Data Processing Agreement for Cross-border Payments

June 28, 2021

This Data Processing Agreement ("Agreement") forms part of the Merchant Agreement between EBANX and the Merchant (together as the “Parties”).

WHEREAS

(A)The Merchant acts as a Data Controller and EBANX may act as a Data Controller and/or a Data Processor.
(B) The Merchant wishes to contract payment processing services provided by EBANX, which implies the processing of the personal data specified in Schedule A.
(C) The Parties seek to implement this Data Processing Agreement to comply with the requirements of the current legal framework in relation to data processing.
(D) The Parties wish to lay down their rights and obligations.

IT IS HEREBY AGREED as follows:



1. Definitions and Interpretations.

Unless otherwise defined herein or in the Agreement, capitalized terms and expressions used in this DPA shall have the following meaning

  • Applicable Laws means the relevant privacy and data protection laws applicable to the Agreement and this DPA or to the Customer in the Territories as applicable and in force from time to time, and as amended, consolidated, reenacted or replaced from time to time;

  • Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Applicable Laws;

  • Data Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller, according to the purposes and means defined by the later;

  • Data Subjects: means Customers related to the activity of processing payments in the Territories;

  • Data Subject Request: means the exercise by Data Subjects of their rights under, and in accordance with Applicable Laws, including but not limited to Chapter III of the GDPR;

  • Data Subject Rights: means the following rights to individuals, the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling, as defined in the Applicable Laws, including the GDPR;

  • Data Transfer means a transfer of Personal Data from the Merchant to EBANX; or an onward transfer of Personal Data from EBANX to a Subprocessor, or between companies belonging to the EBANX Group;

  • Instructions means the written, documented instructions issued by a Data Controller to a Data Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available);

  • Personal Data means any Personal Data processed by EBANX or Subprocessors on behalf of Merchant pursuant to or in connection with the Agreement;

  • Personal Data means any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person;

  • Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

  • Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;'

  • Services or EBANX Services: means any service provided by a company within the EBANX Group;

  • Subprocessor means any person appointed by or on behalf of EBANX to process Personal Data on behalf of the Merchant in connection with the Agreement as described in Schedule B;

  • Supervisory Authority means an independent public authority which is concerned with the processing of Personal Data due to Applicable Laws.


3. Processing of Personal Data. 

If any Personal Data is processed under the Agreement on behalf of Merchant, the Parties agree that EBANX shall comply with the following clauses in respect of such processing:

3.1. EBANX shall only process Personal Data on behalf of the Merchant and in accordance with the Instructions, the Agreement and this DPA for the purpose of performing its obligations under the Agreement. If EBANX cannot comply with such terms for whatever reason (including if the Instruction violates the Applicable Laws), EBANX agrees to promptly inform the Merchant of its inability to comply, in which case the Merchant shall be entitled to suspend the Data Transfer to EBANX.

3.2. EBANX shall implement, and ensure that its authorised personnel comply with, the technical and organisational security measures applicable as provided in Schedule C before Processing Personal Data and shall continue to comply with them during the term of the Agreement, including as appropriate to the risk:

3.2.1. encryption of Personal Data;

3.2.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

3.2.3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

3.2.4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

3.3. EBANX shall provide data protection and security training to those persons authorised to access the Personal Data and keep a copy of the documentation that evidences the same.

3.4. EBANX shall promptly notify the Merchant about any legally binding request for disclosure of the Personal Data by a regulatory body, government agency, or law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.

3.5. If EBANX receives a request from a Data Subject for access to Personal Data, or for the rectification or erasure of such Personal Data, or any other request from a Data Subject relating to its own Personal Data (including Data Subjects’ exercising rights under Applicable Data Protection Laws) (a “Data Subject Request”), Data Processor will:

3.5.1. notify the Merchant of the Data Subject Request;


3.5.2. provide details of the Data Subject Request (and any other relevant information the Data Controller may reasonably request) to the Merchant; and


3.5.3. provide such assistance to the Merchant for the purposes of responding to the Data Subject Request.

3.6. EBANX shall, upon written request from the Merchant, and within reasonable time, provide the Merchant with all information necessary to demonstrate EBANX’s compliance with Applicable Data Protection Laws, including of the measures EBANX has taken to comply with its obligations under this DPA, and will at its own cost implement any further steps that are reasonably necessary to ensure compliance.

3.7. Where:

3.7.1. a Data Subject exercises his or her rights under the Applicable Data Protection Law in respect of Personal Data Processed by EBANX on behalf of the Merchant;


3.7.2. the Merchant is required to deal or comply with any assessment, enquiry, notice, consultation or investigation by any Supervisory Authority; or


3.7.3. the Merchant is required under the Applicable Data Protection Laws to carry out a data protection impact assessment or consult with the Supervisory Authority prior to Processing Personal Data entrusted to EBANX under this DPA;

then EBANX will cooperate as requested by the Merchant to enable the Merchant to comply with all obligations which arise as a result thereof.

3.8. To the extent in force from time to time, EBANX shall execute the clauses from this DPA with any relevant Subprocessors (including affiliates) it appoints on behalf of the Merchant, and the clauses from this DPA may replace any clauses executed between the relevant subcontractor and the Controller.



4. Processor Personnel.

EBANX shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.



5. Security.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, EBANX shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk. In assessing the appropriate level of security, EBANX shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.



6. Subprocessing.

EBANX shall not subcontract, appoint, or disclose any Personal Data to any Subprocessor on behalf of the Merchant unless:

6.1. It is required by the Merchant and such Subprocessor has the ability to comply with EBANX’s obligations set out in this DPA;


6.2. It is previously authorized by the Merchant, as identified in Schedule B, and such Subprocessor has the ability to comply with EBANX’s obligations set out in this DPA; or


6.3. It is necessary for the provision of the Services and the Subprocessor has entered into a previous contract with EBANX which requires the Subprocessor to take adequate technical and organisational measures to safeguard the security and integrity of the relevant Personal Data.



7. Data Subject Rights

7.1. Taking into account the nature of the Processing, EBANX shall assist the Merchant by implementing appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Merchant obligations to respond to requests to exercise Data Subject rights under the Applicable Laws.


7.2. EBANX shall ensure that it does not respond to that request except as required by Applicable Laws to which EBANX is subject or on the documented Instructions of Merchant.


7.3. Whether EBANX cannot fulfil Merchant’s obligation to respond to requests to exercise Data Subject rights under the Applicable Laws, EBANX shall promptly notify Merchant if it receives a request from a Data Subject in respect of Personal Data.



8. Personal Data Breach

8.1. If EBANX reasonably believes that there is any improper, unauthorized or unlawful access to, use of, or disclosure of, or any other compromise which affects the availability, integrity or confidentiality of Personal Data which is Processed by EBANX under or in connection with this DPA (“Data Breach”), upon becoming aware of such Data Breach, EBANX shall:

a) immediately notify the Merchant of all known details of the Data Breach relating to the Personal Data, including:

i) a description of the nature of the Data Breach including, where possible, the categories and approximate number of Data Subjects and records concerned;
ii) the name and contact details of the data protection officer or other contact point where more information can be obtained;
iii) a description of the likely consequences of the Data Breach; and
iv) a description of the measures taken or proposed to be taken to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;

b) provide the Merchant with regular status updates on any Data Breach (including actions taken to resolve the incident) and share additional information related to the breach as soon as more details become available;

c) mitigate any harmful effect that is known to EBANX of a use or disclosure of the Personal Data in violation of this DPA or in connection with a Data Breach;

d) assist the Merchant in remediating or mitigating any potential damage from a Data Breach.

e) after the closure of the incident, provide the Merchant a written report describing the Data Breach, the root cause analysis, actions taken by EBANX during its response and EBANX's plans for future actions to prevent a similar Data Breach from occurring;

f) assist the Merchant with notifying the Data Breach to any Supervisory Authority or the Data Subject in accordance with, and in the timeframe required by, the Applicable Data Protection Laws.



9. Data Protection

Impact Assessment and Prior Consultation. EBANX shall provide reasonable assistance to the Merchant with any data protection impact assessments, insofar as possible, and prior consultations with Supervisory Authorities, which Merchant reasonably considers to be required whether the Processing would result in high risk in the absence of measures taken by EBANX to mitigate the risk, in each case solely in relation to Processing of Personal Data by EBANX.



10. Deletion or Return of Personal Data

10.1. In the event of cessation of the Services involving the Processing of Personal Data, EBANX shall, within 90 business days, delete and procure the deletion of all copies of Personal Data.

10.2. Regardless of the above, EBANX shall continue the Processing of Personal Data to comply with purposes for which they were collected or for compliance with a legal or regulatory obligation under Applicable Laws. In this case, EBANX shall delete and procure the deletion of all copies of Personal Data within 90 business days after the cessation of such grounding.



11. Lawful basis for the Processing of Personal Data as a Data Processor.

Merchant shall ensure the collection of Personal Data according to the Applicable Laws, taking into account the nature, scope, context and purposes of the Processing and allow EBANX, whenever acting as a Data Processor, to process Personal Data for the provision of the Services or on the relevant Merchant’s documented Instructions. Any Processing outside the scope of these instructions will require prior written agreement between Merchant and EBANX.



II. DATA CONTROLLER CLAUSES

12. To the extent that EBANX independently determines the means and purposes of processing any Personal Data pursuant to the Agreement or to this DPA, EBANX shall:

12.1. solely process Personal Data for the purpose of performing its obligations under the Agreement or for the lawful purposes determined by EBANX as described in the Agreement or in the DPA;

12.2. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing and promptly notify the Merchant if any Personal Data is subject to any unauthorised or unlawful access, loss, destruction or damage;

12.3. promptly assist the Merchant in complying with any data subject rights request under the Applicable Laws that the Merchant may receive from any individuals to whom any Personal Data relates;

12.4. promptly assist the Merchant in complying with any duties to cooperate with Supervisory Authorities under the Applicable Laws;

12.5. take any other alternative or additional steps reasonably requested by the Merchant in order to ensure that appropriate measures are put in place to provide an adequate level of protection for Personal Data.



III. GENERAL CLAUSES

13. Each Party shall collect and process Merchant Personal Data under the Agreement in accordance with Applicable Laws and applicable industry standards under the Agreement in the Territories, including by obtaining required consents or making required notifications for the collection and processing of Personal Data.

14. EBANX will have the right to control and/or process the data to the extent necessary for the performance of its obligations under the Agreement and this DPA.



15. Data Transfers.

EBANX shall ensure that Personal Data internationally transferred due to the provision of the Services is adequately protected. To achieve this, EBANX shall transfer Personal Data to countries or international organizations that ensure adequate levels of protection.



16. Transfer Mechanisms.

For any transfers by Merchant of Personal Data from (a) the European Economic Area and/or its member states, United Kingdom and/or Switzerland, or (b) from Singapore or any ASEAN member states ((a) and (b) collectively, “Restricted Countries”), to EBANX in a country which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the Data Protection Laws of the Restricted Countries) (collectively, “Third Country”), such transfers shall be governed by a valid mechanism for the lawful transfer of Customer Personal Data recognized under Data Protection Laws, such as those directly below:

16.1. Standard Contractual Clauses. EBANX agrees to abide by, and Process Personal Data from the Restricted Countries in compliance with the Standard Contractual Clauses which are incorporated into this DPA by reference, and for these purposes EBANX shall be the "data importer" and Merchant is the "data exporter" under the Standard Contractual Clauses (notwithstanding that Merchant may be an entity located outside of a Restricted Country). For the purposes of this clause:

(a) Schedule D shall apply only with respect to Personal Data from the European Economic Area and/or its member states, United Kingdom and/or Switzerland; and
(b) Schedule E shall apply only with respect to Personal Data from Singapore or any ASEAN member states.



17. Indemnity.

17.1. Without prejudice to any other rights or remedies that each Party may have, either Party hereby acknowledges and agrees that a Party with rights under this DPA may be irreparably harmed by any breach of its terms and that damages alone may not be an adequate remedy. Accordingly, a Party bringing a claim under this DPA shall be entitled to the remedies of injunction, specific performance, or other equitable relief for any threatened or actual breach of the terms of this DPA.

17.2. In addition to, and without affecting any other rights or remedies that each Party may have, if any Party breaches the terms of this DPA, it shall defend, indemnify and hold harmless the other Party and its Affiliates, officers, directors and employees (“Indemnified Parties”) from and against any and all claims, liabilities, costs, expenses, loss or damage incurred (including court costs and reasonable attorneys’ legal fees, and consequential, indirect, special and punitive damages, loss of profits and revenue, loss of reputation and all interest, penalties and legal and other professional costs and expenses) arising directly or indirectly from a breach of this DPA by any Party.



18. General Terms

18.1. Unless otherwise stated in the Agreement, to the extent that the terms of this DPA and the Agreement conflict, the terms of this DPA shall prevail.

18.2. If, at any time, any one or more of the provisions of this DPA shall be deemed invalid, illegal, or unenforceable in any event the validity, legality and enforceability of the remaining provisions of this DPA shall not in any way be affected or impaired and shall remain valid and enforceable to the fullest extent permitted by law.

18.3. Any change hereto shall only be valid and effective if in writing upon agreement by the Merchant and EBANX. However, EBANX reserves the right to revise and modify the provisions set forth herein though a previous notice sent electronically to you or published in our website. If you do not agree with the new terms, you may request the termination of this Agreement within 30 (thirty) days. Otherwise, if you continue using the Services, we may presume your acceptance to the new terms.



SCHEDULE A - DATA PROCESSING DETAILS

Data Controller: The Data Controller may be the Merchant or any company within the EBANX Group in each of the Territories, where applicable according to this DPA.

Data Processor: The Data Processor may be any company within the EBANX Group (as defined in the Agreement) responsible for providing payment processing services in each of the Territories.

Data Subjects: Data Subjects are Customers related to the activity of processing payments in the Territories.

Categories of Data and Processing Operations: The following categories of Personal Data may be processed by EBANX on behalf of Merchant, depending on the Processing purpose:

  • (1) full name;

  • (2) email;

  • (3) ID data;

  • (4) address;

  • (5) date of birth;

  • (6) telephone number;

  • (7) scanned documents;

  • (8) biometric photograph;

  • (9) Internet Protocol (IP) address;

  • (10) payment method information;

  • (11) proof of address;

  • (12) proof of payments;

  • (13) information regarding transactions carried out in the Merchant’s website, such as volume, approval, chargeback and cancellation index;

  • (14) information sent by or associated with the device(s) used to access Merchant’s website, such as users device’s IP address, computer/mobile device operating system and browser type, type of mobile device, the characteristics of the mobile device, the unique device identifier (UDID) or mobile equipment identifier (MEID) for user mobile device .

Processing Operations Purposes:
As a Data Processor on behalf of the Merchant, EBANX may Process Personal Data for the following purposes:

  • to provide the Services, including, but not limited to activities related to payment processing, reversals, and refunds of transactions;

  • to perform the obligations provided in the Agreement;

  • to monitor, prevent and detect frauds and security threats;

  • to verify payment’s authenticity;

  • to prevent harm to Merchant, EBANX and/or third parties;

  • to respond to Customer and Merchant support request;

  • to host and maintain data and systems;
    otherwise to fulfill the obligations set out in the Agreement.

As a Data Controller, EBANX may Process Personal Data for the following purposes:

  • to comply with legal or regulatory obligations applicable to EBANX;

  • to monitor, prevent and detect frauds and security threats;

  • to verify payment’s authenticity;
    to prevent harm to Merchant, EBANX and/or third parties;

  • to host and maintain data and systems;

  • to produce and distribute promotional marketing actions;

  • to analyze, develop and improve its products and services.

Whenever EBANX acts as a Data Controller, the Processing of Personal Data will be subject to EBANX’s Privacy Policy (available in English here), besides any other EBANX’s Privacy Policy applicable in each Territory which may differ due to Applicable Laws.

Recipients: any company belonging to the EBANX Group (as defined in the Agreement) responsible for providing payment processing services in each of the Territories, and Subprocessors.



SCHEDULE B - SUBPROCESSORS

The following Subprocessors are authorized by the Merchant to process Personal Data on behalf of the Merchant. Such Subprocessors have the ability to comply with EBANX’s obligations set out in this DPA, are necessary for the provision of the Services, and have entered into a previous contract with EBANX, which requires each one of them to take adequate technical and organisational measures to safeguard the security and integrity of the relevant Personal Data.

(1) Subprocessor: Amazon Web Services Inc.
Location: United States of America
Description: Such processing is related to AWS cloud services that supports the provision of Vendor’s payment processing services. AWS was chosen by having the most advanced security certifications and being the lead company on the Gartner Magic Quadrant (Cloud infrastructure as a Service). Vendor stores only the information required to the contracted services, and they are stored within our cloud-hosted infrastructure in the Region of USA - California (main region) and USA - Virginia (Disaster Recovery).

(2) Subprocessor: Konduto
Location: Brazil
Description: Such processing is performed to ensure that our operations are secure against fraud. Konduto is a global pioneer in using machine learning and browsing behavior monitoring technologies to combat online fraud.

(3) Subprocessor: LexisNexis Emailage
Location: Brazil or another country where LexisNexis Risk Solutions affiliates and service providers maintain servers and facilities
Description: Such processing is performed to ensure that our operations are secure against fraud. LexisNexis Emailage is a powerful fraud risk rating solution powered by intelligence in the evaluation of email data.

(4) Subprocessor: CyberSource
Location: Brazil or another country where LexisNexis Risk Solutions affiliates and service providers maintain servers and facilities
Description: Such processing is performed to ensure that our operations are secure against fraud. CyberSource is a company that optimises online fraud management and simplifies payment security.

(5) Subprocessor: ClearSale
Location: Brazil
Description: Such processing is performed to ensure that our operations are secure against fraud. ClearSale is a company that has solutions for fraud management in different business models. With the available resources, digital onboarding, payment authentication and account opening processes become less complex and more secure.

(6) Subprocessor: Any company within the EBANX Group (as defined in the Agreement) responsible for providing payment processing services in each of the Territories.
Location: Any Territory where EBANX Group (as defined in the Agreement) provides its payment processing services.
Description: Such processing is related to the provision of the payment processing services described in the Agreement. This processing is required because EBANX Group relies on its companies located in each of the Territories to provide its payment processing services.



SCHEDULE C - TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

TECHNICAL AND ORGANISATIONAL MEASURES. Data Processor shall implement a comprehensive privacy and security programme for the purpose of protecting content. This programme includes the following:

a. Data security. Data Processor shall design and implement the following measures to protect customer's data against unauthorised access:

i. standards for data categorization and classification;

ii. a set of authentication and access control capabilities at the physical, network, system and application levels; and

iii. a mechanism for detecting big data-based abnormal behaviour.

b. Network security. Data Processor shall design and implement stringent rules on internal network isolation to achieve access control and border protection for internal networks (including office networks, development networks, testing networks and production networks) by way of physical and logical isolation.

c. Physical and environmental security. Data Processor shall implement stringent infrastructure and environment access controls have been implemented for Data Processor’s infrastructure based on relevant regional security requirements. Sub-processor shall implement an access control matrix is, based on the types of personnel and their respective access privileges, to ensure effective management and control of access and operations by personnel.

d. Incident management. Data Processor shall operate active and real-time service monitoring, combined with a rapid response and handling mechanism, that enables prompt detection and handling of security incidents.

e. Compliance with standards. Data Processor shall comply with the following standards:

i. Information security management system – ISO 27001:2013.



Supplemental Terms to Provide Additional Safeguards

1. This Appendix 3 is supplemental to, and should be read in conjunction with, the Clauses.

2. The data subject can enforce, as third-party beneficiary, this paragraph 2 and paragraph 5 of this Appendix 3 against the data importer in accordance with Clause 3(2) of the Clauses.

3. The data exporter warrants that, prior to the transfer of personal data to the data importer, it has assessed the adequacy of the protection of the personal data in accordance with the requirements of the applicable data protection law, including taking into account the legal regime of the jurisdiction of the data importer. As part of this assessment, the data export warrants that it has considered what additional safeguards may be implemented to ensure an adequate level of protection for the personal data that the data importer receives from the data exporter. The data exporter shall document this assessment, including any additional safeguards implemented, and make it available to the data importer upon request.
Additional safeguards required to be put in place to ensure the adequate protection of the personal data transferred, and not otherwise provided for in this Appendix 3, are set out in the technical and organisational security measures in Appendix 2. These safeguards include, among other measures:

  • secure encryption of the personal data in transit and at rest;

  •  technical measures to secure relevant encryption keys;

  • secure pseudonymisation of the personal data;

  • technical measures to secure the additional information which allows pseudonymised data to be attributed to a specific data subject.

The data importer agrees and warrants:
(a) without prejudice to Clause 5(b) of the Clauses, that, in the event the Clauses cease to be an appropriate safeguard for the transfer of the personal data as described in Appendix 1, in accordance with applicable data protection law or by virtue of a binding decision by a competent supervisory authority, the data exporter shall be entitled to suspend the transfer of data;

(b) to assist the data exporter with the data exporter’s continuing assessment of the adequacy of the protection of the personal data in accordance with the requirements of the applicable data protection law and pursuant to Clause 5(a) of the Clauses;

(c) Upon receipt of any legally binding order or request for disclosure of the personal data by a law enforcement authority or other competent government authority, the data importer will:

  • i. use reasonable efforts to re-direct the relevant authority to request or obtain the personal data directly from the data exporter;

  • ii. in addition to promptly notifying the data exporter of the request or order pursuant to Clause 5(d) of the Clauses, use reasonable efforts to assist the data exporter in its efforts to oppose the request or order, if applicable;

  • iii. in the event it is prohibited by applicable laws from notifying the data exporter of the request or order, use reasonable efforts to challenge such request or order in a court of competent jurisdiction and to seek relevant permission to allow the data exporter to intervene in the proceedings; and

  • Iv. in the event such request or any subsequent disclosure or other action by the data importer prevents or would prevent the data importer from complying with the Clauses or the instructions of the data exporter, the data importer agrees, pursuant to Clause 5(a) of the Clauses, to promptly inform the data exporter of its inability to comply. 


SCHEDULE D - STANDARD CONTRACTUAL CLAUSES FOR EUROPEAN DATA

These Clauses are deemed to be amended from time to time, to the extent that they relate to a Restricted Transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws.


PART 1 - Standard Contractual Clauses for Controllers to Processors

For the purposes of Regulation (EU) 2016/679 for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

THE PARTIES HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Background
The data exporter has entered into a data processing addendum (“DPA”) with the data importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Regulation (EU) 2016/679 and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.

Clause 1. Definitions. For the purposes of the Clauses:

(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'the Commissioner’ shall have the same meaning as in the UK GDPR;

(b) 'the data exporter' means the controller who transfers the personal data;

(c) 'the data importer' shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with his instructions and the terms of these Clauses and who is not subject to a third country’s system covered by UK adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018;

(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the UK;

(f) ’technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2. Details of the transfer. The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3. Third-party beneficiary clause.
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4. Obligations of the data exporter. The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the Commissioner) and does not violate the applicable data protection law;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not covered by adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 Data Protection Act 2018;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the Commissioner if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5. Obligations of the data importer. The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

  • (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

  • (ii) any accidental or unauthorised access, and

  • (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the Commissioner with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the Commissioner;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to promptly send a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6. Liability.

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7. Mediation and jurisdiction.

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

  • (a) to refer the dispute to mediation, by an independent person or, where applicable, by the Commissioner;

  • (b) to refer the dispute to the UK courts.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8. Cooperation with supervisory authorities.

1. The data exporter agrees to deposit a copy of this contract with the Commissioner if it so requests or if such deposit is required under the applicable data protection law.

2. The Parties agree that the Commissioner has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9. Governing Law. The Clauses shall be governed by the law of England and Wales.

Clause 10. Variation of the contract. The parties undertake not to vary or modify the Clauses. This does not preclude the parties from (i) making changes permitted by Paragraph 7(3) & (4) of Schedule 21 Data Protection Act 2018) and (ii) adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11. Subprocessing.

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.

2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of England and Wales.

4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the Commissioner.

Clause 12. Obligation after the termination of personal data processing services.

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the Commissioner, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.


PART 2 - Standard Contractual Clauses for Controllers to Controllers

For the purposes of Article 46(1) of Regulation (EU) 2016/679 for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

THE PARTIES HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

1. Definitions. For the purpose of the Clauses:

(a) “personal data”, “special categories of data/sensitive data”, “process/processing”, “controller”, “processor”, “data subject” and “the Commissioner” shall have the same meaning as in the UK GDPR;

(b) “the data exporter” shall mean the controller who transfers the personal data;

(c) “the data importer” shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with terms of these Clauses and who is not subject to a third country’s system covered by UK adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018;

(d) “Clauses” shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements;

The details of the transfer (as well as the personal data covered) are specified in Appendix B, which forms an integral part of the Clauses.

I. Obligations of the data exporter. The data exporter warrants and undertakes that:

(a) The personal data have been collected, processed and transferred in accordance with the laws applicable to the data exporter;

(b) It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these Clauses;

(c) It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established;

(d) It will respond to enquiries from data subjects and the Commissioner concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time;

(e) It will make available, upon request, a copy of the Clauses to data subjects who are third party beneficiaries under Clause III, unless the Clauses contain confidential information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the Commissioner. However, the data exporter shall abide by a decision of the Commissioner regarding access to the full text of the Clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the Clauses to the Commissioner where required.

II. Obligations of the data importer. The data importer warrants and undertakes that:

(a) It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected;

(b) It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data;

(c) It has no reason to believe, at the time of entering into these Clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these Clauses, and it will inform the data exporter (which will pass such notification on to the Commissioner where required) if it becomes aware of any such laws;

(d) It will process the personal data for purposes described in Appendix B, and has the legal authority to give the warranties and fulfil the undertakings set out in these Clauses;

(e) It will identify to the data exporter a contact point within its organization authorised to respond to enquiries concerning processing of the personal data and will cooperate in good faith with the data exporter, the data subject and the Commissioner concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of Clause I(e);

(f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under Clause III (which may include insurance coverage);

(g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion;

(h) It will process the personal data, at its option, in accordance with the data processing principles set forth in Appendix A;

  • (i) It will not disclose or transfer the personal data to a third-party data controller located outside the UK, unless it notifies the data exporter about the transfer and
    (i) the third-party data controller processes the personal data in accordance with UK adequacy regulations finding that a third country provides adequate protection, or

  • (ii) the third-party data controller becomes a signatory to these Clauses, or another data transfer agreement approved by the Commissioner, or

  • (iii) data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or

  • (iv) with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.

III. Liability and third-party rights.

(a) Each party shall be liable to the other parties for damages it causes by any breach of these Clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e., damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third-party rights under these Clauses. This does not affect the liability of the data exporter under the UK GDPR or the DPA 2018;

(b) The parties agree that a data subject shall have the right to enforce as a third party beneficiary this Clause and Clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these Clauses (the data exporter shall have the burden to prove that it took reasonable efforts).

IV. Law applicable to the Clauses. These Clauses shall be governed by the law of England, with the exception of the laws and regulations relating to processing of the personal data by the data importer under Clause II(h), which shall apply only if so selected by the data importer under that Clause.

V. Resolution of disputes with data subjects or the Commissioner.

(a) In the event of a dispute or claim brought by a data subject or the Commissioner concerning the processing of the personal data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion;

(b) The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the Commissioner. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes;

(c) Each party shall abide by a decision of a competent court of the data exporter’s country of establishment or of the Commissioner which is final and against which no further appeal is possible.

VI. Termination.

(a) In the event that the data importer is in breach of its obligations under these Clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated;

(b) In the event that:

  • (i) the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a);

  • (ii) compliance by the data importer with these Clauses would put it in breach of its legal or regulatory obligations in the country of import;

  • (iii) the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these Clauses;

  • (iv) a final decision against which no further appeal is possible of a competent court of the United Kingdom rules that there has been a breach of the Clauses by the data importer or the data exporter, or

  • (v) a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs
    then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the Commissioner shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these Clauses.

(c) Either party may terminate these Clauses if new UK adequacy regulations under Section 17A Data Protection Act 2018 are issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer;

(d) The parties agree that the termination of these Clauses at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under the Clauses as regards the processing of the personal data transferred.

VII. Variation of these Clauses.

The parties may not modify these Clauses except to update any information in Appendix B, in which case they will inform the Commissioner where required. This does not preclude the parties from (i) making changes permitted by Paragraph 7(3) & (4) of Schedule 21 Data Protection Act 2018; or (ii) adding additional commercial Clauses where required.

VIII. Description of the transfer.

The details of the transfer and of the personal data are specified in Annex B. The parties agree that Appendix B may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required under Clause I(e). The parties may execute additional annexes to cover additional transfers, which will be submitted to the Commissioner where required. Annex B may, in the alternative, be drafted to cover multiple transfers.


APPENDIX A TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties

This Appendix sets out the data processing principles which the importer must comply with if it selects this option in Clause II(h) above.

Principle 1. Purpose limitation. Personal data may be processed and subsequently used or further communicated only for purposes described in Appendix B or subsequently authorised by the data subject.

Principle 2. Data quality and proportionality. Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.

Principle 3. Transparency. Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.

Principle 4. Security and confidentiality. Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.

Principle 5. Rights of access, rectification, deletion and objection. Data subjects must, whether directly or via a third party, be provided with the personal information about them that an organization holds, except for requests which are manifestly abusive, based on unreasonable intervals of their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter.

Provided that the Commissioner has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated.

Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organization may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort.

A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the Commissioner.

Principle 6. Sensitive data. The data importer shall take such additional measures (eg relating to security) as are necessary to protect such sensitive data in accordance with its obligations under Clause II.

Principle 7. Data used for marketing purposes. Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.

Principle 8. Automated decisions. For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when:

(a)

  • (i) such decisions are made by the data importer in entering into or performing a contract with the data subject, and

  • (ii) the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to those parties.
    or

(b) where otherwise provided by the law of the data exporter.



SCHEDULE E - STANDARD CONTRACTUAL CLAUSES FOR ASEAN DATA

These Clauses are deemed to be amended from time to time, to the extent that they relate to a Restricted Transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws.


PART 1 - Standard Contractual Clauses for Controllers to Processors

1. Definitions.
1.1. “DP Law”: any and all written laws of Singapore relating to data protection (or are, minimally, relevant to the transfer of Personal Data) which the Data Exporter or the Data Importer (or both) are subject to, in special the Personal Data Protection Act 2012 of Singapore (PDPA), and its amendments;

1.2 “Commission”: the Data Protection Commission of Singapore (PDPC);

1.3. “Data Breach”: any loss or unauthorised use, copying, modification, disclosure, or destruction of, or access to, Personal Data transferred under this contract.

1.4. “Data Exporter”: the Party which transfers Personal Data to the Data Importer under this contract.

1.5. “Data Importer”: the Party which receives Personal Data from the Data Importer for Processing under this contract.

1.6. “Data Sub-Processor”: any person or legal entity which may be engaged by the Data Importer to assist in the Data Exporter’s Processing of Personal Data on behalf of the Data Exporter.

1.7. “Enforcement Authority”: any public authority empowered by applicable DP Law to implement and enforce the applicable DP Law, including but not limited to the Data Protection Commission of Singapore (PDPC);

1.8. “Personal Data”: any information relating to an identified or identifiable natural person living or deceased (“Data Subject”) transferred under this contract.

1.9. “Processing”: any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, including, for example, collection, use and disclosure of Personal Data.

2. Obligations of Data Exporter. The Data Exporter warrants, represents and undertakes that:
2.1. The Personal Data has been collected, used, disclosed and transferred to the Data Importer under this contract in accordance with applicable DP Law. In the absence of such law, where reasonable and practicable, the Data Subject has been notified of and given consent to the purpose(s) of the collection, use, disclosure and/or transfer of his/her Personal Data.

2.2. Any Personal Data that has been transferred under this contract is accurate and complete to the extent necessary for the purposes identified by the Data Exporter in order to comply with Clause 2.1.

2.3. The Data Exporter shall implement adequate technical and operational measures to ensure the security of the Personal Data during transmission to the Data Importer.

2.4. The Data Exporter shall respond to enquiries from Data Subjects or Enforcement Authorities regarding the Processing of Personal Data by the Data Importer as required by applicable DP Law, including requests to access or correct Personal Data, unless the Parties have agreed in writing that the Data Importer shall so respond, and such delegation is permitted by applicable DP Law. Responses to such enquiries and requests shall be made within a reasonable time frame or within the time frame and in the manner, if any, required under the applicable DP Law.

2.5. Upon notification of a data breach pursuant to clause 3.10, the Data Exporter must conduct an assessment of whether the data breach is a notifiable data breach. Where the breach has been assessed to be a notifiable one, the Data Exporter must notify:

  • (a) the Commission as soon as in practicable, but in any case, no later than three calendar days after the Data Exporter has made the assessment; and

  • (b) each affected individual in a manner that is reasonable in the circumstances.

3. Obligations of Data Importer. The Data Importer warrants, represents and undertakes that:

3.1. The Data Importer shall Process the Personal Data only in compliance with the Data Exporter’s instructions and for the purposes described in Appendix A.

3.2. The Data Importer shall not further disclose or transfer the Personal Data it receives from the Data Exporter to another person, Enforcement Authority or legal entity, including to Data Sub-Processors, unless it has notified the Data Exporter of such further disclosure or transfer in writing, and provided reasonable opportunity for the Data Exporter to object.

3.3. The Data Importer agrees that prior to any disclosure or transfer of Personal Data to third parties, including to Data Subprocessors, the Data Importer shall ensure that the third party shall be subject to and bound by the obligations of the Data Importer to the Data Exporter.

3.4. The Data Importer agrees to take reasonable steps to implement measures on the storage and Processing of Personal Data that comply with adequate security standards prescribed by the Data Exporter.

3.5. The Data Importer shall promptly communicate and refer to the Data Exporter any enquiries and requests from Data Subjects relating to the Personal Data transferred by the Data Exporter, including requests to access or correct the Personal Data.

3.6. The Data Importer shall correct any error or omission in the Personal Data reasonably requested by the Data Exporter as soon as practicable, or such other time frame required by applicable DP Law, whichever is shorter.

3.7. Upon the termination of this contract or completion of Processing required under this contract, the Data Importer shall, at the election of the Data Exporter, either return to the Data Exporter the Personal Data held in its possession pursuant to this contract or cease to retain such Personal Data in manner approved of by the Data Exporter. The Data Importer agrees to confirm this with the Data Exporter in writing once action has been taken to cease to retain such Personal Data.

3.8. The Data Importer shall have in place reasonable and appropriate technical, administrative, operational and physical measures, consistent with applicable DP Law to protect the confidentiality, integrity and availability of Personal Data, in particular against risks of Data Breaches.

3.9. If the Data Importer becomes aware that a Data Breach has occurred affecting Personal Data in its possession or under its control, or in the possession or under the control of an importer of an onward disclosure or transfer of the Personal Data, it shall notify the Data Exporter without undue delay.

3.10. The Data Importer shall promptly notify and consult with the Data Exporter regarding any investigation regarding the collection, use, transfer, disclosure, security, or disposal of the Personal Data transferred under this contract, unless otherwise prohibited under law.

3.11. The Data Importer shall provide prompt assistance to the Data Exporter upon request for the purposes of clause 2.4; and where the Data Importer has agreed in writing, to respond to enquiries and requests from Data Subjects or Enforcement Authorities regarding its Processing of Personal Data when notified by the Data Exporter.

4. Choice of Law.

4.1. This contract shall be interpreted according to the laws of Singapore;

4.2. If there is any conflict or inconsistency between clauses in this contract and Singaporean DP Law, then the applicable DP Law shall prevail.

5. Suspension of Transfer.

5.1. In the event that the Data Importer is in breach of its obligations under this contract or applicable DP Law, then the Data Exporter may temporarily suspend the transfer of Personal Data to the Data Importer until the breach is repaired or the Processing under this contract is terminated.

6. Termination of Contract
6.1. In the event that:

6.1.1. the transfer of Personal Data to the Data Importer has been temporarily suspended by the Data Exporter for longer than 30 (thirty) business days pursuant to Clause 5.1;

6.1.2. compliance by the Data Importer with this contract would put it in breach of its obligations under the law in the country in which it is Processing the Personal Data;

6.1.3. the Data Importer is in material breach of any obligations under this contract;

6.1.4. there is a final decision from which no further appeal is possible of a competent court that there has been a breach of this contract by the Data Importer; or

6.1.5. the Data Importer ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers all or substantially all of its assets to a non-affiliated entity, then the Data Exporter, without prejudice to any other rights which it may have against the Data Importer shall be entitled to terminate this contract. In cases covered by (6.1.1), (6.1.2), or (6.1.4) above the Data Importer may also terminate this contract.

6.2. In the event that:

6.2.1. compliance by the Data Exporter with this contract would put it in breach of its obligations under the law;

6.2.2. the Data Exporter is in material breach of any obligations under this contract;

6.2.3. there is a final decision from which no further appeal is possible of a competent court that there has been a breach of this contract by the Data Exporter; or

6.2.4. the Data Exporter ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers all or substantially all of its assets to a non-affiliated entity,

then the Data Importer, without prejudice to any other rights which it may have against the Data Exporter, shall be entitled to terminate this contract. In cases covered by (6.2.1), or (6.2.3) above, the Data Exporter may also terminate this contract.

6.3. The Parties agree that the termination of this contract at any time, in any circumstances and for whatever reason does not exempt them from the obligations of this contract regarding the return or deletion of the Personal Data transferred.

7. General Undertakings

7.1. Each Party warrants, represents and undertakes to the other Party that it has full capacity and authority to enter into and to perform its obligations under and in accordance with this contract.

7.2. Each Party agrees to comply with all applicable DP Law in connection with the performance of its obligations under this contract.

8. Variation

8.1. The Parties may, by written agreement, adopt or modify this contract where consistent with the principles set forth in the ASEAN Framework on Personal Data Protection, or as required by applicable DP Law. This does not preclude the Parties from adding or amending clauses, by written agreement, as appropriate for their commercial or business arrangements.

9. Description of the Transfer

9.1. The details of the transfer and the Personal Data involved are specified in Appendix A. The Parties agree that Appendix A may contain confidential business information which they shall not disclose to third parties, except as in accordance with Clause 3.2.

Additional Terms for Individual Remedies

This section contains and is an integral part of the Contract between the Parties. Words and phrases given a defined meaning in these additional terms have the same meaning in the Contract. If there is any inconsistency between these additional terms and the Contract, these additional terms shall prevail.

Individual Remedies:

1.1. The Parties acknowledge that the law of Singapore confers a right on Data Subjects to enforce the data protection warranties and undertakings of this contract as third-party beneficiaries. The Parties agree that this contract shall uphold such rights of Data Subjects under Singapore law.

1.2. Data Subjects can enforce against the Data Exporter Clauses 2.1 and 2.4 as third-party beneficiary.

1.3. Data Subjects can enforce against the Data Importer Clauses 3.5.

1.4. Data Subjects can enforce against Sub-Processors Clauses 2.1, 2.4 and 3.5 when both the Data Exporter and Data Importer have ceased operations, ceased to exist in law, or transferred all or substantially all of their assets to a non-associated entity such that the non-associated entity has assumed the legal obligations of the Data Exporter by contract or operation of law.

1.5. To the extent authorized by applicable Singapore Law, Data Subjects may obtain compensation for breaches of this contract by either the Data Importer and/or Data Exporter (as prescribed by Singapore Law or, if such law is silent on the allocation of compensation, then from both the Data Importer and Data Exporter in equal shares.

1.6. The Parties do not object to a Data Subject being represented by another body if the Data Subject expressly wishes so and such representation is permitted by applicable law.


PART 2 - Standard Contractual Clauses for Controllers to Controllers

1. Definitions

1.1. “DP Law”: any and all written laws of Singapore relating to data protection (or are minimally relevant to the transfer of personal data) which the Data Exporter or the Data Importer (or both) are subject to, in special the Personal Data Protection Act 2012 of Singapore (PDPA), and its amendments;

1.2. “Data Breach”: any loss or unauthorised use, copying, modification, disclosure, or destruction of, or access to, Personal Data transferred under this contract.

1.3. “Data Exporter”: the Party which transfers Personal Data to the Data Importer under this contract.

1.4. “Data Importer”: the Party that receives Personal Data from a Data Exporter under this contract.

1.5. “Enforcement Authority”: any public authority empowered by applicable DP Law to implement and enforce the applicable DP Law, including but not limited to the Data Protection Commission of Singapore (PDPC);

1.6. “Personal Data”: any information relating to an identified or identifiable natural person living or deceased (“Data Subject”) transferred under this contract.

1.7. “Processing”: any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, including for example, collection, use, transfer and disclosure of Personal Data.

2. Obligations of Data Exporter. The Data Exporter warrants, represents and undertakes that:

2.1. The Personal Data has been collected, used, disclosed and transferred to the Data Importer under this contract in accordance with applicable DP Law, or in the absence of such laws, where reasonable and practicable, the Data Subject has been notified of and given consent to the collection, use, disclosure and/or transfer of his/her Personal Data.

2.2. Any Personal Data that have been collected, processed, and transferred is accurate and complete to the extent necessary for the purposes of transfer under this contract.

2.3. The Data Exporter shall provide the Data Importer, on request, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the Data Exporter is established.

3. Obligations of Data Importer. The Data Importer warrants, represents and undertakes that:

3.1. The Data Importer shall Process the Personal Data only for the purposes described in Appendix A.

3.2. The Data Importer shall have in place reasonable and appropriate technical, administrative, operational and physical measures, consistent with any applicable DP Law, to protect the Personal Data against risks of Data Breaches.

3.3. The Data Importer shall provide to the Data Exporter and Data Subjects a contact point who is authorized on behalf of the Data Importer to respond to enquiries concerning Personal Data.

3.4. If the Data Importer becomes aware that a Data Breach has occurred or is likely to occur affecting Personal Data in its possession or under its control, or by the importer of an onward transfer, it shall notify the Data Exporter without undue delay.

3.5. The Data Importer acknowledges that upon receipt of the Personal Data, it assumes responsibility for the protection, Processing and maintenance of the Personal Data in its possession, in accordance with applicable DP Law and this contract.

3.6. The Parties agree that upon the termination or completion of the performance of this contract, the Data Importer shall, at the election of the Data Exporter, either return to the Data Exporter the Personal Data held in its possession or dispose of such data in a manner approved of by the Data Exporter. The Data Importer agrees to confirm this in writing with the Data Exporter once such action has been taken.

4. Obligations of both Data Exporter and Data Importer.

4.1. Both Parties have taken appropriate steps to determine the level of potential risk of data breaches involved in transferring the relevant data and to consider suitable security measures that both parties must undertake.

4.2. Both Parties shall agree on and implement appropriate controls and adequate security standards that shall apply to the storage and Processing of Personal Data.

4.3. The Data Exporter and Data Importer shall each respond to enquiries from relevant Data Subjects or Enforcement Authorities regarding processing of Personal Data in their respective jurisdictions, including requests to access or correct Personal Data.

5. Choice of Law.

5.1. This contract shall be interpreted according to the laws of Singapore.

5.2. If there is any conflict or inconsistency between clauses in this contract and DP Law, then the applicable DP Law shall prevail.

6. Termination of Contract.

6.1. In the event that:

6.1.1. compliance by the Data Importer with this contract would put it in breach of its obligations under the law in the country in which it is Processing the Personal Data;

6.1.2. the Data Importer is in material breach of any obligations under this contract;

6.1.3. there is a final decision from which no further appeal is possible of a competent court that there has been a breach of this contract by the Data Importer; or

6.1.4. the Data Importer ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers all or substantially all of its assets to a non-affiliated entity, then the Data Exporter, without prejudice to any other rights which it may have against the Data Importer shall be entitled to terminate this contract. In cases covered by (6.1.1) or (6.1.3) above the Data Importer may also terminate this contract.

6.2. In the event that:

6.2.1. compliance by the Data Exporter with this contract would put it in breach of its obligations under the law;

6.2.2. the Data Exporter is in material breach of any obligations under this contract;

6.2.3. there is a final decision from which no further appeal is possible of a competent court that there has been a breach of this contract by the Data Exporter; or

6.2.4. the Data Exporter ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers all or substantially all of its assets to a non-affiliated entity, then the Data Importer, without prejudice to any other rights which it may have against the Data Exporter, shall be entitled to terminate this contract. In cases covered by (6.2.1), or (6.2.3) above, the Data Exporter may also terminate this contract.

6.3. The Parties agree that the termination of this contract at any time, in any circumstances and for whatever reason does not exempt them from the obligations of this contract regarding the return or deletion of the Personal Data transferred.

7. General Undertakings

7.1. Each Party warrants, represents and undertakes to the other Party that it has full capacity and authority to enter into and to perform its obligations under and in accordance with this contract.

7.2. Each Party agrees to comply with all applicable DP Law in connection with the performance of its obligations under this contract.

8. Variation

8.1. Parties may, by written agreement, adopt or modify clauses in this contract in a manner consistent with the principles set forth in the ASEAN Framework on Personal Data Protection, or as required by applicable AMS Law. This does not preclude the parties from adding or amending clauses, by written agreement, as appropriate for their commercial or business arrangements.

9. Description of the Transfer

9.1. The details of the transfer and the Personal Data involved are specified in Appendix A. The parties agree that Appendix A may contain confidential business information which they shall not disclose to third parties, unless it has notified the other Party of such further disclosure or transfer in writing and provided reasonable opportunity for the other Party to object.

Additional Terms for Individual Remedies

This section contains the additional provisions and forms an integral part of the Contract between the Parties. Words and phrases given a defined meaning in these additional terms have the same meaning in the Contract. If there is any inconsistency between these additional terms and the Contract, these additional terms shall prevail.

Individual Remedies:

1.1. The Parties acknowledge that the law of Singapore confers a right on Data Subjects to enforce the data protection warranties and undertakings of this contract as third-party beneficiaries. The Parties agree that this contract shall uphold such rights of Data Subjects under Singapore law.

1.2. Data Subjects can enforce against the Data Exporter Clauses 2.1 as third-party beneficiary.

1.3. Data Subjects can enforce against the Data Importer Clauses 3.3 as a third-party beneficiary.

1.4. To the extent authorized by applicable DP Law, Data Subjects may obtain compensation for breaches of this contract by either the Data Importer and/or Data Exporter (as prescribed by applicable DP Law or, if such law is silent on the allocation of compensation, then from both the Data Importer and Data Exporter in equal shares.

1.5. The Parties do not object to a Data Subject being represented by another body if the Data Subject expressly wishes so and such representation is permitted by applicable law.