CUSTOMER GDPR DATA PROCESSING ADDENDUM
This GDPR Data Processing Addendum (“GDPR Addendum”), effective as of 25 May 2018, is made by and between Swell Systems Inc. (“Swell Systems”) on behalf of itself and (“Customer”) as of the date of the last signature below.
WHEREAS, Swell Systems and Customer are parties to an agreement whereby Customer procures certain products and services from Swell Systems (the “Agreement”) for the purpose of business management.
WHEREAS, the parties desire to amend the Agreement to conform with the requirements of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR”), and any implementing, derivative or related legislation, rule or regulation of the European Union (“Union”), a Union member state (“Member State”), or the United Kingdom (“UK”), with respect to personal data (as defined below) that Swell Systems is processing (as defined below) on behalf of Customer under the Agreement;
NOW THEREFORE, in consideration of the promises made herein, the parties agree to amend the Agreement as follows:
All capitalized terms used but not defined herein shall have the same meaning as set forth in the Agreement. Lower case terms used but not defined in this GDPR Addendum, such as “personal data”, “personal data breach”, “processing”, “controller”, “processor”, “supervisory authority” and “data subject”, will have the same meaning as set forth in Article 4 of the GDPR.
- Scope and Roles
This GDPR Addendum applies to the processing of personal data by Swell Systems on behalf of Customer and its authorized affiliates under the Agreement. In this context, the Parties agree that the Customer is the controller of End User personal data, and Swell Systems is the processor of such personal data. Customer’s instructions for the processing of personal data shall comply with applicable laws. Customer shall have sole responsibility for the accuracy, quality, and legality of personal data and the means by which Customer acquired personal data.
1. Where Swell Systems is carrying out processing on behalf of Customer, Swell Systems shall implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject.
2. Swell Systems shall not engage another processor without prior specific or general written authorization of Customer. In the case of general written authorization, Swell Systems shall inform Customer of any intended changes concerning the addition or replacement of other processors, thereby giving Customer the opportunity to object to such changes in the manner more specifically set forth herein.
3. Processing by Swell Systems shall be governed by this GDPR Addendum under Union or governing Member State law as set forth in the Agreement. In particular, Swell Systems shall:
   (a) process the personal data only on documented instructions from Customer in accordance with the GDPR requirements directly applicable to Swell Systems’ provision of the services under the Agreement, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by the Union or Member State law governing such personal data; in such a case, Swell Systems shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
   (b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
   (c) take all measures required pursuant to Article 32 of the GDPR;
   (d) respect the conditions referred to in paragraphs 2 and 5 in this section C for engaging another processor;
   (e) taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
   (f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Swell Systems;
   (g) at the choice of Customer, delete or return all the personal data to Customer after the end of the provision of services relating to processing and delete existing copies unless Union or governing Member State law requires storage of the personal data;
   (h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer;
   (i) to the extent required by applicable privacy laws, maintain complete and accurate written records of all categories of processing activities carried out on behalf of Customer.
4. Swell Systems shall immediately inform Customer if, in its opinion, an instruction from Customer to Swell Systems infringes the GDPR or other Union or governing Member State data protection provisions.
5. Where Swell Systems engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in this GDPR Addendum shall be imposed on that other processor by way of a contract or other legal act under Union or governing Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil those data protection obligations, Swell Systems shall (subject to the terms of the Agreement) remain fully liable to Customer for the performance of that other processor’s obligations.
- Processing Details
The subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of Customer are set forth in the Agreement, including this Addendum, in particular:
- The subject-matter of the processing under this GDPR Addendum is the personal data provided by the Customer to Swell Systems in respect of the products and services under the Agreement.
- The duration of the processing is the duration of the provision of the products and services under the Agreement.
- The nature and purpose of the processing is in connection with the provision of the products and services under the Agreement.
- The types of personal data processed under the Agreement may include full name; email addresses; home postal addresses; office/institution postal addresses; telephone numbers; mobile phone numbers; government-issued identification numbers, including passport numbers (for identification); date of birth; place of birth (for identification); sanction and watch list data; results data from the products and services, which may include other third-party data and other types of personal data identified in the GDPR; and/or other content containing personal data submitted by or at the direction of Customer’s End Users as part of the products and services.
- The categories of data subjects are those arising in connection with the provision of the products and services under the Agreement.
On expiration or termination of Customer’s use of the products and services, Swell Systems shall delete or return personal data in accordance with the terms and timelines for the products and services set forth in the Agreement, unless Union, governing Member State, or other applicable law requires storage of the personal data.
Customer provides its consent for Swell Systems to use sub-processors in the delivery of the products and services. Where Swell Systems engages any third party to act as a sub-processor in relation to Customer data, Swell Systems shall:
- enter into a legally binding written agreement that places equivalent data protection obligations to those set out in this GDPR Addendum on the sub-processor, to the extent applicable to the nature of the services provided by such sub-processor, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR;
- remain liable for any act or omission of a sub-processor that does not comply with the data protection obligations set out in this GDPR Addendum; and
- inform Customer of any intended changes concerning the addition or replacement of a sub-processor with access to Customer data and give Customer the opportunity to object to such changes.
- Data Subjects Rights
Swell Systems shall, to the extent legally permitted, promptly notify Customer of any data subject requests received by Swell Systems and reasonably cooperate with Customer to fulfil its obligations under the GDPR in relation to such requests. Customer shall be responsible for any reasonable costs arising from Swell Systems providing assistance to Customer to fulfil such obligations.
Swell Systems will ensure that, to the extent that any personal data originating from the UK or European Economic Area (EEA) is transferred to a country or territory outside the UK or EEA that has not received a binding adequacy decision by the European Commission or a competent national data protection authority, such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the GDPR, including enforceable rights and effective legal remedies for data subjects.
With regard to transfers of EEA Personal Data made by Customer, Customer warrants and represents that such transfer will be subject to appropriate safeguards that provide an adequate level of protection in accordance with the GDPR, including enforceable rights and effective legal remedies for data subjects, including the following legal basis for such transfer:
- Security of Processing
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Swell Systems shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
  - the pseudonymization and encryption of personal data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  - a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Customer and Swell Systems shall take steps to ensure that any natural person acting under the authority of Customer or Swell Systems who has access to personal data does not process them except on instructions from Customer, unless he or she is required to do so by Union or governing Member State law.
- Personal Data Breach
Swell Systems will notify Customer without undue delay after becoming aware of a personal data breach and shall reasonably respond to Customer’s request for further information so that Customer may fulfil its obligations under Articles 33 and 34 of the GDPR.
The rights set out in Section C.(3)(h) are subject to the notice, confidentiality and other requirements for conducting audits set forth in the Agreement. In the absence of such requirements in the Agreement, the following shall apply: Audits shall be:
- subject to the execution of appropriate confidentiality undertakings or relying on similar obligations in the Agreement;
- conducted no more than once per year, unless Customer has demonstrated a reasonable belief of non-compliance with the Agreement, upon thirty (30) days’ written notice and having provided a plan for such review; and
- conducted at a mutually agreed upon time and in an agreed upon manner.
If there is any conflict or inconsistency between the terms of this GDPR Addendum and the terms of the Agreement, the terms of this GDPR Addendum will control to the extent required by law. Otherwise, the terms of the Agreement will control in the case of such conflict or inconsistency.
This GDPR Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including any non-contractual disputes or claims) shall be governed by and construed in accordance with the governing law set forth in the Agreement.
The parties irrevocably agree that exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this GDPR Addendum or its subject matter or formation (including non-contractual disputes or claims) shall be the jurisdiction agreed to by the parties in the Agreement.