Data Protection Addendum
Acrolinx GmbH, a company registered at the Berlin-Charlottenburg District Court with registration number HRB 84183 (“Vendor“), acting on its own behalf and as agent for each Vendor Affiliate and the counterparty agreeing to these terms (“Customer”) acting on its own behalf and as agent for each Customer Affiliate, have entered into an agreement for Services provided by Vendor (“Main Agreement”). This Data Protection Addendum forms part of the Main Agreement.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Main Agreement. Except as modified below, the terms of the Main Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Main Agreement(s). Except where the context requires otherwise, references in this Addendum to the Main Agreement are to the Main Agreement as amended by, and including, this Addendum.
1. Definitions
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1 “Applicable Laws” means (a) European Union or Member State laws with respect to any Company Personal Data in respect of which any Company Group Member is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Company Personal Data in respect of which any Company Group Member is subject to any other Data Protection Laws;
1.1.2 “Controller”: means the Customer which determines the purposes and means of the processing of personal data and ordering services from the Vendor under the Main Agreement.
1.1.3 “Processor“: means the Vendor providing services to the Company (controller) under the Agreement and processing personal data on behalf of the Company.
1.1.4 “EU”: means the European Union.
1.1.5 “In writing” includes electronic text form such as email, pdf or fax.
1.1.6 “Customer Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
1.1.7 “Customer Group Member” means Customer or any Customer Affiliate;
1.1.8 “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of a Customer Group Member pursuant to or in connection with the Principal Agreement. For the avoidance of doubt, this may include Personal Data of employees of Customer Group Members;
1.1.9 “Contracted Processor” means Vendor or a Subprocessor;
1.1.10 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.11 “EEA” means the European Economic Area, namely the EU Member States along with Iceland, Liechtenstein and Norway;
1.1.12 “EU Data Protection Laws” means the GDPR and laws implementing or supplementing the GDPR, (b) laws replacing the GDPR in the UK after the UK leaves the EU, and (c) decisions by competent EU or EEA bodies or authorities including the European Data Protection Supervisor and the European Data Protection Board, as interpreted by the European Court of Justice;
1.1.13 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);
1.1.14 “International Transfer” means:
1.1.14.1 a transfer of Customer Personal Data from the Vendor or Vendor Affiliate to any Customer Group Member; or
1.1.14.2 an onward transfer of Customer Personal Data from the Vendor or Vendor Affiliate to a Contracted Processor, or between two establishments of the Vendor or Vendor Affiliate, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the appropriate Module of the Standard Contractual Clauses to be established under section 14 below. For the avoidance of doubt: where a transfer of Personal Data is of a type authorized by Data Protection Laws in the exporting country, for example in the case of transfers from within the European Union to a country (such as Switzerland) or an adequacy decision by the Commission pursuant to Art. 45 GDPR as ensuring an adequate level of protection or any transfer which falls within a permitted derogation, such transfer shall not be an International Transfer;
1.1.15 “Services” means the services and other activities to be supplied to or carried out by or on behalf of Vendor for Customer Group Members pursuant to the Main Agreement.
1.1.16 “Standard Contractual Clauses” means the contractual clauses set out in Annex 4, amended as indicated (in square brackets and italics) in that Annex and under section 14.1. To the extent the competent authorities replace or amend the Standard Contractual Clauses, the Standard Contractual Clauses shall automatically be identically replaced or amended;
1.1.17 “Subprocessor” means any person appointed by or on behalf of Vendor or any Vendor Affiliate to Process Personal Data on behalf of any Customer Group Member in connection with the Main Agreement including any third party and any Vendor Affiliate, but excluding (a) employees of Vendor and independent contractors of Vendor closely integrated into Vendor’s organization; and
1.1.18 “Vendor Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with Vendor, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2 The terms, “Commission“, “Controller“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“,”Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
1.3 The word “include” shall be construed to mean “include without limitation”, and cognate terms shall be construed accordingly.
2. Scope, Duration and Specification of Processing
2.1 The scope and duration and the detailed stipulations on the type and purpose of Processing, namely types and categories of personal data, categories of concerned data subjects as well as the extent and nature of the collection, processing and use of personal data under this Addendum shall be governed by Annex 1 of this Addendum and the Main Agreement.
2.2 The Addendum applies to all data processing operations conducted by the Vendor (Processor), its employees or sub-contractors (as applicable) which may come into contact with personal data processed by the Vendor on behalf of the Company (Controller) as part of the provision of services under the Main Agreement. This shall include in particular, but not be limited to, the purposes of collection, the categories of personal data and the data subjects listed in Annex 1 to this Addendum.
3. Processing of Customer Personal Data on behalf of the Customer
3.1 The Vendor shall collect process and use personal data only within the scope of the Main Agreement and on the Customer’s documented instructions. This shall not apply to backup copies where these are required to ensure proper data processing, or to any data required by the Vendor to comply with statutory obligations.
3.2 The Customer’s instructions are defined in the Agreement. Further than defined in the Agreement, the Customer is not entitled to issue additional instructions, unless the Vendor is able to carry out such instruction without unreasonable efforts and the Customer pays compensation for these additional efforts according to the Vendor’s then current rates.
3.3 Additional Instructions must be issued by Customer and confirmed by Vendor in writing.
3.4 The Vendor shall inform the Customer immediately if he considers an instruction to violate applicable data protection laws. The Vendor shall then be entitled to suspend the execution of the relevant instructions until the Customer confirms or changes them.
3.5 Each Customer Group Member:
3.5.1 instructs Vendor and each Vendor Affiliate (and authorizes Vendor and each Vendor Affiliate to instruct each Subprocessor) to:
3.5.1.1 Process Customer Personal Data; and
3.5.1.2 in particular, transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Main Agreement; and
3.6 Annex 1 to this Addendum sets out certain information regarding the Contracted Processors’ Processing of the Customer Personal Data as required by article 28(3) of the GDPR and, possibly, equivalent requirements of other Data Protection Laws. Customer may make reasonable amendments to Annex 1 by written notice to Vendor from time to time as Customer reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 3) confers any right or imposes any obligation on any party to this Addendum.
4. Vendor and Vendor Affiliate Personnel
4.1 Vendor warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 3.51 on behalf of each relevant Customer Affiliate.
4.2 Vendor and each Vendor Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know and access the relevant Customer Personal Data, as strictly necessary for the purposes of the Main Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings within the meaning of 0 or professional or statutory obligations of confidentiality.
Vendor and each Vendor Affiliate shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements, which survive the termination of the personnel engagement.
5. Obligations of the Vendor (Processor)
5.1 The Customer Group Member shall correct, delete or block personal data in the scope of this Addendum. Vendor shall take such action where the Customer Group Members are unable and the Customer issues such instruction. The Customer shall compensate the Vendor for these efforts according to the Vendor’s then current rates.
5.2 The Vendor’s personnel engaged in performing processing operations under this Addendum have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work.
5.3 The Vendor shall notify to the Customer the point of contact for all issues related to data privacy and protection within the scope of the Main Agreement.
5.4 The Vendor shall periodically monitor the internal processes and the technical and organizational measures to ensure that processing within his area of responsibility is in accordance with the applicable data protection laws.
5.5 Vendor shall reasonably support Customer at the Customer’s expense according to the then current rates of the Vendor on a time and material basis in complying with his obligations according to Articles 33 to 36 of the GDPR.
5.6 The Vendor will process personal data exclusively within a Member State of the EU, the EEA or Switzerland. Each and every transfer of data to a state which is not a Member State of either the EU, the EEA or Switzerland shall only occur if the specific conditions of Articles 44 et seq. GDPR have been fulfilled.
6. Obligations of the Customer
6.1 The Customer shall ensure compliance with all applicable data protection laws, in particular with the GDPR.
6.2 The Customer shall inform the Vendor immediately in case the Customer detects any errors or irregularities of the data processing operations which affect the compliance with the applicable data protection laws.
7. Technical and Organizational Measures
7.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor and each Vendor Affiliate shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR as described in Annex 2 (“TOMs”).
7.2 Customer acknowledges and agrees that the technical and organizational as set out in Annex 2 provide a level of security appropriate to the risk in respect of the Customer Personal Data.
7.3 The technical and organizational measures are subject to technical progress and further development. The Vendor may amend the technical and organizational measures, provided that the new measures do not fall short of the level of security provided by the specified measures.
7.4 Customer Group Members in due time inform Vendor of unusual and potentially unexpected risks presented by Processing including the Processing of special categories of personal data (Art. 9 (1) GDPR), confidential information, or trade secrets.
8. Subprocessing
8.1 The Vendor may not subcontract any or a portion of the collection, processing and/or use of personal data to Subprocessors without the Customer’s prior consent.
8.2 The Customer consents to the Vendor engaging the Subprocessors listed in Annex 3 to this Addendum.
8.3 The Vendor shall notify the Customer about any substitution of or addition to the Subprocessors. The Customer may object to a new Subprocessor on basis of reasonable grounds by notice to the Vendor in writing within fourteen (14) days as of the receipt of the Vendor’s notification. The notice shall include sufficient information on the reasonable grounds so that Vendor is able to evaluate whether it is able to address the concerns. If Vendor does not receive any notice within fourteen (14) days as of the receipt of the Vendor’s notification, this shall be deemed as consent of the Customer.
8.4 If the Customer objects to a substitute or additional sub-contractor with reasonable ground, the Vendor is entitled to either address the concerns, or to inform the Customer that the new Subprocessor will be added as originally proposed. In the latter case, the Customer may terminate this Addendum by providing written notice to the Vendor.
8.5 When engaging Subprocessors in the collection, processing and/or use of personal data on behalf of the Customer, the Vendor shall ensure the fulfilment of the following conditions:
8.5.1 The sub-processing contract must reflect comparable data protection provisions agreed between the Customer and the Vendor in this Addendum;
8.5.2 The Vendor is responsible for the conduct and performance of each approved Subprocessor, and will be the Customer’s sole point of contact regarding the processing of personal data by the Subprocessor.
8.5.3 The Vendor’s Subprocessors may further sub-contract any or a portion of the processing to a sub-Subprocessor, subject to the Vendor’s express consent. The Subprocessor is responsible for the conduct and performance of each approved sub-Subprocessor, and the Vendor remains the Customer’s sole point of contact regarding any portion of the Services performed by sub-Subprocessors.
9. Data Subject Rights
9.1 The Vendor is not obliged to directly respond to any enquiries of data subjects and shall refer such data subjects to the Customer, if the information provided by the data subject suffices to identify the Customer as the one the enquiry relates to. The foregoing applies accordingly, where a data subject requests the Vendor to correct, delete or block data.
9.2 If the Customer is obliged to answer any data subjects’ enquiry related to the collection, processing and/or use of personal data, the Vendor shall reasonably support the Customer in providing the required information. The Vendor shall only be obliged to provide the information upon the Customer’s documented instruction, and where the Customer reimburses the Vendor for the cost and expenses according to the then current rates of the Vendor incurred in providing such support. The Vendor shall not be liable if the Customer fails to correctly or timely respond to the request of the concerned data subject, or if the Customer does not respond to the data subject’s enquiries at all.
9.3 If claims pursuant to Art. 82 GDPR are brought by the data subject against the Vendor, the Customer undertakes to assist the Vendor’s defense against such claims.
10. Personal Data Breach
10.1 The Vendor shall notify the Customer without undue delay if the Vendor becomes aware of any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (“Personal Data Breach”. These incidents will not include unsuccessful attempts or activities that do not compromise the security of the Customer Personal Data of Customer, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. The Customer instructs the Vendor to take all measures the Vendor deems necessary or helpful to secure the data processed on behalf of the Customer and to minimize any possible adverse consequences to the data subject, and where the Customer reimburses the Vendor for the cost and expenses according to the then current rates of the Vendor incurred in providing such support.
11. Data Protection Impact Assessment and Prior Consultation
Vendor and each Vendor Affiliate shall provide reasonable assistance to each Customer Group Member with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of any Customer Group Member by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors, and where the Customer reimburses the Vendor for the cost and expenses according to the then current rates of the Vendor incurred in providing such support.
12. Deletion or return of Customer Personal Data
12.1 Subject to section 12.2 Vendor and each Vendor Affiliate shall promptly and in any event within 3 months of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date“), delete and procure the deletion of all copies of those Customer Personal Data.
12.2 Each Contracted Processor may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Vendor and each Vendor Affiliate shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
13. Audit Rights
13.1 Customer hereby consents to the appointment of an independent external auditor by Vendor, provided that Customer reasonably requests an audit and Vendor provides a copy of the audit report to Customer.
Vendor shall be entitled to requesting remuneration for Vendor’s support in conducting inspections. Vendor’s time and effort for such inspections shall be limited to one day per calendar year, unless agreed upon otherwise.
13.2 Where a data protection supervisory authority or another supervisory authority with statutory competence for Customer conducts an inspection, 13.1 above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations whose breach is sanctionable under the applicable criminal code.
14. International Transfers
14.1 Subject to section 14.3, each Customer Group Member based in a third country outside the EU and EEA for which the European Commission has not issued an adequacy decision pursuant to Art. 45 GDPR (as “data importer”) and each Vendor and Vendor Affiliate, as appropriate, (as “data exporter”) hereby enter into the Standard Contractual Clauses, Module Four in respect of any transfer from that Vendor or Vendor Affiliate to that Customer Group Member .
14.2 The Standard Contractual Clauses shall come into effect under section 14.1 on the later of:
14.2.1 the data exporter becoming a party to them;
14.2.2 the data importer becoming a party to them; and
14.2.3 commencement of the relevant International Transfer.
14.3 Section 14.1 shall not apply to a International Transfer unless its effect, together with other reasonably practicable compliance steps, which, for the avoidance of doubt, do not include obtaining, consents from Data Subjects, is to allow the relevant International Transfer to take place without a significant breach of applicable Data Protection Law and in accordance with Art. 44 et seqq. GDPR.
14.4 Where an onward transfer of Customer Personal Data from the Vendor or Vendor Affiliate (data exporter) to a Contracted Processor (data importer), or between two establishments of the Vendor or Vendor Affiliate Module 3 (processor to processor) of the Standard Contractual Clauses shall be concluded.
15. Costs and Liability
15.1 Subject to the following provisions of this section, Vendor and Vendor Affiliates may charge a fee based on reasonable costs for its actions for a Customer Group Member according to sections 9, 10, 11 and 13.
15.2 Vendor and Vendor Affiliates may not charge a fee for deleting or returning data.
15.3 Vendor shall give Customer Group Member reasonable notice of the expected costs.
15.4 All Customer Group Members are responsible for fees charged under this Addendum.
15.5 Customer and Supplier shall be liable to data subject in accordance with Article 82 of the GDPR.
16. General Terms
Miscellaneous
16.1 In the event of any contradictions, the provisions of this Addendum shall take precedence over the provisions of the Main Agreement or other contractual agreements between Vendor and Customer.
Governing law and jurisdiction
16.2 Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses, this Addendum and all contractual or other obligations arising out of or in connection with it are governed by the laws of Germany, excluding choice of law provisions and the United Nations Convention on Contracts for the International Sale of Goods including for the issue of whether this contract is properly executed, under exclusive jurisdiction and venue of the courts of Berlin, Germany.
Order of precedence
16.3 In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
16.4 Subject to section 16.3, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Main Agreement and including except where explicitly agreed otherwise in writing, signed on behalf of the parties agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
Severance
Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Effective Date and Termination
16.5 The Addendum comes into force at the same time as the Main Agreement. The Addendum stays in force until the end of the day on which all processing under the Main Agreement has ceased. For sake of clarification, it shall not automatically terminate upon termination or expiration of a Main Agreement unless all relevant processing has also been completed.
Immediate Intermediary Effect by Conclusive Conduct
16.6 Other than by signature or by incorporation into the Main Agreement, the Addendum may come into force by conclusive conduct before the parties have formally signed the Addendum, if and to the extent processing of Personal Data regulated by this Addendum would be significantly less permissible under Applicable Laws without this Addendum.
16.6.1 Conclusive conduct under this clause may include
16.6.1.1 initial or continued Processing of Personal Data,
16.6.1.2 deletion of Personal Data,
16.6.1.3 use of Services,
16.6.1.4 International Transfers, and
16.6.1.5 the request for or acceptance of any of the above, if processing of Personal Data regulated by this Addendum would be less permissible under Applicable Laws without this Addendum and the party does clearly object to this clause.
16.6.2 Unless the Addendum comes into force sooner according to section 16.5, the Addendum shall come into force on the end of the day before a Vendor or Vendor Affiliate first Processed Personal Data falling under this Addendum.
16.6.3 Once the parties have finally negotiated and signed this Addendum or another data processing agreement to take the place of the Addendum, such agreement will retroactively replace this Addendum, unless otherwise agreed therein.
16.6.4 A terminated Addendum may become effective again according to this section 16.6.
16.6.5 The purpose of this clause is to minimize periods of unlawful processing of data in the interest of both parties. This clause shall be interpreted in the light of this purpose.
Electronic Signature
16.7 Notwithstanding section 16.6, the parties agree that the electronic signature of a party to this Addendum shall be as valid as an original signature of such party and shall be effective to bind such party to this Addendum or any related amendment, appendix or Order Form. The parties agree that any electronically signed document (including this Addendum) shall be deemed (i) to be “written” or “in writing,” (ii) to have been signed and (iii) to constitute a record established and maintained in the ordinary course of business and an original written record when printed from electronic files.
Reverse Application
16.8 Where a Customer Group Member sometimes Processes Personal Data for Vendor and no agreement regarding the processing of Personal Data exists for such Processing of Personal Data, this Addendum shall apply to such Processing with the Customer Group Member being deemed Vendor and the Vendor being deemed Customer until such agreement regarding Processing of Personal Data is executed. Section 16.6 shall apply mutandis mutatis to this section.
Interpretation, Living Document
Any obligations arising out of this Addendum shall be interpreted in accordance with the purpose of the Addendum to require and facilitate compliance with Data Protection Laws. Where further actions are required for compliance with Data Protection Laws, the parties shall take all reasonable required measures in reasonable time.
ANNEX 1: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28 GDPR and Annex 4.
Controller:
The Controller means the Customer Group Member which determines the purposes and means of the processing of personal data and ordering services from the Vendor under the Main Agreement.
Processor:
The Processor means the Vendor providing services to the Customer Group Member (Controller) under the Agreement and processing personal data on behalf of the Customer Group Member.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Principal Agreement and this Addendum. Processing does not end before the deletion of all Customer Personal Data by Vendor and Vendor Affiliate in accordance with the Main Agreement.
The nature and purpose of the Processing of Customer Personal Data
Vendor and Vendor Affiliates will Process Customer Personal Data to provide the Services in accordance with the Main Agreement. Processing Customer Personal Data includes
· rendering the Service (Acrolinx software platform),
· supporting, or administrating the Service by persons of Vendor or Vendor Affiliate (together “Vendor Persons”), and
· implementing new features for the Service by Vendor Persons, and
· providing trainings by Vendor Persons
by means of Collection, Recording, Organization, Structuring, Storage, Adaptation or alteration, Retrieval, Consultation, Use, Disclosure by transmission, Dissemination or otherwise making available, Alignment or combination, Restriction, erasure or destruction of Customer Personal Data (together the “Processing Activities”).
Customer Personal Data Types to be Processed:
Customer Personal Data provided to Vendor or Vendor Affiliate via the Services by (or at the direction of) Customer Group Member, generally including Name, Credentials including Passwords or Access Tokens, Title and Position, Contact information (company email), Salutation (mr/ms), Scores, and Guidance.
Data Subject Categories to whom the Customer Personal Data relates:
Employees and/or authorized users of the Controller
Individuals whose Personal Data is included in the Controller’s content as part of the Services provided by Vendor
The obligations and rights of the Controller (Customer and Customer Affiliates)
The obligations and rights of Customer and Customer Affiliates are set out in the Principal Agreement and this Addendum.
Controller’s (Customer’s) employees entitled to issue instructions,
Customer’s employees entitled to issue instructions: All authorized employees and all authorized by such.
Processor’s (Vendor’s) authorized recipients of instructions:
Jörn Woywat, CFO, joern.woywat@acrolinx.com; Director of Support Tyler Faivre, support@acrolinx.com
Communication channels to be used for instructions:
Any communications channels provided along with authorized persons above. Oral instructions must be sent in writing / text (e.g. e-mail) in close temporal relation (within one working day).
Vendor’s (Processor’s) data protection email:
ANNEX 2: TECHNOLOGICAL AND ORGANIZATION MEASURES
1. Physical Access Control
Denial of unauthorized access to processing systems.
| # | Measures | Implementation |
| 1 | Use of an electronic and automatic access control system with personal access card. | Every employee who needs access to the office has a personal access card, which is authorized to open the main door of the office building and the Acrolinx office floors. |
| 2 | Separate access rules for visitors, suppliers, and other external persons. | Visitors have to ring the bell and report to the front desk and are always accompanied by internal staff. |
| 3 | Mechanical locking device for security zones. | Every room is secured via safety locks. Doors to security zones are self-closing, additionally rules for rooms: |
| 4 | Surveillance of the premises. | Premise is surveilled via: |
| 5 | Existence of a key management system. | Every key is documented and the access via the electric access card is documented via logs. Issuance and return of the keys and key cards are documented and part of the joiner/leaver process. |
2. Access Control
Assurance that those authorized to use an automated processing system have access to the personal data covered by their access authorization only.
| # | Measures | Implementation |
| 1 | System-side logging of access to systems, applications, and storage media. | Standard Server Protocols |
| 2 | Event-related evaluation of log files at system and application level. | Standard Server Protocols |
| 3 | Authorization of access according to the minimal principle. | Centralized Enforcement System |
| 4 | Role-based access control after approval by the respective supervisor. | Centralized Enforcement System |
| 5 | Existence of a documented process and standards for the assignment and withdrawal of access and authorizations rights. | Formal process for assignment and withdrawal of access and authorization rights implemented. |
| 6 | Withdrawal of access rights for employees who have resigned ore have been transferred to another team. | Withdrawing of access rights/deactivating of the user account is part of the joiner/leaver process and is triggered by HR. |
| 7 | Encryption of data at rest | Server and database encryption at rest |
3. User Control
Prevention of the use of automated processing systems by means of data transmission devices by unauthorized persons.
| # | Measures | Implementation |
| 1 | Screen is automatically locked after 15 minutes of inactivity. | Centralized Enforcement System |
| 2 | Users have been sensitized about the prohibition of passing on passwords and other sensitive access data. | Mandatory data protection and information security training. |
| 3 | Protection of internal networks against unauthorized external access by firewalls. | Firewall, Intrusion Detection and Prevention System(s) |
| 4 | Use of User IDs and passwords. | Central Authentication Provider(s) |
| 5 | Existence of documented processes and standards for the assignment and withdrawal of access and authorizations rights. | Withdrawing of access rights/deactivating of the user account is part of the joiner/leaver process and will be triggered by HR. |
| 6 | Password policy | |
| 7 | Digital data carriers are encrypted. | Only encrypted data carriers allowed. |
4. Data Carrier Control
Prevention of unauthorized reading, copying, modifying or deleting of data carriers.
| # | Measures | Implementation |
| 1 | Ensuring the orderly destruction of physical data carriers by certified disposal companies or shredders. | Paper shredding service and a hard drive/media destruction service provider(s) |
| 2 | Digital data carriers are encrypted. | Only encrypted data carriers allowed. |
5. Transport Control
Assurance that the confidentiality and integrity of data is protected during the transmission of personal data and during the transport of data carriers.
| # | Measures | Implementation |
| 1 | All digital data carriers are encrypted | Only encrypted data carriers are allowed to use. |
| 2 | Employees are trained and sensitized how to guarantee information security. | Annually data protection and information security training. |
| 3 | Digital data carries in transit are encrypted | Transport encryption of data in transit (e.g. TLS, VPN) |
6. Entry Control
Assurance that it’s possible to check and establish subsequently which personal data has been entered or changed in automated processing systems and at what time and by whom.
| # | Measures | Implementation |
| 1 | Logging of entries made, changes and deletions. | Logging enabled for file deletion at File Server level. In databases, this is handled by the log files themselves. |
7. Organizational Control
The internal organization is designed to meet the special requirements of data protection.
| # | Measures | Implementation |
| 1 | Definition of responsibilities and responsibilities for equipment, installations, and processes. | Area of responsibility defined by job descriptions. |
| 2 | Appointment of a Data Protection Officer, an IT Security Officer and Information Security officer. | |
| 3 | The presence of lockable containers in sufficient quantity. | Sufficient lockable Cupboards and roll containers are provided. |
| 4 | Written commitment of the employees involved in data processing to information secrecy and data protection. | The written commitment is part of the employment contract and the compliance with the regulations is ensured through regular trainings. |
| 5 | Existence of written guidelines and work instructions regarding to IT-use and information security, data protection, and data security. | Adequate instructions and guidelines are provided. |
| 6 | Ensure the right of the data subject to request the deletion of personal data, to request a copy of the personal data or blocking of personal data. | Processes are defined and supervised by the data protection officer. |
| 7 | Deletion of personal data after discontinuation of the purpose. | Ensured by Data Deletion Concept. |
| 8 | Business Continuity Plan | Measures are communicated to all related departments and reviewed and tested at least annually. |
8. Order Control
Assurance that personal data processed on behalf of the customer can only be processed in accordance with the instructions of the customer.
| # | Measures | Implementation |
| 1 | Conclusion of written agreements with the external service provider. | Basis of contract |
| 2 | Written transmission and documentation of instructions to the external service provider. | Basis of contract |
| 3 | Review of certifications of external service providers. | Basis of contract |
| 4 | Designation of clearly defined contact persons (including deputies) | Basis of contract |
| 5 | Performing controls on external service providers. | Ensuring through appropriate agreements and requesting evidence. |
| 6 | Non-disclosure agreement | Third parties sign confidentiality clauses prior engagement. |
| 7 | Information security | Information security is a selection criterion for third parties (certificates, reports etc.) |
9. Separability
Assurance that personal data collected for different purposes can be processed separately.
| # | Measures | Implementation |
| 1 | Separate processing of development-, test-and productive systems. | Development-, test-and productive systems are separated. |
10. Availability Control
Assurance that personal data is protected against destruction or loss.
| # | Measures | Implementation |
| 1 | Existence of a data backup policy | Backup policy implemented and regularly tested. |
| 2 | Storage of backup media in a safe | Backup media are stored in a secured environment. |
| 3 | Regular testing of data recovery | Data recovery is regularly tested. |
| 4 | Uninterruptible power supply | UPS is implemented and regularly tested. |
| 5 | Virus protection on the server | Centrally managed A/V software deployed on servers. |
| 6 | Existence of an antivirus concept | Anti-Malware-Policy implemented. |
| 7 | Regular server check for vulnerabilities (security scans) | Regular internal and external vulnerability scans. |
| 8 | Redundant design of data processing systems | Redundant data centers. |
| 9 | Classification of the building into different fire sections | Different fire sections implemented. |
| 10 | Existence of a fire alarm system | Fire alarm system is directly connected to the fire department. |
ANNEX 3: LIST OF SUBPROCESSORS
For a complete list of Acrolinx subprocessors, please visit https://www.acrolinx.com/acrolinx-sub-processors/
ANNEX 4: STANDARD CONTRACTUAL CLAUSES
These Clauses are deemed to be amended from time to time, to the extent that they relate to an International Transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws (i) by the Commission to or of the equivalent contractual clauses approved by the Commission under EU Directive 95/46/EC or the GDPR (in the case of the Data Protection Laws of the European Union or a Member State); or (ii) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another Data Protection Law (otherwise).
STANDARD CONTRACTUAL CLAUSES
MODULE FOUR: Transfer processor to controller
SECTION I
Clause 1
Purpose and scope
| (a) | The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)[1] for the transfer of personal data to a third country. |
| (b) | The Parties: (i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and (ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’). |
| (c) | These Clauses apply with respect to the transfer of personal data as specified in Annex I.B. |
| (d) | The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses. |
Clause 2
Effect and invariability of the Clauses
| (a) | These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects. |
| (b) | These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679. |
Clause 3
Third-party beneficiaries
| (a) | Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions: (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7; (ii) Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b); (iii) Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e); (iv) Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f); (v) Clause 13; (vi) Clause 15.1(c), (d) and (e); (vii) Clause 16(e); (viii) Clause 18 – Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18. |
| (b) | Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679. |
Clause 4
Interpretation
| (a) | Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation. |
| (b) | These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679. |
| (c) | These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679. |
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 – Optional
Docking clause
| (a) | An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A. |
| (b) | Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A. |
| (c) | The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party. |
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.
MODULE FOUR: Transfer processor to controller
8.1 Instructions
| (a) | The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller. |
| (b) | The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law. |
| (c) | The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities. |
| (d) | After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies. |
8.2 Security of processing
| (a) | The Parties shall implement appropriate technical and organizational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data[2], the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. |
| (b) | The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach. |
| (c) | The data exporter shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. |
8.3 Documentation and compliance
| (a) | The Parties shall be able to demonstrate compliance with these Clauses. |
| (b) | The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits. |
Clause 10
Data subject rights
MODULE FOUR: Transfer processor to controller
The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.
Clause 12
Liability
MODULE FOUR: Transfer processor to controller
| (a) | Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses. |
| (b) | Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679. |
| (c) | Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties. |
| (d) | The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage. |
| (e) | The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability. |
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
MODULE FOUR: Transfer processor to controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
| (a) | The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses. |
| (b) | The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements: (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred; (ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards[3]; (iii) any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination. |
| (c) | The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses. |
| (d) | The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request. |
| (e) | The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). |
| (f) | Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply. |
Clause 15
Obligations of the data importer in case of access by public authorities
MODULE FOUR: Transfer processor to controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)
15.1 Notification
| (a) | The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it: (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer. |
| (b) | If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter. |
| (c) | Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). |
| (d) | The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request. |
| (e) | Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses. |
15.2 Review of legality and data minimization
| (a) | The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e). |
| (b) | The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. |
| (c) | The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. |
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
| (a) | The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason. |
| (b) | In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f). |
| (c) | The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where: (i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension; (ii) the data importer is in substantial or persistent breach of these Clauses; or (iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses. In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. |
| (d) | Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law. |
| (e) | Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679. |
Clause 17
Governing law
MODULE FOUR: Transfer processor to controller
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Germany.
Clause 18
Choice of forum and jurisdiction
MODULE FOUR: Transfer processor to controller
Any dispute arising from these Clauses shall be resolved by the courts of Germany.
APPENDIX
EXPLANATORY NOTE:
It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.
ANNEX I
A. LIST OF PARTIES
MODULE FOUR: Transfer processor to controller
Data exporter:
Name: Acrolinx GmbH
Address: Invalidenstr. 73, 10557 Berlin, Germany
Data Protection Officer: Lukas Wagner, wagner@comtection.de
Activities relevant to the data transferred under these Clauses: commissioned data processing
Role (controller/processor): processor
Data importer:
Customer
Address: See main agreement
Activities relevant to the data transferred under these Clauses: commissioned data
processing
Role (controller/processor): controller
B. DESCRIPTION OF TRANSFER
MODULE FOUR: Transfer processor to controller
See Annex 1 of the present Data Protection Addendum.
[1] Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.
[2] This includes whether the transfer and further processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.
[3] As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative timeframe. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.