Data Protection Addendum
Last updated on December 1, 2022
Data Protection Agreement
This Data Protection Agreement is entered into by and between Intango Ltd. and its Affiliates (“Company”) and the legal entity, vendor, or third-party provider (“Recipient”), to reflect the parties’ agreement with regard to the Processing of Personal Data as more fully described in this Data Protection Agreement (“DPA”). Each party shall be referred to as a “Party”, together the “Parties”.
If you are accepting this DPA on behalf of Recipient, you warrant that: (a) you have full legal authority to bind Recipient to this DPA; and (b) you have read and understood its terms including any supplementary documents incorporated by reference herein. If you do not have the legal authority to bind Recipient, please do not accept this DPA.
This DPA reflects the Parties’ agreement on the processing of Personal Data in connection with the Data Protection Laws. Any ambiguity in this DPA shall be resolved to permit the Parties to comply with all Data Protection Laws. In the event and to the extent that the Data Protection Laws impose stricter obligations on the Parties than under this DPA, the Data Protection Laws shall prevail.
2. DEFINITIONS AND INTERPRETATION
2.1 In this DPA:
2.1.1 “Affiliate” means any person or entity directly or indirectly controlling, controlled by, or under common control with a Party. For the purpose of this definition, “control” (including, with correlative meanings, the terms “controlling”, “controlled by” and “under common control with”) means the power to manage or direct the affairs of the person or entity in question, whether by ownership of voting securities, by contract or otherwise.
2.1.2 “Approved Jurisdiction” means a jurisdiction approved as having adequate legal protections for data by the European Commission, currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
2.1.3 “Data Protection Laws” means any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or federal or national level, pertaining to data privacy, data security or the protection of Personal Data, including but not limited to the Privacy and Electronic Communications Directive 2002/58/EC (as amended, and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), the UK’s Privacy and Electronic Communications Regulation 2003 (PECR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and the regulations promulgated thereunder (“CCPA”), including any amendments or replacements to the foregoing. In this DPA, unless stated otherwise, all references to the GDPR include the UK GDPR as well.
2.1.4 “Data Subject” means a natural person to whom Personal Data relates.
2.1.5 “Personal Data” means any information which could be used, either directly or by employing additional means, to identify a natural person, and that is shared with or processed by the Recipient in the context of the performance of the Agreement.
2.1.6 “Security Incident” shall mean any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach will comprise a Security Incident.
2.1.7 “Standard Contractual Clauses” means: (a) with respect to transfers to which the GDPR applies – Module One of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021, as available here; and (b) with respect to transfers to which the UK GDPR applies – the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which was entered into force on 21 March, 2022, as available here; both (a) or (b) above, as applicable, are incorporated herein by reference.
2.1.8 “Effective Date” means the effective date of the Agreement.
2.1.9 The terms “controller”, “processing” and “processor” as used in this DPA have the meanings given to them in Data Protection Laws. Where applicable, a controller shall be deemed to be a “Business” and a processor shall be deemed to be a “Service Provider”, as these terms are defined in the CCPA.
2.1.10 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
3. APPLICATION OF THIS DPA
3.1 This DPA will only apply to the extent all of the following conditions are met:
3.1.1 Either Party processes Personal Data that is made available by the other Party in connection with the Agreement;
3.1.2 The Data Protection Laws apply to the processing of Personal Data.
3.2 This DPA will only apply to the services to which the Parties agreed in the Agreement, which incorporates the DPA by reference.
4. ROLES AND RESTRICTIONS ON PROCESSING
4.1 Independent Controllers. Each Party:
(a) is an independent controller of Personal Data under the Data Protection Laws;
(b) will, as required under the Data Protection Laws, maintain accurate written records of all the processing activities conducted by that Party in relation to any Personal Data for the purposes of performing its respective obligations under the Agreement;
(c) will individually determine the purposes and means of its processing of Personal Data;
(d) will be responsible to ensure that any Personal Data collected and processed by such Party is accurate and remains accurate for the duration of its processing;
(e) will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data;
(f) will be responsible to exercise and respond to any requests by data subjects to exercise their rights under Data Protection Laws, including (but not limited to) Articles 15-22 of the GDPR (“Data Subject Rights”), and shall provide reasonable cooperation and assistance to the other Party in connection with exercising Data Subject Rights;
(g) will promptly notify the other Party of any circumstances in which such Party is unable or becomes unable to comply with this DPA or Data Protection Laws, or any actual or potential changes to Data Protection Laws, if this shall affect the other Party’s ability to comply with its obligations under this DPA or Data Protection Laws.
4.2 Restrictions on Processing. Section 4.1 (Independent Controllers) will not affect any restrictions on either Party’s rights to use or otherwise process Personal Data under the Agreement.
4.3 Sharing of Personal Data. In performing its obligations under the Agreement, the Recipient shall process Personal Data provided by the Company (i) only for the purposes set forth in the Agreement or as otherwise agreed to in writing by the Parties, provided such processing strictly complies with (a) Data Protection Laws, and (b) its obligations under the Agreement (the “Permitted Purposes”), provided that it will not do or permit any act or omission which would cause the Company to incur any liability under Data Protection Laws, and (ii) solely during the term of the Agreement, and shall securely delete or return the copies of the disclosed Personal Data to the Company (by secure file transfer in such format as the Company reasonably requests) and cease the processing of the disclosed Personal Data, and shall certify to the Company to that effect, unless and only insofar as the processing of the Personal Data is required for the fulfillment of the Permitted Purposes or is permissible under Data Protection Laws, and in which case the Recipient will inform the Company of any such requirement and only further process the Personal Data as necessary to comply with the foregoing.
4.4 Lawful grounds and transparency. Each Party shall maintain a publicly-accessible privacy notice that satisfies transparency disclosure requirements of Data Protection Laws, and warrants and represents that it has provided Data Subjects with appropriate transparency regarding data collection and use and all required notices, in accordance with Data Protection Laws, including Articles 13 and 14 of the GDPR. Where either Party collects Personal Data and discloses such Personal Data to the other Party, then the disclosing Party shall ensure it has obtained and recorded any and all consents or permissions necessary under Data Protection Laws, or other applicable lawful grounds, in order for itself and the other Party to Process such Personal Data as set out herein. The foregoing shall not derogate from either Party’s responsibilities under the Data Protection Laws (such as the requirement to provide information to the data subject in connection with the processing of Personal Data).
4.5 Subcontracting. Where either Party subcontracts the processing activities of Personal Data contemplated herein to a third party, it shall ensure that such third party enters into written contractual obligations which are (in the case of a third-party controller) no less onerous than those imposed by this DPA or (in the case of a third-party processor) compliant with Article 28 of the GDPR. Each Party shall be liable for the acts or omissions of its subcontractors to the same extent it is liable for its own actions or omissions under this DPA.
5. PERSONAL DATA TRANSFERS
5.1 Where the GDPR is applicable, either Party may transfer Personal Data outside the European Economic Area or an Approved Jurisdiction, subject to one of the appropriate safeguards in Article 46 of the GDPR.
5.2 Where the GDPR is applicable, to the extent that Recipient processes Personal Data outside the EEA or an Approved Jurisdiction, then the Parties shall be deemed to enter into module 1 of the Standard Contractual Clauses, subject to any amendments contained in Schedule A, in which event: (i) the Standard Contractual Clauses are incorporated herein by reference; and (ii) the Company shall be deemed as the data exporter and the Recipient shall be deemed as the data importer (as these terms are defined therein).
5.3 Where the UK GDPR is applicable, to the extent that Recipient processes Personal Data outside the UK, EEA or an Approved Jurisdiction then the Parties shall be deemed to enter into the UK Addendum in addition to the Standard Contractual Clauses, subject to any amendments contained in Schedule A, in which event: (i) the Standard Contractual Clauses are incorporated herein by reference; and (ii) the Company shall be deemed as the data exporter and the Recipient shall be deemed as the data importer (as these terms are defined therein).
6. PROTECTION OF PERSONAL DATA.
6.1 The Parties will provide a level of protection for Personal Data that is at least equivalent to that required under Data Protection Laws. Both Parties shall implement appropriate technical and organizational measures to protect the Personal Data.
6.2 In the event that a Party suffers a confirmed Security Incident with respect to Personal Data disclosed from the other Party, such Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident. In the event that a Party suffers a confirmed Security Incident, then such Party shall be responsible to notify the supervisory authority and/or the Data Subjects with respect to such Security Incident, as required under Data Protection Laws.
7. MUTUAL ASSISTANCE
7.1 Each Party will:
7.1.1 work together in good faith to reach an agreement with regard to any issues arising from time to time in relation to the processing of Personal Data in connection with the Agreement and this DPA;
7.1.2 inform the other Party (without delay) in the event that it receives a Data Subject request related solely to the other Party’s processing activities and provide all reasonable assistance to ensure Data Subject requests are completed within the timeframe set out in Data Protection Laws;
7.1.3 provide the other Party with reasonable assistance (having regard to the data available to it) to enable the other Party to comply with any Data Subject request received by the other Party and to respond to any other queries or complaints from Data Subjects;
7.1.4 provide the other Party with such assistance as the other Party may reasonably request from time to time to enable the other Party to comply with its obligations under the Data Protection Laws including (without limitation) in respect of security, breach notifications, impact assessments and consultations with supervisory authorities or other regulators;
7.1.5 provide the other Party with such information as it may reasonably request in order to: (a) monitor the technical and organizational measures being taken to ensure compliance with the Data Protection Laws, or (b) satisfy any legal or regulatory requirements, including information reporting, disclosure and other related obligations to any regulatory authority from time to time;
7.1.6 in the event of an actual Security Incident which does or is reasonably likely to affect the respective processing activities of both Parties, cooperate in good faith to consider what action is required in order to resolve the issue in accordance with the Data Protection Laws, and provide such reasonable assistance as is necessary to the other Party to facilitate the handling of such Security Incident in an expeditious and compliant manner.
8. OBLIGATIONS UNDER THE CCPA
8.1 To the extent that Recipient processes Personal Data of Californian residents for a Business Purpose (as it is defined under the CCPA), it shall be regarded as a Service Provider and be subject to the following obligations:
8.1.1 Recipient shall not sell such Personal Data (as the term “sell” is defined under the CCPA).
8.1.2 Recipient is prohibited from retaining, using, or disclosing such Personal Data for a commercial purpose other than providing the services to Company under the Agreement.
8.1.3 Recipient understands its obligations under this clause and will comply with them.
9. RESOLUTION OF DISPUTES WITH DATA SUBJECTS OR SUPERVISORY AUTHORITIES
9.1 If either Party is the subject of a claim by a Data Subject or a supervisory authority or receives a notice or complaint from a supervisory authority relating to its respective processing activities (a “DP Claim”), it shall promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim.
9.2 Where the DP Claim concerns the respective processing activities of one Party only, then that Party shall assume sole responsibility for disputing or settling the DP Claim.
9.3 Where the DP Claim concerns the respective processing activities of both Parties, then the Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the DP Claim in a timely manner, provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.
10.1 Notwithstanding anything else in the Agreement, the total liability of either Party towards the other Party under or in connection with this DPA will be limited to the maximum monetary or payment-based amount at which that Party’s liability is capped under the Agreement.
11.1 If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, then the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
11.2 If there is any conflict or inconsistency between the terms of this DPA and the Standard Contractual Clauses, the terms of the Standard Contractual Clauses will govern.
12. CHANGES TO THIS DPA.
12.1 No changes, modifications or amendments to this DPA shall be valid or binding, unless made in writing and signed by both Parties.
12.2 If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective processing activities.