CUSTOMER

Data Processing Addendum

This Data Processing Addendum ("Addendum") references the Master Agreement, Orders or addenda thereunder (each as may be amended from time to time), under which TekCor4 and its Affiliates have agreed to provide, and Customer and its Affiliates have agreed to receive, certain TekCor4 products and services, that have been entered into between: (i) the relevant members of the TekCor4 ("TekCor4"); and (ii) the relevant Customer or Subscriber that receives such products and services ("Customer" or "Subscriber") (such agreement(s) being the "Relevant Order").
Unless otherwise specified, capitalized terms not otherwise defined herein shall have the meaning given to them in the Relevant Order. This Addendum and the terms herein shall (unless expressly stated otherwise) amend and be deemed to be incorporated into the Relevant Order solely to the extent that TekCor4 and/or its Affiliates collect, process or handle Customer Personal Data.


1. Data Processing Terms

1.1 In connection with the provision of applicable services to Customer and, where applicable, Customer’s Affiliates, TekCor4 and its Affiliates may Process Customer Personal Data.

2. Processing of Customer Personal Data

2.1 TekCor4 shall not Process Customer Personal Data other than (i) as reasonably necessary in connection with providing the services under the Relevant Order and, in such case, in accordance with the Applicable Law, (ii) on Customer's documented instructions, or (iii) as is required by Applicable Laws to which TekCor4 is subject, in which case TekCor4 shall, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before Processing Customer Personal Data.

2.2 For the purposes set out in section 2.1 above, TekCor4 shall be permitted to transfer Customer Personal Data to the recipients in Section 3 of any Data Processing Schedule, as amended from time to time, always provided that TekCor4 shall comply with section 5 and section 11.

 

3. TekCor4 Personnel

TekCor4 shall take reasonable steps to ensure compliance with the terms of this Addendum by any employee, agent or contractor engaged or employed by TekCor4 who may have access to Customer Personal Data. TekCor4 shall ensure that personnel authorised to process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

 

4. Security

4.1 TekCor4 shall, in relation to Customer Personal Data, implement appropriate technical and organizational measures in accordance with good industry practice to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 Customer agrees that, without prejudice to TekCor4’s obligations under this Addendum, Customer is solely responsible for its use of the relevant services provided under the Relevant Order, including: (i) making appropriate use of such services and any additional security controls that Customer believes are necessary to ensure a level of security appropriate to the risk in respect of the Customer Personal Data; (ii) securing the account authentication credentials, systems and devices Customer uses to access such services; and (iii) backing up its Customer Personal Data. TekCor4 has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of TekCor4’s and its Subprocessors’ systems (for example, offline or on premises storage).

 

5. Subprocessing

5.1 Customer specifically authorizes the engagement of TekCor4’s Affiliates as Subprocessors, including, but not limited to TekCor4 Technology Solutions Private Limited. In addition, Customer generally authorizes the engagement of any other third parties as Subprocessors. A list of current Subprocessors, if applicable, excluding TekCor4’s Affiliates, is included in Section 3 of the Data Processing Schedule attached to a Relevant Order.

5.2 With respect to each Subprocessor, TekCor4 shall:

5.2.1 upon request provide Customer with reasonable details of the Processing to be undertaken by each Subprocessor;

5.2.2 carry out adequate due diligence on each Subprocessor to ensure that it is capable of providing the level of protection for Customer Personal Data as is required by this Addendum;

5.2.3 where appropriate, include terms in the contract between TekCor4 and each Subprocessor which are materially equivalent to those set out in this Addendum; and

5.2.4 remain liable to Customer for any failure by each Subprocessor to fulfil its obligations hereunder in relation to the Processing of any Customer Personal Data.

6. Data Subject Rights

6.1 TekCor4 shall assist Customer, at Customer’s reasonable cost (based on TekCor4’s reasonable costs), to respond to complaints, communications or requests made by a Data Subject in relation to the Customer Personal Data.

6.2 Subject to applicable laws, TekCor4 shall, as soon as reasonably practicable, notify Customer at the Notification Email Address if TekCor4 receives a request from a Data Subject under any Applicable Laws that relates to Customer Personal Data.

7. Personal Data Breach

7.1 Subject to applicable laws, TekCor4 shall, without undue delay, notify Customer at the Notification Email Address upon TekCor4 or any Subprocessor becoming aware of a Personal Data Breach and provide Customer with a reasonable level of information to allow Customer to meet any reporting obligations under Applicable Laws.

7.2 TekCor4 shall cooperate, at Customer’s reasonable cost (based on TekCor4’s reasonable costs), with Customer and, where applicable, each Customer Affiliate, to assist in the investigation and remediation of any such Personal Data Breach.

7.3 TekCor4’s notification of or response to a Personal Data Breach under this section 7 will not be construed as an acknowledgement by TekCor4 of any fault or liability with respect to the Personal Data Breach. TekCor4 will not assess the contents of Customer Personal Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Personal Data Breach(es).

8. Customer’s Security Assessment; Data Protection Impact Assessment and Prior Consultation

8.1 TekCor4 shall assist Customer, at Customer’s reasonable cost (based on TekCor4’s reasonable costs), with any data protection impact assessments which are mandatory under Article 35 of the GDPR and with any prior consultations to any Supervisory Authority of Customer or any Customer Affiliate which are mandatorily required under Article 36 of the GDPR, in each case solely in relation to the Processing of Customer Personal Data by TekCor4 on behalf of Customer, taking into account the nature of the Processing and the information available to TekCor4.

8.2 Customer is solely responsible for reviewing and evaluating for itself whether the services provided under the Relevant Order and TekCor4’s commitments under this Addendum will meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Laws.

9. Deletion or Return of Customer Personal Data

9.1 Subject to section 9.2, TekCor4 shall promptly and in any event within 90 (ninety) calendar days of the termination of services delete and procure the deletion of any Customer Personal Data Processed by TekCor4 and/or any Authorised Subprocessor. Notwithstanding this paragraph and subject to section 9.2, TekCor4 may retain a copy of Customer Personal Data as part of its normal backup and archival systems and procedures.

9.2 TekCor4 may retain Customer Personal Data to the extent it is permitted to retain it or otherwise required to retain it by applicable laws, regulations or bona fide audit and compliance policies provided that TekCor4 shall ensure the confidentiality of such Customer Personal Data and that such Customer Personal Data is only Processed as necessary for the purpose(s) required by such applicable laws, regulations or audit and compliance policies, and for no other purpose.

10. Customer Personal Data Audit Rights

10.1 In addition to any audit rights granted pursuant to the Relevant Order, upon prior written request by Customer, TekCor4 shall:

make available to Customer all information held by TekCor4 to the extent reasonably necessary to demonstrate TekCor4’s compliance with this Addendum; and/or

10.2 allow an inspection by Customer or an independent auditor mandated by Customer ("Mandated Auditor") of any premises where the Processing of Customer Personal Data takes place solely for the purpose of assessing compliance with this Addendum, and which will permit reasonable access to relevant records, processes and systems.

10.3 Notwithstanding the aforementioned, the foregoing audit rights are subject to the following conditions: 

(i) audits may only occur once per calendar year and during normal business hours, and only after reasonable notice to TekCor4 (not less than 30 Business Days);
(ii) audits will be conducted in a manner that does not have any adverse impact on TekCor4’s normal business operations;
(iii) Customer and/or the Mandated Auditor will comply with TekCor4’s standard safety, confidentiality and security procedures in conducting any such audits and shall not have access to any proprietary or third party information or data;
(iv) any records, data or information accessed by the Customer and/or Mandated Auditor in the performance of any such audit will be deemed to be the confidential information of TekCor4, as applicable, and may be used for no other reason than to assess TekCor4’s compliance with the terms of this Addendum (in connection with the foregoing, TekCor4 may require Customer and any Mandated Auditor to enter into a customary confidentiality agreement prior to any such audit); and
(v) to the extent any such audit incurs or is reasonably likely to incur in excess of 10 hours of TekCor4 personnel time, TekCor4 shall be entitled to charge Customer USD500 per hour for any such excess hours.

10.4 TekCor4 may object in writing to a Mandated Auditor if the auditor is, in TekCor4’s reasonable opinion, not suitably qualified or independent, a competitor of TekCor4, or otherwise manifestly unsuitable. Any such objection by TekCor4 will require Customer to appoint another auditor or conduct the audit itself.

11. Restricted Transfers

11.1 If applicable, TekCor4 and each applicable TekCor4 Affiliate that is in possession of any Customer Personal Data hereby agree to comply with the Standard Contractual Clauses, which terms shall take precedence over those in this Addendum. In particular, in respect of any Personal Data relating to Data Subjects in:

11.1.1 the European Economic Area and the Dubai International Financial Centre, the Standard Contractual Clauses shall apply to such transfer;

11.1.2 the United Kingdom, the Standard Contractual Clauses interpreted in accordance with the UK Addendum shall apply to such transfer;

11.1.3 Switzerland, the Standard Contractual Clauses shall apply to such transfer subject to the following interpretations:

11.1.3.1 The competent supervisory authority in Annex I.C shall refer to the Swiss Federal Data Protection and Information Commissioner (FDPIC);
11.1.3.2 Clause 18 c shall be interpreted to permit data subjects in Switzerland to bring legal proceedings in Switzerland;
11.1.3.3 References to the General Data Protection Regulation should be understood as references to the FADP; and
11.1.3.4 The data of legal entities shall be protected as Personal Data to the extent such data is protected under the FADP.

11.2 If the Standard Contractual Clauses cease to be recognized as a legitimate basis for the transfer of Customer Personal Data to an entity located outside of the EEA, TekCor4 will cooperate with Customer to identify and implement, or otherwise will seek to adhere to, an alternative adequate transfer mechanism to the extent that one is required by, and available under, the Applicable Laws. TekCor4 shall notify Customer of any alternative adequate transfer mechanism for the transfer of Customer Personal Data upon which it intends to rely.

11.3 If applicable, TekCor4 and each applicable TekCor4 Affiliate that is in possession of any Customer Personal Data shall adhere to and comply with the Standard Contractual Clauses immediately upon the commencement of any relevant Restricted Transfer by such entity.

12. General Terms

12.1 Unless otherwise set out herein, any obligation imposed on TekCor4 under this Addendum in relation to the Processing of Customer Personal Data shall survive any termination or expiration of this Addendum for so long as TekCor4 retains and is Processing Customer Personal Data, and such data is governed by the relevant Applicable Law.

12.2 This Addendum shall be governed by the governing law (and subject to the jurisdiction(s)) of the Relevant Order.

12.3 With regard to the subject matter of this Addendum, the provisions of this Addendum shall prevail with regard to the parties’ data protection obligations for Customer Personal Data of a Data Subject from a Member State of the European Union.

12.4 TekCor4 may by at least 30 (thirty) calendar days' written notice to Customer from time to time make any modifications to this Addendum and the Standard Contractual Clauses which are required as a result of any change in Applicable Laws, or as a result of any decision by a Supervisory Authority, and propose any other modifications to this Addendum which TekCor4 reasonably considers to be necessary to address the requirements of any Applicable Laws. Customer will have 30 (thirty) calendar days to object after any such update is made available at the Privacy Portal.

12.5 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either

(i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible; or, if this is not possible,

(ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

12.6 This Addendum shall become effective as of the date of signing this Order and will remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by TekCor4 as described in this Addendum.

12.7 Whenever any notice, request, approval, consent or other communication is given by one Party to the other under the Relevant Order ("Notice"), such Notice shall be in writing and/or shall be delivered by posting such Notice on the Privacy Portal, by email to the Notification Email Address, courier service or registered or certified mail, addressed as set forth in the Relevant Order. The Parties agree that any notice, request, approval, consent or other communication may be validly delivered or provided by email or through the Privacy Portal.

Definitions
The following definitions shall apply in this Addendum.

"Affiliate" shall have the same meaning as given to it in the Relevant Order;

"Applicable Laws" means all applicable privacy, data Processing, data protection and information security laws, rules, regulations and standards, as each may be amended from time to time, including the EU General Data Protection Regulation (EU 2016/679) (including as transposed into domestic legislation of each member state of the European Union), the UK General Data Protection Regulation, the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100, et seq.) and its implementing regulations, and any equivalent legislation, or legislation dealing with the same subject matter, anywhere in the world;

"Authorised Subprocessors" means any Subprocessors appointed or used in accordance with section 5;

"Customer Personal Data" means any Personal Data Processed by TekCor4 or any TekCor4 Affiliate on behalf of Customer or any Customer Affiliate pursuant to or in connection with the Relevant Order, to the extent that it is governed by Applicable Laws;

"Data Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;

"Data Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

"Data Processing Schedule" means a schedule of the processing of personal data to be included in each Order to comply with the provisions of Article 28(3) of the GDPR.

"Data Subject" means an identified or identifiable natural person to whom the Personal Data relates;

"EEA" means the European Economic Area as well as any country for which the European Commission has published an adequacy decision as published at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm;

"Notification Email Address" means the email address provided TekCor4 in the Master Agreement for the purpose of sending notices, or such other email address as may be communicated to the Customer from time to time.

"Origin Jurisdiction" means any jurisdiction in relation to which Applicable Laws impose requirements in relation to international transfers of Personal Data from within to outside of that jurisdiction.

"Personal Data" means any information relating to a Data Subject;

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data;

"Processing" or "Process" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

"Restricted Transfer" means a transfer of Personal Data from within an Origin Jurisdiction, or that is otherwise subject to the Applicable Data Protection Laws of an Origin Jurisdiction, to a jurisdiction or a recipient in such jurisdiction in respect of which additional safeguards are required under the Applicable Data Protection Law of the Origin Jurisdiction in order to lawfully transfer personal data to that jurisdiction or recipient, including remote access from outside the Origin Jurisdiction;

"Special Categories of Personal Data" means Customer Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data (when used for the purpose of uniquely identifying a natural person), biometric data (when used for the purpose of uniquely identifying a natural person), data concerning health, and/or data concerning a Data Subject's sex life or sexual orientation;

"Standard Contractual Clauses", sometimes also referred to as the "EU Model Clauses", means the contractual clauses as set out at Standard Contractual Clauses (SCC) - European Commission as updated from time to time;

"Subprocessor" means any Data Processor (including any TekCor4 Affiliate) appointed by TekCor4 to Process Customer Personal Data on behalf of Customer or any Customer Affiliate;

"Supervisory Authority" means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR; and

"UK Addendum" means the document published by the Information Commissioner's Office from time to time.


Data Processing Schedule
Section 1 - Data processing details

Processing of the Protected Data by TekCor4 under the Agreement shall be for the subject-matter, duration, nature and purposes and involve the types of Personal Data and categories of Data Subjects set out in this Section 1 of this Schedule.

Personal Data Processing Schedule
Purposes and Details
Subject matter of processing: The provision of Services under the Agreement between the Customer and TekCor4.
Duration of processing: The processing will continue until 14 days after the completion of the Services.
Nature of processing: TekCor4 shall use data sets obtained from third parties to ‘cleanse’ the data in the Database. To do this, TekCor4 shall have access to the Customer’s Database that contains certain personal data (as specified below).
Business Purposes: The provision of database cleansing services to enable the Customer to receive a more accurate database.
Personal Data Categories: Vehicle Identification Number (VIN) and Vehicle Registration Mark (VRM)
Data Subject types: Vehicles of the Customer.

Section 2—Minimum technical and organisational security measures

1 Without prejudice to its other obligations, TekCor4 shall implement and maintain at least the following technical and organisational security measures to protect the Protected Data:
1.1. In accordance with the Data Protection Laws, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of the Protected Data to be carried out under or in connection with this Agreement, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons and the risks that are presented by the processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Protected Data transmitted, stored or otherwise processed, TekCor4 shall implement appropriate technical and organisational security measures appropriate to the risk, including, as appropriate, those matters mentioned in Articles 32(1)(a) to 32(1)(d) (inclusive) of the GDPR.
1.2. Without prejudice to its other obligations, TekCor4 shall adhere to the relevant principles of Article 28 of the GDPR.