Data Processor Addendum (EU and UK)
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or General Terms and Conditions (the “T&Cs”) for Compusense Inc. (“Compusense”), governing certain Software as a Service (SaaS) by Compusense (the “Services”). This DPA becomes part of the T&Cs upon execution by you (“Customer”) and Compusense of the [invoice] and is is incorporated into the T&Cs by reference.
1.1 The terms “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
1.2 “Addendum” means this Data Processor Addendum;
1.3 “Authorised Sub-processors” means (a) those Sub-processors (if any) set out in Annex 2 (Authorised Sub-processors); and (b) any additional Sub-processors consented to in writing by the Customer in accordance with section 5.1;
1.4 “Customer” means the Customer under these T&Cs;
1.5 “EU Data Protection Laws” means (i) the EU Data Protection Directive 95/46/EC and the EU Directive 2002/58/EC on privacy and electronic communications, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time and (ii) any applicable decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, supervisory authorities and other applicable government authorities; in each case together with all laws implementing, replacing, amending or supplementing the same and any other applicable data protection or privacy laws;
1.6 “EEA” means the European Economic Area;
1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.8 “Personal Data” means the data described in Annex 1 (Details of Processing of Personal Data) and any other personal data processed by Compusense on behalf of the Customer pursuant to or in connection with the Services (as defined below);
1.9 T&Cs “Services” means the services described in the T&Cs;
1.10 “Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision 2010/87/EU, which the European Commission replaced with the the Standard Contractual Clauses (for controller-to-processor data transfers) in Decision of 2021/914, but which the UK Information Commissioner’s Office has approved for applicable transfers from the UK, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;
1.11 “Sub-processor” means any data processor (including any affiliate of Compusense) appointed by Compusense to process personal data on behalf of the Customer;
1.12 “Supervisory Authority” means (a) an independent public authority which is established by a Member Stateor the UK; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
1.13 “Supplier” means Compusense under the T&Cs;
1.14 “UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including: (a) the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the EU (Withdrawal) Act 2018 (the “UK GDPR”); and (b) the Data Protection Act 2018 (together with EU Data Protection Laws, “Data Protection Laws”); and
1.15 “UK” means the United Kingdom of Great Britain and Northern Ireland.
2. PROCESSING OF THE PERSONAL DATA
2.1 The parties agree that the Customer is a data controller and that Compusense is a data processor for the purposes of processing Personal Data.
2.2 Each party shall at all times in relation to processing connected with these T&Cs comply with Data Protection Laws.
2.3 Compusense shall only process the types of Personal Data relating to the categories of data subjects for the purposes of the T&Cs and for the specific purposes in each case as set out in Annex 1 (Details of Processing of Personal Data) to this Addendum and shall not process, transfer, modify, amend or alter the Personal Data or disclose or permit the disclosure of the Personal Data to any third party other than in accordance with the Customer’s documented instructions (whether in the T&Cs or otherwise) unless processing is required by applicable law to which Compusense is subject, in which case Compusense shall to the extent permitted by such law inform the Customer of that legal requirement before processing that Personal Data.
2.4 The Customer warrants to and undertakes with Compusense that all data subjects of the Personal Data have been or will be provided with appropriate notices and information to establish and maintain for the relevant term the necessary legal grounds under applicable Data Protection Laws for transferring the Personal Data to Compusense to enable Compusense to process the Personal Data in accordance with this Addendum and the T&Cs.
3. PROCESSOR PERSONNEL
3.1 Compusense shall treat all Personal Data as strictly confidential and shall inform all its employees, agents, contractors and/or Authorized Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
3.2 Compusense shall take reasonable steps to ensure the reliability of any employee, agent, contractor and/or Authorized Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purposes set out in section 2.1 above in the context of that person’s or party’s duties to Compusense.
3.3 Compusense shall ensure that all such persons or parties involved in the processing of Personal Data are subject to:
3.3.1 confidentiality undertakings or are under an appropriate statutory obligation of confidentiality; and
3.3.2 user authentication processes when accessing the Personal Data.
4.1.1 Compusense shall implement appropriate technical and organisational measures to ensure a level of security of the Personal Data appropriate to the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
5.1 Subject to section 5.4, Compusense shall not engage any Sub-processor to process Personal Data other than with the prior specific or general written authorisation of the Customer.
5.2 In the case of general written authorisation, Compusense shall inform the Customer of any intended changes concerning the addition or replacement of other processors, thereby giving the Customer the opportunity to object to such changes.
5.3 With respect to each Sub-processor, Compusense shall:
5.3.1 carry out adequate due diligence on each Sub-processor to ensure that it is capable of providing the level of protection for the Personal Data as is required by this Addendum including without limitation sufficient guarantees to implement appropriate technical and organisational measures in such a manner that Processing will meet the requirements of Data Protection Laws and this Addendum;
5.3.2 include terms in the contract between Compusense and each Sub-processor which are the same as those set out in this Addendum, and shall supervise compliance thereof;
5.3.3 insofar as that contract involves the transfer of Personal Data outside of the EEA, incorporate the Standard Contractual Clauses or such other mechanism as directed by the Customer into the contract between Compusense and each Sub-processor to ensure the adequate protection of the transferred Personal Data, or such other arrangement as the Customer may approve as providing an adequate protection in respect of the processing of Personal Data in such third country(ies); and
5.3.4 remain fully liable to the Customer for any failure by each Sub-processor to fulfil its obligations in relation to the Processing of any Personal Data.
5.4 As at the date of these T&Cs or (if later) implementation of this Addendum, the Customer hereby authorises Compusense to engage those Sub-processors set out in Annex 2 (Authorised Sub-processors).
6. DATA SUBJECT RIGHTS
6.1 Compusense shall without undue delay, and in any case within three (3) working days, notify the Customer if it receives a request from a data subject under applicable Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in applicable Data Protection Laws, and shall provide full details of that request.
6.2 Compusense shall co operate as reasonably requested by the Customer to enable the Customer to comply with any exercise of rights by a data subject under applicable Data Protection Laws in respect of Personal Data and to comply with any assessment, enquiry, notice or investigation under applicable Data Protection Laws in respect of Personal Data or the T&Cs, which shall include:
6.2.1 the provision of all information reasonably requested by the Customer within any reasonable timescale specified by the Customer in each case, including full details and copies of the complaint, communication or request and any Personal Data it holds in relation to a data subject;
6.2.2 where applicable, providing such assistance as is reasonably requested by the Customer to enable the Customer to comply with the relevant request within the timescales prescribed by Data Protection Laws; and
6.2.3 implementing any additional technical and organisational measures as may be reasonably required by the Customer to allow the Customer to respond effectively to relevant complaints, communications or requests.
7. INCIDENT MANAGEMENT
7.1 In the case of a personal data breach, Compusense shall without undue delay notify the personal data breach to the Customer providing the Customer with sufficient information which allows the Customer to meet any obligations to report a personal data breach under Data Protection Laws. Such notification shall include:
7.1.1 describe the nature of the personal data breach, the categories and numbers of data subjects concerned, and the categories and numbers of Personal Data records concerned;
7.1.2 communicate the name and contact details of Compusense’s data protection officer or other relevant contact from whom more information may be obtained;
7.1.3 describe the likely consequences of the personal data breach; and
7.1.4 describe the measures taken or proposed to be taken to address the data breach, including, where appropriate, measures to mitigate its possible adverse effects.
7.2 Compusense shall reasonably cooperate with the Customer and take such reasonable steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each personal data breach, in order to enable the Customer to (i) perform a thorough investigation into the personal data breach, (ii) formulate a correct response and to take suitable further steps in respect of the personal data breach in order to meet any requirement under Data Protection Laws.
7.3 The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices for the affected persons. Compusense shall not inform any third party without first obtaining the Customer’s prior written consent, unless notification is required by law to which Compusense is subject, in which case Compusense shall to the extent permitted by such law inform the Customer of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Customer before notifying the personal data breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
8.1 Subject to the parties signing a non-disclosure agreement, Compusense shall, at the Customer’s request, provide reasonable assistance to the Customer with applicable data protection impact assessments and any consultations with any Supervisory Authority of the Customer as may be required in relation to the processing of Personal Data by Compusense on behalf of the Customer.
9. DELETION OR RETURN OF CONTROLLER PERSONAL DATA
9.1 Upon request made by the Customer within thirty (30) days of the earlier of: (i) cessation of processing of Personal Data by Compusense; or (ii) termination of the T&Cs, Compusense shall return all Personal Data to the Customer. After such thirty (30) day period, Compusense shall securely dispose of Personal Data and delete all copies of it (except to the extent that any applicable law requires Compusense to retain a copy of such Personal Data) and Customer acknowledges that Compusense will have no obligation to maintain or provide such Personal Data.
10. AUDIT RIGHTS
10.1 Compusense shall make available to the Customer on request all information necessary to demonstrate compliance with this Addendum and Data Protection Laws. Compusense shall permit the Customer or another auditor mandated by the Customer during normal working hours and on reasonable prior notice to inspect, and copy any relevant records, processes and systems in order that the Customer may satisfy itself that the provisions of Data Protection Laws and this Addendum are being complied with.
11. INTERNATIONAL TRANSFERS OF CONTROLLER PERSONAL DATA
11.1 Compusense shall not (permanently or temporarily) process the Personal Data nor permit any Authorised Sub-processor to (permanently or temporarily) process the Personal Data in a country outside of the EEA without an adequate level of protection, other than in respect of those recipients in such countries listed in Annex 3 (Authorised Transfers of Personal Data), unless authorised in writing by the Customer in advance.
11.2 When requested by the Customer, Compusense shall promptly enter into (or procure that any relevant Sub-processor of Compusense enters into) an agreement with the Customer on Standard Contractual Clauses and/or such variation as Data Protection Laws might require, in respect of any processing of Personal Data in a country outside of the EEA without an adequate level of protection.
12.1 The disclaimers and limitations of liability set out under these T&Cs shall apply also to this Addendum.
13.1 The Customer shall pay any reasonable costs and expenses incurred by Compusense in meeting the Customer’s requests made under this Addendum.
14.1 Any obligation imposed on Compusense under this Addendum in relation to the processing of Personal Data shall survive any termination or expiration of these T&Cs.
14.2 With regard to the subject matter of this Addendum, in the event of any conflict or inconsistency between any provision of these T&Cs and any provision of this Addendum, the provision of this Addendum shall prevail. In the event of any conflict or inconsistency between these T&Cs or this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the processing of Personal Data
The subject-matter of the Processing is the performance of the services pursuant to the T&Cs. The duration of the Processing is the term of the T&Cs.
The nature and purpose of the processing of Personal Data
Personal Information is Processed for the following purposes: consumer and sensory science testing. The Personal Information will be subject to the following Processing operations: collection, storage, output and erasure.
The types of Personal Data to be processed
The Personal Information concerns the following categories: name, email, address, age, date of birth, allergies and product usage. The information collected is at the discretion of the data exporter.
The categories of data subject to whom the Personal Data relates
The Personal Information concerns the following categories of Individuals: employees and consumers. Type of information collected is noted above and at the discretion of the data exporter.
ANNEX 2: AUTHORISED SUB-PROCESSORS
Terago Data Centre, Ontario, Canada.
Biosystèmes SAS, Dijon, France.
Annex 3: Authorised Transfers of Controller Personal Data
Compusense Inc. located in Ontario, Canada.