DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the Agreement between the party identified in the Agreement (“Customer”) and The Office, and applies to the extent that (i) The Office processes Personal Data on behalf of Customer in the course of providing Services and (ii) the Agreement expressly incorporates this DPA by reference. This DPA does not apply where The Office is the Controller. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
1.1 “Agreement” means the written or electronic agreement between Customer and The Office for the provision of the Services to Customer.
1.2 “Controller” means an entity that determines the purposes and means of the processing of Personal Data.
1.3 “Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
1.4 “EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”); and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).
1.5 “EU Model Clauses” means the standard contractual clauses for Processors as approved by the European Commission pursuant to Decision C(2010)593, as they may be amended or replaced from time to time.
1.6 “Personal Data” means any information relating to an identified or identifiable natural person as contained within Content as defined in the Agreement.
1.7 “Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
1.8 “Processor” means an entity that processes Personal Data on behalf of a Controller.
1.9 “Services” means any cloud service offering or customer support services provided by The Office to Customer pursuant to the Agreement.
1.10 “Sub-processor” means any Processor engaged by The Office or any member of its group of companies that processes Personal Data pursuant to the Agreement. Sub-processors may include third parties or any member of The Office’s group of companies.
2.1 Role of the Parties. As between The Office and Customer, The Office will process Personal Data under the Agreement only as a Processor acting on behalf of the Customer. Customer may act either as a Controller or as a Processor with respect to Personal Data.
2.2 Customer Processing of Personal Data. Customer will, in its use of the Services, comply with its obligations under Data Protection Law in respect of its processing of Personal Data and any processing instructions it issues to The Office. Customer represents that it has all rights and authorizations necessary for The Office to process Personal Data pursuant to the Agreement.
2.3 The Office Processing of Personal Data. The Office will comply with its processor obligations under Data Protection Law and will process Personal Data in accordance with Customer’s instructions. Customer agrees that the Agreement is its complete and final instructions to The Office in relation to the processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between The Office and Customer by way of written amendment to the Agreement, and will include any additional fees that may be payable by Customer to The Office for carrying out such instructions. Upon notice in writing, Customer may terminate the Agreement if The Office declines to follow Customer’s reasonable instructions that are outside the scope of, or changed from, those given or agreed to in the Agreement, to the extent such instructions are necessary to enable Customer to comply with Data Protection Laws.
2.4 Processing of Personal Data Details.
2.4.1 Subject matter. The subject matter of the processing under the Agreement is the Personal Data.
2.4.2 Duration. The duration of the processing under the Agreement is determined by Customer and as set forth in the Agreement.
2.4.3 Purpose. The purpose of the processing under the Agreement is the provision of the Services by The Office to Customer as specified in the Agreement.
2.4.4 Nature of the processing. The Office and/or its Sub-processors are providing Services or fulfilling contractual obligations to Customer as described in the Agreement. These Services may include the processing of Personal Data by The Office and/or its Sub-processors on systems which may contain Personal Data.
2.4.5 Categories of data subjects. The data subjects of Customer may include Customer’s end users, employees, contractors, suppliers, and other third parties.
2.4.6 Categories of data. Personal Data that is submitted to the Services by the Customer.
3.1 Use of Sub-Processors. The Office engages Sub-processors to provide certain services on its behalf. Customer consents to The Office engaging Sub-processors to process Personal Data under the Agreement. The Office will be responsible for any acts, errors, or omissions of its Sub-processors that cause The Office to breach any of The Office’s obligations under this DPA.
3.2 Obligations. The Office will enter into an agreement with each Sub-processor that obligates the Sub-processor to protect the Personal Data in a manner substantially similar to the standards set forth in the Agreement (to the extent applicable to the services provided by the Sub-processor).
4. SECURITY MEASURES
4.1 Security Measures by The Office. The Office will implement and maintain appropriate technical and organizational security measures to protect against Personal Data Breaches and to preserve the security and confidentiality of Personal Data processed by The Office on behalf of Customer in the provision of the Services (“Security Measures”). The Security Measures are subject to technical progress and development. The Office may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
4.2 Security Measures by Customer. Customer is responsible for using and configuring the Services in a manner which enables Customer to comply with Data Protection Laws, including implementing appropriate technical and organizational measures.
4.3 Personnel. The Office restricts its personnel from processing Personal Data without authorization (unless required to do so by applicable law) and will ensure that any person authorized by The Office to process Personal Data is subject to an obligation of confidentiality.
4.4 Prohibited Data. Customer acknowledges and agrees that the Agreement may prohibit the submission of certain types of Personal Data (such as an individual’s financial or health information) to the Services. Customer must not submit to the Services any Personal Data unless Customer has entered into a business associate agreement with The Office.
5. PERSONAL DATA BREACH RESPONSE
Upon becoming aware of a Personal Data Breach, The Office will notify Customer without undue delay and will provide information relating to the Personal Data Breach as reasonably requested by Customer. The Office will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Personal Data Breach.
6. AUDIT REPORTS
The Office audits its compliance against data protection and information security standards on a regular basis. Such audits are conducted by The Office’s internal audit team or by third party auditors engaged by The Office. The specific audits, and the data protection and information security certifications The Office has achieved, will necessarily vary depending upon the nature of the Services in question. Upon Customer’s written request, and subject to obligations of confidentiality, The Office will make available to Customer a summary of its most recent relevant audit report and/or other documentation reasonably required by Customer which The Office makes generally available to its customers, so that Customer can verify The Office’s compliance with this DPA.
7. DATA TRANSFERS AND EXPORTS
7.1 Data Transfers. The Office may transfer and process Personal Data to and in other locations around the world where The Office or its Sub-processors maintain data processing operations as necessary to provide the Services as set forth in the Agreement.
7.2 Data Transfers from the EEA and Switzerland. Where Personal Data is transferred from the European Economic Area and/or Switzerland to a member of The Office’s group of companies located in a country not recognized by the European Commission or the Swiss Federal Data Protection Authority as providing an adequate level of protection for Personal Data, Customer appoints The Office to enter into the EU Model Clauses on Customer’s behalf with the relevant The Office entity based outside of the EEA and Switzerland and involved in the processing of Personal Data. The Office will provide a copy of those EU Model Clauses to Customer upon Customer’s written request. If The Office adopts Binding Corporate Rules or another alternative data export solution (as recognized under EU Data Protection Law), then the EU Model Clauses will cease to apply with effect from the date that The Office implements such new data export solution.
8. DELETION OF DATA
Following expiration or termination of the Agreement, The Office will delete or return to Customer all Personal Data in The Office’s possession as provided in the Agreement except to the extent The Office is required by applicable law to retain some or all the Personal Data (in which case The Office will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to such Personal Data.
9.1 Data Protection Requests. If The Office receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under EU Data Protection Law, The Office will promptly redirect the request to the Customer. The Office will not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If The Office is required to respond to such a request, The Office will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so.
9.2 Customer Requests. The Office will reasonably cooperate with Customer, at Customer’s expense, to permit Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement to the extent that Customer is unable to access the relevant Personal Data in its use of the Services.
9.3 DPIAs and Prior Consultations. To the extent required by EU Data Protection Law, The Office will, upon reasonable notice and at Customer’s expense, provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments (“DPIAs”) and/or prior consultations with data protection authorities.
9.4 Legal Disclosure Requests. If The Office receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, such request will be dealt with in accordance with the Agreement.
10.1 Relationship with Agreement. Any claims brought under this DPA will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement, provided however that in no event will any party be deemed to have limited its liability under the Agreement with respect to any individual’s data protection rights under this DPA or pursuant to applicable law.
10.2 Conflicts. In the event of any conflict between this DPA and any privacy-related provisions in the Agreement, the terms of this DPA will prevail.
10.3 Modification and Supplementation. The Office may modify the terms of this DPA as provided in the Agreement, in circumstances such as (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Data Protection Law, or (iii) to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Data Protection Law. Supplemental terms may be added as an Annex or Appendix to this DPA where such terms only apply to the processing of Personal Data under the Data Protection Law of specific countries or jurisdictions. The Office will provide notice of such changes to Customer, and the modified DPA will become effective, in accordance with the terms of the Agreement or as otherwise provided on The Office’s website if not specified in the Agreement.