- Customer is a Controller or Processor of certain Personal Data and wishes to appoint Impartner as a Processor or sub- processor to Process this Personal Data on Customer’s behalf.
- The parties have entered into this DPA to ensure that Impartner conducts such data Processing in accordance with Customer’s instructions and Applicable Data Protection Law requirements, and with full respect for the fundamental data protection rights of the Data Subjects whose Personal Data will be Processed.
In this DPA, the following terms shall have the following meanings. Other capitalized terms used in this DPA are defined in the context in which they are used or shall have the meanings given such terms in the Order Form or MSA.
“Applicable Data Protection Law” shall mean: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”) and any data protection laws in any European Union Member State including laws implementing such Regulation, (ii) the California Consumer Privacy Act of 2018, including any regulations promulgated thereunder, as amended from time to time (“CCPA”); (iii) the UK GDPR, and (iv) any other applicable data protection law.
“Contractor” shall carry the meaning of that term in the CCPA.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“EU Standard Contractual Clauses” / “EU SCCs” means Module Two of the standard contractual clauses for the transfer of Personal Data, in accordance with Applicable Data Protection Law, to Controllers and Processors established in Third Countries, the approved version of which is in force at the date of signature of this Agreement that are in the European Commission’s Decision 2021/914 of 4 June 2021, as such standard contractual clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, and as may be amended or replaced by the European Commission from time to time, and as further defined in Section 4 of this DPA.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity or household as personal data or personally identifiable information under applicable Data Protection Laws and Regulations, where for each (i) or (ii), such data is Customer Data (as defined in Section 1 below).
“Processing” (and “Process“) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Supervisory Authority(ies)” shall carry the meaning of that term in the GDPR.
“Sell” shall carry the meaning of that term in the CCPA.
“UK Standard Contractual Clauses” / “UK SCCs” means the standard contractual clauses for controllers to processors approved by the European Commission by way of Commission Decision C(2010)593, as amended by the UK Information Commissioner’s Office for use in a UK context, available on the date of this Agreement at https://ico.org.uk/media/for-organisations/documents/2618973/uk-sccs-c-p-202012.docx, and as may be amended or replaced by the Information Commissioner’s Office and/or Secretary of State from time to time.
- Relationship of the parties. Customer appoints Impartner as a Processor, or Contractor, to Process the Personal Data that is the subject matter of the Agreement (the “Data“). Accordingly, the parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Impartner is the Processor. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. Customer hereby represents and warrants that Customer complies with the requirements in the Applicable Data Protection Law in collecting and transferring the data to Impartner and permitting Impartner to act as a Processor of the Data. Customer agrees that it will not disclose any special categories of personal information to Impartner.
- Purpose limitation. Customer hereby instructs Impartner to Process Personal Data and to transfer Personal Data to any country or territory as necessary for the provision of the Service and consistent with the Agreement. Customer’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of the Data and the means by which Customer acquires the Data. Impartner shall Process the Data as a Processor only as necessary to perform its obligations under the Agreement, and in accordance with the documented instructions of Customer (the “Permitted Purpose“), except where otherwise required by Applicable Data Protection Law, in which case Impartner shall to the extent permitted by Applicable Data Protection Law inform Customer of that legal requirement before the relevant Processing of that Data. In no event shall Impartner Process the Data for its own purposes or those of any third party except as set forth in the Agreement. Impartner shall also inform Customer if in its opinion an instruction of Customer infringes or violates Applicable Data Protection Law. Impartner shall not Sell the Data, nor process, retain, use, or disclose the Data (i) for any purposes other than the Permitted Purpose, or (ii) outside of the direct business relationship between Impartner and Customer.
- Details of the Processing. Annex 1 to this DPA sets out certain information regarding Impartner’s Processing of the Data as required by Applicable Data Protection Law (including but not limited to Article 28(3) of the GDPR). Either party may make reasonable amendments to Annex 1 by written notice to the other party from time to time as such party reasonably considers necessary to meet the requirements of Applicable Data Protection Law. Nothing in Annex 1 (including as amended pursuant to this Section 3) confers any right or imposes any obligation on any party to this DPA.
- International transfers. Impartner shall not transfer any Personal Data of European Economic Area (“EEA“) / UK Data Subjects (nor permit such Personal Data to be transferred) outside of the EEA / UK unless (i) it has first obtained Customer’s prior written consent; and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission / UK authorities have decided provides adequate protection for Personal Data, or to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or to a recipient that has executed the Standard Contractual Clauses adopted or approved by the European Commission / UK Secretary of State or the UK Information Commissioner (and approved by the UK Parliament). Customer hereby consents to the transfer of Personal Data to Impartner in the United States and the parties agree that the EU / UK Standard Contractual Clauses will apply to any such transfer, as appropriate.
a. The EU SCCs shall be deemed incorporated in this Agreement as follows:
- Clause 7 of the EU SCCs, the “Docking Clause (Optional)”, shall be deemed incorporated;
- in Clause 9 of the EU SCCs, the parties choose Option 2, ‘General Written Authorisation’, with a time period of 10 days;
- the optional wording in Clause 11 of the EU SCCs shall be deemed not incorporated;
- in Clause 17 of the EU SCCs, the Data Exporter and Data Importer agree that the EU SCCs shall be governed by the laws of the Netherlands and choose Option 1 to this effect;
- in Clause 18 of the EU SCCs, the Data Exporter and Data Importer agree that any disputes shall be resolved by the courts of the Netherlands;
- Annexes I.A, I.B, I.C, II and III of the EU SCCs shall be deemed completed with the information set out in Annex 1, Annex 2 and Annex 3 to this DPA.
b. Where the UK SCCs apply (i.e., for transfers from the UK to countries which are not recognized as providing adequate protections by UK authorities), they will be deemed incorporated into this Agreement as follows:
- in Clause 9 of the UK SCCs, the parties agree that UK SCCs shall be governed by the laws of the United Kingdom;
- in Clause 12 of the UK SCCs, the Optional “Indemnification” and “Priority of standard contractual clauses” Clauses are deemed not incorporated;
- Annex 1 and 2 of the UK SCCs shall be deemed completed with the information set out in Annex 1 and Annex 2 of this DPA; and
- in light of the obligations of the parties under UK SCCs, read in light of the Schrems II judgment issued by the Court of Justice of the European Union on July 16, 2020 (“Schrems II“), in regard to the transfer of personal data by Data Exporter from the UK to Data Importer located outside the UK in countries, which were not granted an adequacy decision by the UK Secretary of State (“Third Country“), parties hereby warrant to honour the supplementary safe-guards, as outlined in Annex 4 to UK SCCs, which forms its integral part. For the avoidance of doubt, this clause shall be referred to as the Supplementary Safeguards clause. In case of conflict between this Supplementary Safeguards Clause and the UK SCCs, the UK SCCs shall prevail.
- Confidentiality of Processing. Impartner shall ensure that any person it authorizes to Process the Data (including Impartner’s staff, agents and subcontractors) (each an “Authorized Person“) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to Process the Data who is not under such a duty of confidentiality. Impartner shall ensure that all Authorized Persons Process the Data only as necessary for the Permitted Purpose.
- Security. Impartner shall implement appropriate technical and organizational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (each a “Security Incident“). Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include those listed in Annex 2 of this DPA.
a. Impartner may subcontract any processing of the Data to a third-party subcontractor (“Sub-Processor“) in accordance with Applicable Data Protection Law. A list of Impartner’s current Sub-processors for the Licensed Services is available here (the “List”). Impartner may provide a mechanism to subscribe to notifications of new authorized Sub-Processors and Customer agrees to subscribe to such notifications where available. At least ten (10) days before enabling any third party other than existing authorized Sub-Processors to access or participate in the processing of Personal Data, Impartner will add such third party to the List and notify Customer via email. Customer may object to such an engagement by informing Impartner within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain sub-processors are essential to providing the Services and that objecting to the use of a sub-processor may prevent Impartner from offering the Services to Customer.
b. If Customer reasonably objects to an engagement in accordance with Section 7(a), and Impartner cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Impartner. Discontinuation shall not relieve Customer of any fees owed to Impartner under the Agreement.
c. If Customer does not object to the engagement of a third party in accordance with Section 7(a), that third party will be deemed an authorized Sub-Processor for the purposes of this Addendum.
d. Impartner will enter into a written agreement with the authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on Impartner under this Addendum with respect to the protection of Personal Data. In case an authorized Sub-Processor fails to fulfill its data protection obligations under such written agreement with Impartner, Impartner will remain liable to Customer for the performance of the authorized Sub-Processor’s obligations under such agreement.
e. If Customer and Impartner have entered into Standard Contractual Clauses, (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by Impartner of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by Impartner to Customer pursuant to Clause 9(c) of the EU SCCs, Clause 5(j) of the UK SCCs, or like requirements of other Applicable Data Protection Law, may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by Impartner beforehand, and that such copies will be provided by Impartner only upon request by Customer.
- Cooperation and Data Subjects’ rights. Impartner shall provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Customer to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Data. In the event that any such request, correspondence, inquiry or complaint is made directly to Impartner, Impartner shall promptly inform Customer. To the extent legally permitted, Customer shall be responsible for any costs arising from Impartner’s provision of the assistance described in this paragraph. Communications pertaining to the foregoing shall be sent to [email protected].
- Data Protection Impact Assessment. If Impartner believes or becomes aware that its Processing of the Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform Customer and provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
- Security incidents. Upon becoming aware of a Security Incident, Impartner shall inform Customer without undue delay after becoming aware of the Security Incident, and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfill its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Impartner shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer apprised of all developments in connection with the Security Incident.
- Deletion or return of Data. Upon termination or expiry of the Agreement, Impartner shall (at Customer’s election) destroy or return to Customer all Data in its possession or control. This requirement shall not apply to the extent that Impartner is required by any EU (or any EU Member State) law to retain some or all of the Data.
- Audit. At Customer’s sole cost and expense, Impartner will (i) submit to audits and inspections directly related to the Processing of Data pursuant to the Agreement, and (ii) provide Customer with information Customer reasonably needs to ensure that both Customer and Impartner are meeting their obligations under Article 28 of GDPR. Customer agrees that its requests to audit Impartner pursuant to this Section may be satisfied by Impartner presenting up-to-date attestations, reports, or extracts from independent bodies, including without limitation external or internal auditors, Impartner’s data protection officer, data protection or quality auditors or other mutually agreed to third parties) or certification by a regulatory body by way of an IT security or data protection audit. Customer shall not exercise its audit rights under this DPA more than once per year, and no such audit may be exercised in a manner that (a) disrupts Impartner’s normal business operations, or (b) causes Impartner to breach any obligation of confidentiality to another customer or to any other third party, whether imposed by regulation or contract.
- Sub-processor Audits. Customer may not audit Impartner’s sub-processors without Impartner’s and Impartner’s sub-processor’s prior agreement. Customer agrees that its requests to audit sub-processors may be satisfied by Impartner or Impartner’s sub-processors presenting up-to-date attestations, reports or extracts from independent bodies, including without limitation external or internal auditors, Impartner’s data protection officer, the IT security department, data protection or quality auditors or other mutually agreed to third parties) or certification by way of an IT security or data protection audit. Onsite audits at sub-processors premises may be performed by Impartner or a mutually agreed to auditor under a confidentiality agreement acting on behalf of Customer.
- Limitation of Liability. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement.
- Processing for Statistical Purposes. Impartner may Process Data for statistical purposes following the termination or expiration of the Agreement. Any such Processing shall be subject to appropriate safeguards, such as those provided in GDPR Article 89 related to the rights and freedoms of Data Subject. Those measures may include, without limitation, pseudonymization or that the Processing does not permit the identification of Data Subjects.
a. Headings. Headings in this DPA are for convenience of reference only and will not constitute a part of or otherwise affect the meaning or interpretation of this DPA.
b. Entire Agreement. This DPA (including all schedules and appendices hereto) and the Agreement constitute the entire agreement between the parties relating to the subject matter of this DPA and supersede all prior agreements, understandings, negotiations and discussions of the parties in relation to the subject matter of this DPA.
c. Severability. The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability will affect only such phrase, clause or provision, and the rest of this DPA will remain in full force and effect.
d. Notices. Any notice or other communication under this DPA given by either party to the other will be deemed to be properly given if given in writing and delivered (i) in person, (ii) by electronic mail to the email addresses agreed to between the parties, or (iii) in accordance with the Notice provision of the Agreement. Either party may from time to time change its address for notices under this Section by giving the other party notice of the change in accordance with this Section.
e. Third-party Rights. The provisions of this DPA will inure to the benefit of and will be binding upon the parties and their respective successors and assigns.
f. Counterparts and Signatures. This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. Execution of an agreement incorporating the terms of this DPA shall be deemed to be execution of this DPA including all attachments.
g. Governing Law. This Addendum will be governed by and construed in accordance with the governing law of the Agreement, without regard to its conflict of laws principles, except to the extent that Applicable Data Protection Law(s) require otherwise, in which event this DPA will be governed in accordance with Applicable Data Protection Law.
Impartner’s Technical and Organisational Mesaures Including Technical and Organisational Measures to Ensure the Security of the Data is available here.
ANNEX 3: LIST OF SUB-PROCESSORS
The controller has authorised the use of sub-processors listed here.