DATA PROCESSING ADDENDUM TO THE SIMSEI MASTER AGREEMENT
(Updated December 2020)
This Data Processing Addendum (“DPA”) between Applied Medical Resources Cooperation (“Supplier”) and Customer is incorporated into and made part of the Master Agreement (the “Agreement”) between Customer and Supplier. The Parties agree that this DPA sets forth their obligations with respect to the Processing of Personal Data in connection with Customer’s use of the Products. This DPA will remain in effect until, and automatically expire upon, the date on which Supplier ceases to process Personal Data. Capitalized terms used, but not defined in this DPA have the meanings given to them in the Agreement.
- ”CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
- ”Controller” means the Party that determines the purposes and means of the Processing of Personal Data.
- ”Data Protection Legislation” means any law, statute, regulation, or other binding restriction that applies to the Processing of Personal Data to which a Party to the Agreement is subject, including without limitation, the GDPR, United Kingdom Data Protection Act 2018, and the CCPA.
- ”Data Subject” means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- ”GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament.
- ”Personal Data” means any information provided by Customer relating to a Data Subject.
- ”Process,” ”Processes” or ”Processing” means any operation or set of operations which is performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.
- ”Processor” means the Party that Processes the Personal Data on behalf of the Controller, including, as applicable, a “service provider” as that term is defined by the CCPA.
- ”Subprocessor” means any third party that Processes Personal Data on behalf of the Processor.
- ”Supervisory Authority” means an independent public authority or a government agency established by a country, state, or territory and has appropriate jurisdiction over Supplier regarding Supplier’s Processing of Personal Data pursuant to this DPA.
- ”Supplier’s Personnel” means Supplier’s employees who are engaged in Processing of Personal Data pursuant to this DPA
In the course of providing the Products to Customer in accordance with the Agreement, Supplier shall have a legitimate interest in Processing any Personal Data. The purpose of this DPA is to document the agreement between the Parties relating to the Processing of Personal Data in accordance with the requirements of Data Protection Legislation. If any provision in this DPA conflicts with the Agreement, then this DPA shall prevail.
For the avoidance of doubt, consistent with Clause 10 of the Standard Contractual Clauses in Schedule 3, if a provision of the Standard Contractual Clauses conflicts with the DPA, the Standard Contractual Clauses shall prevail.
The Parties agree and acknowledge that if Customer provides Supplier with Personal Data under the Agreement, then as between the Parties: (i) Customer is the Controller; and (ii) Supplier shall act as Processor acting on behalf of and at the direction of the Controller.
- Customer as Controller. Customer acknowledges that it has sole control over: (i) the process of obtaining Personal Data from Data Subjects and all necessary consents for such Personal Data; (ii) the categories of Data Subjects and Personal Data to be Processed; and (iii) the accuracy, quality, and legality of the Personal Data and the means by which it was acquired. Customer expressly acknowledges that its use of the Products will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.
- Supplier as Processor. Supplier shall Process the Personal Data as set forth in Schedule 1 in accordance with the following: (i) the Agreement and any transaction documents thereunder; (ii) reasonable instruction provided by Customer to Supplier, which is otherwise consistent with the Agreement, including all instructions provided via email; and (iii) Processing initiated by Customer in its use of the Products. Supplier shall not Process Personal Data for any other purpose than as instructed by Customer and as contemplated under the Agreement.
- Consent. As between Customer and Supplier, Customer shall remain the Controller at all times for the purposes of the Agreement and this DPA. Customer is solely responsible for compliance with its obligations as Controller under Data Protection Legislation, in particular for justification of any transmission of Personal Data to Supplier (including providing any required notices and obtaining any required consents, or establishing an alternative justification for legally collecting Personal Data for Processing).
- Access Requests. Supplier shall immediately inform Customer in writing in the event it receives:
- any request for access to any Personal Data received from an individual who is (or claims to be) the Data Subject;
- any request for access to any Personal Data received by Supplier from a Supervisory Authority; or
- any other requests with respect to Personal Data received from Customer’s employees or other third parties. Supplier shall not respond to these requests (except to confirm that such request relates to Customer), unless explicitly authorised by Customer or the response is legally required under a subpoena or similar legal document issued by a Supervisory Authority that compels disclosure by Supplier.
- Rectification and Erasure. Data Protection Legislation may require Customer to rectify or erase Personal Data upon reasonable request of the Data Subject. Supplier’s Products have features that enable Customer to erase or rectify any Personal Data which may exist in the system. If the Customer is unable to do so on its own (or requires assistance), Customer may provide written request with instructions to Supplier to perform such deletions or rectifications on Customer’s behalf. To the extent such request and instructions are technically feasible and legally permissible, Supplier shall (for a fee to Customer) carry out such request and instructions at the sole cost of Customer. Supplier shall only accept such requests from an authorized Customer administrator.
- Assistance to Controller. Supplier shall provide reasonable assistance to Customer (at Customer’s sole cost and expense) in response to Customer’s written request for assistance in relation to:
- a request, complaint, notice, or communication relating to Supplier’s Processing of customer Data received from a Data Subject whose Personal Data Supplier Processes on behalf of Customer;
- any investigation, request or notice from a Supervisory Authority;
- a privacy impact assessment conducted by Customer which is relevant to Customer’s Processing of Personal Data in accordance with the Agreement or a transaction conducted thereunder; or
- a Customer’s request (not to be made more than once per year unless requested by a Supervisory Authority) for Supplier to provide a written attestation that Supplier is in material compliance with this DPA.
Supplier shall thoroughly inform all Supplier Personnel of their obligations of confidentiality under the Agreement, this DPA, and Data Protection Legislation. Supplier shall provide detailed training to all Supplier Personnel on the confidential nature of Personal Data. Such trainings shall include explanation of their duties and responsibilities. Supplier shall be responsible for entering into written non-disclosure agreements with Supplier Personnel who have obligations of confidentiality intended to survive the termination of employment of Supplier Personnel. Access to Customer’s database, if any, is limited to Supplier’s Personnel who require such access for the purpose of Processing Customer Data on behalf of Customer.
Customer expressly authorises Supplier to utilize Subprocessors to enable Supplier to perform its obligations under the Agreement. Supplier shall enter into separate written agreements with each Subprocessor that contain obligations no less protective than those set forth in this DPA. Supplier shall be responsible for each Subprocessor’s compliance with this DPA. A current list of Supplier’s Subprocessors is attached in Schedule 3.
At least thirty (30) days before Supplier engages any new Subprocessor to perform processing activities on behalf of Customer, Supplier will update the applicable website and provide Customer with a mechanism to obtain notice of that update. Customer may object to the use of a new Subprocessor in writing within ten (10) days of such update on the website on reasonable grounds relating to the protection of the Personal Data. Supplier shall work with Customer in good faith to make available a commercially reasonable change to Customer’s use of the Products that avoids the use of that proposed Subprocessor. Where such a change cannot implemented within twenty (20) days from Supplier’s receipt of Customer’s objection (“Reassessment Period”), Customer may terminate the Agreement by providing written notice of termination. This termination right is Customer’s sole and exclusive remedy to Customer’s objection to Supplier’s engagement of a new Subprocessor. No refund or relief from any payment obligation shall be available to Customer if Customer terminates the Agreement based on Supplier’s choice of Subprocessor. Customer’s use of the Products after the expiration of the Reassessment Period shall constitute Customer’s acceptance of the new Subprocessor.
In the event that Supplier becomes aware of an unauthorised, unlawful or wrongful disclosure of, or access to Personal Data that Supplier or any Subprocessor is Processing on behalf of Customer (a “Security Incident”), Supplier shall (to the extent known and permitted under law) provide Customer with prompt notice of such Security Incident. Such notice shall include details of the Security Incident, steps taken to mitigate the potential risks, and reasonable steps Supplier recommends Customer take to address the Security Incident.
The Parties shall cooperate in good faith to help limit the effects of such Security Incident and prevent a recurrence. Customer shall be solely responsible for providing notifications to the Supervisory Authority and/or any Data Subjects; provided, however, Supplier shall provide Customer with reasonable assistance and cooperation in carrying out such notifications. Supplier’s notification of or response to a Security Incident under this Section 7 will not be construed as an acknowledgment by Supplier of any fault or liability with respect to the Security Incident. The obligations set forth in this Section 7 shall not apply to incidents that are caused by Customer or users authorised by Customer.
Security of Processing.
Supplier shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with Processing. Specifically, Supplier shall maintain appropriate safeguards to protect Customer Data from unauthorised or unlawful Processing or a Security Incident.
Data Impact Assessments; Record Keeping.
Supplier shall conduct Data Impact Assessments as necessary and shall maintain appropriate records of all Data Processing Activities including without limitation, the records required pursuant to Article 30(2) of the GDPR.
Transfer of Personal Data Across National Borders.
Supplier shall only transfer Personal Data across any national borders or permit remote access to the Personal Data by any employee, contractor, or Subprocessor in compliance with applicable Data Protection Legislation governing the cross-border transfer of Personal Data.
- Transfer of Personal Data outside of the European Economic Area (“EEA”), the United Kingdom (“UK”), and Switzerland. Subject to the additional terms set forth in Schedule 2, if Supplier transfers Personal Data originating in the EEA, the UK, or Switzerland to countries that do not ensure an adequate level of protection as contemplated by the Data Protection Legislation of the foregoing territories (including, but not limited to, Article 45 of the GDPR), the Parties agree to comply with the EU Standard Contractual Clauses for Processors (2010/87/EU) (“Standard Contractual Clauses”) attached to this DPA as Schedule 3.
- To the extent that Supplier permits a Subprocessor to transfer Personal Data that originated in the EEA, the UK, or Switzerland to countries that do not ensure an adequate level of protection as contemplated by the Data Protection Legislation of the foregoing territories, Supplier shall impose on such Subprocessor data protection terms that protect the Personal Data to comparable requirements as the requirements set forth in this DPA.
If Supplier is Processing Personal Data within the scope of the CCPA, Supplier will process Personal Data on behalf of Customer and, not retain, use, or disclose that data for any purpose other than for the purposes set out in the Agreement, this DPA, and as permitted under the CCPA, including under any “sale” exemption. In no event, will Supplier sell Personal Data. This Section 14 of the DPA does not limit or reduce any data protection commitments Supplier makes to Customer in the Agreement or this DPA.
Except to the extent required by Data Protection Legislation, Customer may audit Supplier’s compliance with its obligations under this DPA up to once per year. Supplier will contribute to such audits by providing Customer or Customer’s Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including any relevant records of Processing activities applicable to the Services. To request an audit, Customer must submit a detailed proposed audit plan to Supplier at least two weeks in advance of the proposed audit date. Supplier will review the proposed audit plan and provide Customer with any concerns or questions. Supplier will work cooperatively with Customer to agree on a final audit plan. Nothing in this section shall require Supplier to breach any duties of confidentiality. The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and Supplier’s health and safety or other relevant policies, and may not unreasonably interfere with Supplier business activities. If the requested audit scope is addressed in an SSAE 16/ISAE 3402 Type 2, SOC 1 or SOC 2, ISO, NIST or similar audit report performed by a qualified third party auditor (“Audit Reports”) within twelve (12) months of Customer’s audit request and Supplier confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
Customer acknowledges and agrees that Supplier may create and derive anonymized and/or aggregated data from Processing related to the Products that does not identify Customer or any Data Subject, and use, publicize, or share with third parties such data to improve the Products and for its legitimate business purposes.
Data Retention Policy.
Supplier shall implement and maintain an appropriate data retention policy which stores backups of the system and which takes into account technical and legal requirements to ensure a retention period appropriate to the risk associated with Processing. Upon the termination of the Agreement, Supplier shall, at the Customer’s written request, promptly return to Customer or delete all Personal Data, provided that Supplier is not required to retain such Personal Data in order to comply with a legal obligation under applicable law.
Data Protection Contacts.
Supplier’s data protection contact is
For USA: Connie Castellon (Contracts Attorney) firstname.lastname@example.org
For EEA: Karin van de Lustgraaf (Legal Counsel and data protection officer) DPO-Europe@appliedmedical.com
Customer is responsible for providing notice to Supplier about Customer’s data protection contact or officer. Both Parties are responsible for keeping the other Party informed of any changes to their respective data protection contacts.
Schedule 1: Personal Data Processing Details
Schedule 2: Additional Terms for Personal Data Transfers Pursuant to the Standard Contractual Clauses
Schedule 3: List of Current Subprocessors
Schedule 4: Standard Contractual Clauses (controller to processor)
PERSONAL DATA PROCESSING DETAILS
Purpose of Processing
Customer relationship management (including to provide technical support), business administration, and the provision of services pursuant to the Agreement
Categories of Data Subjects
Customer’s residents / employees (past, present, and prospective) and user administrators
Categories of Personal Data
Business contact details: Name, email, PGY, title, specialty, phone number, other contact details
Educational data: Assessment scores, course progress, course scheduling, course attendance, video assessments
IT systems information (i.e., user ID, password, asset IDs, and filename extensions)
In case of expansion of functionalities, additional data categories will be updated.
Special Categories of Personal Data
No transfer of special categories is anticipated.
Recipients of Personal Data
Current list of potential recipients/third party Sub-processors (including location(s) of Processing is listed in Schedule 3.
Duration of Processing
In accordance with the License Term as defined under the Agreement.
Customer is the Controller and defines the retention policy of the data processed subject to this agreement. Customer will delete personal data from the portal when no longer needed and follow up on Data Subject Request within the timeline of 30 days. At the end of the contract, Supplier will at request of the Customer, hand an extract of the personal data from the system to Customer. Supplier will destroy the data from its systems and servers within 3 months as of end of contract. Employee contact information processed for business administration purposes, shall be retained for the duration of the License Term and in accordance with any applicable law.
SCHEDULE 2 – ADDITIONAL TERMS FOR PERSONAL DATA TRANSFERS PURSUANT TO THE STANDARD CONTRACTUAL CLAUSES
- The Standard Contractual Clauses and the additional terms set forth in this Schedule 2 of the DPA apply to Customer, which is subject to the Data Protection Laws of the EU, the EEA, Switzerland and/or the UK. For the purposes of the Standard Contractual Clauses, Customer shall be deemed a “data exporter.”
- Instructions. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to process Personal Data: (a) Processing in accordance with the Agreement; (b) Processing initiated by Customer in its use of the Products; and (c) Processing to comply with other reasonable instructions provided by Customer in writing (e.g., via email) where such instructions are consistent with the terms of the Agreement.
- Appointment of New Subprocessors and List of Current Subprocessors. Pursuant to Clause 5(h) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that (a) Supplier’s Affiliates may be retained as Subprocessors; and (b) Supplier and Supplier’s Affiliates may engage third-party Subprocessors in connection with the provision of the Products. Supplier shall make available to Customer the current list of Subprocessors in accordance with Section 6 of the DPA. Customer acknowledges and expressly agrees that Supplier may engage new Subprocessors as set forth in Section 6 of the DPA.
- Copies of Subprocessor Agreements. The Parties agree that the copies of the Subprocessor agreements that Supplier must provide to Customer pursuant to Clause 5(j) of the Standard Contractual Clauses may have provisions unrelated to the Standard Contractual Clauses or their equivalent, removed by Supplier beforehand; and, that such copies will be provided by Supplier, in a manner to be determined in its discretion, only upon request by Customer.
- Audits. The Parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be in accordance with Section 11 of the DPA.
- Certification of Deletion. The Parties agree that the certification of deletion of Personal Data that is described in Section 12(1) of the Standard Contractual Clauses shall be provided by Supplier to Customer only upon Customer’s written request.
LIST OF SUBCONTRACTORS
|Cloud services; administration, progress tracking, reporting and delivery of training material and assessments .
|Business Intelligence to determine effectiveness of the Implementation Program (optional service)
|Analytics to understand how users use the web application (optional service)
STANDARD CONTRACTUAL CLAUSES (CONTROLLER TO PROCESSOR)
Beginning May 25, 2018 and thereafter, references to various Articles from the Directive 95/46/EC in the Standard Contractual Clauses below will be treated as references to the relevant and appropriate Articles in the GDPR. For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Data Exporter: Customer (as set forth in the Master Agreement)
Data Importer: Supplier
each a ‘party’; together the ‘parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
- ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1);
- ‘the data exporter’ means the controller who transfers the personal data;
- ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
- ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
- ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
- that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
- that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
- that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
- that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- that it will ensure compliance with the security measures;
- that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
- to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
- that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
- that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer (2)
The data importer agrees and warrants:
- to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
- that it will promptly notify the data exporter about:
- any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
- any accidental or unauthorised access; and
- any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
- to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
- at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
- to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
- that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
- that the processing services by the sub-processor will be carried out in accordance with Clause 11;
- to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
- to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely …
Variation of the contract
This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses (3) . Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
- The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely …
- The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data-processing services
- The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
(CONTROLLER TO PROCESSOR)
The data exporter is:
Customer (as set forth in the Agreement). Customer uses Supplier’s software and services for its cybersecurity-related needs.
The data importer is:
Supplier. Supplier provides cybersecurity-related support services and software to the data exporter under the Agreement, in the course of which it processes certain personal data as a processor.
The personal data transferred concern the following categories of data subjects:
Customer’s residents / employees (past, present, and prospective) and user administrators.
Categories of Data
The personal data transferred concern the following categories of data:
Business contact details: Name, email, PGY, title, specialty, phone number, other contact details
Educational data: Assessment scores, course progress, course scheduling, course attendance, video assessments
IT systems information (i.e., user ID, password, asset IDs, and filename extensions)
In case of expansion of functionalities, additional data categories will be updated.
Special Categories of Data (if appropriate)
The personal data transferred concern the following special categories of data:
No transfer of special categories is anticipated
The personal data transferred will be subject to the following basic processing activities:
- Provision of training curriculum
- Provision of technical support and other services under the Agreement
- Customer relationship management
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
(CONTROLLER TO PROCESSOR)
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Supplier has an information security program aligned with security industry accepted good practices, frameworks, and standards for the protection of data, including Personal Data, and has implemented and maintains physical, technical and organizational measures and safeguards to help protect the security and confidentiality of data against unauthorized or accidental access to, or processing, disclosure, destruction, damage or loss. The performance of the security program is measured, and continuous monitoring is performed for conformance to the requirements outlined in the information security policies. Testing and assessments are periodically performed to measure the effectiveness of security controls and identify areas of improvement. Sensitive data including Personal Data is encrypted and access is restricted based upon a reasonable required business need and monitored. Changes are assessed for security impact and must be approved prior to implementation. Without limiting the foregoing, such measures are sufficient to satisfy Article 32 of GDPR.