Data Processing Addendum
Data Processing Addendum
Effective date October, 2022
This Data Processing Agreement (“DPA”) is incorporated into the services agreement between the Sourcepass entity with whom the Client (“Client”) has entered into a services agreement (“Agreement”) for the Sourcepass Services.
Herein, “Services” shall mean, with respect to the Agreement that this DPA is incorporated into, the Sourcepass Services provided pursuant to that Agreement, and “Sourcepass” shall mean the Sourcepass entity that is the service provider to Client under such Agreement.
1 Definitions. All capitalized terms used but not otherwise defined in this DPA shall have the meaning ascribed to such terms in the Agreement. The following definitions and rules of interpretation below apply to this DPA:
“Adequate” in relation to the level of protection given to Personal Data in countries outside the European Economic Area (“EEA”) or United Kingdom, means a decision made by the European Commission under Article 25(6) of Directive 95/46/EC (as amended or replaced from time to time) or Information Commissioner’s Office, finding that the relevant third country provides an adequate level of protection by reason of its domestic law or of the international commitments it has entered into.
“Applicable Data Protection Law(s)” refers to all laws and regulations applicable in relation to the processing of Personal Data under the Agreement.
“controller”, “processor”, “data subject” and “processing” (and “process”) have the meanings given in accordance with Applicable Data Protection Law.
“Client Account Data” means (a) Personal Data that relates to Client’s relationship with Sourcepass, including the names, phone numbers and/or contact information of individuals authorized by Client to access Client’s Sourcepass account and/or use the Services and billing information; and (b) Personal Data processed by Sourcepass for the purposes of storing, transmitting or exchanging Client Content, sending goods, and to provide the Services, that may include shipping address, data used to trace and identify the source and destination of a communication, such as individual data subjects’ telephone numbers, data on the location of the device generated in the context of providing the Services, and the date, time, duration and type of communication, and/or data provided by the channels used by the Client to communicate with their Clients.
“Client Content” means Personal Data exchanged by use of the Services, such as text, call recording, message bodies, conversation transcriptions, voicemail recordings, voicemail transcription, video recording, video files, images and sound.
“End User” means individuals or businesses who contact or are contacted by the Client using the Services.
“Personal Data” or “personal data” means any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Security Incident” means a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to, Personal Data transmitted, stored or otherwise processed.
“Sensitive Personal Data” means Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or any other data that falls within the definition of “special categories of data” under Applicable Data Protection Law.
“Standard Contractual Clauses” or “SCC” means
(a) for the transfer of data from the EEA outside the EEA to a non-adequate country, the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in the decision (EU) 2021/914 of 4 June 2021 (“EEA SCCs”)
(b) for the transfer of data from the United Kingdom to a non-adequate country, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022 (“UK International Data Transfer Addendum”).
“Sub-processor” means any processor engaged by Sourcepass for the purposes of the provision of the Services under the Agreement.
“Sourcepass Group” means the corporate entities that from time-to-time control, are controlled by or are under common control with Sourcepass Holdings, LLC.
2 Relationship of the Parties
2.1 Client Content. The parties acknowledge and agree that with regard to the processing of Client Content, Client may act either as a controller or processor and Sourcepass acts as a processor (where Client is a controller) or sub-processor (where Client is a processor); and an independent data controller (and the Client is a controller) for the purpose of improving and enhancing the Services.
2.2 Client Account Data. The parties acknowledge that, with regard to the processing of Client Account Data, Client is a controller and Sourcepass is an independent controller, not a joint controller with Client.
3 Processing of Personal Data
3.2 Client Instructions. Client will ensure that its instructions comply with Applicable Data Protection Laws and that Sourcepass’s processing of the Client Content in accordance with Client’s instructions will not cause Sourcepass to violate Applicable Data Protection Laws. Sourcepass will notify Client to the extent permitted by law if it becomes aware or reasonably believes that Client’s data processing instructions would violate Applicable Data Protection Law.
3.3 Client Compliance. Client shall ensure that (a) it has and will continue to comply with Applicable Data Protection Law in its use of the Services; (b) its Clients and end users are provided adequate notice of Sourcepass’s processing activities for which Sourcepass acts as a controller, to fulfil the requirements of Applicable Data Protection Laws (c) it has, and will continue to have, the right to transfer, or provide access to, its Clients’ and end users’ Personal Data (including, as applicable, Sensitive Personal Data) to Sourcepass for processing in accordance with the terms of the Agreement and this DPA; and (d) appropriate technical and organisational measures and suitable safeguards are in place before transmitting or processing Sensitive Personal Data, and/or before permitting Client’s end users to transmit or process any Sensitive Personal Data via the Services.
3.4 Processing Information. Schedule 1 of this DPA details the duration of processing, the nature and purpose of processing, the type of Personal Data and the categories of data subjects processed by Sourcepass.
4.1 Sub-processors list and engagement. Client acknowledges that Sourcepass engages Sub-processors in connection with the provision of the Services and Client provides general consent for Sourcepass to appoint sub-processors, subject to this clause 4. The engagement by Sourcepass of any such Sub-processor shall be on written terms which impose upon the Sub-processor data protection obligations to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, including providing sufficient guarantees to implement appropriate technical and organizational measures. Sourcepass’s up-to-date sub-processors list is set forth here [VV1] (the “Sub-processors List”).
4.2 General Consent for Sourcepass Group Sub-processors. Client grants a general authorization to Sourcepass to appoint other entities of Sourcepass Group as Sub-processors, conditional on the requirements detailed in Section 4.1
4.3 Notification Mechanism. When a Sub-processor is replaced or a new one appointed, the Sub-processors List may be modified pursuant to a notification mechanism [VV2] (“Notification Mechanism”). Client may subscribe to the Notification Mechanism and if Client subscribes, Sourcepass will provide notification of any proposed use of a new or replacement Sub-processor, and, where commercially feasible, the notice shall be provided at least thirty days’ prior to such change. Sourcepass’s notification will be sent to the email address Client provided when subscribing to the Notification Mechanism.
4.4 Objection to new Sub-processors. If Client objects to Sourcepass’s appointment or replacement of a Sub-processor based on reasonable grounds relating to data protection, it shall notify Sourcepass in writing of such objection prior to the appointment or replacement of the Sub-processor. In such event, Sourcepass will use reasonable efforts to provide the Services to Client in accordance with the Agreement without using the Sub-processor. If Sourcepass reasonably requires use of the Sub-processor and is unable to satisfy Client as to the suitability of the Sub-processor within thirty (30) days of Client’s objection, the Client may elect to terminate only the part of the Services or Order(s) which cannot be provided by Sourcepass without the use of the objected-to Sub-processor.
4.5 Sub-Processor liability. Sourcepass shall be liable for its Sub-processors’ processing of Client Content to the same extent that Sourcepass would be liable if performing the processing activities of each Sub-processor directly under the terms of this DPA.
5 Data Transfers
5.1 Sourcepass data transfer. To the extent that any Personal Data is transferred from the European Economic Area, the United Kingdom, and/or Switzerland (either directly or via onward transfer) to any country that, according to the European Commission or the competent authority for the UK and Switzerland, does not provide an adequate level of protection for personal data, the parties agree that the Standard Contractual Clauses, incorporated by reference to this DPA, will apply in respect of the processing of such Personal Data. The Standard Contractual Clauses and this Clause 5 will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the EEA, the United Kingdom and/or Switzerland. In relation to the Standard Contractual Clauses, Sourcepass will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and the Client will comply with the obligations of the ‘data exporter’. Appendices of the EEA SCCs shall be deemed completed as set forth in Schedule 2 of this DPA in relation to transfer of personal data outside the EEA. The UK International Data Transfer Addendum applicable to transfer of personal data outside the United Kingdom shall be deemed completed as set forth in Schedule 3.
5.2 In the event of any conflict or inconsistency between the EU Standard Contractual Clauses (Schedule 2) or UK International Data Transfer Addendum (Schedule 3), and the terms of this DPA, the EU Standard Contractual Clauses or UK International Data Transfer Addendum, as applicable, shall prevail.
5.3 Request for Personal Data.
5.3.1 If Sourcepass receives a civil or criminal subpoena, search warrant, or other official and written request that is legally binding (“Request”) by a public authority that is not from an EEA country, the UK, or a country considered Adequate (“Requesting Party”) for disclosure of Client’s personal data, Sourcepass will, insofar as legally permissible, redirect the Requesting Party to request that Personal Data directly from Client instead. If this is not possible, Sourcepass will promptly notify Client about the Request to allow Client to seek a protective order or other appropriate remedy if not precluded from doing so by the Request.
5.3.2 Sourcepass will review the Request to determine whether the Request is valid and if Sourcepass has a legal requirement to disclose Personal Data. Sourcepass will reject or contest any request that is not valid, legally binding and lawful. Sourcepass will also challenge any overbroad or inappropriate Requests or Requests that are otherwise subject to appropriate grounds for challenge.
5.3.3 In the event that the information must be provided, Sourcepass will (a) ensure that the disclosed Personal Data is the minimum required to satisfy the Request; and (b) take all commercially reasonable steps to ensure that such Client information is afforded confidential treatment by the authorities.
5.4 Sub-processors data transfer. If in the performance of the Services, Sourcepass permits processing of any Personal Data by a Sub-processor outside the EEA, except if in an Adequate country, without prejudice to Section 4, Sourcepass shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place, such as:
5.4.1 Standard Contractual Clauses; or
5.4.2 the existence of any other specifically approved safeguard for data transfers as recognised under Applicable Data Protection Law and/or a European Commission or Information Commissioner’s Office finding of adequacy.
6 Security of Personal Data
6.1 Security measures. Sourcepass has implemented and will maintain appropriate administrative, technical and organizational measures [VV3] to protect Personal Data from a Security Incident, having regard to the state of technological development and the cost of implementing such measures, as well as the nature, scope, context and purposes of processing and the likelihood and severity of harm to the interests of data subjects that may be expected to result from any such Security Incident.
6.2 Employee Access. Sourcepass shall ensure that only such of its employees who may be required by it to provide the Services to Client or assist Sourcepass in meeting its obligations under this DPA shall have access to Personal Data. Sourcepass will ensure that the employees accessing Client Content are under confidentiality obligations to protect such personal information.
7 Security Incidents
7.1 Security Incident Involving personal data. Upon confirming a Security Incident involving personal data for which Sourcepass acts a data processor, Sourcepass will:
7.1.1 to the extent permitted by applicable law, notify Client without undue delay, such notice to be delivered in accordance with Section 13 of this DPA;
7.1.2 to the extent such Security Incident is caused by Sourcepass’s violation of its obligations under this DPA, take such reasonable remedial steps to address such Security Incident and prevent any further incidents; and
7.1.3 promptly provide the Client with all relevant information in its possession as reasonably required by Applicable Data Protection Law to comply with any reporting obligations of a relevant regulatory authority concerning such Security Incident.
7.2 Notification to the supervisory authority: If Client determines that a Security Incident must be notified to any supervisory authority and/or data subjects and/or the public or portions of the public pursuant to the Applicable Data Protection Law, Client will to the extent commercially feasible notify Sourcepass before the communication is made (and where not commercially feasible, as soon as is commercially feasible after such communication) and supply Sourcepass with copies of any written documentation to be filed with the supervisory authority and of any notification Client proposes to make (whether to any supervisory authority, data subjects, the public or portions of the public) which directly or indirectly references Sourcepass, its security measures and/or role in the Security Incident, whether or not by name. Subject to Client’s compliance with any mandatory notification deadlines under Applicable Data Protection Law, Client will consult with Sourcepass in good faith and take account of any clarifications or corrections Sourcepass reasonably requests to such notifications and which are consistent with Applicable Data Protection Law.
8.1 Demonstrated Compliance. Upon Client’s written request, no more than once annually and subject to adequate confidentiality provisions, Sourcepass shall, in accordance with Applicable Data Protection Laws, make available to Client such reasonable information in Sourcepass’s possession or control to demonstrate Sourcepass’s compliance with its obligations as a data processor of Client Content to satisfy Client’s audit rights granted by Applicable Data Protection Law (including, where applicable, the Standard Contractual Clauses).
9 Personal Data on Expiry or Termination
9.1 Deletion of Personal Data. In respect of the Client Content that Sourcepass processes as data processor pursuant to the Agreement, Sourcepass shall cease to process such personal data and will promptly arrange for its deletion on expiry or termination of the Agreement, unless otherwise agreed by the parties in writing, in which case Sourcepass shall hold Client Content in accordance with the data retention term agreed by the parties. Notwithstanding anything to the contrary in this Section 9, Sourcepass may retain Client Content or any portion of it if required by applicable law, in which case, Sourcepass shall comply with Applicable Data Protection Law regarding the deletion and retention of Personal Data.
10 Data Protection Impact Assessment
10.1 Sourcepass shall provide reasonable assistance to Client (taking into account the nature of processing and the information available to Sourcepass and at Client’s expense) with respect to data protection impact assessments or consultations with supervisory authorities that may be required in accordance with Applicable Data Protection Law.
11 Data Subject Request
11.1 Self-service features. As part of certain Services, Sourcepass may provide Client with self-service features to delete, retrieve or restrict use of Client Content, which the Client may use to comply with its obligations under Applicable Data Protection Law with respect to responding to requests from data subjects.
11.2 Additional assistance. In addition, upon request, Sourcepass will provide reasonable additional and timely assistance in relation to Client Content, at Client’s expense, to assist Client in complying with its data protection obligations to respond to requests for exercising the rights of data subject under Applicable Data Protection Law.
12.1 Liability. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect, including any limitations and exclusions on liability contained therein which shall apply to this DPA as if fully set forth herein. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data.
12.2 Penalties. Notwithstanding anything to the contrary in this DPA or in the Agreement, neither party will be responsible for any fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
13.1 All notices given by Sourcepass to Client under or in connection with this DPA shall be validly served by email. Where Client has subscribed to the Notification Mechanism, Client shall receive notifications pursuant to Clause 4.3 of this DPA. All other notices given by Sourcepass to Client under or in connection with this DPA shall be sent to Client’s email address associated to their Sourcepass account or as stated on the last Order executed by Client; and any notice given by Client to Sourcepass shall be sent to [email protected] opens in a new window.
14.1 Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the law and the jurisdiction of the country or territory which governs the Agreement, except as otherwise specified in this DPA, including its Schedules, or required by Applicable Data Protection Law.
14.2 Jurisdiction Specific Terms. To the extent Sourcepass processes Personal Data protected by Applicable Data Protection Laws in a jurisdiction listed in Schedule 4, then the terms specified in Schedule 4 (“Jurisdiction Specific Terms”) apply and in case of any conflict between the Jurisdiction Specific Terms and any term of this DPA, the applicable Jurisdiction Specific Terms will take precedence.
14.3 Updates. Sourcepass may update the terms of this DPA where the changes (a) are required to comply with Applicable Data Protection Law, applicable regulation, a court order or guidance issued by a regulator or agency; or (b) do not have a material adverse impact on Client’s rights under the DPA. Sourcepass shall provide 30 days’ notice prior to making any material change to the provisions of this DPA. If the Client objects, the Client has the right to terminate the affected Services within 30 days of receiving written notice of the changes.
DETAILS OF PROCESSING
1. Nature and Purpose of processing
- Client Content. Sourcepass will process Client Content in accordance with Section 3.1 of this DPA.
- Client Account Data. Sourcepass will process Client Account Data as a controller to perform the functions as a communications service provider that may include, but are not limited to, (a) manage the relationship with the Client; (b) carry out Sourcepass’s business operations, such as accounting, tax, billing, audit and compliance; (c) to investigate security issues, fraud, unauthorised or unlawful use of the service and other misuses; (d) to improve the Services; and (e) as required by Applicable Data Protection Law.
2. Duration of Processing
2.1 Sourcepass acting as processor for Client Content. Sourcepass will process Client Content for the duration outlined in Section 9 of this DPA.
2.2 Sourcepass acting as controller. Sourcepass will process personal data as a controller for as long as needed to provide the Services. Upon termination of the Agreement, Sourcepass may retain personal data (a) for the purposes outlined in Section 1.2 of this Schedule 1; or (b) as required by law. Sourcepass will promptly delete or anonymize such personal data when Sourcepass no longer requires it for the herein mentioned purposes.
3. Types of Personal Data
3.1 Sourcepass processes personal data contained in Client Content and Client Account Data as defined in Section 1 of this DPA.
4. Categories of Data Subjects
4.1 Client Content. Client Content may include the following categories of data subjects:
- Client’s authorized users, who are those individuals that are authorized by the Client to use the Services on behalf of the Client.
- Client’s Clients and end users
4.2 Client Account Data. Client Account Data may include the following categories of data subjects:
- Client’s employees and agents
- Client’s authorized users
- Client’s Clients and end users
STANDARD CONTRACTUAL CLAUSES Decision (EU) 2021/914
Terms applicable to the EEA SCCs
(i) Clause 7 – the optional docking clause will not apply;
(ii) Clause 9 – Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 4 (Sub-processors) of this DPA;
(iii) Clause 11 (a) – the optional language will not apply;
(iv) Clause 17 – Option 1 will apply and the Clauses will be governed by the law of the Netherlands;
(v) Clause 18 – disputes will be resolved before the courts of the Netherlands;
(vi) Module One (Controller to Controller) of the EEA SCCs apply where Client is a controller and Sourcepass is an independent controller.
(vii) Module Two (Controller to Processor) of the EEA SCCs apply where Client is a controller and Sourcepass is a processor.
(viii) Module Three (Processor to Processor) of the EEA SCCs apply where Client is a processor and Sourcepass is a processor
A. LIST OF PARTIES
1. Name: The company defined as Client who is party to the Agreement.
Address: The address of the Client as provided in the Agreement.
Contact details: Client’s email address associated to their Sourcepass account or as stated on the last Order executed by Client.
Activities relevant to the data transferred under these Clauses: purchase of Sourcepass Services.
Signature and date: By entering into the Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses, including their Annexes, as of the date the parties entered into the Agreement or this DPA, whichever is later.
Role: The Data Exporter’s role is as set forth in Section 2 (Relationship of the Parties) of this DPA.
1. Name: The Sourcepass Group entity that is the service provider to Client under the Agreement.
Address: The Sourcepass Group entity’s address specified in the Agreement.
Contact details: Sourcepass Privacy Team, [email protected].
Activities relevant to the data transferred under these Clauses: Provision of Communications APIs services, Unified Communications services and/or Contact Centre services.
Signature and date: By entering into the Agreement, Data Importer is deemed to have signed the Standard Contractual Clauses, including their Annexes, as of the date the parties entered into the Agreement or this DPA, whichever is later.
Role: The Data Importer’s role is as set forth in Section 2 (Relationship of the Parties) of this DPA.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: As described in Section 4 of Schedule 1 (Details of Processing) of this DPA.
Categories of personal data transferred: Sourcepass processes personal data contained in Client Content and Client Account Data as defined in Section 1 (Definitions) of this DPA.
Sensitive data: N/A
The frequency of the transfer: The data is transferred on a continuous basis.
Nature of the processing: is as Section 1 of Schedule 1 (Details of Processing) of this DPA.
Purpose(s) of the data transfer and further processing: Sourcepass processes personal data for the purposes described in Section 1 of Schedule 1 (Details of Processing) of this DPA.
The period for which the personal data will be retained: Sourcepass retains data for the duration described in Section 2 of Schedule 1 (Details of Processing) of this DPA.
For transfers to (sub-) processors, the subject matter, nature and duration of the processing is set forth in the Sub-processors List (refer to Section 4.1 of this DPA).
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies: The Dutch supervisory authority is the competent supervisory authority.
ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational security measures implemented by the data importer are as set forth in Section 6.1 of this DPA. The data importer may update its security document from time to time provided that there is no degradation to the security and/or privacy of the services.
ANNEX III – LIST OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
As per the Sub-processors List (in Section 4.1 of this DPA).
UK International Data Transfer Addendum
Standard Data Protection International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the Commissioner under S119A(1) Data Protection Act 2018
VERSION B1.0, in force 21 March 2022
PART 1: Tables
Table 1: Parties
|Start date||As set forth in the order or Agreement that incorporates these Standard Contractual Clauses by reference or as set forth in the DPA, whichever is later.|
|The Parties||Exporter (who sends the Restricted Transfer)||Importer (who receives the Restricted Transfer)|
|Parties’ details||Full legal name: The company defined as Client who is party to the Agreement.
Trading name (if different):
Main address (if a company registered address): The address of the Client as provided in the Agreement or order form.
Official registration number (if any) (company number or similar identifier): As provided in the Agreement or order form.
|Full legal name: The Sourcepass Group entity that is the service provider to Client under the Agreement.
Trading name (if different):
Main address (if a company registered address): The Sourcepass Group entity address specified in the Agreement or order form.
Official registration number (if any) (company number or similar identifier): as provided in the Agreement or order form.
|Key Contact||Full Name (optional):
Contact details including email:
Client’s email address associated to their Sourcepass account or as stated on the last Order executed by Client
|Full Name (optional):
Contact details including email:
Sourcepass Privacy Team, [email protected]
|Signature (if required for the purposes of Section 2)||By entering into the order form or the Agreement, the parties are deemed to have signed this UK International Data Transfer Addendum||By entering into the order form or the Agreement, the parties are deemed to have signed this UK International Data Transfer Addendum|
Table 2: Selected SCCs, Modules and Selected Clauses
|Addendum EU SCCs||☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: as provided in Table 1 above
Reference (if any):
Other identifier (if any):
☐ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
|Module||Module in operation||Clause 7 (Docking Clause)||Clause 11
|Clause 9a (Prior Authorization or General Authorization)||Clause 9a (Time period)||Is personal data received from the Importer combined with personal data collected by the Exporter?|
|1||√||Does not apply||Optional language does not apply|
|2||√||Does not apply||Optional language does not apply||Option 2 applies – general authorization||At least thirty days’ prior to such change, where commercially feasible. In any event no less than 10 days.|
|3||√||Does not apply||Optional language does not apply||Option 2 applies – general authorization||At least thirty days’ prior to such change, where commercially feasible. In any event no less than 10 days.|
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
|Annex 1A: List of Parties: as set forth in Annex I.A of Schedule 2 of this DPA|
|Annex 1B: Description of Transfer: as set forth in Annex I.B of Schedule 2 of this DPA|
|Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: as set forth in Annex II of Schedule 2 of this DPA|
|Annex III: List of Sub processors (Modules 2 and 3 only): as set forth in Annex II of Schedule 2 of this DPA|
Table 4: Ending this Addendum when the Approved Addendum Changes
|Ending this Addendum when the Approved Addendum changes||Which Parties may end this Addendum as set out in Section 19:
☐ neither Party
PART 2: Mandatory Clauses
|Mandatory Clauses||Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.|
JURISDICTION SPECIFIC TERMS
- The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles (APPs) and the Australian Privacy Act (1988).
- The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
- The definition of “sensitive data” includes “Sensitive Information” as defined under Applicable Data Protection Law.
- The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
- The definition of “processor” includes “operator” as defined under Applicable Data Protection Law.
- The definition of “Security Incident” includes a security incident that may result in any relevant risk or damage to the data subjects.
- The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).
- The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
- The definition of “data subject” includes “Consumer” as defined under Applicable Data Protection Law. Any Data Subject Rights, as described in Section 11 of the DPA, apply to Consumer rights. In regards to Data Subject Requests, Sourcepass can only verify a request from Client and not from Client’s end user or any third party.
- The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.
- The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.
- Sourcepass will process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Sourcepass agrees not to sell Client’s Personal Data or Client end users’ Personal Data; retain, use, or disclose Client’s Personal Data for any commercial purpose other than providing the Services; or retain, use, or disclose Client’s Personal Data outside of the scope of the Agreement. Sourcepass understands its obligations under the Applicable Data Protection Law and will comply with them.
- Sourcepass certifies that its Sub-processors, as described in Section 4 of the DPA, are Service Providers under Applicable Data Protection Law, with whom Sourcepass has entered into a written contract that includes terms substantially similar to this DPA. Sourcepass conducts appropriate due diligence on its Sub-processors.
- Sourcepass will implement and maintain the reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in Section 6 of the DPA.
- The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
- Sourcepass’s Sub-processors, as described in Section 4 of the DPA, are third parties under Applicable Data Protection Law, with whom Sourcepass has entered into a written contract that includes terms substantially similar to this DPA. Sourcepass has conducted appropriate due diligence on its Sub-processors.
- Sourcepass will implement technical and organizational measures as set forth in Section 6 of the DPA.
- The definition of “Applicable Data Protection Law” includes the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”).
- The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
- The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.
- The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.
- Sourcepass will require that any personnel authorized to process Client Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Sourcepass in accordance with Section 6 of the DPA.
- Sourcepass must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 6 of the DPA and complying with the terms of the Agreement.
- Sourcepass must ensure that the Personal Data will not be transferred to a Sub-processor unless such Sub-processor has executed an agreement with Sourcepass pursuant to Section 4.1 of this DPA.
- The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
- The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
- The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, Sourcepass is responsible for the handling of Personal Data in its possession.
- The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
- Sourcepass will process Personal Data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 6 of the DPA and complying with the terms of the Agreement.
- The definition of “Applicable Data Protection Law” includes the Data Protection Act 2018 and the UK GDPR.
- References in this Addendum to GDPR will be deemed to be references to the corresponding laws of the United Kingdom, this is UK GDPR and Data Protection Act 2018).