This Global Data Protection Addendum (“Global Addendum”) sets forth the terms pursuant to which (i) a Party (the “Disclosing Party”) may transmit, disclose, or otherwise make available Personal Data to the other Party (the “Receiving Party”) for the Processing Purposes further defined in Annex A and (ii) Receiving Party may Process such Personal Data received from the Receiving Party for the Processing Purposes further defined in Annex A. This Global Addendum supplements and forms part of the DPA. This Global Addendum is effective as of the effective date of the Agreement (“Effective Date”).
This Global Addendum includes the exhibits ("Exhibits") listed below which form an integral part of this Global Addendum and are incorporated herein by reference:
Exhibit 1: EEA Data Protection Addendum
Exhibit 2: APAC Data Protection Addendum
Exhibit 3: State Privacy Law Addendum
Annex A: Purposes of Processing
In event of any dispute or conflict between the Global Addendum and any of the Exhibits, the relevant Exhibit shall prevail.
For purposes of this Global Addendum, the following terms will have the meaning ascribed below:
“Data Breach” means any unauthorised access to, or use, loss, disclosure or other processing of data, including but not limited to, Personal Data, or as may be otherwise defined under Data Protection Laws.
“EEA” means the European Economic Area.
“Supervisory Authority” means the relevant regulatory authority under Data Protection Laws.
“Third Country” means any jurisdiction other than the jurisdiction in which the Disclosing Party is established, or if the Disclosing Party is established in the EEA, any jurisdiction outside the EEA.
“UK” means the United Kingdom.
“Controller”, “Processor”, “Personal Data” and “Process(-ing)” (or their analogous terms) shall have the meanings ascribed to them in the applicable Data Protection Laws.
Under this Global Addendum, each Party acts as a separate and distinct independent Controller.
In the event that any Disclosing Party, as a Processor on behalf of a Controller, provides Personal Data to Receiving Party, the Disclosing Party will ensure that the Controller on whose behalf it is providing Personal Data has agreed to the obligations set forth in Sections 3 and 5 of this Global Addendum.
In the event that any Receiving Party, as a Processor on behalf of a Controller, receives Personal Data from Disclosing Party, the Receiving Party will ensure that the Controller on whose behalf it is receiving Personal Data has agreed to the obligations set forth in Sections 4, and 5 of this Global Addendum.
Disclosing Party will
Take all reasonable steps appropriate to ensure that the Personal Data it shares with the Receiving Party is accurate, complete, relevant and up to date and correct any errors in the relevant Personal Data as soon as practicable and communicate the rectifications to third parties, if applicable.
Implement appropriate technical and organisational measures to ensure the security of the Personal Data whilst in transit to the Receiving Party.
Receiving Party will
Only Process the Personal Data in order to perform its obligations under the Agreement and for the Processing Purposes.
Ensure that any person acting under its authority in relation to the Personal Data, including a Processor, Processes the Personal Data only on the Receiving Party’s instructions and ensure such persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Notify Disclosing Party as soon as reasonably practicable upon becoming aware of a Data Breach affecting Personal Data Processed in connection with the Agreement.
Not refer to Disclosing Party in any notification of a Data Breach to a Supervisory Authority or third party unless required to do so by law.
Appoint an individual within Receiving Party's organization who will be responsible for ensuring that Receiving Party complies with its obligations regarding data protection as set out in the Agreement and this Global Addendum. The Receiving Party will make available this individual's contact details to Disclosing Party on Receiving Party's written request.
Ensure that – in case Receiving Party engages a Processor for the Processing of Personal Data received from Disclosing Party – all necessary steps to facilitate compliance with requirements regarding the engagement of Processors under applicable Data Protection Laws are taken.
The Parties
Shall ensure the Personal Data is adequate, relevant and limited to what is necessary in relation to the Agreement and the Processing Purposes.
Shall cooperate with each other and provide assistance, to the extent reasonably requested, in relation to requests or complaints by Data Subjects, any inquiries or investigations conducted by any Supervisory Authority with respect to Personal Data.
Shall, in case the Receiving Entity is established in a Third Country, take all necessary steps to facilitate compliance with requirements regarding transfers of Personal Data to such Third Country under applicable Data Protection Laws.
Each shall be responsible for their own reporting and information obligations related to Data Breaches as required by applicable Data Protection Laws.
Conflicts. In the event of a conflict between this Global Addendum and any provision of its Exhibits, the Exhibit shall prevail.
Survival. This Global Addendum will survive any expiration or termination of the Agreement.