EU Data Protection Addendum
Last Modified 12/13/22
THIS DATA PROCESSING AGREEMENT (“DPA”) is made as of ______________________ (the “Effective Date”).
BETWEEN:
Little Taller, LLC., a company whose principal office is at ________________ USA (“Processor“); and _______________________________ (“Controller“).
BACKGROUND:
- (A) Controller intends to transfer certain Personal Data to Processor, so that it may be Processed in accordance with an agreement for the provision of Processor’s services entered by and between the parties (the “Agreement“).
- (B) The parties agree that this DPA will govern the parties’ rights and obligations with respect to the Processing of such Personal Data.
- (C) Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement.
The parties hereby agree as follows:
1. Data Protection
1.1. Definitions: In this Clause, the following terms shall have the following meanings:
(a) “controller“, “processor“, “data subject“, “personal data” and “processing” (and “process”) shall have the meanings given in EU/UK Data Protection Law;
(b) “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations, to the extent applicable to the parties and the nature of the personal data processed under the Agreement, including, where applicable, (i) EU/UK Data Protection Law; and (ii) the California Consumer Privacy Act (the “CCPA“).
(c) “EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR“); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR“); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
(d) “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and
(e) “Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs“).
1.2. Relationship of the parties: Controller instructs Processor to process the personal data that is the subject of the Agreement (the “Data“) on its behalf. In respect of such processing, Controller shall be the controller and Processor shall be a processor. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
1.3. Prohibited data: Controller shall not disclose (and shall not permit any data subject to disclose) any special categories of Data to Processor for processing except where and to the extent expressly disclosed in Annex I.
1.4. Purpose limitation: Processor shall process the Data for the purposes described in Annex I and strictly in accordance with the documented instructions of Controller (the “Permitted Purpose”), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. In no event shall Processor process the Data for its own purposes or those of any third party. Processor shall immediately inform Controller if it becomes aware that such processing instructions infringe Applicable Data Protection Law (but without obligation to actively monitor Controller’s compliance with Applicable Data Protection Law).
1.5. Restricted transfers: The parties agree that when the transfer of Data from Controller to Processor is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
(a) in relation to Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(i) Module Two will apply;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 1.9 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA;
(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA; and
(ix) Annex III of the EU SCCs shall be deemed completed with the information set out in Annex III to this DPA;
(b) in relation to Data that is protected by the UK GDPR, the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum“) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, will be completed as follows:
(A) The EU SCCs, completed as set out above in clause 1.5(a) of this DPA shall also apply to transfers of such Data, subject to sub-clause (B) below;
(B) The UK Addendum shall be deemed executed between the transferring Controller and the Processor, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Controller Data.
(c) in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
1.6. Onward transfers: Processor shall not participate in (nor permit any subprocessor to participate in) any other Restricted Transfers of Data (whether as an exporter or an importer of the Data) unless:
(i) it has first obtained Controller’s prior written consent; and
(ii) the Restricted Transfer is made in full compliance with Applicable Data Protection Law.
Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, or pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the Data.
1.7. Confidentiality of processing: Processor shall ensure that any person that it authorises to process the Data (including Processor’s staff, agents and subprocessors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Processor shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.
1.8. Security: The processor shall implement appropriate technical and organisational measures to protect the Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. At a minimum, such measures shall include the measures identified in Annex II.
1.9. Subprocessing: Processor shall not subcontract any processing of the Data to a third party subprocessor without the prior written consent of Controller. Notwithstanding this, Controller consents to Processor engaging third party subprocessors to process the Data provided that:
(i) Processor provides at least 30 days’ prior notice of the addition of any subprocessor (including details of the processing it performs or will perform);
(ii) Processor imposes data protection terms on any subprocessor it appoints that protect the Data, in substance, to the same standard provided for by this DPA; and
(iii) Processor remains fully liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor.
A list of approved subprocessors as at the date of this DPA is attached at Annex III, and Processor shall maintain and provide updated copies of this list to Controller upon request. If Controller refuses to consent to Processor’s appointment of a third party subprocessor on reasonable grounds relating to the protection of the Data, then either Processor will not appoint the subprocessor or Controller may elect to suspend or terminate the Agreement without penalty. All subprocessors shall be service providers for purposes of the CCPA.
1.10. Cooperation and data subjects’ rights: Processor shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to Controller to enable Controller to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Processor, Processor shall promptly inform Controller providing full details of the same.
1.11. Data Protection Impact Assessment: If Processor believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Controller and Processor shall provide Controller with all such reasonable and timely assistance as Controller may require in order to enable it to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist Controller to consult with its relevant data protection authority.
1.12. Security incidents: Upon becoming aware of a Security Incident, Processor shall inform Controller without undue delay (and within 48 hours in any event) and shall provide all such timely information and cooperation as Controller may require in order for Controller to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Processor shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Controller informed of all developments in connection with the Security Incident.
1.13. Deletion or return of Data: Upon termination or expiry of the Agreement, Processor shall (at Controller’s election) destroy or return to Controller all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Processor is required by any applicable law to retain some or all of the Data, in which event Processor shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.
1.14. Audit: Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA. In fulfilment of this requirement:
(a) Controller acknowledges that Processor is regularly audited against SSAE 18 SOC 2 standards by independent third-party auditors. Upon request, Processor shall supply a summary copy of its audit report(s) to Controller, which reports shall be subject to the confidentiality provisions of the Agreement.
(b) Processor shall also respond to any written audit questions submitted to it by Controller, provided that Controller shall not exercise this right more than once per year.
By signing below, each party acknowledges that it has read and understood the terms of this DPA and agrees to be bound by them, effective as of the date that both parties sign below.
Annex I
Data Processing Description
This Annex I forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.
A. LIST OF PARTIES
Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]
B. DESCRIPTION OF TRANSFER
1. COMPETENT SUPERVISORY AUTHORITY
Annex II
Technical and Organisational Security Measures
Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller (and, for transfers from a processor to a sub-processor, to the data exporter).
Annex III
Approved Sub-processors
To support the delivery of Services, Little Taller may engage third-party service providers, referred to as Sub-processors. A list of our sub-processors and the purpose and location of each sub-processor is available at https://www.littletaller.com/sub-processors/