Data Protection Addendum
- The Customer and Aggua Force Ltd. (the "Service Provider"), are parties to the Agreement, as defined below, to which this Data Protection Addendum applies.
- If Service Provider processes personal data, or if Service Provider has access to personal data in the course of its performance under the Agreement, Service Provider shall comply with the terms and conditions of this Data Protection Addendum ("Data Protection Addendum").
- By signing this Data Protection Addendum, Service Provider shall qualify as the Data Processor, as this term is defined under Data Protection Laws. Customer acknowledges and agrees that as the Controller, it is responsible for the legal basis of Processing hereunder, including obtaining any necessary consents in accordance with the requirements of Data Protection Laws. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
All capitalized terms not defined in this Data Protection Addendum have the meanings set forth in the Agreement.
- "Agreement" means the agreement between Customer and the Service Provider which involves Service Provider having access to or otherwise processing personal data, and to which this Data Protection Addendum is incorporated by reference;
- "Approved Jurisdiction" means a member state of the European Economic Area ("EEA"), or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.
- "Breach Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- "Customer" means the entity who entered into an ordering document with the Service Provider to which this Data Protection Addendum is incorporated by reference.
- "Data Protection Laws" means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of personal data, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"), and the Privacy and Electronic Communications Directive 2002/58/EC (and local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to themdpa.
- "Standard Contractual Clauses" the standard contractual clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council pursuant to GDPR art. 46.
- The terms "personal data", "process", "processing" and "Special Categories of Data" herein shall have the meaning ascribed to them in the GDPR.
3. DATA PROTECTION AND PRIVACY
- If Service Provider has access to or otherwise processes personal data, then Service Provider shall:
i. only process the personal data in accordance with Customer's documented instructions and on its behalf, and in accordance with the Agreement and this Data Protection Addendum;
ii. take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and process, personal data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this Data Protection Addendum and any Data Protection Laws (or Service Provider’s own written binding policies are at least as restrictive as this Data Protection Addendum);
iii. assist Customer as needed to cooperate with and respond to requests from supervisor authorities, data subjects, customers, or others to provide information (including details of the services provided by Service Provider) related to Service Provider’s processing of personal data;
iv. notify the Customer without undue delay, and no later than forty eight (48) hours, after becoming aware of a Breach Incident;
v. provide full, reasonable cooperation and assistance to Customer in:
- allowing data subjects to exercise their rights under the Data Protection Laws, including (without limitation) the right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, object to the processing, or the right not to be subject to an automated individual decision making;
- ensuring compliance with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws;
- Ensuring compliance with its obligation to carry out data protection impact assessments with respect to the processing of personal data, and with its prior consultation with the supervisory authority obligation (as applicable).
vi. only process or use personal data on its systems or facilities to the extent necessary to perform its obligations under the Agreement;
vii. as required under Data Protection Laws, maintain accurate written records of any and all the Processing activities of any personal data carried out under the Agreement (including the categories of Processing carried out and, where applicable, the transfers of personal data), and shall make such records available to the applicable supervisory authority on request;
viii. make all reasonable efforts to ensure that personal data are accurate and up to date at all times while in its custody or under its control, to the extent Service Provider has the ability to do so;
x. promptly notify Customer of any investigation, litigation, arbitrated matter or other dispute relating to Service Provider’s information security or privacy practices as it relates to the processing of personal data;
xi. promptly notify Customer in writing and provide Customer an opportunity to intervene in any judicial or administrative process if Service Provider is required by law, court order, warrant, subpoena, or other legal or judicial process to disclose any personal data to any person other than Customer;
xii. upon termination of the Agreement, or upon Customer's written request at any time during the term of the Agreement, Service Provider shall cease to process any personal data received from Customer, and within a reasonable period will at the request of Customer: (1) return the personal data; or (2) securely and completely destroy or erase all personal data in its possession or control (including any copies thereof), unless and solely to the extent the foregoing conflicts with any applicable laws. At Customer’s request, Service Provider shall certify to Customer that it has fully complied with this clause.
- Service Provider may subcontract its obligations under this Data Protection Addendum to another person or entity ("Contractor(s)"), as stated in Exhibit A attached hereto, provided that Service Provider shall inform the Customer of any intended changes concerning the addition/replacement of other processors at least 30 days prior to such change, and the Customer may notify Service Provider that it objects to such change and terminate the Agreement by written notice to the Customer.
- Service Provider will execute a written agreement with such approved Contractor containing equivalent terms to this Data Protection Addendum.
- Service Provider shall have a written security policy that provides guidance to its Contractors to ensure the security, confidentiality and integrity of personal data and systems maintained or processed by Service Provider.
- Customer may require Service Provider to provide Customer with full details of the proposed Contractor’s involvement including but not limited to the identity of the Contractor, its data security record, the location of its processing facilities and a description of the access to personal data proposed.
- Service Provider shall be responsible for the acts or omissions of Contractors to the same extent it is responsible for its own actions or omissions under this Data Protection Addendum.
5. THE TRANSFER OF PERSONAL DATA
- If the Service Provider is required to transfer personal data to a third country or an international organization under applicable laws, it shall inform the Customer of that legal requirement before processing; If, subject to Customer’s prior consent, Service Provider processes personal data from the EEA in a jurisdiction that is not an Approved Jurisdiction, Service Provider shall ensure that it has a legally approved mechanism in place to allow for the international data transfer. If Service Provider intends to rely on Standard Contractual Clauses, the following additional terms will apply to Service Provider and Service Provider’s Service Providers and/or affiliates (where subcontracting or performance is allowed by the Agreement):
i. The Standard Contractual Clauses will apply. If such Standard Contractual Clauses are superseded by new or modified Standard Contractual Clauses, the new or modified Standard Contractual Clauses shall be deemed to be incorporated into this Data Protection Addendum. Service Provider will abide by the obligations set forth under the Standard Contractual Clauses for data importer and/or sub-processor as the case may be.
ii. If Service Provider subcontracts any processing of personal data (as allowed by the Agreement and Applicable Law), it will:
a. Notify and obtain Customer’s advance written permission before proceeding; and
b. Ensure that it has a legally approved mechanism in place to allow for the international data transfer, or that Contractors have entered into the Standard Contractual Clauses with Service Provider.
6. SECURITY STANDARDS
- Service Provider shall implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect personal data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed; all other unlawful forms of processing; including (as appropriate): (i) the pseudonymisation and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) a process for regularly assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
- To the extent that Service Provider processes Special Categories of Data, the security measures referred to in this Data Protection Addendum shall also include, at a minimum (i) routine risk assessments of Service Provider’s information security program, (ii) regular monitoring to measure and confirm the effectiveness of the information security program’s key controls, systems, and procedures, and (iii) encryption of Special Categories of Data while “at rest” and during transmission (whether sent by e-mail, fax, or otherwise), and storage (including when stored on mobile devices, such as a portable computer, flash drive, PDA, or cellular telephone).
- If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this Data Protection Addendum, and Service Provider will promptly begin complying with such Data Protection Laws.
- Any ambiguity in this Data Protection Addendum shall be resolved to permit Customer to comply with all Data Protection Laws. In the event and to the extent that the Data Protection Laws impose stricter obligations on the Service Provider than under this Data Protection Addendum, the Data Protection Laws shall prevail.
- If this Data Protection Addendum does not specifically address a particular data security or privacy standard or obligation, Service Provider will use appropriate, generally accepted practices to protect the confidentiality, security, privacy, integrity, availability, and accuracy of personal data.
- Service Provider agrees that, in the event of a breach of this Data Protection Addendum, neither Customer nor any relevant Customer's customer will have an adequate remedy in damages and therefore either Customer or an affected customer shall be entitled to seek injunctive or equitable relief to immediately cease or prevent the use or disclosure of personal data not contemplated by the Agreement and to enforce the terms of this Data Protection Addendum or ensure compliance with all Data Protection Laws.
- If Service Provider is unable to provide the level of protection as required herein, Service Provider shall immediately notify Customer and cease processing. Any non-compliance with the requirements herein shall be deemed a material breach of the Agreement and Customer shall have the right to terminate the Agreement immediately without penalty.
- Customer, shall have the right to: (a) require from Service Provider all information necessary to, and (b) conduct its own audit and/or inspections of Service Provider in order to: demonstrate compliance with the Data Protection Addendum. Such audit and/or inspection shall be conducted with reasonable advanced notice to Service Provider, at Customer's expense, no more than once a year, and during normal business hours to reasonably limit any disruption to Service Provider’s business.
- Notwithstanding anything to the contrary, with effect from 25 May 2018, Service Provider will process personal data in accordance with the GDPR requirements directly applicable to its activities.