Version: 1.0, Last Updated on: 28 May 2021


DATA PROTECTION ADDENDUM

IQAX APPLICATIONS

This Data Protection Addendum including its attachments (this “DPA”) forms part of your Agreement with IQAX governing your use and receipt of the Services. By placing an order or using the Services, you agree to this DPA. IQAX may amend this DPA from time to time in accordance with the Terms of Use. Any Special Terms shall prevail over this DPA to the extent of any inconsistency.



1. APPLICATION


1.1 This DPA applies in respect of all personal data Posted by, or on behalf of, you (including by Your Users) on the IQAX Platform or to IQAX in connection with the Agreement (including your use and receipt of the Services) (“Posted Personal Data”).

1.2 You agree that you are an independent controller in respect of the Posted Personal Data or you have obtained authorisation from the relevant controller(s) to agree to the processing of the Posted Personal Data in connection with the Agreement. If you are not an independent controller in respect of the processing of the Posted Personal Data in connection with the Agreement, you agree to:
(A) inform IQAX of the identity and contact details of the relevant controller(s); and
(B) act for and on behalf of the relevant controller(s) as the single point of contact under this DPA and in respect of the rights and obligations of the relevant controller(s) under Applicable Data Protection Law.

1.3 You appoint IQAX as a processor in respect of the processing of the Posted Personal Data in connection with the Agreement.


2. PROCESSING


2.1 Details of the types of Posted Personal Data, the categories of data subjects and the nature, purpose, subject matter and duration of the processing of the Posted Personal Data in connection with the Agreement are set out in Attachment A to this DPA.

2.2 Subject to 2.3, IQAX shall process the Posted Personal Data only on your documented instructions, being those set out in Attachment A to this DPA or otherwise agreed in writing between you and IQAX.

2.3 IQAX may process the Posted Personal Data for other purposes where it is legally required to do so by Applicable Law to which IQAX is subject, provided that, to the extent permitted by Applicable Law, IQAX informs you of that legal requirement and of the proposed processing before such processing takes place.


3. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES


3.1 IQAX shall ensure that any person acting under its authority who has access to the Posted Personal Data is subject to an appropriate contractual or statutory obligation of confidentiality.

3.2 IQAX shall take measures required by Applicable Data Protection Law, including implementing appropriate technical and organisational measures, to ensure a level of security appropriate to the risk in connection with the processing of the Posted Personal Data.

3.3 You agree that the technical and organisational measures set out in Attachment A to this DPA are appropriate with regard to the processing of your Posted Personal Data in accordance with the Agreement.


4. YOUR RESPONSIBILITIES


4.1 You agree that:
(A) you shall comply with Applicable Data Protection Law and your obligations in this DPA in connection with the Agreement and your use and receipt of the Services;
(B) you are solely responsible for determining whether the Services are sufficient to enable you (and, if applicable, the relevant controller(s)) to comply with Applicable Data Protection Law, and you have assessed the Services and the Agreement (including the matters set out in Attachment A to this DPA) and have determined that they are so sufficient;
(C) you shall (and shall ensure that Your Users) only Post personal data to IQAX or to the IQAX Platform where the processing of that personal data in accordance with the Agreement (including this DPA) is lawful under Applicable Data Protection Law;
(D) you shall not (and shall ensure that Your Users do not) Post any personal data other than the types of personal data set out in Attachment A to this DPA or as otherwise agreed in writing to IQAX or to the IQAX Platform (in particular, no Special Category Personal Data is to be Posted to IQAX or to the IQAX Platform);
(E) you shall ensure that sufficient fair and transparent processing information as required by Applicable Data Protection Law, and covering the processing that will take place in connection with the Agreement, has been provided to all data subjects to whom the Posted Personal Data relates;
(F) you shall ensure that all instructions you give to IQAX in connection with the processing of the Posted Personal Data comply with Applicable Data Protection Law;
(G) you shall promptly inform IQAX if at any time you suspect that any processing of Posted Personal Data under the Agreement would violate Applicable Data Protection Law;
(H) you (and the relevant controller(s)) are solely responsible for responding to, and complying with, requests relating to the exercise of data subjects’ rights under Applicable Data Protection Law (provided that IQAX shall provide assistance under 5 below);
(I) you shall notify IQAX promptly and in any event within 24 hours upon becoming aware of any Data Breach in connection with the Agreement; and
(J) nothing in the Agreement relieves you (or the relevant controller(s)) of any responsibilities or liabilities you have under Applicable Data Protection Law.

4.2 You shall indemnify and keep indemnified IQAX against all losses, claims, damages, liabilities, fines, sanctions, interest, penalties, costs (including legal and professional advisor costs on a full indemnity basis), charges, amounts paid to data subjects and any other expenses (whether direct or indirect), arising out of or in connection with any breach by you of your obligations, or any failure by you to meet your responsibilities, under this DPA.


5. ASSISTANCE AND REQUESTS FROM DATA SUBJECTS


5.1 You (and the relevant controller(s)) shall be solely responsible for responding to, and complying with, requests relating to the exercise of data subjects’ rights under Applicable Data Protection Law, and IQAX shall direct any such requests it receives to you.

5.2 IQAX shall, taking into account the nature of the processing, assist you, by appropriate technical and organisational measures, in fulfilling your obligations to respond to requests relating to the exercise of data subjects’ rights under Applicable Data Protection Law.

5.3 IQAX shall promptly provide to you such assistance as you may from time to time reasonably require to enable you to comply with any security, breach notification, breach communication, documentation, data protection impact assessment, prior consultation, record keeping and audit responsibilities to which you are subject under Applicable Data Protection Law. If there is a Data Breach, IQAX shall notify you without undue delay after becoming aware of such Data Breach where such notification is required by Applicable Data Protection Law.

5.4 You shall reimburse IQAX promptly on demand for any and all reasonable additional expenses IQAX may incur in providing you with assistance under 5.1 to 5.3.


6. SUB-PROCESSORS


6.1 IQAX shall, subject to 6.2, have:
(A) specific authorisation to engage the additional processors set out in Attachment A to this DPA to process the Posted Personal Data; and
(B) general authorisation to engage additional or replacement processors to process the Posted Personal Data by amending the relevant list (and thereby the Agreement) and providing you with an opportunity to object to such amendments and, if your objection is rejected, to terminate the Agreement, in each case in accordance with the Terms of Use, each additional processor being a “Sub-Processor”.

6.2 IQAX shall ensure that each Sub-Processor is bound by contractual obligations with regard to its processing of Posted Personal Data that are no less onerous than those set out in this DPA (including guarantees to implement appropriate technical and organisational security measures). IQAX shall remain fully liable to you (to the extent set out in the Agreement) where a Sub-Processor fails to perform its obligations with regard to the processing of Posted Personal Data.


7. CROSS-BORDER PERSONAL DATA TRANSFERS


7.1 By placing an order or using the Services, you and IQAX enter into the agreement set out in Attachment B to this DPA, which shall apply, subject to 7.2, to the extent that Posted Personal Data is:
(A) exported from the European Economic Area to a jurisdiction outside the European Economic Area that is not the subject of a valid adequacy decision for the purposes of Chapter V of the GDPR (and any onward transfers to such jurisdictions); or
(B) exported from the United Kingdom to a jurisdiction outside the United Kingdom that is not the subject of a valid adequacy decision for the purposes of Chapter V of the UK GDPR (and any onward transfers to such jurisdictions).

7.2 In the case of Posted Personal Data referred to in 7.1(A), references in Attachment B to this DPA to Directive 95/46/EC shall be treated as references to the relevant corresponding Articles of the GDPR.

7.3 In the case of Posted Personal Data referred to in 7.1(B), references in Attachment B to this DPA to:
(A) Directive 95/46/EC shall be treated as references to the relevant corresponding Articles of the UK GDPR;
(B) a Member State shall be treated as references to the United Kingdom; and
(C) a supervisory authority shall be treated as references to the United Kingdom Information Commissioner’s Office.

7.4 To the extent permitted by Applicable Law, the provisions of Attachment B to this DPA shall apply subject to the exclusions and limitations of liability in the Agreement.

7.5 Where you are not the sole controller in respect of any Posted Personal Data of the type referred to in 7.1(A) or 7.1(B), you agree that:
(A) you enter into the agreement in Attachment B to this DPA for and on behalf of the relevant controller(s); or
(B) you shall, prior to Posting the Posted Personal Data, procure that the relevant controller(s) execute(s) the agreement set out in Attachment B to this DPA as the data exporter with IQAX as the data importer.

7.6 To enable IQAX to engage Sub-Processors in respect of any Posted Personal Data of the type referred to in 7.1(A) or 7.1(B), you agree (or shall procure that the relevant controller(s) agree) that IQAX may enter into agreements on terms equivalent to Attachment B with IQAX’s Sub-Processors as data importers, as agent acting on behalf of you (or the relevant controller(s)) as data exporter.


8. INFORMATION AND AUDITS


8.1 Subject to 8.2 and 8.4, IQAX shall make available to you (on request) all reasonable information necessary to demonstrate its compliance with this DPA and shall allow for and contribute to audits and inspections conducted by you (or the relevant controller(s)) or another auditor specified by you.

8.2 You shall ensure that all requests for information or to exercise a right of audit or inspection under 8.1 are reasonable and are provided to IQAX in writing with no fewer than 60 days’ notice. Any such audit or inspection shall be strictly limited to auditing IQAX’s compliance with this DPA and shall be undertaken at your sole expense, during working hours and subject to any reasonable conditions IQAX may impose to prevent disruption to IQAX’s operations and business. You shall ensure that a written report is produced with the findings of any audit or inspection and that a copy of this report is promptly provided to IQAX. Any information obtained or received shall only be used or disclosed to the extent strictly necessary to assess IQAX’s compliance with this DPA and not for any other purpose.

8.3 IQAX shall immediately inform you if, in its opinion, an instruction from you with regard to 8.1 infringes Applicable Data Protection Law.

8.4 You shall reimburse IQAX promptly on demand for any and all reasonable expenses IQAX may incur in connection with any request for information or any audit or inspection under 8.1 to 8.3. The indemnity in 4.2 shall apply in respect of any breach by you (or your personnel or auditors) of the conditions in 8.2.


9. RETURN OR DELETION OF POSTED PERSONAL DATA


9.1 Within [120] days following the termination of the Agreement, IQAX shall (at your discretion) either return to you the Posted Personal Data or delete the Posted Personal Data, unless such Posted Personal Data is required to be retained under Applicable Data Protection Law. Some Posted Personal Data may remain in system backups until the expiry of those backups, no later than 120 days following termination of the Agreement.


10. UPDATES


10.1 IQAX may amend this DPA from time to time in accordance with the Terms of Use. These amendments may include changes to the data protection particulars, including the technical and organisational security measures detailed in Attachment A. You may object to any amendments, and if your objection is rejected, terminate the Agreement, in accordance with the process set out in the Terms of Use.


11. INCONSISTENT DATA PROTECTION LAWS


11.1 There may be circumstances in which Applicable Data Protection Law in different jurisdictions conflicts or is inconsistent or incompatible, or in which complying with a lawful request from a governmental authority in one jurisdiction may breach Applicable Data Protection Law in another jurisdiction, in connection with the processing of personal data in the operation of the Platform (inconsistent data protection laws).

11.2 If you become aware of any problem of inconsistent data protection laws, you shall cease to use the Services and notify IQAX of the problem. IQAX shall take into consideration the necessity to comply with Applicable Data Protection Law to the extent practicable and liaise with relevant supervisory authorities and/or other relevant governmental authorities to identify a practical and constructive solution. Nonetheless, to the extent that no practical solution to the problem of inconsistent data protection laws can be found, IQAX may elect to withdraw some or all Services from one or more of the jurisdictions from which the inconsistent data protection laws arise.


12. IQAX DATA PROTECTION CONTACT


12.1 IQAX can be contacted in respect of any privacy and data protection matters at customerservices@iqax.com.


13. DEFINITIONS


13.1 In this DPA, the following definitions shall apply:
“Applicable Data Protection Law” means all Applicable Law from time to time relating to the processing of personal data and privacy including (to the extent applicable):
(A) the GDPR;
(B) the UK GDPR;
(C) the UK Data Protection Act 2018; and
(D) the e-Privacy Directive and any implementing legislation;
“Data Breach” means any accidental, unlawful or unauthorised destruction, loss, alteration, disclosure of, or access to, the Posted Personal Data or any unauthorised or unlawful transmission, storage or other processing of the Posted Personal Data;
“GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council;
“Posted Personal Data” has the meaning given to it in 1.1;
“Privacy Policy” means IQAX’s privacy policy as updated from time to time, which can be found here: https://www.iqax.com/pss.htm;
“Special Category Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data or biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (or other sensitive personal data as may be specified by Applicable Data Protection Law);
“Sub-Processor” has the meaning given to it in 6.1; and
“UK GDPR” means the GDPR as it forms part of retained EU law (as defined in the European Union (Withdrawal) Act 2018).

13.2 Except as otherwise defined above, definitions set out in the Terms of Use apply to this DPA.

13.3 Terms and expressions used in this DPA that are not otherwise defined shall have the meanings assigned to them in Applicable Data Protection Law at the relevant time (including “controller”, “processor”, “data subject”, “personal data” and “process” (and its variants)).





ATTACHMENT A

DATA PROCESSING PARTICULARS

1. DETAILS OF POSTED PERSONAL DATA


1.1 The Posted Personal Data that will be processed in connection with the Agreement may include:
(A) name, title, role/job title and department, address, contact details (including mailing address, email address, phone number, fax number);
(B) digital identifiers such as usernames, hashed passwords, device or application IDs and IP addresses;
(C) digital usage information such as logs of access times and services and files accessed, created, modified or deleted.
1.2 It is not envisaged that any Special Category Personal Data will be processed in connection with the Agreement.
1.3 The categories of data subjects to which the Posted Personal Data relates are:
(A) users of the Services (including Your Users);
(B) personnel you identify as your directors, employees, representatives, contractors, affiliates and agents in relation to the Services;
(C) contacts at organisations in the shipping supply chain; and
(D) senders or recipients of shipments or consignments.
1.4 Additional details of the personal data that may be processed in connection with the Agreement are set out in the Privacy Policy.
1.5 IQAX cannot control all of the personal data that you Post to the IQAX Platform or otherwise provide to IQAX. You agree not to Post personal data to IQAX or the IQAX Platform other than personal data of the type described above except with the prior written agreement of IQAX.


2. DETAILS OF PROCESSING


2.1 IQAX will process Posted Personal Data in connection with the Agreement for the purposes of:
(A) providing the Services to you and Your Users in accordance with the Agreement;
(B) setting up and managing/administering your account(s) and your agreement(s) with IQAX (including IQAX performing any of its obligations or exercising any of its rights under the Agreement); and
(C) IQAX’s legitimate business operations incidental to the provision of the Services under the Agreement (including monitoring, testing, modifying, improving the systems used, and services offered, by IQAX).
2.2 The processing operations that will be undertaken by IQAX and its Sub-Processors include (each to the extent permitted by the Agreement):
(A) collecting the Posted Personal Data from you and Your Users including logging of digital identifiers and digital usage information;
(B) organising, structuring and storing the Posted Personal Data;
(C) protecting the Posted Personal Data by encryption/decryption, restricting access to it; maintaining backups of it and performing security and business continuity/recovery testing in relation to it;
(D) using the Posted Personal Data including checking, analysing, aggregating, combining and adapting it;
(E) hosting the Posted Personal Data and making it available to users of the IQAX Platform including you and Your Users;
(F) transferring and communicating (including importing/exporting) the Posted Personal Data between you (and the relevant controller(s)), IQAX and IQAX’s Sub-Processors and otherwise as required by the Agreement (for example, to assist with an audit or with your compliance with data subjects’ requests); and
(G) returning the Posted Personal Data to you or deleting/erasing/disabling access to it.
2.3 The duration of the processing of the Posted Personal Data corresponds to the duration of the relevant Service(s) and for a limited period thereafter, unless otherwise stated in the Agreement.
2.4 Posted Personal Data may be stored, hosted and processed in a number of jurisdictions by IQAX and its Sub-Processors in connection with the provision of the Services. These jurisdictions include Singapore, Hong Kong, the People’s Republic of China and the United States of America.
2.5 Additional details of the processing of Posted Personal Data are set out in the Privacy Policy.


3. SUB-PROCESSORS


3.1 The Sub-Processors that IQAX currently uses in connection with its provision of the Services are listed here: https://content.iqax.com/data-protection-addendum/sub-processor/data-processing-addendum.pdf


4. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES


4.1 Except as detailed for specific Sub-Processors in 4.2 below, the following measures apply to all processing of Posted Personal Data in connection with the Agreement:
Network security and encryption: IQAX implements network security controls such as firewalls, content filtering, network segmentation, cloud security posture management, regular vulnerability scanning and API management. IQAX looks to maintain and protect the confidentiality, integrity and availability of Posted Personal Data using measures such as encryption, role-based access control, redundant copies and backups. Data transmission to and from the IQAX Platform is encrypted using protocols such as TLS 1.2. IQAX enables disk encryption for each system component or service that stores data. If a Service includes management of cryptographic keys, IQAX maintains procedures for secure key generation, issuance, distribution, storage, rotation, revocation, recovery, backup, destruction, access and use. Physical media intended for off-site storage, if any, such as media containing backup files, will be encrypted prior to transport.
Access control/security policies: IQAX implements measures designed to logically separate the Services and prevent them from being exposed to, or accessed by, unauthorised persons. IQAX classifies Posted Personal Data and manages it according to IQAX’s access control and handling procedure. If IQAX requires access to data to provide the Services, and if such access is managed by IQAX, IQAX will restrict access to the minimum level required. Such access, including administrative access to any underlying components (privileged access), will be individual, role-based, and subject to approval and regular validation by authorised IQAX personnel following principles of segregation of duties. IQAX implements measures to identify and remove redundant and dormant accounts with privileged access and will promptly revoke such access upon the account owner’s separation or upon the request of authorised IQAX personnel, such as the account owner’s manager. IQAX maintains, for a reasonable period of time, audit logs of system usage and activity. IQAX maintains and follows its standard employment verification requirements for all new hires (including hires by wholly-owned IQAX subsidiaries). In accordance with IQAX internal processes and procedures, these requirements will be periodically reviewed and include checks of educational and professional qualifications, previous employment and character references, proof of identity validation (HKID, passport number, etc.), and additional checks as deemed necessary by IQAX. IQAX is responsible for implementing these requirements in its hiring process as applicable and permitted under local law. IQAX maintains and follows IT security policies and practices to control IQAX employees’ access to IT systems. Access requests are assessed based on role and granted on a need-to-know basis.
Physical security measures: IQAX uses cloud providers that adhere to ISO 27001-compliant physical and environmental security controls to define a physical security perimeter and implement physical security controls securing offices, rooms and facilities against external and environmental threats, and to ensure these areas are secure. Aside from customer connections and certain services/web sites which are intended to be accessed via the Internet, connections to IQAX Cloud Services networks are restricted. To the extent supported by native device and operating system functionality, IQAX will maintain computer protections including endpoint firewalls, full disk encryption, signature-based malware detection and removal, time-based screen locks, and endpoint management solutions that enforce security configuration and patching requirements. IQAX may use wireless networking technology, including to provide maintenance and support for the Services and associated Components. Such wireless network communications will be encrypted, will require secure authentication and will not provide direct access to IQAX cloud services networks.
Application security testing: IQAX uses industry standard systems for application code vulnerability assessment and testing.
API security: IQAX uses industry standard systems to manage, control and protect its APIs from cybersecurity threats. IQAX will maintain a documented security architecture for the Services as a whole. IQAX will separately review such security architecture, including measures designed to prevent unauthorised network connections to systems, applications and network devices, for compliance with its network segmentation, isolation and defence-in-depth standards prior to implementation.
Threat detection and response: IQAX uses industry standard systems for security vulnerability scanning and for malicious activity monitoring, detection, blocking and forensics on its servers. IQAX maintains an appropriate level of DDoS protection for its online systems. IQAX maintains an inventory of the information technology systems used by it in the provision of the Services. IQAX continuously monitors and manages the health, including capacity and availability, of the Services and underlying components. IQAX uses multiple third party public cloud services, and each cloud vendor provides monitoring of privileged access and maintains security information and event management to: (1) identify unauthorised access; and (2) record access attempts (including where the wrong password is used). IQAX monitors abnormal usage such as unauthorised access and aims to facilitate a timely and appropriate response to this kind of activity. Logs in which privileged access and activity are recorded are retained in compliance with IQAX policies and procedures. IQAX implements measures designed to protect against unauthorised access, modification, and accidental or deliberate destruction of such logs.
Patches and updates: IQAX takes steps to ensure that systems it uses to process Posted Personal Data are kept up to date with the latest patches for known security vulnerabilities. IQAX maintains policies and procedures designed to manage risks associated with the application of changes to the Services. Prior to implementation, changes to a Service, including its systems, networks and underlying components, will be documented internally, including recording a description of and reason for the change, implementation details and schedule, a risk statement addressing impact to the Services and IQAX’s clients, expected outcome, rollback plan, and documented approval by authorised personnel.
Business continuity management: IQAX maintains regular backups to ensure that the most important data on its systems can be recovered and systems can be restored in the event of a disaster, malware or ransomware attack, or cyber security incident.
ISO 27001 compliance: IQAX maintains up-to-date certification of compliance with the ISO 27001 information security standard, with initial certification due to take place by the end of 2021.

4.2 Posted Personal Data processed by the Sub-Processors listed in Section 3.1 above is subject to the technical and organisational security measures described here: https://content.iqax.com/data-protection-addendum/sub-processor/data-processing-addendum.pdf




ATTACHMENT B

STANDARD CONTRACTUAL CLAUSES (CONTROLLER TO PROCESSOR)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, you, as identified, and with the contact details specified, on your Order Form (the data exporter) and IQAX Limited, a company incorporated under the laws of Hong Kong with registration number 2941508 and its registered address at 31/F Harbour Centre, 25 Harbour Road, Wanchai, Hong Kong, and which can be contacted using the contact details specified on your Order Form or as otherwise set out in IQAX’s Privacy Policy (the data importer), each a ‘party’, together ‘the parties’, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.


Clause 1 Definitions


For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.


Clause 2 Details of the transfer


The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.


Clause 3 Third-party beneficiary clause


1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.


Clause 4 Obligations of the data exporter


The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).


Clause 5 Obligations of the data importer


The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.


Clause 6 Liability


1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.


Clause 7 Mediation and jurisdiction


1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.


Clause 8 Cooperation with supervisory authorities


1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).


Clause 9 Governing Law


The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely the Member State specified on the Order Form or, where none is specified, the Member State indicated by the address of the data exporter on the Order Form.


Clause 10 Variation of the contract


The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.


Clause 11 Sub-processing


1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely the Member State specified on the Order Form or, where none is specified, the Member State indicated by the address of the data exporter on the Order Form.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.


Clause 12 Obligation after the termination of personal data processing services


1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.




Appendix 1 to the Standard Contractual Clauses


This Appendix forms part of the Clauses.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer): a user of the Services provided under the Agreement.
Data importer
The data importer is (please specify briefly activities relevant to the transfer): a provider of Services of the kind provided under the Agreement.
Data subjects
The personal data transferred concern the following categories of data subjects: details of the data subjects are set out in part 1 (Details of Posted Personal Data) of Attachment A (Data Processing Particulars) to this DPA.
Categories of data
The personal data transferred concern the following categories of data: details of the categories of personal data are set out in part 1 (Details of Posted Personal Data) of Attachment A (Data Processing Particulars) to this DPA.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data: it is not envisaged that special categories of data will be exported under the Agreement.
Processing operations
The personal data transferred will be subject to the following basic processing activities: details of the processing of the personal data are set out in part 2 (Details of Processing) of Attachment A (Data Processing Particulars) to this DPA.
The data importer may engage sub-processors to process the personal data as detailed in the DPA and in part 3 (Sub-processors) of Attachment A (Data Processing Particulars) to this DPA.




Appendix 2 to the Standard Contractual Clauses


This Appendix forms part of the Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or documents/legislation attached):
Please refer to the description of the technical and organisational security measures set out in part 4 (Technical and Organisational Security Measures) of Attachment A (Data Processing Particulars) to this DPA.