Data Privacy Terms
These Data Privacy Terms shall be incorporated into and form part of the Agreement.
1. Definitions
In these Data Privacy Terms, the following terms shall have the following meanings:
"CCPA" means California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act.
"CCPA Data" means any information made available by the Customer to the Supplier in the context of the Supplier's business relationship with the Customer in respect of which the CCPA applies.
"Data Protection Law" means as applicable: (a) the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR") together with any national implementing laws in any member state of the European Union; and (b) any equivalent legislation, or legislation dealing with the same or substantially similar subject matter, anywhere in the world, in each case as amended, extended or replaced from time to time.
"Standard Contractual Clauses" means the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (as amended, extended or replaced from time to time).
"Third Country" means a country which is not regarded for the purposes of Data Protection Law as providing an adequate level of protection for personal data.
"UK Addendum" means the UK Addendum to the Standard Contractual Clauses (as amended, extended or replaced from time to time).
The terms "data subject", "personal data", "controller", "processor", "process" (and related words) shall be construed in accordance with the meanings given to them under Data Protection Law.
Unless otherwise defined in these Data Privacy Terms, capitalised terms shall have the meaning given to them in the Terms and Conditions.
2. Controller to Controller Terms
2.1. To the extent that the Supplier acts as a controller of personal data to which Supplier has access in the context of providing the Services and/or any Deliverable ("Controller Personal Data"), the following provisions shall apply:
2.1.1. To the greatest extent permitted by Data Protection Law, the Supplier is acting as an independent controller in respect of the Controller Personal Data.
2.1.2. Without prejudice to the generality of paragraph 2.1.1 above, the Supplier agrees that it shall:
(a) only process the Controller Personal Data for the purposes of providing the Services and/or Deliverables under this Agreement; and
(b) process the Controller Personal Data at all times in accordance with Data Protection Law and shall not knowingly do anything or permit anything to be done which might lead to a breach of Data Protection Law.
3. Controller to Processor Terms
3.1. To the extent that the provision of the Services and/or any Deliverable involves the processing of personal data by the Supplier on behalf of the Customer ("Processor Personal Data"), the parties agree that:
3.1.1. the Customer shall act as controller and the Supplier shall act as processor in respect of such Processor Personal Data;
3.1.2. the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects in respect of such Processor Personal Data shall be as specified in the Purchase Order or as otherwise strictly required to provide the Services and/or any Deliverable under this Agreement.
3.2. The Supplier agrees that it shall:
3.2.1. only process Processor Personal Data in accordance with the documented instructions of the Customer and solely as strictly necessary for the provision of the Services and/or any Deliverable;
3.2.2. not transfer Processor Personal Data to a Third Country without the prior written consent of the Customer which consent may be conditional upon the execution of the Standard Contractual Clauses and/or UK Addendum by the Supplier;
3.2.3. ensure that the persons authorised by the Supplier to process Processor Personal Data are bound by appropriate obligations of confidentiality;
3.2.4. implement such technical and organisational security measures in respect of Processor Personal Data as are required to comply with the data security obligations under Data Protection Law including, as a minimum, the technical and organisational security measures set out in Schedule 1 of these Data Privacy Terms;
3.2.5. not engage any sub-processor in respect of Processor Personal Data without the prior written consent of the Customer. Where any sub-processor of the Supplier will be processing Processor Personal Data on behalf of the Customer, the Supplier shall ensure that a written contract exists between the Supplier and the sub-processor containing clauses equivalent to those imposed on the Supplier in these Data Privacy Terms in respect of Processor Personal Data. In the event that any sub-processor fails to meet its data protection obligations in respect of Processor Personal Data under such written contract between the Supplier and the sub-processor or under Data Protection Law, the Supplier shall remain fully liable to the Customer for any such failure of the sub-processor;
3.2.6. taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organisational measures (insofar as this is possible) to assist the Customer in complying with requests from data subjects to exercise their rights under Data Protection Law in respect of Processor Personal Data;
3.2.7. in respect of Processor Personal Data, assist the Customer in ensuring compliance with its obligations in respect of security of personal data, data protection impact assessments and prior consultation requirements under Data Protection Law;
3.2.8. at the choice of the Customer:
3.2.8.1. return the Processor Personal Data to the Customer or delete it when the Supplier ceases to provide the Services; and
3.2.8.2. delete all existing copies of Processor Personal Data unless EU law or the laws of an EU member state require storage of the Processor Personal Data.
3.2.9. make available to the Customer all information necessary to demonstrate compliance with the obligations set out in these Data Privacy Terms;
3.2.10. allow for and assist with audits, including inspections, conducted by the Customer or another auditor mandated by the Customer for the purpose of verifying compliance by the Supplier with the provisions of these Data Privacy Terms;
3.2.11. taking into account the nature of the processing and the nature of the information available to the Supplier, notify the Customer without undue delay after becoming aware of any personal data breach in respect of Processor Personal Data and provide the Customer with such reasonable co-operation and assistance as may be required to mitigate against the effects of, and comply with any reporting obligations which may apply to the Customer in respect of any such personal data breach; and
3.2.12. process the Processor Personal Data at all times in accordance with Data Protection Law and shall not knowingly do anything or permit anything to be done which might lead to a breach of Data Protection Law.
4. Other agreements
The parties agree to perform such further acts and execute such further agreements governing the processing of Controller Personal Data or Processor Personal Data as may be reasonably necessary to comply with Data Protection Law including, where relevant, the Standard Contractual Clauses and/or UK Addendum.
5. California Consumer Privacy Act
5.1. The Supplier acknowledges and confirms that it does not receive any CCPA Data as consideration for any services or other items that it provides to the Customer. The Supplier shall not have, derive or exercise any rights or benefits regarding CCPA Data. The Supplier must not sell or share any CCPA Data, as the terms "sell" and "share" are defined in the CCPA or under any other laws. The Supplier must not collect, retain, use, share, or disclose any CCPA Data for: (a) targeted or cross-context behavioural advertising; (b) any purpose other than the provision of the Services and/or the Deliverables; or (c) outside the direct business relationship with Customer. Supplier must not combine CCPA Data with other data if and to the extent this would be inconsistent with limitations on service providers under the CCPA or other laws.
5.2. Supplier must only process CCPA Data for a business purpose as defined in the CCPA. The business purpose of the transfer to and further processing of CCPA Data by Supplier is to perform services on behalf of the Customer. Customer shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate the Supplier's unauthorized use of CCPA Data, including but not limited to the right to request Supplier to provide sufficient documentation that verifies its compliance with its obligations under this Agreement. If Supplier receives a request from an individual, government agency or other entity to exercise rights under applicable law with respect to the CCPA Data, such as to access, correct or delete the personal data or restrict, object to, or control the processing of the personal data, Supplier must immediately inform Customer, refrain from responding to or giving effect to the request without Customer's written consent and instruction unless Supplier is otherwise required to do so by applicable law, and promptly provide all information and assistance necessary for Supplier and Customer to comply with the request in accordance with applicable law.
5.3. The Supplier certifies that it understands the rules, requirements and definitions of the CCPA, and the restrictions set out in clause 5 of these Data Privacy Terms. The Supplier agrees to refrain from taking any action that would cause any transfers of CCPA Data to or from the Supplier to qualify under the CCPA or other laws as "sharing" for advertising purposes or as "selling" personal information.
SCHEDULE 1 - TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Security and Disaster Recovery Schedule
1. Supplier agrees to implement the following information security requirements, or the substantial equivalent, as applicable:
- Develop, maintain, and communicate an information security program designed to protect the confidentiality, integrity, and availability of Customer information assets.
- Ensure that appropriate security controls are applied to Customer's information assets.
- Implement Human Resource controls that minimize the risk of theft, fraud, or misuse of Customer information assets. Require annual information security awareness training for employees whose job role may affect Customer information assets.
- Ensure that all facilities providing contracted services possess adequate controls to protect against unauthorized physical access, and that facility design includes protection against fire, flood, earthquakes and other natural or man-made disasters.
- Establish standards and procedures for the provisioning, management, backup, and retirement of Supplier systems involved with storing, transmitting, or processing Customer information assets.
- Implement sufficient monitoring controls to ensure system, security, and operational incidents are detected in a timely manner. Establish formal incident response and investigation procedures that include timely notification to Customer as required by Item 4.
- Protect Customer information assets as appropriate based upon the sensitivity or formal classification, as applicable.
- Provide access to Customer information assets in a manner consistent with the concept of Least Privilege and based upon business requirement and need-to-know.
- Maintain rigorous internal and external network security controls to protect Customer information assets from data transmission risks.
- Hold any third parties with access to Customer information assets to the same policies and standards as those detailed in this document.
- Develop configuration, change, and release management practices to ensure the environment in which Customer information assets reside is properly governed, administered, and remains compliant over time.
- Design business continuity and disaster recovery practices commensurate with the risk to Customer information assets and in compliance with any particular quantified SLA.
- Comply with all Supplier’s legal obligations relevant to the provisioning of services for Customer information assets.
- Maintain a comprehensive information security management program which protects Customer information assets relative to their sensitivity and classification.
- Implement event, incident, and problem management processes and controls designed to identify, respond to, and remediate information technology issues within systems engaged in servicing Customer.
2. Ensure that each Supplier employee or third party complies with relevant legal, regulatory, and professional/ethical obligations in regard to the collection, processing, and protection of personally identifiable information. Upon reasonable prior notice during regular business hours, Supplier grants to Customer the right to periodically audit Supplier's documentation as may be reasonably required solely to ensure compliance with these Security and Disaster Recovery Practices.
3. Upon reasonable advance notice as reasonably requested by Customer, Supplier will provide documentation of the security posture of the Service(s) to the extent available. Such documentation shall include, but not be limited to, SSAE 16, SOC 2 Type II, or the equivalent, or the summaries of any audit reports (or the successors thereto), and ISO/PCI/HIPAA/HITECH certifications.
4. Upon reasonable request, Supplier agrees to provide Customer with reasonable summaries of its breach notification policy and incident response plan. In the event of a data breach, Supplier is required to notify Customer within 72 hours by emailing ITHD@bakermckenzie.com or calling one of the following numbers:
- U.S. Toll Free: +1 877-861-9800
- North and South America: +1 312-861-1366
- Europe: +44 20-7919-5400
- Asia-Pacific: +63-2-8194778
5. Upon reasonable request, Supplier agrees to provide Customer with summaries of Supplier's disaster recovery/business continuity plan.
6. Supplier agrees that any and all copies of information stored, transported or otherwise processed by Supplier on behalf of Customer, its business partners, vendors, or clients, including any archival or backup copies will be returned to Customer and/or destroyed in a secure manner upon request or termination of the relationship with Customer.