Exhibit C: Data Processing Addendum
This Data Processing Addendum (“DPA”) is made pursuant to the order form to which it is attached (the “Order Form”), by and between Impartner, Inc. (“Impartner”) and the customer indicated on page 1 of the Order Form (“Customer,” or “Data Controller”). This DPA will govern the Order Form as well as any subsequent order forms, amendments, and/or renewals, unless otherwise expressly agreed in writing between the parties. The Order Form and any exhibits attached thereto, including this DPA, shall be referred to collectively herein as the “Agreement.”
In the course of providing the Service to Customer pursuant to the Agreement, Impartner may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
A. Customer is a Controller or Processor of certain Personal Data and wishes to appoint Impartner as a Processor or sub-processor to Process this Personal Data on Customer’s behalf.
B. The parties have entered into this DPA to ensure that Impartner conducts such data Processing in accordance with Customer’s instructions and Applicable Data Protection Law requirements, and with full respect for the fundamental data protection rights of the Data Subjects whose Personal Data will be Processed.
In this DPA, the following terms shall have the following meanings. Other capitalized terms used in this DPA are defined in the context in which they are used or shall have the meanings given such terms in the Order Form or Subscription Agreement.
“Applicable Data Protection Law” shall mean: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or “GDPR”) and any data protection laws in any European Union Member State including laws implementing such Regulation, (ii) the California Consumer Privacy Act of 2018 (“CCPA”), including any regulations promulgated thereunder, as amended from time to time; (iii) the UK GDPR, and (iv) any other applicable data protection law.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“EU Standard Contractual Clauses” / “EU SCCs” means Module Two of the standard contractual clauses for the transfer of Personal Data, in accordance with Applicable Data Protection Law, to Controllers and Processors established in Third Countries, the approved version of which is in force at the date of signature of this Agreement that are in the European Commission’s Decision 2021/914 of 4 June 2021, as such standard contractual clauses are available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, and as may be amended or replaced by the European Commission from time to time, and as further defined in clause 4 of this DPA.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
“Processing” (and “Process”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Supervisory Authority(ies)” shall carry the meaning of that term in the GDPR.
“UK Standard Contractual Clauses” / “UK SCCs” means the standard contractual clauses for controllers to processors approved by the European Commission by way of Commission Decision C(2010)593, as amended by the UK Information Commissioner’s Office for use in a UK context, available on the date of this Agreement at https://ico.org.uk/media/for-organisations/documents/2618973/uk-sccs-c-p-202012.docx, and as may be amended or replaced by the Information Commissioner’s Office or/and Secretary of State from time to time.
- Relationship of the parties. Customer appoints Impartner as a Processor, or service provider, to Process the Personal Data that is the subject matter of the Agreement (the “Data“). Accordingly, the parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Impartner is the Processor. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. Customer hereby represents and warrants that Customer complies with the requirements in the Applicable Data Protection Law in collecting and transferring the data to Impartner and permitting Impartner to act as a processor of the Data. Customer agrees that it will not disclose any special categories of personal information to Impartner and Customer will indemnify Impartner from any third-party claims against Impartner as a result of such disclosure.
- Purpose limitation. Customer hereby instructs Impartner to Process Personal Data and to transfer Personal Data to any country or territory as necessary for the provision of the Service and consistent with the Agreement. Customer’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Law. Customer shall have sole responsibility for the accuracy, quality, and legality of the Data and the means by which Customer acquires the Data. Impartner shall Process the Data as a Processor only as necessary to perform its obligations under the Agreement, and in accordance with the documented instructions of Customer (the “Permitted Purpose“), except where otherwise required by any EU (or any EU Member State) law applicable to Impartner, in which case Impartner shall to the extent permitted by Applicable Data Protection Law inform Customer of that legal requirement before the relevant Processing of that Data. In no event shall Impartner Process the Data for its own purposes or those of any third party except as set forth in the Agreement. Impartner shall also inform Customer if in its opinion an instruction of Customer infringes or violates Applicable Data Protection Law. Impartner shall not sell the Data, nor process, retain, use, or disclose the Data (i) for any purposes other than the Permitted Purpose, or (ii) outside of the direct business relationship between Impartner and Customer.
- Details of the Processing. Annex 1 to this DPA sets out certain information regarding Impartner’s Processing of the Data as required by Article 28(3) of the GDPR. Either party may make reasonable amendments to Annex 1 by written notice to the other party from time to time as such party reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this Section 3) confers any right or imposes any obligation on any party to this DPA.
- International transfers. Impartner shall not transfer any Personal Data of European Economic Area (“EEA“) / UK Data Subjects (nor permit such Personal Data to be transferred) outside of the EEA / UK unless (i) it has first obtained Customer’s prior written consent; and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission / UK authorities have decided provides adequate protection for Personal Data, or to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or to a recipient that has executed the Standard Contractual Clauses adopted or approved by the European Commission / UK Secretary of State or the UK Information Commissioner (and approved by the UK Parliament). Partner hereby consents to the transfer of Personal Data to Impartner in the United States and the parties agree that the EU / UK Standard Contractual Clauses will apply to any such transfer, as appropriate.
A. The EU SCCs shall be deemed incorporated in this Agreement as follows:
- Clause 7 of the EU SCCs, the “Docking Clause (Optional)”, shall be deemed incorporated;
- in Clause 9 of the EU SCCs, the Parties choose Option 2, ‘General Written Authorisation’, with a time period of 10 days;
- the optional wording in Clause 11 of the EU SCCs shall be deemed not incorporated;
- in Clause 17 of the EU SCCs, the Data Exporter and Data Importer agree that the EU SCCs shall be governed by the laws of the Netherlands and choose Option 1 to this effect;
- in Clause 18 of the EU SCCs, the Data Exporter and Data Importer agree that any disputes shall be resolved by the courts of the Netherlands;
- Annexes I.A, I.B, I.C, II and III of the EU SCCs shall be deemed completed with the information set out in Annex 1, Annex 2 and Annex 3 to this DPA.
B. Where the UK SCCs apply (i.e., for transfers from UK to countries, which were not recognized as providing adequate protections by UK authorities), they will be deemed incorporated in this Agreement as follows:
- in Clause 9 of the UK SCCs, the Parties agree that UK SCCs shall be governed by the laws of the United Kingdom.
- in Clause 12 of the UK SCCs, the Optional “Indemnification” and “Priority of standard contractual clauses” Clauses are deemed not incorporated;
- Annex 1 and 2 of the UK SCCs shall be deemed completed with the information set out in Annex 1 and Annex 2 of this DPA; and
- in light of the obligations of the parties under UK SCCs, read in light of the Schrems II judgment issued by the Court of Justice of the European Union on July 16, 2020 (“Schrems II”), in regard to the transfer of personal data by Data Exporter from the UK to Data Importer located outside the UK in countries, which were not granted an adequacy decision by the UK Secretary of State (“Third Country”), parties hereby warrant to honour the supplementary safe-guards, as outlined in Annex 4 to UK SCCs, which forms its integral part. For the avoidance of doubt, this clause shall be referred to as the Supplementary Safeguards clause. In case of conflict between this Supplementary Safeguards Clause, and the UK SCCs, the UK SCCs shall prevail.
- Confidentiality of Processing. Impartner shall ensure that any person that it authorizes to Process the Data (including Impartner’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to Process the Data who is not under such a duty of confidentiality. Impartner shall ensure that all Authorized Persons Process the Data only as necessary for the Permitted Purpose.
- Security. Impartner shall implement appropriate technical and organizational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a “Security Incident”). Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purpose of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include those listed in Appendix 2.
- Sub-processing. Impartner may subcontract any processing of the Data to a third-party subcontractor (“sub-processor”) in accordance with the Applicable Data Protection Law. Customer hereby specifically authorizes the engagement of Impartner’s current sub-processors as identified on Annex 3. Impartner will impose data protection terms on its sub-processors to the same standard as provided for by this DPA. In the event that Impartner desires to add or replace any sub-processor, Impartner will provide at least 10 days’ prior notice of the addition or replacement of any sub-processor (including details of the processing it performs or will perform). Customer may object to Impartner’s addition or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. Customer consents to Impartner engaging other third party sub-processors to Process the Data provided that: (i) Impartner obtains Customer’s written consent; (ii) Impartner imposes data protection terms on any sub-processor it appoints that protect the Data to the same standard provided for by this DPA; and (iii) Impartner remains fully liable for any breach of this DPA that is caused by an act, error or omission of its sub-processor. Customer may object to Impartner’s appointment or replacement of a third-party sub-processor, provided such objection is on reasonable grounds relating to the protection of the Data. In such event, Impartner will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate this DPA and the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination). Customer will not directly communicate with Impartner’s sub-processors about the Service unless agreed to by Impartner.
- Cooperation and Data Subjects’ rights. Impartner shall provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Customer to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, inquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Data. In the event that any such request, correspondence, inquiry or complaint is made directly to Impartner, Impartner shall promptly inform Customer. To the extent legally permitted, Customer shall be responsible for any costs arising from Impartner’s provision of the assistance described in this paragraph. Communications pertaining to the foregoing shall be sent to email@example.com.
- Data Protection Impact Assessment. If Impartner believes or becomes aware that its Processing of the Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform Customer and provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
- Security incidents. Upon becoming aware of a Security Incident, Impartner shall inform Customer without undue delay after becoming aware of the Security Incident, and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfill its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Impartner shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer apprised of all developments in connection with the Security Incident.
- Deletion or return of Data. Upon termination or expiry of the Agreement, Impartner shall (at Customer’s election) destroy or return to Customer all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for Processing). This requirement shall not apply to the extent that Impartner is required by any EU (or any EU Member State) law to retain some or all of the Data.
- Audit. Impartner will submit to audits and inspections in relation to the Processing of Data, at Customer’s sole cost and expense, and will provide Customer with whatever information it needs to ensure that they are both meeting their obligations under Article 28 of GDPR. Customer agrees that its requests to audit Impartner may be satisfied by Impartner presenting up-to-date attestations, reports or extracts from independent bodies (including without limitation external or internal auditors, Impartner’s data protection officer, data protection or quality auditors or other mutually agreed to third parties) or certification by a regulatory body by way of an IT security or data protection audit. Customer shall not exercise its audit rights under this DPA more than once per year, and no such audit may be exercised in a manner that (i) disrupts Impartner’s normal business operations, or (ii) causes Impartner to breach any obligation of confidentiality to another customer or to any other third party, whether imposed by regulation or contract.
- Sub-processor Audits. Customer may not audit Impartner’s sub-processors without Impartner’s and Impartner’s sub-processor’s prior agreement. Customer agrees that its requests to audit sub-processors may be satisfied by Impartner or Impartner’s sub-processors presenting up-to-date attestations, reports or extracts from independent bodies (including without limitation external or internal auditors, Impartner’s data protection officer, the IT security department, data protection or quality auditors or other mutually agreed to third parties) or certification by way of an IT security or data protection audit. Onsite audits at sub-processors’ premises may be performed by Impartner or a mutually agreed to auditor under a confidentiality agreement acting on behalf of Customer.
- Limitation of Liability. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement.
- Processing for Statistical Purposes. Impartner may Process Data for statistical purposes following the termination or expiration of the Agreement. Any such Processing shall be subject to appropriate safeguards, as provided in Article 89 of the GDPR, for the rights and freedoms of the Data Subject. Those safeguards will ensure that technical and organizational measures are in place in particular in order to ensure respect for the principle of data minimization. Those measures may include pseudonymization or that the Processing does not permit the identification of Data Subjects.
A. Headings. Headings in this DPA are for convenience of reference only and will not constitute a part of or otherwise affect the meaning or interpretation of this DPA.
B. Entire Agreement. This DPA (including all schedules and appendices thereto) and the Agreement constitute the entire agreement between the parties relating to the subject matter of this DPA and supersede all prior agreements, understandings, negotiations and discussions of the parties in relation to the subject matter of this DPA.
C. Severability. The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability will affect only such phrase, clause or provision, and the rest of this DPA will remain in full force and effect.
D. Notices. Any notice or other communication under this DPA given by either party to the other will be deemed to be properly given if given in writing and delivered (i) in person, (ii) by electronic mail to the email addresses agreed to between the parties, or (iii) in accordance with the Notice provision of the Agreement. Either party may from time to time change its address for notices under this Section by giving the other party notice of the change in accordance with this Section.
E. Third-party Rights. The provisions of this DPA will endure to the benefit of and will be binding upon the parties and their respective successors and assigns.
F. Counterparts. This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument. Execution of an Agreement incorporating the terms of this DPA shall be deemed to be execution of this DPA including all attachments.
G. Governing Law. This Addendum will be governed by and construed in accordance with the governing law of the Agreement, without regard to its conflict of laws principles, except to the extent that Applicable Data Protection Law(s) require otherwise, in which event this DPA will be governed in accordance with Applicable Data Protection Law.
H. Signatures. This DPA has been signed on behalf of each of the parties by a duly authorized signatory.