EU Data Processing Addendum
- “EU Data Protection Laws” means (i) the national laws from EU Member States implementing the Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the Processing of EU Personal Data and on the free movement of such data (the “Directive”), (ii) from May 25, 2018, the General Data Protection Regulation (EU 2016/679) and the national laws from EU Member States and the United Kingdom supplementing or replacing the General Data Protection Regulation (EU 2016/679) (together the “GDPR”) and (iii) any applicable data protection legislation that amends, re-enacts, replace or supplements the GDPR and which arises from the withdrawal of the United Kingdom from the European Union.
- “Personal Data”, “Process”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” shall have the same meaning as defined by the GDPR and interpreted by the EU Data Protection Laws.
- “EEA” means the European Economic Area and includes the European Union member states, Iceland, Liechtenstein, and Norway.
2. Processing of EU Personal Data.
- You acknowledge that it may be necessary for You to provide access or transfer EU Personal Data to Safeter in the United States in order for the EU Personal Data to be included in the Platform and for the You to receive the services. To the extent that Safeter shall Process any EU Personal Data, the parties agree that (i) Safeter shall be the Data Processor and the You the Data Controller and (ii) the parties will enter into appropriate Controller-to- Processor Standard Contractual Clauses approved by the European Commission.
- Safeter shall provide such assistance as You require in relation to EU Personal Data in order for You to (a) respond to requests relating to Safeter’s Processing of EU Personal Data from Data Subjects and (b) the preparation of any necessary data protection impact assessments and the undertaking of any necessary data protection consultations that are required pursuant to EU Data Protection Laws.
- Safeter shall make available, upon Your written request and at Your expense, information necessary to demonstrate compliance with this EU Data Processing Addendum. If EU Data Protection Laws require Safeter to provide You with access to Safeter’s facilities or information, then Safeter shall permit You to audit Safeter’s compliance with the data security and data protection obligations under this EU Data Processing Addendum. You may request such audit no more than once in each twelve (12) month period and such audit shall be conducted during regular business hours. In order to request an audit of Safeter’s facilities and information, You shall (a) notify Safeter in writing sixty (60) days in advance, detailing the dates and duration of the audit and the identity and the qualifications of the auditor, (b) agree in writing with Safeter on the scope of the audit and the security and confidentiality controls required for access to the information, facilities or processes in scope of such audit and (c) cause such auditor to sign a non-disclosure agreement that is satisfactory to Safeter, with Safeter. Safeter may object to any external auditor if, in Safeter’s reasonable opinion, the auditor is not qualified, does not have an appropriate security clearance, is a competitor to Safeter, or is not independent. If Safeter objects to the identity or qualifications of any proposed auditor, Safeter shall provide reasons for such objection and You will be required to propose another auditor. All information provided or made available to You or its auditor pursuant to such audit shall be considered Safeter’s Confidential Information.
- Safeter shall promptly provide all assistance and information which is requested by any Supervisory Authority regarding EU Personal Data. Safeter shall immediately notify You of any request regarding EU Personal Data that it receives from any Supervisory Authority for assistance or information, unless prohibited by applicable law.
- Safeter shall maintain and provide to You upon request, records of all Processing activities related to EU Personal Data carried out on behalf of You, including the different types of Processing being carried out and of any sub-Processors, any transfers of EU Personal Data outside of the EEA or UK, including the identification of the relevant country or international organization and any documentation required to demonstrate suitable safeguards.
- Safeter shall not engage any third party, including without limitation, an affiliate of Safeter to carry out Processing of EU Personal Data in connection with its obligations under the Agreement (“Sub-Processor”) without Your consent. You hereby consents to each Safeter affiliate and the third parties identified at https://www.Safeter.work/eu-data-partners.html (“Notice URL”), as well as any additions or replacements included in the Notice URL from time to time. In the event that You do object to such addition or replacement, Safeter shall have the right to either (i) accept the objection and ensure such Sub-Processor does not Process any EU Personal Data of You or (ii) terminate the Subscription module(s) for which such Sub- Processor will process EU Personal Data as part of its services to Safeter. Safeter shall enter into a written agreement with the Sub-Processor and each Sub-Processor and sub-contractor to such Sub-Processor shall provide sufficient guarantees to implement appropriate technical and organizational measures to comply with its applicable obligations under EU Data Protection Laws when processing EU Personal Data. Safeter shall be liable for such obligations of its Sub-Processors to the extent required under EU Data Protection Laws.
- Upon the expiration or termination of the Agreement, Safeter shall procure that each Subprocessor shall destroy all copies of EU Personal Data, except to the extent that such EU Personal Data is required to be kept pursuant to applicable law.
2. Processing of EU Personal Data.
- In the event that Safeter can no longer meet its obligations under section 2 above, Safeter shall (i) promptly notify You in writing and work with You to take all reasonable steps to stop and remediate, to the extent possible, any Processing until such Processing meets the requirements of section 2 above; and (ii) promptly stop, and cause all Sub-Processors to promptly, stop Processing EU Personal Data, if in Your sole discretion, You determines that Safeter cannot correct any non-compliance with section 2 above within a reasonable time. You may consider Safeter’s inability to meet its obligations under section 2 above a material breach in accordance with the Terms.