1.Definitions: In this Annex the following terms shall have the following meanings:
“Applicable Data Protection Law” means applicable data protection and privacy laws including, where applicable, EU Data Protection Law, UK Data Protection Law and the CCPA.
“Business”, “consumer”, “personal information” and “service provider” shall have the meanings given in Applicable Data Protection Law.
“CCPA” means the U.S. California Consumer Privacy Act of 2018, as amended or superseded from time to time, and any implementing regulations as promulgated by the California Attorney General.
“Controller“, “data subject“, “personal data“, “processor“, “processing” (and “process“‘) and “special categories of personal data” shall have the meanings given in Applicable Data Protection Law.
“EDPB Recommendations” means the European Data Protection Board’s Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.
“EU Data Protection Law” means: (i) the EU General Data Protection Regulation (Regulation 2016/679); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any and all EU Member State laws made under or pursuant to any of the foregoing; in each case as amended or superseded from time to time.
“UK Data Protection Law” means the data privacy legislation adopted by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019/419 as supplemented by the terms of the Data Protection Act 2018 and the UK GDPR (Retained Regulation(EU)2016/679(UK GDPR) pursuant to section 3 of the European Union (Withdrawal) Act 2018).
2.Relationship of the Parties
Customer (the controller) appoints Môveo as a processor to process the personal data described in the Agreement (the “Data”) for the purposes described in the Agreement (or as otherwise agreed in writing by the parties) (the “Permitted Purpose”). Môveo shall not retain, use, or disclose the Data for any purpose other than for the Permitted Purpose, or as otherwise permitted by the Applicable Data Protection Law, including retaining, using, or disclosing the Data for a commercial purpose other than the Permitted Purpose. Môveo shall not buy or sell the Data.
3.International Transfers & Data Localization Laws
If any Data originates from the European Economic Area (“EEA”) under the Agreement, Môveo shall not transfer the Data outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient (a) in a country that the European Commission has decided provides adequate protection for personal data, (b) that has achieved binding corporate rules authorization in accordance with EU Data Protection Law, (c) that has executed standard contractual clauses adopted or approved by the European Commission. Where Data is governed by EU Data Protection Law and Môveo is party to the Agreement the Customer may enter into the applicable standard contractual clauses “SCC’s” with Môveo by executing a new “Standard contractual clauses Annex” which will form an integral part of this Data Processing Addendum. Prior to transferring Data to a country outside the EEA (“Third Country”), Môveo shall review the adequacy of data protection in the Third Country and shall apply (where necessary) the appropriate measures to ensure that the transferred Data is subject to an essentially equivalent protection as that guaranteed in its original jurisdiction. Môveo shall (i) notify Customer by email if Môveo is unable to comply with its legal or contractual obligations related to international transfers under EU Data Protection Law; and (ii) suspend the applicable transfers of Data until it is able to comply with such legal and contractual obligations.
If any data originates from a country (other than an EEA country) with laws imposing data transfer restrictions, then Customer shall inform Môveo of such data transfer restrictions before such data is input into the Software, in order to enable Customer and Môveo to ensure (where one is available) an appropriate and mutually agreed transfer mechanism is in place. Customer shall not use or access the Software in a manner that would require Customer’s Environment to be hosted in a country other than the Data Center location selected on the applicable Order Form in order to comply with applicable law (including data localization laws).
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, Môveo shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (in accordance with Applicable Data Protection Law) to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorized disclosure of, or access to the Data (a “Security Breach”).
Customer consents to Môveo engaging subprocessors to process the Data for the Permitted Purpose. The current list of subprocessors “the Subprocessor List” is maintained by Moveo and can be shared with the Customer at any time as long as the Customer asks for it by email. Môveo shall (i) update the Subprocessor List with any change in subprocessors at least 30 days’ prior to such change (except to the extent shorter notice is required due to an emergency) and the Customer has the right to have access to the updated Subprocessor List (ii) impose data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) remain liable for any breach of this Data Processing Addendum that is caused by an act, error or omission of its subprocessor. Customer may object to Môveo’s appointment of a subprocessor prior to its appointment, provided such objection is based on reasonable data protection grounds. In such event, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).
6.Cooperation and Data Subjects’ Rights
Taking into account the nature of the processing, Môveo shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (i) any request from a data subject to exercise its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Môveo, Môveo shall promptly inform Customer providing full details of the same.
7.Assessment, Consultation and Assistance
Taking into account the nature of the processing, Môveo shall provide Customer with reasonable cooperation (at Customer’s expense) to enable Customer to (i) conduct any data protection or transfer impact assessments that it is required to undertake under Applicable Data Protection Law; and (ii) consult competent supervisory authorities prior to processing where required by Applicable Data Protection Law.
If it becomes aware of a Security Breach, Môveo shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under Applicable Data Protection Law. Môveo shall further take such reasonably necessary measures and actions to mitigate the effects of the Security Breach and shall keep Customer informed of all material developments in connection with the Security Breach. The Customer acknowledges that in the event of a Security Breach impacting a subprocessor of Môveo, the Customer may receive notification directly from the subprocessor in accordance with the Standard Contractual Clauses between Môveo and such subprocessor. In such an event, the Customer agrees to provide any reasonable co-operation or assistance required by Môveo and the subprocessor in order to facilitate such notification.
9.Deletion or Return of Data
Following termination of the Agreement, Customer shall have sixty (60) days to export its Data from the Software and after such time has passed Môveo may destroy all Data in its possession or control. This requirement shall not apply to the extent that: (i) Môveo is required by applicable law to retain some or all of the Data; or (ii) Data is archived on Môveo ‘s back-up and support systems, provided that Môveo shall continue to protect such Data in accordance with its obligations herein.
10.Review & Audit
Môveo shall deal promptly and adequately with any enquiries from the Customer about the processing of Data in accordance with this Data Processing Addendum and make available all information reasonably necessary to demonstrate compliance with its obligations in this Data Processing Addendum for Customer’s review (“Review”). To the extent Customer cannot reasonably establish Môveo ‘s compliance pursuant to a Review, Môveo shall, upon reasonable notice (no less than forty-five (45) days) and payment of a reasonable fee, not more than once a year (unless there is a material Security Breach, in which case a second audit is permitted), allow its procedures and documentation to be inspected or audited (“Audit”) by Customer (or its designee, as agreed between the Parties) during business hours, and without interrupting Môveo’s business operations, in order to ascertain compliance with this Data Processing Addendum. For the avoidance of doubt, the scope of any Audit shall be limited to documents and records allowing the verification of Môveo ‘s compliance with this Data Processing Addendum and shall not include financial records of Môveo or any records concerning Môveo’s other customers. Remote audits shall be utilized where possible with on-site audits occurring only where a walkthrough of the premises is required. In deciding whether to undertake a Review or Audit, the Customer shall take into account the relevant certifications held by Môveo. Where required by a competent supervisory authority, the Parties shall make available any information provided pursuant to a Review or Audit to such supervisory authority.
Môveo will not disclose or provide access to any Data to any public authorities unless required by law. Where the Data impacted by the request is governed by EU Data Protection Law, Môveo commits to (i) reviewing the legality of the public authority’s data requests and to challenging them where lawful and appropriate; and (il) where the Legal Request is incompatible with Art. 46 of the GDPR, to inform the public authority of the same.