PriceHubble Data Processing Addendum

PARTIES

(1) Client contracting with Provider (the “Client”).

(2) PriceHubble US, LLC, a limited liability company organized under the laws of Delaware, with offices located at 2443 Fillmore St #380-8512, San Francisco, CA 94155 (the “Provider”).

Personal data is any data that can be related to a specific natural person, such as their name or IP address.

RECITALS

WHEREAS, the Client and the Provider entered into the PriceHubble Software-as-a-Service Agreement (the “Master Agreement”) that may require the Provider to process Personal Information provided by or collected for the Client; and

WHEREAS, this Data Processing Addendum (the “DPA”) sets out the additional terms, requirements, and conditions on which the Provider will obtain, handle, process, disclose, transfer, or store Personal Information when providing services under the Master Agreement;

NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:

1.Definitions and Interpretation

1.1. The following definitions and rules of interpretation apply in this DPA.

“Authorized Persons” means the persons or categories of persons that the Client authorizes in writing to give the Provider personal information processing instructions.

"Business Purpose" means the services described in the Master Agreement or any other purpose specifically identified in Appendix A.

"Data Subject" means an individual who is the subject of the Personal Information and to whom or about whom the Personal Information relates or identifies, directly or indirectly.

“Personal Information” means any information that the Provider processes by or at the direction of Client or information to which access was provided to Provider by or at the direction of Client, in the course of Provider’s performance under the Master Agreement that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in the Provider's possession or control or that the Provider is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as protected personal information. Personal Information includes, but is not limited to: property owner names, contact details, property addresses, property valuation data, and other data processed via the PriceHubble Platform as necessary to perform in accordance with the Master Agreement.

"Processing, processes, or process" means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.

“Privacy and Data Protection Requirements” means all data protection and privacy laws, to the extent applicable to a party’s Processing of Personal Information, including EU GDPR (Regulation (EU) 2016/679); UK GDPR and the Data Protection Act 2018; and US State Privacy Laws (including ,without limitation CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA), in each case as amended.

"Security Breach" means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.

“Standard Contractual Clauses (SCC)” means the European Commission's standard contractual clauses for the transfer of personal data from the European Union to third countries, as set out in the Annex to Commission Decision (EU) 2021/914, a completed copy of which comprises Appendix B. Personal Information originating from Switzerland shall be processed in accordance with the SCCs, with the following amendments:

• “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

• “Revised FADP” means the revised version of the FADP of 25 September 2020, which is scheduled to come into force on 1 September 2023.

• The term “EU Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).

• The EU SCCs also protect the data of legal entities until the entry into force of the Revised FADP.

• The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.

• With respect to Personal Information originating from the United Kingdom, the parties will comply with the terms of Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the Information Commissioner’s Office and laid before Parliament in accordance with Section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses (the “UK Addendum”). The parties also agree (i) that the information included in Part 1 of the UK Addendum is as set out in Annex I of Appendix A to this DPA and (ii) that either party may end the UK Addendum as set out in Section 19 of the UK Addendum.

1.2. This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.

1.3. The Appendices form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Appendices.

1.4. A reference to writing or written includes faxes and email.

1.5. In the case of conflict or ambiguity between:

1. any provision contained in the body of this DPA and any provision contained in the Appendices, the provision in the body of this DPA will prevail;

2. the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Appendices, the provision contained in the Appendices will prevail; 

3. any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail with respect to data protection terms; and

4. any of the provisions of this agreement and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.

2. Personal Information Types and Processing Purposes

2.1. The Client retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.

2.2. Appendix A describes the general categories of Personal Information and related types of Data Subjects the Provider may process to fulfill the Business Purposes of the Master Agreement. The Client discloses Personal Information to the Provider only for the limited and specified Business Purposes.

3. Provider's Obligations

3.1. The Provider will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Client's written instructions from Authorized Persons. The Provider will not process, retain, use, or disclose the Personal Information for any other purpose, outside of the parties' business relationship, or in a way that does not comply with this DPA, the Master Agreement or the Privacy and Data Protection Requirements. The Provider will not combine or update the Personal Information with personal information obtained outside of this contract unless the Privacy and Data Protection Requirements permit the action. The Provider must promptly notify the Client if, in its opinion, the Client's instruction would not comply with the Privacy and Data Protection Requirements.

3.2. The Provider must promptly comply with any Client request or instruction from Authorized Persons requiring the Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.

3.3. The Provider will maintain the confidentiality of all Personal Information and will not sell it to anyone, share it for cross-context behavioral advertising (targeted advertising) with anyone, or disclose it to third parties without specific authorization from the Client or this DPA, unless required by law. If a law requires the Provider to process or disclose Personal Information, the Provider must first inform the Client of the legal requirement and give the Client an opportunity to object or challenge the requirement, unless the law prohibits such notice.

3.4. The Provider will reasonably assist the Client with meeting the Client's compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of the Provider's processing and the information available to the Provider. Upon request, Provider will supply information reasonably required for DPIAs, prior consultations, and transfer risk assessments, including security architecture, subprocessors, data-flow diagrams, encryption/key-management descriptions, and government-access practices.

3.5. The Provider must promptly notify the Client of any changes to Privacy and Data Protection Requirements, or its ability to meet those obligations, that may adversely affect the Provider's performance of the Master Agreement or this DPA. 

3.6. The Client acknowledges that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Client instructions from Authorized Persons or the Personal Information other than as required under the Privacy and Data Protection Requirements.

3.7. The Provider will only collect Personal Information for the Client using a notice or method that the Client specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of the Client's identity, the purpose or purposes for which their Personal Information will be processed, and any other information that is required by applicable Privacy and Data Protection Requirements. The Provider will not modify or alter the notice in any way without the Client's prior written consent.

3.8. Provider may create de-identified data solely for security, analytics, and service improvement. Provider shall (i) implement technical safeguards preventing re-identification, (ii) publicly commit not to re-identify, (iii) bind recipients to the same, and (iv) not attempt to re-identify or use de-identified data for targeted advertising.

4. Provider's Employees

4.1. The Provider will limit Personal Information access to:

1. those employees who require Personal Information access to meet the Provider's obligations under this DPA and the Master Agreement; and

2. the part or parts of the Personal Information that those employees strictly require for the performance of their duties.

4.2. The Provider will ensure that all employees:

1. are informed of the Personal Information's confidential nature and use restrictions and are obliged to keep the Personal Information confidential;

2. have undertaken training on the Privacy and Data Protection Requirements relating to handling Personal Information and how it applies to their particular duties; and

3. are aware both of the Provider's duties and their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.

4.3. The Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of the Provider's employees with access to the Personal Information.

5. Security

5.1. The Provider must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage, including, but not limited to, the security measures set out in Appendix C. The Provider must document those measures in writing and periodically review them, at least annually, to ensure they remain current and complete.

5.2. The Provider will immediately notify the Client if it becomes aware of any advance in technology and methods of working, which indicate that the parties should adjust their security measures.

5.3. The Provider must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.

6. Security Breaches and Personal Information Loss

6.1. The Provider will promptly notify the Client if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Information at its own expense.

6.2. The Provider will notify the Client without undue delay and, in any case, within seventy-two (72) hours after confirming, acting reasonably and in good faith, if it becomes aware of:

1. any unauthorized or unlawful processing of the Personal Information; or

2. any Security Breach.

6.3. Immediately following any unauthorized or unlawful Personal Information processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. The Provider will reasonably co-operate with the Client in the Client's handling of the matter, including:

1. assisting with any investigation; 

2. providing the Client with physical access to any facilities and operations affected;

3. facilitating interviews with the Provider's employees, former employees, and others involved in the matter; and

4. making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by the Client.

6.4. The Provider will not inform any third party of a Security Breach without first obtaining the Client's prior written consent, except when law or regulation requires it.

6.5. The Provider agrees that the Client has the sole right to determine:

1. whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in the Client's discretion, including the contents and delivery method of the notice; and

2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.6. The Provider will cover all reasonable expenses associated with the performance of the obligations under Section 6.2 and Section 6.3, unless the matter arose from the Client's specific instructions, negligence, willful default, or breach of this DPA, in which case the Client will cover all reasonable expenses. 

6.7. The Provider will also reimburse the Client for actual reasonable expenses the Client incurs when responding to and mitigating damages, to the extent that the Provider caused a Security Breach, including all costs of notice and any remedy as set out in Section 6.5.

7. Cross-Border Transfers of Personal Information

7.1. Appendix A lists all of the countries where the Provider may receive, access, transfer, or store Personal Information. The Provider must not receive, access, transfer, or store Personal Information outside the countries listed on Appendix A without the Client's prior written consent.

7.2. If any Personal Information transfer between the Provider and the Client requires execution of Standard Contractual Clauses in order to comply with the Privacy and Data Protection Requirements, the parties will complete all relevant details in, and execute, the Standard Contractual Clauses contained in Appendix B, and take all other actions required to legitimize the transfer, including implementing any needed supplementary measures or supervisory authority consultations.

7.3. The Provider will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements.

8. Subcontractors

8.1. General authorization; Approved list. Client grants Provider a general authorization to engage the third-party subprocessors listed in Appendix D (the “Approved Subprocessors”) to Process Client's Personal Information as necessary to deliver the Services. Approved Subprocessors engaged as of the Effective Date are deemed pre-approved.

8.2. Provider may add or replace a Subprocessor by giving Client prior written notice of at least 30 days (email or portal notice sufficient), identifying the Subprocessor’s name, location, and a brief description of processing and transfer mechanisms. Client may object on reasonable data-protection grounds within that period. If Client objects, Provider will work in good faith to (a) not use the subprocessor for Client, (b) propose a functionally equivalent alternative, or (c) demonstrate compliance. If unresolved, Client’s sole and exclusive remedy is to terminate the affected Service(s) only within 30 days of Provider’s response, with a pro-rata refund of any prepaid, unused fees for the terminated Service(s). Emergency replacements needed to maintain security, continuity, or availability may be made on shorter notice, with prompt follow-up notice thereafter.

8.3. Where the subcontractor fails to fulfill its obligations under such written agreement, the Provider remains fully liable to the Client for the subcontractor's performance of its agreement obligations. 

8.4. The parties consider the Provider to control any Personal Information controlled by or in the possession of its subcontractors. 

8.5. Upon the Client's written request, the Provider will audit a subcontractor's compliance with its obligations regarding the Client's Personal Information and provide the Client with the audit results.

9. Data Subject Requests, Complaints, and Third Party Rights

9.1. The Provider must notify the Client within 3 business days if it receives a request from a Data Subject to exercise any rights the individual may have regarding their Personal Information, such as access, correction, deletion, or to opt-out of or limit certain activities like sales, disclosures, or other processing actions.

9.2. The Provider must notify the Client immediately if it receives any other complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either party's compliance with the Privacy and Data Protection Requirements.

9.3. Provider will, upon Client’s written request, provide reasonable cooperation and assistance, limited to what is required by law and to Client Personal Information in Provider’s possession or control in responding to any complaint, notice, communication, or Data Subject request, and will not respond directly (unless legally required), instead directing the requester to Client. Assistance beyond the standard functionality (including bespoke data pulls, non-routine investigations, or excessive/unfounded/repetitive requests) may be provided on a reasonable time-and-materials basis, and subject to a mutually agreed scope. Nothing in this DPA requires Provider to create new functionality or provide legal or regulatory advice.

9.4. The Provider must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Client's request or instruction, permitted by this DPA, or is otherwise required by law.

10. Term and Termination

10.1. This DPA will remain in full force and effect so long as: 

1. the Master Agreement remains in effect; or 

2. the Provider retains any Personal Information related to the Master Agreement in its possession or control (the "Term").

10.2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Information will remain in full force and effect.

10.3. The Provider's failure to comply with the terms of this DPA is a material breach of the Master Agreement. In such event, the Client may terminate the Master Agreement or any part of the Master Agreement authorizing the processing of Personal Information effective immediately upon written notice to the Provider without further liability or obligation. 

10.4. If a change in any Privacy and Data Protection Requirement or either party's circumstances prevents a party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Information until the party's processing complies with the requirements. If the parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirements within 30 days, they may terminate the Master Agreement upon written notice to the other party.

11. Data Return and Destruction

11.1. At the Client's request, the Provider will give the Client a copy of or access to all or part of the Client's Personal Information in its possession or control in the format and on the media reasonably specified by the Client.

11.2. On termination of the Master Agreement for any reason or expiration of its term, the Provider will securely destroy or, if directed in writing by the Client, return and not retain, all or any Personal Information related to this agreement in its possession or control, except for one copy that it may retain and use for up to 12 months for audit purposes only.

11.3. If any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials that the Provider would otherwise be required to return or destroy, it will notify the Client in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends. The Provider may only use this retained Personal Information for the required retention reason or audit purposes. 

11.4. The Provider will certify in writing that it has destroyed the Personal Information within 30 days after it completes the destruction.

12. Records

12.1. The Provider will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Client, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the "Records").

12.2. The Provider will ensure that the Records are sufficient to enable the Client to verify the Provider's compliance with its obligations under this DPA.

12.3. The Client and the Provider must review the information listed in the Appendices to this DPA once a year to confirm its current accuracy and update it when required to reflect current practices.

13. Audit

13.1  Upon reasonable written request no more than once annually, and subject to confidentiality and security obligations, Provider will make available information (including third-party audit reports) sufficient to demonstrate compliance with this DPA.  

13.2  If such materials do not reasonably address Client’s needs, Client may conduct an on-site audit or inspection, during normal business hours, without undue disruption, upon 30 days’ notice. Client will not access data of other Clients, and will use independent auditors bound by confidentiality. Client bears its audit costs; Service Provider may charge reasonable fees for support beyond standard materials.

1.3. The Provider will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider's management.

2. Warranties

2.3. The Provider warrants and represents that:

2.3.a) its employees, subcontractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to the Personal Information; and

2.3.b) it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this DPA and all applicable Privacy and Data Protection Requirements and other laws, enactments, regulations, orders, standards, and other similar instruments; and

2.3.c) it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Master Agreement's contracted services; and

2.3.d) considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Personal Information and the accidental loss or destruction of, or damage to, Personal Information, and ensure a level of security appropriate to:

2.3.d)i) the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and

2.3.d)ii) the nature of the Personal Information protected; and

2.3.d)iii) comply with all applicable Privacy and Data Protection Requirement and its information and security policies, including the security measures required in clause 5.1.

2.4. The Client warrants and represents that the Provider's expected use of the Personal Information for the Business Purpose and as specifically instructed by the Client will comply with all Privacy and Data Protection Requirements.

3. Liability and Indemnity

3.3. The liability of each party under or in connection with this DPA, including any indemnification obligations, shall be subject to the same limitations and exclusions of liability as set forth in the Agreement. For the avoidance of doubt, no provision of this DPA shall be construed to increase or expand either party’s liability beyond the limits and exclusions agreed in the Agreement. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Laws. 

3.4. This DPA does not create third-party beneficiary rights except as expressly provided in the SCCs.

4. Notice

4.3. Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to either the Client and/or the Provider.

4.4. Section 16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

APPENDIX A

Personal Information Processing Purposes and Details

Processing Duration: The term of the Master Agreement, and any such additional period stated in the Master Agreement.

Countries where the Provider may receive, access, transfer, or store Personal Information: 

United States, Switzerland, France, Belgium, Germany, United Kingdom

APPENDIX B

Standard Contractual Clauses

I. SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The “Parties”:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data  (hereinafter each ‘data exporter’), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses  (hereinafter each ‘data importer’) have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.A.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data

subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Thirdparty beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as thirdparty beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8 –Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii) Clause 9 –Clause 9(a), (c), (d) and (e);

(iv) Clause 12 –Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18 – Clause 18(a) and (b).

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.4

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.A.

Clause 7

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer 

(b) Once it has completed the Appendix, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

II. SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1   Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2   Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.A., unless on further instructions from the data exporter.

8.3   Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4   Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5   Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.A. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6   Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay, and in no event more than 72 hours, after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7   Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.A.

8.8   Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (4) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9   Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of noncompliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of subprocessors

(a) The data importer has the data exporter’s general authorisation for the engagement of subprocessor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of subprocessors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the subprocessor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b) Where the data importer engages a subprocessor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of thirdparty beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the subprocessor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a subprocessor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the subprocessor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the subprocessor to fulfil its obligations under that contract.

(e) The data importer shall agree a thirdparty beneficiary clause with the subprocessor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the subprocessor contract and to instruct the subprocessor to erase or return the personal data.

Clause 10

Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a thirdparty beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a notforprofit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or nonmaterial damages the data importer or its subprocessor causes the data subject by breaching the thirdparty beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or nonmaterial damages the data exporter or the data importer (or its subprocessor) causes the data subject by breaching the thirdparty beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its subprocessor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g) The data importer may not invoke the conduct of a subprocessor to avoid its own liability.

Clause 13

Supervision

(a) The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.B, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

III. SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1   Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2   Review of legality and data minimization

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity.

The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

IV. SECTION IV – FINAL PROVISIONS

Clause 16

Noncompliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such noncompliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third party beneficiary rights.

Clause 18

Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of the EU Member State in which the data exporter is established.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts. 

ANNEX I

A.   DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Users of data exporters applications.

Categories of personal data transferred

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

The frequency of the transfer (e.g. whether the data is transferred on a oneoff or continuous basis).Continuous.

Nature of the processing

The performance of the services described in the agreement to which this appendix is attached.

Purpose(s) of the data transfer and further processing

The performance of the services described in the agreement to which this appendix is attached.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The term of the Master Agreement, and any such additional period stated the Master Agreement.

For transfers to (sub) processors, also specify subject matter, nature and duration of the processing 

The performance of the services described in the agreement to which this appendix is attached.

B.   COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

The data protection authority of the EU Member State in which the exporter is established.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA (SECURITY ADDENDUM )

Provider shall provide technical, organizational, and security measures as further detailed in Appendix C.   

APPENDIX C

Security Measures

1. PHYSICAL ACCESS CONTROLS.

The following measures have been implemented to prevent unauthorized persons from accessing the data processing equipment:

• Chip card/transponder locking system

• Manual locking system (e.g., keys)

• Security locks

• Identity checks at the gatekeeper or reception

• Visitors only accompanied by employees

  
  

2. SYSTEM ACCESS CONTROLS.

The following measures have been implemented to prevent unauthorized persons from accessing the data processing systems:

• Authentication with username and password

• Authentication with biometric data

• Use of mobile device management

• Encryption of data carriers

• Automatic desktop lock

• Encryption of notebooks/tablets

• Management of user permissions

• Creation of user profiles

• Central password rules

• Use of two-factor authentication

• General company policy on data protection or security

• Company policy for secure passwords

• Company "clean desk" policy

• Company policy on the use of mobile devices

• General instruction to manually lock the desktop when leaving the workplace

  
  

3. DATA ACCESS CONTROLS.

The following measures have been implemented to ensure that unauthorized persons do not have access to Personal Information:

• Physical deletion of data carriers before reuse

• Logging of access to applications (especially when entering, changing, and deleting data)

• Keeping the number of administrators as small as possible

• Management of user rights by system administrators

  
  

4. TRANSMISSION CONTROLS.

It is ensured that personal data cannot be read, copied, modified, or removed without authorization during transmission or storage on data carriers and that it is possible to check which persons or bodies have received personal data. The following measures are implemented to ensure this:

• Email encryption

• WLAN encryption (WPA2 with strong password)

• Logging of accesses and retrievals

• Provision of data via encrypted connections, such as SFTP or HTTPS

  
  

5. INPUT CONTROLS.

The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time:

• Assignment of rights to enter, change, and delete data based on an authorization concept

• Clear responsibilities for deletions

  
  

6. DATA BACKUPS.

The following measures ensure that Personal Information is protected against accidental destruction or loss and is always available to the client:

• Creation of a backup and recovery concept

• Hosting (at least of the most important data) with a professional host

  
  

7. DATA SEGREGATION.

The following measures ensure that Personal Information collected for different purposes is processed separately:

• Separation of production and test systems

• Logical client separation (on the software side)

• For pseudonymized data: Separate storage of the assignment file on a separate, secure IT system (encrypted if possible)

• Creation of an authorization concept

• Definition of database rights

  
  

8. DATA PROTECTION MANAGEMENT

The following measures are intended to ensure that an organization that meets the basic requirements of data protection law is in place:

• Use of the heyData platform for data protection management

• Commitment of employees to data secrecy

• Regular training of employees in data protection

  
  

9. ORDER CONTROL

The following measures ensure that personal data can only be processed in accordance with instructions:

• Written instructions to the contractor or instructions in text form (e.g., through a data processing agreement)

• Ensuring the destruction of data after completion of the order, e.g., by requesting appropriate confirmations

• Confirmation from contractors that they oblige their own employees to maintain data secrecy (typically in the contract processing agreement)

• Careful selection of contractors (especially with regard to data security)

• Ongoing review of contractors and their activities

• Ensuring that data is destroyed after completion of the order, e.g., by requesting appropriate confirmations