Data Processing Addendum
Effective from: 11th April 2023
For prior version, click here.
For the current version in PDF format, click here.
This Data Processing Addendum incorporates the new Standard Contractual Clauses issued by the European Commission in June 2021, the new international data transfer addendum approved by the UK Parliament on 21 March 2022 and the California Consumer Privacy Act 2018 (as amended by the California Privacy Rights Act 2020). It forms part of and is incorporated into the Terms of Service between BILLSBY LIMITED (and our Group companies) (“us”, “we”, “our”) and you and together they form a contract between you and us regarding how we process your Personal Data. If you have any queries about this contract please contact us at [email protected].
1. Definitions
| Term | Description |
|---|---|
| CCPA | California Consumer Privacy Act 2018 |
| CPRA | California Privacy Rights Act 2020 |
| DPA | this Data Processing Addendum |
| Data Protection Law | all laws and regulations applicable to the Processing of Personal Data under this DPA, including laws and regulations of the United States (“US”), European Union (“EU”), the European Economic Area and their member states (“EEA”), Switzerland, and the United Kingdom (“UK”), including, the CCPA (as amended by the CPRA) the EU GDPR and any applicable national laws made under it where you are established in the EEA and the Swiss Federal Act on Data Protection (as amended or superseded) where you are established in Switzerland |
| Data Retention Period | one hundred and twenty (120) days |
| Data Subject Request | a request from a Data Subject to access, correct or delete their Personal Data or an objection by a Data Subject to the Processing of their Personal Data |
| EU GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, repealing Directive 95/46/EC |
| Group Companies | any of our subsidiaries, any holding company or parent company that we may have and any subsidiary of any such holding company or parent company as such terms are defined in section 1159 of the Companies Act 2006 |
| IDTA | the new international data transfer addendum approved by the UK Parliament on 21 March 2022 |
| Personal Data | any information relating to an identified or identifiable natural person that is included in the Personal Data that we Process on your behalf while providing the Services and which is subject to the Data Protection Law |
| SCCs | standard contractual clauses as approved by the EU Commission (Implementing Decision (EU) 2021/914 of 04 June 2021) and as set out Schedule D. Modules 2 and 3 of the SCCs shall (for the avoidance of doubt) apply as set out in clause 8 of this DPA (IDTA) |
| Sensitive Data | including: social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); credit or debit card number (other than the truncated last four digits of a credit or debit card); employment, financial, credit, genetic, biometric or health information; racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; account passwords; or other information that falls within the definition of special categories of Personal Data under the Data Protection Law |
| Sub-Processor | any Processor engaged by us or one of our Group Companies to assist in fulfilling our obligations with respect to providing Services pursuant to the Terms or this DPA and as described in the EU GDPR (Article 28) and which may include third parties but shall exclude our employees, contractors or consultants |
| Terms | the Terms of Service between BILLSBY LIMITED (“us”, “we”, “our”) and you |
| TOMs | appropriate technical and organisational measures as set out in Schedule C to this DPA aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the Processing involves the transmission of Service Data over a network and against all other unlawful forms of processing |
| UK GDPR | the aspect of the EU GDPR saved into UK law by section 3 of the United Kingdom European Union (Withdrawal) Act 2018 |
1.1 The terms "Controller", "Data Subject", “Personal Data Breach”, "Processor", "Processing", “Data Protection Impact Assessment” or similar shall have the meanings given under the Data Protection Law.
1.2 All capitalized terms not defined in this DPA shall have the meanings set out in the Terms.
1.3 Unless otherwise stated any reference in this DPA to a Section or Schedule shall mean to a Section or Schedule in this DPA and any capitalized term contained in such Section or Schedule shall have the same meaning as defined in this DPA and/or the Terms as applicable
2. Processing of Personal Data - Roles and Responsibilities
2.1 If the Data Protection Law is applicable to the parties’ Processing of Personal Data, you may be either the Controller or the Processor. Where you are the Controller, we are the Processor and where you are a Processor, we will be a Sub-Processor. We may also engage Sub-Processors pursuant to clause 4 (Sub-Processors) of this DPA.
2.2 We shall Process Personal Data only in accordance with your documented lawful instructions and as necessary to comply with the requirements of the Data Protection Law. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and how you acquire Personal Data. This DPA sets out your complete instructions to us in relation to the processing of Personal Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
2.3 You will not provide or cause to be provided to us any Sensitive Data for Processing under this DPA and we will have no liability whatsoever for Sensitive Data, whether in connection with a Personal Data Breach or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
2.4 You will ensure that our Processing of Personal Data in accordance with your instructions will not cause us to violate any applicable law, regulation, or rule, including, without limitation, the Data Protection Law. We shall inform you promptly in writing if, in our opinion, an instruction infringes any applicable law. We shall not be liable for any losses, fines, costs, penalties, damages, etc., arising from or in connection with Processing carried out in accordance with your instructions following your receipt of any information provided by us in accordance with the foregoing. We shall provide reasonable assistance to you to assist you in complying with Articles 32 to 36 of the EU GDPR. We shall allow for and contribute to audits, including to inspections, by you or another auditor mandated by you for this purpose in accordance with clause 6 (Audits) of this DPA.
2.5 Any person engaged by us in Processing your Personal Data shall be informed by us of the confidential nature of your Personal Data, receive appropriate training and be required to execute a written agreement addressing their obligations regarding confidentiality, data protection and data security. These confidentiality obligations shall survive the termination of their engagement by us.
2.6 The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule A (Details of the Processing) of this DPA.
3. Representations and warranties
3.1 You represent and warrant to us that:
3.4.1 you have complied and will continue to comply, with all applicable laws, including the Data Protection Law, in respect of your processing of the Personal Data and any processing instructions you issue to us; and
3.4.2 you have provided, and will continue to provide, all notices and have obtained, and will continue to obtain, all consents and rights necessary under the Data Protection Law for us to process Personal Data for the purposes described in this DPA.
4. Sub-Processors
4.1 You authorize us to appoint any of our Group Companies as Sub-Processors and we and any of our Group Companies appointed as a Sub-Processor may in turn appoint any other third party as a Sub-Processor to support the performance of the Services.
4.2 A current list of our Sub-Processors applicable to each Service is set out in Schedule B to this DPA. We shall provide you with not less than 10 business days’ notice (by email or posting on a website identified by us to you) of any new, removed, or replacement Sub-Processors. Where we use a Sub-Processor, we shall ensure that there is in place a written contract with that Sub-Processor applying essentially the same data protection terms as are set out in this DPA.
4.3 Except as may otherwise be set out in the Terms we shall be liable for the acts and omissions of our Sub-Processors to the same extent we would be liable if we were performing the services of each Sub-Processor directly under the terms of this DPA.
5. Disclosure of Personal Data to third parties and Data Subject Requests
5.1. We will not disclose Personal Data to any government agency, court, or law enforcement agency except with your written consent or as necessary to comply with applicable mandatory laws. If we are obliged to disclose Personal Data to a law enforcement agency, then we agree to give you reasonable notice of the access request prior to granting such access, to allow you to seek a protective order or other appropriate remedy. If such notice is legally prohibited, then we will take reasonable measures to protect your Personal Data from undue disclosure as if it were our own confidential information being requested and shall inform you promptly as soon as possible if and when such legal prohibition ceases to apply.
5.2 To the extent legally permitted we shall notify you promptly if we receive a Data Subject Request. We shall not respond to a Data Subject Request without your prior written consent except to confirm that such request relates to you. To the extent that you, in your use of the Services, do not have the ability to address a Data Subject Request, we shall upon your request provide commercially reasonable assistance to facilitate such Data Subject Request to the extent we are legally permitted to do so and provided that such Data Subject Request is exercised in accordance with the Data Protection Law. To the extent legally permitted, you shall be responsible for any reasonable costs arising from our provision of such assistance.
6. Data Protection Impact Assessment
6.1 Where a Data Protection Impact Assessment is required under the Data Protection Law for the Processing of Personal Data, we shall, taking into the account the nature of processing and information available to us, provide to you upon request any information and assistance reasonably required including assistance for any communication with data protection authorities unless the requested information or assistance does not pertain to your obligations under this DPA.
6.2 You shall pay us mutually agreed charges for providing such assistance, to the extent that such assistance cannot be reasonably accommodated within the normal provision of the Services.
7. Security reports and audits
7.1 We shall maintain appropriate TOMs for protection from a Personal Data Breach. We regularly monitor compliance with these TOMs.
7.2 You acknowledge that the Services include certain features and functionalities that you may elect to use that impact the security of the Personal Data processed by your use of the Services, such as, but not limited to, encryption of custom fields and availability of multi-factor authentication on your account. You are responsible for properly configuring the Services and using available features and functionalities to maintain appropriate security in light of the nature of the Personal Data processed by your use of the Services.
7.3 We shall, to the extent permitted by law, notify you of any Personal Data Breach no later than seventy-two (72) hours from the time we become aware of it. To the extent such Personal Data Breach is caused by a violation of the requirements of this DPA by us, we shall make reasonable efforts to identify and remediate the cause of such Personal Data Breach. We shall provide reasonable information, cooperation and assistance to you in relation to any action to be taken in response to a Personal Data Breach and in the event, you are required under the Data Protection Law to notify a supervisory authority or any Data Subjects of the Personal Data Breach.
7.4 We have obtained third-party certifications and audits. Upon your written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Terms, we may share a copy of our most recent third-party audit reports or certifications, as applicable.
7.5 In accordance with the Data Protection Law we shall make available to you on request and in a timely manner such information as is necessary to demonstrate compliance by us with our obligations under the Data Protection Law. To the extent you want to conduct an audit the scope of which is beyond the scope covered under the third-party certifications or audits provided for at clause 7.4 we shall upon reasonable notice allow for and contribute to audits of our Processing of Personal Data, as well as the TOMs to determine our compliance with our obligations under the Data Protection Law, during regular business hours and with minimal interruption to our business operations. Such audits may be conducted by you, your affiliates or an independent third party on your behalf provided that such third party is not a competitor of our business and is subject to reasonable confidentiality obligations. You shall pay us reasonable costs of allowing or contributing to audits or inspections where you wish to conduct more than one audit or inspection every twelve (12) months. We undertake to reasonably cooperate with you in your dealings with national data protection authorities and with any audit requests received from national data protection authorities.
8. Return or Deletion of Personal Data
8.1 Following termination of the contract between us, we will retain the Personal Data for the Data Retention Period. Upon the expiration of the Data Retention Period, we will no longer have an obligation to maintain or provide you access to the Personal Data. Thereafter, unless prohibited by law, we reserve the right to destroy all Personal Data in our possession. You understand that Personal Data, once deleted, cannot be recovered. Notwithstanding the Data Retention Period, upon your written request following the termination of the contract between us, we will destroy all Personal Data in our possession.
9. IDTA
9.1 To the extent that we Process any Personal Data originating from Switzerland, the UK and/or the EEA in a country that has not been designated by the EU Commission as providing an adequate level of protection for Personal Data, the SCCs, which are incorporated into this DPA by reference, shall apply to any such Processing as follows:
- Module 2 (Controller to Processor) shall apply where you are a Controller; and
- Module 3 (Processor to Processor) shall apply where you are a Processor. Where you act as Processor under Module 3 of the SCCs, we acknowledge that you act as Processor under the instructions of a Controller(s).
9.2 Purely for the purposes of descriptions in the SCCs and only as between the parties to this DPA, you agree that you are the “Data Exporter” and we are the “Data Importer” under the SCCs (notwithstanding that you may be located outside the EEA and may yourself be a Processor acting on behalf of third-party Controllers). Schedules A, B and C of this DPA will take the place of Annexes 1, 2 and 3 of the SCCs as provided for to in Schedule D to this DPA.
9.3 The provisions in Schedule E to this DPA shall also apply to the extent mandated under the UK GDPR for transfers of Personal Data originating in the UK to any other country not recognized by the competent UK regulatory authority or governmental body for the UK as providing an adequate level of protection for Personal Data.
10. CCPA OBLIGATIONS
10.1 Notwithstanding anything to the contrary in this DPA, this clause 10 shall apply to the Personal Information of the residents of the State of California, USA. In this clause the terms “Business”, “Service Provider”, “Personal Information”, “Consumers”, “Sell”, and “Share”, shall have the meanings given in the CCPA.
10.2 You acknowledge and agree that you are the Business and we are the Service Provider with respect to Personal Information of Consumers (as those terms are understood under the CCPA) disclosed by you to us forming part of Service Data.
10.3 We will not Sell, or Share the Personal Information of Consumers that we process on your behalf pursuant to the Terms and the DPA.
10.4 We will not retain, use, or disclose Personal Information of Consumers that we process on your behalf pursuant to the Terms and the DPA for any purpose other than for the specific purposes set forth in the Terms, DPA and as part of the direct relationship between you and us.
10.5 We will not combine the Personal Information that is received from or on your behalf with Personal Information that is received from or on behalf of any other person or persons or from our direct interaction with the Consumers except as permitted under the CCPA.
10.6 You acknowledge and agree that you shall be responsible for providing the required notice to Consumers with respect to sharing their Personal Information with us.
10.7 We acknowledge that you have the right upon notice to take reasonable and appropriate steps to stop and remediate the unauthorized use of the Personal Information.
10.8 During the term of the Terms, to the extent that you, in your use of the Services, do not have the ability to address a request from Consumers, including a request to delete Personal Information, we shall provide reasonable cooperation to assist you to respond to such requests from Consumers relating to the Processing of Personal Information under the Terms and/or the DPA when you are required to respond to such requests under the CCPA, subject to the provisions under the CCPA. In the event that, any such request is made directly to us, we shall not respond to such communication directly without your prior authorization, unless legally compelled to do so, except to confirm that such request relates to you to which you hereby agree.
10.9 We shall notify you immediately if we determine that we can no longer comply with the obligations under the CCPA.
10.10 We certify that we understand the restrictions in this clause and will comply with such restrictions.
11. Term and Termination
11.1 It shall continue to be in full force and effect for the duration of the Terms and shall cease automatically thereafter.
11.2 Either Party may terminate the DPA as well as the Terms or any other agreement referred to in a Schedule to this DPA upon reasonable notice if the other party is in material breach of its terms.
11.3 Where amendments are required to ensure compliance of this DPA or a Schedule with the Data Protection Law, we shall agree on such amendments upon your request. Where the parties are unable to agree upon such amendments, you may terminate the Terms and this DPA with prior written notice to us.
12. Miscellaneous
12.1 In case of any conflict, the provisions of this DPA shall take precedence over the provisions of any other agreement between us.
12.3 In the event that individual provisions of this DPA become void, invalid or non-viable, the validity of the remaining conditions of this DPA shall not be affected.
SCHEDULE A: DETAILS OF PROCESSING
A. Parties to SCCs
(1) Data Exporter
Name: The entity subscribing to the Terms
Address: As provided by the entity when subscribing to the Terms
Contact details: As provided by the entity when subscribing to the Terms
Role: Controller or Processor
(2) Data Importer
Name: BILLSBY LIMITED
Address: New Derwent House, 69 – 73 Theobalds Road, London WC1X 8TA
Contact details: [email protected]
Activities relevant to the Personal Data transferred under these SCCs: Provision of the Services and Processing of Personal Data as permitted under the Terms.
Role: Processor and/or Sub-Processor
By entering into the Terms, the Data Exporter and the Data Importer are deemed to have signed these SCCs as of the Effective Date of the Terms.
B. Description of Transfer
Categories of Data Subjects whose Personal Data is transferred
Unless provided otherwise by the Data Exporter, transferred Personal Data relates to the following categories of Data Subjects: employees, contractors, business partners, customers or other individuals having Personal Data stored, transmitted to, made available to, accessed or otherwise processed by the Data Importer.
Categories of Personal Data transferred
You determine the categories of Personal Data that may be transferred under the Terms.
Sensitive Data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No Sensitive Personal Data transferred. The Data Exporter shall not disclose (and shall not permit any individual to disclose) any Sensitive Data to the Data Importer for Processing.
Frequency of transfer
Personal Data is transferred on a continuous basis.
Nature of the Processing
Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data (whether or not by automated means).
Purpose(s) of the transfer and further Processing
We will Process Personal Data, as necessary to perform the Services pursuant to the Terms to the extent determined and controlled by you in your sole discretion. We will also Process and enrich the Personal Data in our systems to: improve, enhance, support and operate the Services and their availability; develop, demonstrate and enable access to new products and services; and compile statistical reports and insights into usage patterns.
We may also transfer Personal Data to third-party service providers that host and maintain our applications, backup, storage, payment processing, analytics and other services as specified in the clause on Sub-Processors below. These third-party service providers may have access to or Process Personal Data for the purpose of providing these Services to us.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period
Following termination of the agreement between us, we will retain your Personal Data for the Data Retention Period. Upon the expiration of the Data Retention Period, we will no longer have an obligation to maintain or provide you, your users and end-customers with access to the Personal Data. Thereafter, unless prohibited by law, we reserve the right to destroy all Personal Data in our possession. You understand that Personal Data, once deleted, cannot be recovered. Notwithstanding the Data Retention Period, upon your written request following the termination of the contract between us, we will destroy all Personal Data in our possession. This requirement shall not apply to the extent that we are permitted by applicable law to retain some or all the Personal Data, in which event we shall isolate and protect the Personal Data from any further Processing.
For transfers to (Sub-)Processors, also specify subject matter, nature and duration of the processing
The current list of Sub-Processors is available in Schedule B.
C. Competent Supervisory Authority
In respect of the SCCs:
Module 2: Transfer Controller to Processor
Module 3: Transfer Processor to Processor
Where you are the Data Exporter, the supervisory authority shall be the competent supervisory authority that has supervision over you in accordance with clause 11 of the SCCs.
SCHEDULE B: LIST OF OUR SUB-PROCESSORS
The following is a list of our Sub-Processors as at the Effective Date: 11th April 2023
Service specific Sub-Processors
Billsby uses the third parties listed below to provide specific functionality within our services, which result in transfer of personally identifiable customer data.
| Name | Description | Entity country | Location of Data Processing |
|---|---|---|---|
| Calendly | Appointment booking software | United States | United States |
| Canny | User feedback software | United States | United States |
| Fetchify | Data validation tool | United Kingdom | United Kingdom, Europe, United States |
| FullContact | Contact data enrichment | United States | United States |
| Google Analytics | Insight and analytics | United States | United States |
| Google Cloud | Google recaptcha fraud prevention tool | United States | United States |
| HotJar | Insight and analytics | Malta | Ireland |
| Intercom | In-app messaging and CRM tool | United States | United States |
| Mailgun | Email notifications services | United States | United States |
| Messagebird | SMS notification services | United Kingdom | United States |
| Readme.io | Documentation and knowledgebase services | United Kingdom | United States |
| Simple Analytics | Insight and analytics | Netherlands | Netherlands |
| Spreedly | Credit card vaulting services | United States | United States |
| Stripe | Uptime tracking and service notifications | United States | United States |
| TaxJar | Sales tax automation | United States | United States |
| Toky | Call center and phone line services | United States | United States |
Infrastructure and CDN Sub-Processors
Billsby uses the third parties listed below to host our customer data and to provide specific functionality within our services.
| Name | Description | Entity country | Location of Data Processing |
|---|---|---|---|
| Azure | Marketing site hosting | United States | United States |
| Cloud hosting provider | United States | United States | |
| MaxCDN | CDN for marketing site | United States | United States |
| Microsoft | Cloud hosting provider | United States | United States |
SCHEDULE C: TECHNICAL AND ORGANISATIONAL SECURITY MEASURES (“TOMs”)
We have implemented and maintain a security program in accordance with industry standards and appropriate TOMS to protect from a Personal Data Breach. The Security program can be accessed here.
SCHEDULE D: STANDARD CONTRACTUAL CLAUSES (“SCCs”)
1. Parties
1.1 The parties are:
1.1.1 the natural or legal person(s), public authority(ies), agency(ies) or other body(ies) (“entity(ies)”) transferring the Personal Data (“Data Exporter”); and
1.1.2 the entity(ies) in a third country receiving the Personal Data from the Data Exporter, directly or indirectly via another entity also party to the SCCs (“Data Importer”)
each as set out in Annex 1 of this Schedule D (Schedule A, Part A to the DPA).
2. Purpose
2.1 The purpose of these SCCs is to ensure compliance with the EU GDPR on the protection of natural persons regarding the Processing of Personal Data and on the free movement of such data for the transfer of Personal Data to a third country.
3. Interpretation
3.1 These SCCs are to be interpreted in the light of the provisions of the EU GDPR. Where the SCCs use terms defined in the EU GDPR such terms shall have the same meaning and shall not be interpreted in a way that conflicts with any rights and obligations provided for in the EU GDPR.
3.2 In the event of a conflict between the SCCs and the provisions of related agreements between the parties existing at the time the SCCs are agreed or entered into after the SCCs are agreed the SCCs shall prevail.
3.3 References in this Schedule D to Annexes are to the Annexes to this Schedule D and references to Schedules are to the Schedules referred to in the Annexes. The Annexes and Schedules form an integral part of these SCCs.
4. Scope and effect
4.1 The SCCs apply to the transfer of Personal Data as described in Annex 1 of this Schedule D (Schedule A to the DPA).
4.2 The SCCs set out appropriate safeguards, including enforceable Data Subject rights and effective legal remedies, pursuant to the EU GDPR (Articles 46(1) and 46(2)(c)) and, with respect to data transfers from Controllers to Processors and/or Processors to Processors, pursuant to Article 28(7) of the EU GDPR, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Annexes. This does not prevent the parties from including these SCCs in a wider contract and/or to add other clauses or additional safeguards, provided they do not contradict, directly or indirectly, the SCCs or prejudice the fundamental rights or freedoms of Data Subjects.
4.3 The SCCs are without prejudice to obligations to which the Data Exporter is subject by virtue of the EU GDPR.
5. Third-party beneficiaries
5.1 Without prejudice to their rights under the EU GDPR, Data Subjects may invoke and enforce the SCCs, as third-party beneficiaries, against the Data Exporter and/or Data Importer, with the exception of the following clauses: 1, 3, 5, 6, 7, 8.1, 8.9.1, 8.9.3, 8.9.4 and 8.9.5; 9.1, 9.3, 9.5 and 9.5; 10.6, 10.7 and 10.8; 11; 13.1, 13.4 and 13.6; 15.6; and 17.1 and 17.2.
Description of the transfer(s)
6.1 The details of the transfer(s), and in particular the categories of Personal Data that are transferred and the purpose(s) for which they are transferred, are specified in Annex 1 of this Schedule D (Schedule A, Part B to the DPA).
7. Docking clause
7.1 An entity that is not a party to the SCCs may, with the agreement of the parties, accede to the SCCs at any time, either as Data Exporter or as Data Importer, by completing and signing the DPA and once it has done so that entity shall become a party to the SCCs and shall have the rights and obligations of a Data Exporter or Data Importer as the case may be. The acceding entity shall have no rights or obligations arising under the SCCs from the period prior to becoming a party.
8. Data protection
The Data Exporter warrants that it has used reasonable efforts to determine that the Data Importer is able, through the implementation of appropriate TOMs, to satisfy its obligations under the SCCs:
8.1 Instructions The Data Importer shall process the Personal Data only on documented instructions from the Data Exporter. Where the Data Exporter is a Processor, the Data Importer shall process the Personal Data only on documented instructions from the Controller, as communicated to the Data Importer by the Data Exporter, and any additional documented instructions from the Data Exporter. Such additional instructions shall not conflict with the instructions from the Controller. The Controller or Data Exporter may give further documented instructions throughout the duration of the contract. The Data Importer shall immediately inform the Data Exporter if it is unable to follow the given instructions. Where the Data Importer is unable to follow the instructions from the Controller, the Data Exporter shall immediately notify the Controller. Where the Data Exporter is a Processor, the Data Exporter warrants that it has imposed the same data protection obligations on the Data Importer as set out in the contract or other legal act under EEA member State law between the Controller and the Data Exporter.
8.2 Purpose limitation The Data Importer shall process the Personal Data only for the specific purpose(s) of the transfer as specified at Annex 1 of this Schedule D (Schedule A to the DPA), unless on further instructions from the Controller, as communicated to the Data Importer by the Data Exporter, or from the Data Exporter.
8.3 Transparency The Data Exporter shall make a copy of these SCCs as completed by the parties, available to the Data Subject upon request and without charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex 3 (Schedule C of the DPA) and Personal Data, the Data Exporter may redact part of the text of the Schedules prior to sharing a copy, but shall provide a meaningful summary where the Data Subject would otherwise not be able to understand its content or exercise their rights. On request, the parties shall provide the Data Subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This clause is without prejudice to the obligations of the Data Exporter or, where the Data Exporter is a Processor, the Controller, under the EU GDPR (Articles 13 and 14).
8.4 Accuracy If the Data Importer becomes aware that the Personal Data received is inaccurate, or has become outdated, it shall inform the Data Exporter without undue delay in which case, the Data Importer shall cooperate with the Data Exporter to erase or rectify the Personal Data.
8.5 Duration of Processing and erasure or return of Personal Data Processing by the Data Importer shall only take place for the duration specified in Annex 1 of this Schedule D (Schedule A, Part B of the DPA). After the end of the provision of the Processing Services, the Data Importer shall, at the request of the Data Exporter, delete all Personal Data processed on behalf of the Data Exporter or the Controller, and certify to the Data Exporter that it has done so, or return to the Data Exporter all Personal Data processed on its behalf and delete existing copies. Until the Personal Data is deleted or returned, the Data Importer shall continue to ensure compliance with these SCCs. In case of local laws applicable to the Data Importer that prohibit return or deletion of the Personal Data, the Data Importer warrants that it will continue to ensure compliance with these SCCs and will only process it to the extent and for as long as required under that local law. This is without prejudice to SCC 12, in particular the requirement for the Data Importer under SCC 12.1 to notify the Data Exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under SCC 12.1.
8.6 Processing safeguards
8.6.1 The Data Importer and the Data Exporter shall implement appropriate TOMs to ensure the security of the Personal Data, including protection against a breach of security leading to a Personal Data Breach. In assessing the appropriate level of security, the parties shall take account of matters including the costs of implementation, the nature, scope, context and purpose(s) of the Processing and the risks involved in Processing for the Data Subjects. The Parties shall consider recourse to encryption or pseudonymisation, including during transmission, where the purpose of Processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the Personal Data to a Data Subject shall, where possible, remain under the exclusive control of the Data Exporter or the Controller. In complying with its obligations under this sub-section, the Data Importer shall at least implement the TOMs specified in Annex 3 of this Schedule D (Schedule C of the DPA). The Data Importer shall carry out regular checks to ensure that the TOMs continue to provide an appropriate level of security.
8.6.2 The Data Importer shall grant access to the Personal Data to its personnel only to the extent strictly necessary for the implementation, management, and monitoring of the contract. It shall ensure that the persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8.6.3 In the event of a Personal Data Breach concerning Personal Data Processed by the Data Importer under these SCCs, the Data Importer shall take appropriate measures to address such Personal Data Breach, including measures to mitigate its adverse effects. The Data Importer shall also notify the Data Exporter and, where appropriate and feasible, the Controller without undue delay after having become aware of a Personal Data Breach. Such notification shall include: details of a contact point where more information can be obtained; a description of the nature of the breach (including, where possible, categories and approximate number of Data Subjects and Personal Data concerned); likely consequences; and the measures taken or proposed to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
8.6.4 The Data Importer shall cooperate with and assist the Data Exporter to enable the Data Exporter to comply with its obligations under the EU GDPR and in particular to notify the competent supervisory authority and the affected Data Subjects, taking into account the nature of processing and the information available to the Data Importer.
8.7 Sensitive Data Where the transfer involves Sensitive Data, the Data Importer shall apply the specific restrictions and/or additional safeguards described in Annex 1 to this Schedule D (Schedule A, Part B of the DPA).
8.8 Onward Transfer(s)
8.8.1 The Data Importer shall only disclose the Personal Data to a third party on documented instructions from the Data Exporter or the Controller, as communicated to the Data Importer by the Data Exporter. In addition, the Personal Data may only be disclosed to a third party located outside the EU (in the same country as the Data Importer or in another third country (“Onward Transfer”) if the third party is or agrees to be bound by these SCCs, under the appropriate Module, or if:
8.8.1.1 the Onward Transfer is to a country benefiting from an adequacy decision pursuant to the EU GDPR (Article 45) that covers the Onward Transfer;
8.8.1.2 the third party otherwise ensures appropriate safeguards pursuant to the EU GDPR (Article 46 or 47) with respect to the Processing in question;
8.8.1.3 the Onward Transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
8.8.1.4 the Onward Transfer is necessary in order to protect the vital interests of the Data Subject or of another natural person.
8.8.2 Any Onward Transfer is subject to compliance by the Data Importer with all the other safeguards under these SCCs.
8.9 Documentation and compliance
8.9.1 The Data Importer shall promptly and adequately deal with enquiries from the Data Exporter or the Controller that relate to the Processing under these SCCs.
8.9.2 The parties shall be able to demonstrate compliance with these SCCs. In particular, the Data Importer shall keep appropriate documentation on the Processing carried out on behalf of the Data Exporter or Controller.
8.9.3 The Data Importer shall make available to the Data Exporter all information necessary to demonstrate compliance with the obligations set out in these SCCs. Where the Data Exporter is a Processor, the Data Exporter shall provide such information to the Controller. The Data Importer shall allow for and contribute to audits by the Data Exporter of the Processing activities covered by these SCCs, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the Data Exporter requests an audit on the instructions of the Controller. In deciding on a review or audit, the Data Exporter may take into account relevant certifications held by the Data Importer. Where the audit is carried out on the instructions of the Controller, the Data Exporter shall make the results available to the Controller.
8.9.4 The Data Exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the Data Importer and shall, where appropriate, be carried out with reasonable notice.
8.9.5 The parties shall make the information referred to in sub-clauses 8.9.2 and 8.9.3, including the results of any audits, available to the competent supervisory authority on request.
9. Sub-Processors
9.1 The Data Importer is authorised by the Data Exporter to engage a Sub-Processor from an agreed list at Annex 2 to this Schedule D (Schedule B to the DPA). The Data Importer shall specifically inform the Data Exporter in writing of any intended changes to the list at Annex 2 through the addition or replacement of Sub-Processors at least ten (10) days in advance, thereby giving the Data Exporter sufficient time to be able to object to such changes prior to the engagement of the Sub-Processor(s). The Data Importer shall provide the Data Exporter with the information necessary to enable the Data Exporter to exercise its right to object.
9.2 Where the Data Importer engages a Sub-Processor to carry out specific Processing activities on behalf of the Data Exporter, it shall do so by way of a written contract that provides for, substantially the same data protection obligations as those binding the Data Importer under these SCCs, including in terms of third-party beneficiary rights for Data Subjects. The parties agree that, by complying with this SCC 9, the Data Importer fulfils its obligations under SCC 8.8. The Data Importer shall ensure that the Sub-Processor complies with the obligations to which the Data Importer is subject pursuant to these SCCs.
9.3 The Data Importer shall provide, at the Data Exporter’s request, a copy of such a Sub-Processor contract (and any subsequent amendments) to the Data Exporter. To the extent necessary to protect business secrets or other confidential information, including Personal Data, the Data Importer may redact the text of the contract prior to sharing a copy.
9.4 The Data Importer shall remain fully responsible to the Data Exporter for the performance of the Sub-Processor’s obligations under its contract with the Data Importer. The Data Importer shall notify the Data Exporter of any failure by the Sub-Processor to fulfil its obligations under that contract.
9.5 In the event the Data Importer has disappeared, ceased to exist in law or has become insolvent, the Data Importer shall agree a third-party beneficiary clause with the Sub-Processor whereby the Data Exporter shall have the right to terminate the Sub-Processor contract and to instruct the Sub-Processor to erase or return the Personal Data.
10. Data Subject Requests
10.1 The Data Importer shall promptly notify the Data Exporter and, where appropriate, the Controller of any Data Subject Requests received by it. The Data Importer shall not respond to a Data Subject Request unless it has been authorised to do so by the Data Exporter.
10.2 The Data Importer shall assist the Data Exporter, (and where appropriate in cooperation with the Data Exporter, the Controller) in fulfilling its obligations to respond to Data Subjects’ Requests under the EU GDPR. In this regard, the parties shall set out in Annex 3 the appropriate TOMs, taking into account the nature of the Processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
10.3 In fulfilling its obligations under this SCC 10, the Data Importer shall comply with the instructions from the Data Exporter or, the Controller, as communicated by the Data Exporter.
11. Supervision
11.1 Where the Data Exporter is not established in an EU member state, but falls within the territorial scope of application of the EU GDPR (Article 3(2)) and has appointed a representative pursuant to the EU GDPR (Article 27(1)), the supervisory authority of the member state in which the representative within the meaning of the EU GDPR (Article 27(1)) is established shall act as the competent supervisory authority.
11.2 The Data Importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these SCCs. In particular, the Data Importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the competent supervisory authority, including remedial and compensatory measures. It shall provide the competent supervisory authority with written confirmation that the necessary actions have been taken.
12. Access by public authorities
Local laws and practices affecting compliance with the SCCs
12.1 The parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the Processing of the Personal Data by the Data Importer, including any requirements to disclose Personal Data or measures authorising access by public authorities, prevent the Data Importer from fulfilling its obligations under these SCCs. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in the EU GDPR (Article 23(1)), are not in contradiction with these SCCs.
12.2 The parties declare that in providing the warranty in SCC 12.1, they have taken due account of:
12.2.1 the specific circumstances of the transfer including the length of the Processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of the Processing; the categories and format of the transferred Personal Data; the economic sector in which the transfer occurs; and the storage location of the Personal Data transferred;
12.2.2 the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
12.2.3 any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these SCCs, including measures applied during transmission and to the Processing of the Personal Data in the country of destination.
12.3 The Data Importer warrants that, in carrying out the assessment under SCC 12.2, it has used best efforts to provide the Data Exporter with relevant information and agrees that it will continue to cooperate with the Data Exporter in ensuring compliance with these SCCs.
12.4 The parties agree to document the assessment under SCC 12.2 and make it available to the competent supervisory authority on request.
12.5 The Data Importer agrees to notify the Data Exporter promptly if, after having agreed to these SCCs and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under SCC 12.1, including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in SCC 12.1.
12.6 Following a notification pursuant to SCC 12.5, or if the Data Exporter otherwise has reason to believe that the Data Importer can no longer fulfil its obligations under these SCCs, the Data Exporter shall promptly identify appropriate measures (e.g. TOMs to ensure security and confidentiality) to be adopted by the Data Exporter and/or Data Importer to address the situation and where the Data Exporter is a Processor, if appropriate in consultation with the Controller. The Data Exporter shall suspend the transfer of the Personal data if it considers that no appropriate safeguards for such transfer can be ensured, or where the Data Exporter is a Processor, if instructed by the Controller or if instructed by the competent supervisory authority to do so. In this case, the Data Exporter shall be entitled to terminate the contract, insofar as it concerns the processing of Personal Data under these SCCs. If the contract involves more than two parties, the Data Exporter may exercise this right to termination only with respect to the relevant party, unless the parties have agreed otherwise. Where the contract is terminated pursuant to this SCC 12, SCCs 15.4 and 15.5 shall apply.
Obligations of the Data Importer
12.7 The Data Importer agrees to notify the Data Exporter and, where possible, the Data Subject promptly (if necessary, with the help of the Data Exporter) if it:
12.7.1 receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of Personal Data transferred pursuant to these SCCs. Any such notification shall include information about the Personal Data requested, the requesting authority, the legal basis for the request and the response provided; or
12.7.2 becomes aware of any direct access by public authorities to Personal Data transferred pursuant to these SCCs in accordance with the laws of the country of destination. Any such notification shall include all information available to the Data Importer.
and where the Data Exporter is a Processor, the Data Exporter shall forward the notification to the Controller.
12.8 If the Data Importer is prohibited from notifying the Data Exporter and/or the Data Subject under the laws of the country of destination, the Data Importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The Data Importer agrees to document its best efforts in order to be able to demonstrate them on request of the Data Exporter.
12.9 Where permissible under the laws of the country of destination, the Data Importer agrees to provide the Data Exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
12.10 The Data Importer agrees to preserve the information pursuant to SCCs 12.7, 12.8 and 12.9 for the duration of the contract and make it available to the competent supervisory authority on request.
12.11 SCCs 12.7, 12.8 and 12.9 are without prejudice to the obligation of the Data Importer pursuant to SCC 12.5 and SCC 15 to inform the Data Exporter promptly where it is unable to comply with these SCCs.
12.12 The Data Importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if it reasonably considers that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The Data Importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the Data Importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the Data Importer under SCC 12.5.
12.13 The Data Importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the Data Exporter. Where the Data Exporter is a Processor, the Data Exporter shall make the assessment available to the Controller. It shall also make it available to the competent supervisory authority on request.
12.14 The Data Importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
13. Liability
13.1 Each party shall be liable to the other party/ies for any damages it causes the other party/ies by any breach of these SCCs.
13.2 The Data Importer shall be liable to the Data Subject, and the Data Subject shall be entitled to receive compensation, for any damages the Data Importer or its Sub-Processor causes the Data Subject by breaching the third-party beneficiary rights under these SCCs.
13.3 Without prejudice to the liability of the Data Exporter or, where the Data Exporter is a Processor, the Controller, under the EU GDPR and notwithstanding SCC 13.2, the Data Exporter shall be liable to the Data Subject, and the Data Subject shall be entitled to receive compensation, for any damages the Data Exporter or the Data Importer (or its Sub-Processor) causes the Data Subject by breaching the third-party beneficiary rights under these SCCs.
13.4 The parties agree that if the Data Exporter is held liable under SCC 13.3 for damages caused by the Data Importer (or its Sub-Processor), it shall be entitled to claim back from the Data Importer that part of the compensation corresponding to the Data Importer’s responsibility for the damage.
13.5 Where more than one party is responsible for any damage caused to the Data Subject because of a breach of these SCCs, all responsible parties shall be jointly and severally liable and the Data Subject is entitled to bring an action in court against any of these parties.
13.6 The parties agree that if one party is held liable under SCC 13.5, it shall be entitled to claim back from the other party/ies that part of the compensation corresponding to its/their responsibility for the damage.
13.7 The Data Importer may not invoke the conduct of a Sub-Processor to avoid its own liability.
14. Complaints and disputes
14.1 The Data Importer shall inform Data Subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints and shall deal promptly with any complaints it receives from a Data Subject.
14.2 In the event of a dispute between a Data Subject and one of the parties as regards compliance with these SCCs, that party shall use its best efforts to resolve the issue amicably and in a timely fashion. The parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
14.3 Where a Data Subject invokes a third-party beneficiary right pursuant to SCC 5, the Data Importer shall accept the decision of the Data Subject to:
14.3.1 lodge a complaint with the supervisory authority in the member state of his/her habitual residence or place of work, or the competent supervisory authority pursuant to SCC 11;
14.3.2 refer the dispute to the competent courts within the meaning of SCC 17.
14.4 The parties accept that a Data Subject may be represented by a not-for-profit body, organisation or association under the conditions set out in the EU GDPR (Article 80(1)).
14.5 The Data Importer shall abide by a decision that is binding under the applicable EU or member state law.
14.6 The Data Importer agrees that the choice made by a Data Subject will not prejudice their substantive and procedural rights to seek remedies in accordance with applicable laws.
15. Non-compliance and termination
15.1 The Data Importer shall promptly inform the Data Exporter if it is unable to comply with these SCCs, for whatever reason.
15.2 Without prejudice to SCC 12.6, if the Data Importer is in breach of or is unable to comply with these SCCs then the Data Exporter shall suspend the transfer of Personal Data to the Data Importer until compliance is again ensured or the contract is terminated.
15.3 The Data Exporter shall be entitled to terminate the contract, insofar as it concerns the Processing of Personal Data under these SCCs, where:
15.3.1 the Data Exporter has suspended the transfer of Personal Data to the Data Importer pursuant to SCC 15.2 and compliance with these SCCs is not restored within a reasonable time and in any event within one month of suspension;
15.3.2 the Data Importer is in substantial or persistent breach of these SCCs; or
15.3.3 the Data Importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these SCCs.
15.4 In these cases, it shall inform the competent supervisory and, where the Data Exporter is a Processor, the Controller of such non-compliance. Where the contract involves more than two parties, the Data Exporter may exercise this right to termination only with respect to the relevant party, unless the parties have agreed otherwise.
15.5 Personal Data that has been transferred prior to the termination of the contract pursuant to SCC 15.3 shall at the choice of the Data Exporter immediately be returned to the Data Exporter or deleted in its entirety. The same shall apply to any copies of the Personal Data. The Data Importer shall certify the deletion of the Personal Data to the Data Exporter. Until the Personal Data is deleted or returned, the Data Importer shall continue to ensure compliance with these SCCs. In case of local laws applicable to the Data Importer that prohibit the return or deletion of the transferred Personal Data, the Data Importer warrants that it will continue to ensure compliance with these SCCs and will only Process the Personal Data to the extent and for as long as required under that local law.
15.6 Either party may revoke its agreement to be bound by these SCCs where:
15.6.1 the EU Commission adopts a decision pursuant to the EU GDPR (Article 45(3)) that covers the transfer of Personal Data to which these SCCs apply; or
15.6.2 the EU GDPR becomes part of the legal framework of the country to which the Personal Data is transferred. This is without prejudice to other obligations applying to the processing in question under the EU GDPR.
16. Governing Law
16.1 These SCCs shall be governed by the law of one of the EU Member States, provided such law allows for third party beneficiary rights. The parties agree that this shall be the law of the Netherlands.
17. Choice of forum and jurisdiction
17.1 Any dispute arising from these SCCs shall be resolved by the courts of an EU Member State.
17.2 The parties agree that those shall be the courts of the Netherlands.
17.3 A Data Subject may also bring legal proceedings against the Data Exporter and/or Data Importer before the courts of the member state/Switzerland in which he/she has his/her habitual residence.
17.4 The parties agree to submit themselves to the jurisdiction of such courts.
ANNEXES
ANNEX 1
DETAILS OF PROCESSING
As specified in Schedule A to the DPA
ANNEX 2
LIST OF SUB-PROCESSORS
As specified in Schedule B to the DPA
ANNEX 3
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA (“TOMs”)
As specified in Schedule C to the DPA
Updated about 1 year ago