This Data Processing Addendum(“DPA”) is entered into between Sebenzai (“Company”) and you on behalf ofyourself (“You”, “Yourself” or “Your”) for the processing of Personal Data byYou in connection with the Contract(s).
(1) You have entered into one or more contracts, agreements or other agreements(as may be amended from time to time) with Company (the “Contract(s)”) pursuantto which You have agreed to provide certain labelling and annotation servicesto Company, as more particularly described in the Contract(s) (the “Services”).In providing the Services, You may process data, including Personal Datacontrolled by Company and/or its customers, contacts or partners.
(3) Accordingly, Company’ engagement of You to provide the Services isconditioned upon Your agreement to this DPA.
“Affiliate” means any entity under the control of a party where “control” means ownership of or the right to control greater than 50% of the voting securities of such entity.
“Applicable Privacy Law(s)” means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, EU Data Protection Law.
“EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”), together with any national laws implementing the same; and (ii) European Directive 2002/58/EC (the “e-Privacy Directive”) together with any national laws implementing the same. The terms “Controller”, “Processor,” “processing,” “Personal Data”, “Data Subject”, “Supervisory Authority,” and “Special Categories of Data” shall have the meanings given to them in the GDPR.
“EEA” means, for the purposes of this DPA, the member states of the European Union and European Economic Area, the United Kingdom and Switzerland.
“Effective Date” means the date on which this DPA is executed by both parties.
“Model Clauses” means the standard contractual clauses for Processors as approved by the European Commission and available at http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087 (as amended or updated from time to time).
“Security Incident” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure or access to, data, including Personal Data.
“Term” means (a) the term of the Contract(s); and (b) any period after the termination or expiry of the Contract(s) during which You processes Personal Data, until You have deleted, destroyed or returned such Personal Data in accordance with the terms of this DPA.
- Role and Scope of Processing
2.1 You shall process Personal Data under the Contract(s) only as a Processor acting on behalf of Company (itself a Processor acting on behalf of third party Controllers). You agree that You will comply with the requirements of this DPA, at no additional cost to Company, at all times during the Term of the Contract(s) and process Personal Data about members of the public that may be captured by Company’s customers through cameras, videos and sensors, such as facial imagery, vehicle information, and location information. The processing will be carried out by You for the duration of the Term and will involve the viewing of video recordings to support the Services in controlled online session supported by Company software and systems.
2.2 Each Party shall comply with its obligations under Applicable Privacy Law(s) in respect of any Personal Data it Processes under this DPA.
2.3 You shall at all times: (i) process the Personal Data only as necessary for the purpose of providing the Services to Company under the Contract(s) and in accordance with Company’ documented instructions; (ii) not process the Personal Data for its own purposes or those of any third party.
2.4 You shall promptly notify Company in writing if You become aware or believe that any data processing instruction from Company violates Applicable Privacy Law(s) or You are unable to comply with Company’ data processing instructions for any reason; or You are unable to comply with the terms of the Contract(s) or this DPA.
3.1 You shall not subcontract any processing of the Personal Data to a Subcontractor without the prior written consent of Company.
4.1 You shall, taking into account the nature of the processing, reasonably cooperate with Company to enable Company (or its third party Controller) to respond to any requests, complaints or other communications from Data Subjects and governmental, regulatory or judicial bodies relating to the processing of Personal Data under the Contract(s), including requests from Data Subjects seeking to exercise their rights under Applicable Privacy Laws. In the event that any such request, complaint or communication is made directly to You, You shall promptly pass this onto Company and shall not respond to such communication without Company’s express authorization.
4.2 You will provide all reasonable assistance required by Company (or its third party Controller) to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that present a high risk to Data Subjects.
- Data Access & Security Measures
5.1 Only You are authorized to process any Personal Data as part of the Services. At all times, You shall ensure that you comply with the Company Security Measures.
5.2 You will implement and maintain all appropriate technical and organizational security measures to protect from Security Incidents and to preserve the security, integrity and confidentiality of Personal Data, in accordance with the Company’s Acceptable Use Policy (“Company Security Measures”).
- Security Incidents
6.1 In the event of a Security Incident, You shall immediately inform Company and provide written details of the Security Incident, as directed by Company. Furthermore, in the event of a Security Incident, and without prejudice to any other right or remedy available to Company, You shall:
(a) provide timely information and cooperation as Company may require to fulfil Company’ data breach reporting obligations under Applicable Privacy Laws; and
(b) promptly take all such measures and actions as directed by Company to remedy or mitigate the effects of the Security Incident and shall keep Company up-to-date about all developments in connection with the Security Incident.
- Security Reports & Inspections
7.1 You shall maintain records sufficient to demonstrate Your compliance with the obligations set out in this DPA, and retain such records for a period of one (1) year after the termination of the Contract(s). Company shall have the right to review, audit and copy such records at Your home and/or offices during regular business hours.
7.2 Company (or its appointed representatives) may carry out an inspection of Your operations and facilities during normal business hours and subject to reasonable prior notice where Company considers it necessary or appropriate (for example, without limitation, where Company has reasonable concerns about Your data protection compliance, following a Security Incident (for which no prior notice will be required) or following instruction from a data protection authority or the relevant third party Controller).
- International Transfers
8.1 You are a recipient of Personal Data under this DPA that originates in the EEA. Your receipt of that Personal Data shall be conditional on You complying with the Model Clauses, which are incorporated herein in full by reference and form an integral part of this DPA. Purely for the purposes of the descriptions in the Model Clauses and only as between You and Company, You agree that You are a “data importer” and Company is the “data exporter” under the Model Clauses (notwithstanding that Company is located outside the EEA and may itself be a Processor acting on behalf of third party Controllers). Further, the information contained in Section 2 of the DPA and the Company Security Measures will take the place of Appendixes 1 and 2 of the Model Clauses respectively.
8.2 The parties agree that in the event that a supervisory authority and/or Applicable Privacy Law no longer allows the lawful transfer of Personal Data to You and/or requires that Company adopt an alternative transfer solution that complies with Applicable Privacy Law, You will fully co-operate with Company to discuss and agree an amendment to this DPA to remedy such non-compliance and/or cease processing of Personal Data.
8.3 It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail. In no event does this DPA restrict or limit the rights of any Data Subject or of any competent Supervisory Authority.
- Deletion & Return
9.1 Upon Company’ request, or upon termination or expiration of this DPA for whatever reason, You shall promptly destroy or return to Company all Personal Data (including copies) in its possession or control. This requirement shall not apply to the extent that You are required by any applicable law to retain some or all of the Personal Data, in which event You shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
10.1 This DPA shall take effect on the Effective Date and unless terminated earlier in accordance with this Clause 10.1, will continue for the Term. The parties acknowledge and agree that any breach by You of this DPA shall constitute a material breach of this DPA and the Contract(s), in which event and without prejudice to any other right or remedy available to it, Company may elect to immediately terminate the Contract(s) (in whole or in part) in accordance with the termination provisions in the Contract(s). If there is any conflict between any provision in this DPA and any provision in the Contract(s), this DPA controls and takes precedence, except as expressly set forth herein. The terms and conditions in this DPA constitute the entire agreement between the parties with respect to the subject matter hereof and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, with respect to its subject matter. The parties agree that notwithstanding any termination of the Contract(s) and/or this DPA, the terms of this DPA shall continue in force until You have deleted, destroyed or returned the Personal Data processed under this DPA in accordance with the terms of this DPA. This DPA may not be modified except by a subsequent written instrument issued by Company. If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
10.2 Unless otherwise required by Applicable Laws, this DPA and any dispute or claim (including non-contractual disputes or claims) arising under or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the laws of England and Wales and each party agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with this DPA or its subject matter or formation.
10.3 The Parties hereby acknowledge and agree that any remedies arising from any Security Incident or any breach by You of the terms of this DPA or Applicable Privacy Law are not and shall not be subject to any exclusion or limitation of liability provision that applies to You under the Contract(s).