“Applicable Data Protection Law” means applicable data protection and privacy laws including, where applicable, EU Data Protection Law, UK Data Protection Law and the CCPA.
“Business”, “consumer”, “personal information” and “service provider” shall have the meanings given in Applicable Data Protection Law.
“CCPA” means the U.S. California Consumer Privacy Act of 2018, as amended or superseded from time to time, and any implementing regulations as promulgated by the California Attorney General.
“Controller“, “data subject“, “personal data“, “processor“, “processing” (and “process“‘) and “special categories of personal data” shall have the meanings given in Applicable Data Protection Law.
“EDPB Recommendations” means the European Data Protection Board’s Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
“EU Data Protection Law” means: (i) the EU General Data Protection Regulation (Regulation 2016/679); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any and all EU Member State laws made under or pursuant to any of the foregoing; in each case as amended or superseded from time to time.
If any Data originates from the European Economic Area (“EEA”) under the Agreement, Môveo shall not transfer the Data outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient (a) in a country that the European Commission has decided provides adequate protection for personal data, (b) that has achieved binding corporate rules authorization in accordance with EU Data Protection Law, (c) that has executed standard contractual clauses adopted or approved by the European Commission. Where Data is governed by EU Data Protection Law and Môveo is party to the Agreement the Customer may enter into the applicable standard contractual clauses “SCC’s” with Môveo by executing a new “Standard contractual clauses Annex” which will form an integral part of this Data Processing Addendum. Prior to transferring Data to a country outside the EEA (“Third Country”), Môveo shall review the adequacy of data protection in the Third Country and shall apply (where necessary) the appropriate measures to ensure that the transferred Data is subject to an essentially equivalent protection as that guaranteed in its original jurisdiction. Môveo shall (i) notify Customer by email if Môveo is unable to comply with its legal or contractual obligations related to international transfers under EU Data Protection Law; and (ii) suspend the applicable transfers of Data until it is able to comply with such legal and contractual obligations.
If any data originates from a country (other than an EEA country) with laws imposing data transfer restrictions, then Customer shall inform Môveo of such data transfer restrictions before such data is input into the Software, in order to enable Customer and Môveo to ensure (where one is available) an appropriate and mutually agreed transfer mechanism is in place. Customer shall not use or access the Software in a manner that would require Customer’s Environment to be hosted in a country other than the Data Center location selected on the applicable Order Form in order to comply with applicable law (including data localization laws).
Môveo shall deal promptly and adequately with any enquiries from the Customer about the processing of Data in accordance with this Data Processing Addendum and make available all information reasonably necessary to demonstrate compliance with its obligations in this Data Processing Addendum for Customer’s review (“Review”). To the extent Customer cannot reasonably establish Môveo ‘s compliance pursuant to a Review, Môveo shall, upon reasonable notice (no less than forty-five (45) days) and payment of a reasonable fee, not more than once a year (unless there is a material Security Breach, in which case a second audit is permitted), allow its procedures and documentation to be inspected or audited (“Audit”) by Customer (or its designee, as agreed between the Parties) during business hours, and without interrupting Môveo’s business operations, in order to ascertain compliance with this Data Processing Addendum. For the avoidance of doubt, the scope of any Audit shall be limited to documents and records allowing the verification of Môveo ‘s compliance with this Data Processing Addendum and shall not include financial records of Môveo or any records concerning Môveo’s other customers. Remote audits shall be utilized where possible with on-site audits occurring only where a walkthrough of the premises is required. In deciding whether to undertake a Review or Audit, the Customer shall take into account the relevant certifications held by Môveo. Where required by a competent supervisory authority, the Parties shall make available any information provided pursuant to a Review or Audit to such supervisory authority.