Data Processing Addendum
Last updated May 19, 2022.
This DATA PROCESSING ADDENDUM (“DPA”) is made and entered into by and between the ACS Solutions entity entering into this DPA (hereinafter, the “Company”) and the Company’s Client or Sub-Supplier also entering into this DPA (“Client/Sub-Supplier”), as a supplement to an underlying Master Services Agreement between the parties.
- Definitions. All capitalized terms have the meanings as set forth in this Addendum, or if not defined, then as set forth within Regulation (EU) 2016/679 of the European Parliament (the General Data Protection Regulation or “GDPR”), or if not defined within the GDPR, then as defined within the United Kingdom General Data Protection Regulation (“UK GDPR”), or if not defined within the UK GDPR, then as defined within the California Consumer Protection Act (“CCPA”), or if not defined within either the GDPR, the UK GDPR or the CCPA, then as defined within the underlying Agreement.
- “Agreement” means the underlying business agreement between the parties, pursuant to which data will be processed that is subject to the CCPA or GDPR.
- “CCPA” means the California Consumer Protection Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
- “Client Personal Information” means any data, file attachment, text, images, reports, or other information that is transferred between the parties for Services pursuant to the Agreement and that directly or indirectly identifies or relates to a Data Subject.
- “Contracted Processor” means the Processor or a Subprocessor that will be processing the data pursuant to the Agreement.
- “Data Protection Laws” means the CCPA to the extent Client Personal Information includes that of California residents pursuant to the Agreement, the GDPR to the extent Client Personal Information includes that of EEA residents pursuant to the Agreement, the UK GDPR to the extent Client Personal Information includes that of UK residents pursuant to the Agreement and, to the extent applicable, the data protection or privacy laws of any other state, province, or country.
- “Data Subject” means
(i) an identified or identifiable natural person who is in the EEA or whose rights are protected by the GDPR; and
(ii) a “Consumer” as the term is defined in the CCPA.
- “DPA” means this Data Protection Addendum.
- “EEA” means the European Economic Area and includes all countries within the EU in addition to Iceland, Liechtenstein and Norway.
- “EU” means the European Union.
- “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of June 4, 2021.
- “Services” has the definition set forth in the Agreement and includes the processing of Client Personal Information pursuant to the Agreement or any applicable Statement of Work (“SOW”).
- “UK” means the United Kingdom of Great Britain and Northern Ireland.
- The Company is NOT established within the EEA, the UK or in a jurisdiction that the European Commission has recognized as offering an adequate level of data protection.
- This DPA supplements the existing Agreement between the parties and except as supplemented by this DPA, the terms of the Agreement shall remain in full force and effect.
- Each party agrees to comply with their respective obligations under applicable Data Protection Laws.
- The parties agree to avoid taking any action that would cause the other party to be deemed to have sold Client Personal Information under the CCPA. In no event will the transfer of Client Personal Information, pursuant to the Agreement, result in or be construed as constituting a sale of such Client Personal Information by or to Company.
- In regard to the transfer of data for data processing occurring pursuant to the Agreement, the parties agree to be bound by the SCCs, applying the following Module:
- If the transfer of data for data processing pursuant to the Agreement is from Controller to Processor, then Module Two of the SCCs will apply;
- If the transfer of data for data processing pursuant to the Agreement is from Processor to Processor, then Module Three of the SCCs will apply; or
- If the transfer of data for data processing pursuant to the Agreement is from Processor to a Controller not otherwise subject to the GDPR, then Module Four of the SCCs will apply;
A current copy of the SCCs is located at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914 and the specific SCCs applicable to this DPA are hereby incorporated into this DPA by reference as if fully restated herein.
- For purposes of selecting optional (or otherwise selectable) language in the SCCs:
- Clause 7 will not apply.
- For Clause 9(a), Option 2 (general written authorization for sub-processors) will apply with the specified time period being five (5) calendar days.
- For Clause 11(a), the optional language (data subject’s ability to lodge complaint with an independent resolution body) will not apply.
- For Clause 17, Option 2 will apply, allowing the choice of law governing for claims within this DPA relating to GDPR compliance to be the EU Member State in which the data exporter is established, unless such law does not allow for third-party beneficiary rights, in which case the parties agree that the choice of law governing this DPA will be the law of Ireland.
- For Clause 18, the parties agree that any dispute arising from this DPA will be resolved by the courts of the EU Member State in which the data exporter is established, unless the data exporter is not established in an EU Member State, in which case the parties agree that such dispute will be resolved in the courts of Ireland.
- If the Client Personal Information is governed by the UK GDPR, this DPA will include the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on February 2, 2022, as it is revised under Section 18 of those Mandatory Clauses.
- For the purposes of Annex I.A. to the SCCs, the identity and contact details of the parties are as set forth within the signature page(s) of the underlying Agreement and, where applicable, their data protection officer(s) and/or representative(s) in the European Union are specified within the applicable SOW.
- For purposes of Annex I.B. to the SCCs, if Client Personal Information is being processed pursuant to the Services, the applicable SOW will specify the nature of the data processing, categories of data subjects whose data is to be transferred, categories of personal data transferred, whether sensitive data will be transferred and a description of such sensitive data, frequency of the transfer, purpose of the data transfer and further processing, the period for which the Client Personal Information will be retained, and if the transfer will involve use of sub-processors, the subject matter, nature and duration of the sub-processing.
- For purposes of Annex I.C. to the SCCs, if Client Personal Information is being processed pursuant to the Services, the applicable SOW will specify the applicable supervisory authority, unless such processing is governed by the UK GDPR.
- For purposes of Annex II to the SCCs, if Client Personal Information is being processed pursuant to the Services, the applicable SOW will specify the minimum technical and organizational measures that will be implemented by the data importing party.
- For purposes of Annex III to the SCCs, if Client Personal Information is being processed pursuant to the Services, the applicable SOW will identify any sub-processors that are anticipated and describe the processing of Client Personal Data that will be handled by such sub-processors.
- Information provided herein or within an applicable SOW to satisfy Annexes I, II and III to the SCCs is included as may be required by the Data Protection Laws. Nothing in Sections 8-12 of this DPA confers any right or imposes any obligation on a party to this DPA.
- The parties agree to cooperate fully with each other regarding compliance obligations pursuant to this DPA. Such cooperation shall include providing information relevant to conduct necessary audits or assessments and fulfillment of Data Subject requests including, but not limited to, access, erasure, opt-out and objection.
- General Terms. This DPA constitutes the entire agreement between the parties relating to the processing of personal data and supersedes any prior agreements between the parties relating to the subject matter of this DPA. To the extent of any conflict between the terms of this DPA and the terms of the Agreement with respect to the subject matter of this DPA and solely where Data Protection Laws apply, the terms of this DPA will control. This DPA may only be amended if in writing and signed by the parties to this agreement. The provisions of this DPA are severable. If any provision is determined to be invalid, illegal, or unenforceable, in whole or in part, the remaining provisions and any partially enforceable provisions will remain in full force and effect. For avoidance of doubt, as between the parties to this DPA, each party’s liability and remedies under this DPA are subject to the liability limitations and damages exclusions set forth in the Agreement. Notwithstanding the foregoing, Company’s total liability will not exceed its insurance policy limits in the aggregate.