EMERGENETICS DATA PROCESSING ADDENDUM
THIS EMERGENETICS DATA PROCESSING ADDENDUM (“Addendum”) is made and entered into by and between The
Browning Group International, Inc. d/b/a Emergenetics International and its
affiliates (including STEP, LLC and Emergenetics Europe Limited) as applicable
(collectively, “Emergenetics”) and you (the “Client” or “Partner”, as applicable, each as defined below) (each
a “Party” and collectively the “Parties”). This Addendum governs your
Processing of Personal Data on the Emergenetics Platform. If you are accepting
the terms of this Addendum on behalf of an entity, you represent and warrant to
Emergenetics that you have the authority to bind that entity and its
affiliates, where applicable, to the terms and conditions of this Addendum.
This Addendum is effective as of the date on which you agree to it (the
“Addendum Date”) by clicking the “I Accept” button in the applicable online
form or webpage that makes reference to this Addendum.
RECITALS
WHEREAS, Emergenetics and you have executed an agreement
for services (the “Services Agreement”) involving the Processing of Personal
Data (as defined below) of Data Subjects (as defined below) that the Parties
now desire to amend as provided herein;
WHEREAS, in the course
of providing its services under the Services Agreement you, as
a Data Controller, Process certain Personal Data of Data Subjects;
WHEREAS, Emergenetics, as a Data Controller,
requires that you and any subsequent Personal Data recipients who, in the
course of your work with Emergenetics,
may Process Personal Data, take all necessary measures to handle such
information in compliance with the General Data Protection Regulation of the EU
(GDPR) and other applicable laws and regulations;
WHEREAS, whenever both
Parties jointly determine the purposes and means of Processing, they shall act
as Joint Controllers; and
WHEREAS, the Parties enter
into this Addendum wishing to comply with the principles and standards for data
protection as required by the GDPR and other applicable laws and regulations,
with respect to the Processing of Personal Data under the Services Agreement.
NOW, THEREFORE, in
consideration of the mutual agreements set forth in this Addendum and for other
good and valuable consideration, the receipt and sufficiency of which the
Parties both acknowledge, the Parties agree as follows:
DEFINITIONS
Capitalized terms used
but not defined in this Addendum shall have the meanings assigned to them in
the Services Agreement.
For purposes of this
Addendum, the following capitalized terms shall have the meanings ascribed to
them as set forth below wherever they appear within the provisions of this
Addendum:
· “Applicable Laws” means all laws applicable to the Processing of Personal Data, including
the GDPR, laws implementing or supplementing the GDPR, EU Directive 95/46/EC,
as transposed into domestic legislation of each Member State and as amended,
replaced, or superseded from time to time, other laws of the European Union or
any Member State thereof, and the laws of any other country to which the
Personal Data is subject;
· “Client” means a legal entity with whom Emergenetics has executed the Services Agreement
who uses the Platform for the benefit of its own employees, prospective
employees, or other organizational team members such as contractors;
· “GDPR” and “General Data Protection Regulation” means Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the Processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC;
· “Data Controller” means the natural or legal person, public
authority, agency or other body which, alone or
jointly with others, determines the purposes and means of the Processing of
Personal Data; where the purposes and means of such Processing are determined
by Union or Member State law, the Data Controller or the specific criteria for
its nomination may be provided for by Union or Member State law. For the
purposes of this Addendum, Data Controller or Data Controllers also refers
specifically to a Party or the Parties to this Addendum;
· “Data Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of a Data Controller;
· “Joint Controllers” means two or more Data Controllers that jointly determine the
purposes and means of Processing;
· “Partner” means a third-party contractor filling a role as an Emergenetics Associate,
Domain Administrator, Country Representative, or other applicable role on the
Platform as a member of Emergenetics’ network of licensed resellers of
Emergenetics products and services;
· “Personal Data” means any information relating to an identified or identifiable natural
person within the scope of this Addendum (“Data Subject”); an identifiable
natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification
number, location data, an online identifier or to one or more factors specific
to the physical, physiological, genetic, mental, economic, cultural or social
identity of that natural person;
· “Personal Data Breach” means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to,
Personal Data transmitted, stored, or otherwise Processed;
· “Platform” means the Emergenetics web application(s), including Emergenetics+, ESP, or
STEP, as applicable;
· “Processing” means any operation or set of operations which is performed on Personal Data or
on sets of Personal Data, whether or not by automated
means, such as collection, recording, organization, structuring, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction, erasure or
destruction; and
· “Restricted Transfer” means any transfer of Personal Data that would be prohibited by
Applicable Laws (or by the terms of data transfer agreements put in place to
address the data transfer restrictions of Applicable Laws) in the absence of
the execution of the Standard Contractual Clauses or another lawful data
transfer mechanism, as set out in Section 12 below.
TERMS
The Parties agree as follows:
1. Effective Date. The terms of this Addendum shall take effect on the later of the Addendum Date or May 25, 2018 (the “Effective Date”) and continue concurrently for the term of the Services Agreement.
2. Scope. This Addendum serves
as a framework for Personal Data Processing under the Services Agreement, as
applicable, alone or jointly, as well as Personal Data sharing between the
Parties as Data Controllers, and defines the
principles and procedures that the Parties shall adhere to and the respective
responsibilities of the Parties.
3. Applicability. This
Addendum will not apply to the Processing of Personal Data, where such
Processing is not regulated by the Applicable Laws.
4. Controllership Representations and Warranties. Each Party represents, warrants, and covenants that:
a) with respect to the Processing of Personal Data under the Services Agreement, it is a Data Controller within the meaning of this Addendum and the GDPR;
b) all Personal Data has been and will be collected, transferred, and otherwise Processed in accordance with the GDPR;
c) it will only conduct transfers of Personal Data, where such transfers would be subject to mandatory requirements under the Applicable Laws (and no lawful exemption or derogation applies), in compliance with all applicable conditions, as laid down in the Applicable Laws;
d) it will, upon request of the respective other Party, provide that other Party with copies of all relevant data protection laws or references to them (where relevant, and not including legal advice).
5. Joint Controllership Representations and Warranties. Each Party, when acting as a Joint Controller together with the other Party, warrants and covenants that:
a) it will determine its respective responsibilities for compliance with its obligations under the Applicable Laws;
b) it will determine its respective responsibilities vis-à-vis Data Subjects, taking into account the circumstances of each specific Processing situation, and, where necessary, duly communicate such information to the respective other Data Controller in the Joint Controllership context;
c) in consideration of the fact, as set out in the GDPR, that irrespective of the terms of the arrangement between the Parties, Data Subjects may exercise their rights under the GDPR in respect of and against each of the Data Controllers, each Data Controller in the Joint Controllership context will proactively, without having been requested to do so, provide all due assistance and information to the respective other Data Controller in the Joint Controllership context, including but not limited to forwarding requests lodged by Data Subjects to exercise their rights under Chapter III of the GDPR. Where a Data Controller has not fulfilled its obligation under this provision, it shall be fully liable with regard to the response, or lack thereof, to the respective request by the Data Subject to exercise his rights; and
d) where a conflict of competence occurs with regard to a specific set of Processing operations in the Joint Controllership context, each Data Controller shall act in good faith to communicate and resolve said conflict with the other respective Data Controller in an amicable manner, by taking into account and respecting, firstly, the interests and rights of the respective Data Subject(s), and, secondly, the mutual interest of both Parties, so as to avoid joint and several liability where the Parties fail to respect the rights of a Data Subject(s) because of an unresolved conflict of competence.
6. Records of Processing Activities. Each Data Controller agrees to maintain a record of Processing activities of Personal Data under its responsibility, in accordance with Article 30 of the GDPR.
7. Processing of Personal Data. Within the context of this Addendum, the Parties are Joint Controllers of the Personal Data of the Data Subjects. Clients and Partners each jointly control the Personal Data Processed via the Emergenetics Platform with Emergenetics. Processing of Personal Data by each of the Data Controllers within the scope of this Addendum is subject to the following:
(a) Processing
is limited to those services and tasks outlined in the Services Agreement for
services and any subsequent orders, statements of work, or work orders executed
between the Parties.
(b) Each
Data Controller shall ensure that the Processing of the Personal Data for the
purposes set out in the Services Agreement, is performed only on lawful
grounds, as provided by Article 6 of the GDPR, and as further limited by
Article 9 of the GDPR, or the equivalent provisions of any Applicable Laws, as
the case may be.
(c)
The respective Data Controllers must ensure that persons they
authorize to Process the Personal Data have committed themselves to
confidentiality or are under an appropriate statutory obligation of
confidentiality.
8. Security Measures. Both Parties will implement appropriate technical and organizational security measures to ensure and to be able to demonstrate that Processing is performed in accordance with the GDPR, and as required by Article 24 of the GDPR.
9. Data Subject Requests. Each
Party will be responsible for responding to requests for the exercise of a Data
Subject’s rights under Chapter III of the GDPR or the equivalent provisions of
other Applicable Laws, with regard to the Personal
Data Processed by that
Party. Each Party will designate an appropriate point of contact for Data
Subject requests within its respective organization. Each Party will maintain a
record of Data Subjects’ requests to exercise their rights, the decisions made,
and any information that was exchanged. In situations where the Parties are
Joint Controllers, the Parties will provide notice to each other of all such
Data Subject requests they receive. Before deleting Personal Data or
restricting Processing in response to a Data Subject request, each Party will
obtain the approval of the other Party, which shall not be unreasonably
withheld by that other Party, so as to avoid the
possibility of one Party’s actions causing the other Party to be in breach of
this Addendum or any Applicable Laws. The Parties agree to provide
prompt and reasonable assistance to each other, if required, to enable them to
comply with Data Subject requests. Each Party will ensure that its relevant
privacy notices, where applicable, are published in accordance with the
requirements of the GDPR and other Applicable Laws and that no conflicts exist
among the Parties’ privacy notices that would create confusion or mislead Data
Subjects. In particular, each Party will ensure that
its relevant privacy notices, where applicable, contain accurate contact
information to which Data Subjects can submit requests to the respective Party
to exercise their rights under the GDPR and other Applicable Laws, as the case
may be.
10. Security of Processing and Personal Data Breach Notifications. Both Parties agree to
implement and maintain technical and organizational security measures to ensure
that the level of security of Personal Data Processed by them is appropriate to
the risk, pursuant to Articles 32 to 36 of the GDPR, taking
into account the nature of Processing and the information available to
each Party. Each Party shall provide notification of a Personal Data
Breach to the competent supervisory authority or the affected Data Subject(s),
as required by Articles 33 and 34 of the GDPR, or the equivalent provisions of
other Applicable Laws, as the case may be, as well as all due assistance to the other respective
Party, as necessary.
11. Processors. Each Party shall only engage a Data Processor to Process the
Personal Data on its behalf if that Data Processor provides sufficient
guarantees, by way of a written contract or other legal act under European
Union or Member State law, that it will implement the same data protection
obligations as this Addendum and the requirements of the GDPR. Such obligations
shall include, in particular, the requirement that the
Data Processor implements appropriate technical and organizational security
measures in such a manner that Processing will meet the requirements of the
GDPR, including, but not limited to, applicable requirements of Articles 28,
29, and 30 of the GDPR, and ensure the protection of the rights of the Data
Subject. Where that Data Processor fails to fulfill its data protection
obligations, the respective Party shall remain fully liable to Data Subjects
for the performance of that Data Processor's obligations.
12. Restricted Transfers. Emergenetics (as “data
exporter”) and the Client (as “data importer”) hereby enter
into, as of the Addendum Date, the Standard Contractual Clauses (as set
out in Exhibit A), which are incorporated by this reference and constitute an
integral part of this Addendum. The Parties are deemed to have accepted,
executed, and signed, where necessary, the Standard Contractual Clauses in
their entirety, including the appendices on the Effective Date.
13. With regard to any Restricted Transfer from Emergenetics to the Client
within the scope of this Addendum, one of the following transfer mechanisms
shall apply, in the following order of precedence:
(a) the Standard Contractual Clauses; or
(b) any other lawful basis, as laid down in
Applicable Laws, as the case may be.
In cases where the Standard Contractual Clauses apply, and
there is a conflict between the terms of the Addendum and the terms of the
Standard Contractual Clauses, the terms of the Standard Contractual Clauses
shall control.
14. Liability. Without prejudice to any form of direct liability of a Party
or a Data Processor before Data Subjects, each Party shall be liable to the
other respective non-defaulting Party for damages the defaulting Party has
caused to the non-defaulting Party by any breach of its obligations, as set out
in this Addendum.
15. Disputes. In the event of a
dispute or claim brought by a Data Subject or an EEA or UK data protection
authority concerning the Processing of Personal Data against either or both of
the Parties, the Parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them
amicably in a timely fashion.
16. Contact Points for Data Protection Enquiries:
Emergenetics’ Data Protection Officer (DPO):
E-mail: privacy@emergenetics.com
Name: Steven Douglas
Address: 2 Inverness Dr East, Suite 188, Centennial, CO 80112, USA
17. No Further Amendment. Except as expressly provided in this Addendum, the Parties
intend no amendment or modification of the Services Agreement or in any other
document signed or otherwise entered into by the
Parties.
18. Primary Agreement. The terms of the Services
Agreement, together with any addendum or supplemental
agreement executed prior to this Addendum, are preserved
and remain in full force and effect. To the extent that any terms of this
Addendum conflict with any terms contained within the Services Agreement, the
terms of this Addendum shall control with respect to the subject matter
described herein.
19. Confidentiality. This Addendum is confidential information. Each Party agrees:
(a) not to disclose this Addendum to any third parties except (1) to legal counsel or
privacy consultants who have executed a nondisclosure agreement or who are
under a statutory obligation of confidentiality; (2) as permitted or reasonably
anticipated by this Addendum; or (3) as required by the GDPR or other
Applicable Laws (each, a “Permitted Disclosure”); and
(b) to exercise at least the same degree of care that each Party generally uses to
protect its own information of similar nature to protect this Addendum from any
possession, use, or disclosure that is not a Permitted Disclosure, but in no
case less than a reasonable degree of care.
Exhibit A
Commission Decision C(2004)5721 SET II
Standard contractual clauses for the transfer of personal data from the Community to third countries (controller to controller transfers)
Data transfer agreement
between
The Browning Group International, Inc.
2 Inverness Dr East
Suite 189
Centennial, CO, 80112
U.S.A.
hereinafter “data exporter”
and
the Client, as defined in the Emergenetics Data Processing Addendum (the
“Addendum”) above
hereinafter “data importer”
each a “party”; together “the parties”.
Definitions
For the purposes of the clauses:
a) “personal data”, “special categories of data/sensitive data”, “process/processing”, “controller”, “processor”, “data subject” and “supervisory authority/authority” shall have the same meaning as in Directive 95/46/EC of 24 October 1995 (whereby “the authority” shall mean the competent data protection authority in the territory in which the data exporter is established);
b) “the data exporter” shall mean the controller who transfers the personal data;
c) “the data importer” shall mean the controller who agrees to receive from the data exporter personal data for further processing in accordance with the terms of these clauses and who is not subject to a third country’s system ensuring adequate protection;
d) “clauses” shall mean these contractual clauses, which are a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
The details of the transfer (as well as the personal data covered) are specified in
Annex B, which forms an integral part of the clauses.
I. Obligations of the data exporter
The data exporter warrants and undertakes that:
a) The personal data have been collected, processed and transferred in accordance with the laws applicable to the data exporter.
b) It has used reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses.
c) It will provide the data importer, when so requested, with copies of relevant data protection laws or references to them (where relevant, and not including legal advice) of the country in which the data exporter is established.
d) It will respond to enquiries from data subjects and the authority concerning processing of the personal data by the data importer, unless the parties have agreed that the data importer will so respond, in which case the data exporter will still respond to the extent reasonably possible and with the information reasonably available to it if the data importer is unwilling or unable to respond. Responses will be made within a reasonable time.
e) It will make available, upon request, a copy of the clauses to data subjects who are third party beneficiaries under clause III, unless the clauses contain confidential information, in which case it may remove such information. Where information is removed, the data exporter shall inform data subjects in writing of the reason for removal and of their right to draw the removal to the attention of the authority. However, the data exporter shall abide by a decision of the authority regarding access to the full text of the clauses by data subjects, as long as data subjects have agreed to respect the confidentiality of the confidential information removed. The data exporter shall also provide a copy of the clauses to the authority where required.
II. Obligations of the data importer
The data importer warrants and undertakes that:
a) It will have in place appropriate technical and organisational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
b) It will have in place procedures so that any third party it authorises to have access to the personal data, including processors, will respect and maintain the confidentiality and security of the personal data. Any person acting under the authority of the data importer, including a data processor, shall be obligated to process the personal data only on instructions from the data importer. This provision does not apply to persons authorised or required by law or regulation to have access to the personal data.
c) It has no reason to believe, at the time of entering into these clauses, in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses, and it will inform the data exporter (which will pass such notification on to the authority where required) if it becomes aware of any such laws.
d) It will process the personal data for purposes described in Annex B, and has the legal authority to give the warranties and fulfil the undertakings set out in these clauses.
e) It will identify to the data exporter a contact point within its organisation authorised to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the data exporter, the data subject and the authority concerning all such enquiries within a reasonable time. In case of legal dissolution of the data exporter, or if the parties have so agreed, the data importer will assume responsibility for compliance with the provisions of clause I(e).
f) At the request of the data exporter, it will provide the data exporter with evidence of financial resources sufficient to fulfil its responsibilities under clause III (which may include insurance coverage).
g) Upon reasonable request of the data exporter, it will submit its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the data exporter (or any independent or impartial inspection agents or auditors, selected by the data exporter and not reasonably objected to by the data importer) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the data importer, which consent or approval the data importer will attempt to obtain in a timely fashion.
h) It will process the personal data, at its option, in accordance with:
i. the data protection laws of the country in which the data exporter is established, or
ii. the relevant provisions[1] of any Commission decision pursuant to Article 25(6) of Directive 95/46/EC, where the data importer complies with the relevant provisions of such an authorisation or decision and is based in a country to which such an authorisation or decision pertains, but is not covered by such authorisation or decision for the purposes of the transfer(s) of the personal data[2], or
iii. the data processing principles set forth in Annex A.
Data importer to indicate which option it selects: Section II(h)(iii);
i) It will not disclose or transfer the personal data to a third party data controller located outside the European Economic Area (EEA) unless it notifies the data exporter about the transfer and
i. the third party data controller processes the personal data in accordance with a Commission decision finding that a third country provides adequate protection, or
ii. the third-party data controller becomes a signatory to these clauses or another data transfer agreement approved by a competent authority in the EU, or
iii. data subjects have been given the opportunity to object, after having been informed of the purposes of the transfer, the categories of recipients and the fact that the countries to which data is exported may have different data protection standards, or
iv. with regard to onward transfers of sensitive data, data subjects have given their unambiguous consent to the onward transfer.
III. Liability and third party rights
a) Each party shall be liable to the other parties for damages it causes by any breach of these clauses. Liability as between the parties is limited to actual damage suffered. Punitive damages (i.e. damages intended to punish a party for its outrageous conduct) are specifically excluded. Each party shall be liable to data subjects for damages it causes by any breach of third party rights under these clauses. This does not affect the liability of the data exporter under its data protection law.
b) The parties agree that a data subject shall have the right to enforce as a third party beneficiary this clause and clauses I(b), I(d), I(e), II(a), II(c), II(d), II(e), II(h), II(i), III(a), V, VI(d) and VII against the data importer or the data exporter, for their respective breach of their contractual obligations, with regard to his personal data, and accept jurisdiction for this purpose in the data exporter’s country of establishment. In cases involving allegations of breach by the data importer, the data subject must first request the data exporter to take appropriate action to enforce his rights against the data importer; if the data exporter does not take such action within a reasonable period (which under normal circumstances would be one month), the data subject may then enforce his rights against the data importer directly. A data subject is entitled to proceed directly against a data exporter that has failed to use reasonable efforts to determine that the data importer is able to satisfy its legal obligations under these clauses (the data exporter shall have the burden to prove that it took reasonable efforts).
IV. Law applicable to the clauses
These clauses shall be governed by the law of the country in which the data exporter
is established, with the exception of the laws and regulations relating to
processing of the personal data by the data importer under clause II(h), which
shall apply only if so selected by the data importer
under that clause.
V. Resolution of disputes with data subjects or the authority
a) In the event of a dispute or claim brought by a data subject or the
authority concerning the processing of the personal data against either or both
of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them
amicably in a timely fashion.
b) The parties agree to respond to any generally available non-binding
mediation procedure initiated by a data subject or by the authority. If they do
participate in the proceedings, the parties may elect to do so remotely (such
as by telephone or other electronic means). The parties also agree to consider
participating in any other arbitration, mediation or other dispute resolution
proceedings developed for data protection disputes.
c) Each party shall abide by a decision of a competent court of the data
exporter’s country of establishment or of the authority which is final and
against which no further appeal is possible.
VI. Termination
a) In the event that the data importer is in breach of its obligations under these clauses, then the data exporter may temporarily suspend the transfer of personal data to the data importer until the breach is repaired or the contract is terminated.
b) In the event that:
i. the transfer of personal data to the data importer has been temporarily suspended by the data exporter for longer than one month pursuant to paragraph (a);
ii. compliance by the data importer with these clauses would put it in breach of its legal or regulatory obligations in the country of import;
iii. the data importer is in substantial or persistent breach of any warranties or undertakings given by it under these clauses;
iv. a final decision against which no further appeal is possible of a competent court of the data exporter’s country of establishment or of the authority rules that there has been a breach of the clauses by the data importer or the data exporter; or
v. a petition is presented for the administration or winding up of the data importer, whether in its personal or business capacity, which petition is not dismissed within the applicable period for such dismissal under applicable law; a winding up order is made; a receiver is appointed over any of its assets; a trustee in bankruptcy is appointed, if the data importer is an individual; a company voluntary arrangement is commenced by it; or any equivalent event in any jurisdiction occurs
then the data exporter, without prejudice to any other rights which it may have against the data importer, shall be entitled to terminate these clauses, in which case the authority shall be informed where required. In cases covered by (i), (ii), or (iv) above the data importer may also terminate these clauses.
c) Either party may terminate these clauses if (i) any Commission positive adequacy decision under Article 25(6) of Directive 95/46/EC (or any superseding text) is issued in relation to the country (or a sector thereof) to which the data is transferred and processed by the data importer, or (ii) Directive 95/46/EC (or any superseding text) becomes directly applicable in such country.
d) The parties agree that the termination of these clauses at any time, in any circumstances and for whatever reason (except for termination under clause VI(c)) does not exempt them from the obligations and/or conditions under the clauses as regards the processing of the personal data transferred.
VII. Variation of these clauses
The parties may not modify these clauses except to update any information in Annex
B, in which case they will inform the authority where required. This does not
preclude the parties from adding additional commercial clauses where required.
VIII. Description of the Transfer
The details of the transfer and of the personal data are specified in Annex B. The
parties agree that Annex B may contain confidential business information which
they will not disclose to third parties, except as required by law or in
response to a competent regulatory or government agency, or as required under
clause I(e). The parties may execute additional annexes to cover additional
transfers, which will be submitted to the authority where required. Annex B
may, in the alternative, be drafted to cover multiple transfers.
ANNEX A
DATA PROCESSING PRINCIPLES
1. Purpose limitation: Personal data may be processed and subsequently used or further communicated only for purposes described in Annex B or subsequently authorised by the data subject.
2. Data quality and proportionality: Personal data must be accurate and, where necessary, kept up to date. The personal data must be adequate, relevant and not excessive in relation to the purposes for which they are transferred and further processed.
3. Transparency: Data subjects must be provided with information necessary to ensure fair processing (such as information about the purposes of processing and about the transfer), unless such information has already been given by the data exporter.
4. Security and confidentiality: Technical and organisational security measures must be taken by the data controller that are appropriate to the risks, such as against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process the data except on instructions from the data controller.
5. Rights of access, rectification, deletion and objection: As provided in Article 12 of Directive 95/46/EC, data subjects must, whether directly or via a third party, be provided with the personal information about them that an organisation holds, except for requests which are manifestly abusive, based on unreasonable intervals or their number or repetitive or systematic nature, or for which access need not be granted under the law of the country of the data exporter. Provided that the authority has given its prior approval, access need also not be granted when doing so would be likely to seriously harm the interests of the data importer or other organisations dealing with the data importer and such interests are not overridden by the interests for fundamental rights and freedoms of the data subject. The sources of the personal data need not be identified when this is not possible by reasonable efforts, or where the rights of persons other than the individual would be violated. Data subjects must be able to have the personal information about them rectified, amended, or deleted where it is inaccurate or processed against these principles. If there are compelling grounds to doubt the legitimacy of the request, the organisation may require further justifications before proceeding to rectification, amendment or deletion. Notification of any rectification, amendment or deletion to third parties to whom the data have been disclosed need not be made when this involves a disproportionate effort. A data subject must also be able to object to the processing of the personal data relating to him if there are compelling legitimate grounds relating to his particular situation. The burden of proof for any refusal rests on the data importer, and the data subject may always challenge a refusal before the authority.
6. Sensitive data: The data importer shall take such additional measures (e.g. relating to security) as are necessary to protect such sensitive data in accordance with its obligations under clause II.
7. Data used for marketing purposes: Where data are processed for the purposes of direct marketing, effective procedures should exist allowing the data subject at any time to “opt-out” from having his data used for such purposes.
8. Automated decisions: For purposes hereof “automated decision” shall mean a decision by the data exporter or the data importer which produces legal effects concerning a data subject or significantly affects a data subject and which is based solely on automated processing of personal data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc. The data importer shall not make any automated decisions concerning data subjects, except when:
a) i. such decisions are made by the data importer in entering into or performing a contract with the data subject, and
ii. the data subject is given an opportunity to discuss the results of a relevant automated decision with a representative of the parties making such decision or otherwise to make representations to those parties;
or
b) where otherwise provided by the law of the data exporter.
ANNEX B
DESCRIPTION OF THE TRANSFER
By entering into the Standard Contractual Clauses, pursuant to Section 12 of the Addendum, the parties are deemed to have signed this Annex B.
Data subjects
The personal data transferred concern the following categories of data subjects:
The personal data transferred typically concern the individuals being evaluated or assessed via the Emergenetics Platform.
Purposes of the transfer(s)
The transfer is made for the following purposes:
Enabling the data importer to offer and/or provide the Emergenetics services on behalf of the data exporter.
Categories of data
The personal data transferred typically concern the following categories of data:
Personal data typically include biographical data, contact data, learning/management and personality styles evaluation outcomes.
Recipients
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
Parties that would need such personal data to facilitate the provision of the Emergenetics services.
Contact points for data protection enquiries shall be provided by both parties, as set out in the Addendum.
[1] “Relevant provisions” means those provisions of any authorisation or decision except for the enforcement provisions of any authorisation or decision (which shall be governed by these clauses).
[2] However, the provisions of Annex A.5 concerning rights of access, rectification, deletion and objection must be applied when this option is chosen and take precedence over any comparable provisions of the Commission Decision selected.