Data Protection Addendum
Intango Ltd. and its subsidiaries and affiliated companies (collectively, “Intango” or “we”, “us”, “our”), and the legal entity that entered into an agreement for the provision of the Services (“Services”) described in the Principal Agreement (as amended from time to time, the “Agreement”), regardless of the form of organization (“Customer”), are agreeing to the terms of this Data Protection Addendum (“Addendum” or “DPA”).
This Addendum will be effective and replace any previously applicable terms relating to their subject matter, as of the Agreement effective date.
If you are accepting this Addendum on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this Addendum; (b) you have read and understand this Addendum; and (c) you agree, on behalf of Customer, to this Addendum. If you do not have the legal authority to bind Customer, please do not accept this Addendum.
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Applicable Laws” means (a) European Union or Member State laws with respect to any Company Personal Data; and (b) any other applicable law with respect to any Company Personal Data;
“Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;
“Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Principal Agreement;
“Contracted Processor” means Company, Customer or a Subprocessor;
“Subprocessor” means any third-party processor appointed by or on behalf of the parties (or by any other Subprocessor appointed by the parties) to Process Personal Data on behalf of either the Company and/or Customer in connection with the Principal Agreement.
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
“EEA” means the European Economic Area;
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
“GDPR” means EU General Data Protection Regulation 2016/679;
“Restricted Transfer” means:
a transfer of Company Personal Data from Company to a Contracted Processor; or
an onward transfer of Company Personal Data from a Contracted Processor to a Contracted Processor, or between two establishments of a Contracted Processor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of a mechanism as approved by the European Commission to ensure adequate safeguards for Personal Data transferred from the EU to countries which the European Commission has not found to offer adequate protection for personal data;
“Services” means the services and other activities to be supplied to or carried out by or on behalf of both the Customer and Company pursuant to the Principal Agreement;
The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
This DPA reflects the parties’ agreement on the processing of Personal Data in connection with the Data Protection Laws.
Any ambiguity in this DPA shall be resolved to permit the parties to comply with all Data Protection Laws.
In the event and to the extent that the Data Protection Laws impose stricter obligations on the parties than under this DPA, the Data Protection Laws shall prevail.
Application of this DPA
This DPA will only apply to the extent all of the following conditions are met:
Company (or a Subprocessor on its behalf) processes Personal Data that is made available by the Customer in connection with the Principal Agreement.
Customer (or a Subprocessor on its behalf) processes Personal Data that is made available by the Company in connection with the Principal Agreement.
The Data Protection Laws apply to the processing of Personal Data.
This DPA will only apply to the Services for which the parties agreed to in the Agreement, which incorporates the DPA by reference.
Processing of Personal Data
Independent Controllers. Each party:
may act as an independent Controller of Personal Data under the Data Protection Laws and as such, will individually determine the purposes and means of its processing of Personal Data; and
will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data.
instruct the Contracted Processor (and authorise it to instruct each Subprocessor) with respect to the processing of its Personal Data and/or the transfer of Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement.
Contracted Processors. Each Party shall:
comply with all applicable Data Protection Laws in the Processing of each other’s Personal Data; and
not Process each other’s Personal Data other than on documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case it shall, to the extent permitted by Applicable Laws, inform the other Party of that legal requirement before the relevant Processing of that Personal Data.
Sharing of Personal Data. In performing its obligations under the Principal Agreement, a Party may provide Personal Data to the other Party. Each party shall process Personal Data only for (i) the purposes set forth in the Principal Agreement or (ii) as otherwise agreed to in writing by the parties, provided such processing strictly complies with (i) Data Protection Laws, (ii) Relevant Privacy Requirements and (iii) its obligations under this DPA (the “Permitted Purposes”). Each Party shall not knowingly share any Personal Data with the other Party (i) that allows Data Subjects to be directly identified (for example by reference to their name and e-mail address); (ii) that contains Personal Data relating to children under 13 years.
Data Subject Rights. It is agreed that where either party receives a request from a Data Subject in respect of Personal Data controlled by such Party, then such Party shall be responsible to exercise the request, in accordance with Data Protection Laws.
Personal Data Transfers
Transfers of Personal Data Out of the European Economic Area. Either party may transfer Personal Data outside the European Economic Area if it complies with the provisions on the transfer of Personal Data to third countries in the Data Protection Laws (such as through the use of model clauses or transfer of Personal Data to jurisdictions as may be approved as having adequate legal protections for data by the European Commission).
Security and Protection of Personal Data.
The parties will provide a level of protection for Personal Data that is at least equivalent to that required under Data Protection Laws. Both parties shall implement appropriate technical and organizational measures to protect the Personal Data. In the event that a party suffers a confirmed Security Incident, each party shall notify the other party without undue delay and the parties shall cooperate in good faith to agree and action such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
Company authorises Customer (as a Contracted Processor) to appoint (and permit each Subprocessor appointed in accordance with this section to appoint) Subprocessors in accordance with this section and any restrictions in the Principal Agreement.
Customer may continue to use those Subprocessors already engaged by Customer as of the date of this Addendum, subject to Customer in each case as soon as practicable meeting the relevant obligations set out in this Addendum.
Customer shall give Company prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 30 days of receipt of that notice, Company notifies Customer in writing of any objections (on reasonable grounds) to the proposed appointment, Customer will not appoint (nor disclose any Company Personal Data to) the proposed Subprocessor except with the prior written consent of Company.
With respect to each Subprocessor, Customer shall:
before the Subprocessor first Processes Company Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Company Personal Data required by the Principal Agreement;
ensure that the arrangement between on the one hand (a) Customer, or (b) the relevant intermediate Subprocessor; and on the other hand, the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Company Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR;
if that arrangement involves a Restricted Transfer, ensure the use of an approved mechanism for achieving adequacy, and
provide to Company for review such copies of the Contracted Processors’ agreements with Subprocessors (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as Company may request from time to time.
Data Protection Impact Assessment and Prior Consultation
Customer shall provide reasonable assistance to Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
Deletion or return of Company Personal Data
Subject to sections 9.2 and 9.3, Customer shall promptly delete and procure the deletion of all copies of Company Personal Data upon cessation of any Services involving the Processing of Company Personal Data.
Each Contracted Processor may retain Company Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Customer shall ensure the confidentiality of all such Company Personal Data and shall ensure that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
Customer shall provide written certification to Company that it has fully complied with this section 10.
Notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with this DPA will be limited to the maximum monetary or payment-based amount at which that party’s liability is capped under the Agreement (for clarity, any exclusion of indemnification claims from the Agreement’s limitation of liability will not apply to indemnification claims under the Agreement relating to the Data Protection Laws).
Governing law and jurisdiction
the parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
this Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
Order of precedence
Nothing in this Addendum reduces Customer’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits Customer to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement. In the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
Changes in Data Protection Laws
Company may propose any variations to this Addendum which Company reasonably considers to be necessary to address the requirements of any Data Protection Law.
If Company gives notice under section 11.4, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Company’s notice as soon as is reasonably practicable.
Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.