data or Personal Information). This Agreement including annexes, schedules, exhibits and the like, together with the Contracts, constitute the entire, final, exclusive and complete agreement with respect to such subject matter.
- 11.5 Clause headings and other headings in this DPA are for convenience of reference only and shall not constitute a part of or otherwise affect the meaning or interpretation of this DPA. Attachments, annexes, exhibits and schedules to this DPA shall be deemed to be an integral part of this DPA to the same extent as if they had been set forth verbatim herein.
- 11.6 This DPA shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions set out in the Contract that is the Master Subscription Agreement, unless required otherwise by Applicable Privacy Laws.
- 11.7 Nothing in this DPA shall be deemed to: (a) constitute a Customer company the agent of any Supplier company, nor authorise a Customer company to make or enter into any commitments for or on behalf of any Supplier company; or (b) constitute a Supplier company the agent of any Customer company, nor authorise a Supplier company to make or enter into any commitments for or on behalf of any Customer company; or (c) create a partnership, joint venture or other relationship.
- 11.8 Each Party warrants that it has authority to act on behalf of itself and its Affiliated companies, including such companies that may be added as a Party to this DPA by either Party.
- 11.9 This DPA may be executed in two or more counterparts, each of which shall be deemed an original and all of which taken together shall be deemed to constitute one and the same document. The Parties may sign and deliver this DPA by email transmission.