EU Data Protection Addendum
Last Modified: July 2024
1. Data Protection
1.1. Definitions: In this Clause, the following terms shall have the following meanings:
(a) “controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given in EU/UK Data Protection Law;
(b) “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations, to the extent applicable to the parties and the nature of the personal data processed under the Agreement, including, where applicable, (i) EU/UK Data Protection Law; and (ii) the California Consumer Privacy Act (the “CCPA”).
(c) “EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
(d) “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and
(e) “Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).
1.2. Relationship of the parties: Controller instructs Processor to process the personal data that is the subject of the Agreement (the “Data”) on its behalf. In respect of such processing, Controller shall be the controller and Processor shall be a processor. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
1.3. Prohibited data: Controller shall not disclose (and shall not permit any data subject to disclose) any special categories of Data to Processor for processing except where and to the extent expressly disclosed in Annex I.
1.4. Purpose limitation: Processor shall process the Data for the purposes described in Annex I and strictly in accordance with the documented instructions of Controller (the “Permitted Purpose”), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. In no event shall Processor process the Data for its own purposes or those of any third party. Processor shall immediately inform Controller if it becomes aware that such processing instructions infringe Applicable Data Protection Law (but without obligation to actively monitor Controller’s compliance with Applicable Data Protection Law).
1.5. Restricted transfers: The parties agree that when the transfer of Data from Controller to Processor is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
(a) in relation to Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(i) Module Two will apply;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 1.9 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA;
(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA; and
(ix) Annex III of the EU SCCs shall be deemed completed with the information set out in Annex III to this DPA;
(b) in relation to Data that is protected by the UK GDPR, the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, will be completed as follows:
(A) The EU SCCs, completed as set out above in clause 1.5(a) of this DPA shall also apply to transfers of such Data, subject to sub-clause (B) below;
(B) The UK Addendum shall be deemed executed between the transferring Controller and the Processor, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Controller Data.
(c) in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
1.6. Onward transfers: Processor shall not participate in (nor permit any subprocessor to participate in) any other Restricted Transfers of Data (whether as an exporter or an importer of the Data) unless:
(i) it has first obtained Controller’s prior written consent; and
(ii) the Restricted Transfer is made in full compliance with Applicable Data Protection Law.
Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the Data.
1.7. Confidentiality of processing: Processor shall ensure that any person that it authorises to process the Data (including Processor’s staff, agents and subprocessors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Processor shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.
1.8. Security: The processor shall implement appropriate technical and organisational measures to protect the Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. At a minimum, such measures shall include the measures identified in Annex II.
1.9. Subprocessing: Processor shall not subcontract any processing of the Data to a third party subprocessor without the prior written consent of Controller. Notwithstanding this, Controller consents to Processor engaging third party subprocessors to process the Data provided that:
(i) Processor provides at least 30 days’ prior notice of the addition of any subprocessor (including details of the processing it performs or will perform);
(ii) Processor imposes data protection terms on any subprocessor it appoints that protect the Data, in substance, to the same standard provided for by this DPA; and
(iii) Processor remains fully liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor. A list of approved subprocessors as at the date of this DPA is attached at Annex III, and Processor shall maintain and provide updated copies of this list to Controller upon request. If Controller refuses to consent to Processor’s appointment of a third party subprocessor on reasonable grounds relating to the protection of the Data, then either Processor will not appoint the subprocessor or Controller may elect to suspend or terminate the Agreement without penalty. All subprocessors shall be service providers for purposes of the CCPA.
1.10. Cooperation and data subjects’ rights: Processor shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to Controller to enable Controller to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Processor, Processor shall promptly inform Controller providing full details of the same.
1.11. Data Protection Impact Assessment: If Processor believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Controller and Processor shall provide Controller with all such reasonable and timely assistance as Controller may require in order to enable it to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist Controller to consult with its relevant data protection authority.
1.12. Security incidents: Upon becoming aware of a Security Incident, Processor shall inform Controller without undue delay (and within 48 hours in any event) and shall provide all such timely information and cooperation as Controller may require in order for Controller to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Processor shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Controller informed of all developments in connection with the Security Incident.
1.13. Deletion or return of Data: Upon termination or expiry of the Agreement, Processor shall (at Controller’s election) destroy or return to Controller all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Processor is required by any applicable law to retain some or all of the Data, in which event Processor shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.
1.14. Audit: Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA. In fulfilment of this requirement:
(a) Controller acknowledges that Processor is regularly audited against SSAE 18 SOC 2 standards by independent third party auditors. Upon request, Processor shall supply a summary copy of its audit report(s) to Controller, which reports shall be subject to the confidentiality provisions of the Agreement.
(b) Processor shall also respond to any written audit questions submitted to it by Controller, provided that Controller shall not exercise this right more than once per year. By signing below, each party acknowledges that it has read and understood the terms of this DPA and agrees to be bound by them, effective as of the date that both parties sign below.
Annex I
Personal information
This Annex I forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.
A. LIST OF PARTIES
Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. Name: | |
Address: | |
Contact person’s name, position and contact details: | |
Activities relevant to the data transferred under these Clauses: | The Controller is a customer of Processor’s that will provide Personal Data to Processor in order to allow Processor to provide services to Controller pursuant to a services agreement entered by and between the parties. |
Signature and date: | |
Role (controller / processor): | Controller |
Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]
1. Name: | |
Address: | |
Contact person’s name, position and contact details: | |
Activities relevant to the data transferred under these Clauses: | The processing activities that are necessary in order to provide ____________ software and services to the controller, which shall include hosting, storage, providing customer service, ______________________. |
Signature and date: | |
Role (controller / processor): | Processor |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: | The Data Exporter’s ____________________, and any other individuals whose personal data are uploaded or transmitted via the Data Importer’s software application. |
Categories of personal data transferred: | Personal information such as the name, email, mailing address, ______________________ of data subjects mentioned above and other data in an electronic form provided to Data Importer when using the services covered in the agreement between Data Exporter and Data Importer. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | None |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | Personal data will be transferred continuously throughout the duration of the underlying agreement to purchase the Processor’s software and services. |
Nature of the processing: | The personal data transferred will be subject to the processing activities that are necessary to provide the Processor’s software and services to the Controller, including hosting, storage, __________________, and applying analytics. |
Purpose(s) of the data transfer and further processing: | To provide the Processor’s software and services to the Controller pursuant to a separate agreement between the parties governing the provision of the software and services. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | For the duration of the underlying agreement to purchase the Processor’s software and services, unless the personal data is deleted prior to the termination or expiration of that contract by the Controller or by the Processor at the Controller’s instruction. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | Personal data is transferred to the Processor’s sub-processors for the purpose of providing the Processor’s software and services to the Controller for the duration of the underlying purchase agreement, unless the personal data is deleted prior to the termination or expiration of that contract by the Controller or by the Processor at the Controller’s instruction. |
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 SCCs) | Where the EU GDPR applies, the competent supervisory authority shall be the Irish Data Protection Commissioner. Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner’s Office. |
Annex II
Technical and Organisational Security Measures
Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measure | Description |
---|---|
Measures of pseudonymisation and encryption of personal data | Industry standard encryption technologies for Personal Data that is: (i) transmitted over public networks (i.e., the Internet) or when transmitted wirelessly; or (ii) at rest. |
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | Organisational management and dedicated staff responsible for the development, implementation and maintenance of Data Importer’s information security program. Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Personal Data, as described above. Network security controls that provide for the use of stateful firewalls and layered DMZ architectures and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack. Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code. A highly available redundant infrastructure and offsite backups are utilised. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disasters. |
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident | Incident / problem management procedures designed to allow Data Importer to investigate, respond to, mitigate and notify of events related to Data Importer’s technology and information assets. |
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing | Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Data Importer’s organisation, monitoring and maintaining compliance with Data Importer’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management. |
Measures for user identification and authorisation | Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur). Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Processor’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on Data Importer’s computer systems, (iii) must have defined complexity, and (iv) must have a history threshold to prevent reuse of recent passwords. Multi-factor authentication, where available, must always be used. All remote access requires MFA. |
Measures for the protection of data during transmission | Industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e., the Internet) or when transmitted wirelessly. |
Measures for the protection of data during storage | Industry standard encryption technologies for Personal Data that is at rest. |
Measures for ensuring physical security of locations at which personal data are processed | Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorised physical access, (ii) manage, monitor and log movement of persons into and out of Data Importer facilities, and (iii) guard against environmental hazards such as heat, fire and water damage (iv) provide adequate level of redundancy to protect against data loss. |
Measures for ensuring events logging | System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review. |
Measures for ensuring system configuration, including default configuration | Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including creating secure system baselines and following formal change management procedures. Including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Data Importer’s possession. |
Measures for internal IT and IT security governance and management | Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Data Importer’s technology and information assets. Vulnerability and patch management programs ensuring vulnerabilities and misconfigurations are identified on a regular basis and patched promptly. |
Measures for certification/assurance of processes and products | Organisational management and dedicated staff responsible for the development, implementation and maintenance of Data Importer’s information security program. This includes annual third party audits of the security program and its policies, procedures, and controls. |
Measures for ensuring data minimisation | Not applicable to Data Importer. Data Importer is processing the Personal Data on behalf of the Data Exporter for the sole purpose of providing services to the Data Importer for the duration of the services agreement entered into between the Data Importer and the Data Exporter. The Data Exporter has complete control over the collection, modification, and deletion of Personal Data (subject to the data retention section, below). |
Measures for ensuring data quality | Not applicable to Data Importer. Data Importer is processing the Personal Data on behalf of the Data Exporter for the sole purpose of providing services to the Data Importer for the duration of the services agreement entered into between the Data Importer and the Data Exporter. The Data Importer does not have the ability to monitor the quality of the Personal Data. |
Measures for ensuring limited data retention | The Data Exporter is permitted to set its own retention rules per a dedicated feature within the application and can self-service delete the personal data it has collected at any point during the term of the underlying Agreement. All Personal Data in the Data Exporter’s account is automatically deleted ninety (90) days following expiration or termination of the services agreement entered into between the Data Exporter and Data Importer, or earlier upon request, subject to the Data Importer’s standard 30 day backup schedule. |
Measures for ensuring accountability | The Data Importer takes responsibility for complying with the EU GDPR and the UK GDPR, at the highest management level and throughout our organisation. The Data Importer keeps evidence of the steps taken to comply with the EU GDPR and the UK GDPR. The Data Importer puts in place appropriate technical and organisational measures, such as: (i) adopting and implementing data protection policies (where proportionate), (ii) putting written contract in place with organisations that process personal data on our behalf, (iii) maintaining documentation of our processing activities, (iv) implementing appropriate security measures, (v) recording and, where necessary, reporting personal data breaches, and (vi) carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests. We review and update our accountability measures at appropriate intervals. |
Measures for allowing data portability and ensuring erasure | Most of the data within the system can be exported by the Data Exporter in an industry standard format. The Data Importer has procedures in place to export additional data at the Data Exporter’s request. Policies and procedures in place to ensure secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Data Importer’s possession. |
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller (and, for transfers from a processor to a sub-processor, to the data exporter).
Measure | Description |
---|---|
Processor Self-Service Features | At all times during the term of the underlying services Agreement, the Controller will have access to its own Processor Account and the ability to delete or modify any personal data stored therein. Any deletions or modifications by Controller will automatically be reflected in Processor’s databases as well. |
Annex III
Approved Sub-processors
To support the delivery of Services, Allbound may engage third-party services providers, referred to as Sub-processors. A list of our sub-processors and the purpose and location for each sub-processor is available at https://www.allbound.com/sub-processors/