Master Lock Company Data Processing Addendum

Recitals

1. A. Master Lock has entered into one or more agreements (each an “Agreement”) with Customer and/or Customer Affiliates governing the provision of Services (which, unless the parties have entered into a separate written agreement, shall refer to the Master Lock Terms and Conditions located at masterlockvault.com/terms as of the date Customer began using the Services). In delivering the Services under each Agreement, Master Lock may process certain Personal Data controlled by Customer, a Customer Affiliate and/or their respective customers, partners or end users.
2. B. As part of its privacy policy and its contractual arrangements, Customer has provided certain assurances to its customers, partners and/or end users to ensure the appropriate protection of Personal Data when Customer engages third-party processors.
3. C. The Parties are entering into this DPA to ensure that the processing by Master Lock of Personal Data within the Services by Master Lock and/or on its behalf, is done in a manner compliant with Applicable Privacy Laws and its requirements regarding the collection, use and retention of Personal Data of Data Subjects.

Agreement

1. Definitions

1. 1.1 “Affiliate” means, with respect to the identified party, any entity that is directly or indirectly controlled by, controlling or under common control with such party.
2. 1.2 “Applicable Privacy Laws” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, EU Data Protection Law.
3. 1.3 “Authorized Person(s)” means any person who processes Personal Data on Master Lock's behalf, including Master Lock employees, officers, partners, principals, contractors and Subprocessors.
4. 1.4 “Data Subject” means an individual to whom the Personal Data relates.
5. 1.5 “Master Lock Group” means Master Lock Company LLC. and its Affiliates.
6. 1.6 “EU Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).
7. 1.7 “Model Clauses” means the Standard Contractual Clauses (controller to processor) promulgated by the EU Commission Decision 2010/87/EU (“SCC 2010”) attached as Annex B.
8. 1.8 “Personal Data” means information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. For the avoidance of doubt, Personal Data includes personally identifiable information.
9. 1.9 “Privacy Shield” means the EU-US and Swiss-US Privacy Shield self-certification programs operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 dated July 12, 2016 (as may be amended, superseded, or replaced) and the Federal Council of Switzerland, respectively.
10. 1.10 “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of 12 July 2016 pursuant to the Directive, details of which can be found at www.privacyshield.gov/eu- us-framework.
11. 1.11 “Security Breach” means a breach of security leading to any accidental, unauthorized or unlawful loss, disclosure, destruction, alteration or access to Personal Data processed through the Services or by a Master Lock Group member.
12. 1.12 “Sensitive Data” means any (i) bank, credit card or other financial account numbers or login credentials, (ii) social security, tax, driver’s license or other government-issued identification numbers, (iii) health information identifiable to a particular individual; or (iv) any “special” or “sensitive” categories of data as those terms are defined according to EU Data Protection Law or any similar category under other Applicable Privacy Laws.
13. 1.13 “Subprocessor” means any third party (including any Master Lock Affiliate) engaged by Master Lock to process any Personal Data that may contain Personal Data on behalf of Customer or who may receive Personal Data provided by Customer through the Services pursuant to the terms of the Agreement.
14. 1.14 "Services” refers to the services provided by the Application, each as defined within the Agreement.
15. 1.15 “Usage Data” means usage data collected by Master Lock relating to the use of the Services by Customer.
16. 1.16 The terms “Controller”, “Processor,” and “processing,” and “Personal Data Breach” have the meanings given to them in Applicable Privacy Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in EU Data Protection Law will apply.

2. Purpose; Ownership of Data

1. 2.1 Customer and Master Lock have entered into the Agreement pursuant to which Customer is granted access to the Services. In using the Services, Customer may submit through the Services or otherwise provide access to Master Lock certain Personal Data. Additionally, when using the Services, Master Lock will collect Usage Data. When such Personal Data or Usage Data contains Personal Data, it will be subject to the terms and conditions of this DPA.
2. 2.2 As between the Parties, all Personal Data processed under the terms of this DPA and the Agreement shall remain the property of Customer. Under no circumstances will any member of the Master Lock Group act, or be deemed to act, as a “Controller” (or equivalent concept) of the Personal Data processed within the Services under any Applicable Privacy Laws. Usage Data, except to the extent such Usage Data contains Personal Data collected from Customer, is and shall remain the property of Master Lock.

3. Subprocessing

1. 3.1 Customer agrees that Master Lock may appoint Subprocessors to assist it in providing the Services by processing Personal Data solely for the purpose of providing the Services, provided that such Subprocessors:
   1. (a) agree to act only on Master Lock instructions when processing the Personal Data (which instructions shall be consistent with Customer's processing instructions to Master Lock); and
   2. (b) agree to protect the Personal Data to a standard consistent with the requirements of this DPA, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they process consistent with the Security Standards described in Section 5.3.
2. 3.2 Master Lock remains fully liable for any breach of this DPA or the Agreement that is caused by an act, error or omission of such Subprocessor.
3. 3.3 Master Lock shall maintain an up-to-date list of all Subprocessors used in the provision of the Services who may have access to or process (a) Personal Data (which may contain Personal Data) or (b) other Personal Data received by Master Lock from Customer through the Services under the Agreement. Master Lock shall provide an updated list upon Customer’s reasonable request. Prior to the addition or change of any Subprocessors, Master Lock shall provide notice to Customer, which may include by updating the Subprocessor list on a website address provided to Customer not less than 30 days prior to the date on which the Subprocessor shall commence processing Personal Data. It is Customer’s responsibility to check this website for changes.
4. 3.4 In the event that Customer objects to the processing of its Personal Data by any newly appointed Subprocessor as described in Section 3.3, it shall inform Master Lock in writing within 10 calendar days after notice has been provided by Master Lock. In the event that Customer objects on reasonable grounds relating to the protection of Personal Data, Master Lock will either, at Master Lock’s option, (a) work with Customer to address Customer’s reasonable objections and thereafter proceed to use the Subprocessor to perform such processing; (b) instruct the Subprocessor to cease any further processing of Customer's Personal Data, which may result in new Services features enabled by the Subprocessor not being available to Customer; or (c) allow Customer to terminate the affected Agreement immediately.
5. 3.5 Customer acknowledges that any third-party services that may be linked to or used within the Master Lock Services (“Non-Master Lock Services”) are governed solely by the terms and conditions and privacy policies of such Non-Master Lock Services, and Master Lock does not endorse, is not responsible or liable for and makes no representations as to any aspect of such Non-Master Lock Services, including, without limitation, their content or the manner in which they handle your Personal Data or any interaction between Customer and the provider of such Non-Master Lock Services. Master Lock is not liable for any damage or loss caused or alleged to be caused by or in connection with Customer’s enablement, access or use of any such Non-Master Locks Services, or Customer’s reliance on the privacy practices, data security processes or other policies of such Non-Master Lock Services. The providers of Non-Master Lock Services shall not be deemed Subprocessors for any purpose under this DPA.

4. Cooperation

1. 4.1 Master Lock shall reasonably cooperate with Customer to enable Customer (or its third-party Controller) to respond to any requests, complaints or other communications from Data Subjects and regulatory or judicial bodies relating to the processing of Personal Data under the Agreement, including requests from Data Subjects seeking to exercise their rights under Applicable Privacy Laws (a “DSR”) insofar as this is possible. In the event that any such DSR, complaint or communication is made directly to Master Lock, Master Lock shall promptly pass such communication on to Customer and shall not respond to such communication without Customer’s express authorization. For the avoidance of doubt, the foregoing shall not prohibit Master Lock from communicating with a Data Subject if it is not reasonably apparent on the face of the communication to which customer of Master Lock the DSR relates.
2. 4.2 If Master Lock receives a subpoena, court order, warrant or other legal demand from a third party (including law enforcement or other public or judicial authorities) seeking the disclosure of Personal Data, Master Lock shall not disclose any information but shall promptly notify Customer in writing of such request, and reasonably cooperate with Customer if it wishes to limit, challenge or protect against such disclosure, to the extent permitted by applicable laws.
3. 4.3 To the extent Master Lock is required under Applicable Privacy Laws, Master Lock will assist Customer (or its third-party Controller) to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to Data Subjects. Customer shall be responsible for any costs arising from Master Lock’s provision of such assistance.
4. 4.4 At Customer’s written request, Master Lock will make reasonable efforts to provide Customer with all information necessary to demonstrate its compliance with EU Data Protection Law.
5. 4.5 If the Applicable Data Privacy Laws and corresponding obligations related to the processing of EEA change, the parties shall discuss in good faith any necessary amendments to this DPA.

5. Data Access & Security Measures

1. 5.1 Master Lock shall ensure that any Authorized Person is subject to a strict duty of confidentiality (whether a contractual, statutory or fiduciary duty) and that such person processes the Personal Data only for the purpose of delivering the Services under the Agreement to Customer.
2. 5.2 Master Lock will implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, including to protect against Security Breaches and to preserve the security, availability, integrity and confidentiality of Personal Data (“Security Measures”) in accordance with Applicable Privacy Law.
3. 5.3 Master Lock’s data protection shall include:
   1. (a) the pseudonymisation and encryption of Personal Data;
   2. (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
   3. (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
   4. (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

6. Security Breach

1. 6.1 In the event of a Security Breach, Master Lock shall without undue delay inform Customer and provide written details of the Security Breach, including the type of data affected and the identity of affected person(s) as soon as such information becomes known or available to Master Lock.
2. 6.2 Furthermore, in the event of a Security Breach, Master Lock shall:
   1. (a) provide timely information and cooperation as Customer may reasonably require to fulfil Customer’s Personal Data Breach reporting obligations under Applicable Privacy Laws; and
   2. (b) take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Breach and shall keep Customer up-to-date about developments in connection with the Security Breach.
3. 6.3 The decision whether to provide notification, public/regulatory communication or press release (each, a “Notification”) concerning the Security Breach shall be solely at Customer’s discretion, but the content of any Notification that names Master Lock or from which Master Lock’s identity could reasonably be determined shall be subject to the prior approval of Master Lock, which approval shall not be unreasonably withheld, conditioned or delayed, except as otherwise required by applicable laws and provided that conditioning of the Notification on Master Lock’s approval shall not prevent Customer from complying with Applicable Privacy Laws.

7. Security Records; Audits

Master Lock will keep at its normal place of business records of its processing of Customer Personal Data. To the extent Master Lock is required under Applicable Privacy Laws, at Customer’s reasonable request and with advance written notice, Master Lock will make available to Customer such records and information as is necessary to demonstrate its compliance with Applicable Privacy Laws with respect to its processing of Customer Personal Data and allow Customer or a mutually agreed-upon independent third party to conduct an audit to verify such compliance. Any such audit will be conducted (a) on reasonable advance written notice to Master Lock; (b) no more than once per year; (c) during Master Lock’s standard business hours; and (d) in such a manner to minimize disruption to Master Lock’s operations. Any information provided by Master Lock in connection with such audit or generated as a result of such audit must be protected as Master Lock’s confidential information subject to a separate non-disclosure agreement entered into between Master Lock and the recipient of such information before such audit. To request an audit, Customer must submit a detailed audit plan at least 90 days in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit, subject to mutual agreement between the parties. Customer will bear the costs of such audit.

8. Data Processing & Transfer

1. 8.1 If Customer Personal Data that originates in the European Economic Area (“EEA”) or Switzerland is transferred to Master Lock for processing in a country not subject to an adequacy decision in accordance with Applicable Privacy Laws (“Data Transfer”), the parties will conduct such Data Transfer in accordance with this Section 8.
2. 8.2 Master Lock will at all times provide an adequate level of protection for the Personal Data, wherever processed, in accordance with the requirements of Applicable Privacy Laws. Customer acknowledges that Master Lock and its Subprocessors may maintain data processing operations in countries that are outside of the EEA and Switzerland. As such, both Master Lock and its Subprocessors may process Personal Data in non-EEA and non-Swiss countries. This will apply even where Customer has agreed with Master Lock to use cloud instances of the Services located in the EEA.
3. 8.3 Master Lock shall process Personal Data (i) submitted to Master Lock by Customer through the Services only as a Processor acting on behalf of Customer (whether as Controller or itself a Processor on behalf of third-party Controllers); and (ii) in accordance with Customer’s documented instructions as set forth in this DPA, the Agreement or as otherwise necessary to provide the Services; provided that Master Lock shall inform Customer if, in its opinion, Customer’s processing instructions violate any law or regulation; in such event, Master Lock is entitled to refuse processing of Personal Data that it believes to be in violation of any law or regulation.
4. 8.4 Where Master Lock processes Personal Data under this DPA that is subject to EU Data Protection Laws:
   1. (a) If Master Lock maintains an active certification under the Privacy Shield, then any Data Transfers shall occur pursuant to the Privacy Shield, and Master Lock will provide at least the same level of protection to such Personal Data as is required by the Privacy Shield Principles, in conjunction with its own Privacy Shield certification;
   2. (b) If the Privacy Shield is invalidated or if Master Lock does not maintain an active certification under the Privacy Shield, then any Data Transfer will be conducted pursuant to the Model Clauses (which will be deemed executed by the parties as of the effective date of this DPA), and the following terms will apply:
      1. (1) Customer will be referred to as the “Data Exporter” and Master Lock will be referred to as the “Data Importer” in such clauses;
      2. (2) details in Annex A of this DPA will be used to complete Appendix 1 of those Model Clauses;
      3. (3) details of Section 5.3 of this DPA will be used to complete Appendix 2 of those Model Clauses; and
      4. (4) if there is any conflict between this DPA or the Agreement and the Model Clauses, with respect to Data Transfer, the Model Clauses will prevail.
   3. (c) Master Lock will promptly notify Customer if it makes a determination that it can no longer meet its obligations under Section 8.4(a) or (b) above, and in such event, will work with Customer and promptly take all reasonable and appropriate steps to stop and remediate (if remediable) any processing until such time as the processing meets the level of protection as is required by Section 8.2 and promptly cease (and procure all Subprocessors to promptly cease) processing such Personal Data if in Customer’s sole discretion, Customer determines that Master Lock has not or cannot correct any non-compliance with Section 8.2 above in accordance with this Section 8.4(c) within a reasonable time frame.
5. 8.5 Master Lock acknowledges that Customer may disclose this DPA and any relevant privacy or data protection provisions of the Agreement to the US Department of Commerce, European Data Protection Authorities, or any other US or EU judicial or regulatory body with jurisdiction (each, a “Data Regulatory Authority”) upon their request, provided that for the avoidance of doubt, this DPA shall remain confidential information subject to the restrictions in the Agreement notwithstanding any requirement to share it with a Data Regulatory Authority.

9. Obligations of Customer

1. (i) that the processing of Personal Data by Customer, including instructing the processing by Master Lock in accordance with this DPA, is and shall continue to be in accordance with all the relevant provisions of Applicable Privacy Laws, particularly with respect to the security, protection and disclosure of Personal Data;
2. (ii) that if processing by Master Lock or its Subprocessors involves any Sensitive Data, Customer has collected such Sensitive Data in accordance with Applicable Privacy Laws;
3. (iii) that Customer will inform its Data Subjects:
   1. (a) about its use of data processors to process their Personal Data, including Master Lock; and
   2. (b) that their Personal Data may be processed outside of the European Economic Area;
4. (iv) that it shall respond in reasonable time and to the extent reasonably practicable to inquiries by Data Subjects regarding the processing of their Personal Data by Customer, and to give appropriate instructions to Master Lock in a timely manner; and
5. (v) that it shall respond in a reasonable time to enquiries from a competent supervisory or Data Regulatory Authority regarding the processing of relevant Personal Data by Customer.

10. Deletion & Return

Upon Customer’s reasonable request or upon termination or expiry of the Agreement, Master Lock shall destroy all Personal Data in its possession or control. This requirement shall not apply to the extent that Master Lock is required by any applicable law to retain some or all of the Personal Data, in which event Master Lock shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

11. General

1. 11.1 This DPA shall be effective on the date Customer uses the Services to process Personal Data from residents of the EEA or Switzerland. The obligations placed upon Master Lock under this DPA shall remain in effect so long as Master Lock and/or its Subprocessors processes Personal Data on behalf of Customer.
2. 11.2 This DPA may not be modified except by a subsequent written instrument signed by both parties.
3. 11.3 If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
4. 11.4 In the event of any conflict between this DPA and any data privacy provisions set out in any Agreement, the parties agree that the terms of this DPA shall prevail, provided that each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA or the Agreement, whether in contract, tort or under any other theory of liability, shall remain subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA, including all Annexes hereto.

Annex A

Details of Processing

Description of Customer:

A Master Lock Vault Enterprise customer manages electronic locking devices and users, in a system defined to deliver electronic access control services and audit history.

As between the parties, Customer shall be the Data Controller of certain Personal Data provided to Master Lock related to Customer’s use of the Services.

Nature of Services provided by Master Lock:

Master Lock provides user and locking device management; application software; digital keys, temporary codes, audit history, geolocation information.

Duration of Processing

Master Lock will process Customer Personal Data in accordance with and until termination of the Agreement, or as otherwise specified by Customer.

Data subjects

The Personal Data transferred may concern the following categories of data subjects (please specify):

Employees, agents, contractors, and users of Customer.

Categories of data

The Personal Data transferred may concern at least the following categories of data (please specify):

Contact data (email address, first name, last name, password, phone number) and location data (audit history, device access geolocation).

Special categories of data (if appropriate)

The Personal Data transferred concern the following special categories of data (please specify):

n/a

Processing operations:

The Personal Data transferred will be subject to at least the following basic processing activities (please specify):

Contact Data / Login credentials: email, password to validate authorized usage, and determine which geographic region the user belongs to (EU, or other);

Audit History: used to provide Customer with access history of user and locking device; email, time, geolocation, locking device ID; method of access (digital key, temporary code, other codes); first name, last name

Annex B

Model Clauses

Standard Contractual Clauses (processors)

Name of the data exporting organisation: The Customer, as defined within the Master Lock Agreement

(the “data exporter” or “Customer”)

And

Name of the data importing organisation: Master Lock Company LLC.

a Delaware corporation
(the “data importer” or “Master Lock”)

each a “party”; together “the parties”, have agreed on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

1. (a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
2. (b) 'the data exporter' means the controller who transfers the personal data;
3. (c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
4. (d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
5. (e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
6. (f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. 1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. 2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. 3.The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. 4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

1. (a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
2. (b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
3. (c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
4. (d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
5. (e) that it will ensure compliance with the security measures;
6. (f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
7. (g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
8. (h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
9. (i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
10. (j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

1. (a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
2. (b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
3. (c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
4. (d) that it will promptly notify the data exporter about:
   1. (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
   2. (ii) any accidental or unauthorised access, and
   3. (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
5. (e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
6. (f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
7. (g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
8. (h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
9. (i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
10. (j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. 1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. 2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

   The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3. 3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. 1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
   1. (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
   2. (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. 2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. 1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. 2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. 3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1. 1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. 2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third- party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. 3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. 4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. 1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. 2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

Appendix 1 to the standard contractual clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Please see details set forth in Annex A to the Data Processing Addendum

Appendix 2 to the standard contractual clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Please see the Security Measures set forth in Section 5.3.

Appendix 3 to the standard contractual clauses

Where the EU Controller-to-Processor Model Clauses ("Clauses") apply pursuant to Section 8 of this Data Processing Addendum, then this Appendix 3 sets out the parties' interpretations of their respective obligations under specific provisions within the Clauses, as identified below. Where a party complies with the interpretations set out in this Appendix 3, that party shall be deemed by the other party to have complied with its commitments under the Clauses. When used below, the terms "data exporter" and "data importer" shall have the meaning given to them in the Clauses.

Nothing in the interpretations below is intended to vary or modify the Clauses or conflict with either party's rights or responsibilities under the Clauses and, in the event of any conflict between the interpretations below and the Clauses, the Clauses shall prevail to the extent of such conflict. Notwithstanding this, the parties expressly agree that any claims brought under the Clauses shall be exclusively governed by the limitations on liability set out in the Agreement. For the avoidance of any doubt, in no event shall any party limit its liability with respect to any data subject rights under the Clauses.

Clause 4(h): Obligations of the data exporter regarding non-disclosure requirements

Clause 5(a): Suspension of data transfers and termination:

1. 1. The parties acknowledge that data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses.
2. 2. The parties acknowledge that if data importer cannot provide such compliance for whatever reason, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract.
3. 3. If the data exporter intends to suspend the transfer of personal data and/or terminate these Clauses due to non-compliance, it shall endeavour to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”).
4. 4. If after the Cure Period the data importer has not or cannot cure the non-compliance then the data exporter may suspend or terminate the transfer of personal data immediately. The data exporter shall not be required to provide such notice in instance where it considers there is a material risk of harm to data subjects or their personal data.

Clause 5(f): Audit:

1. 1. Data exporter agrees to exercise its audit right under Clause 5(f) by instructing data importer to execute the audit measures as described in Section 7 of the DPA. Should a Data Regulatory Authority finally determine that this mechanism is not legally sufficient under the Clauses:
   1. a. the parties agree that data exporter audits conducted pursuant to Clause 5(f) will be conducted no more than annually unless the data exporter reasonably believes the data importer is failing to fulfil its obligations under these Clauses.
   2. b. Data exporter will endeavour to provide data importer with reasonable notice of its intent to conduct an audit and to cooperate reasonably with data importer in scheduling such audit. Data exporter will use reasonable endeavours to minimise any business disruption to data importer when conducting such audit.
   3. c. Any audit will be conducted at data exporter's expense and the data importer may charge reasonable day rates for any support it provides data exporter in connection with such audit (such rates to be agreed with the data importer in advance or, if no such agreement, then at the data importer's normal professional day rates). In the event that such audit reveals a material breach of these Clauses by the data importer, then the data importer shall bear the costs of such audit.
   4. d. Any auditor, whether internal to data exporter or a third party appointed by the data exporter, must execute a non-disclosure agreement in a form reasonably acceptable to data importer prior to accessing data importer's facilities or otherwise receiving confidential information from data importer in connection with such audit.

Clause 5(j): Disclosure of subprocessor agreements

1. 1. The parties acknowledge the obligation of the data importer to send promptly a copy of any onward subprocessor agreement it concludes under the Clauses to the data exporter upon the data exporter’s reasonable request and subject to any confidentiality provisions present in such subprocessor agreements.
2. 2. Accordingly, the parties agree that upon the request of data exporter, data importer shall provide all relevant information evidencing compliance with Clause 5(j). Should the information provided by data importer be insufficient to demonstrate data importer’s compliance with Clause 5(j) then data importer may provide a version of the onward subprocessor agreement with commercially sensitive and/or confidential information removed.
3. 3. Accordingly, the parties agree that any onward subprocessor agreement or information related thereto that data importer provides to data exporter shall constitute data importer's confidential information and shall not be disclosed by data exporter to any third party without data importer's prior agreement.

Clause 6: Liability

1. 1. Any claims brought under the Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in data importer's Agreement in effect as of the date of execution of these Clauses or other written or electronic agreement for data exporter’s use and purchase of data importer’s products and services. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.

Clause 11: Onward subprocessing

1. 1. The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled “FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC” the data exporter may provide a general consent to onward subprocessing by the data importer.
2. 2. Accordingly, data exporter provides a general consent to data importer, pursuant to Clause 11 of these Clauses, to engage onward subprocessors. Such consent is conditional on data importer’s compliance with the requirements set out below, which collectively ensure that the onward subprocessor will provide adequate protection for the personal data that it processes:
   1. a. any onward subprocessor must agree in writing: (i) to only process personal data in the European Economic Area or another country that the European Commission has formally declared to have an “adequate” level of protection in accordance with the requirements of EU Data Protection Law; or (ii) to process personal data on terms equivalent to these Model Clauses or pursuant to a Binding Corporate Rules approval granted by competent European data protection authorities and whose scope extends to transfers of personal data from the territories in which the data exporter is established; and
   2. b. data importer must restrict the onward subprocessor’s access to personal data only to what is strictly necessary to perform its subcontracted data processing services to data importer (which shall be consistent with the instructions issued to data importer by data exporter) and data importer will prohibit the onward subprocessor from processing the personal data for any other purpose.