DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the End User License Agreement or Terms of Use available at https://www.42gears.com/trust-center/ or such other location as the Terms of Use/EULA may be posted from time to time as applicable (the “Agreement”), entered into by and between the (“Customer”) and the 42Gears contracting entity (42Gears Mobility Systems Pvt. Ltd., hereinafter referred to as “42Gears”), and is incorporated by reference into this Addendum. Customer’s location determines the 42Gears entity as provided in the End User License Agreement or Terms of Use. The purpose of this Data Processing Addendum is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of (i) the General Data Protection Regulation, (ii) the Brazilian General Data Protection Law (Federal Law 13.709/2018) (“LGPD”), (iii) the California Consumer Protection Act/California Privacy Rights Act, 2023, (iv) the UK-GDPR and (v) the Swiss Federal Act of 19 June 1992 on Data Protection (“FADP”) or any other relevant applicable data protection law and regulations (collectively, “Applicable Data Protection Law”).
The Data Processing Addendum will not apply where 42Gears acts as Data Controller. This Data Processing Addendum applies when Personal Data is processed by 42Gears on behalf of customers and/or partners. In this context 42Gears will act as a “processor” to the Customer/Partner, who may act either as a “Controller” or a “Processor” with respect to the Customer Data (as each term is defined below in accordance with the GDPR or applicable laws/regulations).
1. DEFINITIONS:
- AGREEMENT: means the agreement between 42Gears and the Customer whether in any written or electronic form to provide Service to the Customers.
- DATA CONTROLLER: means the natural or legal person, entity, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- DATA PROCESSOR: means any natural or legal entity who processes the personal data on behalf of the data controller.
- SECURITY BREACH: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, customer data transmitted, stored, or otherwise processed in connection with the provision of services by 42Gears. A Security Incident shall exclude any unsuccessful attempt or activity that does not pose a threat to the security of Customer Data. This includes, but is not limited to, actions such as pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not lead to access beyond header information), and similar occurrences.
- PERSONAL DATA: means any information, including personal information, relating to an identified or identifiable natural person (“data subject”) or as defined in and subject to Applicable Data Protection Legislation.
- CUSTOMER DATA: means any data, including personal data, that 42Gears accesses or receives, or that Customer sends or uploads for storage or processing, in order for 42Gears to perform the Services.
- SERVICES: any cloud services or customer support provided by 42Gears to the Customers pursuant to this Agreement.
- SUB-PROCESSOR: means any third-party service provider that 42Gears or its Affiliates have engaged or may engage to process personal data of its Customers pursuant to this Agreement. Sub-processors may include third parties or 42Gears Affiliates but shall exclude 42Gears employees, contractors or consultants.
- ISO 27001 CERTIFICATION: means ISO/IEC 27001:2019 certification or a comparable certification for the Processor Services.
- SECURITY INCIDENT: means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by 42Gears.
- SENSITIVE DATA: means (a) social security number, tax file number, passport number, driver's license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of "special categories of data" under applicable Data Protection Laws.
- CALIFORNIA PRIVACY RIGHTS ACT, 2023 or “CPRA”: means Assembly Bill 375 of California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018.
- STANDARD CONTRACTUAL CLAUSES: means ANNEXURE 1, attached to and forming part of this Data Processing Addendum pursuant to the European Commission Decision of 5th January 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC.
2. OBJECTIVES OF DATA PROCESSING:
- 42Gears undertakes to process personal data on behalf of the Customer in accordance with the conditions laid down in this Data Processing Addendum. The processing will be executed exclusively within the framework of the Addendum, and for all such purposes as may be agreed to subsequently.
- 42Gears shall refrain from making use of the personal data for any purpose other than as specified by the Customer. The Customer will inform 42Gears of any such purposes which are not contemplated in this Data Processing Addendum.
- All personal data processed on behalf of the Customer shall remain the property of the Customer and/or the relevant Data subjects.
- 42Gears shall not, on its behalf, make any unilateral decisions regarding the processing of the personal data other than the purpose as set out in the Agreement.
- The parties shall at all times comply with the applicable data protection legislation and privacy laws, including without limitation the EU Privacy Directive and the General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act/ California Privacy Rights Act, 2023 (“CCPA/CPRA”). The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller (or Business under CCPA/CPRA) and 42Gears is the Data Processor (or Service Provider under CCPA/CPRA).
- Processor and Controller will timely provide each other with all necessary information regarding the Processing of Personal Data to enable compliance with the relevant Data Protection Laws and Regulations.
- 42Gears will not be held responsible for any Data Protection Losses that occur as a result of or in association with processing carried out in compliance with the Controller's instructions.
- Regardless of the foregoing prohibitions, the parties agree that 42Gears may, and Controller instructs 42Gears to, process Personal Data for the following activities that are necessary to support the Services: detect data security incidents; protect against fraudulent or illegal activity; effectuate repairs; and provide, maintain, or improve the quality of the services.
3. 42GEARS OBLIGATIONS TO PROCESS PERSONAL DATA:
- 42Gears shall warrant compliance with the applicable data protection laws and regulations governing the protection of personal data, including the General Data Protection Regulation, which took effect on 25th May, 2018.
- 42Gears shall furnish to the Customer, promptly on request, details regarding the measures it has adopted to comply with its obligations under this Data Processing Addendum. The obligations arising under the terms of this Data Processing Addendum also apply to each Sub-Processor who processes personal data under the instruction of 42Gears. Without limiting the generality of the foregoing, to the extent the California Consumer Privacy Act of 2018/California Privacy Rights Act, 2023, as amended, Cal. Civ. Code § 1798.100 et seq. (“CCPA/CPRA”), applies to any Personal Data, such Personal Data will be disclosed by Customer to 42Gears for a ‘business purpose’ and 42Gears will act as Customer’s ‘service provider’, as such terms are defined under the CCPA/CPRA. 42Gears will not retain, use or disclose Personal Data for a commercial or any other purpose other than for the specific purpose of providing the Services, as further described in the Agreement, or as otherwise permitted by the CCPA/CPRA.
4. ALLOCATION OF RESPONSIBILITY:
- 42Gears shall only be responsible for processing the personal data under this Data Processing Addendum, in accordance with the Customer’s instructions and under the (ultimate) responsibility of the Customer. 42Gears is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Customer to 42Gears.
- Customer represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Customer represents and warrants that the contents are not unlawful and do not infringe. This document is proprietary and confidential. No part of this document may be disclosed in any manner to a third party without the prior written consent of 42Gears. In this context, the Customer indemnifies 42Gears of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Data Processing Addendum.
- The Customer will not provide (or cause to be provided) any Sensitive Data to 42Gears for processing under this Agreement, and 42Gears will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
5. SUB-PROCESSORS:
- 42Gears is authorized within the framework of the Agreement to engage the Sub-processors mentioned in Annex 4 (which may be updated from time to time) to provide certain services on its behalf.
- 42Gears shall in any event ensure that the Sub-processor is obliged to agree in writing to duties substantially similar to those agreed between the Customer and 42Gears as set out in this Data Processing Addendum.
- 42Gears agrees (i) to provide at least 10 days’ prior notice to Customer of any new appointment or replacement of an existing Sub-processor to process Personal Data and (ii) if Customer objects to a new Sub-processor on reasonable data protection grounds within thirty (30) days of receiving the notice, to discuss those concerns with the Customer in good faith with a view to achieving a resolution. In the event that the parties are unable to find such a solution, Customer may terminate the Agreement at no additional cost.
- Processor shall not subcontract any of its Processing operations regarding Controller’s Personal Data without the express prior written consent of Controller whose consent shall not be withheld in case of a reasonable request.
- Processor shall only subcontract its Processing operations regarding the Personal Data by way of a written agreement signed between the Processor and the Sub-processor which is in accordance with the obligations and restrictions imposed on the Processor by the applicable Data Protection Laws and Regulations and the principles set forth in this Data Processing Agreement.
6. DUTY TO REPORT SECURITY INCIDENT:
- If the Processor becomes aware of any incident involving the accidental, unlawful or unauthorized destruction, loss, alteration, disclosure of or access to Controller’s Personal Data, the Processor shall notify the Controller without undue delay within 48 hours about the Data Security Breach or security incident related to the Processing of Personal Data under this Data Processing Agreement and the 42Gears Terms. Further, 42Gears shall investigate and provide the Controller with sufficient information related to the Data Security Breach in order to meet any legal obligation to report or inform Data Subjects or the Supervisory Authority of the Data Security Breach under the applicable Data Protection Laws and Regulations. 42Gears will endeavor that the furnished information is complete, correct, and accurate.
- In case of a security incident Processor will promptly take adequate measures to mitigate the consequences of the incident and to prevent future incidents. Processor will ensure reasonable cooperation in order to enable the Controller to comply with its legal obligation to notify of Data Security Breaches and to inform Data Subjects and the Supervisory Authority within the time frame provided in the applicable Data Protection Laws and Regulations.
- Under the GDPR or under any applicable law and/or regulation, 42Gears shall cooperate in notifying the relevant authorities and/or Data subjects. However, 42Gears obligation to notify or respond is not an acknowledgment by 42Gears of any fault or liability with respect to the Security incident.
- Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means 42Gears selects, including via email. It is Customer’s sole responsibility to ensure that Customer’s administrators maintain accurate contact information on the 42Gears SureMDM console and secure transmission at all times.
- The obligations contained in Section 6 should not apply to security incidents that are caused by Customer or Customer’s users. However, 42Gears may notify Customers promptly upon becoming aware of any such security incident.
7. SECURITY:
- 42Gears will endeavor to take adequate technical and organizational measures against loss or any form of unlawful processing (such as unauthorized disclosure, deterioration or alteration of personal data) in connection with the processing of personal data mentioned under Annex 2 of this Data Processing Addendum.
- 42Gears will endeavor to ensure that the security measures are of a reasonable level, having regard to the sensitivity of the personal data and the costs related to the security measures.
- The Customer will solely assure its own security measures for secure transfer of personal data to 42Gears. 42Gears will adopt appropriate security measures to ensure data security while transferring the personal data back to the Customer including (a) the security measures mentioned in ANNEX 2, (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; and (c) backing up Customer Data.
- To evaluate and ensure the continued effectiveness of the security measures, 42Gears will maintain the ISO-27001 Certification, will restrict its personnel from processing Personal Data without authorization (unless required to do so by applicable law) and will ensure that any person authorized by 42Gears to Process Personal Data is subject to an obligation of confidentiality.
- Customer acknowledges that the security measures are subject to technical progress and development and that 42Gears may update or modify the security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
8. RESPONSE TO DATA SUBJECTS:
Where a Data subject submits a request to 42Gears to exercise any of its rights under the General Data Protection Regulation or any applicable law/regulation, 42Gears, taking into account the nature of processing, will use commercially reasonable efforts to forward such request to the Customer, and the request will then be dealt with by the Customer. 42Gears will not respond directly to such request without obtaining the prior approval of the Customer. If 42Gears is required to respond to the Data Subject Request directly, it will promptly notify the Customer of such request, unless 42Gears is prohibited from doing so under any applicable law/regulation. To the extent legally permitted, Customer shall be responsible for any costs arising from 42Gears’ provision of such assistance.
9. DATA CENTRE AND INTERNATIONAL TRANSFER:
9.1 42Gears uses reputed cloud service providers such as AWS, GCP etc. to host the services. Information about the locations of the datacenter is available at our privacy policy: https://www.42gears.com/trust-center/privacy/privacy-policy/.
9.2 Subject to Section 9.3, Customer acknowledges that 42Gears may transfer and process Customer Data to and in the United States and anywhere else in the world where 42Gears, its Affiliates or its Sub-processors maintain data processing operations. 42Gears shall at all times ensure that such transfers are made in compliance with the requirements of applicable Data Protection Laws and this DPA.
9.3 Australian Data. To the extent that 42Gears is a recipient of Customer Data protected by the Australian Privacy Law, the parties acknowledge and agree that 42Gears may transfer such Customer Data outside of Australia as permitted by the terms agreed upon by the parties and subject to 42Gears complying with this DPA and the Australian Privacy Law.
9.4 European Data transfers. To the extent that 42Gears is a recipient of Customer Data protected by EU Data Protection Laws ("EU Data") in a country outside of Europe that is not recognized as providing an adequate level of protection for personal data (as described in applicable EU Data Protection Law), the parties agree to the following:
(a) SCCs: 42Gears agrees to abide by and process EU Data in compliance with the SCCs in the form set out in Annexure 1. For the purposes of the descriptions in the SCCs, 42Gears agrees that it is the "data importer" and Customer is the "data exporter" (notwithstanding that Customer may itself be an entity located outside Europe).
9.5 Alternative transfer mechanism. To the extent 42Gears adopts an alternative data export mechanism (including any new version of or successor to the SCCs) for the transfer of EU Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable EU Data Protection Law and extends to the countries to which EU Data is transferred). In addition, if and to the extent that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer EU Data (within the meaning of applicable EU Data Protection Law), 42Gears may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of EU Data.
9.6 South African data transfers. To the extent that 42Gears is a recipient of Customer Data protected by POPIA in a country outside South Africa that does not provide for an adequate level of protection for personal data similar to the protections under POPIA, 42Gears shall process the Customer Data as permitted by the terms agreed upon by the parties and subject to 42Gears complying with this DPA and the data protection principles in POPIA.
9.7 Processor will only Process Personal Data on behalf of and in accordance with Controller’s documented instructions in the course of providing the Services under the 42Gears Terms or to comply with legal obligations to which Processor or its affiliated companies are subject. For the avoidance of doubt, Controller will ensure that its instructions for the Processing of Personal Data comply with the applicable Data Protection Laws and Regulations. If, however, at any time during the execution of this Data Processing Agreement and the 42Gears Terms, Processor establishes that Controller’s instructions appear in any way to be unlawful or non-compliant with the applicable legislation, Processor shall without undue delay notify Controller and wait for further instructions.
9.8 In the event a legal requirement prevents Processor from complying with Controller’s instructions or requires Processor to Process the Personal data for a particular purpose or to disclose the Personal Data to a Third Party, Processor shall inform Controller in writing of the relevant legal requirement before carrying out the relevant Processing activities and co-operate with Controller regarding the manner of such disclosure.
9.9 Processor shall not perform cross-border Transfers outside the EEA, disclose or otherwise permit access to the Personal Data to any Third Party for any purpose, without Controller’s prior written consent, unless the Transfer, the disclosure or the access permission are strictly necessary in order to comply with a legal obligation or for the performance of the Services and Processor’s compliance with the terms of this Data Processing Agreement and the 42Gears Terms. Notwithstanding the above, for the Processing of Personal Data outside the EEA, Processor will provide Controller with an overview of the countries in which the Personal Data is Processed or transferred to. Upon signing this Data Processing Agreement, Controller gives its consent for the processing of Personal Data by the Processor or its Sub-processors in the countries as per this agreement.
10. AUDIT:
- Customer agrees that its right to audit 42Gears may be satisfied by 42Gears presenting valid certifications, reports or extracts from independent bodies, including external or internal auditors, the IT security department, data protection or quality auditors or other mutually agreed third parties, or certification by way of an IT security or data protection audit.
- To the extent it is not possible to satisfy an audit obligation mandated by applicable Data Protection Laws and Regulations through such attestations, reports or extracts, the Customer may conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow 42Gears’ reasonable security requirements and will not interfere unreasonably with 42Gears’ business activities.
- Customer shall bear all audit costs and shall not audit 42Gears’ processes more than once annually.
- 42Gears may object to any third-party audit if the auditor is, in 42Gears’ reasonable opinion, not suitably qualified or independent, a competitor of 42Gears or otherwise manifestly unsuitable. Any such objection by 42Gears will require the Customer to appoint another auditor or conduct the audit itself. Nothing in this Data Protection Addendum will require 42Gears either to disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access:
  - any data of any other Customer of 42Gears or any of its entities;
  - 42Gears’ internal accounting or financial information;
  - any trade secret of 42Gears;
  - any information that, in 42Gears’ reasonable opinion, could (A) compromise the security of any 42Gears systems or premises or (B) cause 42Gears to breach any of its obligations under the Data Protection Legislation or its security and/or privacy obligations to Customer or any third party; or
  - any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Data Protection Legislation.
- Processor undertakes to cooperate with Controller in its dealings with national data protection authorities and with any audit requests received from national data protection authorities. The Controller shall be entitled to disclose this Data Processing Agreement or any other documents (including contracts with subcontractors) that relate to the performance of its obligations under this Data Processing Agreement (commercial information may be removed).
- Customer acknowledges that 42Gears operates a shared cloud environment. Accordingly, 42Gears shall have the right to reasonably adapt the scope of any On-Site Audit to avoid or mitigate risks with respect to, and including, service levels, availability, and confidentiality of other 42Gears customers’ and users’ information. Customer shall promptly provide 42Gears with the full report and complete results of any On-Site Audit.
11. DURATION AND TERMINATION:
- This Data Processing Agreement becomes effective upon signature or accepting it as a click wrap Agreement. It shall continue to be in full force and effect as long as the Processor is processing Personal Data according to Schedule 1 Annex I and shall cease automatically thereafter.
- This Data Processing Addendum may only be amended by the Parties subject to mutual consent.
- 42Gears shall provide its full cooperation in amending and adjusting this Data Processing Addendum in the event of new legislation.
12. LIMITATION OF LIABILITY:
- Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and 42Gears, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
- Any claims made against 42Gears or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is party to the Agreement.
- Controller shall indemnify and hold Processor harmless from any liability, losses, claims, penalties, damages, costs and expenses of whatever nature, imposed by the Supervisory Authority on Processor and arising out of any claims, actions, proceedings or settlements, resulting from the breach or non-compliance of Controller with the terms and conditions of this Data Processing Agreement and/or with the applicable Data Protection Laws and Regulations.
- Processor shall:
  - promptly notify Controller of any claim, investigation or other circumstances that come to its attention and that may lead to such liability, losses, claims, penalties, damages, costs and expenses being imposed by the authorities; and
  - act and communicate with the authority and cooperate as may be reasonably required by the Controller, at Controller’s cost, in settling the claim.
- Except as specifically provided in the EU Standard Contractual Clauses, 42Gears and all of its Affiliates and subsidiaries' liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability or any indemnification provision, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
- For the avoidance of doubt, 42Gears and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
13. CUSTOMER REQUESTS:
42Gears shall comply with the applicable data protection laws and regulations. For the avoidance of doubt, we will:
- Provide support to Customer at their request to assess the impact of our services on their privacy (for example, through assisting Customer with a Data Protection Impact Assessment at Customer’s cost);
- Provide support to customers in responding to requests from data subjects to exercise their rights under the EU General Data Protection Regulation (GDPR).
- Processor shall promptly notify Controller if it receives a request from a Data Subject to exercise its rights of access to, rectification, amendment, restriction of Processing or deletion (“right to be forgotten”), data portability, objection to the Processing of that person’s Personal Data or any other Data Subject request, under any of the applicable Data Protection Laws and Regulations. Processor will not respond to any such Data Subject request without Controller’s prior written consent and in accordance with Controller’s instructions, except to confirm that the request relates to Controller.
- Processor shall provide Controller with all reasonable cooperation and assistance in order to enable Controller to comply with its legal obligations in relation to the handling of Data Subject requests, within the statutory time limits, to the extent that the Processor is legally permitted to do so and provided that such Data Subject Requests are exercised in accordance with the applicable Data Protection Laws and Regulations.
14. RETURN OR DELETION OF DATA:
- Processor will retain the Personal Data for a duration as instructed by the Controller, and consistent with the retention periods as applicable by law. Processor warrants to return or, to the extent allowed by the applicable laws and in accordance with Controller’s instructions and the terms of this Data Processing Agreement, delete and destroy all Personal Data and any copies of such data after the retention period has lapsed.
- Upon Controller’s request, expiration or earlier termination of this Data Processing Agreement, Processor shall promptly, and in any event within thirty (30) days of the date of cessation of any Services involving the Processing of Controller’s Personal Data, return to Controller or delete, and procure a certification of destruction of, all copies of Controller’s Personal Data that might be in its possession. The return of Controller’s Personal Data and all its copies in Processor’s possession shall be completed by secure file transfer in such format as is reasonably requested by Controller to Processor. The parties agree that the Controller will bear all reasonable costs involved in the return or the deletion of the Personal Data.
- The Processor may retain Controller’s Personal Data to the extent required by the applicable laws and for such period as required by the applicable laws. Notwithstanding the above, when retaining Controller’s Personal Data Processor shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is Processed only as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
15. TRANSPARENCY:
42Gears has documented its processing and publishes this in the privacy notice. This can be found on the 42Gears website or provided at your request.
16. MISCELLANEOUS:
- In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:
  - This Data Processing Addendum.
  - The Agreement.
  - Additional conditions, where applicable.
- In the event of changes in the Services or applicable Data Protection Laws and Regulations which will affect the Processing of the Personal Data and requires the amendment of the Data Processing Agreement in order for the parties to be able to address the requirements and comply with the applicable laws, the parties will consult with each other in good faith in order to amend the Data Processing Agreement. Any amendments to this Data Processing Agreement can solely be made in writing by duly authorized representatives of the parties.
- If any provision of this Data Processing Agreement is found by any court or administrative body of competent jurisdiction to be void, invalid, illegal, or otherwise unenforceable, all other terms and provisions of this Data Processing Agreement shall nevertheless remain in full force and effect, and the invalidity or unenforceability of such provision will not adversely affect the enforceability of any other provision of this Data Processing Agreement.
- Any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations set forth in the Agreement.
- Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR or UK-GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR or UK-GDPR.
ANNEXURE 1
STANDARD CONTRACTUAL CLAUSES
(controller to processor)
COMMISSION IMPLEMENTING DECISION (EU) 2021/914
of 4 June 2021
on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance)
For purposes of this Annexure: any reference to “data exporter” means Customer, acting as data exporter on behalf of its EEA or Swiss customer(s) where applicable, and any reference to “data importer” means 42Gears, each a “party”; together “the parties”.
The parties have agreed on the following Standard Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Annex 1.
SCHEDULE 1.
DEFINITIONS
For the purposes of the Clauses:
(a). ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
(b). ‘the data exporter’ means the controller who transfers the personal data.
(c). ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d). ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract.
(e). ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established.
(f). ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
SECTION I
Clause 1
Purpose and scope
(a). The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b). The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).
(c). These Clauses apply with respect to the transfer of personal data as specified in Annex I.B and aforesaid definitions.
(d). The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
- These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Annex. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
- These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a). Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
  (i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
  (ii) Clause 8 - Module One: Clause 8.5(e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1(b) and Clause 8.3(b);
  (iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
  (iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);
  (v) Clause 13;
  (vi) Clause 15.1(c), (d) and (e);
  (vii) Clause 16(e);
  (viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.
(b). Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
- Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
- These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
- These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Details Of The Transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Annex 1 which forms an integral part of the Clauses.
Clause 7
Optional Docking clause
(a). An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b). Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c). The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
Section II – Obligations of the Parties
Clause 8
Data protection safeguards
MODULE TWO: Transfer controller to processor
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.
8.1. Instructions
- The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
- The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2. Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3. Transparency
On request, the data exporter shall make a copy of these Clauses, including the Annexures as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Annexures to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4. Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5. Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6. Security of processing
- The data importer and, during transmission, also the data exporter shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organizational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
- The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management, and monitoring of the contract. It shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7. Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8. Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
- the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
- the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
- the onward transfer is necessary for the establishment, exercise or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
- the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9. Documentation and compliance
(a). The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b). The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c). The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and, at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d). The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e). The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
MODULE TWO: Transfer controller to processor
- GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
- Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfills its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
- The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
- The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
- The data importer shall agree a third-party beneficiary clause with the sub-processor whereby, in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent, the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
MODULE TWO: Transfer controller to processor
(a). The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorized to do so by the data exporter.
(b). The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organizational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c). In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
MODULE TWO: Transfer controller to processor
- The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
- In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
- Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
  (i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
  (ii) refer the dispute to the competent courts within the meaning of Clause 18.
- The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
- The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
- The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
MODULE TWO: Transfer controller to processor
(a). Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b). The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c). Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d). The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e). Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f). The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to their responsibility for the damage.
(g). The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
MODULE TWO: Transfer controller to processor
- The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
- The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
Section III – Local Laws and Obligations in Case of Access by Public Authorities
Clause 14
Local laws and practices affecting compliance with the Clauses
MODULE TWO: Transfer controller to processor
(a). The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b). The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
  (i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
  (ii) the laws and practices of the third country of destination, including those requiring the disclosure of data to public authorities or authorising access by such authorities, relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
  (iii) any relevant contractual, technical or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c). The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d). The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e). The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). The data exporter shall forward the notification to the controller.
(f). Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations Of The Data Importer In Case Of Access By Public Authorities
MODULE TWO: Transfer controller to processor
15.1. Notification
(a). The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it: (i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or (ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b). If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c). Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d). The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e). Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2. Review of legality and data minimization
(a). The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules.
(b). The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c). The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
Section IV – Final Provisions
Clause 16
Non-compliance with the Clauses and termination
- The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
- The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
- In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. [For Modules One, Two and Three: Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall, at the choice of the data exporter, immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.] The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing Law
MODULE TWO: Transfer controller to processor
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Data Exporter's Member State. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be governed by the laws of England and Wales, United Kingdom.
Clause 18
Choice of forum and jurisdiction
MODULE TWO: Transfer controller to processor
- Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
- The Parties agree that those shall be the courts of the Netherlands.
- A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
- The Parties agree to submit themselves to the jurisdiction of such courts.
Clause 19
Obligation After The Termination Of Personal Data-Processing Services
- The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the sub-processor warrant that, upon request of the data exporter and/or of the supervisory authority, they will submit their data-processing facilities for an audit of the measures referred to in paragraph 1.
Clause 20
Obligation After The Termination Of Personal Data-Processing Services
- The data importer agrees that the data exporter will fulfil its obligation to return or destroy all the personal data on the termination of the provision of data-processing services by complying with the 'Deletion or Return of Personal Data' section of the DPA.
ANNEX 1 TO THE STANDARD CONTRACTUAL
This Annex 1 forms part of the Clauses.
A. List of Parties
DATA EXPORTER
The data exporter is Customer, acting as data exporter on behalf of itself or a customer where applicable. Activities relevant to the transfer include the performance of services for Customer and its customer(s).
Role: Controller
DATA IMPORTER
The Data Importer is 42Gears Mobility Systems Private Limited and its affiliates and subsidiaries, a provider of enterprise mobility solutions.
Role: Processor
B. Description of transfer
1. CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED
The Personal Data transferred concern the following categories of Data Subjects:
42Gears may process any data inputted by authorized users of our Products or Services. Primarily, this will relate to living individuals who are:
- users who are authorized by the Data Exporter to use the services;
- employees, agents, contractors, and contacts of the Data Exporter;
- prospects, customers and clients, business partners and vendors of the Data Exporter;
- advisors and professional experts of the Data Exporter;
- employees, agents, contractors, and contacts of the Data Exporter's prospects, customers and clients, business partners, vendors, advisors and professional experts.
2. CATEGORIES OF PERSONAL DATA TRANSFERRED
The Personal Data transferred concern the following categories of data:
42Gears may Process any data inputted by authorised users at the time of login in our Products or Services. For further details regarding what data we collect, please refer to the 42Gears Privacy Notice.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. Unless a data exporter or its users use data importer’s products and services to transmit or store sensitive data, data importer does not process sensitive data.
4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): the transfer happens on a continuous basis.
5. Nature of processing: the Personal Data transferred will be subject to processing activities such as storing, recording, using, sharing, transmitting, analyzing, collecting, transferring, and making available personal data. More details on 42Gears's processing of personal data are set out in and pursuant to our EULA and Terms of Use.
6. Purpose(s) of the data transfer and further processing: the personal data transferred may be subject to the following basic processing activities, as may be further set forth in contractual agreements entered into from time to time between 42Gears and Customer: (a) customer service activities, such as processing orders, providing technical support and improving offerings, (b) sales and marketing activities as permissible under mandatory applicable law, (c) consulting, professional, security, storage, hosting and other services delivered to Customer, and (d) internal business processes and management, fraud detection and prevention, and compliance with governmental, legislative, and regulatory requirements.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: personal data will be retained as needed to fulfill the purposes for which it was collected, such as delivery of the Services and Products, and as necessary for 42Gears to comply with its business requirements and legal obligations, resolve disputes, protect its assets, and enforce its rights and agreements.
8. For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing: 42Gears transfers Personal Data to its sub-processors for as long as the contractual arrangement with them exists. All Personal Data is transferred and used in accordance with the obligations set out in this Agreement.
C. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with Clause 13.
Annex 2
Technical And Organizational Measures Including Technical And Organizational Measures To Ensure The Security Of The Data
Our security practices are described in our Security and Compliance Standards available at https://www.42gears.com/security-and-compliance/ (or at such other URL as may be notified to the Data Exporter from time to time).
Further, 42Gears operates a set of layered security services and a cryptographic framework in accordance with industry standards, including:
- 42Gears conducts routine ISO 27001:2013 audits.
- 42Gears is a SOC 2 certified organization and was recently listed in the CAIQ.
- 42Gears is actively pursuing Cyber Essentials certification from UK government authority.
- Penetration tests are conducted regularly, and vulnerabilities are remedied promptly.
- 42Gears conducts mandatory security awareness training, which covers the handling and securing of confidential information and sensitive information such as personally identifiable information and financial account information consistent with applicable law, together with periodic security awareness communications that focus on end-user awareness.
- 42Gears employs logging and monitoring technology to help detect and prevent unauthorized access attempts to its networks and production systems. Monitoring also includes review of changes affecting systems that handle authentication, authorization, and auditing, and of privileged access to 42Gears's production systems.
- 42Gears regularly performs vulnerability scans and addresses detected vulnerabilities according to their risk. 42Gears products are also subject to periodic vulnerability assessment and penetration testing.
- 42Gears performs periodic backups of production file systems and databases according to a defined schedule and maintains a formal disaster recovery plan for the production cloud data center, including regular testing.
- Third-party service providers or vendors (collectively, "Suppliers") with access to 42Gears's confidential information are subject to risk assessments to gauge the sensitivity of the 42Gears information being shared. Suppliers are expected to comply with any pertinent contract terms relating to the security of 42Gears data, as well as any applicable 42Gears policies or procedures. Periodically, 42Gears may ask a Supplier to re-evaluate its security posture to help ensure compliance. 42Gears conducts periodic Supplier audits by engaging third-party auditors.
Annex 3 - Jurisdiction-Specific Terms
EUROPE:
- Objection to Sub-processors. Customers may object in writing to 42Gears's appointment of a new Sub-processor within five (5) calendar days of receiving notice in accordance with Section 5.1 of the DPA, provided that such objection is based on reasonable grounds relating to data protection. In such an event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, 42Gears will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
- Government data access requests. As a matter of general practice, 42Gears does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about 42Gears accounts (including Customer Data). If 42Gears receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about a 42Gears account (including Customer Data) belonging to a Customer whose primary contact information indicates the Customer is located in Europe, 42Gears shall: (i) inform the government agency that 42Gears is a processor of the data; (ii) attempt to redirect the agency to request the data directly from Customer; and (iii) notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy. As part of this effort, 42Gears may provide Customer’s primary and billing contact information to the agency. 42Gears shall not be required to comply with this paragraph 2 if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or 42Gears’s Site, or Service(s).
UK:
- Background
The Information Commissioner considers that this Addendum provides appropriate safeguards for the purposes of transfers of personal data to a third country or an international organization in reliance on Article 46 of the UK GDPR, with respect to data transfers from controllers to processors and/or processors to processors.
- Interpretation of this Addendum
Where this Addendum uses terms that are defined in the Annex, those terms shall have the same meaning as in the Annex. In addition, the following terms have the following meanings:
- "This Addendum": this Addendum to the Clauses.
- "The Annex": the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- "UK Data Protection Laws": all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
- "UK GDPR": the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
- "UK": the United Kingdom of Great Britain and Northern Ireland.
- This Addendum shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfills the intention for it to provide the appropriate safeguards as required by Article 46 GDPR.
- This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
- Any reference to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
- Hierarchy
In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
- This Addendum incorporates the Clauses which are deemed to be amended to the extent necessary, so they operate:
- for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR.
- The amendments required by Section 7 above include (without limitation):
- (a) References to the "Clauses" means this Addendum as it incorporates the Clauses.
- (b) Clause 6 (Description of the transfer(s)) is replaced with: "The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer."
- (c) References to "Regulation (EU) 2016/679" or "that Regulation" are replaced by "UK Data Protection Laws", and references to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK Data Protection Laws.
- (d) References to Regulation (EU) 2018/1725 are removed.
- (e) References to the "Union", "EU" and "EU Member State" are all replaced with the "UK".
- (f) Clause 13(a) and Part C of Annex II are not used; the "competent supervisory authority" is the Information Commissioner.
- (g) Clause 17 is replaced to state: "These Clauses are governed by the laws of England and Wales".
- (h) Clause 18 is replaced to state: "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts."
- (i) The footnotes to the Clauses do not form part of the Addendum.
- Amendments to this Addendum
- The Parties may agree to change Clause 17 and/or 18 to refer to the laws and/or courts of Scotland or Northern Ireland.
- The Parties may amend this Addendum provided it maintains the appropriate safeguards required by Art 46 UK GDPR for the relevant transfer by incorporating the Clauses and making changes to them in accordance with Section 7 above.
CALIFORNIA
1. Except as described otherwise, the definitions of: "controller" includes "Business"; "processor" includes "Service Provider"; "data subject" includes "Consumer"; "personal data" includes "Personal Information"; in each case as defined under the CCPA.
2. For this "California" section of Annex 4 only, "42Gears Services" means the suite of unified endpoint management tools and products available for 42Gears Customers to use, including without limitation SureMDM, SureFox, etc., and other related support services made available through 42Gears, as may be further described in the App and/or on the 42Gears Site.
3. For this "California" section of Annex 3 only, "Permitted Purposes" shall include processing Customer Data only for the purposes described in this DPA and in accordance with Customer's documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Agreement, or as otherwise may be permitted for "service providers" under the CCPA.
4. 42Gears's obligations regarding data subject requests, as described in Section 8 of this DPA, apply to Consumers' rights under the CCPA.
5. Notwithstanding any use restriction contained elsewhere in this DPA, 42Gears shall process Customer Data only to perform the 42Gears Services, for the Permitted Purposes and/or in accordance with Customer's documented lawful instructions, except where otherwise required by applicable law.
6. 42Gears may de-identify or aggregate Customer Data as part of performing the Service specified in this DPA and the Agreement.
7. Where Sub-processors process the personal data of Customer contacts, 42Gears takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom 42Gears has entered into a written contract that includes terms substantially similar to this DPA, or are otherwise exempt from the CCPA's definition of "sale". 42Gears conducts appropriate due diligence on its Sub-processors.
CANADA:
- 42Gears takes steps to ensure that 42Gears's Sub-processors, as described in Section 5 (Sub-processing) of the DPA, are third parties under PIPEDA with whom 42Gears has entered into a written contract that includes terms substantially similar to this DPA. 42Gears conducts appropriate due diligence on its Sub-processors.
- 42Gears will implement technical and organizational measures as set forth in Section 7 (Security) of the DPA.
ANNEX 4
List of Sub-processors
The controller has authorized the use of the sub-processors listed at https://www.42gears.com/trust-center/legal/list-of-sub-processors/
42Gears engages third parties to support the services. These third parties assist us in providing information, products, or services to customers.
Version 5.0