Working with Open Assets Data Processing Addendum

Effective date: 07/07/2024

This Data Processing Agreement (the “DPA”) reflects the parties’ agreement to process Personal Data in accordance with the requirements of the Data Protection Laws and Regulations under the Open Assets Terms of Service. This DPA shall be automatically deemed incorporated by reference into the executed Software Licence Agreement between you and Open Applications Ltd (the “Agreement”).

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order Form or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency

 Capitalized terms that are not defined herein shall have the meaning given to them in the Terms of Service.

Data Processing Terms

In the course of providing the Services (as defined below) to You, Open Assets may Process Personal Data on Your behalf. Open Assets agrees to comply with the following provisions with respect to any Personal Data submitted for Processing in the Open Assets Service by either You or Your third parties who have licenses to access the Open Assets Service.

 1. Definitions

1.1. These terms have the following meanings when used in this DPA:

 “Affiliate” means with respect to a party, any corporation, partnership, firm, joint venture, limited liability company, association, joint-stock company, trust, unincorporated organization, governmental organization or body that, directly or indirectly through one or more intermediaries, controls, is controlled by or is under common control with that party.

“Control” (including the terms “controlled by” and “under common control with”) means the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of such entity, organization or body, whether through the ownership of voting securities or otherwise;

"Data Controller" means you the entity that determines the purposes and means of the Processing of Personal Data;

 "Data Exporter" means you the entity that transfers Personal Data from the European Economic Area to the Data Importer;

"Data Importer" means Open Assets, as the entity that receives Personal Data from the Data Exporter;

"Data Processor" means Open Assets, the entity which Processes Personal Data on behalf of the Data Controller;

"Data Protection Laws and Regulations" means any and all applicable laws and regulations, including, without limitations, laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Personal Data and the interception of communications under the Agreement, as same may be amended from time to time, including, without limitation, the General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679);

"Data Subject" means the identified or identifiable natural person (who is or can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity) to whom Personal Data relates;

 "Data Subject Request" means a request from a Data Subject for access to, correction, amendment, transfer, or deletion of that person's Personal Data;

 "Effective Date" means the date this DPA is effective, which shall be the later of the dates beneath the parties’ signatures below; "Member State" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

 "Personal Data" means any information relating to a Data Subject provided by You (or on Your behalf) to Open Assets under the Agreement;

 "Processing” or “Process" means any operation or set of operations which is performed by Open Assets or by Open Assets third parties as part of the Services upon Personal Data, whether or not by automatic means, including but not limited to storing, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, organizing, structuring, altering, accessing, copying, transferring, blocking, erasing, destroying, or disposing;

"Regulator" means, as applicable, any law enforcement or other agency having regulatory, supervisory, or governmental authority over all or any part of the Processing of Personal Data in connection with the provision or receipt of the Services, including, without limitation, the European data protection supervisory authorities;

 "Services" means the services being provided by Open Assets to You as described and/or defined, and as governed, by the Agreement;

 "Standard Contractual Clauses" means the agreement executed by and between You and Open Assets, and attached hereto as Attachment 2 pursuant to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of Personal Data to processors established in Third Countries;

"Sub-processor" means a third party subcontractor engaged by Open Assets to Process Personal Data in connection with Open Assets delivery of the Services;

 "Third Country" means a country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data; and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data;

2. Relationship with the Agreement and the Standard Contractual Clauses

2.1. The parties acknowledge that the objective of this DPA is to amend the Agreement in order to meet the minimum requirements of the Data Protection Laws and Regulations and not to dilute existing protections in the Agreement. Therefore, if and to the extent there is any inconsistency between any provision of the Agreement addressing data privacy matters and the provisions of the DPA, the DPA shall prevail.

 2.2. If and to the extent that there is any inconsistency between the main body of the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

 3. Processing of Personal Data

 3.1. Roles of the Parties

The parties acknowledge and agree that with regard to the Processing of Personal Data, You are the Data Controller and Open Assets is the Data Processor.

 3.2. Data Controller’s Processing of Personal Data

3.2.1. You shall direct Open Assets regarding the legal Processing of Personal Data.

 3.2.2. As requested by You in writing, Open Assets will provide You with details of Open Assets Processing activities in order that You may comply with Your obligations under Data Protection Laws and Regulations.

 3.3. Open Assets Processing of Personal Data

 3.3.1. Open Assets undertakes to perform its obligations under the Agreement in a manner that

does not cause either party to breach the Data Protection Laws and Regulations or this DPA in relation to its Processing of Personal Data.

 3.3.2. Open Assets will inform You if, in its reasonable opinion, Open Assets believes that any instruction given by You pursuant to clause 3.3.3 or clause 11.3 below violates the Data Protection Laws and Regulations. The parties shall consult with their respective advisors regarding the potential violation and Open Assets shall not be responsible for following such instruction during the consultation period.

 3.3.3. Open Assets shall only Process Personal Data on behalf of and in accordance with Your instructions under the Agreement and shall treat Personal Data as confidential information under the Agreement. You hereby instruct Open Assets to Process Personal Data solely and exclusively in accordance with the Agreement, including this DPA, and only to the extent  necessary to deliver and perform the Services.

3.3.4. Open Assets may also Process Personal Data as required to respond to legally binding requests of relevant authorities and to otherwise comply with applicable laws and regulations, including the Data Protection Laws and Regulations, provided Open Assets will always:

(1) promptly inform You of the request, the data concerned, requested response time, the identity of the requesting authority, and the legal basis for the request, unless strictly prohibited by law from doing so;

(2) wait for Your instructions before disclosing any information, provided that the instruction is received from You within a reasonable period of time taking into account the time period afforded to You by the law enforcement agency or other third parties; and (3) where Open Assets is strictly prohibited from informing You about the law enforcement agency's or other third party's request, take all reasonable steps to have this prohibition waived and to make available to You relevant information about the request as soon as possible.

 3.4. Scope and Purpose; Categories of Personal Data and Data Subjects

The objective for the Processing of Personal Data by Open Assets is the performance of the Services pursuant to the Agreement. The types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Attachment 1 (Data Processing Details Addendum) to this DPA.

 3.5. Limitation on disclosure

Other than to the extent permitted by the Agreement and clauses 3.3.4, 6 and 13, Open Assets shall not disclose Personal Data to any third parties without Your prior written consent.

 4. Rights of Data Subjects

4.1. Correction, Blocking, and Deletion

Open Assets shall promptly comply with any request mandated by Data Protection Laws and Regulations applicable to Open Assets and made by You, to correct, block, or delete Personal Data.

 4.2. Data Subject Requests

Open Assets shall, to the extent legally permitted, promptly notify You if Open Assets receives a Data Subject Request. Open Assets shall not comply with such Data Subject Request until You have directed it in writing to comply with such Data Subject Request.

 4.3. Complaints or requests

Without limiting clause 4.2, Open Assets shall notify You promptly upon receipt of any complaint or request relating to: (a) Your obligations under the Data Protection Laws and Regulations;

(b) Personal Data; or

(c) any breach of this DPA, and shall provide all co-operation and assistance in relation to such complaint, request or breach reasonably requested by You.

 5. Open Assets Personnel

 5.1. Confidentiality

Open Assets shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements.

 5.2. Reliability

Open Assets shall take reasonable steps to ensure the reliability of any personnel, including any of its sub-contractors, engaged in Processing of Personal Data.

 5.3. Limitation of Access

Open Assets shall ensure that access to Personal Data is solely and exclusively limited to those of Open Assets personnel who require such access to perform the Services under the Agreement.

 6. Sub-processors

6.1. Appointment of Sub-processors

You acknowledge and agree that, unless prohibited under the Agreement, Open Assets may engage third party Sub-processors in connection with the provision of the Services.

 6.1.1. Sub-processing Agreement. Promptly after the Effective Date, Open Assets shall ensure that the agreement entered into with any Sub-processor imposes on the Sub-processor materially similar obligations as Open Assets is subject to under this DPA.

 6.1.2. List of Current Sub-processors and Notification of New Sub-processors. Upon request, Open Assets shall make available to You a current list of Open Assets Sub--processors for the Services ("Sub-processor List"). Open Assets  shall inform You of any intended change, including additions or replacements of Sub-processors, by updating the Sub-processor List and providing the updated Sub-processor List to You before implementing such change. You shall have the opportunity to reasonably object to such changes and Open Assets will work with You in good faith to address Your concerns. In the event You do not agree with the Sub-processor Open Assets has chosen, Your sole remedy is to cease using the functionality afforded by the replacement Sub-processor.

 6.2. Responsibility for Sub-processors. Subject to the mutually agreed limits of liability in the Agreement, Open Assets shall be responsible and liable for performance of Open Assets Subprocessors under this DPA, including where Open Assets subcontracts such performance.

Furthermore, Open Assets shall be responsible and liable for the acts, omissions, or defaults of Open Assets Sub-processors in the performance of their obligations under this DPA or otherwise as if they were Open Assets own acts, omissions or defaults.

 7. Security

 Open Assets shall:

7.1. implement appropriate procedural, technical, and organisational measures to prevent unlawful disclosure, unauthorised Processing of, or accidental loss, destruction, damage, or alteration to Personal Data, including the security measures set forth in Attachment 2, Schedule 2 (Security Measures); and

 7.2. maintain proper records of all Processing of Personal Data (including an up-to-date log of which of Open Assets personnel have or have had access to Personal Data at any time during the term of the Agreement, what Processing has been undertaken, which Sub-processors have been involved, and the geographic location of the Processing).

 8. Audits and Requests for Information and Assistance

Where requested by You, subject to reasonable and appropriate confidentiality undertakings,

Open Assets shall:

 8.1. permit You (or Your authorised representatives) to inspect and audit Open Assets data processing activities, including Open Assets facilities, and Open Assets will facilitate Your reasonable requests to audit and/or inspect the data processing activities of Open Assets Subprocessors;

 8.2. cooperate with, and comply with all reasonable requests or directions by You, to enable You to confirm that Open Assets is in full compliance with Open Assets data protection obligations under the Agreement and this DPA, including making available all information necessary to demonstrate such compliance;

 8.3. promptly take such remedial actions as are reasonably requested by You and agreed by Open Assets following such audit to ensure compliance with Data Protection Laws and Regulations; and

 8.4. upon written request by You and to the extent You do not otherwise have access to the relevant information required, provide You with such information and assistance as may be reasonably required for You to comply with any obligation under Data Protection Laws and Regulations to carry out an assessment of the impact the Processing operations may have on the protection of the Personal Data.

 9. Security Breach Management and Notification

 Open Assets shall:

 9.1. promptly notify You upon becoming aware of the occurrence of any incident which has resulted, or is reasonably likely to result, in a breach of security, including any accidental or unlawful loss, theft, deletion, disclosure or corruption of Personal Data and/or any unauthorised use or access to Personal Data (a "Security Incident");

 9.2. provide all cooperation and information reasonably requested by You in respect of a Security Incident, including notifying You as soon as possible following, and in any event, within twentyfour (24) hours of Open Assets detection of the Security Incident:

 9.3. provide details of the Security Incident, including (a) how the Security Incident was discovered and other circumstances surrounding the Security Incident; and (b) the categories and approximate number of Data Subjects concerned;

 9.4. provide details of the Personal Data compromised, including the categories and approximate number of Personal Data records concerned;

 9.5. where known, provide details of the likely consequences of the Security Incident;

 9.6. provide details of how the Security Incident is being investigated, and any mitigation and remediation steps already put in place or to be put in place; and

 9.7. indicate whether any regulatory authority, the Data Subjects themselves, and/or the media have been informed or is otherwise already aware of the Security Incident, and their response (if any).

 10. Deletion of Data

 10.1. At any time, You may request in writing that Open Assets cease to use or Process any Personal Data received from or on Your behalf under the Agreement, and destroy (at Your direction) any Personal Data in Open Assets possession or control.

 10.2. If requested by You in writing, the Personal Data, together with all copies or other reproductions in whole or in part thereof, shall be securely destroyed and written confirmation signed by a senior officer of Open Assets confirming such destruction shall be delivered to You by Open Assets. Notwithstanding the foregoing, Open Assets shall be permitted to retain one (1) copy of the Personal Data (i) if and as long as required by law, regulation, administrative or court order or for internal auditing purposes, and (ii) as electronic data stored due to automatic archiving and back-up procedures if and only to the extent such destruction would require unreasonable efforts and be overly burdensome (any information not returned or destroyed pursuant to the foregoing, the "Retained Information"). Open Assets shall keep (and shall ensure any of Open Assets Sub-processors keep) the Retained Information permanently confidential pursuant to the terms of the Agreement and this DPA, notwithstanding the termination of this DPA, until the date such Retained Information is destroyed.

 11. Additional Terms for EU Personal Data (Export Mechanism)

 11.1. Open Assets shall not transfer Personal Data of Data Subjects located in the European Economic Area ("EEA") to outside the EEA without Your prior written consent and, where You consent to such transfer.

 11.2. Application of Standard Contractual Clauses. The Terms of Service and this DPA will apply to the Processing of Personal Data of Data Subjects located in the EEA that is transferred from the EEA to outside the EEA, either directly or via onward transfer, to any Third Country outside.

 12. Instructions

This DPA and the Terms of Service are Your complete and final instructions to Open Assets for the Processing of Personal Data. Any additional or alternate instructions must be mutually agreed upon in a separate writing.

13. Cooperation with Regulators and Conduct of Claims

13.1. Open Assets shall notify You of all enquiries from a Regulator that Open Assets receives which relate to the Processing of Personal Data, the provision or receipt of the Services, or  either Party's obligations under the Agreement and/or this DPA, unless prohibited from doing so at law or by the Regulator.

 13.2. Unless otherwise agreed by the parties or directed by the Regulator:

 13.2.1. You shall be exclusively responsible for all communications or correspondence in relation to the Processing of Personal Data and the provision or receipt of the Services;

and

13.2.2. You will keep Open Assets informed of such communications or correspondence to the extent that they affect Open Assets obligations under the Agreement and/or this DPA.

 14. Indemnity for Third Party Claims

Subject to the indemnification terms in the Terms of Service, including any mutually agreed limitations of liability, each party shall, at all times during and after the term of the Agreement, indemnify the other party and keep the other party indemnified against all losses, damages, costs or expenses and other liabilities (including, without limitations, reasonable and substantiated legal fees, fines, sanctions and other penalties imposed by a Regulator or government or competent authority under Data Protection Laws and Regulations) incurred by or awarded against such party as a result of or in connection with any third party claims arising from any breach of the indemnifying party’s obligations under this DPA.

 15. Termination

This DPA will terminate when Open Assets ceases to Process Personal Data, unless otherwise agreed in writing between the parties.

16. Survival of Certain Provisions

The provisions of this DPA set forth in clauses 10and any remedy for breach thereof shall survive the termination of this DPA.

 17. Governing Law

To the extent required by applicable Data Protection Laws and Regulations (for example in relation to the governing law of the Standard Contractual Clauses), this DPA shall be governed by the laws of England and Wales.

18. Counterparts and Electronic Transmission

This DPA may be executed in any number of counterparts, all of which taken together shall constitute one and the same instrument, and either of the parties hereto may execute this DPA by signing any such counterpart. Delivery of an executed signature page by any party to this DPA by electronic transmission will be as effective as delivery of an original executed copy of the DPA by such party.

This DPA may be updated by mutual execution of an amendment to ensure compliance with applicable laws and regulations, which as updated will continue to be part of this DPA.

 Data Subjects:

 The Personal Data Processed may at any time during the life of the Agreement concern the following categories of Data Subjects:

 ·        Employee Data

·        Associated Third Parties

 Categories of Personal Data:

The Categories of Personal Data Processed may at any time during the life of the Agreement include the following:

·         Names

·         Aliases

·         Addresses

·         Insurance information

·         PII

·         Contact Details

 Processing operations

The Personal Data Processed may at any time during the life of the Agreement be subject to the following basic processing activities:

·         Storage

·         Updating of contact information as requested

·         Error analysis and correction in case of maintenance

·         Client Support as requested

·         Spreadsheet data loads

·         Automated data transfers from an external data source to the Service or from the Service to an external party

 MODEL CLAUSES

All capitalized terms not defined herein shall have the meaning set forth in the Agreement. Unless otherwise expressly set forth herein, these Model Clauses are subject to all the terms and conditions of the Agreement. The effective date of these Model Clauses is the later of the dates beneath the parties’ signatures below (“Model Clauses Effective Date”).

 I. BACKGROUND

(A) Open Applications Ltd., on behalf of itself and its Affiliates, is collectively, the “data importer”.

 (B) It is the parties’ intention to ensure that the data importer affords an adequate level of protection to all Personal Data of data exporter and of its Affiliates (as defined in the Agreement) Processed by the data importer through RMIS or otherwise, regardless of the origin the Personal Data.

The provisions of Title III of these Model Clauses describe the responsibilities of the data importer when Processing any Personal Data of data exporter. Title III is applicable to all Personal Data without distinction as to its origin.

 (C) The parties acknowledge that with respect to Personal Data originating from the European Economic Area (EEA) and Switzerland (collectively “European Region”), there are specific requirements related to the Processing of Personal Data, including in connection with the cross-border transfer of Personal Data originating in the European Region. These requirements follow from the EU Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (as implemented in national law), and with effect from 25 May 2018 these requirements follow from the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“EU General Data Protection Regulation” or “GDPR”) (as implemented in national law in the case of EEA member states which are not part of the EU, and as amended from time to time), and the requirements also follow from the Swiss Federal Act on Data Protection, as the case may be.

 (D) The provisions of Title IV (“Controller to Processor Model Clauses”) to these Model Clauses describe the safeguards required for Personal Data originating from the European Region. In regards to Personal Data originating from the European Region, the provisions of Title III and Title IV apply simultaneously. If there is an inconsistency between any of the provisions of Title III and Title IV, the relevant provision in Title IV will prevail.

 (E) Data importer and data exporter are hereby entering into these Model Clauses under which data exporter has agreed to transfer, and data importer, as Processor, has agreed to receive, data exporter’s Personal Data intended for processing on data exporter’s and its Affiliates’ behalf in accordance with these Model Clauses.

 (F) To safeguard the applicable data exporter’s Personal Data, the parties have agreed to enter into these Model Clauses.

 II. SCOPE

These Model Clauses only applies to personal data submitted to data importer by or on behalf of data exporter in the context of the Agreement.

 III. STANDARD CLAUSES (collectively, the “Clauses”)

Clause 1 - Definitions

For the purposes of the Clauses:

(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in GDPR; in Switzerland where the data protection laws also cover the data of legal entities, the term “personal data” also covers the data of legal entities

(b) 'the data exporter' means the controller who transfers the personal data;

(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

 Clause 2 - Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Schedule 1 which forms an integral part of the Clauses.

 Clause 3 - Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

 2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

 3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

 4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

 Clause 4 - Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Schedule 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Schedule 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and (j) that it will ensure compliance with Clause 4(a) to (i).

 Clause 5 - Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Schedule 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Schedule 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

 Clause 6 - Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities. 

3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties agree that if one party is held liable for a violation of the clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.

Indemnification is contingent upon:

(a) The party seeking indemnification to promptly notify the other party of a claim;

and

(b) the party seeking indemnification being given the possibility to cooperate with the other party in the defence and settlement of the claim.

5. TO THE EXTENT PERMITTED BY APPLICABLE LAW AND TO THE EXTENT THAT EITHER PARTY INCURS LIABILITY UNDER THESE MODEL CLAUSES, THEN THE LIMITATION OF LIABILITY PROVISIONS IN THE MAIN AGREEMENT SHALL APPLY.

Clause 7 - Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8 - Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

 2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

 3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

 Clause 9 - Governing Law

These Model Clauses shall be governed by the law of the Member State in which the data exporter is established.

 Clause 10 - Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

 Clause 11 - Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.

 2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

Clause 12 - Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

 2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.