WHEREAS, the Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing; and
WHEREAS, the Parties wish to lay down their rights and obligations with respect to the same.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretations
1.1. “California Personal Information” shall mean Personal Information that is subject to the laws of California, particularly the CCPA.
1.2. “CCPA” shall mean the California Consumer Protection Act of 2018.
1.3. “Data Controller” shall mean the entity that determines the purposes and means of processing Personal Information and includes any natural or legal person, public authority, agency or any body, which alone or jointly with others, has the competency and authority to determine the purposes and means of processing of Personal Information.
1.4. “Data Protection Laws” means all applicable worldwide legislation involving the protection and processing of data and privacy which applies to the respective Party to this Agreement, including without limitation the EU General Data Protection Regulation, the CCPA, and the data protection and privacy laws of India, in each case as amended, repealed, consolidated or replaced from time to time.
1.5. “Data Subject” means an identified or identifiable natural person or the individual to whom the Personal Information relates.
1.6. “European Information” means Personal Information that is subject to the protection of European Data Protection Laws.
1.7. “European Data Protection Laws” shall include the data protection and privacy laws applicable in Europe, including Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, applicable data protection laws of the United Kingdom, and the Swiss Federal Data Protection Act, 1992 along with its Ordinance, in each case, as may be amended, superseded or replaced.
1.8. “Instructions” shall mean the written, documented instructions issued by You to the Data Processor, and directing the same to perform a specific or general action with regard to the Personal Information (including, but not limited to, depersonalising, blocking, deletion, making available, or otherwise).
1.9. “Personal Information” shall mean any identifiable information of the Data Controller where such information is protected as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
1.11. “Processing” means, including its variants, any operation or set of operations which is performed on Personal Information, encompassing the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, restriction or erasure of Personal Information performed by the Data Processor in compliance with the Instructions issued by You.
1.12. “Processor” means an entity that Processes Personal Information on behalf of the Data Controller.
1.13. “Sub-Processor” means a Processor engaged by or acting on behalf of a party who is acting as a Processor to Process Personal Information.
2. Your Responsibilities
3. Data Processor Obligations
3.3 Security. The Data Processor agrees and undertakes to implement and maintain appropriate technical and organisational measures to protect Personal Information from Personal Information Breaches. Notwithstanding any provision to the contrary, the Data Processor may modify or update the security measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by such measures.
3.4 Confidentiality. The Data Processor shall ensure that any personnel authorised to Process Personal Information on behalf of the Data Processor is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to the particular Personal Information.
3.6 Data Subject Requests. The Data Processor shall assist the Data Controller to enable the Data Controller to respond to any request from a Data Subject to exercise any of its rights under applicable Data Protection Laws, or any other correspondence, inquiry or complaint received from a Data Subject in connection with the processing of Personal Information.
3.7 Personal Information Breaches. The Data Processor shall notify You without undue delay after becoming aware of any Personal Information Breach and will provide timely updates and information relating to the Personal Information Breach as it becomes known or reasonably requested by You. At Your request, the Data Processor will promptly provide You with such reasonable assistance as necessary to enable You to take necessary steps to protect the sanctity of the Personal Information shared with the Data Processor, as well as to notify the same to competent authorities, if You are required to do so under Data Protection Laws.
4.1 The Data Processor reserves the right to engage affiliate Sub-Processors to carry out the Processing of Personal Information on behalf of the Data Processor. The Data Processor shall notify You of any changes to the entity in charge of Processing Your Personal Information. You agree and consent to the appointment of such affiliate Sub-Processors, and waive any objection to the Processing of Personal Information by affiliate Sub-Processors. The Data Processor undertakes to onboard affiliate Sub-Processors only after thorough scrutiny and due diligence, to ensure that the Processing of Your Personal Information is undertaken only in compliance with the requirements contained in this Agreement. This is to ensure that at least the same level of protection is extended to the Processing of Personal Information by affiliate Sub-Processors. The Data Processor shall remain responsible for the affiliate Sub-Processors’ compliance with the obligations of this Agreement and for any acts or omissions of such affiliate Sub-Processors that cause a breach of any of the obligations contained in this Agreement.
5. Data Transfers
6.1 The Parties agree and consent that either in compliance with applicable law or as and when deemed necessary by the Data Processor, the Data Controller and Data Processor may perform, and accordingly shall assist in the conducting of, audits regarding the Processing of Personal Information as well as its compliance with Data Protection Laws, either at the instance of a Party or by an auditor appointed by a Party.
6.2 The Parties further agree that each Party shall make available to the other all information necessary to demonstrate compliance with the obligations contained in this Agreement.
6.3 The Parties agree that each Party shall allow the other Party an opportunity to cause an inspection of the former Party’s premises and facilities where Personal Information is stored or Processed.
7.1 The Parties agree and undertake to duly examine, remain vigilant and notify the other in case a Party becomes aware of the existence of a breach of any obligation contained in any Data Protection Law so as to enable the Parties to cooperate in the rectification and curing of such breach, as well as to report such breach, and to share liability proportionately (where liability cannot be attributed to a single Party).
8. Provisions for European Information
8.1 Scope. This section shall apply only with respect to European Information.
8.2 Roles of the Parties. When Processing European Information in accordance with Your Instructions, the Parties acknowledge and agree that You are the Data Controller of European Information and the Data Processor is the Processor, as determined under applicable European law.
8.3 Instructions. If the Data Processor is of the opinion that Your Instruction infringes European Data Protection Laws (where applicable), the Data Processor shall inform You without delay.
8.5 Affiliate processor Agreements. You acknowledge that the Data Processor may be restricted from disclosing affiliate processor agreements, but the Data Processor shall use reasonable efforts to require any affiliate processor so appointed to permit it to disclose the said agreement to You, and shall provide (on a confidential basis) all information reasonably possible.
8.6 Transfer mechanisms for data transfers. The Data Processor shall not transfer European Information to any country or recipient not recognised as providing an adequate level of protection for Personal Information (within the meaning of applicable European Data Protection Laws), unless such transfer can be shown to be in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognised by the relevant authorities or courts as providing an adequate level of protection for Personal Information, to a recipient that has achieved binding corporate rules authorisation in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.
9. Additional provisions for California Personal Information
9.1 Scope. This section shall apply only with respect to California Personal Information.
9.2 Roles of the Parties. When Processing California Personal Information in accordance with Your Instructions, the Parties acknowledge and agree that You are a Business, and the Data Processor is a Service Provider for the purposes of the CCPA.
10. General Provisions
10.1 Amendments. Notwithstanding anything to the contrary and without prejudice to any of the sections in this Agreement, the Data Processor reserves the right to make any updates and changes to this Agreement.
10.2 Severability. If any individual provisions of this Agreement are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this Agreement will not be affected.