Schedule 1 – Data Processing
- Definitions
- The following terms shall have the meaning attributed to them unless there is another meaning, which shall be clear, in the clause in which the word or term is used. Terms not defined herein shall have the meaning in the Terms and Conditions:
“Affiliate” means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a Party and is a beneficiary of the Agreement;
“Approved Addendum” means the template addendum, version B.1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses;
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any replacement or additional regulations that become effective on or after the Effective Date of the Agreement;
“Controller” is the Customer who determines the purposes and means of the Processing of personal data and has the meaning in the Data Protection legislation.
“Client Personal Data” means the Personal Data processed by SuperReach on behalf of Client or Client Affiliate in connection with the provision of the Services and includes Client Data and Enhanced Data as defined in the Terms and Conditions;
“Third Party Data Provider” means Designated Third Party Provider or a Client Third Party Provider as defined in the Terms and Conditions;
“Data Protection Legislation” means EU GDPR, UK GDPR, CCPA, Swiss data protection laws and any other relevant data protection legislation as applicable and amended from time to time.
“EEA” means the European Economic Area;
“EU GDPR” means Regulation (EU) 2016/679;
“UK GDPR” means the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) as defined in the Data Protection Act 2018;
“Mandatory Clauses” means “Part 2: Mandatory Clauses” of the Approved Addendum;
“Member State” means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein;
“Personal Data” means any information relating to an identified or identifiable individual or device, or is otherwise “personal data,” “personal information,” “personally identifiable information” and similar terms, and such terms shall have the same meaning as defined by applicable data protection laws;
“Processor(s)/Sub Processor” has the meaning in Data Protection Legislation.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to (including unauthorised internal access to), Client Personal Data;
“Annex” means any annex to a Schedule and shall be an integral part of it.
“Standard Contractual Clauses” or “SCCs” means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914;
“UK” means the United Kingdom of Great Britain and Northern Ireland.
- The terms “sell” and “service provider” shall have the same meaning as set out in the CCPA.
- Client and Affiliates Responsibility
- When requesting SuperReach to process Client Personal Data under the Agreement, the Client warrants it is duly authorised by or and on behalf of any Client Affiliates whose Personal Data is also being processed and, subject to clause 2.2, each Client Affiliate has expressly acknowledged and agreed to be bound by the terms of the Agreement as if they were the Client.
- Client further warrants that it is duly mandated by any Client Affiliates on whose behalf SuperReach processes Client Personal Data in accordance with this Schedule to:
- enforce the terms of this Schedule on behalf of the Client Affiliates, and to act on behalf of the Client Affiliates in the administration and conduct of any claims arising in connection with this Schedule; and
- receive and respond to any notices or communications under this Schedule on behalf of Client Affiliates.
- The parties agree that any notice or communication sent by SuperReach to Client shall satisfy any legal obligation to send such notice or communication to a Client Affiliate.
- The Data that we Process
- SuperReach has set out the general categories of personal data that it processes in Annex 1 to this Schedule. The Client Personal Data and Enhanced Data shall be processed under the instructions of the Client.
- SuperReach will process Client’s contact data provided by the Client which includes the Client’s customers or prospects name, email address, telephone number and postal address (“Contact Data”).
- SuperReach will process information contained in or relating to Client Communications. Client Communications may include the communication content and metadata associated with Client Communications. We will generate the metadata associated with Client Communications using the Information provided to us and our Client.
- SuperReach processes data if instructed by the Client, about the use of website, services or other requirement as detailed by the Client (“usage data”). The usage data may include customer IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of use of any Service.
- If any of the data is considered Special Category Data, the Client must obtain express permission for its collection and use in accordance with the Agreement in accordance with Annex 1 clause 5.
- If instructed to process any customer Personal Data which would be in violation of any applicable law or regulation or outside the scope of this Schedule or the Agreement, SuperReach shall promptly inform the Client, unless they are prohibited by law.
- SuperReach shall also collect and process the Client Personal Data as detailed in Annex 1 to this Schedule.
- SuperReach’s Use of Sub-Processors
- The Client grants SuperReach a general authorisation to engage Sub-processors, subject to clause 4.2, from an agreed list. SuperReach’s current Sub-processors as of the Commencement Date are listed at https://www.superreach.com/legal/subprocessors.
- SuperReach shall:
- enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Client Personal Data than SuperReach’s obligations under this Schedule to the extent applicable to the nature of the services provided by such Sub-processor; and
- remain liable for each Sub-processor’s compliance with the obligations under this Schedule.
- SuperReach shall provide Client with at least fifteen (15) days’ notice of any proposed changes to the Sub-processors it uses to process Client Personal Data, including any addition or replacement of any Sub-processors. Client may object to SuperReach’s use of a new Sub-processor (including when exercising its right to object under clause 9(a) of the SCCs) by providing SuperReach with written notice of the objection within ten (10) days after SuperReach has provided notice to Client of such proposed change (an “Objection“). In the event Client objects to SuperReach’s use of a new Sub-processor, Client and SuperReach will work together in good faith to find a mutually acceptable resolution to address such Objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either party may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to the other party. During any such Objection period, SuperReach may suspend the affected portion of the Services.
- Purposes of Processing and Legal Basis
- SuperReach has set out the purposes for which it may process personal data and the legal bases of the processing for the purposes of the Agreement in this clause.
- Operations – We may process personal data for the purposes of the Agreement between SuperReach and its Client. The legal basis for this processing is the performance of a contract between SuperReach and the Client.
- Record keeping – SuperReach may process personal data for the purposes of creating and maintaining databases, back-up copies of databases and business records generally. The legal basis for this processing is legitimate interests, namely ensuring that we have access to all the information needed to properly and efficiently run our business in accordance with the Agreement.
- Security – SuperReach may process personal data for the purposes of security and the prevention of fraud and other criminal activity. The legal basis of this processing is our legitimate interests, namely the protection of business, and the protection of our Client and others.
- Insurance and risk management – SuperReach may process personal data where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice. The legal basis for this processing is legitimate interests, namely the proper protection of our business against risks.
- Legal claims – SuperReach may process personal data where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. The legal basis for this processing is legitimate interests, namely the protection and assertion of legal rights or the legal rights of our Client or others.
- Legal compliance and vital interests – SuperReach may also process personal data where such processing is necessary for compliance with a legal obligation to which we are subject or in order to protect vital interests or the vital interests of others.
- In addition to the processing we may be required to disclose specific details of personal data. We may disclose personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect vital interests or the vital interests of our Client or others. We may also disclose personal data where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
- International Transfers of your Personal Data
- SuperReach will provide, to the Client, information about and any requested support to enable the Client to comply with the transfer of Client Personal Data and Enhanced Data to third countries, including EEA, UK, and Switzerland.
- SuperReach upon Client’s request, will provide information to Client which is reasonably necessary for Client to complete a transfer impact assessment (“TIA”). SuperReach will implement the supplementary measures agreed upon and set forth in Annex 4 of this Schedule in order to enable Client’s compliance with requirements imposed on the transfer of personal data to third countries. SuperReach may charge Client, and Client shall reimburse SuperReach, for any assistance provided by SuperReach with respect to any TIAs, data protection impact assessments or consultation with any supervisory authority of Client.
- Other Jurisdictions
- To the extent that the processing of any Client Personal Data is subject to UK or Swiss data protection laws, the following apply:
- UK Data Protection Laws
- With respect to any transfers of Client Personal Data and Enhanced Data falling within the scope of the UK GDPR from Client (as data exporter) to SuperReach (as data importer):
- SWISS Data Protection Laws
- The Swiss Addendum at Annex 5 shall apply to any processing of Client Personal Data subject to Swiss data protection laws or to both Swiss data protection law and the GDPR.
- Retention and Deletion of Personal Data
- SuperReach shall, within ninety (90) days of the date of termination, the end of the Term or expiry of the Agreement:
- if requested, in writing, to do so by Client within that period, return a copy of all Customer Personal Data and Enhanced Data or provide self-service functionality allowing Client to do the same; and
- delete and use all reasonable efforts to procure the deletion of all other copies of Client Personal Data and Enhanced Data processed by SuperReach or any Sub-processors.
- SuperReach, to ensure compliance with our legal obligations in relation to the retention and deletion of personal data, shall also:
- ensure that any personal data that is processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Notwithstanding the other provisions of this Section 7, We may retain personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect any vital interests or the vital interests of another person. This may entail data being retained for a longer period.
- Notwithstanding any termination of the Agreement, howsoever determined, the provisions of this Schedule will remain in effect until, and automatically expire upon, SuperReach’s deletion of all Client Personal Data and Enhanced Data as described in this Schedule.
- Standard Contractual Clauses
- The Parties agree that the terms of the EU Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Annex 3 of this Schedule, are hereby incorporated by reference and shall be deemed to have been executed by the parties and apply to any transfers of Client Personal Data and Enhanced Data falling within the scope of EU GDPR from Client (as data exporter) to SuperReach (as data importer).
- The Parties agree that the terms of the UK Standard Contractual Clauses or International Data Transfer Agreement as available from time to time shall apply for international transfers of personal data from the UK to outside the EEA.
- Security and Audits of Personal Data
- SuperReach will take appropriate technical and organisational precautions to secure personal data and to prevent the loss, misuse or alteration of Client Personal Data and Enhanced Data.
- SuperReach will implement and maintain appropriate technical and organisational data protection and security measures designed to ensure security of Client Personal Data, and Enhanced Data including, without limitation, protection against unauthorised or unlawful processing (including, without limitation, unauthorised or unlawful disclosure of, access to and/or alteration of Client Personal Data) and against accidental loss, destruction, or damage of or to it.
- SuperReach will implement and maintain as a minimum standard the measures set out in Annex 2. SuperReach may update or modify the security measures set out in Annex 2 from time to time, including (where applicable) following any review by SuperReach of such measures in accordance with clause 8.6 of the SCCs, provided that such updates and/or modifications do not reduce the overall level of protection afforded to the Client Personal Data by SuperReach under this Schedule.
- Security Incidents
- SuperReach will promptly notify Client in writing in the event of any breach of this Schedule, applicable law or any instruction by Client in connection with the processing of Client Personal Data under this Schedule.
- SuperReach shall notify Client in writing after becoming aware of any Security Incident, cooperate in any required investigation of any Security Incident and any obligation of Client under applicable law to make any notifications to individuals, supervisory authorities, governmental or other regulatory authority, or the public in respect of such Security Incident.
- SuperReach shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall send Client information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. SuperReach’s notification of or response to a Security Incident under this clause 11 will not be construed as an acknowledgement by SuperReach of any fault or liability with respect to the Security Incident.
- Data Subjects Right Request
- We have summarised the rights that a Data Subject has under UK GDPR. Further information can be found at https://ico.org.uk/. If the Data Subjects are in Europe their rights can be found here https://EC.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en and for the US the Data Subjects rights can be found at The Federal Trade Commission at www.ftc.gov .
- The Data Subjects’ principal rights under data protection law are:
(a) the right to access – They can ask for copies of Your personal data;
(b) the right to rectification – They can ask Us to rectify inaccurate personal data and to complete incomplete personal data;
(c) the right to erasure – They can ask Us to erase Your personal data;
(d) the right to restrict processing – They can ask you to restrict the processing of Your personal data;
(e) the right to object to processing – They can object to the processing of Your personal data;
(f) the right to data portability – They can ask that We transfer Your personal data to another organisation or to You;
(g) the right to complain to a supervisory authority – they can complain about Our processing of Your personal data; and
(h) the right to withdraw consent – to the extent that the legal basis of Our processing of personal data is consent, a Data Subject can withdraw that consent unless the processing is necessary for the performance of a task carried out for reasons of public interest.
- As between the Parties, Client shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Client Personal Data (“Data Subject Request”).
- SuperReach will forward to Client without undue delay any Data Subject Request received by SuperReach or any Sub-processor from an individual in relation to their Personal Data and may advise the individual to submit their request directly to Client.
- SuperReach will (taking into account the nature of the processing of Client Personal Data) provide Client with self-service functionality through the Services or other reasonable assistance as necessary for Client to fulfil its obligation under applicable law to respond to Data Subject Requests, including if applicable, Client’s obligation to respond to requests for exercising the rights set out in the applicable Data Protection Legislation. SuperReach may charge Client, and Client shall reimburse SuperReach, for any such assistance beyond providing self-service features included as part of the Services.
- Personal Data Under California Consumer Privacy Act (CCPA)
- If Client or Client Affiliates provide SuperReach any Client Personal Data that is “personal information” under the CCPA, SuperReach will:
- act as a service provider with regard to such personal information;
- retain, use, and disclose such personal information solely for the purpose of performing the Services or as otherwise permitted under the CCPA;
- not sell Client Personal Data to another business or third party. Notwithstanding the foregoing, disclosures to a third party in the context of a merger, acquisition, bankruptcy, or other transaction shall be permitted in accordance with the terms of the Agreement; and
- provide reasonable assistance to Client in responding to requests from consumers pursuant to the CCPA with regard to their personal information, and in accordance with clause 6 of this Schedule.
- SuperReach certifies that it understands the foregoing obligations and shall comply with them for the duration of the Agreement and for as long as SuperReach processes Client Personal Data.
- Children’s Data
- SuperReach will not accept any data from children, being under the age of 16 and unable to give legal consent to its collection.
- If We have reason to believe that we hold personal data of a person under that age in our databases, We will delete that personal data.
- Updating Information
- Client shall update any Client Personal Data or Enhanced Data as soon as possible so that Personal Data held is updated, in line with the current requirements under applicable laws.
ANNEX 1 – Details of Processing
A. List of Parties
- Data Exporter
Client and/or the Client Affiliates operating in the countries which comprise the European Economic Area, UK and/or Switzerland and/or – to the extent agreed by the Parties – Client and/or the Client Affiliates in any other country to the extent the GDPR or corresponding Swiss law applies.
Client and Client Affiliate’s contact person’s position and contact details as well as (if appointed) the data protection officer’s and (if relevant) the representative’s contact details will be notified to SuperReach prior to the processing of personal data via email to support@superreach.com.
The activities relevant to the data transfer under these Clauses are defined by the Agreement and the data exporter who decides on the scope of the processing of personal data in connection with the Services further described in this Schedule 1 and in the Agreement.
- Data Importer
SuperReach Limited, 2-4 Packhorse Road, Gerrards Cross, Buckinghamshire, England, SL9 7QE.
The data importer’s contact person can be contacted at support@superreach.com.
The data importer’s activities relevant to the data transfer under these Clauses are as follows: the data importer processes personal data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further specified in clause 7 and 8 of this Annex 1 and in the Agreement.
B. Description of Transfer
- Categories of data subjects
The categories of data subjects whose personal data are transferred: Employees of Client and Client Affiliates, as well as Client’s customers and their employees, as well as the individual recipients of marketing communications and other individuals being targets of other marketing activities of the Client and/or Client Affiliates’ or their customers.
- Categories of personal data
Client Personal Data and Enhanced Data where obtained in accordance with the Agreement, as detailed below:
The categories of personal data are: Determined by Client’s configuration of the Services, and may include name, phone number, email address, address data, IP address, device identifiers, usage data (such as interactions between a user and SuperReach’s online system, website or email, used browser, used operating system, referrer URL).
Moreover, Client and Client Affiliate may include further personal data of data subjects as specified above (in particular in unstructured form) in connection with their use of the Services according to the Agreement.
- Special categories of personal data (if applicable)
The transferred personal data includes the following special categories of data: None. SuperReach’s Acceptable Use Policy prohibits Clients from using the Services to solicit, display, store, process, send or transmit special categories of data.
The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are: None
- Frequency of the transfer
The transfer is performed on a continuous basis and is determined by Client’s configuration of the Services.
- Subject matter and nature of the processing
To provide a data analytics and marketing automation platform to Client.
- Purpose(s) of the data transfer and further processing
The purpose/s of the data transfer and further processing is: to provide the Services to Client pursuant to the Agreement so that Client can analyse customer data, enhance its customer relationships and send marketing and other communications to its customers.
- Duration
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: the duration is defined in clause 8 of the Data Protection Schedule.
- Sub-processor (if applicable)
For transfers to sub-processors, specify subject matter, nature, and duration of the processing: as stipulated in clause 6.1 of the Data Protection Schedule. The Sub-processors may have access to the Personal Data for the term of this Schedule or until the service contract with the respective Sub-processor is terminated or the access by the Sub-processor has been excluded as agreed between SuperReach and Client.
C. Competent Supervisory Authority
Identify the competent supervisory authority/ies in accordance with clause 112 and 3 of the SCCs.
Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter is established is the competent authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the one of the Member State in which the representative is established.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority in Ireland, namely the Data Protection Commission (https://www.dataprotection.ie/).
ANNEX 2 – Technical and Organisational Measures
SuperReach has implemented the following technical and organisational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:
- Organisational management and dedicated staff responsible for the development, implementation, and maintenance of SuperReach’s information security program.
- Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to SuperReach’s organisation, monitoring and maintaining compliance with SuperReach’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
- Utilisation of commercially available and industry standard encryption technologies for Customer Personal Data that is:
a) being transmitted by SuperReach over public networks (i.e., the Internet) or when transmitted wirelessly; or
b) at rest or stored on portable or removable media (i.e., laptop computers, CD/DVD, USB drives, back-up tapes).
- Data security controls which include at a minimum, but may not be limited to, logical segregation of data, logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that SuperReach’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on SuperReach’s computer systems; (iii) must have defined complexity; (iv) must have a history threshold to prevent reuse of recent passwords; and (v) newly issued passwords must be changed after first use.
- System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
- Physical and environmental security of data centre, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorised physical access, (ii) manage, monitor, and log movement of persons into and out of SuperReach facilities, and (iii) guard against environmental hazards such as heat, fire, and water damage.
- Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from SuperReach’s possession.
- Change management procedures and tracking mechanisms designed to test, approve, and monitor all changes to SuperReach’s technology and information assets.
- Incident / problem management procedures designed to allow SuperReach to investigate, respond to, mitigate, and notify of events related to SuperReach’s technology and information assets.
- Network security controls that provide for the use of firewall systems, and intrusion detection systems and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
- Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
- Business resiliency/continuity and disaster recovery procedures in an effort to maintain service and/or recovery from foreseeable emergency situations or disasters.
ANNEX 3 – Standard Contractual Clauses
For the purposes of the Standard Contractual Clauses:
- Module Two and Module Three shall apply in the case of processing under clause 9.1.
- Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
- Clause 9(a) Option 2 (General written authorisation) is selected, and the time period to be specified is determined in clause 4.3 of the Data Protection Schedule.
- The option in Clause 9.1 of the Standard Contractual Clauses (Independent dispute resolution body) does not apply. An Escalation and Dispute Resolution clause is at Clause 21.
- With regard to Clause 7 of the Standard Contractual Clauses (Governing law), the Parties agree that option one shall apply. The parties agree that the governing law shall be the law of the Republic of England and Wales.
ANNEX 4 – Additional Supplementary Measures
SuperReach further commits to implementing supplementary measures based on guidance provided by EU supervisory authorities in order to enhance the protection of Client Personal Data in relation to the processing in a third country, as described in this Annex 4.
- Additional Technical Measures (Encryption)
- The personal data is transmitted (between the Parties and by SuperReach between data centres as well as to a Sub-processor and back) using strong encryption.
- The personal data at rest is stored by SuperReach using strong encryption.
- Additional Organisational Measures
- Internal policies for governance of transfers especially with groups of enterprises
a) Adoption of adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of formal or informal requests from public authorities to access the data.
b) Development of specific training procedures for personnel in charge of managing requests for access to personal data from public authorities, which should be periodically updated to reflect new legislative and jurisprudential developments in the third country and in the EEA.
- Transparency and accountability measures
Regular publication of transparency reports or summaries regarding governmental requests for access to data and the kind of reply provided, insofar as publication is allowed by local law.
- Organisational methods and data minimisation measures
Development and implementation of best practices by both Parties to appropriately and timely involve and provide access of information to their respective data protection officers, if existent, and to their legal and internal auditing services on matters related to international transfers of personal data.
- Others
Adoption and regular review by SuperReach of internal policies to assess the suitability of the implemented complementary measures and identify and implement additional or alternative solutions when necessary, to ensure that an essentially equivalent level of protection to that guaranteed within the EEA of the personal data transferred is maintained.
- Additional Contractual Measures
- Transparency obligations
a) SuperReach declares that (1) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data, (2) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and (3) that national law or government policy does not require SuperReach to create or maintain back doors or to facilitate access to personal data or systems or for SuperReach to be in possession or to hand over the encryption key.
b) SuperReach will verify the validity of the information provided for the TIA questionnaire on a regular basis and provide notice to Customer in case of any changes without delay. Clause 14(e) of the SCCs shall remain unaffected.
- Obligations to take specific actions
In case of any order to disclose or to grant access to the personal data, SuperReach commits to inform the requesting public authority of the incompatibility of the order with the safeguards contained in the Article 46 GDPR transfer tool and the resulting conflict of obligations for SuperReach.
- Empowering data subjects to exercise their rights
a) SuperReach commits to fairly compensate the data subject for any material and non-material damage suffered because of the disclosure of his/her personal data transferred under the chosen transfer tool in violation of the commitments it contains.
b) Notwithstanding the foregoing, SuperReach shall have no obligation to indemnify the data subject to the extent the data subject has already received compensation for the same damage.
c) Compensation is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from SuperReach’s infringement of the GDPR.
- Additional obligations in case of requests or access by public authorities
- SuperReach shall promptly inform Client:
a) Of any legally binding requests from a law enforcement or other government authority (“Public Authority”) to disclose the personal data shared by Client (“Transferred Personal Data”); such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided. Such notification shall occur prior to the disclosure of any personal data in response to such requests.
b) If it becomes aware of any direct access by public authorities to transferred personal data in accordance with the laws of the country of destination, such notification shall include all information available to SuperReach.
c) If SuperReach is prohibited from notifying Client and/or the data subject, SuperReach agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicate as much information and as soon as possible. SuperReach agrees to document its best efforts in order to be able to demonstrate them upon request of the data exporter.
- SuperReach agrees to review, under the laws of the country of destination, the legality of the public authority’s request, notably whether it remains within the powers granted to the requesting public authority and exhaust all available remedies to challenge the request if, after a careful assessment, SuperReach concludes that there are grounds under the laws of the country of destination to do so. When challenging a request, SuperReach shall seek interim measures with a view to suspend the effects of the request until the court has decided on the merits. SuperReach shall not disclose or provide access to the personal data requested until required to do so under the applicable procedural rules and, at such time, shall provide only the minimum amount of information required to comply with the request, based on a reasonable interpretation of the request.
- SuperReach agrees to preserve the information required to comply with this Annex 4 for the duration of the Agreement and, unless prohibited by applicable law, make it available to the competent supervisory authority upon request and when required by applicable law.
ANNEX 5 – Approved Addendum
The Approved Addendum as further specified in this Approved Addendum shall form part of this Schedule, and the Standard Contractual Clauses shall be read and interpreted in light of the provisions of the Approved Addendum, to the extent necessary according to Clause 12 of the Mandatory Clauses.
- In deviation to Table 1 of this Approved Addendum and in accordance with Clause 16 of the Mandatory Clauses, the parties are further specified in Schedule 1 clause A of this Schedule.
- The selected Modules and Clauses to be determined according to Table 2 of the Approved Addendum are further specified in Schedule 3 of this Schedule as amended by the Mandatory Clauses.
- Annex 1 A and B of Table 3 to the Approved Addendum are specified by Schedule 1 of this Schedule, Annex II of the Approved Addendum is further specified by Schedule 2 of this Schedule, and Annex III of the Approved Addendum is further specified by Schedule 1 clause B.10 of this Schedule.
- SuperReach (as data importer) may end this Schedule, to the extent the Approved Addendum applies, in accordance with clause 19 of the Mandatory Clauses.
- Clause 16 of the Mandatory Clauses shall not apply.
- Interpretation of this Addendum
- Where this Addendum uses terms that are defined in the Standard Contractual Clauses as further specified in Schedule 3 of this Schedule, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
– “This Addendum” means This Addendum to the Clauses.
– “Clauses” means The Standard Contractual Clauses as further specified in Schedule 3 of this Schedule.
– “Swiss Data Protection Laws” means The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.
- This Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that it fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
- This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
- Hierarchy
In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
- Incorporation of the Clauses
- In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA including as further specified in Schedule 3 of this Schedule to the extent necessary so they operate:
- for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter’s processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
- To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in Schedule 3 of this Schedule and as required by clause 2.1 of this Swiss Addendum, include (without limitation):
- References to the “Clauses” or the “SCCs” means this Swiss Addendum as it amends the SCCs; and
- Clause 6 Description of the transfer(s) is replaced with:
“The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this Schedule where Swiss Data Protection Laws apply to the data exporter’s processing when making that transfer.”
- References to “Regulation (EU) 2016/679” or “that Regulation” or “GDPR” are replaced by “Swiss Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” or “GDPR” are replaced with the equivalent Article or Section of Swiss Data Protection Laws to the extent applicable.
- References to Regulation (EU) 2018/1725 are removed.
- References to the “European Union”, “Union”, “EU” and “EU Member State” are all replaced with “Switzerland”.
- Clause 13(a) and Part C of Annex I are not used; the “competent supervisory authority” is the Federal Data Protection and Information Commissioner (the “FDPIC”) insofar as the transfers are governed by Swiss Data Protection Laws;
- Clause 17 is replaced to state:
“These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws”.
- Clause 18 is replaced to state:
“Any dispute arising from these Clauses relating to Swiss Data Protection Laws shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts.”
- Until the entry into force of the revised Swiss Data Protection Laws, the Clauses shall also protect personal data of legal entities and legal entities shall receive the same protection under the Clauses as natural persons.
- To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in Schedule 3 of this Schedule will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 2.1 and 2.3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs shall not be replaced as stipulated under clause 2.3(b)(vii) of this Swiss Addendum.
- Customer warrants that it and/or Customer Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.