Data Protection Addendum

This Data Protection Addendum (“DPA”) is made a part of your Subscriber Terms of Use (“Terms”), and governs solely to the extent that: (a) you, or any person (“Person”) from whom Pietential collects Personal Data (defined below), is located in the European Economic Area (“EEA”), the United Kingdom (“UK”), Canada, or Australia; (b) you and/or such Person is subject to Data Protection Laws (defined below); and (c) your access and use of the Pietential Platform involve the collection or processing of the Personal Data of an individual located in the EEA, the UK, Canada, or Australia. To the extent this DPA applies, and in consideration of the mutual obligations set out in this DPA, you and Pietential agree that this DPA is a binding part of the Terms.

Except as modified in this DPA, the terms and conditions of the Terms shall remain in full force and effect. If there is any conflict between this DPA and the Terms regarding Pietential’s privacy or security obligations, the provisions of this DPA shall control. Unless expressly defined in the DPA, all capitalized terms used herein will have the meaning assigned to them in the Terms.

Purpose: The purpose of this DPA is to ensure compliance with Data Protection Laws concerning the processing of Personal Data on behalf of Pietential Platform users located in European Union (“EU”) Member States or other members of the European Economic Area, the UK, Canada, and Australia, and to incorporate (to the extent applicable) the terms of the EU Standard Contractual Clauses (“SCCs”). “Data Protection Law” means, as applicable, the European General Data Protection Regulation (EU 2016/679) (“GDPR”), including applicable laws implementing or supplementing the GDPR and as transposed into the domestic legislation of Member States, as amended, replaced or superseded from time to time; the UK Data Protection Act 2018; the Australian Privacy Principles and the Australian Privacy Act 1988; or the Canadian federal Personal Information Protection and Electronic Documents Act. The terms Processor, Controller, processing (and process), personal data breach, data protection impact assessment and Personal Data shall have the meanings set out in Data Protection Laws. The term “Personal Data” includes: first and last name, email address, telephone number, mailing address, and other information necessary to identify an individual for purposes of assisting Pietential with providing use of the Pietential Platform.

Context and Scope of Personal Data Processing: In order to provide Subscribers with access to and use of the Pietential Platform, it may be necessary for Pietential to collect Personal Data of an individual Subscriber or of an employee, other representative or user of the Subscriber (each, a “Customer Representative”). Such data is collected when Customer Representatives provide their Personal Data directly to Pietential as an account holder, as a designated point of contact between Subscriber and Pietential, or as a user under the Subscriber account. That data is subsequently used by Pietential solely to provide access to the Pietential Platform and the Pietential Services under the Terms, or as may be necessary to assist with any requests regarding use and proper operation of the Pietential Platform.

Obligations under Data Protection Laws:

a. Processing as a Controller. Generally, Pietential shall act as the Controller of the Personal Data of each Customer Representative. As a Controller, Pietential will comply with all data protection requirements under the Data Protection Laws applicable to the Personal Data. Without limiting the foregoing, as a Controller of the Personal Data, Pietential shall be responsible for providing notifications to, and responding to inquiries and requests from, the Customer Representatives; provided, however, that to the extent necessary, the Subscriber shall reasonably cooperate with Pietential for the purpose of responding to requests by Customer Representatives or any government authorities and of generally complying with Pietential’s obligations under the Data Protection Laws. To the extent applicable, nothing herein relieves the Subscriber of its own obligations under the applicable Data Protection Laws. The parties are not entering into a relationship of joint controllership.

b. Processing as a Processor. In the event any Personal Data is processed by Pietential as a Processor, the parties shall specifically identify such Personal Data and the purposes of processing, as well as the measures undertaken to protect such data, by completing Appendix B (Controller-to-Processor). As a Processor, Pietential shall only process Personal Data in accordance with the Customer Representative’s documented instructions. As required under Data Protection Laws, Pietential shall assist the Customer Representative, where appropriate, in ensuring compliance with the Customer Representative’s obligations pursuant to Data Protection Laws, taking into account the nature and scope of Pietential’s Personal Data processing, which may include providing commercially reasonable cooperation and assistance with: (a) data subject requests (see below); (b) notifications or communications regarding personal data breaches; (c) data protection impact assessments; and (d) prior consultations with supervisory authorities.

With respect to any Personal Data processed by Pietential as a Processor pursuant to this DPA, Pietential shall: (a) in the event Pietential engages trusted third parties to process Personal Data (“Trusted Parties”), seek the prior specific or general written authorization of the Controller, which is hereby given in respect of any Trusted Parties expressly listed below (and in the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Trusted Parties, thereby giving the Controller the opportunity to object to such changes); (b) unless prohibited under applicable law, upon termination of the Services, at its option, either return or destroy the Personal Data (including all copies of it); (c) ensure that all persons authorized by Pietential to access the Personal Data on Pietential’s behalf are subject to obligations of confidentiality in accordance with the confidentiality obligations set forth in the Terms; (d) remain fully liable to the Customer Representative or Subscriber for the failures of those persons authorized by Pietential to access the Personal Data on Pietential’s behalf; and (e) make available such information as may be necessary to demonstrate compliance with its obligations under Article 28 of the GDPR and (at the Customer Representative’s cost and expense) contribute to and allow for appropriate and reasonable audits.

The Trusted Parties currently engaged to process Personal Data on behalf of Pietential include the following:

Security: Pietential limits its collection of Personal Data to only that which is relevant for purpose of providing the services under the Terms and retains Personal Data in a form that permits identification of data subjects (defined below) for no longer than is necessary to serve that purpose. Where no defined or legal retention period exists, the default standard retention period is six (6) years plus the year in which the record was created. Pietential shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Data Subject Rights: Within the scope of Data Protection Laws, Customer Representatives located in the EEA, the UK, Canada, or Australia (“data subjects”) may have certain rights that they may exercise, depending on jurisdiction, in relation to the processing of their Personal Data. Where applicable, these rights include: the right to access, correct, update, and delete that data subject’s Personal Data; to withdraw any consent to processing; to opt out of communications; to restrict processing of Personal Data; and to make any claim or complaint in relation to their rights under Data Protection Laws. Pietential shall respond to, and offer reasonable assistance in responding to, data subjects’ requests to exercise their data protection rights in accordance with applicable Data Protection Laws.

Cross-Border Data Transfer Mechanisms: To the extent your access and use of the Pietential Platform requires an onward transfer mechanism to lawfully transfer Personal Data from a jurisdiction to Pietential outside of that jurisdiction, the terms set forth in this section will apply. In the event your access and use of the Pietential Platform is covered by more than one transfer mechanism, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: (a) the applicable SCCs as set forth in this section; and, if not applicable, then (b) other applicable data transfer mechanisms permitted under Data Protection Laws.

EU Standard Contractual Clauses

a. Controller-to-Controller: Generally, and unless otherwise specifically identified in Appendix B (Controller-to-Processor) of this Addendum, all transfers of Personal Data from Subscriber to Pietential shall be deemed a controller-to-controller transfer and shall be made pursuant to Module 1 of the Standard Contractual Clauses adopted by the European Commission on June 4, 2021, as set out in the Annex in Appendix A (Controller-to-Controller) below (collectively, the “Controller SCCs”).

b. Controller-to-Processor: Where Personal Data is transferred from Subscriber to Pietential on a controller-to-processor basis as specifically set forth in Appendix B (Controller-to-Processor) of this Addendum, the transfer shall be made pursuant to Module 2 of the Standard Contractual Clauses adopted by the European Commission on June 4, 2021, as set out in the Annex in Appendix B (Controller-to-Processor) below (collectively, the “Processor SCCs”).

The parties agree to observe the terms of the Processor SCCs without modification, except as to the following selections:

  • In connection with Module 2, Option 2 of Clause 9(a) (Use of sub-processors) is selected and the applicable time period shall be 30 days.
  • In Clause 11(a) (Redress), the Option is not selected.
  • Clause 13(a): The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
  • In Clause 14 (Local laws and practices affecting compliance with the Clauses), the provisions for Module 3 shall have no effect, and are hereby deemed deleted.
  • In Clause 15 (Obligations of the data importer in case of access by public authorities), the provisions for Module 3 shall have no effect, and are hereby deemed deleted.
  • In Clause 16 (Non-compliance with the Clauses and termination), the provisions for Module 4 shall have no effect, and are hereby deemed deleted.
  • In Clause 18 (Choice of forum and jurisdiction), the selection in subclause (b) shall be Ireland.

In the event of inconsistencies between the provisions of the SCCs and this DPA or other agreements between the parties, the SCCs shall take precedence. The terms of this DPA shall not vary the SCCs in any way. The execution and delivery of this Addendum shall be deemed execution and delivery of the applicable SCCs. The governing law of any applicable SCCs shall be the law of the Member State in which the Subscriber (as Data Exporter) is established or, if applicable, the law of the UK. Each of the parties’ signatures, authentications, or consents to the Terms shall be considered applicable to the DPA and the SCCs as well. If so required by the laws or regulatory procedures of any jurisdiction, the parties shall execute or re-execute the SCCs as separate documents setting out the proposed transfers of Personal Data in such manner as may be required.

**********************************************************


 

APPENDIX A (CONTROLLER-TO-CONTROLLER)

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

1. Name: …

Address: …

Contact person’s name, position and contact details: …

Activities relevant to the data transferred under these Clauses: …

Signature and date: …

Role (controller/processor): …

Data importer(s):

1. Name: Pietential, LLC

Address: …

Contact person’s name, position and contact details: …

Activities relevant to the data transferred under these Clauses: …

Signature and date: …

Role (controller/processor): …

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Representatives of Data Exporter

Categories of personal data transferred

First and last name, email address, telephone number, mailing address, and other information necessary to identify an individual for purposes of assisting Pietential with providing use of the Pietential Platform

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

None

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Continuous basis

Nature of the processing

Collection, recording, storage, backup and all other processing required for the functioning of the Data Importer’s Pietential Platform and the provision of Data Importer’s services to the Data Exporter

Purpose(s) of the data transfer and further processing

To enable Data Exporter’s use of the Data Importer’s Pietential Platform and Pietential Services

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

The period will be for the duration of the services provided by Data Importer to Data Exporter and for any additional period necessary for Data Importer to maintain its backup data, to comply with legal requirements (including tax reporting purposes), and/or to assert or defend its legal rights in connection with Data Importer’s business relationship with the Data Exporter

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

All processing required for collecting, handling, and otherwise processing personal data to enable Data Importer to provide the services and the platform to Data Exporter

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13

Ireland


 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Measures of pseudonymisation and encryption of personal data

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Measures for user identification and authorisation

Measures for the protection of data during transmission

Measures for the protection of data during storage

Measures for ensuring physical security of locations at which personal data are processed

Measures for ensuring events logging

Measures for ensuring system configuration, including default configuration

Measures for internal IT and IT security governance and management

Measures for certification/assurance of processes and products

Measures for ensuring data minimisation

Measures for ensuring data quality

Measures for ensuring limited data retention

Measures for ensuring accountability

Measures for allowing data portability and ensuring erasure

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

All (sub-) processors are required to provide measures at least as protective as the measures provided by the Data Importer


 

APPENDIX B (CONTROLLER-TO-PROCESSOR)

[If applicable, complete duplicate information from Appendix A for Controller-to-Processor transfers]