1.1 In this Addendum, the following terms will have the meanings set out below:
1.1.1. “Agreement” means the agreement between Customer and Samsara that sets forth the terms and conditions pursuant to which Customer will access certain Samsara solutions and contract for certain services from Samsara.
1.1.2. “Customer Personal Data” means any Personal Data subject to Data Protection Laws contained in Customer Data that the Customer provides or has made available to Samsara and is Processed by Samsara on Customer’s behalf pursuant to the Agreement; and
1.1.3. “Data Protection Laws” means, as applicable, the EU General Data Protection Regulation (EU 2016/679) (the “EU GDPR”), its incorporation into the laws of England and Wales, Scotland, and Northern Ireland by virtue of the UK European Union (Withdrawal) Act 2018 (the “UK GDPR”) and/or the Swiss Federal Act on Data Protection (“FADP”) (together, the “GDPR”) and/or any applicable national legislation which supplements it.
1.2 The terms “Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processing,” “Processor,” and “Supervisory Authority” will have the same meaning as in the GDPR. Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement.
2. Processing of Customer Personal Data
2.1. As between the parties, Samsara acts as a Processor of the Customer Personal Data on Customer’s behalf. As a Processor, Samsara will:
2.1.1. Process Customer Personal Data in accordance with this Addendum (including, without limitation, Appendix A), Documentation and/or Customer’s documented instructions as set forth in the Agreement, or as otherwise required by applicable law to which Samsara is subject (the “Customer Instructions”). If Samsara is required by applicable UK, European Union and/or Member State law to Process Customer Personal Data other than in accordance with the Customer Instructions, Samsara will to the extent permitted by applicable UK, European Union and/or Member State law inform the Customer of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest.
2.1.2. Not be responsible for obtaining any consent, authorization, approval or agreement as may be required under applicable laws or policies, or for providing notices with regard to Customer Personal Data, in order to enable Samsara to receive and Process the Customer Personal Data in accordance with the Agreement. Customer will be solely responsible for the accuracy, quality and legality of the Customer Personal Data, the means by which it acquires and uses the Customer Personal Data, and for the Customer Instructions regarding the Processing of Customer Personal Data. Customer shall ensure that its acts or omissions, including its Customer Instructions, do not put Samsara in breach of any applicable laws or regulations. Where Samsara believes that an instruction would be in breach of applicable UK, European Union and/or Member State data protection provisions, Samsara shall notify Customer of such belief without undue delay. Samsara shall be entitled to suspend performance of such instruction until Customer confirms or modifies such instruction.
3. Samsara Personnel
3.1. Samsara will hold Customer Personal Data in confidence pursuant to the confidentiality provisions of the Agreement and will require Samsara personnel granted access to Customer Personal Data to protect all Customer Personal Data accordingly. Any person entitled to Process Customer Personal Data on behalf of Customer has undertaken a commitment to secrecy or is subject to an appropriate statutory obligation to secrecy. All such secrecy obligations shall survive the termination or expiration of such Processing.
4.1. Samsara will implement appropriate technical and organizational measures designed to safeguard Customer Personal Data and to ensure the adequate protection of Customer Personal Data, which measures shall fulfil the requirements of the GDPR and specifically Article 32 GDPR. Samsara shall at least implement the measures contained in the attached Security Description at Appendix B. Samsara may modify such measures from time to time, provided that such modifications will not materially reduce the overall level of protection for Customer Personal Data.
5.1. Customer authorizes each Samsara affiliate, as well as such other third parties noted in Documentation, to be sub-processors (each a “Subprocessor”). Samsara may disclose Customer Personal Data to its Subprocessors for the purposes of providing the Products, provided that Samsara will impose substantially similar obligations on its Subprocessors regarding the security and confidentiality of Customer Personal Data as those set forth in this Addendum to meet the requirements of Data Protection Laws.
5.2. Customer shall be entitled to contradict any change of Subprocessors as notified by Samsara from time to time within thirty (30) calendar days of such notification, and only for materially important reasons. Where Customer fails to contradict such change within such period of time, Customer shall be deemed to have consented to such change. Where a materially important reason for such contradiction exists and is provided in writing to Samsara, and failing an amicable resolution of this matter by the parties (each party acting reasonably and in good faith), Customer shall be entitled to terminate the Agreement by providing written notice to Samsara.
5.3. Samsara will remain responsible for the acts or omissions of Subprocessors to the same extent required by Data Protection Laws as if the acts or omissions were performed by Samsara (“Subprocessor Liability”), and shall be permitted to re-perform or to procure the re-performance of any such obligations, and Customer acknowledges and accepts that such re-performance shall diminish any claim that Customer has against Samsara in respect of any Subprocessor Liability.
6. Data Subject Requests
6.1. Where Samsara directly receives requests from Data Subjects, or anyone acting on their behalf, to exercise their rights under Data Protection Laws (“Data Subject Request”), and provided Samsara can reasonably identify from the information provided that such request relates to the Customer and/or Customer Personal Data, then unless prohibited by applicable law, Samsara will (a) promptly notify Customer of such request; and (b) not respond to any such request unless required by applicable law to which Samsara is subject, in which case Samsara will, to the extent permitted by applicable law, inform Customer of that legal requirement before responding to such request. Samsara may require the Customer to bear the actual costs incurred as a result of the assistance provided in accordance with this Section based on the then currently applicable service rates of Samsara.
6.2. For the avoidance of doubt, Customer is responsible as Data Controller for responding to Data Subject Requests. Samsara’s Services include technical and organizational measures that have been designed, taking into account the nature of its Processing, to assist Customer, insofar as this is possible, in fulfilling its obligations to respond to Data Subject Requests.
7. Personal Data Breach
7.1. Samsara will notify Customer without undue delay upon Samsara becoming aware of a Personal Data Breach affecting Customer Personal Data. For the avoidance of any doubt, a Personal Data Breach shall not include (i) any incidents which are unlikely to result in a material risk to the rights and freedoms of natural persons that are the subject of the Customer Personal Data; (ii) acts or omissions which do not breach Samsara’s security or the security of any Subprocessor; (iii) port scans, authorized penetration tests, and denial of service attacks; or (iv) any access to or Processing of Customer Personal Data that is consistent with Customer Instructions. At Customer’s request, Samsara will provide reasonable assistance and co-operation to assist Customer in fulfilling any applicable notification obligations under applicable Data Protection Laws with respect to the Personal Data Breach. Samsara’s notification of, or response to, a Personal Data Breach shall not be construed as an acknowledgement by Samsara or, if relevant, its Subprocessors of any fault or liability with respect to the performance of Products. Samsara may require the Customer to bear the actual costs incurred as a result of the assistance provided in accordance with this Section based on the then currently applicable service rates of Samsara.
8. Data Protection Impact Assessment and Prior Consultation
8.1. At Customer’s request, Samsara will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities required by Article 35 or 36 of the GDPR, in each case solely in relation to Samsara’s Processing of Customer Personal Data under the Agreement, and taking into account the nature of the Processing and information available to Samsara. Samsara reserves the right to charge a reasonable fee for such requested assistance, to the extent permitted by applicable law.
9. Audit rights
9.1. Samsara may retain independent third-party auditors to prepare a Service Organization Control 2 (Type I or II) report, or other industry-standard successor report (“Report”). Upon Customer’s written request, Samsara will provide to Customer at no cost a copy of the most recent Report, up to once a year. Such Reports will be Samsara’s Confidential Information under the confidentiality provisions of the Agreement. Customer agrees that the Reports will be used to satisfy any audit or inspection request by or on behalf of Customer in relation to Data Protection Laws, this Addendum, and/or Agreement.
9.2. If a Report is not available, Customer may request, upon 30 days’ prior written notice and up to once per calendar year, to perform a review at its own expense, with a scope, dates, duration, auditor and any security and/or confidentiality controls to be mutually agreed, of relevant Samsara policies and procedures governing Samsara’s handling of Customer Personal Data in connection with the Services, for purposes of verifying Samsara’s compliance with this Addendum. This review will be conducted in a manner that does not compromise confidentiality obligations to Samsara’s other customers. The parties acknowledge and agree that such policies and procedures are Samsara’s Confidential Information under the confidentiality provisions of the Agreement.
10. Data Transfers
10.1. Samsara may transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services, consistent with this Addendum. To the extent the provision of Services under the Agreement involves a transfer of Customer Personal Data from a Customer in the European Union or the United Kingdom to a location that has not been deemed to provide an adequate level of data protection under the GDPR, Samsara agrees to abide by and process Customer Personal Data in compliance with the Standard Contractual Clauses (controller to processor) promulgated by the EU Commission Decision 2010/87/EU (“EU Model Clauses”) attached as Appendix C (including the appendices attached thereto), and subject to the interpretations set forth in Annex C. For such purposes, Samsara agrees that it is a "data importer" and Customer and/or its Affiliates, as applicable, is/are the "data exporter" under the EU Model Clauses (notwithstanding that Customer and/or its Affiliates may be an entity or entities located outside of the European Union/Switzerland/the UK (as applicable)). Please note that Samsara also remains certified under the E.U.-U.S. and Swiss-U.S. Privacy Shield Frameworks.
11. Retrieval and Deletion of Customer Personal Data
11.1. Customer hereby acknowledges and accepts the functionality of the Products and the data retention and deletion policies as provided to Customer by Samsara, which may impact Customer Personal Data. Samsara will enable Customer to delete Customer Personal Data during the term of the Agreement in a manner consistent with the functionality of the Products. Following termination or expiration of the Agreement, Customer will be entitled to retrieve its Customer Personal Data in accordance with the Agreement and Samsara will promptly delete Customer Personal Data from its systems following such retrieval period, unless applicable law requires storage of the Customer Personal Data.
DESCRIPTION OF PROCESSING ACTIVITIES
Samsara’s provision of the Products to the Customer.
Duration of the Processing
The term of the Agreement plus the period from the expiry or termination of the Agreement until deletion of all Customer Data by Samsara in accordance with the Agreement. Specific Customer Personal Data may have specific data retention and deletion policies in place (e.g., video data from dash cameras utilized by customers located in the EEA, which is uploaded to the Hosted Software, has a six-month retention policy and deletion schedule in place as a default setting, which the Customer accepts and which can be amended to meet Customer requirements).
Nature and Purpose of the Processing
Samsara will process Customer Personal Data for the purposes of providing the Products to the Customer in accordance with, and as otherwise permitted by, the Agreement, and for any disclosures compelled by law.
Categories of Personal Data
Personal Data relating to individuals provided to Samsara via the Products, by (or at the direction of) Customer or by any employee or end user of the Customer, which includes, without limitation, names, contact information (e.g., company, email, address, telephone number), ID data, connection data, location data, profile pictures, and images and video captured by the Products (e.g., images of individuals inside a vehicle operating a dash cam, and other information capable of identifying individuals from such imagery, e.g., vehicle registration and license plates, signposts for buildings, houses and other landmarks).
Data subjects include the individuals about whom Personal Data is provided to Samsara via the Products by (or at the direction of) Customer or by any employee or end user of the Customer, which include, without limitation, users, employees, officers, directors, contractors, agents, vendors, customers, clients, visitors, and such other individuals who may be captured by the Products.
Location of Processing
The Customer Personal Data may be Processed by Samsara and its Subprocessors in various locations and countries including, without limitation, in countries outside of the EEA in which Samsara or Subprocessors may maintain facilities, employees and/or infrastructure e.g., Amazon Web Services, Inc. in California, USA, for cloud hosting infrastructure services. Customer acknowledges and accepts that the applicable data protection laws and regulations in such countries may be less protective of individuals’ rights than that afforded in the EEA.
Samsara, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the legally protected interests of natural persons, shall implement the necessary technical and organizational measures to ensure a level of security appropriate to the risk when Processing Personal Data, in particular as regards the processing of special categories of Personal Data.
These measures may include pseudonymization and encryption of personal data, if such means are possible in view of the purposes of Processing.
Samsara takes steps to restrict access to Customer Personal Data to Customer, its users, and authorized Samsara personnel and Subprocessors. In addition, Samsara has processes designed to protect its systems containing or accessing the Customer's Personal Data against Personal Data Breaches. The underlying infrastructure leverages Amazon AWS, which is ISO 27001 and SOC 1 Type II certified. Network devices, including firewalls and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface and manage and enforce the flow of traffic.
Data is logically separated across distributed databases with required authentication checks for every application-layer and data-layer access made to any tenant's data. The logical separation is designed to associate data with exactly one customer and required authentication checks at the application and data layers aim to isolate data by customer and accounts provisioned for that customer.
The Services employ a Virtual Private Cloud to provide resource isolation and minimize attack surface area. The Services are protected by IP- and port-based firewalls. Administrative access to Samsara’s infrastructure is restricted and verified by AWS Identity and Access Management. Distributed Denial of Service (DDoS) attacks can be mitigated with elastic load balancing and highly available DNS services.
When a storage device containing Customer Personal Data has reached the end of its useful life, procedures include a decommissioning process that is designed to prevent the data from being exposed to unauthorized individuals. Techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) are used to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
Samsara implements measures designed to enhance the physical security of its networks, servers, cloud and other information systems in which Customer Data is stored, processed, transmitted, or accessed and to maintain them in a secure manner that satisfies the requirements of this Appendix.
Samsara reviews information technology security measures annually. On an annual basis a qualified independent third-party conducts penetration tests of Samsara’s system for security vulnerabilities. Samsara maintains suitable processes to identify, isolate and remediate security vulnerabilities.
EU MODEL CLAUSES
Standard Contractual Clauses (Processors)
Name of the data exporting organisation: Customer and/or Affiliate (as applicable) as per Order Form
Address: as per Order Form
E-mail: as per Order Form
(the “data exporter” or “Customer”)
Name of the data importing organisation: Samsara Inc.
Address: 1990 Alameda Street, 5th Floor, San Francisco, CA 94103
(the “data importer” or “Samsara”),
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
'the data exporter' means the controller who transfers the personal data;
'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
that it will ensure compliance with the security measures;
that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
that it will promptly notify the data exporter about:
any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
any accidental or unauthorised access, and
any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
that the processing services by the subprocessor will be carried out in accordance with Clause 11;
to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
to refer the dispute to the courts in the Member State in which the data exporter is established.
The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Obligation after the termination of personal data processing services
The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
Please see details set forth in Appendix A to this Addendum.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
The technical and organizational security measures implemented by the data importer are described in Appendix B of this Addendum.
APPENDIX 3 TO THE STANDARD CONTRACTUAL CLAUSES
All references to a “Member State” in the Model Clauses shall now mean a member state of the European Union, the United Kingdom or Switzerland. All references to “Supervisory Authority” in the Model Clauses shall now mean a supervisory authority of a member state of the European Union, the United Kingdom or Switzerland (as applicable). All references to Directive 95/46/EC in the Model Clauses shall now mean the EU GDPR, the UK GDPR or the FADP (as applicable).
Where the EU Model Clauses (Controller to Processor) ("EU Model Clauses") apply pursuant to Section 10 of the Addendum, then this Appendix 3 sets out the parties' interpretations of their respective obligations under specific provisions within the EU Model Clauses, as identified below. Where a party complies with the interpretations set out in this Appendix 3, that party shall be deemed by the other party to have complied with its commitments under the EU Model Clauses. When used below, the terms "data exporter" and "data importer" shall have the meaning given to them in the EU Model Clauses.
Nothing in the interpretations below is intended to vary or modify the EU Model Clauses or conflict with either party's rights or responsibilities under the EU Model Clauses and, in the event of any conflict between the interpretations below and the EU Model Clauses, the EU Model Clauses shall prevail to the extent of such conflict. Notwithstanding this, the parties expressly agree that any claims brought under the EU Model Clauses shall be exclusively governed by the limitations on liability set out in the Agreement. For the avoidance of any doubt, in no event shall any party limit its liability with respect to any data subject rights under the EU Model Clauses.
Clause 5(j): Disclosure of Subprocessor Agreements. The parties acknowledge the obligation of the data importer to send promptly a copy of any onward subprocessor agreement it concludes under the EU Model Clauses to the data exporter. Accordingly, the parties agree that upon the reasonable request of data exporter, data importer shall provide all relevant information evidencing compliance with Clause 5(j). Should the information provided by data importer be insufficient to demonstrate data importer’s compliance with Clause 5(j) then the parties shall promptly meet to discuss what information should be provided to demonstrate compliance with Clause 5(j). To the extent any information is provided in accordance with this Section, the parties agree such information provided to the data exporter shall constitute data importer’s Confidential Information under the Agreement and such information shall not be disclosed by data exporter to any third party without data importer’s prior written agreement.
Clause 6: Liability. Any claims brought under the EU Model Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations of liability set forth in the Agreement (as defined in the DPA). In no event shall any party limit its liability with respect to any data subject rights under these EU Model Clauses.
Clause 11: Onward Subprocessing. The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled “FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC” the data exporter may provide a general consent to onward subprocessing by the data importer. Accordingly, data exporter provides a general consent to data importer, pursuant to Clause 11 of these EU Model Clauses, to engage onward subprocessors. Such consent is conditional on data importer’s compliance with the requirements set out in Section 5 of this Addendum.