data processing addendum
THIS DATA PROCESSING ADDENDUM (“DPA”) is entered into and forms part of the Services Agreement (or other such titled written or electronic agreement addressing the same subject matter, as amended, the “Agreement”) between Book4Time (“Provider”) and the Customer for the purchase of online spa and recreation management software (“Software”), including related Book4Time offline or mobile components, from Book4Time, together the “Parties” and each a “Party”.
If the Customer signing this DPA is a party to the Agreement, then this DPA acts as an addendum to, and forms part of, the Agreement. If the Customer signing this DPA has executed an Order Form with Book4Time or an entity of the Book4Time Group pursuant to the Agreement, but is not itself a party to the Agreement, then this DPA acts as an addendum to that Order Form and applicable renewal Order Forms. The Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent that Book4Time processes Personal Data for which such Authorized Affiliates qualify as the Controller.
01. Definitions
In this DPA the terms below shall have the meanings set out in this Section 1, unless expressly stated otherwise. Capitalized terms used, but not defined, in this DPA shall have the meaning given to them in the Agreement. References to “including” mean “including, without limitation”.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
“Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data under the Agreement, including but not limited to, the GDPR, PIPEDA, CCPA, VCDPA and PIPL (as applicable).
“Authorized Affiliate” means any of the Customer’s Affiliate(s) which:
A. Is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom; and
B. Is permitted to use the Service pursuant to the Agreement between the Customer and Book4Time, but has not signed its own Order Form with Book4Time, and is not a “Customer” as defined under the Agreement.
“Book4Time Group” means Book4Time Inc., or any of its Affiliates.
“CCPA” means collectively the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any regulations promulgated thereunder.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Customer” means the entity that is either (i) a party to the Agreement; or (ii) an entity that has executed an Order Form with Provider or an entity of the Book4Time Group pursuant to the Agreement.
“Customer Personal Data” means any Personal Data pertaining to users of Customer’s websites or other online services that Customer makes available to Provider for Processing to perform the Services.
“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
“Data Subject Request” means the request of a Data Subject to exercise rights under Applicable Data Protection Laws in respect of Customer Personal Data in Provider’s possession, custody or control.
“EEA” means the European Economic Area.
“GDPR” means, as and where applicable to Processing concerned (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii), any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
“Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar terms as defined in Applicable Data Protection Laws.
“Personal Data Breach” means a breach of Provider’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Provider’s possession, custody or control.
“PIPEDA” means the Canadian Personal Information Protection and Electronic Documents Act.
“PIPL” means the PRC Personal Information Protection Law.
“PRC” or “China” means the People’s Republic of China, excluding Hong Kong, Macau, and Taiwan solely for the purpose of this DPA.
“Process” and inflections thereof refer to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.
“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
“Restricted Transfer” means any transfer of Customer Personal Data to any person located in (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission described in Chapter 45 of the GDPR (an “EU Restricted Transfer”) and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), in each case, which would be prohibited without a legal basis under Chapter V of the GDPR.
“SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914, as populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex).
“Services” means those services performed for Customer by Provider pursuant to the Agreement.
“Subprocessor” means any third party engaged directly or indirectly by or on behalf of Provider to Process Customer Personal Data under Provider’s care, custody or control.
“Supervisory Authority” means (i) in the context of the EEA and the EU GDPR, “supervisory authority” as defined in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
“UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
“VCDPA” means the Virginia Consumer Data Protection Act.
02. Scope of this Data Processing Addendum
2.1 The Parties acknowledge and agree that the details of Provider’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to the DPA.
2.2 Annex 2 (European Annex) to this DPA applies to Provider’s Processing of Customer Personal Data that is subject to the GDPR.
2.3 Annex 3 (California Annex) to this DPA applies to Provider’s Processing of Customer Personal Data that is subject to the CCPA.
2.4 Annex 4 (China Annex) to this DPA applies to Provider’s Processing of Customer Personal Data that is subject to the PIPL.
2.5 Annex 5 (Canada Annex) to this DPA applies to Provider’s Processing of Customer Personal Data that is subject to PIPEDA.
03. Processing of Customer Personal Data
3.1 Provider shall not Process Customer Personal Data other than on Customer’s instructions or as required by applicable laws (or in the case of Customer Personal Data subject to the GDPR, the laws of the UK or EEA, as applicable, to which Provider is subject). This DPA is a complete expression of such instructions, and Customer’s additional instructions will be binding on Provider only pursuant to an amendment to this DPA signed by both parties. Customer instructs Provider to Process Customer Personal Data to provide the Services and as authorized by the Agreement. Customer’s instructions for the Processing of Customer Personal Data shall comply with Applicable Data Protection Laws. Without prejudice to the foregoing, Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data, and the means by which Customer acquired Customer Personal Data. Where Provider receives an instruction from Customer that, in its reasonable opinion, infringes Applicable Data Protection Laws, Provider shall notify Customer.
3.2 The Parties acknowledge that Provider’s Processing of Customer Personal Data authorized by Customer’s instructions stated in this DPA are integral to the Services and the business relationship between the Parties. Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of the Agreement or any other business dealings.
04. Vendor Personnel
Provider shall ensure that all Provider employees or other personnel who Process Customer Personal Data are subject to contractual or appropriate statutory obligations of confidentiality with respect to such Customer Personal Data.
05. Security
Provider shall implement and maintain technical, organizational and physical measures designed to protect the confidentiality, integrity and availability of Customer Personal Data and prevent Personal Data Breaches. Such measures shall include the measures described in Annex 6 of this DPA (the “Security Measures”). Provider may update the Security Measures from time to time, so long as the updated measures do not decrease the overall protection of Personal Data.
06. Data Subject Requests
6.1 Provider, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance by appropriate technical and organizational measures as Customer may reasonably request to assist Customer in fulfilling its obligations to respond to Data Subject Requests.
6.2 Provider shall promptly notify Customer if it receives a Data Subject Request and not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except as required by Applicable Data Protection Laws.
07. Personal Data Breaches
7.1 Provider shall notify Customer of a Personal Data Breach without undue delay after becoming aware of the occurrence thereof. Provider’s notification of or response to a Personal Data Breach will not be construed as Provider’s acknowledgement of any fault or liability with respect to the Personal Data Breach.
7.2 If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority or other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws in a manner that directly or indirectly refers to or identifies Provider, where permitted by applicable laws, Customer agrees to notify Provider in advance and in good faith consult with Provider and consider any clarifications or corrections Provider may reasonably recommend or request to any such notification.
08. Sub-Processing
8.2 Information about Subprocessors, including their functions and locations, is available at: subprocessor page (as may be updated by Provider from time to time) or such other website address as Provider may provide to Customer from time to time (the “Subprocessor Site”).
8.3 When engaging any Subprocessor, Provider will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Customer Personal Data to the extent applicable to the nature of the services provided by such Subprocessor. Provider shall be liable for all obligations under the Agreement subcontracted to the Subprocessor or its actions and omissions related thereto to the same extent Provider would be liable if performing such obligations itself under the terms of the Agreement.
8.4 When Provider engages any Subprocessor after the effective date of the Agreement, Provider will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site or by other written means at least 15 days before such Subprocessor Processes Customer Personal Data. If Customer objects to such engagement (on reasonable grounds) in a written notice to Provider within 15 days after being notified of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and Provider will work together in good faith to consider a mutually acceptable resolution to such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Provider and pay Provider for all amounts due and owing under the Agreement as of the date of such termination.
09. Compliance Assistance; Audits
9.1 Provider, taking into account the nature of the Processing and the information available to Provider, shall provide such information and assistance as Customer may reasonably request (insofar as such information is available to Provider and the sharing thereof does not compromise the security, confidentiality, integrity or availability of Personal Data Processed by Provider) to help Customer meet its obligations under Applicable Data Protection Laws, including in relation to the security of Customer Personal Data, the reporting and investigation of Personal Data Breaches, the demonstration of Customer’s compliance with such obligations, and the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to Provider’s Processing of Customer Personal Data, including those required under Articles 35 and 36 of the GDPR.
9.2 Provider shall make available to Customer such information as Customer may reasonably request for Provider to demonstrate compliance with this DPA. Without limitation of the foregoing, Customer may conduct (in accordance with Section 9.3), at its sole cost and expense, and Provider will reasonably cooperate with, audits (including inspections, manual reviews, and automated scans and other technical and operational testing that Customer is entitled to perform under Applicable Data Protection Laws), in each case, whereby Customer or an auditor appointed by Customer may assess such compliance.
9.3 Customer shall give Provider reasonable advance notice of any such audits. Provider need not cooperate with any audit (a) performed by any third-party auditor whom Provider has not approved in advance (which approval shall not be unreasonably withheld); (b) to any individual or entity who has not entered into a non-disclosure agreement with Provider on terms acceptable to Provider in respect of information obtained in relation to the audit; (c) outside normal business hours; or (d) on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits that Customer is required to perform under Applicable Data Protection Laws. The audit must be conducted in accordance with Provider’s safety, security or other relevant policies, must not impact the security, confidentiality, integrity or availability of any data Processed by Provider and must not unreasonably interfere with Provider’s business activities. Customer shall not conduct any scans or technical or operational testing of Provider’s applications, websites, Services, networks or systems without Provider’s prior approval (which shall not be unreasonably withheld).
9.4 If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified and independent third-party auditor pursuant to a recognized industry standard audit framework within twelve (12) months of Customer’s audit request (“Audit Report”) and Provider has confirmed in writing that there have been no known material changes to the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures. Provider shall provide copies of any such Audit Reports to Customer upon request.
9.5 Such Audit Reports and any other information obtained by Customer in connection with an audit under this Section 9 shall constitute confidential information of Provider, which Customer shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Customer’s obligations under Applicable Data Protection Laws. Nothing in this Section 9 shall be construed to obligate Provider to breach any duty of confidentiality.
10. Return and Deletion
10.1 Before the expiration or earlier termination of the Agreement, Customer shall extract Customer Personal Data via either (a) comma-separated value (.csv) reports within the Software or (b) by utilizing the Book4Time data API, if licensed, promptly following which Provider shall delete all other copies of such Customer Personal Data.
10.2 Notwithstanding the foregoing, Provider may retain Customer Personal Data where required by applicable laws (or in the case of Customer Personal Data subject to the GDPR, the laws of the UK or the EEA, as applicable), provided that Provider shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process the Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.
11. Customer Responsibilities
11.1 Customer agrees that, without limiting Provider’s obligations under Section 5, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Provider uses to provide the Services; and (d) retaining Customer Personal Data as required by law, including under any Applicable Data Protection Laws.
11.2 Customer shall ensure that there is a valid legal basis for Provider’s Processing of Customer Personal Data in accordance with the Agreement for the purposes of Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR and Articles 13 and 14 of the PIPL, where applicable). Customer shall ensure (and is solely responsible for ensuring) that all required notices have been given to, and all consents and permissions have been obtained from, Data Subjects and others as are required, including under Applicable Data Protection laws, for Provider to Process Customer Personal Data as contemplated by the Agreement.
11.3 Customer has assessed the level of security appropriate to the Processing in the context of its obligations under Applicable Data Protection Laws and agrees that the Service, the Security Measures, and Provider’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Customer Personal Data.
11.4 Customer shall ensure that Customer Personal Data made available to Provider for Processing does not contain any (a) Social Security numbers or other government-issued identification numbers; (b) biometric information; (c) passwords to any online accounts; (d) credentials to any financial accounts; (e) tax return data; (f) any payment card information subject to the Payment Card Industry Data Security Standard; (g) data relating to criminal convictions and offences or related security measures; or (h) information that constitutes special categories of personal data (as defined in the GDPR), sensitive personal information (as defined in the CCPA or the PIPL, where applicable) or information of a similarly sensitive character regulated by Applicable Data Protection Laws.
11.5 Except to the extent prohibited by applicable law, Customer shall compensate Provider at Provider’s then-current professional services rates for, and reimburse any costs reasonably incurred by Provider in the course of providing, cooperation, information or assistance requested by Customer pursuant to Sections 6, 9 and (solely in relation to the return of Customer Personal Data requested by Customer) 10 of this DPA beyond Provider’s provision of any self-service tools as part of the Services that Customer can use to obtain the requested cooperation, information or assistance.
12. Precedence
In the event of any conflict or inconsistency between (a) this DPA and the Agreement, this DPA shall prevail or (b) any SCCs entered into pursuant to Annex 2 (European Annex) and this DPA and/or the Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.
Annex 1 - Data Processing Details
Customer / ‘Data Exporter’ Details
Name: As set out in the Agreement or applicable ordering document
Contact details for data protection: As set out in the Agreement or applicable ordering document
Customer Activities: Provider of spa services and recreational services
Role: Controller
Provider / ‘Data Importer’ Details
Name: Book4Time Inc.
Contact details for data protection: privacy@book4time.com
Customer Activities: Provider of online Spa and Recreation Management Software, including offline and mobile components.
Role: Processor
Details of Processing
Categories of Data Subjects: Users of Customer’s websites or other online services
Categories of Personal Data: Personal Data pertaining to data subjects’ use of and interaction with Customer’s websites or other online services
Sensitive Categories of Data, and associated additional restrictions/safeguards: Not applicable
Frequency of transfer: For as long as necessary to fulfil the purpose(s) for which the information was collected, depending on the purpose(s) for which the information was collected, the nature of the information, any contractual relationship that may governs the retention of the data, and any legal or regulatory obligations.
Nature and purpose of the Processing: Provide online spa and recreation management services, as more particularly described in the Agreement and comply with Customer instructions thereunder
Duration of Processing / Retention Period: Concurrent with term of the Agreement and then thereafter pursuant to Section 10
Transfers to Subprocessors: Transfers to Subprocessors are as, and for the purposes, described from time to time in the Subprocessor List (as may be updated from time to time in accordance with the DPA).
Annex 2 – European Annex
1. Restricted Transfers
1.1 General. The Parties acknowledge that Customer’s transmission of Customer Personal Data to Provider hereunder may involve a Restricted Transfer. The SCCs described in Paragraph 1.2 and/or 1.3 shall apply and have effect only if and to the extent permitted and required under the EU GDPR and/or UK GDPR (if and as applicable) to establish a valid basis under Chapter V of the EU GDPR and/or UK GDPR in respect of the transfer from Customer to Provider of Customer Personal Data.
1.2 EU Restricted Transfers. To the extent that any Processing of Customer Personal Data under this DPA involves an EU Restricted Transfer from Customer to Provider, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (a) populated in accordance with Part 1 of Attachment 1 to Annex 2 (European Annex); and (b) entered into by the Parties and incorporated by reference into this DPA.
1.3 UK Restricted Transfers. To the extent that any Processing of Customer Personal Data under this DPA involves a UK Restricted Transfer from Customer to Provider, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be (a) varied to address the requirements of the UK GDPR in accordance with UK Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to Annex 2 (European Annex); and (b) entered into by the Parties and incorporated by reference into this DPA.
1.4 Provision of full-form SCCs. In respect of any given Restricted Transfer, on Customer’s written request, Provider shall provide Customer with an executed version of the relevant set(s) of SCCs (amended and populated in accordance with Attachment 1 to Annex 2 (European Annex)) in respect of the relevant Restricted Transfer.
2. Operational Clarifications
2.1 When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Provider’s and its licensors’ trade secrets, business secrets, confidential information and/or other commercially sensitive information.
2.2 Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Provider to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.
2.3 For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.
2.4 The terms and conditions of Section 8 apply in relation to Provider’s appointment and use of Subprocessors under the SCCs.
2.5 Any approval by Customer of Provider’s appointment of a Subprocessor that is given expressly or deemed given pursuant to Section 8 constitutes Customer’s documented instructions to effect disclosures and onward transfers to any relevant Subprocessors if and as required under Clause 8.8 of the SCCs.
2.6 The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 9.
2.7 Certification of deletion of Customer Personal Data as described in Clauses 8.5 and 16(d) of the SCCs, shall be provided only upon Customer’s written request
3. Liability to Data Subjects
Notwithstanding any provision of the Agreement to the contrary, nothing in the Agreement shall limit either party’s liability to Data Subjects under the third-party beneficiary provisions of the SCCs.
Attachment 1 to European Annex
Population of SCCs
In the context of any EU Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraphs 1.1 and 1.2 of Annex 2 (European Annex) to the DPA).
In the context of any UK Restricted Transfer, the SCCs as varied by the UK Transfer Addendum and populated in accordance with Part 2 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Paragraphs 1.1 and 1.3 of Annex 2 (European Annex) to the DPA).
Part 1: Population of EU SCCs
4. Signature of the SCCs; Modules
4.1 Where applicable in accordance with Paragraphs 1.1 and 1.2 of Annex 2 (European Annex) to the DPA, (a) each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs; and (b) those SCCs are entered into by and between the Parties with effect from (i) the effective date of the Agreement; or (ii) the date of the first EU Restricted Transfer to which they apply in accordance with Paragraphs 1.1 and 1.2 of 2 (European Annex) to the DPA, whichever is the later.
4.2 The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Annex 1 (Data Processing Details) to the DPA):
Module Two of the SCCs applies to any EU Restricted Transfer involving Processing of Customer Personal Data in respect of which Customer is a Controller in its own right.
5. Population of the Body of the SCCs
5.1 For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:
(a) The optional ‘Docking Clause’ in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.
(b) In Clause 9:
(i) OPTION 2: GENERAL WRITTEN AUTHORIZATION applies, and the minimum time period for advance notice of the addition or replacement of Subprocessors shall be the advance notice period set out in Section 8 of DPA, and the list of Subprocessors already authorized by the data exporter shall be the list on the Subprocessor Site as of the effective date of the Agreement; and
(ii) OPTION 1: SPECIFIC PRIOR AUTHORIZATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.
(c) In Clause 11, the optional language is not used and is deleted.
(d) In Clause 13, all square brackets are removed and all text therein is retained.
(e) In Clause 17:
(i) OPTION 1 applies, and the Parties agree that the SCCs shall governed by the law of Ireland in relation to any EU Restricted Transfer; and
(ii) OPTION 2 is not used and that optional language is deleted.
(f) For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.
5.2 In this Paragraph, references to “Clauses” are references to the Clauses of the SCCs.
6. Population of Annexes to the Appendix to the SCCs
6.1 Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with Customer being ‘data exporter’ and Provider being ‘data importer’.
6.2 Part C of Annex I to the Appendix to the EU SCCs is populated as follows:
(a) Where Customer is established in an EU Member State, the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.
(b) Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer’s EU representative relevant to the processing hereunder is based (from time-to-time).
(c) Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Provider’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
6.3 Annex II to the Appendix to the SCCs is populated as below
(a) General: Please refer to Section 5 of the DPA and the Security Measures described therein. In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Provider, Customer should email Provider’s contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.
(b) Subprocessors: When Provider engages a Subprocessor under these Clauses, Provider shall enter into a binding contractual arrangement with such Subprocessor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of (a) applicable information security measures; (b) notification of Personal Data Breaches to Provider; (c) return or deletion of Customer Personal Data as and where required; and (d) engagement of further Subprocessors.
Part 2: UK Restricted Transfers
7. UK Transfer Addendum
7.1 Where relevant in accordance with Paragraphs 1.1 and 1.3 of Annex 2 (European Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK Transfer Addendum in the manner described below –
(a) Part 1 to the UK Transfer Addendum. As permitted by Section 17 of the UK Transfer Addendum, the Parties agree:
(i) Tables 1, 2 and 3 to the UK Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) to the DPA and the foregoing provisions of this Attachment 1 to Annex 2 (European Annex) (subject to the variations effected by the Mandatory Clauses described in (b) below); and
(ii) Table 4 to the UK Transfer Addendum is completed by the box labelled ‘Data Importer’ being deemed to have been ticked.
(b) Part 2 to the UK Transfer Addendum. The Parties agreed to be bound by the Mandatory Clauses of the UK Transfer Addendum.
7.2 In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Paragraph 4.1 of this Part 2.
Annex 3 - California Annex
1. Capitalized terms used in this California Annex but not defined in the Agreement shall have the meanings given in the CCPA. As used in this California Annex, “Personal Information” means Customer Personal Data that constitutes “personal information” under the CCPA.
2. It is the Parties’ intent that Provider is a Service Provider with respect to its processing of Customer Personal Data. Provider (a) acknowledges that Personal Information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 9 of the DPA to help to ensure that Provider’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by Provider that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
3. Provider shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the Business Purposes specified in the Agreement, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than the Business Purpose specified in the Agreement, or as otherwise permitted by the CCPA; (c) retain, use or disclose Personal Information outside of the direct business relationship between Provider and Customer; or (d) combine Personal Information received pursuant to the Agreement with Personal Information (i) received from or on behalf of another person, or (ii) or collected from Provider’s own interaction with any Consumer to whom such Personal Information pertains, except as otherwise permitted by the CCPA.
4. Giving Customer notice of Subprocessor engagements in accordance with Section 8 of the DPA shall satisfy Provider’s obligation under the CPRA to give notice of such engagements.
Annex 4 – China Annex
1. International Transfer of Customer Personal Data.
1.1 “International Transfer” means, to the extent that the Customer Personal Data is collected from Data Subjects in China, the disclosure, grant of access or other transfer of such Customer Personal Data to any person located in any country or territory outside of China.
1.2 If Customer’s transfer, disclosure or other act of making available the Customer Personal Data to Provider amounts to an International Transfer, Customer shall comply with all the requirements for the International Transfer under the PIPL and its implementing regulations and rules (“PRC International Transfer Rules”), including, (i) providing notice to Data Subjects and obtaining separate consent from Data Subjects for the International Transfer; (ii) adopting one of the following lawful mechanisms (as applicable): (A) undergoing a security assessment administered by competent relevant Chinese government authority; or (B) entering into a standard contract for the International Transfer of the Customer Personal Data based on the template contract issued by Chinese government authority; and (iii) complying with any other requirements under PRC International Transfer Rules.
Annex 5 – Canada Annex
In addition, where applicable, Customer will notify Data Subjects that their Personal Data may be transferred and stored outside of Canada and accessible to courts, law enforcement and national authorities in other countries. Customer will obtain any consents, if required by the Applicable Data Protection Laws of Canada, for Provider to transfer the Personal Data outside Canada and/or outside the Canadian province where the Customer and/or the Data Subjects are located.
Annex 6 – Security Measures
Provider agrees to implement and maintain the following Security Measures:
1. Organizational management and dedicated staff responsible for the development, implementation, and maintenance of Provider’s information security program.
2. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Provider’s organization, monitoring and maintaining compliance with Provider’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
3. Data security controls which include at a minimum logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Customer Personal Data.
4. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
5. Password controls designed to manage and control password strength, expiration and usage.
6. System audit or event logging and related monitoring procedures to proactively record user access and system activity.
7. Physical and environmental security of data centers, server room facilities and other areas containing Customer Personal Data designed to protect information assets from unauthorized physical access or damage.
8. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Provider’s possession.
9. Change management procedures and tracking mechanisms designed to test, approve, and monitor all material changes to Provider’s technology and information assets.
10. Incident management procedures designed to allow Provider to investigate, respond to, mitigate, and notify of events related to Provider’s technology and information assets.
11. Network security controls and procedures for network services and components.
12. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
13. Business resiliency/ continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disaster.