DPA For Customers (Controller-Processor)
Data Processing Agreement/Addendum
Last updated: 7 August, 2023
This Date Processing Agreement (“DPA”) is incorporated by reference to our Terms and Conditions (available at https://www.nimbleway.com/data-processing-agreement) and/or otherwise forms part of the agreement between The Data Company Technologies Inc. (or, if applicable, the other Nimble entity specified in the Order) ("Company", "we", "us", or "our") and the customer entity specified in the order form ("Client" "you", or "your"), (the “Agreement”). This DPA is designed to reflect the parties’ agreements with regard to the Processing of Personal Data pursuant to the Agreement, where applicable. Unless explicitly mentioned otherwise, capitalized terms in this DPA shall have their respective definition as indicated in the Agreement. Both parties shall be referred to as the “Parties” and each, a “Party”.
This DPA and the obligations hereunder apply only to the extent that: (a) Personal Data is involved in the Services; or (b) the EU GDPR, UK GDPR, and/or CCPA otherwise apply to either one of the Parties.
This DPA does not apply to (a) aggregated reporting or statistics information; (b) Processing activities in which Company acts as a Controller. The latter is governed by Company’s Privacy Policy.
1. INTERPRETATION AND DEFINITIONS
1.1. The headings in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA.
1.2. Terms used in their singular form include the plural and vice versa, as the context may require.
1.3. Definitions:
1.3.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.3.2. “Authorized Affiliate” means any of Client's Affiliate(s) which is explicitly permitted to use the Services pursuant to the Agreement between the Parties, but has not signed its own agreement with Company, and is not a “Client” as defined under the Agreement.
1.3.3. “CCPA” and/or “CPRA” means, respectively, the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq. and the California Privacy Rights Act, expanding and amending the CCPA.
1.3.4. The terms "Controller", "Member State", "Processor", “Sub-processor” "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer”, “Household” and “Service Provider” shall have the same meaning as in the CCPA. Upon CCPA applicability, when used in this DPA, the term “Controller” shall also mean “Business”, and the term “Processor” shall also mean “Service Provider”.
1.3.5. “Data Protection Laws and Regulations” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.
1.3.6. “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
1.3.7. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.3.8. “Personal Data” or “Personal Information” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.3.9. “Services” means the technology, platform, solutions and related services provided by Company, in accordance with the terms of the Agreement;
1.3.10. “Special Categories of Personal Data” or “Sensitive Data” means a category of Personal Data having a sensitive or intimate nature, that is protected under special legislation and requires strict treatment. This may include, without limitation (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) financial or credit information, credit or debit card number; (c) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life or sexual orientation, or data relating to criminal convictions and offenses; (d) Personal Data relating to children; and/or (e) account passwords.
1.3.11. “Standard Contractual Clauses” or “SCC” means either the standard contractual clauses approved by the European Commission for the transfer of Personal Data to Processors or those for the transfer of Personal Data to Controllers (as the context requires), in each case established in third countries which do not ensure an adequate level of data protection current to the date of the transfer, or, where the UK GDPR applies, any equivalent set of clauses approved by the applicable authority.
1.3.12. "UK GDPR" means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019 (SI 2019/419).
1.3.13. "UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018 (available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf)
2. PROCESSING OF PERSONAL DATA
2.1. Roles of the Parties. With respect to any Personal Data collected or Processed via the Services, it is agreed that (a) Client acts as a Data Controller, and (b) Company acts as a Data Processor; and (c) Company or its Affiliates may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below. For the purposes of the CCPA and CPRA, and to the extent applicable, Client is the Business and Company is the Service Provider.
2.2. Details of Processing. Schedule 1 (Details of Processing) includes a description of the Processing activities performed by Company as a Processor, on behalf of the Client. The Parties may, from time to time, jointly agree to make such changes to Schedule 1 as reasonably necessary to meet the requirements of GDPR Article 28(3) or any other applicable Data Protection Law and Regulation regarding information to be Processed in an agreement between a Controller and a Processor (or similar definitions).
2.3. Subject to the Agreement, Company will Process Personal Data in accordance with Client’s instructions and as necessary for the performance of the Services, the performance of the Agreement, including this DPA, unless required otherwise by Union or Member State law or any other applicable law to which Company and its Affiliates are subject. In which case, and if known to Company, Company will inform Client of the legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1.
2.4. To the extent that Company or its Affiliates cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from Client and/or its authorized users relating to Processing of Personal Data, or where Company considers such a request to be unlawful, Company (i) will inform Client, providing relevant details of the problem, (ii) may, without any kind of liability towards Client, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Client shall pay to Company all the amounts owed to Company or due before the date of termination. Client will have no further claims against Company (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).
2.5. Company will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Company, to the extent that such is a result of Client’s instructions.
2.6. Client’s Processing of Personal Data.
2.6.1. Client shall, in its use of the Services, Process Personal Data only in compliance with the requirements of Data Protection Laws and Regulations and comply at all times with the obligations applicable to Data Controllers (including, without limitation, Article 24 of the GDPR), and/or the equivalent requirements in any other Data Protection Laws and Regulations. For the avoidance of doubt, Client’s instructions for the Processing of Personal Data, whether reflected by this DPA or by accessing and/or using the Services, and/or by setting and configuring the Services, shall comply with Data Protection Laws and Regulations.
2.6.2. Client shall have sole responsibility for the means by which Client acquired and Process Personal Data. Without limitation, Client shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall have any and all legal bases in order to collect, Process and transfer to or via Company any Personal Data.
2.6.3. Client shall defend, hold harmless and indemnify Company, its Affiliates and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by Client and/or its authorized users of any Data Protection Laws and Regulations and/or this DPA and/or this Section.
2.7. Sensitive Data. The Parties agree that the Services are not intended for the Processing of Sensitive Data, and that if Client wishes to use the Services to Process Sensitive Data, it must first obtain (a) an explicit prior written approval of Company and (b) demonstrate legal basis as required by applicable law; and (c) enter into any additional agreements and/or policies as may be required by Company.
3. RIGHTS OF DATA SUBJECTS
3.1. If Company receives a request from a Data Subject to exercise its right to be informed, right of access, right to rectification, erasure, restriction of Processing, data portability, right to object, or its right not to be subject to a decision solely based on automated processing, including profiling (“Data Subject Request”), Company shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Client.
3.2. Taking into account the nature of the Processing, Company shall use commercially reasonable efforts to assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. To the extent legally permitted, Client shall be responsible for any costs arising from Company’s assistance.
4. PERSONNEL
4.1. Confidentiality. Company will grant access to Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know and need-to-access basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality.
4.2. Company may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws and Regulations (in such a case, Company will inform the Client of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.
5. SUB-PROCESSORS
5.1. Authorized Sub-processors. Customer provides general authorization to Company’s use of sub-processors to provide processing activities on Clients’ Data on behalf of Client (“Sub-processors”) in accordance with this Section. Company’s current list of Sub-processors is included in Schedule 2 (“Sub-processor List”), is made available online, and is hereby approved by Data Controller.
5.2. Notice. Prior to the engagement of any new Sub-Processor, Company will update the applicable Sub-processor List and provide Client with a mechanism to obtain notice of that update (such as an email notification or, notice in the applicable Service’s dashboard or websites). To object to a Sub-processor, Customer can: (i) follow the objection mechanism described in Section 5.3, or (ii) terminate the Agreement pursuant to Section 5.3, or (iii) cease using the portion of the Services for which Company has engaged the Sub-processor; or (iv) request Company for specific customizations where the engaged the Sub-processor is no longer invovled (if possible and does not involve additional costs).
5.3. Objection. Within three (3) business days from Company’s notice of a new Sub-processor, Client may reasonably object for reasons related to the GDPR to Company’s engagement with the new Sub-processor by providing a written and explained objection to dpo@nimbleway.com or, via any mechanism made available via the Services. In the event that Client reasonably objects to Sub-processor, and the Parties do not find a solution in good faith to the issue in question, then Client may, terminate the applicable Agreement with respect only to those Services which cannot be provided by Company without the use of the objected-to Sub-processor. Client will have no further claims against Company due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph.
5.4. Agreements with Sub-processors. Company or Sub-processor operating on behalf of Company, has entered into a written agreement with its Sub-processors containing appropriate safeguards to the protection of Personal Data. Where Company engages a Sub-processor for carrying out specific Processing activities on behalf of the Client, the same or materially similar data protection obligations as set out in this DPA will be imposed on such new Sub-processor by way of a contract, and in particular, obligations to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the applicable Data Protection Law and Regulation.
6. SECURITY
6.1. Controls for the Protection of Personal Data. Taking into account the nature of Processing, Company shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR (or, as otherwise applicable and required by Data Protection Laws and Regulations for the protection and security of Personal Data, including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data.
6.2. Upon Client’s request, Company will use commercially reasonable efforts to assist Client, at Client’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Company.
7. PERSONAL DATA INCIDENT: MANAGEMENT AND NOTIFICATION
7.1. To the extent required under applicable Data Protection Laws and Regulations, Company shall notify Client without undue delay after becoming aware of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data transmitted, stored or otherwise Processed by Company or its Sub-processors of which Company becomes aware (“Personal Data Incident”).
7.2. Company will make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Company deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Company’s reasonable control. The obligations herein shall not apply to incidents that are caused by Client or Client’s users. In any event, Client will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).
8. AUTHORIZED AFFILIATES
8.1. Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement, this DPA and Applicable Laws and Regulations, and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Client.
8.2. Communication. The Client shall remain responsible for coordinating all communication with Company under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
9. CROSS-BORDER TRANSFERS OF DATA
9.1. Transfers to countries that offer an adequate level of data protection. Personal Data may be transferred from an EU Member State, the three EEA member countries (Norway, Liechtenstein and Iceland), (collectively, “EEA”), Switzerland and the United Kingdom (UK) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission (“Third Countries” and “Adequacy Decisions”, respectively), without any further safeguard being necessary.
9.2. Transfers to other countries. If the Processing of Personal Data includes transfers from the EEA or the UK to countries outside the EEA or the UK, respectively, which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with Chapter V of the GDPR, including, if necessary, executing the update framework (including, without limitation, Standard Contractual Clauses (SCC) adopted by the relevant data protection authorities of the EEA, the Union, the Member States, the UK, the European Commission or any other relevant authority) or comply with any of the other mechanisms provided for in the applicable Data Protection Laws and Regulations for cross border transfers of Personal Data to such Other Countries.
9.3. Without limiting the generality of Sections 9.1 and 9.2, for the purpose of Chapter V of the GDPR, or similar provisions under any Applicable Laws and Regulation, Company may transfer Personal Data, including, without limitation, to Processors (in its role as a Controller), to Sub-Processors and/or to Company’a group member companies in Third Countries where such transfers are conducted in a lawful manner under the GDPR (or the UK GDPR), or to Other Countries where such Personal Data transfers are (i) governed by the applicable Standard Contractual Clauses, or (ii) otherwise based on an international agreement under Article 48 of the GDPR; or (iii) subject to a derogation under Article 49 of the GDPR.
9.4. Schedule 3 sets forth the applicable Standard Contractual Clauses applicable to the Parties' engagement under this DPA.
10. TERMINATION
10.1. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Sections 2.2, this Section 10 and 11 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately from the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
10.2. This DPA will remain in effect for as long as personal data is processed as per the Agreement.
11. HIERARCHY
11.1. In case of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
11.2. Notwithstanding anything to the contrary in the Agreement and/or in any agreement between the Parties and to the maximum extent permitted by law: (a) Company’s (including Company’s Affiliates’) entire, total and aggregate liability, related to Personal Data or information, privacy, or for breach of, this DPA and/or Data Protection Laws and Regulations, including, without limitation, if any, any indemnification obligation under the Agreement or applicable law regarding data protection or privacy, shall be limited to the amounts paid to Company under the Agreement within twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (b) In no event will Company and/or Company Affiliates and/or their third-party providers, be liable under, or otherwise in connection with this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (c) The foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if Company, Company Affiliates or third-party providers, have been advised, or should have been aware, of the possibility of losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
12. OTHER PROVISIONS
12.1. Amendments. This DPA may be amended at any time by a written instrument duly signed by each of the Parties.
Legal Effect.
Company may assign this DPA or its rights or obligations hereunder to any Affiliate thereof, or to a successor or any Affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. Any Company obligation hereunder may be performed (in whole or in part), and any Company right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Company.
13. List of Schedules
SCHEDULE 1 - DETAILS OF THE PROCESSING
SCHEDULE 2 - SUB-PROCESSOR LIST
SCHEDULE 3 - TRANSFERS
SCHEDULE 1 - DETAILS OF THE PROCESSING
Subject matter
Company will Process Personal Data only as requested or instructed by Client, and as necessary to perform the Services.
Company may process Personal Data for administration, compliance, statistics and monitoring purposes.
Note to Client/Controller: Provided that Client discloses to Company the Personal Information of another person, you are responsible for obtaining that person's consent to process their personal information in accordance with this notice. All in all, this is the Client’s choice and decision on what data they wish to capture and transfer via the Services.
Nature and Purpose of Processing
1. Providing the Service(s) to Client, including the operation, monitoring, development, facilitation and protection of the Services.
2. Improving the Services, developing and enhancing technological modulus, features and the safety and/or monitoring of such.
3. Setting up an account for users authorized by Clients and account operation, management and protection.
4. For Company to comply with documented reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement.
5. Performing the Agreement, this DPA and/or other contracts executed by the Parties.
6. Providing support and technical maintenance, if agreed in the Agreement.
7. Resolving disputes.
8. Enforcing the Agreement, this DPA and/or defending Company’s rights or Data Subject’s rights, as the case may be.
9. Management of the Agreement, the DPA and/or other contracts executed by the Parties, including fees payment, account administration, accounting, tax, management, litigation; and
10. Complying with applicable laws and regulations, including cooperating with local and foreign tax authorities, and preventing fraud, money laundering and terrorist financing.
11. Tasks related to any of the above.
12. As further requested or instructed by Client, and agreed upon by Company.
Categories of Data Subjects
Client may choose to submit Personal Data to the Services, or otherwise use the Services in conjunction with Personal Data. The extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
Category 1: Client’s personnel and/or authorized representatives or users of the Services
Category 2: Web users who made their personal data manifestly public.
Categories of Personal Data
Client may submit Personal Data to the Services, or, use the Services in conjunction with Personal Data. Client will submit the segments and categories of data directly to the API Application, or, provide Company with reports (all in accordance with the agreed upon scope of Services).
The following categories of Personal Data involved in the usage of the Services, including, if Special Categories of Data are involved:
Data Subjects of Category 1: Full name, business email address, role, company, login credentials, Services’ activity log and other Services’ related metadata.
Data Subjects of Category 2: Publicly available data which may be collected as part of the Service and which may include names of individuals, email addresses and any other personal data that an individual chooses to display publicly.
Duration of Processing
Category 1: The lastest of: (i) for as long as the Client account is active; or (ii) the Agreement is active between the Parties; (iii) applicable legislation requires a longer retention period of certain personal data.
Category 2: Subject to any Section of the DPA and/or the Agreement handling the duration of the Processing and the consequences of the expiration or termination thereof, Company will Process Personal Data as per Clients’ instructions, or, in the absence of such, for the duration of 24 to 48 hours.
SCHEDULE 2 – SUB-PROCESSOR (AND AUTHORIZED AFFILIATES) LIST
SCHEDULE 3 – CROSS BORDER DATA TRANSFERS
According to the GDPR, Standard Contractual Clauses ensure appropriate data protection safeguards can be used as a ground for data transfers from the EU or the EEA to Third Countries. This includes model contract clauses, so-called Standard Contractual Clauses (SCC) that have been pre-approved by the European Commission.
On 4 June 2021, the European Commission (EC) issued modernized SCC under the GDPR for data transfers from Controllers or Processors in the EU/EEA (or otherwise subject to the GDPR) to Controllers or Processors established outside the EU/EEA (and not subject to the GDPR), those available here.
Applicability of SCC to this DPA and Agreement
In the absence of an Adequacy Decision, as per Section 9 of the DPA, the following modules of the Standard Contractual Clauses shall apply:
1. Transfers from the EU and the EEA (based on the EC decision, available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN)
a. In respect of any Restricted Transfer, the Client (as "data exporter") and the Company and each Company Affiliate (as "data importer") with effect from the commencement of the relevant transfer hereby enter into the Standard Contractual Clauses in respect of any transfer from the Client or via Client’s usage of the Services, to the Company and each Company Affiliate (or any onward transfer). "Restricted Transfer" means a transfer of Personal Data between the Parties which in the absence of an Adequacy Decision or the SCCs, would be unlawful under Data Protection Laws;
b. Module 2 of the Standard Contractual Clauses shall apply between the Client and the Company (or each Company Affiliate), i.e. Controller to Processor, and Module 3 of the Standard Contractual Clauses shall apply between Company and each Sub-processor, i.e. Processor to Processor, and the following:
Clause 7- Docking clause of the Standard Contractual Clauses shall apply;
Clause 9- Use of sub-processors of the Standard Contractual Clauses Option 2 shall apply and the "time period" shall be 7 days in Module 2; Option 1 shall apply and the “time period” shall be 15 days in Module 3.
Clause 11(a)- Redress of the Standard Contractual Clauses, the optional language shall not apply;
Clause 13(a)- Supervision of Standard Contractual Clauses, the following shall be inserted: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, the Irish Supervisory Authority shall act as a competent supervisory authority.
Clause 17- Governing law of the Standard Contractual Clauses Option 2 shall apply and the "Member State" shall be Irland;
Clause 18- Choice of forum and jurisdiction of the Standard Contractual Clauses the Member State shall be Irland;
Annex I of the Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Schedule 3.1 to this DPA and the processing operations are deemed to be those described in the Agreement and Schedule 1 of this DPA;
Annex II of the Standard Contractual Clauses shall be deemed to be pre-populated with the relevant sections of Schedule 3.2 to this DPA.
2. Transfers from the UK (available at: https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf.)
a. Where a Restricted Transfer is subject to the UK GDPR, the Standard Contractual Clauses shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA, and the parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in Schedule 3.1 to this DPA and the Agreement.
3. Conflict In the case of conflict between the terms of the Standard Contractual Clauses and the Agreement, the terms of the Standard Contractual Clauses shall take precedence.
Schedule 3.1 [SCC ANNEX 1]
A. LIST OF PARTIES
Data Exporter: Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union.
Name: Client’s name as stipulated in the applicable Order.
Address: Client’s address as stipulated in the applicable Order.
Contact person's name, position and contact details: as stipulated in the applicable Order.
Role (controller/processor):
Data Importer: Identity and contact details of the data importer(s), including any contact person with responsibility for data protection
Name: The Data Company Technologies Inc.
Address: 007 N. Orange St., 10th Fl., Wilmington, Delaware 19801
Contact person's name, position and contact details: as stipulated in the applicable Order.
Role (controller/processor):
B. DESCRIPTION OF TRANSFER
1. Categories of data subjects whose personal data is transferred
1.1. The data subject (at Client or Client’s Affiliate)
1.2. The general public (Data made manifestly publicly available)
2. Categories of personal data transferred
2.1. Client Data which may include certain identification data of Client’s personnel such as names and business email addresses.
2.2. Publicly available data which may be collected as part of the Services and which may include names of individuals, email addresses and any other personal data that an individual chooses to display publicly.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data shall be transferred.
4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal Data is transferred on a continuous basis, under the terms of the Agreement
5. Nature of the processing
The personal data transferred will be subject to the following processing activities: (i) retrieval, consultation or use of the personal data and (ii) alignment, combination, blocking, erasure or destruction of the personal data; (iii) as otherwise provided in the Agreement, this DPA or required by applicable law.
6. Purpose(s) of the data transfer and further processing
The data importer shall process the Personal Data for the purposes set out in the Agreement, and as set out in Schedule 1.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
Personal data of category number 2 is not retained by Company in its servers and processed online for the purpose of providing and facilitating the Services. Personal data of category number 1, is retained for the Subscription Term of the Agreement, or longer if required by applicable law.
8. For transfers to (sub-) processors, also specify the subject matter, nature and duration of the processing
8.1. Subject matter: the subject matter of the processing of the Personal Data is as set out in the Agreement.
8.2. The personal data transferred will be subject to the following processing activities: (i) retrieval, consultation or use of the personal data and (ii) alignment, combination, blocking, erasure or destruction of the personal data; (iii) as otherwise provided in the Agreement, this DPA or required by applicable law.
8.3. Duration of processing: Personal data of category number 2 is not retained by Company in its servers and processed online for the purpose of providing and facilitating the Services. Personal data of category number 1, is retained for the Subscription Term of the Agreement, or longer if required by applicable law.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 of the SCCs
The Irish Data Protection Authority
Schedule 3.2 [SCC ANNEX 2]
Company and Company Affiliate implement appropriate technical and organizational measures, policies and controls to maintain the effective security of all Company physical, computer or network systems accessing, storing, transmitting, processing or otherwise supporting the Processing of Personal Data in accordance with this DPA and to ensure that such Personal Data is protected from accidental, unauthorized or unlawful processing, access, disclosure, loss, alteration, damage or destruction.
Company and Company Affiliate make best efforts to ensure compliance with the requirements described at: https://mvsp.dev/mvsp.en/index.html.