1. Definitions
“Business” and “Service Provider” will have the meanings given to them in the CCPA.
“California Personal Information” means Personal Data that is subject to the protection of the CCPA.
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all applicable worldwide legislation or regulations relating to data protection and privacy which apply to the respective party in its role in the Processing of the Personal Data in question under this Partner DPA and the Partner Agreement, including without limitation European Data Protection Laws, the CCPA and the data protection and privacy laws of Australia and Singapore; in each case as amended, repealed, consolidated or replaced from time to time.
“Europe” means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.
“European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) the GDPR as it forms part of United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (v) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.
“European Personal Data” means Personal Data the sharing of which pursuant to this Partner DPA and the Partner Agreement is regulated by European Data Protection Laws.
“Joint Customer” means a customer of both Partner and PRIOS.
“Joint Customer Personal Data” means any Personal Data for which a Joint Customer acts as a Controller.
“PRIOS Personal Data” means any Personal Data for which PRIOS acts as a Controller.
“Partner Personal Data” means any Personal Data for which Partner acts as a Controller.
“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within PRIOS Personal Data, Partner Personal Data, or Joint Customer Personal Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021.
“Subprocessor” means any entity which provides processing services to a Processor.
“Supervisory Authority” means any public regulatory agency authorized to enforce Data Protection Laws having jurisdiction over a particular matter.
“UK Addendum” means the International Data Transfer Addendum (Version B.1.0) issued by the UK ICO under s119A of the Data Protection Act 2018, as it may be amended, superseded, or replaced.
2. Compliance with Laws
The parties each represent and warrant that they will comply with their respective obligations and duties under all applicable Data Protection Laws.
3. Joint Processor Scenarios
Each party, to the extent that it, along with the other party, acts as a Processor with respect to Joint Customer Personal Data, will (i) comply with the instructions and restrictions set forth in any agreement(s) with the Joint Customer; and (ii) reasonably cooperate with the other party to ensure compliance with all applicable Data Protection Laws. Both parties acknowledge and agree that in such scenarios they are acting as a Processor for the Joint Customer and neither party is engaging the other as a Subprocessor.
4. Controller-to-Processor Scenarios
- Relationship of the parties. The rights, responsibilities, and obligations of the parties with regard to Sections 5 – 8 of this Partner DPA shall be as follows: for Processing operations where PRIOS processes Personal Data on Partner’s behalf and at Partner’s direction, the term “Processor” refers to PRIOS, the term “Controller” refers to Partner, and the term “Personal Data” refers to Partner Personal Data. For data processing operations where Partner processes Personal Data on PRIOS’ behalf and at PRIOS’ direction, the term “Processor” refers to Partner, the term “Controller” refers to PRIOS, and the term “Personal Data” refers to PRIOS Personal Data.
- Scope of Processing. In the context of the scenarios described in Section 4(A) above, each party agrees to process Personal Data only for the purposes set forth in the Partner Agreement and/or the Partner’s agreement(s) with the Joint Customer. For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to this Partner DPA are described in Schedule A.
5. Controller Obligations
The parties in their capacity as a Controller agree to:
- Provide instructions to the Processor and determine the purposes and means of the Processor’s processing of Personal Data in accordance with this Partner DPA and the Partner Agreement; and
- Comply with its protection, security and other obligations with respect to Personal Data prescribed by applicable Data Protection Laws for a Controller by: (i) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of the Controller; (ii) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (iii) ensuring compliance with the provisions of this Partner DPA by its personnel or by any third party accessing or using Personal Data on its behalf.
6. Processor Obligations
- Processing Requirements. The parties in their capacity as a Processor agree to:
- Process Personal Data (a) only for the purpose of providing, supporting, and improving the Processor’s product and services (including to provide insights and other reporting), using appropriate technical and organizational security measures; and (b) in compliance with the instructions received from the Controller. The Processor will not use or process Personal Data for any other purpose. The Processor will promptly inform the Controller in writing if it cannot comply with the requirements under Sections 5 – 8 of this Partner DPA, in which case the Controller may terminate this Partner DPA and the Partner Agreement, or take any other reasonable action, including suspending data processing operations;
- Inform the Controller promptly and without undue delay if, in the Processor’s opinion, an instruction from the Controller violates applicable Data Protection Laws;
- If the Processor is collecting Personal Data from individuals on behalf of the Controller, follow the Controller’s instructions regarding such Personal Data collection;
- Take commercially reasonable steps to ensure that (a) persons employed by it and (b) other persons engaged to perform on the Processor’s behalf comply with the terms of this Partner DPA and the Partner Agreement;
- Represent and warrant that its employees, authorized agents and any Subprocessors are subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the personal data who is not under such a duty of confidentiality;
- If it intends to engage Subprocessors to help satisfy its obligations in accordance with this Partner DPA or to delegate all or part of the processing activities to such Subprocessors, then (a) provide a list of Subprocessors currently engaged by the Processor to the Controller (such list for PRIOS is available online at https://principlesus.com/principlesus-list-of-subprocessors/), and promptly notify the Controller of the engagement of any new Subprocessors, giving the Controller the opportunity to object within ten (10) business days of receipt of such notice, (b) remain liable to the Controller for the Subprocessors’ acts and omissions with regard to data protection, and (c) enter into contractual arrangements with such Subprocessors binding them to provide at least the same level of data protection and information security as provided for herein;
- Upon request, provide the Controller with the Processor’s privacy and security policies; and
- Inform the Controller if the Processor undertakes an independent security review and upon Controller’s reasonable request, share any material deficiencies in a reasonable level of detail identified in any such review.
- Notice to the Controller. The Processor will immediately and without undue delay inform the Controller if the Processor becomes aware of:
- Any non-compliance by Processor or its employees with Sections 5 – 8 of this Partner DPA or applicable Data Protection Laws relating to the protection of Personal Data processed under this Partner DPA;
- Any legally binding request for disclosure of Personal Data by a law enforcement or government authority, unless the Processor is otherwise forbidden by law to inform the Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;
- Any notice, inquiry or investigation by a Supervisory Authority with respect to Personal Data; or
- Any complaint or request (in particular, requests for access to, rectification or blocking of Personal Data) received directly from data subjects of the Controller. The Processor will not respond to any such request without the Controller’s prior written authorization.
- Assistance to the Controller. The Processor will provide timely and reasonable assistance to the Controller regarding:
- The response to any attempt by an individual to exercise their rights under applicable Data Protection Laws (including their rights of access, correction, objection, erasure and data portability, as applicable) and the Processor agrees to promptly inform the Controller if such a request is received directly;
- The investigation of Personal Data Breaches and the notification to the Supervisory Authority and the Controller’s data subjects regarding such Personal Data Breaches; and
- Where appropriate, preparation of data protection impact assessments and, where necessary, communications with any Supervisory Authority.
- Required Processing. If the Processor is required by Data Protection Laws to process any Personal Data for any purpose not permitted by this Partner DPA or the Partner Agreement, unless the Processor is legally prohibited from informing the Controller of such requirement (e.g., as a result of secrecy requirements that may exist under applicable EU member state laws) it will inform the Controller prior to performing any such processing.
- Security. The Processor will:
- Maintain appropriate organizational and technical security policies and procedures designed to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Personal Data. Such policies and procedures shall include (but not be limited to) the following: personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response and encryption of Personal Data, both in transit and at rest;
- Be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all Subprocessors with respect to Personal Data and liable for any failure by any Subprocessor to comply with the terms of this Partner DPA; and
- Notify the Controller of any Personal Data Breach involving the Processor, its Subprocessors, or any other third parties acting on the Processor’s behalf without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.
- Additional Provisions for California Personal Information. When the Processor Processes California Personal Information in accordance with the instructions received from the Controller, the parties acknowledge and agree that the Controller is a Business and the Processor is a Service Provider for the purposes of the CCPA. The parties agree that the Processor will Process California Personal Information as a Service Provider strictly for the purpose of providing the Processor’s services (including to provide insights and other reporting) (the “Business Purpose”) or as otherwise permitted by the CCPA.
7. Audit, Certification
- Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which the Processor processes Personal Data in order to ascertain or monitor compliance with Data Protection Laws, the Processor shall cooperate with such audit. The Controller will reimburse the Processor for its reasonable expenses incurred to cooperate with the audit, unless such audit reveals the Processor’s noncompliance with this Partner DPA.
- Processor Certification. The Processor must, upon the Controller’s request (not to exceed one request per calendar year) certify via email its compliance with this Partner DPA in writing. Where PRIOS is the Processor, such certifications shall be sent to security@principles.com. Any notices to Partner shall be sent to the single point of contact address provided by Partner to PRIOS in writing, which address may be updated in writing by Partner from time to time.
8. Data Return and Deletion
The parties agree that on the termination of the data processing services or upon the Controller’s reasonable request, the Processor shall take reasonable measures to, and where applicable causing any Subprocessors to, at the option of the Controller, either (i) return all the Personal Data and any copies thereof to the Controller, or (ii) securely destroy such data and demonstrate to the satisfaction of the Controller that it has taken such measures, unless Data Protection Laws prevent the Processor from returning or destroying all or part of the Personal Data disclosed. In such case, the Processor agrees to preserve the confidentiality of the Personal Data retained by it and that it will only actively process such Personal Data after such date to the extent required to comply with applicable Data Protection Laws.
9. Data Transfers
Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of applicable Data Protection Laws.
- Partner Personal Data. For transfers of European Personal Data from Partner to PRIOS for processing by PRIOS in a jurisdiction outside Europe that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), the parties agree:
- to abide by and process European Personal Data in compliance with the SCCs as incorporated under Section 9(C) below; and
- that although PRIOS does not rely on the EU-US Privacy Shield as a legal basis for transfers of Personal Data in light of the judgment of the Court of Justice of the EU in Case C-311/18, for as long as PRIOS is self-certified to the Privacy Shield, PRIOS will process European Personal Data in compliance with the Privacy Shield Principles and notify Partner if it is unable to comply with this requirement.
The parties agree that data subjects for whom PRIOS processes European Personal Data are third-party beneficiaries under the SCCs. If PRIOS is unable or becomes unable to comply with these requirements, then European Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of European Personal Data to a non-EU country requires the prior written consent of Partner. PRIOS shall promptly notify Partner of any inability by PRIOS to comply with the provisions of this Section 9(A).
- PRIOS Personal Data. For transfers of European Personal Data from PRIOS to Partner for processing by Partner in a jurisdiction outside Europe that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), the parties agree:
- to abide by and process European Personal Data in compliance with the SCCs as incorporated under Section 9(C) below; and
- for as long as PRIOS is self-certified to the Privacy Shield, Partner will process European Personal Data in compliance with the Privacy Shield Principles and promptly notify PRIOS if it is unable to comply with this requirement.
The parties agree that data subjects for whom Partner processes European Personal Data are third-party beneficiaries under the SCCs. If Partner is unable to comply with these requirements, then European Personal Data will be processed and used exclusively within the territory of a member state of the European Union and any movement of European Personal Data to a non-EU country requires the prior written consent of PRIOS. Partner shall promptly notify PRIOS if it is unable to comply with the provisions of this Section 9(B).
- Standard Contractual Clauses. The parties acknowledge and agree that for the purpose of the SCCs: (i) with respect to Partner Personal Data, the “data exporter” shall be Partner and the “data importer” shall be PRIOS; (ii) with respect to PRIOS Personal Data, the “data exporter” shall be PRIOS and the “data importer” shall be Partner; (iii) the Module One terms shall apply where both parties are Controllers and the Module Two terms shall apply where the party receiving Personal Data under the SCCs is acting as a Processor on behalf of the other party as a Controller; (iv) in Clause 7, the optional docking clause shall apply; (v) in Clause 9, Option 2 of Module Two shall apply and the Processor shall obtain authorization for Subprocessors in accordance with Section 6(A) of this Partner DPA; (vi) in Clause 11, the optional language shall be deleted; (vii) in Clause 17 and Clause 18(b), the SCCs shall be governed by the laws of, and disputes shall be resolved before the courts of, the Republic of Ireland; (viii) in Annex I of the SCCs, the details of the parties are set out in this Partner DPA and the Partner Agreement; and (ix) the remaining information in Annex I and Annex II of the SCCs shall be deemed completed with the information set out in Schedule A of this Partner DPA.
- UK Transfers. In relation to Personal Data that is subject to the UK GDPR, the SCCs shall apply in accordance with Section 9(C) above and the following additional modifications: (i) the SCCs shall be amended as specified by the UK Addendum, which shall be incorporated by reference; (ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be populated with relevant information set out in Schedule A of this Partner DPA; (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither”; and (iv) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
- Swiss Transfers. In relation to Personal Data that is subject to the Swiss DPA, the SCCs shall apply in accordance with Section 9(C) above and the following additional modifications: (i) references to “Regulation (EU) 2016/679” and specific articles therein shall be interpreted as references to the Swiss DPA and the equivalent articles or sections therein; (ii) references to “EU”, “Union” and “Member State” shall be replaced with references to “Switzerland”; (iii) references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”; and (iv) in Clause 17 and Clause 18(b), the SCCs shall be governed by the laws of and disputes shall be resolved before the courts of Switzerland.
10. Term
This Partner DPA shall remain in effect as long as either party carries out Personal Data processing operations on the Personal Data uploaded or otherwise provided by the other party pursuant to and in accordance with the Partner Agreement.
11. Indemnity
Each party shall defend, indemnify, and hold harmless the other and its subsidiaries, affiliates, and its respective officers, directors, members, employees, agents, service providers, and licensors from and against all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers, arising out of or resulting from any third-party claim against the other arising out of or resulting from the breaching party’s failure to comply with any of its obligations under this Partner DPA or the applicable laws, regulations, or principles contained in Data Protection Laws. Each Party’s liability hereunder shall be subject to the limitation of liability in the Partner Agreement.