Definitions and Interpretation
In this Addendum, the following terms shall have the following meanings:
“Applicable Privacy Laws” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question including, where applicable: (i) European Privacy Laws; (ii) the Australian Privacy Act 1988 (Cth) (“Australian Privacy Laws”); (iii) the New Zealand Privacy Act 2020; (iv) the Philippines Republic Act No. 10173; (v) the Brazilian Data Protection Law (Brazil) No. 13,709/2018 (Portuguese: Lei Geral de Proteção de Dados Pessoais) (the “LGPD”); (vi) the California Consumer Privacy Act of 2018 and its regulations (the “CCPA”); and (vii) the Virginia Consumer Data Protection Act of 2021 (the “VCDPA”); in each case as amended, superseded or replaced from time to time.
“Data Subject” means an identified or identifiable individual whose Personal Data is processed.
“European Privacy Laws” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (the “Swiss DPA”); (iv) EU Directive 2002/58/EC on Privacy and Electronic Communications; and (v) any national law made under or pursuant to items (i) – (iv); in each case as amended, superseded or replaced from time to time.
“Personal Data” means any information relating to an identified or identifiable individual or any other information defined as ‘personal data’ or ‘personal information’ under Applicable Privacy Laws.
“Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK GDPR; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
“SCCs” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021(opens in a new tab or window), as may be amended, superseded or replaced from time to time.
“UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, as may be amended, superseded or replaced from time to time.
The terms “Controller,” “Processor,” “Data Subject,” and “processing” have the meanings given to them in Applicable Privacy Laws or, if not defined therein, the GDPR (and “process,” “processes,” and “processed” shall be interpreted accordingly) and the terms “Business” and “Service Provider” have the meanings given to them in the CCPA.
Any capitalized terms used but not defined in this Addendum shall have the meanings given to them under the Agreement.
Processing of Personal Data
Relationship of the parties: Customer is a Controller or Business (as applicable) of the Personal Data (the “Data”) and Respona shall process the Data solely as a Processor or Service Provider (as applicable) on behalf of Customer. Respona and Customer shall each comply with their respective obligations under Applicable Privacy Laws and further guidance from data protection authorities with respect to such processing. Where the concepts of Controller and Processor are not expressly contemplated by Applicable Privacy Laws, the parties’ obligations in connection with this Addendum shall be interpreted under those Applicable Privacy Laws to align as closely as possible with the scope of those roles while still complying fully with those Applicable Privacy Laws.
Purpose limitation: Respona shall process the Data as necessary to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Customer (the “Permitted Purpose”). Respona shall not: (i) retain, use, disclose or otherwise process the Data for any purpose other than the Permitted Purpose (including for its own commercial purpose), except where otherwise required by any law applicable to Respona; or (ii) “sell” the Data within the meaning of the CCPA, VCDPA or otherwise. Respona shall immediately inform Customer if it becomes aware that Customer’s processing instructions infringe Applicable Privacy Laws but without obligation to actively monitor Customer’s compliance with Applicable Privacy Laws. The parties acknowledge that Customer’s transfer of Data to Respona is not a “sale” of Personal Data within the meaning of Applicable Privacy Laws and Respona provides no monetary or other valuable consideration to Customer in exchange for the Data.
International transfers: To the extent that Respona transfers the Data (or permits the Data to be transferred) to a country other than the country in which the Data was first collected, it shall first take such measures as are necessary to ensure that the transfer is made in compliance with Applicable Privacy Laws. Such measures may include (without limitation) transferring the Data to a recipient that has executed standard contractual clauses adopted by the European Commission, UK Secretary of State or Information Commissioner’s Office or Brazilian Data Protection Authority (as applicable) or transferring the Data to a recipient that has executed a contract with Respona that ensures the Data will be protected to the standard required by Applicable Privacy Laws. Respona will also protect the Data in a way that overall provides comparable safeguards to the country in which the Data was first collected.
Standard contractual clauses: To the extent that the transfer of Data from Customer to Respona involves a Restricted Transfer, the SCCs shall be incorporated by reference and form an integral part of this Addendum with Customer as “data exporter” and Respona as “data importer.” For the purposes of the SCCs: (i) the module two (controller to processor) terms shall apply, and the module one, three, and four terms shall be deleted in their entirety; (ii) in Clause 9, Option 2 shall apply; (iii) in Clause 11, the optional language shall be deleted; (iv) in Clause 17, Option 1 shall apply, and the SCCs shall be governed by Irish law; (v) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (vi) the Annexes of the SCCs shall be populated with the information set out in the DPA; and (vii) if and to the extent the SCCs conflict with any provision of the Agreement (including this DPA), the SCCs shall prevail to the extent of such conflict.
3.4.a. UK transfers: In relation to Data that is protected by the UK GDPR, the SCCs as incorporated under Section 2.4 shall apply with the following modifications: (i) the SCCs shall be amended as specified by the UK Addendum, which shall be incorporated by reference; (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in the DPA; (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “importer”; and (iv) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
3.4.b.Swiss transfers: In relation to Data that is protected by the Swiss DPA, the SCCs as incorporated under Section 2.4 shall apply with the following modifications: (i) references to “Regulation (EU) 2016/679” shall be interpreted as references the Swiss DPA; (ii) references to “EU,” “Union,” and “Member State” shall be replaced with “Switzerland”; (iv) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts”; and (v) the SCCs shall be governed by the laws of Switzerland, and disputes shall be resolved before the competent Swiss courts.
Confidentiality of processing: Respona shall ensure that any person that it authorizes to process the Data (including Respona’s staff, agents, and subcontractors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty). Respona shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.
Security: Respona shall implement appropriate technical and organizational measures to protect the Data from the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to the Data (a “Security Incident”).
Subprocessing: Customer authorizes Respona to engage third-party Processors (“Subprocessors”) to process the Data for the Permitted Purpose provided that:
3.7.a Respona imposes data protection terms on any Subprocessor it engages that ensure substantially the same standard of protection provided under this Addendum, and Respona remains fully liable for any breach of this Addendum caused by an act, error or omission of its Subprocessors.
3.7.b For the purposes of Clause 9(c) of the SCCs, Customer acknowledges that Respona may be restricted from disclosing Subprocessor agreements to Customer due to confidentiality obligations. Where Respona cannot disclose a Subprocessor agreement to Customer, Customer shall provide all information (on a confidential basis) it reasonably can in connection with such agreement.
Cooperation and Data Subjects’ rights: Respona shall provide all reasonable and timely assistance to Customer to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Privacy Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with Respona’s processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Respona, Respona shall promptly inform Customer providing full details of the same.
Data Protection Impact Assessment: Respona shall provide Customer with all such reasonable and timely assistance as Customer may require in order to comply with its obligation under Applicable Privacy Laws to conduct data protection impact assessments and, if necessary, to consult with its relevant data protection authority.
Security Incidents: Upon becoming aware of a Security Incident, Respona shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may reasonably require in order for Customer to fulfill its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Privacy Laws. Respona shall further take all such measures and actions as are reasonably necessary to remedy or mitigate the effects of the Security Incident and keep Customer informed of all material developments in connection with the Security Incident. Customer will not communicate or publish any notice or admission of liability concerning any Security Incident which directly or indirectly identifies Respona (including in any legal proceeding or in any notification to regulatory authorities or affected Data Subjects) without Respona’s prior approval unless Customer is compelled to do so under applicable law. In any event, Customer shall provide Respona with reasonable prior written notice of any such communication or publication.
Deletion or return of Data: Upon termination or expiry of the Agreement, Respona shall (at Customer’s election) destroy or return to Customer all Data (including all copies of the Data) in its possession or control. This requirement shall not apply to the extent that Respona is required by any law to retain some or all of the Data, in which event Respona shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.