1.1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 “Company Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Company, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.1.2 “Personal Information” means any information defined as “personal information” or “personal data” under Data Protection Laws including data (i) relating to an identified or identifiable natural person; or (ii) that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, regardless of the media in which it is maintained, that may be:
22.214.171.124 processed at any time by Vendor in anticipation of, in connection with or incidental to the performance of the Services under the Principal Agreement and this DPA; or
126.96.36.199 derived by Vendor from such information.
1.1.3 “Company Personal Data” means any Personal Data Processed by Vendor on behalf of a Company pursuant to or in connection with the Principal Agreement and according to Company instructions.
1.1.4 “Data Protection Laws” means EU, UK and Non-EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
1.1.5 “EEA” means the European Economic Area.
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
1.1.7 “UK Data Protection Laws” means (a) the UK Data Protection Act 2018 incorporating the GDPR (as may be amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019); (b) the GDPR, read in conjunction with and subject to any Member State law that provides for specifications or restrictions of its rules; and (c) any other applicable UK or EU data protection or privacy law to the extent that such law applies to a Company, Vendor Affiliate or Vendor, in each case as amended, replaced or superseded from time to time.
1.1.8 “Non-EU Data Protection Laws” means the “Non-EU Applicable Laws” as described above by the respective governmental institutions.
1.1.9 “GDPR” means EU General Data Protection Regulation 2016/679.
1.1.10 “Restricted Transfer” means:
188.8.131.52 a transfer of Company Personal Data from Company to Vendor; or
184.108.40.206 an onward transfer of Company Personal Data from Vendor to a Subprocessor, or between two establishments of Vendor and Subprocessor,
in each case, where such transfer would be prohibited by Data Protection Laws defined above (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under Schedule 1 below or, on a case by case basis, such other lawful transfer mechanism referred to in Article 46 of the GDPR or derogation referred to in Article 49 of the GDPR as may apply.
1.1.11 “Services” means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Company pursuant to the Principal Agreement.
1.1.12 “Standard Contractual Clauses” means the model clauses for the transfer of Personal Data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e, which clauses are incorporated herein by this reference.
1.1.13 “Subprocessor” means any person (including any third party, but excluding an employee of Vendor) appointed by or on behalf of Vendor to Process Personal Data on behalf of Company in connection with the Principal Agreement.
1.1.14 “Privacy and Data Protection Requirements” means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
1.2. The terms, “Commission“, “Controller“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3. The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
2. Processing of Company Personal Data
2.1. Vendor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 not Process Company Personal Data other than on Company’s documented instructions unless Processing is required by Applicable Laws to which the Vendor is subject, in which case Vendor shall to the extent permitted by Applicable Laws inform the Company of that legal requirement before the relevant Processing of that Personal Data.
2.1.3 maintain the confidentiality of all Personal Information, will not sell it to anyone, and will not disclose it to third parties unless the Company or this DPA specifically authorizes the disclosure, or as required by law. If a law requires the Vendor to process or disclose Personal Information, the Vendor must first inform the Company of the legal requirement and give the Company an opportunity to object or challenge the requirement, unless the law prohibits such notice.
2.1.4 reasonably assist the Company with meeting the Company’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Vendor’s processing and the information available to the Vendor.
2.1.5 promptly notify the Company of any changes to Privacy and Data Protection Requirements that may adversely affect the Vendor’s performance of the Master Agreement.
2.1.6 if additional Processing (including Transfer) requirements are necessary for any specific jurisdiction in order for the Processing by Vendor or its Authorized Subprocessors to be compliant with Applicable Law, Vendor and Company shall negotiate in good faith to amend this Agreement to include such requirements and implement these provisions accordingly.
2.2.1 instructs Vendor (and authorizes Vendor to instruct each Subprocessor) to:
220.127.116.11 Process Company Personal Data; and
18.104.22.168 in particular, transfer Company Personal Data to any country or territory, provided it is to a country that provides an adequate level of protection as determined by the standard defined by applicable data protection laws or safeguards are in place to provide an adequate level of protection such as standard contractual clauses approved by the relevant Government or Commissioned bodies or the transfer is otherwise permitted under Data Protection Law,
to the extent and in such a manner as is reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and
2.2.2 warrants and represents that it is and, unless it provides written notice to the Vendor to the contrary, will remain duly and effectively authorized to give the instruction set out in section 2.2.1 on behalf of each relevant Company Affiliate.
2.2.3 retains control of the Company Personal Data and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Vendor.
3. Vendor Personnel
3. Vendor Personnel
Vendor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Vendor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Vendor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor shall in relation to the Company Personal Data implement appropriate physical, technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Vendor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5.1 Company authorizes Vendor to appoint (and permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.
5.2 Vendor may continue to use those Subprocessors already engaged by Vendor as at the date of this Addendum and add new Subprocessors, subject to in each case as soon as practicable meeting the obligations set out in section 5.3 and 5.4.
5.3 Vendor shall ensure that each Subprocessor performs the obligations under the applicable sections of this DPA, as they apply to Processing of Company Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Vendor.
5.4 Before replacing or adding a new Subprocessor, Vendor shall give Company reasonable notice of such replacement or addition, giving Company an opportunity to object.
6. Data Subject Rights
6. Data Subject Rights
6.1. Taking into account the nature of the Processing, Vendor shall assist Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Companys’ obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2. Vendor shall:
6.2.1 promptly notify Company if Vendor receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2 ensure that Vendor does not respond to that request except on the documented instructions of Company or the relevant Company Affiliate or as required by Applicable Laws to which Vendor is subject, in which case Vendor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Vendor responds to the request.
6.3. Company shall:
6.3.1 Promptly notify Vendor if Customer receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data;
6.3.2 Assist Vendor as necessary to fulfil Data Subject requests.
7. Personal Data Breach
7. Personal Data Breach
7.1 Vendor shall notify Company without undue delay upon Vendor or any Subprocessor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Vendor shall co-operate with Company and Company and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
7.3 Company shall co-operate with Vendor and take such reasonable commercial steps as are directed by Vendor to assist in the investigation, mitigation, and remediation of each such Personal Data Breach as necessary.
7.4 The Vendor can claim compensation for support services that are not included in the service description or are not attributable to misconduct on the part of the contractor. If necessary, Vendor will submit a separate offer to the Company for approval. Vendor will charge the following fees:
7.4.1 $187.50 plus tax per hour. On Saturdays a surcharge of 50%, on Sundays and holidays a surcharge of 100% will be charged.
7.4.2 The client must reimburse Vendor separately for the following expenses: Travel costs ($0.70 / mile plus tax), travel time ($95.00 / hour plus tax), hotel costs, expenses according to the law and, if applicable, other costs according to expenditure and as proof.
7.4.3 Each invoice is due for payment within ten working days without deduction.
8. Data Protection Impact Assessment and Prior Consultation
8. Data Protection Impact Assessment and Prior Consultation
Vendor shall provide reasonable assistance to Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required of any Company by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, Vendor.
9. Deletion or return of Company Personal Data
9. Deletion or return of Company Personal Data
9.1 Subject to sections 9.2 and 9.3, Vendor shall promptly after the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data unless otherwise required by applicable Data Protection Laws or other regulations.
9.2 Subject to section 9.3, Company may in its absolute discretion by written notice to Vendor within 30 days of the Cessation Date require Vendor to (a) return a complete copy of all Company Personal Data to Company by secure file transfer in such format as is reasonably notified by Company to Vendor; and (b) delete and procure the deletion of all other copies of Company Personal Data Processed by Vendor. Vendor shall comply with any such written request within 30 days of the Cessation Date unless otherwise required by applicable Data Protection Laws or other regulations.
9.3 Vendor may retain Company Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Vendor shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
9.4 Vendor shall, if requested in writing by Company, provide written certification to Company that it has fully complied with this section 9 within 30 days of the Cessation Date.
10. Audit Rights
10. Audit Rights
10.1 Within thirty (30) days of Company’s written request, and no more than once annually and subject to the confidentiality obligations set forth in the Agreement, Vendor shall make available to Company (or a mutually agreed upon third-party auditor) information reasonably necessary to demonstrate Vendor’s compliance with the obligations set forth in this Addendum.
10.2 The Vendor may assert a claim for remuneration in order to enable the client to carry out audits or inspections. If necessary, Vendor will submit a separate offer to the Company for approval. Vendor will charge the following fees:
10.2.1 $187.50 plus tax per hour. On Saturdays a surcharge of 50%, on Sundays and holidays a surcharge of 100% will be charged.
10.2.2 The client must reimburse Vendor separately for the following expenses: Travel costs ($0.70 / mile plus tax), travel time ($95.00 / hour plus tax), hotel costs, expenses according to the law and, if applicable, other costs according to expenditure and as proof.
10.2.3 Each invoice is due for payment within ten working days without deduction.
11. Restricted Transfers
11. Restricted Transfers
11.1 Subject to section 11.3, Company (as “data exporter”) and Vendor, as appropriate, (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from that Company to Vendor.
11.2 The Standard Contractual Clauses shall come into effect under section 11.1 on the later of:
11.2.1 the data exporter becoming a party to them;
11.2.2 the data importer becoming a party to them; and
11.2.3 commencement of the relevant Restricted Transfer.
11.3 Section 11.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
12. General Terms
12. General Terms
Governing law and jurisdiction
12.1 Without prejudice to Clause 17 of the Standard Contractual Clauses:
12.1.1 the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
12.1.2 this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
Order of precedence
12.2 Nothing in this Addendum reduces Vendor’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits Vendor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
12.3 Subject to section 12.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
Changes in Data Protection Laws, etc.
12.4 Company may:
12.4.1 by at least 60 (sixty) calendar days’ written notice to Vendor from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under section 11.1), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
12.4.2 propose any other variations to this Addendum which Company reasonably considers to be necessary to address the requirements of any Data Protection Law.
12.5 If Company gives notice under section 12.4.1:
12.5.1 Vendor shall promptly co-operate (and ensure that any affected Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 5.3; and
12.5.2 Company shall not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by Vendor to protect the Vendor against additional risks associated with the variations made under section 12.4.1 or
12.6 If Company gives notice under section 12.4.2, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Company’s notice as soon as is reasonably practicable.
12.7 Neither Company nor Vendor shall require the consent or approval of any Company Affiliate to amend this Addendum pursuant to this section 12.5 or otherwise.
12.8 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
This Addendum is entered into and becomes a binding part of the Principal Agreement with effect from the date of execution of the Principal Agreement.
Schedule I – Standard Contractual Clauses
Schedule I – Standard Contractual Clauses
1.1 To the extent legally required, the signatories to the Agreement are deemed to have signed the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=e (the “2021 Standard Contractual Clauses”), which form part of this DPA and will be deemed completed as follows:
1.1.1 Module 2 of the 2021 Standard Contractual Clauses applies to transfers of Personal Data from Company to Vendor and Module 4 of the 2021 Standard Contractual Clauses applies to transfers of Personal Data from Vendor to Company;
1.1.2 Clause 7 of Modules 2 and 4 (the optional docking clause) is not included;
1.1.3 Under Clause 9 of Module 2 (Use of sub-processors). the parties select Option 2 (general authorization). The contents of Annex III (the list of sub-processors already authorized by Company) are attached hereto as Schedule 3 to this DPA;
1.1.4 Under Clause 11 of Modules 2 and 4 (Redress). the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
1.1.5 Under Clause 17 of Modules 2 and 4 (Governing law). the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of the Federal Republic of Germany;
1.1.6 Under Clause 18 of Modules 2 and 4 (Choice of forum and jurisdiction). the parties select the courts of the Federal Republic of Germany.
This Annex forms part of the Standard Contractual Clauses
Data exporter is Company.
Address: the Company’s address set out in the Principal Agreement.
Contact person’s name, position, and contact details: the Company’s contact details as set out in the Principal Agreement or order form.
Activities relevant to the data transferred under these Clauses: activities necessary to provide the Services described in the Principal Agreement.
The data importer is Filestage GmbH.
Address: Lautenschlagerstraße 16, 70173 Stuttgart, Germany
Contact person’s name, position, and contact details:
Data Protection Officer
Phone: +49 721 98615899
Activities relevant to the data transferred under these Clauses:
activities necessary to provide the Services described in the Principal Agreement.
Categories of data subjects whose personal data is transferred
The categories of persons concerned by the processing include:
Users of the Filestage platform
Categories of personal data transferred
The subject of the processing of personal data are the following data types/categories (enumeration/description of data categories):
Personal master data (first name, last name)
Communication data (e-mail address, telephone number if applicable)
Contract billing and payment data (bank details, email address for sending invoices, billing address)
Contract master data (contractual relationship, product or contractual interest)
User data (password (only in hashed form), IP address)
Sensitive data transferred (if applicable)
The Frequency of the Transfer
Nature of the processing
The processes may include collection, storage, retrieval, consultation, use, erasure or destruction, disclosure by transmission, dissemination, or otherwise making available data exporter’s data as necessary to provide the Services in accordance with the data exporter’s instructions, including related internal purposes.
Purpose(s) if the data transfer and further processing
The objective of the processing of Personal Data by the data importer is the performance of the services related to the Principal Agreement with the data exporter.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
Personal data is retained for so long as is reasonably necessary to fulfill the purposes for which the data was collected, to perform Vendor’s contractual and legal obligations, and for any applicable statute of limitations periods for the purposes of bringing and defending claims, or as long as legally required by a relevant authority or law.
Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13.
Technical And Organisational Measures Including Technical And Organisational Measures To Ensure The Security Of The Data
The description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are as follows:
An Information Security policy and topic-specific policies are defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and are periodically reviewed and if significant changes occur.
Information security roles and responsibilities are defined and allocated.
Conflicting duties and conflicting areas of responsibility are segregated.
Management requires all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures.
Contact with relevant authorities has been established and is maintained.
Contact with special interest groups or other specialist security forums and professional associations has been established and is maintained.
Information relating to information security threats is collected and analysed to produce threat intelligence.
Information security is integrated into project management.
An inventory of information and other associated assets, including owners, has been developed and is maintained.
Rules for the acceptable use and procedures for handling information and other associated assets are identified, documented and implemented.
Personnel and other interested parties as appropriate return all assets in their possession upon change or termination of their employment, contract or agreement.
Information is classified, according to information security needs, based on confidentiality, integrity, availability and relevant interested party requirements.
An appropriate set of procedures for information labelling are developed and implemented in accordance with the information classification scheme.
Information transfer rules, procedures, or agreements are in place for all types of internal and external transfer facilities.
Rules to control physical and logical access to information and other associated assets are established and implemented based on business and information security requirements.
The full life cycle of identities is managed.
Allocation and management of authentication information is controlled by a management process, including advising personnel on the appropriate handling of authentication information.
Access rights to information and other associated assets are provisioned, periodically reviewed, modified and removed in accordance with the topic-specific policy on and rules for access control.
Processes and procedures are defined and implemented to manage the information security risks associated with the use of supplier’s products or services.
Relevant information security requirements are established and agreed with each supplier based on the type of supplier relationship.
Processes and procedures are defined and implemented to manage the information security risks associated with the ICT products and services supply chain.
Change in supplier information security practices and service delivery is periodically monitored, reviewed, evaluated and managed.
Processes for acquisition, use, management and exit from cloud services are established in accordance with information security requirements.
Information security incidents are planned and prepared for by defining, establishing and communicating information security incident management processes, roles and responsibilities.
Information security events are assessed to decide if they are to be categorized as information security incidents.
Information security incidents are responded to in accordance with the documented procedures.
Knowledge gained from information security incidents is used to strengthen and improve the information security controls.
Procedures for the identification, collection, acquisition and preservation of evidence related to information security events are established and implemented.
Plans are established for maintaining information security at an appropriate level during disruption.
ICT readiness is planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Legal, statutory, regulatory and contractual requirements relevant to information security and the approach to meet these requirements are identified, documented and kept up to date.
Appropriate procedures to protect intellectual property rights are implemented.
Records are protected from loss, destruction, falsification, unauthorized access and unauthorized release.
Requirements regarding the preservation of privacy and protection of personally identifiable information according to applicable laws and regulations and contractual requirements are identified and met.
The approach to managing information security and its implementation including people, processes and technologies is reviewed independently at planned intervals, or when significant changes occur.
Compliance with the information security policy, topic-specific policies, rules and standards is periodically reviewed.
Operating procedures for information processing facilities are documented and made available to personnel who need them.
Background verification checks on senior management candidates are carried out prior to employment and on an a periodic basis taking into consideration applicable laws, regulations and ethics and are proportional to the business requirements, the classification of the information to be accessed and the perceived risks.
The employment contractual agreements state the personnel’s and the data importer’s responsibilities for information security.
Personnel and relevant interested parties receive appropriate information security awareness, education and training and regular updates of the information security policy, topic-specific policies and procedures, as relevant for their job function.
A disciplinary process is formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.
Information security responsibilities and duties that remain valid after termination or change of employment are defined, enforced and communicated to relevant personnel and other interested parties.
Confidentiality or non-disclosure agreements reflecting the needs for the protection of information are identified, documented, periodically reviewed and signed by personnel and other relevant interested parties.
Security measures are implemented when personnel are working remotely to protect information.
A mechanism is provided for personnel to report observed or suspected information security events through appropriate channels in a timely manner.
Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities are defined and appropriately enforced.
Storage media is managed through their life cycle of acquisition, use, transportation and disposal in accordance with the classification scheme and handling requirements.
Items of equipment containing storage media is verified to ensure that any sensitive data and licensed software is removed or securely overwritten prior to disposal or re-use.
Information stored on, processed by or accessible via user endpoint devices is protected.
The allocation and use of privileged access rights is restricted and managed.
Access to information and other associated assets is restricted in accordance with the established topic-specific policy on access control.
Read and write access to source code, development tools and software libraries is appropriately managed.
Secure authentication technologies and procedures are implemented based on information access restrictions and the topic-specific policy on access control.
The use of resources is monitored and adjusted in line with current and expected capacity requirements.
Protection against malware is implemented and supported by appropriate user awareness.
Information about technical vulnerabilities of information systems in use is obtained, and exposure to such vulnerabilities is evaluated and appropriate measures are taken.
Configurations, including security configurations, of hardware, software, services and networks are established, documented, implemented, monitored and reviewed.
Information stored in information systems, devices or in any other storage media is deleted when no longer required.
Data masking is used in accordance with the topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
Data leakage prevention measures are applied to systems, networks and any other devices that process, store or transmit sensitive information.
Backup copies of information, software and systems are maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
Information processing facilities are implemented with redundancy sufficient to meet availability requirements.
Logs that record activities, exceptions, faults and other relevant events are produced, stored, protected and analysed.
Networks, systems and applications are monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
The use of utility programs that can be capable of overriding system and application controls is restricted and tightly controlled.
Procedures and measures are implemented to securely manage software installation on operational systems.
Networks and network devices are secured, managed and controlled to protect information in systems and applications.
Security mechanisms, service levels and service requirements of network services are identified, implemented and monitored.
Groups of information services, users and information systems are segregated within networks.
Access to external websites is managed to reduce exposure to malicious content.
Rules for the effective use of cryptography, including cryptographic key management, is defined and implemented.
Rules for the secure development of software and systems are established and applied.
Information security requirements are identified, specified and approved when developing or acquiring applications.
Principles for engineering secure systems are established, documented, maintained and applied to any information system development activities.
Secure coding principles are applied to software development.
Security testing processes are defined and implemented in the development life cycle.
Activities related to outsourced system development are directed, monitored and reviewed.
Development, testing and production environments are separated and secured.
Changes to information processing facilities and information systems are subject to change management procedures.
Test information is appropriately selected, protected and managed.
The Customer has authorized the use of the listed sub-processors effective as of the date of this DPA.
Schedule II: UK Addendum to the EU Standard Contractual Clauses
Schedule II: UK Addendum to the EU Standard Contractual Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum: This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCs: The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix: As set out in Table 3.
Appropriate Safeguards: The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved Addendum: The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18.
Approved EU SCCs: The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO: The Information Commissioner.
Restricted Transfer: A transfer which is covered by Chapter V of the UK GDPR.
UK: The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR: As defined in section 3 of the Data Protection Act 2018.
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a its direct costs of performing its obligations under the Addendum; and/or
b its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.