“Adequate Country”
means a country or territory that is recognised under EU and UK Data Protection Law as providing adequate protection for Personal Data.
“TPA”
means the Third-Party Agreement between the Third Party and Supplier governing the provision of the Licensed Products.
“TPA Personal Data”
means any Personal Data that is provided or made available by a Party (or on behalf of a Party) to the other Party (or to any third-party vendor acting on behalf of the other Party) under the Agreement in connection with the TPA, in respect of which each Party is a Controller or Business.
“Data Protection Law”
means all applicable laws governing the handling of Personal Data, including without limitation (1) EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), and the EU e-Privacy Directive (Directive 2002/58/EC) (the “e-Privacy Directive”) (collectively, “EU Data Protection Law”); (2) the UK Data Protection Act 2018 and the UK GDPR as defined in the 2018 Act (together, “UK Data Protection Law”); (3) the Swiss Federal Act on Data Protection 2020 (“FADP” or “Swiss Data Protection Law”); and (4) the US Data Protection Laws, in each case as amended, extended or re-enacted from time to time.
“EU Standard Contractual Clauses”
means the standard contractual clauses (“SCCs”) for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en.
“Controller”, “Processor”, “Business”, “Service Provider”, “Process”, “Processed”, “Processing”, “Sub-processor”, “Data Subject”, “Personal Data Breach” and “Supervisory Authority”
have the meanings given under Data Protection Law. In the event that any of these terms are defined differently in applicable Data Protection Law, relevant to the processing of Personal Data under the Agreement, the equivalent terms will apply in each jurisdiction.
“Personal Data”
means any information that relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including without limitation any information that qualifies as “personal information” or “personal data” under Data Protection Law.
“Restricted Transfer”
means a transfer of TPA Personal Data to a country or territory to which such transfer is prohibited under Data Protection Law or subject to a requirement to take additional steps to adequately protect Personal Data for the transfer to be lawful under Data Protection Law.
“UK Addendum”
means the Addendum that has been issued by the UK Information Commissioner for Parties making Restricted Transfers, and currently located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
“US Data Protection Laws”
means US state laws governing the processing of Personal Data, including but not limited to the California Consumer Privacy Act of 2018, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Utah Consumer Privacy Act of 2022, and the Virginia Consumer Data Protection Act, in each case as amended and including any regulations promulgated thereunder.
2.1 Each Party is an independent Controller or Business of TPA Personal Data that it processes under the Agreement.
2.2 To the extent that a Party processes Personal Data on behalf of the other Party in connection with the TPA, in respect of which a Party is a Processor or Service Provider, the Parties shall enter into a separate agreement addressing such processing.
2.3 The information in Annex 1 of these Data Protection Terms contains the applicable scope of processing pursuant to the TPA. Should any processing activity be contemplated by or between the Parties which is not accounted for in Annex 1, the Agreement shall specify in writing the nature of processing.
TPA Personal Data
3.1 Each Party will in respect of TPA Personal Data:
(a) process TPA Personal Data in accordance with obligations that apply to it as a Controller or Business under Data Protection Law including but not limited to the principles of lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation and security;
(b) provide such information and assistance as the other Party may reasonably request to enable it to comply with its own obligations under Data Protection Law, including in the event of a Personal Data Breach;
(c) notify the other Party, and provide the other Party with such information, cooperation and assistance as the other Party may reasonably request, if it:
(i) receives any enquiry, complaint, notice or other communication from any Supervisory Authority that names or otherwise identifies or concerns the other Party; or
(ii) suffers a Personal Data Breach and wishes to name or otherwise identify the other Party in a notification of such breach to a Supervisory Authority or a Data Subject.
(d) process its own requests for Data Subjects to exercise their rights, and will cooperate with the other Party to honour any such rights requests (in particular any objections or opt-out requests) that have been received by the other Party, and which relate to TPA Personal Data that has been shared between the Parties;
(e) ensure that any person who is authorized to process TPA Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
3.2 A Party that has made TPA Personal Data available to the other Party under the Agreement (“Disclosing Party”) will have the right to:
(a) take reasonable and appropriate steps to help ensure that such other party (“Receiving Party”) uses such TPA Personal Data in a manner consistent with the Disclosing Party’s obligations under and as required by Data Protection Law; and
(b) upon reasonable prior written notice, take reasonable and appropriate steps to stop and remediate unauthorized use of such TPA Personal Data under Data Protection Law. The Receiving Party will notify the Disclosing Party if the Receiving Party determines that it can no longer meet its obligations under Data Protection Law.
TPA Personal Data
4.1 To the extent a transfer of TPA Personal Data between the parties constitutes a Restricted Transfer under EU Data Protection Law, the parties hereby are deemed to conclude Module 1 of the EU Standard Contractual Clauses, which are incorporated herein by reference and as follows:
(a) in Clause 7, the optional docking clause applies;
(b) in Clause 11, the optional language is deleted;
(c) in Clauses 17 and 18, the governing law and forum for disputes for the Standard Contractual Clauses will be the law and courts of the Netherlands;
(d) in Clause 13(a) and Annex 1.C, the Autoriteit Persoonsgegevens (Netherlands) will act as competent Supervisory Authority;
(e) the information contained in Annex 1 and Annex 3 of these Data Protection Terms, together with the details of the parties set out in the Agreement, shall populate Annexes to the EU Standard Contractual Clauses (for the avoidance of doubt, where Third Party is the importer, Third Party will implement security measures consistent with those implemented by Supplier pursuant to Annex 3).
4.2 To the extent a transfer of TPA Personal Data between the parties constitutes a Restricted Transfer under UK Data Protection Law, the parties hereby conclude the UK Addendum, which is incorporated herein by reference and as follows:
(a) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Agreement together with the Annexes of these Data Protection Terms and Table 4 will be deemed completed by selecting “neither party”;
(b) where applicable, the elections made in Clause 4.2 of these Data Protection Terms shall apply;
(c) any conflict between the terms of the EU Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
4.3 To the extent a transfer of TPA Personal Data between the parties constitutes a Restricted Transfer under Swiss Data Protection Law, the parties hereby conclude Module 1 of the EU Standard Contractual Clauses, which are incorporated herein by reference with the following modifications:
(a) All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the FADP; all references to the EU Data Protection Law in this DPA will be interpreted as references to the FADP.
(b) In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
(c) In Clauses 17 and 18, the governing law and forum for disputes will be the laws of Switzerland.
(d) All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).
To the extent that the Third Party has an entitlement under Data Protection Law to claim from Supplier compensation paid by the Third Party to a Data Subject as a result of a breach of Data Protection Law to which Supplier contributed, Supplier shall be liable only for such amount as it directly relates to its responsibility for any damage caused to the relevant Data Subject.
| Processing Activity | Status of the Parties | Categories of Personal Data Processed | Categories of Data Subjects | Categories of Sensitive Data Processed | Frequency of Transfer | Applicable SCCs Module |
|---|---|---|---|---|---|---|
| Agreement and product administration: The regular exchange of Personal Data between Supplier and Third Party to facilitate the TPA and product access. | Third Party is a Controller (Exporter). Supplier is a Controller (Importer). Or Third Party is a Controller (Exporter). Supplier is a Controller (Importer). | Business contact information. | Supplier and Third-Party personnel | N/A | Continuous | Module 1 |
| Product Content: Personal Data made available to Third Party by Supplier through product content. | Third Party is a Controller (Importer). Supplier is a Controller (Exporter). | Contact and profile information collated from publicly available sources and databases; institution, government, and NGO websites (such as hospital or medical society websites); public news sources; and other readily available public resources. | Healthcare professionals, medical, scientific and healthcare staff, clinical study investigators, academic experts, authors and other relevant professionals. | N/A | Continuous | Module 1 |