Data Processing Agreement
This Data Processing Agreement (“DPA”) forms an integral part of the agreement signed between the G2 entity which is a party to the principal agreement (“Company” and “Agreement” respectively) and its counterparty (“Partner”, each “Party”, together “Parties”).
If Company Processes Personal Data, or if Company has access to Personal Data in the course of its performance under the Agreement, Company shall be considered a “processor”.
1. Definitions
1.1 “Approved Jurisdiction” means a member state of the EEA, the UK, or other jurisdiction as may be approved pursuant to the applicable Data Protection Law as having adequate legal protections for data by either the European Commission currently found here, or the UK Information Commissioner’s Office (ICO), as applicable.
1.2 “Data Protection Law” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), and the GDPR as it forms part of United Kingdom (UK) law by virtue of section 3 of the UK’s European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively referred to as the “UK GDPR”), including any applicable domestic laws implementing the foregoing.
1.3 “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process” and “Processing” shall have the meanings ascribed to them in the Data Protection Law.
1.4 “EEA” means those countries that are members of the European Economic Area.
1.5 “Permitted Purposes” mean any purposes in connection with Company performing its obligations under the Agreement.
1.6 “Security Measures” mean commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Company’s business, the level of sensitivity of the data collected, handled and stored, and the nature of Company’s business activities.
1.7 “Standard Contractual Clauses” mean the Commission Implementing Decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to processors established in third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as available here. Where the UK GDPR is applicable, the term Standard Contractual Clauses shall also include the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which entered into force on 21 March, 2022 (“UK Addendum”).
1.8 “Sub-Processors” mean any Affiliate, agent or assignee of Company that may process Personal Data pursuant to the terms of the Agreement, and any unaffiliated processor engaged by Company.
2. Application of this DPA
2.1 This DPA will only apply to the extent all of the following conditions are met:
2.1.1 Company processes Personal Data that is made available by Partner in connection with the Agreement (whether directly by Partner or indirectly by a third party retained by and operating for the benefit of Partner);
2.1.2 Data Protection Laws apply to the processing of Personal Data.
2.2 This DPA will only apply to the services which the parties agreed to in the Agreement, which incorporates the DPA by reference.
3. Compliance with Laws
3.1 Each Party shall comply with its respective obligations under Data Protection Law.
3.2 Company shall provide reasonable cooperation and assistance to Partner in relation to Company’s processing of Personal Data in order to allow Partner to comply with its obligations as a Data Controller under Data Protection Law.
3.3 Company agrees to notify Partner promptly if it becomes unable to comply with the terms of this DPA and take reasonable and appropriate measures to remedy such non-compliance.
3.4 Throughout the duration of the DPA, Partner agrees and warrants that:
3.4.1 Personal Data has been and will continue to be collected, processed and transferred by Partner in accordance with the relevant provisions of the Data Protection Law;
3.4.2 Partner is solely responsible for determining the lawfulness of the data processing instructions it provides to Company and shall provide Company only instructions that are lawful under Data Protection Law;
3.4.3 Processing of Personal Data by Company for the Permitted Purposes, as well as any instructions to Company in connection with Processing of Personal Data (“Processing Instructions”), has been and will continue to be carried out in accordance with the relevant provisions of the Data Protection Law; and
3.4.4 that Partner has informed Data Subjects of the processing and transfer of Personal Data pursuant to this DPA and obtained the relevant consents or lawful grounds thereto (including without limitation any consent required in order to comply with the Processing Instructions and the Permitted Purposes).
4. Processing Purpose and Instructions
4.1 The subject-matter of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, shall be as set out in the Agreement, or in Annex I.
4.2 The duration of the processing under the Agreement is determined by the Parties, as set out in the Agreement.
4.3 Company shall process Personal Data only for the Permitted Purposes and in accordance with Partner’s written Processing Instructions (unless waived in a written requirement), the Agreement and the Data Protection Law, unless Company is otherwise required to do so by law to which it is subject (and in such a case, Company shall inform Partner of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
4.4 To the extent that any Processing Instructions may result in the Processing of any Personal Data outside the scope of the Agreement and/or the Permitted Purposes, then such Processing will require prior written agreement between Company and Partner, which may include any additional fees that may be payable by Partner to Company for carrying out such Processing Instructions. Company shall immediately inform Partner if, in Company’s opinion, an instruction is in violation of Data Protection Law.
5. Reasonable Security and Safeguards
5.1 Company represents, warrants, and agrees to use Security Measures (i) to protect the availability, confidentiality, and integrity of any Personal Data collected, accessed or processed by Company in connection with this Agreement, and (ii) to protect such data from Personal Data Breach incidents.
5.2 The Security Measures are subject to technical progress and development and Company may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services procured by Partner.
5.3 Company shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who has access to and processes Personal Data. Company shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.4 Company is responsible for performing its obligations under the Agreement in a manner which enables Company to comply with Data Protection Law, including implementing appropriate technical and organizational measures.
6. Personal Data Breach. Upon becoming aware of a Personal Data Breach, Company will notify Partner without undue delay and will provide information relating to the Personal Data Breach as reasonably requested by Partner. Company will use reasonable endeavors to assist Partner in mitigating, where possible, the adverse effects of any Personal Data Breach.
7. Security Assessments and Audits
7.1 Company shall, upon reasonable and written prior notice (of no less than 30 calendar days prior notice) and subject to obligations of confidentiality, allow its data processing procedures and documentation to be inspected, no more than once a year and during regular business hours, by Partner (or its designee), at Partner’s expense, in order to ascertain compliance with this DPA, provided that such inspection shall be conducted with minimal interruption to Company’s business. Company shall cooperate in good faith with audit requests by providing access to relevant knowledgeable personnel and documentation.
7.2 At Partner’s written request, and subject to obligations of confidentiality, Company may satisfy the requirements set out in this section by providing Partner with a copy of a report so that Partner can reasonably verify Company’s compliance with its obligations under this DPA.
8. Cooperation and Assistance
8.1 If Company receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under Data Protection Law, Company will promptly redirect the request to Partner, unless legally prohibited from doing so. Company will not respond to such communication directly without Partner’s prior authorization, unless legally compelled to do so. If Company is required to respond to such a request, Company will promptly notify Partner and provide Partner with a copy of the request, unless legally prohibited from doing so.
8.2 If Company receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, Company shall (to the extent legally permitted) notify Partner upon receipt of such order, demand, or request. It is hereby clarified however that if no such response is received from Partner within three (3) business days (or otherwise any shorter period as dictated by the relevant law or authority), Company shall be entitled to provide such information.
8.3 Notwithstanding the foregoing, Company will cooperate with Partner with respect to any action taken by it pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data. Upon reasonable notice, Company shall:
8.3.1 Taking into account the nature of the processing, provide reasonable assistance to Partner by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Partner’s obligation to respond to requests for exercising Data Subject’s rights, at Partner’s expense;
8.3.2 Provide reasonable assistance to Partner in ensuring Partner’s compliance with its obligation to carry out Data Protection Impact Assessments (“DPIA”) or prior consultations with data protection authorities with respect to the processing of Personal Data, provided, however, that if such assistance entails material costs to Company, the parties shall first come to agreement on Partner reimbursing Company for such costs and expenses.
8.4 Partner agrees to exercise any right it may have to conduct an audit or inspection, including under the Standard Contractual Clauses or the UK Addendum if they apply, by instructing Company to carry out the audit described in Section 7.
9. Use of Sub-Processors
9.1 Partner provides a general authorization to Company to appoint (and permit each Sub-Processor appointed in accordance with this Clause to appoint) Processors and/or Sub Processors in accordance with this Clause.
9.2 Company may continue to use those Processors and/or Sub Processors already engaged by Company as at the date of this Agreement, subject to Company in each case as soon as practicable meeting the obligations set out in this Clause.
9.3 Company can at any time and without justification appoint a new Processor and/or Sub-Processor provided that Partner is given seven (7) days’ prior notice and Partner does not legitimately object to such changes within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a Processor and/or Sub-Processor’s non-compliance with Data Protection Law. If, in Company’s reasonable opinion, such objections are legitimate, Company shall either refrain from using such Processor and/or Sub-Processor in the context of the processing of Personal Data or shall notify Partner of its intention to continue to use the Processor and/or Sub-Processor. Where Company notifies Partner of its intention to continue to use the Processor and/or Sub-Processor in these circumstances, Partner may, by providing written notice to Company, terminate the Agreement immediately.
9.4 With respect to each Processor and/or Sub Processor, Company shall ensure that the arrangement between Company and the Processor and/or Sub Processor is governed by a written contract including terms which offer at least the same level of protection as those set out in this Agreement and meet the requirements of article 28(3) of the GDPR.
9.5 Company will be responsible for any acts, errors or omissions by its Sub-Processors, which may cause Company to breach any of its obligations under this DPA.
10. International Data Transfers
10.1 To the extent that Company processes Personal Data outside the EEA, or the UK, then the Parties shall be deemed to enter into the Standard Contractual Clauses, in which event Partner shall be deemed as the Data Exporter and Company shall be deemed as the Data Importer (as these terms are defined therein).
10.2 Company may transfer Personal Data of residents of the EEA or UK outside the EEA or the UK (“Transfer”), only subject to the following:
i. The Transfer is necessary for the purpose of Company carrying out its obligations under the Agreement, or is required under applicable laws; and
ii. The Transfer is done: (i) to an Approved Jurisdiction, or (ii) subject to appropriate safeguards (for example, the Standard Contractual Clauses), or (iii) in accordance with any of the exceptions listed in the Data Protection Law.
10.3 To the extent that the Parties will rely on the Standard Contractual Clauses, the following amendments shall apply:
i. The Parties shall be deemed to enter into the Controller to Processor Standard Contractual Clauses (Module 2).
ii. Clause 7 of the Standard Contractual Clauses shall not be applicable.
iii. In Clause 9, option 2 shall apply. The Data Importer shall inform the Data Exporter of any intended changes to the list of Sub-Processors (Annex III) at least seven (7) days prior to the engagement of the Sub-Processor. Annex III shall be updated accordingly.
iv. In Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
v. In Clause 17, option 1 shall apply. The Parties agree that the clauses shall be governed by the law of England and Wales.
vi. In Clause 18(b) the Parties choose the courts of England and Wales as their choice of forum and jurisdiction.
vii. The Parties shall complete Annex I-III below, which are incorporated in the Standard Contractual Clauses by reference.
10.4 Where the transfer of Personal Data is subject to the UK GDPR and the transfer relies on the UK Addendum, then the following amendments shall apply to the UK Addendum:
i. In Table 1, the “Exporter” is Partner and the “Importer” is Company; and the Parties’ details and signatures are included in this DPA.
ii. In Table 2, the first option is selected and the “Approved EU SCCs” are those Standard Contractual Clauses incorporated into this DPA.
iii. In Table 3: (1) “Annex 1A and 1B” shall be replaced by Annex I of this DPA; (2) “Annex II” shall be replaced by Annex II of this DPA; and (3) “Annex III” shall be replaced by Annex III of this DPA.
iv. In Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum in accordance with section 19 of the UK Addendum.
11. Data Retention and Destruction
11.1 Company will only retain Personal Data for the duration of the Agreement or as required to perform its obligations under the Agreement, or as otherwise required under applicable laws or regulations. Following expiration or termination of the Agreement, Company will delete or return to Partner all Personal Data in its possession as provided in the Agreement, except to the extent Company is required under applicable laws to retain the Personal Data. The terms of this DPA will continue to apply to such Personal Data.
11.2 Notwithstanding the foregoing, Company shall be entitled to maintain Personal Data following the termination of this Agreement for statistical and/or financial purposes provided always that Company maintains such Personal Data on an aggregated basis or otherwise after having removed all personally identifiable attributes from such Personal Data.
11.3 Notwithstanding the foregoing, Company shall be entitled to retain Personal Data solely for the establishment or exercise of legal claims, and/or in aggregated and anonymized form, for whatever purpose.
12. General
12.1 Any claims brought under this DPA will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement.
12.2 In the event of a conflict between the Agreement (or any document referred to therein) and this DPA, the provisions of this DPA shall prevail.
12.3 Changes. Company may change this DPA if the change is required to comply with Data Protection Law, a court order or guidance issued by a governmental regulator or agency, provided that such change does not:
12.3.1 seek to alter the categorization of Company as the Data Processor;
12.3.2 expand the scope of, or remove any restrictions on, either Party’s rights to use or otherwise process Personal Data; or
12.3.3 have a material adverse impact on Partner, as reasonably determined by Company.
13. Notification of Changes. If Company intends to change this DPA under this section, and such change will have a material adverse impact on Partner, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Partner at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.
ANNEX I
A. IDENTIFICATION OF PARTIES
“Data Exporter”: Partner;
“Data Importer”: Company.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
As described in the Agreement
Categories of personal data transferred
As described in the Agreement
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
As described in the Agreement
The frequency of the transfer
As described in the Agreement
Nature of the processing
As described in the Agreement
Purpose(s) of the data transfer and further processing
As described in the Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Duration of the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
The competent Supervisory authority will be in accordance with the provisions of Clause 13 of the Standard Contractual Clauses.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The description of technical and organizational security measures will be provided upon request.
ANNEX III – LIST OF SUB-PROCESSORS
The lists of current sub-processors will be provided upon request.