Data Processing Addendum
This data processing addendum (“DPA”) supplements and modifies the Terms and Conditions (“TAC”) governing the use of EPIC Services Group LLC (“EPIC”) Products and Services. This DPA is pursuant to the General Data Protection Regulation (“GDPR”) and in particular addresses Article 28 (Processor Terms) and incorporates Standard Contractual Clauses for Controller to Processor transfers of Personal Data to third countries.
This Data Processing Addendum (“Addendum”) forms an integral part of the Terms and Conditions (“TAC”) governing the use of the EPIC Software platform as between each EPIC Services end-user or licensee (“Customer / Controller”) acting with respect to its own data and on behalf of data it controls for its own customers and leads; and (ii) EPIC Services Group LLC (“EPIC”) (acting on its own behalf and as agent for any of its Affiliates)
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the TAC. Except as modified below, the terms of the TAC shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the TAC. Except where the context requires otherwise, references in this Addendum to the TAC are to the TAC as amended by, and including, this Addendum.
1 .1 “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Process/Processing”, “Processor”, “Special Categories of Data”, and “Supervisory Authority” shall respectively have the meanings set forth in the GDPR with regard to the processing of Personal Data and the free movement of such data and their cognates shall be construed accordingly;
1 .2 In this Addendum, the following additional terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.2.1 “Applicable Laws” means (a) the laws of the European Union or any Member State with respect to any Personal Data in respect of which EPIC is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Customer/Controller Personal Data in respect of which EPIC is subject to any other Data Protection Laws.
1.2.2 “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership with a Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2.3 “EPIC” means EPIC Services Group LLC or any of its Affiliates.
1.2.4 “Customer/Controller Personal Data” means any Personal Data processed by EPIC or a Contracted Processor on behalf of EPIC pursuant to or in connection with the TAC or Customer/Controller’s use of EPIC Products and Services.
1.2.5 “Contracted Processor” means a Processor or a Subprocessor contracted by EPIC.
1.2.6 “Data Exporter” means the party who transfers the Personal Data, as a Controller, or as a Processor on behalf of the Controller, in accordance with the terms of the Standard Contractual Clauses provided in Annex 2 or as amended.
1.2.7 “Data Importer” means the party who agrees to receive Personal Data from the Data Exporter, in accordance the terms of the Standard Clauses and instructions from the Data Exporter;
1.2.8 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.2.9 “EEA” means the European Economic Area;
1.2.10 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.2.11 “GDPR” means EU General Data Protection Regulation 2016/679;
1.2.12 “Restricted Transfer” means:
18.104.22.168 A transfer of Customer/Controller Personal Data from EPIC to a Contracted Processor; or
22.214.171.124 An onward transfer of Customer/Controller Personal Data from a Contracted Processor to a different Contracted Processor, or an intracompany transfer between two locations of a particular Contracted Processor,
In each case, where such transfer would otherwise be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses provided herein below. For the avoidance of doubt: (a) without limitation to the generality of the foregoing, the parties to this Addendum intend that transfers of Personal Data from the UK to the EEA or from the EEA to the UK, following any exit by the UK from the European Union shall not be Restricted Transfers until such time as it is formally determined by an appropriate authority that such transfers are prohibited by Data Protection Laws of the UK or EU Data Protection Laws (as the case may be) in the absence of the Standard Contractual Clauses provided herein; and (b) where a transfer of Personal Data is of a type authorized by Data Protection Laws in the exporting country, for example in the case of transfers from within the European Union to a country (such as Switzerland) or under a scheme (such as the US Privacy Shield) which is approved by the Commission as ensuring an adequate level of protection or any transfer which falls within a permitted derogation, such transfer shall not be a Restricted Transfer.
1.2.13 “Services” means the services and other activities to be supplied to or carried out on behalf of Customer/Controller by EPIC pursuant to the TAC.
1.2.14 “Standard Contractual Clauses” or “Controller-To-Processor Clauses” means the Standard Contractual Clauses between controllers and processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at https://epicnetwork.com/standard-contractual-clauses/ and also set out in Annex 2, as amended in that Annex and/or under section 13.4.
1.2.15 “Subprocessor” means any person (excluding an employee of Customer/Controller or any of its sub-contractors) appointed by a Contracted Processor to Process Personal Data on behalf of EPIC in connection with the TAC; and
1 .3 The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
EPIC warrants and represents that before any Contracted Processor processes any Customer/Controller Personal Data on behalf of EPIC, EPIC will use commercially reasonable efforts to ensure that Contracted Processor has been duly and effectively authorized (or subsequently ratified) to process such data in a manner compliant with the requirements of the GDPR. Customer/Controller warrants and represents that, Customer/Controller is lawfully in possession of such data and has a lawful basis for providing such data to EPIC for processing or for authorizing EPIC to process the Customer/Controller Personal Data on behalf of Customer/Controller under this Addendum.
3.1 EPIC shall and each Contracted Processor shall be obligated to:
3.1.1 Comply with all applicable Data Protection Laws in the Processing of Customer/Controller Personal Data; and
3.1.2 Not Process Customer/Controller Personal Data other than on the relevant Customer/Controller’s documented instructions unless Processing is authorized under / by Applicable Laws to which EPIC or the Contracted Processor is subject. In the latter case EPIC shall where reasonable or to the extent required by Applicable Laws inform the Customer/Controller before the relevant Processing of that Personal Data.
3.2.1 Shall instruct EPIC (and authorizes EPIC and each Contracted Processor to instruct each Subprocessor) to:
126.96.36.199 Process Customer/Controller Personal Data; and
188.8.131.52 In particular, transfer Customer/Controller Personal Data to or from any country or territory, as reasonably necessary for the provision of the Services and consistent with the TAC; and
3.2.2 Shall obtain any and all required consents with respect to any data collected by it, or with respect to which it instructs EPIC or any Contracted Processor to act on its behalf
3.2.3 Warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 3.2.1 on behalf of itself and any Customer/Controller Affiliate.
3.3 Annex 1 to this Addendum sets out certain information regarding the Contracted Processors’ Processing of the Customer/Controller Personal Data as required by article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). EPIC may make reasonable amendments to Annex 1 by written notice to Customer/Controller from time to time, as EPIC reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 3.3) confers any right or imposes any obligation on any party to this Addendum.
EPIC shall take reasonable steps to ensure the reliability of any of its employees, agents, or contractors, and those of any Contracted Processor who may have access to the Customer/Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer/Controller Personal Data, as strictly necessary for the purposes of the TAC, or to carry out the Services in compliance with Applicable Laws in the context of that individual’s duties to EPIC or the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5.1 Taking into account the state of the art, the costs of implementation, practicality, and the nature, scope, context, purposes of Processing as well as the risks to the rights and freedoms of natural persons, EPIC shall in proportion thereto implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
5.2 In assessing the appropriate level of security, EPIC shall take account the likely risks that are presented by Processing, in particular from the perspective of a Personal Data Breach.
6.1 Customer/Controller authorizes EPIC to appoint Processors and Subprocessors in accordance with this section 6 and any restrictions in the TAC, and to permit each Processor or Subprocessor duly appointed in accordance with this section 6 to appoint further Processors or Subprocessors.
6.2 EPIC may continue to use those Processors and Subprocessors already engaged by EPIC as at the date of this Addendum, subject to EPIC in each case as soon as practicable meeting the obligations set out in section 6.4.
6.3 To the extent required under the GDPR, EPIC shall give Customer/Controller prior written notice of the appointment of any new Processors or Subprocessor, including full details of the Processing to be undertaken by the Processor or Subprocessor. Such appointment shall be effective unless within 10 (ten) days of receipt of such notice, Customer/Controller provides EPIC written objections (on reasonable grounds) to the proposed appointment. EPIC shall not appoint (or disclose any Customer/Controller Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by Customer/Controller and Customer/Controller has been provided with a reasonable written explanation of the steps taken.
6.4 With respect to each Processor or Subprocessor, EPIC shall:
6.4.1 before the Processor or Subprocessor first Processes Customer/Controller Personal Data (or, where relevant, in accordance with section 6.2), carry out adequate due diligence under the circumstances to ensure that the Processor or Subprocessor is capable of providing the level of protection for Customer/Controller Personal Data required by the Applicable Law, this Addendum, or under the TAC.
6.4.2 ensure that the arrangement between on the one hand, EPIC, or the relevant intermediate Processor or Subprocessor; and on the other hand the Processor or Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Customer/Controller Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR.
6.4.3 if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between on the one hand, EPIC, or the relevant intermediate Processor or Subprocessor; and on the other hand the Processor or Subprocessor, or before the Processor or Subprocessor first Processes Customer/Controller Personal Data procure that it enters into an agreement incorporating the Standard Contractual Clauses with EPIC, or the relevant intermediate Processor or Subprocessor; and
6.4.4 provide to Customer/Controller for review such copies of the Contracted Processors’ agreements with Processor or Subprocessor (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum, or Applicable Law) as Customer/Controller may request from time to time.
6.5 Customer/Controller and each Customer/Controller Affiliate shall ensure that each Processor or Subprocessor performs the obligations under sections 3.1, 4, 5, 7.1, 8.2, 9 and 11.1, as they apply to Processing of Customer/Controller Personal Data carried out by that Processor or Subprocessor, as if it were party to this Addendum in place of Customer/Controller.
7.1 Nothing herein shall relieve Customer/Controller from affording any required right to any Data Subject including any requirement to obtain adequate consent from a Data subject prior to collection of Personal Data.
7.2 Taking into account the nature of the Processing, EPIC shall assist Customer/Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer/Controller’s obligations, as reasonably understood by EPIC, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
7.3 EPIC shall:
7.3.1 promptly notify Customer/Controller if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Customer/Controller Personal Data; and
7.3.2 ensure that the Contracted Processor does not respond to that request except on the documented instructions of Customer/Controller or as required by Applicable Laws to which the Contracted Processor is subject, in which case EPIC shall to the extent permitted by Applicable Laws inform Customer/Controller of that legal requirement before the Contracted Processor responds to the request.
8.1 EPIC shall notify Customer/Controller without undue delay upon EPIC, a Contracted Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Customer/Controller Personal Data, providing Customer/Controller with sufficient information to allow Customer/Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8.2 EPIC shall co-operate with Customer/Controller and take such reasonable commercial steps as are directed by Customer/Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
To the extent required under Applicable Law, EPIC shall provide reasonable assistance to Customer/Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer/Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer/Controller Personal Data by, and taking into account the nature of the Processing and information available to the Contracted Processors.
10.1 Subject to sections 10.2 and 10.3 Customer/Controller and each Customer/Controller Affiliate shall promptly and in any event within 21 (twenty-one) days of the date of cessation of any Services involving the Processing of Customer/Controller Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer/Controller Personal Data. For the sake of clarity, for purposes of this Section 10 “delete” means redacting, blocking or restricting access, permanently removing, or obliterating such that it cannot be recovered or reconstructed, as circumstances reasonably permit and Applicable Law permits.
10.2 Subject to section 10.3, Customer/Controller may in its discretion request, by written notice to EPIC within 21 (twenty-one) days of the Cessation Date, that EPIC (a) return a complete copy of all Customer/Controller Personal Data to EPIC by secure file transfer in such format as is reasonably requested by Customer/Controller or in which the data are stored in the normal course of business; and (b) delete and procure the deletion of all other copies of Customer/Controller Personal Data Processed by any Contracted Processor. EPIC shall comply with any such written request within 30 (thirty) days of the Cessation Date.
10.3 Each Contracted Processor may retain Customer/Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws. EPIC shall reasonably ensure that such Customer/Controller Personal Data is only Processed or retained as provided herein as necessary for the purpose(s) specified in the Applicable Laws.
10.4 Where requested in writing, EPIC shall provide written confirmation to Customer/Controller that it has fully complied with this section 10 within 30 (thirty) days of the Cessation Date.
11.1 Subject to the provisions of this Section, EPIC shall make available to Customer/Controller on request all information reasonably necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Customer/Controller or an auditor appointed by Customer/Controller in relation to the Processing of the Customer/Controller Personal Data by the Contracted Processors.
11.2 Information and audit rights of the Customer/Controller only arise under section 11.1 to the extent that the TAC does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable,
article 28(3)(h) of the GDPR).
11.3 A Customer/Controller may only mandate an auditor for the purposes of section 11.1 if the auditor is identified at least sixty (60) days in advance in writing and approved by EPIC. EPIC shall not unreasonably withhold or delay approval of an auditor. Reasonable grounds for refusing Customer/Controller’s choice of auditor shall be provided in writing, after which a new auditor shall be identified.
11.4 Audits shall be conducted only by agreement on reasonable notice of any audit or inspection to be conducted hereunder and shall use best efforts (and ensure that each of its mandated auditors makes such efforts) to avoid causing (or, if it cannot avoid, to minimize) any damage, injury, delay, or disruption to the Contracted Processors’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. A Contracted Processor need not give access to its premises for the purposes of such an audit or inspection:
11.4.1 to any individual unless he or she produces reasonable evidence of identity and authority;
11.4.2 outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer/Controller has given notice to EPIC that this is the case before attendance outside those hours begins; or
11.4.3 for the purposes of more than one audit or inspection, in respect of each Contracted Processor, in any year period, except for any additional audits or inspections which:
184.108.40.206 Customer/Controller undertaking an audit reasonably considers necessary because of genuine concerns as to EPIC compliance with this Addendum; or
220.127.116.11 Customer/Controller is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory, where Customer/Controller undertaking an audit has identified its concerns or the relevant requirement or request in its notice to EPIC of the audit or inspection.
12.1 Subject to section 12.3, Customer/Controller (as “Data Exporter”) and EPIC and each of its Contracted Processor, as appropriate, (as “Data Importer”); or EPIC (as “Data Exporter”) and each Contracted Processor or Customer/Controller have entered and/or hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from Customer/Controller to EPIC or its Contracted Processor or from EPIC to Customer/Controller or a Contracted Processor.
12.2 The Standard Contractual Clauses shall come into effect under section 12.1 on the later of:
12.2.1 the Data Exporter becoming a party to them;
12.2.2 the Data Importer becoming a party to them; and
12.2.3 commencement of the relevant Restricted Transfer.
12.3 Section 12.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining further or additional consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
12.4 EPIC warrants and represents that, before the commencement of any Restricted Transfer to a Subprocessor entry into the Standard Contractual Clauses under section 12.1, and agreement to variations to those Standard Contractual Clauses made under section 13.4.1, as agent for and on behalf of that Subprocessor will have been duly and effectively authorized (or subsequently ratified) by that Subprocessor.
Governing law and jurisdiction
13.1 Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
13.1.1 the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the TAC with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity, or termination, or the consequences of its nullity; and
13.1.2 this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the TAC.
Order of Precedence
13.2 Nothing in this Addendum alters either party’s obligations under the TAC in relation to the protection of Personal Data or permits either party to Process (or to permit the Processing of) Personal Data in a manner which is prohibited by the TAC or Applicable Law. In the event of any conflict or inconsistency between this Addendum, and/or the TAC, and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
13.3 Subject to section 13.2, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the TAC and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
Changes in Data Protection Laws
13.4 EPIC may:
13.4.1 by at least 30 (thirty) calendar days’ written notice to Customer/Controller from time to time make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under section 12.1), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
13.4.2 propose any other variations to this Addendum which EPIC reasonably considers to be necessary to address the requirements of any Data Protection Law.
13.5 If EPIC gives notice under section 13.4.1:
13.5.1 The parties shall promptly co-operate (and ensure that any affected Contracted Processors and/or Subprocessors promptly co-operate) to ensure that equivalent variations are made to any agreement put in place under section 6.4.3; and
13.5.2 Customer/Controller shall not unreasonably withhold or delay agreement to any consequential variations to this Addendum proposed by EPIC to protect the Contracted Processors against additional risks associated with the variations made hereunder.
13.6 If EPIC gives notice under section 13.4.2, it shall propose reasonable variations with a view to implementing those or reasonable alternative variations designed to address the requirements identified in EPIC’s notice as soon as is reasonably practicable.
13.7 Neither EPIC nor Customer/Controller shall require the consent or approval of any Affiliate to amend this Addendum pursuant to this section 13.5 or otherwise.
13.8 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF COMPANY PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer/Controller Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Customer/Controller Personal Data
The subject matter and duration of the Processing of the Customer/Controller Personal Data are set out in the TAC and this Addendum and relate to EPIC’s obligations to provide the requested Products or Services in connection with the EPIC Product or Services.
The nature and purpose of the Processing of Customer/Controller Personal Data
EPIC processed Personal Data in order to provide the Services contemplated in the TAC in connection with the use of the EPIC Product or Services. Among the purposes of processing are to monitor transactions (including purchases, payments, and refunds), to track helpdesk tickets and/or support requests as the case may be, and responses thereto, to provide access to memberships, associated lists, and associated sequences of actions, to enable communications in connection with any of the foregoing.
The types of Customer/Controller Personal Data to be Processed.
The types of Personal Data to be processed by EPIC include but are not limited to Name, Email, Phone, Address, Country, IP address, and Username.
The categories of Data Subject to whom the Customer/Controller Personal Data relates.
Categories to which the Personal Data to be processed relate include demographic/external data, financial data, historical data, internal data (including preferences and interests) and social data.
Except where specifically required for the provision of contracted services or as incidental to the above, EPIC does not collect or track data racial or ethnic origin, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation or any other Special Category of Data.
The obligations and rights of EPIC and Customer/Controller
The obligations and rights of EPIC and EPIC Affiliates are set out in the TAC and this Addendum.
ANNEX 2: STANDARD CONTRACTUAL CLAUSES
These Clauses shall be deemed to be amended from time to time, to the extent that they relate to a Restricted Transfer which is subject to the Data Protection Laws of a given country or territory, to reflect (to the extent possible without material uncertainty as to the result) any change (including any replacement) made in accordance with those Data Protection Laws (by the Commission to or of the equivalent contractual clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 or the GDPR (in the case of the Data Protection Laws of the European Union or a Member State); or (ii) by an equivalent competent authority to or of any equivalent contractual clauses approved by it or by another competent authority under another Data Protection Law otherwise). A copy of the SCCs can be found here: https://epicnetwork.com/standard-contractual-clauses/
Standard Contractual Clause
For the purposes of this Addendum and the Directive, transfers of Personal Data from a party in one country to any party in another country shall be governed by these Standard Clauses unless other permissible on other grounds.
The Data Exporter and the Data Importer, each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the Personal Data specified in Annex 1.
EPIC and, the Data Controller or Data Processor currently uses the following Processors or Subprocessors:
The Data Exporter has entered into a data processing addendum (“DPA”) with the Data Importer. Pursuant to the terms of the DPA, it is contemplated that services provided by the Data Importer will involve the transfer of Personal Data to Data Importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and applicable data protection law, the controller agrees to the provision of such Services, including the processing of Personal Data incidental thereto, subject to the Data Importer’s execution of, and compliance with, the terms of these Clauses.
Clause 1: Definitions
For the purposes of the Clauses:
(a) ‘Personal Data’, ‘Special Categories of Data’, ‘Process/Processing’, ‘Controller’, ‘Processor’, ‘Data Subject’ and ‘Supervisory Authority’ shall have the same meaning as with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data; with the proviso where permitted by Applicable Law, if these Clauses govern a transfer of data relating to identified or identifiable corporate (as well as natural) persons, the definition of “Personal Data” is expanded to include those data
(b) ‘Data Exporter’ means the party who transfers the Personal Data in accordance with the terms of these Standard Clauses;
(c) ‘Data Importer’ means the party who agrees to receive Personal Data from the Data Exporter in accordance with instructions from the Data Exporter and the terms of these Clauses;
(d) ‘Subprocessor’ means any processor engaged by the Data Importer or by any other Subprocessor of the Data Importer who agrees to receive from the Data Importer or from any other Subprocessor of the Data Importer Personal Data exclusively intended for processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘Applicable Data Protection Law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of Personal Data applicable to a data controller in the jurisdiction in which the Data Exporter is established;
(f) ‘Technical and Organizational Security Measures’ means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2: Details of the transfer
The details of the transfer and in particular the special categories of Personal Data where applicable are specified in Annex 1 which forms an integral part of the Clauses.
Clause 3: Third-party beneficiary clause
Clause 4: Obligations of the Data Exporter
The Data Exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the jurisdiction where the Data Exporter is established) and does not violate the relevant provisions of that jurisdiction;
(b) that it has instructed and throughout the duration of the Personal Data processing services will instruct the Data Importer to process the Personal Data transferred only on the Data Exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the Data Importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves Special Categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection of the data;
(g) to forward any notification received from the Data Importer or any Subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the Data Exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for Subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of Subprocessing, the processing activity is carried out in accordance with Clause 11 by a Subprocessor providing at least the same level of protection for the Personal Data and the rights of data subject as the Data Importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5: Obligations of the Data Importer
The Data Importer agrees and warrants:
(a) to process the Personal Data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the Personal Data transferred;
(d) that it will promptly notify the Data Exporter about:
(i) any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorized access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the Data Exporter relating to its processing of the Personal Data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the Data Exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for Subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the Data Exporter;
(h) that, in the event of Subprocessing, it has previously informed the Data Exporter and obtained its prior written consent; (0 that the processing services by the Subprocessing will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any Subprocessing agreement it concludes under the Clauses to the Data Exporter.
Clause 6: Liability
Clause 7: Mediation and jurisdiction
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the jurisdiction in which the Data Exporter is established.
Clause 8: Cooperation with supervisory authorities
Clause 9: Governing Law
The Clauses shall be governed by the law of the jurisdiction in which the Data Exporter is established.
Clause 10: Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11: Subprocessing
Clause 12: Obligation after the termination of Personal Data processing services
shall destroy all the Personal Data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred anymore.
Accepted on behalf of:
Customer/Controller Name: ______________________________________
Signatory Name: ____________________________________________________________
EPIC Services Group LLC:
Signatory Name: ______________________________________________