Global Data Processing Addendum

The parties to the Palmfairs LLC Master Subscription Agreement (“Agreement”) have mutually agreed to this Data Processing Addendum (“Addendum” or “DPA”) to augment the terms of that agreement.

This Addendum is entered into between ____________________________________ (“Customer” or “Client”) and Palmfairs LLC (“Company”).

Any terms that are not defined in this Addendum will have the meaning that is provided in the Agreement or, in the absence of such definition, in the relevant Data Protection Law. This Addendum incorporates the terms of the Agreement.

Considering that,

(A) The Client is either the Data Controller itself or a processor acting on behalf of another Data Controller.

(B) The Customer is interested in contracting with the Company (Data Processor) to provide specific services that involve the processing of personal data.

(C) The current legal framework in relation to data processing and any applicable security and privacy laws and regulations require the Parties to implement a data processing agreement that complies with these requirements. This includes, but is not limited to, the CCPA and the EU General Data Protection Regulation 2016/679 (“GDPR”).

(D) The Parties would like to establish their respective rights and responsibilities.

The components of this DPA are as follows: (a) the main body of the document; and (b) the Standard Contractual Clauses, Module 2 (Controller to Processor) and Module 3 (Processor to Processor), together with Annexes I, II, and III.

1) Definitions

1.1 “Customer Account Data” refers to personally identifiable information linked to the Customer’s interaction with the Company, such as the names and contact details of people the Customer has granted access to their account, as well as the billing information of those people. In order to manage its relationship with Customer, verify the Customer’s identity, or comply with relevant laws and regulations, the Company may need to gather additional data that is considered Customer Account Data.

1.2 “Customer Usage Data” refers to information about how customers use the Services that the company gathers and processes as part of providing those services. This includes details like the IP address and country of origin of a communication, as well as activity logs and other data used for service optimisation, maintenance, and abuse investigation and prevention.

1.3 “Consumer” refers, in the context of the CCPA, to a natural person residing in California as defined in Section 17014 of Title 18 of the California Code of Regulations.

1.4 A “data centre” is an establishment that houses a complex network, compute, and storage infrastructure that enables shared access to applications and data.

1.5 “Data Exporter” denotes the Client.

1.6 “Data Importer” denotes the Company.

1.7 “Data Protection Laws” refer to all relevant laws and regulations that govern the use or processing of personal data. This includes, but is not limited to: (i) the California Consumer Privacy Act (“CCPA”), (ii) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR” or “GDPR”), (iii) the Swiss Federal Act on Data Protection, (iv) the EU GDPR as incorporated into the law of England and Wales by section 3 of the European Union (Withdrawal) Act 2018 (“the UK GDPR”); (v) the UK Data Protection Act 2018; and (vi) the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended or replaced from time to time. The definitions provided in the General Data Protection Regulation (GDPR) will apply to the following terms: “Data Subject,” “Personal Data,” “Personal Data Breach,” “processing,” “processor,” “controller,” and “supervisory authority.”

1.8 “Data Subject” is an individual whose personal information is handled by a data controller or processor.

1.9 A “Personal Data Breach” occurs when there is an unauthorised change, deletion, loss, alteration, disclosure, or access to personal information that has been transmitted, stored, or processed in any way.

1.10 “Processing” refers to any action or series of actions taken on personal data, whether manually or automatically, including but not limited to: collecting, recording, organising, structuring, storing, retrieval, consultation, use, disclosure through transmission, dissemination, or other availability, alignment or combination, restriction, erasure, or destruction.

1.11 “Personal Data” refers to any information that pertains to a specific individual, whether that individual is specifically identified or not. An identifiable individual can be found using various means of identification, such as a name, a number, location data, an online identifier, or any combination of characteristics that are specific to their physical, physiological, genetic, mental, economic, cultural, or social characteristics.

1.12 “Restricted Transfer” refers to (i) a request for the transfer of controller personal data from the controller to a processor, or (ii) a request for the transfer of controller personal data from a processor to another processor, or between two processor locations, in each instance where the transfer would be forbidden by data protection laws or data transfer agreements.

1.13 “Standard Contractual Clauses” refer to the set of terms and conditions that businesses and organisations must follow when transferring personal information to countries that the European Commission has determined do not provide a sufficient level of protection for such data (as amended and updated from time to time).

1.14 “Subprocessor” refers to a third party that is subsequently authorised under Clause 9 of the SCCs included in this Addendum or is either (1) listed in Annexe III or (2) has a legitimate need to know or access Customer’s Personal Data in order for Company to fulfil its obligations under the Agreement or this Addendum.

1.15 “Services” shall have the meaning assigned to it in the Agreement.

2) Processing of Personal Data

2.1 Both parties consent that Palmfairs is the Data Processor and that Client is either the Data Controller or a processor to the Data Controller with respect to the Processing of Client Personal Data.

2.2 Unless it is prohibited by law, Palmfairs will notify the Client of any legal requirement to process their personal data before any subprocessors process it. Subprocessors will only process client data based on documented instructions from the client or as required by applicable laws to which Palmfairs or subprocessors are subject.

2.3 The client gives Palmfairs instructions to process their personal data, transfer it to any country or territory as long as it complies with Section 10 (Cross-border Transfers) below, and engage any subprocessors as long as it complies with Section 9 (Subprocessing) below. The client also gives Palmfairs the necessary authority to instruct each subprocessor. Client Data will be stored in a Data Centre in the EU if requested and as specified in an Agreement by Palmfairs. According to what is stated in the relevant Agreement or what is otherwise communicated to Client, there may be technical limitations that apply to the use of a Data Centre in the European Union.

2.4 In compliance with the CCPA, Palmfairs will process Client Personal Data as needed to deliver the Services outlined in the Agreement and exclusively for the purposes specified by Client in a way that is compatible with this Addendum. To clarify, Palmfairs is not allowed to keep, use, or disclose Client Personal Data for any reason other than to carry out the Services. This includes any reason unrelated to the direct business relationship between Client and Palmfairs, as well as any other commercial purpose. For financial or other valuable consideration, Palmfairs will not share, sell, rent, release, disclose, disseminate, transfer, or otherwise communicate any of our clients’ personal information to any outside parties. Palmfairs affirms that it is familiar with and will adhere to the limitations outlined in this Section 2.4. In order to run and improve Palmfairs services and operations, as well as for research, analytics, and related purposes, Client agrees that Palmfairs may aggregate or de-identify Client Personal Data and other data associated with the Services to make it Anonymous Data. The Agreement and this Addendum will no longer apply to Anonymous Data that Palmfairs chooses to keep for its own records and information. “Anonymous Data” refers to information that has been stripped of any personally identifying information and/or combined with other datasets in such a way that it cannot be used to identify any particular client or person.

2.5 The Client acknowledges and agrees that: (a) the Client will comply with Data Protection Laws when submitting Client Personal Data and instructions for its Processing; (b) the Client will at all times have the proper authorisation to give those Processing instructions; (c) through the use of the Services, the Client shall Process Personal Data in compliance with Data Protection Laws; and (d) in relation to the Processing of Client Personal Data, the Client shall notify and obtain consent from Data Subjects as specified in this Addendum and the Agreement, or as otherwise instructed by the Client.

2.6 Annex 1 to this Addendum sets out the subject matter and duration of the Processing, the nature and purpose of the Processing, and the categories of Personal Data and Data Subjects, as required by Article 28(3) of the GDPR. Either of the parties may make reasonable amendments to Annex 1 as they reasonably consider necessary to meet the requirements of Article 28(3) of the GDPR by providing the other party with an updated or an additional Annex 1.

3) Palmfairs Personnel

If an employee, agent, or contractor of Palmfairs has access to Client Personal Data, the company will take reasonable precautions to verify their reliability and to hold them to their professional or legal confidentiality obligations.

4) Security

In order to protect Client Personal Data from the risks associated with its processing, Palmfairs will adhere to the technical and organisational measures outlined in Annexe 2 (Technical and Organisational Measures). The risks associated with Processing, such as the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to Personal Data during transmission, storage, or Processing, will be carefully considered by Palmfairs when determining the appropriate level of security.

5) Personal Data Breach

In the event that Palmfairs learns of a Personal Data Breach affecting Client’s Personal Data, it will inform Client without undue delay and provide information (where available) to help Client fulfil any reporting requirements imposed by Data Protection Laws. Palmfairs will assist with the investigation, mitigation, and remediation of each data breach by cooperating with the client and taking reasonable steps as agreed upon in good faith by the parties. Client agrees to pay Palmfairs all reasonable and proper expenses, including internal and third-party costs, including legal fees, incurred by Palmfairs in performing its obligations under this Section, to the extent that Client is responsible for a Personal Data Breach.

6) Data Subject and Consumer Rights

If any Data Subject or Consumer who is entitled to exercise a request under applicable law receives a request pertaining to Client Personal Data as it pertains to that Data Subject or Consumer, Palmfairs will notify Client promptly. To help Client meet its legal obligations in responding to requests regarding their personal data, Palmfairs will offer reasonable assistance upon request. Assisting the Client in effectively responding to such requests may involve, depending on the nature of the Processing, implementing reasonable and appropriate organisational and technical measures.

7) Data Protection Impact Assessment and Prior Consultation

Client may request and receive reasonable assistance from Palmfairs in conducting data protection impact assessments and prior consultations with any Supervisory Authority as required by applicable Data Protection Laws, depending on the type of processing and the information available to Palmfairs. Client shall pay Palmfairs the full amount of any and all expenses, whether internal or external, including legal fees, that Palmfairs reasonably and properly incurs in carrying out its duties under this Section.

8) Audit

8.1 In response to a written request from the Client, Palmfairs will provide the Client with the information needed to demonstrate that Palmfairs complies with this Addendum. Additionally, Palmfairs will cooperate with and facilitate inspections by an independent, qualified third-party auditor that the Client has appointed to review how Palmfairs or its Subprocessors have processed Client Personal Data.

8.2 In the event that an audit or inspection is to be carried out in accordance with this Section, the Client shall provide Palmfairs with adequate notice. The Client shall also take all reasonable precautions to ensure that the audit does not harm, disrupt, or damage the property, equipment, employees, or business of Palmfairs or any Subprocessor. Any audit or inspection will only take place during regular business hours and at most once per calendar year, unless otherwise mandated by relevant Supervisory Authorities or by law. The Client is fully responsible for reimbursing Palmfairs for any expenses, whether they are related to internal operations, third parties (including legal fees), or audits of Subprocessors, that Palmfairs reasonably and properly incurs in carrying out its obligations under this Section. Client shall ensure that any auditor, agent, personnel, or other individual or entity involved in the audit is bound by suitable written confidentiality obligations, and shall not disclose any information obtained under this Section to any third party without Palmfairs’ prior written consent.

9) Subprocessing

9.1 The client gives Palmfairs permission to appoint subprocessors and each subprocessor appointed under this section is also given the authority to appoint subprocessors. The Client acknowledges and agrees that Palmfairs is free to retain the services of any other Subprocessors it has contracted with up until the date of this Addendum. 

9.2 In the event that Client objects to the appointment of any Subprocessors, the parties will endeavour to resolve these objections in good faith. It is possible that the Services will be affected during this time; the Client understands and agrees that Palmfairs will not be held responsible for any such impact. Within 90 days of Client’s objection, Palmfairs may state that it cannot provide the Services without the objected-to Subprocessor; in such case, Client may terminate the Agreement without penalty and Palmfairs will refund any prepaid amounts for the portion of the Agreement that has not been used; otherwise, the Agreement will remain fully effective.

9.3 With respect to each Subprocessor, Palmfairs will: (a) exercise commercially reasonable care in the assessment, appointment and oversight of the relevant Processing activities of Subprocessors; (b) include terms in the contract between Palmfairs and each Subprocessor which offer an equivalent level of protection for Client Personal Data as those set out in this Addendum, taking into account the nature of the services performed by the Subprocessor; (c) if the arrangement involves a Restricted Transfer of Client Personal Data Palmfairs will ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between Palmfairs and the Subprocessor; and (d) remain liable to the Client for any failure by each Subprocessor to fulfil its obligations in relation to the Processing of Client Personal Data as if such failure was its own.

10) Cross-border Transfers

In order to protect Client Personal Data in the case of a Restricted Transfer, the Client and Palmfairs, in their roles as data exporter and data importer, have agreed to the Standard Contractual Clauses attached to this Addendum. In the Standard Contractual Clauses, “jurisdiction” is used instead of “Member State” or “State” for Client Personal Data subject to Data Protection Laws other than those of the EEA or the UK that apply to Restricted Transfers. The term “supervisory authority” refers to the relevant data protection regulator or other government body with the power to enforce Data Protection Laws. The terms “applicable data protection laws” and “Directive 95/46/EC” are replaced with the “applicable Data Protection Laws” as defined here.

11) Deletion or Return of Personal Data

Unless otherwise specified in a subsequent agreement, and to the fullest extent permitted by law, Palmfairs shall, within 90 days after the Agreement expires or terminates, either return or delete the Client Personal Data. Client will be considered to have chosen deletion if Palmfairs is not notified of Client’s preference to return or delete such Client Personal Data within 30 days after the Agreement’s termination or expiration. At the end of the Agreement, neither party is required to return or delete any Anonymous Data.

12) Limitation of Liability

The limitations on liability in the Agreement shall apply to the aggregate liability of Palmfairs arising out of or related to this Addendum, whether in contract, tort, or any other theory of liability. Liability between the Company and Client in the Standard Contractual Clauses will be governed by the limitations of liability between the parties, to the extent that this is allowed by Data Protection Law. However, this provision will not affect the liability to a Data Subject as outlined in the Standard Contractual Clauses.

13) Miscellaneous.

13.1 Interpretation. The Agreement’s terms and conditions will take precedence over this DPA’s, but if there is a clear inconsistency between the two regarding data protection, this DPA will take precedence.

13.2 Amendments. No change to this DPA is effective unless made in writing and signed by the authorised representatives of both parties; otherwise this DPA remains in full force and effect.

13.3 Severability. If any provision of this DPA is invalid or unenforceable, it will be replaced, to the extent permitted by applicable law, with a valid and enforceable provision that most closely follows the original intent, and the remaining provisions of the DPA will remain in effect.

13.4 Term. This DPA will be enforceable as of the Agreement’s effective date or, if completed after that date, as of the date the last party signs it. The DPA will remain in force until the Agreement is terminated.

13.5 Survival. The rights and obligations of the parties under this DPA that are expressly stated to survive its termination shall remain in full force and effect after termination.

13.6 No Third Party Beneficiaries. With the exception of what is specifically mandated by Data Protection Laws for Data Subjects in the Standard Contractual Clauses, no part of this Addendum is meant to benefit anyone who is not a party to it, and no one who is not a party to this Addendum has the right to seek enforcement of it or recovery of any remedy related to it.

In assent to this DPA, the undersigned parties have executed it.

On behalf of Palmfairs, LLC: 

CLIENT: 

Signatures:________________________ 

Name:______________________ 

Title:__________________________

Date:_________________________ 

Signatures:________________________ 

Name:______________________ 

Title:___________________________

Date:__________________________

STANDARD CONTRACTUAL CLAUSES

SECTION I
Clause 1
Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the General Data Protection Regulation (EU) 2016/679, which protects individuals’ rights with respect to their personal data and allows for its free movement, when personal data is transferred to a third country.(1)

(b) The Parties:

[Customer Name], a legal entity organised under the laws of [ ________________ ], with a business address at [ _______________________ ],

and

Palmfairs LLC, with a business address at 1510 Randolph St, Ste. 208, Carrollton, TX 75006,

being, respectively:

(i) the entity or entities (whether natural or legal), public authority, agency, or other body (hereinafter referred to as “entity” or “data exporter”) that is transferring the personal data, as listed in Annexe I.A., and

(ii) the entity or entities in a third country (hereinafter referred to as “data importer”) that receive the personal data from the data exporter, either directly or indirectly through another entity that is also a Party to these Clauses, as listed in Annexe I.A.,

have agreed to these standard contractual clauses (hereinafter “Clauses”).

(c) These Clauses apply to the transfer of personal data as specified in Annexe I.B.

(d) The Appendix containing the Annexes referred to therein forms an integral part of these Clauses.

(1) In cases where the data exporter is a processor under Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, relying on these Clauses when engaging another processor (sub-processing) that is not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices, and agencies, as well as on the free movement of such data. This regulation repeals Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent that these Clauses and the data protection obligations as outlined in the contract or other legal act between the controller and the controll … The standard contractual clauses included in Decision 2021/915 will be relied upon by the controller and processor in these cases.

Clause 2
Effect and invariability of the Clauses

(a) In accordance with Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679, these Clauses establish relevant protections, such as data subject rights and effective legal remedies, and, in relation to data transfers from controllers to processors and/or processors to processors, standard contractual clauses according to Article 28(7) of Regulation (EU) 2016/679. These provisions shall remain unchanged, with the exception of any modifications made to choose the correct Module(s) or to add or update information in the Appendix. The Parties are free to incorporate the standard contractual clauses outlined in these Clauses into a broader contract and/or to add other safeguards, as long as they don’t directly or indirectly contradict these Clauses or violate the data subjects’ fundamental rights or freedoms.

(b) The obligations that the data exporter is bound to by Regulation (EU) 2016/679 are not affected by these Clauses.

Clause 3
Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);

(iii) Clause 9 – Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);

(iv) Clause 12 – Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18 – Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4
Interpretation

(a) Terms defined in Regulation (EU) 2016/679 shall have the same meaning as in that Regulation whenever they are used in these Clauses.

(b) These clauses must be read and interpreted in accordance with Regulation (EU) 2016/679.

(c) These clauses cannot be read in a way that contradicts the duties and rights outlined in Regulation (EU) 2016/679.

Clause 5
Hierarchy

Should these clauses conflict with the terms of related agreements between the parties that were in effect at the time these clauses were agreed upon or subsequently entered into, these clauses will take precedence.

Clause 6
Description of the transfer(s)

Annexe I.B. documents the specifics of the transfer or transfers, including the types of personal data that are transferred and the purpose or purposes for which they are transferred.

Clause 7 – Optional
Docking clause

(a) An organisation that is not a party to these clauses may, at any time, accede to them as a data importer or exporter with the consent of the parties by filling out the Appendix and signing Annexe I.A.

(b) The acceding entity will become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annexe I.A. after completing the Appendix and signing Annexe I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses for the period before it became a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8
Data protection safeguards

The data exporter guarantees that it has made a good faith effort to ascertain that the data importer can fulfil its responsibilities under these Clauses by putting in place the necessary organisational and technical safeguards.

Module Two: Transfer controller to processor

8.1 Instructions

(a) Personal data must only be processed by the data importer in accordance with written instructions from the data exporter. Such instructions may be given by the data exporter at any point during the contract’s duration.

(b) The data importer must immediately inform the data exporter if it is unable to follow those instructions.

8.2   Purpose limitation

Unless instructed otherwise by the data exporter, the data importer may only process the personal data for the specific purpose or purposes of the transfer as specified in Annexe I.B.

8.3   Transparency

The data exporter will, upon request, provide the data subject with a free copy of these Clauses, including the Appendix as completed by the Parties. Before sharing a copy, the data exporter may redact portions of the Appendix to these Clauses if necessary to protect business secrets or other confidential information, including the measures outlined in Annexe II and personal data. However, in cases where the data subject would not otherwise be able to understand the content or exercise his or her rights, the data exporter must provide a meaningful summary. If the data subject requests it, the Parties will, to the greatest extent feasible, explain the rationale behind the redactions without disclosing the information that has been redacted. The data exporter’s responsibilities under Articles 13 and 14 of Regulation (EU) 2016/679 are unaffected by this clause.

8.4   Accuracy

The data importer must notify the data exporter right away if it learns that the personal information it has received is erroneous or out-of-date. In this situation, the importer of the data must work with the exporter of the data to remove or correct the data.

8.5   Duration of processing and erasure or return of data

Only during the time frame listed in Annexe I.B. may the data importer process the data. Following the completion of processing services, the data importer must either return all processed personal data to the data exporter and remove any copies that are still there, or the data exporter may request that the data importer delete all processed personal data on its behalf and certify to the data exporter that it has done so. The data importer is responsible for maintaining adherence to these clauses until the data is removed or returned. The data importer guarantees that it will continue to ensure compliance with these clauses and will only process the personal data to the extent and for the duration required by any applicable local laws that forbid the return or deletion of such data. This does not affect Clause 14, specifically the obligation under Clause 14(e) for the data importer to inform the data exporter during the term of the contract if it has reasonable suspicion that it is or has become subject to laws or practices that do not comply with the requirements under Clause 14(a).

8.6   Security of processing

(a) The importer of the data and the exporter of the data during transmission must put in place the proper organisational and technical safeguards to guarantee the data’s security, including defence against a security breach that could result in the data’s unintentional or illegal destruction, loss, alteration, unauthorised disclosure, or access (henceforth referred to as a “personal data breach”). The Parties shall consider the state of the art, implementation costs, the nature, scope, context, and purpose(s) of processing, as well as the risks associated with the processing for the data subjects, when determining the proper level of security. When the processing goal can be achieved in this way, the Parties will specifically take into consideration using encryption or pseudonymization, even during transmission. When pseudonymization occurs, the data exporter will, if at all possible, retain sole control over the extra information needed to link the personal data to a particular data subject. The data importer must at the very least put the organisational and technical measures listed in Annexe II into place in order to fulfil its responsibilities under this paragraph. To make sure that these precautions continue to offer a suitable degree of security, the data importer must perform routine checks.

(b) The data importer must only allow personnel access to personal data when it is absolutely required for the execution, administration, and oversight of the contract. It will make sure that those who are permitted to handle personal data have vowed to keep it private or are subject to a suitable legal duty to do so.

(c) Should there be a breach involving personal data that the data importer processes in accordance with these Clauses, the importer is required to take the necessary actions to resolve the breach, including steps to lessen its negative consequences. Additionally, as soon as the data importer learns of the breach, they must promptly notify the data exporter. A description of the breach’s nature (including, if feasible, the categories and approximate number of data subjects and personal data records involved), its likely repercussions, and the actions taken or planned to address the breach—including, where appropriate, steps to mitigate its potential negative effects—must all be included in this notification, along with the contact information for additional information. If and to the extent that it is not feasible to provide all of the information at once, the first notification will include the information that is currently available, and any additional information will be provided as soon as it becomes available.

(d) Considering the nature of processing and the information at the data importer’s disposal, the data importer must collaborate and support the data exporter in order to enable the data exporter to fulfil its responsibilities under Regulation (EU) 2016/679, specifically informing the relevant supervisory authority and the impacted data subjects.

8.7   Sensitive data

The data importer must implement the particular restrictions and/or additional safeguards outlined in Annexe I.B. in cases where the transfer involves personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data for the purpose of uniquely identifying a natural person, health information, a person’s sex life or sexual orientation, or information relating to criminal convictions and offences (collectively, “sensitive data”).

8.8   Onward transfers

The data importer is only allowed to share personal information with a third party upon written request from the data exporter. Furthermore, only if the third party is or agrees to be bound by these Clauses, under the relevant Module, may the data be disclosed to a third party situated outside the European Union(2) (in the same nation as the data importer or in another third country, hereinafter referred to as “onward transfer”).

(i) the onward transfer is to a country benefiting from an adequacy decision under Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise provides suitable safeguards for the processing in question in accordance with Articles 46 or 47 of Regulation (EU) 2016/679;

(iii) the onward transfer is necessary for the establishment, exercise, or defence of legal claims in the context of particular administrative, regulatory, or judicial proceedings; or

(iv) the onward transfer is necessary to safeguard the vital interests of the data subject or of another natural person.

Any subsequent transfer is contingent upon the data importer adhering to all other protections outlined in these clauses, including purpose limitation.

(2) The European Union’s internal market will be extended to Iceland, Liechtenstein, and Norway under the terms of the Agreement on the European Economic Area (EEA Agreement). The Regulation (EU) 2016/679 and other Union data protection laws are included in Annexe XI of the EEA Agreement and are covered by it. Furthermore, for the purposes of these clauses, any disclosure made by the data importer to a third party situated within the EEA is not considered an onward transfer.

8.9   Documentation and compliance

(a) The data importer must respond to the data exporter’s enquiries about the processing under these clauses in a timely and sufficient manner.

(b) Both parties must be able to prove that they have complied with these clauses. In particular, the data importer is required to maintain the proper records of the processing operations performed on behalf of the data exporter.

(c) At reasonable intervals or if there are signs of non-compliance, the data importer must provide the data exporter with all the information required to prove compliance with the duties outlined in these clauses. Additionally, the data importer must permit and assist in audits of the processing activities covered by these clauses upon the data exporter’s request. The data exporter may consider pertinent certifications held by the data importer when choosing between a review and an audit.

(d) The data exporter has the option of hiring an outside auditor or performing the audit themselves. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

MODULE THREE: Transfer processor to processor

8.1 Instructions

(a) The data exporter has notified the data importer that it processes data in accordance with directives from its controller or controllers, which the data exporter must provide to the importer before processing.

(b) Only documented instructions from the controller, as conveyed to the data importer by the data exporter, and any further documented instructions from the data exporter may be used by the data importer to process the personal data. Such additional instructions shall not conflict with the instructions from the controller. The additional documented instructions about data processing may be provided by the controller or data exporter during the term of the contract.

(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.

(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter.(5)

(5) See Article 28(4) of Regulation (EU) 2016/679 and, where the controller is an EU institution or body, Article 29(4) of Regulation (EU) 2018/1725.

8.2 Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annexe I. B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.

8.3 Transparency

On request, the data exporter shall make a copy of these clauses, including the appendix as completed by the parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the appendix prior to sharing a copy but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

8.4 Accuracy

The data importer must notify the data exporter right away if it learns that the personal information it has received is erroneous or out-of-date. In this situation, the data importer and exporter must work together to correct or remove the data.

8.5 Duration of processing and erasure or return of data

Only during the time frame listed in Annexe I.B. may the data importer process the data. After the processing services are completed, the data importer must either return all personal data processed on the controller’s behalf to the data exporter and erase any copies that are still there, or it must delete all personal data processed on the controller’s behalf and certify to the data exporter that it has done so. The data importer is responsible for maintaining adherence to these clauses whether the data is erased or returned. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6 Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context, and purpose(s) of processing, and the risks involved in the processing for the data subject. The parties shall in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annexe II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management, and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences, and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and insofar as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available, and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7 Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data or biometric data for the purpose of uniquely identifying a natural person; data concerning health or a person’s sex life or sexual orientation; or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annexe I.B.

8.8 Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union(6) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these clauses under the appropriate module, or if

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these clauses, in particular purpose limitation.

(6) The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States: Iceland, Liechtenstein, and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annexe XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purposes of these clauses.

8.9 Documentation and compliance

(a) Enquiries from the controller or data exporter regarding processing under these clauses must be promptly and appropriately handled by the data importer.

(b) The Parties shall be able to demonstrate compliance with these clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.

(c) All information needed to demonstrate compliance with the obligations specified in these clauses must be given by the data importer to the data exporter, who must then deliver it to the controller.

(d) The data importer must allow and support the data exporter in auditing the processing activities covered by these clauses if there are indications of non-compliance or at reasonable intervals. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.

(e) An independent auditor may be required, or the data exporter may decide to carry out the audit independently. Audits may involve physical facility inspections at the data importer’s location and, if applicable, must be conducted with adequate notice.

(f) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request. If the audit is carried out as directed by the controller, the data exporter is required to give the controller access to the results.

Clause 9
Use of sub-processors

MODULE TWO: Transfer Controller to processor

(a) GENERAL WRITTEN AUTHORIZATION: The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from an agreed list. The data importer must notify the data exporter in writing about any planned changes to the list of sub-processors, such as adding or replacing them, at least 30 days ahead of time, so the data exporter has enough time to raise any objections before the sub-processor(s) are engaged. The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object. 

(b) Where the data importer engages a subprocessor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. (3) The Parties agree that, by complying with this Clause, the data importer fulfills its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer must inform the data exporter of any instances where the sub-processor fails to meet its obligations under that contract.

(e) The data importer must include a clause in its contract with the sub-processor under which, if the data importer has factually disappeared, ceased to exist in law, or become insolvent, the data exporter may terminate the sub-processor contract and instruct the sub-processor to erase or return the personal data.

(3) This requirement may be satisfied by the subprocessor acceding to these clauses under the appropriate module, in accordance with Clause 7.

MODULE THREE: Transfer processor to processor

(a) GENERAL WRITTEN AUTHORISATION: The data importer has the controller’s general authorization for the engagement of sub-processor(s) from an agreed list. The data importer must inform the controller in writing about any intended changes to the list of sub-processors, including additions or replacements, at least [specify time period] in advance. This notification will provide the controller with enough time to object to these changes before the sub-processor(s) are engaged. The data importer shall provide the controller with the information necessary to enable it to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).

(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. (9) The parties agree that, by complying with this clause, the data importer fulfills its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these clauses.

(9) This requirement may be satisfied by the subprocessor acceding to these clauses under the appropriate module, in accordance with Clause 7.

(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer must inform the data exporter of any instances where the sub-processor fails to meet its obligations under the contract.

(e) The data importer shall agree to a third-party beneficiary clause with the sub-processor whereby—in the event the data importer has factually disappeared, ceased to exist in law, or has become insolvent—the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10
Data subject rights

MODULE TWO: Transfer controller to processor

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annexe II the appropriate technical and organizational measures, taking into account the nature of the processing by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

MODULE THREE: Transfer processor to processor

(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorized to do so by the controller.

(b) The data importer will help the data exporter and the controller respond to requests from data subjects about their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, if needed. In this regard, the Parties shall set out in Annexe II the appropriate technical and organizational measures, taking into account the nature of the processing by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and 

Clause 11
Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body(4) at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]

(b) In case of a dispute regarding compliance with these clauses, the party involved shall use its best efforts to resolve the issue amicably and in a timely manner with the data subject. The parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organization, or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

(4) The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on the Enforcement of Arbitration Awards.

Clause 12
Liability

(a) Each party shall be liable to the other party/parties for any damages it causes the other party/parties by any breach of these clauses.

(b) The data importer shall be liable to the data subject for any damage it or its sub-processor causes the data subject by breaching the data subject’s rights under these clauses.

(c) However, the data exporter will also be responsible to the data subject, and the data subject can receive compensation for any material or non-material damages caused by the data exporter or the data importer (or its sub-processor) breaching the third-party beneficiary rights under these clauses. This does not affect the liability of the data exporter, and if the data exporter is acting as a processor on behalf of a controller, it also does not affect the liability of that controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one party is responsible for any damage caused to the data subject as a result of a breach of these clauses, all responsible parties shall be jointly and severally liable, and the data subject is entitled to bring an action in court against any of these parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13
Supervision
(a) [Where the data exporter is established in an EU Member State:] The competent supervisory authority will be the one tasked with making sure the data exporter complies with Regulation (EU) 2016/679 regarding the data transfer, as stated in Annex I.C.

[Where the data exporter has designated a representative in line with Article 27(1) of Regulation (EU) 2016/679 and is not based in an EU Member State but is within the territorial scope of application of Regulation (EU) 2016/679 in line with its Article 3(2):] As stated in Annex I.C., the competent supervisory authority will be the supervisory authority of the Member State where the representative established under Article 27(1) of Regulation (EU) 2016/679 is located.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located, as indicated in Annex I.C, shall act as the competent supervisory authority. 

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these clauses. In particular, the data importer agrees to respond to inquiries, submit to audits, and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses

(a) The parties guarantee that they have no reason to suspect that the third country of destination’s laws and customs pertaining to the data importer’s processing of personal data, such as any disclosure requirements or measures granting public authorities access, will hinder the data importer’s ability to carry out its responsibilities under these clauses. This is predicated on the knowledge that laws and practices that uphold the core principles of fundamental freedoms and rights and do not go beyond what is required and appropriate in a democratic society to protect one of the goals specified in Regulation (EU) 2016/679’s Article 23(1) are not in conflict with these provisions.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination—including those requiring the disclosure of data to public authorities or authorising access by such authorities—relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards(5);

(iii) any relevant contractual, technical, or organizational safeguards put in place to supplement the safeguards under these clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). 

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfill its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g., technical or organizational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract insofar as it concerns the processing of personal data under these clauses. If the contract involves more than two parties, the data exporter may exercise this right to termination only with respect to the relevant party, unless the parties have agreed otherwise. Where the contract is terminated pursuant to this clause, Clause 16(d) and (e) shall apply.

(5) A thorough assessment of the impact of such laws and practices on compliance with these provisions may consider a number of factors. Included may be pertinent and documented real-world experience with previous cases of disclosure requests from public authorities, or the lack of such requests, spanning a sufficiently representative period of time. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at the senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these clauses, it needs to be supported by other relevant, objective elements, and it is for the parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.

Clause 15
Obligations of the data importer in case of access by public authorities

15.1   Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

 (b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them at the request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). 

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these clauses.

15.2   Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law, and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. 

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) Where the data importer is in breach of these Clauses or unable to comply with them, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) there is a significant or ongoing violation of these clauses by the data importer; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two parties, the data exporter may exercise this right to termination only with respect to the relevant party, unless the parties have agreed otherwise.

(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall, at the choice of the data exporter, immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17
Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the EU Member State in which the data exporter is established.

Clause 18
Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of the EU Member State in which the data exporter is established.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX

EXPLANATORY NOTE:

The information that applies to each transfer or category of transfers must be easily distinguished, and in this way, the parties’ respective roles as data importers and/or exporters must be identified. One appendix can provide this transparency, negating the need to fill out and sign distinct appendices for every transfer, transfer category, and/or contractual relationship. However, separate appendices should be used where necessary to ensure adequate clarity.

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Name and contact information of the data exporter(s) and, if relevant, of their representative or data protection officer in the EU]

Name: ___________________________________________

Address: _________________________________________

Contact person's name, position and contact details: _________________________

___________________________________________________________________

The following activities are relevant to the data transferred under these clauses:

Processing as necessary for virtual events of Customer on the Palmfairs platform and any other services in accordance with the DPA and the Service Agreement


Signature and date: ___________________________________________________

Role: Controller

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name: Palmfairs LLC

Address: 1510 Randolph St Ste 208, Carrollton, TX 75006, USA

Contact person's name, position and contact details:

Rizwan Tanveer, Data Protection Officer, privacy@Palmfairs.com 

The following activities are relevant to the data transferred under these clauses:

Processing as necessary for virtual events of Customer on the Palmfairs platform and any other services in accordance with the DPA and the Service Agreement

Signature and date: _____________________________

Role: Processor 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Personal data of virtual event participants, exhibitors, speakers and other data subjects whose personal data the Customer submits to the Services, as required for the services the Company provides to the Customer.

Categories of personal data transferred

The Company processes personal data contained in Customer Account Data, Customer Usage Data, and any personal data provided by the Customer or collected by the Company to provide the Services or as otherwise set forth in the Agreement or this Addendum. Categories of personal data may include first name, last name, email address, IP address, etc.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully consider the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers, or additional security measures.

Not Applicable

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).

During the term of the Agreement on a periodic basis and at the discretion of the Customer.

Nature of the processing

Company will process Customer’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this Addendum, and in accordance with Customer’s instructions as set forth in this Addendum.

Purpose(s) of the data transfer and further processing

Processing as necessary for virtual events of Customer on the Company platform and any other services in accordance with the DPA and the Service Agreement 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Company will process Customer’s Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Company’s legitimate business needs; or (iii) by applicable law or regulation. Customer account data and customer usage data will be processed and stored as set forth in the company’s privacy policy.

For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing

Refer to Annex III.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13.

The supervisory authority shall be the supervisory authority of the Data Exporter, as determined in accordance with Clause 13.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

EXPLANATORY NOTE:

The technical and organizational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.

Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing and the risks for the rights and freedoms of natural persons.

Technical and Organizational Security Measures and Details

Measures of pseudonymization and encryption of personal data

The Company has deployed methods and protocols for secure transmission of confidential or sensitive information over public networks. Databases housing personal customer data are encrypted at rest. The Company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit, and customer data is encrypted with strong ciphers and configurations when at rest.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

The Company's customer agreements contain strict confidentiality obligations. Additionally, the Company requires every downstream sub-processor to sign confidentiality provisions that are substantially similar to those contained in the Company's customer agreements.

The Company has undergone a SOC 2 Type II audit that includes the Security and Processing Integrity Trust Services Criteria.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Daily and weekly backups of production datastores are taken.

Backups are periodically tested in accordance with information security and data management policies.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

The Company has undergone a SOC 2 Type II audit that includes the Security and Processing Integrity Trust Services Criteria.

Measures for user identification and authorization

The Company uses secure access protocols and processes and follows industry-standard practices for authentication, including multi-factor authentication and single sign-on (SSO). All production access requires two-factor authentication, and network infrastructure is configured according to vendor and industry practices to block all unnecessary ports, services and unauthorized network traffic.

Measures for the protection of data during transmission

The Company has deployed methods and protocols for secure transmission of confidential or sensitive information over public networks. The Company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit (i.e., TLS 1.2).

Measures for the protection of data during storage

Encryption at rest is automated using AWS's transparent disk encryption, which uses industry-standard AES-256 encryption to secure all volume (disk) data.

Measures for ensuring physical security of locations at which personal data are processed

The Company uses AWS to host its infrastructure. AWS manages the physical security of its data centers with state-of-the-art controls: https://aws.amazon.com/compliance/data-center/controls/

Measures for ensuring events logging

The Company monitors access to applications, tools and resources that process or store customer data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.

Measures for ensuring system configuration, including default configuration

The Company adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications and systems. All production changes are automated through CI/CD tools to ensure consistent configurations.

Measures for internal IT and IT security governance and management

The Company maintains a risk-based information security governance program. The framework for the Company's security program includes administrative, organizational, technical and physical safeguards reasonably designed to protect the Services and the confidentiality, integrity and availability of customer data.

Measures for certification/assurance of processes and products

The Company undergoes an annual SOC 2 Type II audit.

Measures for ensuring data minimisation

The Company's customers unilaterally determine what customer PII they route through the Services. As such, the Company operates on a shared responsibility model. The Company gives customers control over exactly what PII enters the platform. Additionally, the Company has built self-service functionality into the Services that allows Customers to delete and suppress PII at their discretion.

Measures for ensuring data quality

The Company has a multi-tiered approach for ensuring data quality. These measures include: (i) unit testing to ensure the quality of the logic used to process API calls, (ii) database schema validation rules which execute against data before it is saved to the database, and (iii) a schema-first API design using GraphQL and strong typing to enforce a strict contract between official clients and API resolvers. The Company applies these measures across the board, both to ensure the quality of any Usage Data that the Company collects and to ensure that the Company Platform is operating within expected parameters.

The Company ensures that data quality is maintained from the time a Customer sends Customer Data into the Services until that Customer Data is presented or exported.

Measures for ensuring limited data retention

Company Customers determine what Customer Data they route through the Services. As such, the Company operates on a shared responsibility model. If a Customer is unable to delete Customer PII via the self-service functionality of the Services, the Company deletes Customer Data upon the Customer's written request, within the timeframe specified in this Addendum and in accordance with Applicable Data Protection Law. All Customer Data is deleted from the Services following service termination.

Measures for ensuring accountability

The Company has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Security Incidents involving Personal Data, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, the Company conducts regular third-party audits to ensure compliance with its privacy and security standards.

Measures for allowing data portability and ensuring erasure

All PII in the Services may be deleted by the Customer or at the Customer's request.

PII is incidental to the Company's Services. Based on Privacy by Design and Data Minimization principles, the Company severely limits the instances of PII collection and processing within the Services. Most use cases for porting PII from the Company are not applicable. However, the Company will respond to all requests for data porting in order to address Customer needs.

Technical and organizational measures of sub-processors

The Company enters into Data Processing Agreements with its Authorized Sub-Processors with data protection obligations substantially similar to those contained in this Addendum.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

The Company enters into Data Processing Agreements with its Authorized Sub-Processors with data protection obligations substantially similar to those contained in this Addendum.

ANNEX III

LIST OF SUB-PROCESSORS

The controller has given permission for the following subprocessors to be used:

  • Name: Amazon AWS, USA

Description of processing: Infrastructure Host

  • Name: Zoom, USA

Description of processing: Live Webinar Host

  • Name: Pubnub, USA

Description of processing: Integrated Chat Platform

  • Name: Vimeo, USA

Description of processing: Video Hosting

  • Name: Whereby, Norway

Description of processing: Video Conferencing
