Capitalized terms used but not defined in these Clauses (including the Appendix) have the meanings given to them in the agreement into which these Clauses are incorporated (the “Agreement”).
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (1) for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8 – Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
(iii) Clause 9 – Clause 9(a), (c), (d) and (e);
(iv) Clause 12 – Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18 – Clause 18(a) and (b);
(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 – Not used
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a) The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
(b) The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter (5).
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (6) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
(c) The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
(d) The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
(f) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
(a) The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the prior specific written authorisation of the controller. The data importer shall submit the request for specific authorisation at least prior to the data exporter’s entry into the applicable agreement or 30 days prior to the engagement of the sub-processor, together with the information necessary to enable the controller to decide on the authorisation. It shall inform the data exporter of such engagement. The list of sub-processors already authorised by the controller can be found in Annex III. The Parties shall keep Annex III up to date.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. (9) The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
(a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards (12);
(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). The data exporter shall forward the notification to the controller.
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the controller or the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
The data exporter shall forward the notification to the controller.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). The data exporter shall forward the information to the controller.
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. The data exporter shall make the assessment available to the controller.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority and the controller of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland (specify Member State).
Clause 18
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of Ireland (specify Member State).
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
(1) Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.
(2) Not applicable
(3) Not applicable
(4) Not applicable
(5) See Article 28(4) of Regulation (EU) 2016/679 and, where the controller is an EU institution or body, Article 29(4) of Regulation (EU) 2018/1725.
(6) The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purposes of these Clauses.
(7) Not applicable
(8) Not applicable
(9) This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
(10) Not applicable
(11) Not applicable
(12) As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.
APPENDIX
EXPLANATORY NOTE:
It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: The Google entity that is a party to the Agreement (“Google”)
Address: As specified in the Agreement.
Contact person’s name, position and contact details: Contact details for the data exporter are specified in the Agreement. The data exporter’s data protection team can be contacted via the Google contact details specified in the Agreement (and/or via such other means as Google may provide from time to time).
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and date: Agreement to the Subprocessor Data Protection Addendum (“SDPA”) by the data importer and the data exporter shall constitute execution of these Clauses by both Parties (a) if the data importer and the data exporter agreed to the SDPA on a date before the date these Clauses were made available by the data exporter to the data importer (“SCC Date”), then 30 days after the SCC Date, or (b) otherwise, as of the effective date of the SDPA.
Role (controller/processor): processor
Data importer(s):
Name: Subprocessor
Address: As specified in the Agreement.
Contact person’s name, position and contact details: Contact details for the data importer are specified in the Agreement. Details about the data importer’s data protection officer or appropriate contact are available to the data exporter as specified in the SDPA.
Activities relevant to the data transferred under these Clauses: The data importer provides the Services to the data exporter in accordance with the Agreement.
Signature and date: Agreement to the SDPA by the data importer and the data exporter shall constitute execution of these Clauses by both Parties (a) if the data importer and the data exporter agreed to the SDPA on a date before the SCC Date, then 30 days after the SCC Date, or (b) otherwise, as of the effective date of the SDPA.
Role (controller/processor): processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Data subjects are the individuals whose personal data is provided to the data exporter or its affiliate in connection with the Specified Processor Products by, at the direction of, or on behalf of customers of the Specified Processor Products (“SPP Personal Data”). These individuals may include, for example: employees, other staff such as contractors and temporary workers, customers and clients (including their staff), other end users, suppliers (including their staff), relatives and associates of the above, advisers, consultants and other professional experts, shareholders, members or supporters, and students and pupils.
Categories of personal data transferred
SPP Personal Data may include, for example:
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
SPP Personal Data may include special categories of personal data (as defined in the GDPR). This may include, for example: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The restrictions and safeguards specified in Annex II apply to these categories of SPP Personal Data (if any).
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
SPP Personal Data may be transferred on a continuous basis until it is deleted in accordance with the terms of the Agreement (including the SDPA).
Nature of the processing
The data importer will process SPP Personal Data to enable the following basic processing activities: as applicable to the Services and the relevant instructions, collecting, recording, organising, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying personal data for the purpose of providing the Services to the data exporter in accordance with the Agreement.
Purpose(s) of the data transfer and further processing
The data importer will process SPP Personal Data to provide the Services in accordance with the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The data importer will retain SPP Personal Data until its deletion in accordance with the provisions of the Agreement (including the SDPA).
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
As above.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Data Protection Commission, Ireland
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The data importer will implement and maintain security standards at least as protective as those set out in the Agreement (including the SDPA).
The technical and organisational measures taken by the data importer to assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 are set out in the SDPA.
ANNEX III
LIST OF SUB-PROCESSORS
The controller has authorised the use of the following sub-processors:
The sub-processors authorised for performance of any part of the Services in accordance with Section 11 (Third Party Providers) (or such other corresponding section) of the SDPA.
ANNEX IV
SUPPLEMENTARY TERMS FOR SWISS FDPA TRANSFERS ONLY
The following terms supplement these Clauses only if and to the extent Standard Contractual Clauses forming part of a Google Customer Contract apply with respect to transfers of SPP Personal Data subject to the Swiss FDPA:
References to the GDPR will be interpreted as references to the Swiss FDPA, to the extent applicable.
References to the EU and EU Member States will be interpreted to mean Switzerland, to the extent applicable.
The term ’Member State’ will be interpreted in such a way as to allow data subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
The competent supervisory authority/ies for purposes of Annex I.C (Competent Supervisory Authority) of the Clauses will be the Federal Data Protection and Information Commissioner in Switzerland (or its replacement or successor).
ANNEX V
SUPPLEMENTARY TERMS FOR UK GDPR TRANSFERS ONLY
The following terms supplement these Clauses only if and to the extent Standard Contractual Clauses forming part of a Google Customer Contract apply with respect to transfers of SPP Personal Data subject to the UK GDPR:
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
VERSION B1.0, in force 21 March 2022
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | a) 21 September 2022, where the effective date of the Agreement is before 21 September 2022; or (b) otherwise, on the effective date of the Agreement. | |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | Full legal name: Google Trading name (if different): As specified in the Agreement. Main address (if a company registered address): As specified in the Agreement. Official registration number (if any) (company number or similar identifier): As specified in the Agreement. | Full legal name: Subprocessor Trading name (if different): As specified in the Agreement. Main address (if a company registered address): As specified in the Agreement. Official registration number (if any) (company number or similar identifier): As specified in the Agreement. |
Key Contact | Contact details for the data exporter are specified in the Agreement. The data exporter’s data protection team can be contacted via the Google contact details specified in the Agreement (and/or via such other means as the data exporter may specify from time to time). | Contact details for the data importer are specified in the Agreement. Details about the data importer’s data protection officer or appropriate contact are available to the data exporter as specified in the SDPA. |
Signature (if required for the purposes of Section 2) | The parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of this Addendum. | The parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of this Addendum. |
Start date
a) 21 September 2022, where the effective date of the Agreement is before 21 September 2022; or
(b) otherwise, on the effective date of the Agreement.
The Parties
Exporter (who sends the Restricted Transfer)
Importer (who receives the Restricted Transfer)
Parties’ details
Full legal name: Google
Trading name (if different): As specified in the Agreement.
Main address (if a company registered address): As specified in the Agreement.
Official registration number (if any) (company number or similar identifier): As specified in the Agreement.
Full legal name: Subprocessor
Trading name (if different): As specified in the Agreement.
Main address (if a company registered address): As specified in the Agreement.
Official registration number (if any) (company number or similar identifier): As specified in the Agreement.
Key Contact
Contact details for the data exporter are specified in the Agreement. The data exporter’s data protection team can be contacted via the Google contact details specified in the Agreement (and/or via such other means as the data exporter may specify from time to time).
Contact details for the data importer are specified in the Agreement. Details about the data importer’s data protection officer or appropriate contact are available to the data exporter as specified in the SDPA.
Signature (if required for the purposes of Section 2)
The parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of this Addendum.
The parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of this Addendum.
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information: Date: 4 June 2021 Reference (if any): Module 3: Processor-to-Processor Other identifier (if any): N/A |
Addendum EU SCCs
The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: 4 June 2021
Reference (if any): Module 3: Processor-to-Processor
Other identifier (if any): N/A
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: Annex I(A) |
Annex 1B: Description of Transfer: Annex I(B) |
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex II |
Annex III: List of Sub processors (Modules 2 and 3 only): Annex III |
Annex 1A: List of Parties: Annex I(A)
Annex 1B: Description of Transfer: Annex I(B)
Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: Annex II
Annex III: List of Sub processors (Modules 2 and 3 only): Annex III
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: ☐ Importer ☐ Exporter ✔ neither Party |
Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section 19:
☐ Importer
☐ Exporter
✔ neither Party
Part 2: Mandatory Clauses
Mandatory Clauses | Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses. |
Mandatory Clauses
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
STANDARD CONTRACT FOR THE TRANSFER OF PERSONAL DATA ABROAD - 3
(FROM DATA PROCESSOR TO DATA PROCESSOR)
Capitalized terms used but not defined in these Clauses (including the Annexes) have the meanings given to them in the agreement into which these Clauses are incorporated (the “Agreement”).
SECTION ONE
General Provisions
Clause 1 - Purpose and Scope
(a) The purpose of this standard contract is to ensure compliance with the provisions of Law No. 6698 on Protection of Personal Data dated March 24, 2016 (hereinafter will be referred to as “the Law”) and the Regulation on Procedures and Principles for Transferring of Personal Data Abroad (“Regulation”) which has been published in the Official Gazette of June 10, 2024 with number 32598, during transfer of personal data abroad.
(b) Data processor who transfers personal data abroad (hereinafter will be referred to as “data exporter”) and the data processor abroad who receives personal data from the data exporter (hereinafter will be referred to “data importer”) have agreed to this standard contract (hereinafter will be referred to as the “Contract”).
(c) This Contract will be applied to the transfer of personal data abroad details of which have been provided in Annex-I.
(d) The Appendix to this Contract (hereinafter will be referred to as “Appendix”) form an inseparable part of this Contract.
Clause 2 - Effect and Invariability of the Contract
(a) Provided that no addition, subtraction, or modification will be made, this Contract shall regulate the appropriate safeguards while transfer of personal data abroad including the existence of data subjects’ opportunity to exercise their rights and to apply to effective legal remedies in the country to which transfer has been made as per Clause 9 (4) and the Regulation.
(b) This Contract does not prejudice the obligations that the data exporter is subject to as per the Law, Regulation and other relevant legislation.
Clause 3 - Rights of Third-Party Beneficiaries
(a) Data subjects, subject to below exceptions, may enforce the provisions of this Contract against data exporters and/or data importers as third-party beneficiaries:
(i) Clause 1, Clause 2, Clause 3 and Clause 6.
(ii) Clause 7.1(a), (c) and (d) and Clause 7.9 (a), (c), (d), (e), (f) and (g).
(iii) Clause 8 (a), (c), (d) and (e).
(iv) Clause 11(a), (d) and (f).
(v) Clause 12.
(b) Clause (a) does not prejudice the rights of data subjects in scope of the Law.
Clause 4 - Interpretation
(a) Where this Contract uses terms that are in the Law, Regulation and other legislation, definitions of such as set forth in the relevant legislation shall prevail.
(b) This Contract shall be interpreted in accordance with the Law, Regulation, and other relevant legislation.
(c) This Contract shall not be interpreted in a way that conflicts with rights and obligations provided for in the Law, Regulation and other relevant legislation.
Clause 5 - Rule of Contradiction
In the event of a contradiction between the provisions of this Contract and the provisions of the related agreements between the Parties, which existed at the time of approval of this Contract or entered into thereafter, the provisions of this Contract shall prevail.
Clause 6 - Details of the Transfer
The details of the transfer that will be carried out in scope of this Contract, in particular the details of categories of personal data that are subject to the transfer, legal purpose of the transfer and purpose of the transfer or purposes, are as specified in Annex-I.
SECTION TWO
Obligations of the Parties
Clause 7 - Safeguards in Relation to Protection of Personal Data
Data exporter that the data importer makes reasonable efforts to determine that it is qualified to have the adequacy to carry out its obligations that arise out of this Contract by taking the technical and administrative measures.
Clause 7.1 - Instructions
(a) Data exporter, prior to engaging in processing activities, informs the data importer that it is a data processor that acts in accordance with the instructions of the data controller/controllers notified to the data importer.
(b) Data importer, as informed by the data exporter, only processes personal data in accordance with the instructions of the data controller and additional instructions of the data exporter. Such additional instructions cannot contradict with the instructions of the data controller. Data controller or data exporter may give such instructions on data processing activities so long as the data importer engages in data processing activities on behalf of the data exporter.
(c) In the event that the data importer is not able to fulfill these instructions, it shall inform the data exporter without delay. In the event that the data importer is not able to fulfill the instructions of the data controller, data exporter shall notify the data controller without delay.
(d) Data exporter warrants that the data importer is under the same obligations that it has undertaken with respect to personal data processing activities carried out on behalf of the data controller.
Clause 7.2 - Being Relevant to the Purpose, Limited and Proportional
Data importer processes personal data in a manner that is relevant to the purpose/purposes, limited and proportional as set forth in Annex-I.
Clause 7.3 - Being Accurate and Up to Date where Necessary
In the event that the data importer becomes aware that the transferred personal data is inaccurate or is no longer up to date, data importer shall notify the data exporter without delay. In such a case, data importer shall collaborate with the data exporter to in the destruction or correction of personal data.
Clause 7.4 - The Length of Processing Activity and Complete Destruction or Return of Data
Processing by the data importer shall only take place for the duration specified in Annex I. In the event of ending of data processing activity of the data importer on behalf of the data exporter, at the choice of data exporter, data importer shall return all personal data and its copies back to the data exporter or shall completely delete all the personal data. Even in case of provisions that prohibit the fulfillment of this obligation in legislation, data importer warrants that it will continue to ensure compliance with this Contract, will take necessary technical and administrative measures to safeguard privacy of personal data subject to the transfer and will only continue processing activities to the proportion and length necessitated by the legislation. Provision of Clause 13 is reserved. Data importer shall certify to the data exporter that data has been destroyed. Data importer shall continue to comply with this Contract until the data has been returned or completely destroyed.
Clause 7.5 - Obligation to Clarify
Data exporter, upon request, shall provide the data subject with a copy of this Contract, including its Appendix as completed by the Parties, free of charge. To the extent that it is necessary to protect business secrets or other confidential information including measures and personal data specified in Annex-II, data exporter may make changes by redacting part of the text in the Appendix of the copy that will be shared with the data subject. However, unless content cannot be understood or data subject’s rights cannot be exercised, Parties shall provide a meaningful summary to the data subject. Upon request, parties, to the extent possible, shall inform the data subject of the reasons for the changes without an explanation of the redacted information.
Clause 7.6 - Data Security
(a) Data importer and during transmission data exporter, shall take all technical and administrative measures to prevent processing of personal data unlawfully, prevent accessing of personal data unlawfully, ensure retention of personal data and prevent its accidental loss, destruction or damage in order to ensure appropriate security levels in accordance with the nature of the personal data. In determining the appropriate level of security, they shall take due account of the state-of-the-art technology, the costs of implementation, the nature, scope, context and purposes of processing and the risks against fundamental rights and freedoms involved in the processing for the data subject. In fulfilling its obligations under this provision, data importer is obligated to technical and administrative measures specified in Annex-II at the minimum. Data importer, carries out routine controls to confirm that such measures continue to ensure an appropriate level of security.
(b) Data importer shall ensure that the access of its personnel to personal data subject to the transfer, is absolutely proportional to the extent necessary and limited in scope for the data processing activity it carries out on behalf of the data exporter and ensures that only relevant personnel can access such personal data. Data importer ensures that the real persons that it has authorized with respect to accessing of personal data do not disclose personal data that they learn to third parties as opposed to this Contract and do not use such personal data other than the purpose of processing.
(c) In the event that personal data processed by the data importer in scope of this Contract is unlawfully acquired by others, data importer shall take necessary measures to mitigate the personal data breach and possible negative effects of this data breach. Besides, the data importer, without causing any delay, shall inform the situation to the data exporter and data controller where appropriate. Such notification shall be made by using the “Data Breach Form” determined by the Board and announced through the website of the Data Protection Authority (hereinafter will be referred to as “the Authority”). In the event that the information included in the Form cannot be provided at the same time, such information shall be provided without giving rise to delay and gradually.
(d) Data importer, in order for a notification to be made to the Board and data subjects, by first notifying the data controller on behalf of whom it carries out data processing activities, in order to ensure that its obligations in scope of the Law are fulfilled, collaborates with the data exporter and assists the data exporter by taking into account the nature of the data processing activity and the information that it becomes aware of.
Clause 7.7 - Special Categories of Personal Data
(a) Data importer shall take additional technical and administrative measures that are appropriate for the sensitive nature of the special categories of personal data.
(b) In the processing of special categories of personal data, it is required to take adequate measures as determined by the Board.
Clause 7.8 - Onward Transfers
(a) Personal data that is transferred to the data importer, may be transferred to a third-party located abroad (in the same country as the data importer or in another country) by the data importer only with the instruction of the data exporter and under the situations described below:
(i) When onward transfer is made to a country for which an adequacy decision has been granted as per Clause (9) (1) of the Law.
(ii) Fulfilment by the third-party to which transfer will be made, of one of the appropriate safeguards stipulated under Clause 9 (4).
(iii) When transfer of personal data is required for the establishment, use or protection of a right in connection with certain administrative or judicial procedures.
(iv) When transfer of personal data is required for the protection of life or bodily integrity of a person who is unable to express consent due to factual impossibility or whose consent will not be deemed legally valid.
(b) In any other onward transfer, in particular with the principles of being relevant to the purpose, limited and proportional, the data importer is obligated to act in accordance with all other safeguards in scope of this Contract.
(c) Prior to the notification of this Contract to the Authority, in the event that recipients of onward transfers are determined, such recipients and recipient groups shall be specified in Annex-I. Upon notification of this Contract to the Authority, in the event of a change on the recipients or recipient groups to which onward transfer will be made, Annex-I shall be updated and such situation shall be notified to the Authority.
Clause 7.9 - Certification and Compliance
(a) Data importer responds without delay and adequately to the questions received from the data exporter or data controller in relation to its data processing activities in scope of this Contract.
(b) Parties should demonstrate that they are in compliance with this Contract. Data importer is obligated to retain and preserve information, documents, and records regarding data processing activities carried out on behalf of the data controller.
(c) Data importer shall provide all information and documents that are necessary to demonstrate that it complies with the obligations set forth in this Contract with the data exporter. Data exporter shall transmit such information to the data controller.
(d) Data importer, in reasonable intervals or in the existence of signs that it is not in compliance with the Contract, or in the event that data exporter requests to conduct an audit with the instruction of the data controller, allows data exporter to audit its data processing activities in scope of this Contract and assists with the process.
(e) In the event that the audit is conducted pursuant to instructions of the data controller, data exporter shall transmit the outcome of the audit to the data controller.
(f) Data exporter can carry out the audit itself and may also appoint an independent auditor. During the audit, the premises or physical establishments of the data importer may be examined. Where appropriate, a notification will be made that an audit will be conducted prior to a reasonable time.
(g) Parties shall present information specified under provisions (b) and (c), including the outcome of the audit carried out on the data importer to the Board, upon request.
Clause 8 - Sub-Processors
GENERAL AUTHORIZATION: (a) The data importer may delegate the processing activities carried out on behalf of the data exporter pursuant to this Contract to sub-processor(s) included in a list to which the data controller has given prior consent. The data importer shall notify the controller in writing at least [specify time period] prior to the substitution of the sub-processor(s) on the list or the addition of new sub-processors to the list and shall allow the controller sufficient time to object to such changes prior to the accession of the new sub-processor(s). The data importer shall provide the data controller with the information necessary for the data controller to exercise the right of objection. The data importer shall inform the data exporter about the participation of new sub-processors. The list of sub-processors authorized by the data controller is provided in Annex III. Following the notification of this Contract to the Authority, if there is a change in the sub-processors, Annex III shall be updated and this situation shall be notified to the Authority].
(b) The data importer shall conclude a written contract with the sub-processor if it delegates certain personal data processing activities (to be carried out on behalf of the controller). The contract must contain, as a minimum, the safeguards contained in this Contract, including third party beneficiary rights for data subjects. The parties agree that the data importer fulfills its obligations under Article 7.8 if such contract is concluded. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject under this Contract.
(c) The data importer shall, upon request of the data exporter or the data controller, provide the data exporter or the data controller with a copy of such a sub-processing contract and of each subsequent amendment. To the extent necessary for the protection of trade secrets or other confidential information, including personal data, the data importer may modify the copy to be shared and remove the relevant parts.
(d) The data importer is fully responsible to the data exporter for the fulfillment of the obligations of the sub-processor under the contract with the sub-processor. The data importer shall notify the data exporter in case the sub-processor fails to fulfill its obligations under the said contract.
(e) The data importer agrees with the sub-processor that the sub-processing contract shall include a third-party beneficiary clause in favor of the data importer stipulating that the data importer shall have the right to terminate the sub-processing contract and to instruct the sub-processor to completely destroy or return the personal data subject to the transfer, together with their back-ups, in the event that the data importer ceases to be a legal person or becomes bankrupt.
Clause 9 - Data Subject Rights
(a) The data importer shall immediately inform the data exporter of each request received from the data subject and without finalizing the request itself unless authorized by the data exporter.
(b) The data importer shall assist the data controller in fulfilling its obligation to finalize requests made by data subjects to exercise their rights under the Law with the collaboration with data exporter where appropriate. In this regard, the Parties shall set out in Annex II appropriate technical and administrative measures, taking into account the scope of the assistance required as well as the nature of the processing activity for which the assistance is to be provided.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions of the data controller as conveyed by the data exporter.
Clause 10 - Methods of Seeking Remedy
(a) In the event of a dispute arising between the data subject and the data importer regarding third party beneficiary rights under this Contract, the data subject may submit his or her requests to the data importer. The data importer shall inform the data subjects of an authorized contact point to conclude their requests in a transparent and easily accessible format, either by notifying the data subjects in person or by publishing it on its website. The data importer shall address the requests of data subjects without delay.
(b) Where a dispute arises between the data subject and a Party concerning compliance with this Contract, that Party shall use its best efforts to resolve the dispute amicably and as soon as possible. The Parties shall keep each other informed of such disputes and shall cooperate as appropriate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer agrees that the data subject has the right to lodge a complaint with the Board and to apply to the competent courts under Clause 18.
(d) The data importer undertakes to comply with decisions that are binding under Turkish law.
(e) The data importer agrees that the application of one of the above-mentioned remedies by the data subject shall not prejudice to any other rights that the data subject may claim in accordance with the current legislation.
Clause 11 - Liability
(a) Each Party shall be liable to the other Party for any damage that arose due to any breach of this Contract.
(b) The data importer shall be liable to the data subject. The data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under this Contract.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under the Law.
(d) If the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where either Parties are responsible for any damage caused to the data subject as a result of a breach of this Contract, all responsible Parties shall be jointly liable, and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party that part of the compensation corresponding to its/their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 12 - Supervision
The data importer agrees to cooperate with the Authority in all kinds of works and transactions to ensure compliance with this Contract, to be subject to the authority of the Board and to comply with the decisions granted by the Board. In particular, the data importer agrees to send the information and documents requested by the Board regarding the investigation subject, to provide the opportunity for on-site inspection when necessary, and to comply with the instructions given by the Board to eliminate the identified unlawfulness. It shall provide the Board with information and documents confirming the necessary actions that have been taken.
SECTION THREE
Obligations in terms of Local Laws and in case Access by Public Authorities
Clause 13 - Local Laws and Practices Affecting Compliance with the Contract
The data importer agrees, declares, and undertakes that there is no local regulation or practice contrary to this Contract in relation to the personal data to be transferred within the scope of this Contract. In the event of a change in legislation or practice that is likely to affect the data importer's fulfillment of its obligations under this Contract during the term of this Contract, the data importer immediately notifies the data exporter. Data exporter conveys this notification to the data controller. Data importer agrees that the data exporter shall have the right to suspend the data transfer or terminate this Contract in this case.
Clause 14 - Obligations of the Data Importer in case of Access by Public Authorities
The data importer, within the scope of this Contract, shall immediately notify the data exporter of any request from an administrative or judicial authority regarding the personal data transferred or if an administrative or judicial authority has direct access to personal data transferred within the scope of this Contract. Data exporter conveys this notification to the data controller. In this case, the data importer agrees that the data exporter shall have the right to suspend the data transfer or terminate this Contract depending on the nature of the request or access.
SECTION FOUR
Final Provisions
Clause 15 - Non-compliance with the Contract and Termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with this Contract, for whatever reason.
(b) In the event that the data importer is in breach of this Contract or unable to comply with this Contract, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. Provisions of Clause 13 and Clause 14 are reserved.
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under this Contract, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with this Contract is not restored within a reasonable time and in any event within one month of suspension.
(ii) the data importer is in substantial or persistent breach of this Contract.
(iii) the data importer fails to comply with a decision of a competent court or Board regarding its obligations under this Contract.
In these cases, the data importer shall inform the Board and the data controller.
(d) In case of termination of the contract within the scope of paragraph (c), the data importer shall, depending on the choice of the data exporter; send the personal data that are subject to the transmission back to the data exporter together with their copies or destroy the personal data completely. The data importer shall continue to comply with this Contract even if there are provisions in the legislation that prevent it from complying with this obligation, shall take the necessary technical and administrative measures to ensure the confidentiality of the personal data subject to transfer, and shall continue processing only to the extent and for the period required by the legislation. The data importer shall certify the deletion of the data for the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with this Contract.
Clause 16 - Notification of the Contract to the Authority
(It may be included in the contract depending on the preference of the parties.)
[Data exporter/data importer] notifies this Contract to the Authority within five business days following the completion of the signatures.
Clause 17 - Governing Law
This Contract shall be governed by the Turkish Law.
Clause 18 - Competent and Authorized Court
(a) Any dispute arising out of this Contract shall be submitted to the Turkish courts.
(b) General provisions shall apply with respect to jurisdiction and competence.
(c) The Parties agree to submit themselves to the jurisdiction of the Turkish courts.
Data exporter: Google (as defined in the Agreement) Address: As stated in the Agreement Name and Surname, Title and Contact information of the Contact Point: Contact details for the data exporter are specified in the Agreement. The data exporter’s data protection team can be contacted via the Google contact details specified in the Agreement (and/or via such other means as Google may provide from time to time). Name, Surname and Title of the Signatory: As stated in the Agreement in relation to the signatory of the Agreement or, if signed after the Agreement, the Subprocessor Data Protection Addendum (“SDPA”). Signature and Date: Agreement to the SDPA by the data importer and the data exporter shall constitute execution of these Clauses by both Parties (a) if the data importer and the data exporter agreed to the SDPA on a date before the date these Clauses were made available by the data exporter to the data importer (“SCC Date"), then 30 days after the SCC Date, or (b) otherwise, as of the effective date of the SDPA. | Data importer: Subprocessor (as defined in the Agreement) Address: As stated in the Agreement Name and Surname, Title and Contact information of the Contact Point: Contact details for the data importer are specified in the Agreement. Details about the data importer’s data protection officer or appropriate contact are available to the data exporter as specified in the SDPA. Name, Surname and Title of the Signatory: As stated in the Agreemen in relation to the signatory of the Agreement or, if signed after the Agreement, the Subprocessor Data Protection Addendum (“SDPA”). Signature and Date: Agreement to the SDPA by the data importer and the data exporter shall constitute execution of these Clauses by both Parties (a) if the data importer and the data exporter agreed to the SDPA on a date before the date these Clauses were made available by the data exporter to the data importer (“SCC Date"), then 30 days after the SCC Date, or (b) otherwise, as of the effective date of the SDPA. |
Data exporter: Google (as defined in the Agreement)
Address: As stated in the Agreement
Name and Surname, Title and Contact information of the Contact Point: Contact details for the data exporter are specified in the Agreement. The data exporter’s data protection team can be contacted via the Google contact details specified in the Agreement (and/or via such other means as Google may provide from time to time).
Name, Surname and Title of the Signatory: As stated in the Agreement in relation to the signatory of the Agreement or, if signed after the Agreement, the Subprocessor Data Protection Addendum (“SDPA”).
Signature and Date: Agreement to the SDPA by the data importer and the data exporter shall constitute execution of these Clauses by both Parties (a) if the data importer and the data exporter agreed to the SDPA on a date before the date these Clauses were made available by the data exporter to the data importer (“SCC Date"), then 30 days after the SCC Date, or (b) otherwise, as of the effective date of the SDPA.
Data importer: Subprocessor (as defined in the Agreement)
Address: As stated in the Agreement
Name and Surname, Title and Contact information of the Contact Point: Contact details for the data importer are specified in the Agreement. Details about the data importer’s data protection officer or appropriate contact are available to the data exporter as specified in the SDPA.
Name, Surname and Title of the Signatory: As stated in the Agreemen in relation to the signatory of the Agreement or, if signed after the Agreement, the Subprocessor Data Protection Addendum (“SDPA”).
Signature and Date: Agreement to the SDPA by the data importer and the data exporter shall constitute execution of these Clauses by both Parties (a) if the data importer and the data exporter agreed to the SDPA on a date before the date these Clauses were made available by the data exporter to the data importer (“SCC Date"), then 30 days after the SCC Date, or (b) otherwise, as of the effective date of the SDPA.
ANNEXES
ANNEX I
DETAILS OF THE TRANSFER
Activities of the Data Exporter Regarding the Personal Data Transferred Under This Contract
The data importer provides the Services to the data exporter in accordance with the Agreement.
Activities of the Data Importer Regarding Personal Data Transferred Under This Contract
The data importer provides the Services to the data exporter in accordance with the Agreement.
Data Subject Group or Groups
Data subjects are the individuals whose personal data is provided to the data exporter or its affiliate in connection with the Specified Processor Products by, at the direction of, or on behalf of customers of the Specified Processor Products (“SPP Personal Data”). These individuals may include, for example: employees, other staff such as contractors and temporary workers, customers and clients (including their staff), other end users, suppliers (including their staff), relatives and associates of the above, advisers, consultants and other professional experts, shareholders, members or supporters, and students and pupils.
Categories of Transferred Personal Data
SPP Personal Data may include, for example:
(If any) Special Categories of Personal Data Transferred
SPP Personal Data may include special categories of personal data (as defined by the Turkish Law on the Protection of Personal Data No. 6698 dated April 7, 2016 (“Turkish Data Protection Law”). This may include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The restrictions and safeguards specified in Annex II apply to these categories of personal data (if any).
Legal Grounds for Transfer
The relevant data controller (for whom the data exporter acts as data processor) has determined that the transfers are necessary for purposes of the legitimate interests pursued by the data controller, and do not violate the fundamental rights and freedoms of the data subjects for the following reasons:
Transfer Frequency
(e.g. whether the data can be transferred on a one off or permanent basis)
SPP Personal Data may be transferred on a continuous basis until it is deleted in accordance with the Agreement (including the SDPA).
Nature of Processing Activity
The data importer will process SPP Personal Data to enable the following basic processing activities, as applicable to the Services and the relevant instructions: collecting, recording, organising, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying personal data for the purpose of providing the Services to the data exporter in accordance with the Agreement.
Purposes of Data Transfer and Further Processing Activities
The data importer will process SPP Personal Data to provide the Services in accordance with the Agreement.
Retention Period of Personal Data
(The retention period of the transferred personal data is stated. If it is not possible to determine this period, the criteria used to determine the retention period are explained.)
The data importer will retain SPP Personal Data until its deletion in accordance with the Agreement (including the SDPA).
Subject, Nature and Duration of the Processing Activity in Transfers to the (Sub) Data Processor
As above.
Importers or Importer Groups
Name: Subprocessor (as defined in the Agreement)
Address: As specified in the Agreement.
Contact person’s name, position and contact details: Contact details for the data importer are specified in the Agreement. The data importer’s data protection team can be contacted as described in the Agreement.
Activities relevant to the data transferred under this Contract: The data importer provides the Services to the data exporter in accordance with the Agreement.
Role (controller/processor): processor
ANNEX II
TECHNICAL AND ADMINISTRATIVE MEASURES
(In case of transfer of special categories of personal data, the technical and administrative measures taken for such data shall be specified separately).
A. Technical and administrative measures taken by Data Exporter
The data exporter is responsible for implementing and maintaining the technical and organizational measures (including in relation to any special categories of personal data) as described in the data exporter’s agreements entered into with customers of the Specified Processor Products.
B. Technical and administrative measures taken by Data Importer
The data importer will implement and maintain the technical and organizational measures (including in relation to any special categories of personal data) as described in the Agreement.
The technical and organisational measures to be taken by the data importer to assist the data exporter in fulfilling its obligations with respect to data subjects’ requests for the exercise of their rights under the Turkish Data Protection Law, including in relation to any special categories of personal data, are set out in the SDPA.
ANNEX III
LIST OF SUB-DATA PROCESSORS
The data controller has authorized the following sub-data processors (as applicable):
The data controller has authorized the data exporter’s engagement as subprocessors of those entities whose names, locations and activities are disclosed below:
CLÁUSULAS-PADRÃO CONTRATUAIS
Seção I - Informações Gerais
CLÁUSULA 1. Identificação das partes
1.1. Pelo presente instrumento contratual, o Exportador e o Importador (doravante, Partes), abaixo identificados, resolvem adotar as cláusulas-padrão contratuais (doravante Cláusulas) aprovadas pela Autoridade Nacional de Proteção de Dados (ANPD), para reger a Transferência Internacional de Dados descrita na Cláusula 2, em conformidade com as disposições da Legislação Nacional.
Nome: A entidade Google que é parte no Contrato (“Google”). Para fins destas Cláusulas, “Contrato” significa o contrato entre Exportador e Importador ao qual essas Cláusulas se integram. Qualificação: Conforme especificado no Contrato Endereço principal: Conforme especificado no Contrato Endereço de e-mail: juridicobrasil@google.com Contato para o Titular: O titular dos dados pode entrar em contato com a equipe de proteção de dados aqui. Outras informações: Não aplicável. |
Nome: A entidade Google que é parte no Contrato (“Google”). Para fins destas Cláusulas, “Contrato” significa o contrato entre Exportador e Importador ao qual essas Cláusulas se integram.
Qualificação: Conforme especificado no Contrato
Endereço principal: Conforme especificado no Contrato
Endereço de e-mail: juridicobrasil@google.com
Contato para o Titular: O titular dos dados pode entrar em contato com a equipe de proteção de dados aqui.
Outras informações: Não aplicável.
Exportador/Operador
Nome: Suboperador (Subprocessor) Qualificação: Conforme especificado no Contrato Endereço principal: Conforme especificado no Contrato Endereço de e-mail: Conforme especificado no Contrato Contato para o Titular: Os dados de contato do Importador estão especificados no Contrato. Os detalhes sobre o responsável pela proteção de dados do Importador ou o contato apropriado estão disponíveis para o Exportador, conforme especificado no Contrato, incluindo os anexos Subprocessor Data Protection Addendum (“SDPA") ou Information Protection Addendum (“IPA") (conforme aplicável). Outras informações: Não aplicável. |
Nome: Suboperador (Subprocessor)
Qualificação: Conforme especificado no Contrato
Endereço principal: Conforme especificado no Contrato
Endereço de e-mail: Conforme especificado no Contrato
Contato para o Titular: Os dados de contato do Importador estão especificados no Contrato. Os detalhes sobre o responsável pela proteção de dados do Importador ou o contato apropriado estão disponíveis para o Exportador, conforme especificado no Contrato, incluindo os anexos Subprocessor Data Protection Addendum (“SDPA") ou Information Protection Addendum (“IPA") (conforme aplicável).
Outras informações: Não aplicável.
Importador/Operador
CLÁUSULA 2. Objeto
2.1. Estas Cláusulas se aplicam às Transferências Internacionais de Dados do Exportador para o Importador, conforme a descrição abaixo.
Descrição da transferência internacional de dados: O importador fornece os Serviços ao Exportador de acordo com o Contrato.
Principais finalidades da transferência: O Importador tratará dados pessoais para fornecer os Serviços de acordo com o Contrato. Categorias de dados pessoais transferidos: Os dados pessoais transferidos podem incluir, por exemplo:
Os dados pessoais transferidos podem incluir Dados Pessoais Sensíveis. Período de armazenamento dos dados: O Importador armazenará os dados pessoais até sua eliminação, de acordo com as disposições do Contrato (incluindo o SDPA ou o IPA, conforme aplicável). Outras informações: Não aplicável. |
Principais finalidades da transferência: O Importador tratará dados pessoais para fornecer os Serviços de acordo com o Contrato.
Categorias de dados pessoais transferidos: Os dados pessoais transferidos podem incluir, por exemplo:
Os dados pessoais transferidos podem incluir Dados Pessoais Sensíveis.
Período de armazenamento dos dados: O Importador armazenará os dados pessoais até sua eliminação, de acordo com as disposições do Contrato (incluindo o SDPA ou o IPA, conforme aplicável).
Outras informações: Não aplicável.
CLÁUSULA 3. Transferências Posteriores
OPÇÃO A. 3.1. O Importador não poderá realizar Transferência Posterior dos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas, salvo nas hipóteses previstas no item 18.3.
CLÁUSULA 4. Responsabilidades das Partes
4.1. Considerando que ambas as Partes atuam, exclusivamente, como Operadores no âmbito da Transferência Internacional de Dados regida por estas Cláusulas, o Exportador declara e garante que a transferência é efetuada em conformidade com as instruções fornecidas por escrito pelo Terceiro Controlador identificado no quadro abaixo.
Informações de identificação do Terceiro Controlador: Cliente ou Revendedor, conforme definido no contrato celebrado entre o Google e seu cliente ou parceiro/revendedor (“Contrato de Cloud”) Nome: Cliente ou Revendedor, conforme definido no Contrato de Cloud Qualificação: Cliente ou Revendedor, conforme definido no Contrato de Cloud Endereço principal: Cliente ou Revendedor, conforme definido no Contrato de Cloud Endereço de e-mail: Cliente ou Revendedor, conforme definido no Contrato de Cloud Contato para o Titular: Cliente ou Revendedor, conforme definido no Contrato de Cloud Informações sobre Contrato Coligado: Não aplicável |
Informações de identificação do Terceiro Controlador: Cliente ou Revendedor, conforme definido no contrato celebrado entre o Google e seu cliente ou parceiro/revendedor (“Contrato de Cloud”)
Nome: Cliente ou Revendedor, conforme definido no Contrato de Cloud
Qualificação: Cliente ou Revendedor, conforme definido no Contrato de Cloud
Endereço principal: Cliente ou Revendedor, conforme definido no Contrato de Cloud
Endereço de e-mail: Cliente ou Revendedor, conforme definido no Contrato de Cloud
Contato para o Titular: Cliente ou Revendedor, conforme definido no Contrato de Cloud
Informações sobre Contrato Coligado: Não aplicável
4.2. O Exportador responde, solidariamente, pelos danos causados pela Transferência Internacional de Dados caso está seja realizada em desconformidade com as obrigações da Legislação Nacional ou com as instruções lícitas do Terceiro Controlador, hipótese em que o Exportador se equipara a Controlador, observado o disposto na Cláusula 17.
4.3. Caso verificada a equiparação a Controlador de que trata o item 4.2, caberá ao Exportador o cumprimento das obrigações previstas nas Cláusulas 14, 15 e 16.
4.4. Ressalvado o disposto nos itens 4.2. e 4.3, não se aplica às Partes, na condição de Operadores, o disposto nas Cláusulas 14, 15 e 16.
4.5. As Partes fornecerão, em qualquer hipótese, todas as informações de que dispuserem e que se demonstrarem necessárias para que o Terceiro Controlador possa atender a determinações da ANPD e cumprir adequadamente obrigações previstas na Legislação Nacional relacionadas à transparência, ao atendimento a direitos dos titulares e à comunicação de incidentes de segurança à ANPD.
4.6. As Partes devem promover assistência mútua com a finalidade de atender às solicitações dos Titulares.
4.7. Em caso de recebimento de solicitação de Titular, a Parte deverá:
(a) atender à solicitação, quando dispuser das informações necessárias;
(b) informar ao Titular o canal de atendimento disponibilizado pelo Terceiro Controlador; ou
(c) encaminhar a solicitação para o Terceiro Controlador o quanto antes, a fim de viabilizar a resposta no prazo previsto na Legislação Nacional.
4.8. As Partes devem manter o registro de incidentes de segurança com dados pessoais, nos termos da Legislação Nacional.
Seção II - Cláusulas Mandatórias
CLÁUSULA 5. Finalidade
5.1. Estas Cláusulas se apresentam como mecanismo viabilizador do fluxo internacional seguro de dados pessoais, estabelecem garantias mínimas e condições válidas para a realização de Transferência Internacional de Dados e visam garantir a adoção das salvaguardas adequadas para o cumprimento dos princípios, dos direitos do Titular e do regime de proteção de dados previstos na Legislação Nacional.
CLÁUSULA 6. Definições
6.1. Para os fins destas Cláusulas, serão consideradas as definições do art. 5° da Lei nº 13.709, de 14 de agosto de 2018, e do art. 3º do Regulamento de Transferência Internacional de Dados Pessoais, sem prejuízo de outros atos normativos expedidos pela ANPD. As Partes concordam, ainda, em considerar os termos e seus respectivos significados, conforme exposto a seguir:
(a) Agentes de tratamento: o controlador e o operador;
(b) ANPD: Autoridade Nacional de Proteção de Dados;
(c) Cláusulas: as cláusulas-padrão contratuais aprovadas pela ANPD, que integram as Seções I, II e III;
(d) Contrato Coligado: instrumento contratual firmado entre as Partes ou, pelo menos, entre uma destas e um terceiro, incluindo um Terceiro Controlador, que possua propósito comum, vinculação ou relação de dependência com o contrato que rege a Transferência Internacional de Dados;
(e) Controlador: Parte ou terceiro (“Terceiro Controlador”) a quem compete as decisões referentes ao tratamento de Dados Pessoais;
(f) Dado Pessoal: informação relacionada a pessoa natural identificada ou identificável;
(g) Dado Pessoal Sensível: dado pessoal sobre origem racial ou étnica, convicção religiosa, opinião política, filiação a sindicato ou a organização de caráter religioso, filosófico ou político, dado referente à saúde ou à vida sexual, dado genético ou biométrico, quando vinculado a uma pessoa natural;
(h) Eliminação: exclusão de dado ou de conjunto de dados armazenados em banco de dados, independentemente do procedimento empregado;
(i) Exportador: agente de tratamento, localizado no território nacional ou em país estrangeiro, que transfere dados pessoais para Importador;
(j) Importador: agente de tratamento, localizado em país estrangeiro ou que seja organismo internacional, que recebe dados pessoais transferidos por Exportador;
(k) Legislação Nacional: conjunto de dispositivos constitucionais, legais e regulamentares brasileiros a respeito da proteção de Dados Pessoais, incluindo a Lei nº 13.709, de 14 de agosto de 2018, o Regulamento de Transferência Internacional de Dados e outros atos normativos expedidos pela ANPD;
(l) Lei de Arbitragem: Lei nº 9.307, de 23 de setembro de 1996;
(m) Medidas de Segurança: medidas técnicas e administrativas adotadas para proteger os dados pessoais de acessos não autorizados e de situações acidentais ou ilícitas de destruição, perda, alteração, comunicação ou difusão;
(n) Órgão de Pesquisa: órgão ou entidade da administração pública direta ou indireta ou pessoa jurídica de direito privado sem fins lucrativos legalmente constituída sob as leis brasileiras, com sede e foro no País, que inclua em sua missão institucional ou em seu objetivo social ou estatutário a pesquisa básica ou aplicada de caráter histórico, científico, tecnológico ou estatístico;
(o) Operador: Parte ou terceiro, incluindo um Subcontratado, que realiza o tratamento de Dados Pessoais em nome do Controlador;
(p) Parte Designada: Parte do contrato designada, nos termos da Cláusula 4 (“Opção A”), para cumprir, na condição de Controlador, obrigações específicas relativas à transparência, direitos dos Titulares e comunicação de incidentes de segurança;
(q) Partes: Exportador e Importador;
(r) Solicitação de Acesso: solicitação de atendimento obrigatório, por força de lei, regulamento ou determinação de autoridade pública, para conceder acesso aos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas;
(s) Subcontratado: agente de tratamento contratado pelo Importador, sem vínculo com o Exportador, para realizar tratamento de Dados Pessoais após uma Transferência Internacional de Dados;
(t) Terceiro Controlador: Controlador dos Dados Pessoais que fornece instruções por escrito para a realização, em seu nome, da Transferência Internacional de Dados entre Operadores regida por estas Cláusulas, na forma da Cláusula 4 (“Opção B”);
(u) Titular: pessoa natural a quem se referem os Dados Pessoais que são objeto da Transferência Internacional de Dados regida por estas Cláusulas;
(v) Transferência: modalidade de tratamento por meio da qual um agente de tratamento transmite, compartilha ou disponibiliza acesso a Dados Pessoais a outro agente de tratamento;
(w) Transferência Internacional de Dados: transferência de Dados Pessoais para país estrangeiro ou organismo internacional do qual o país seja membro; e
(x) Transferência Posterior: transferência Internacional de Dados, originada de um Importador, e destinada a um terceiro, incluindo um Subcontratado, desde que não configure Solicitação de Acesso.
CLÁUSULA 7. Legislação aplicável e fiscalização da ANPD
7.1. A Transferência Internacional de Dados objeto das presentes Cláusulas submete-se à Legislação Nacional e à fiscalização da ANPD, incluindo o poder de aplicar medidas preventivas e sanções administrativas a ambas as Partes, conforme o caso, bem como o de limitar, suspender ou proibir as transferências internacionais decorrentes destas Cláusulas ou de um Contrato Coligado.
CLÁUSULA 8. Interpretação
8.1. Qualquer aplicação destas Cláusulas deve ocorrer de acordo com os seguintes termos:
(a) estas Cláusulas devem sempre ser interpretadas de forma mais favorável ao Titular e de acordo com as disposições da Legislação Nacional;
(b) em caso de dúvida sobre o significado de termos destas Cláusulas, aplica-se o significado que mais se alinha com a Legislação Nacional;
(c) nenhum item destas Cláusulas, incluindo-se aqui um Contrato Coligado e as disposições previstas na Seção IV, poderá ser interpretado com o objetivo de limitar ou excluir a responsabilidade de qualquer uma das Partes em relação a obrigações previstas na Legislação Nacional; e
(d) as disposições das Seções I e II prevalecem em caso de conflito de interpretação com Cláusulas adicionais e demais disposições previstas nas Seções III e IV deste instrumento ou em Contratos Coligados.
CLÁUSULA 9. Possibilidade de adesão de terceiros
9.1. Em comum acordo entre as Partes, é possível a um agente de tratamento aderir a estas Cláusulas na condição de Exportador ou de Importador, por meio do preenchimento e assinatura de documento escrito, que integrará o presente instrumento.
9.2. A parte aderente terá os mesmos direitos e obrigações das Partes originárias, conforme a posição assumida de Exportador ou Importador e de acordo com a categoria de agente de tratamento correspondente.
CLÁUSULA 10. Obrigações gerais das Partes
10.1. As Partes se comprometem a adotar e, quando necessário, demonstrar a adoção de medidas eficazes e capazes de comprovar a observância e o cumprimento das disposições destas Cláusulas e da Legislação Nacional e, inclusive, da eficácia dessas medidas e, em especial:
(a) utilizar os Dados Pessoais somente para as finalidades específicas descritas na Cláusula 2, sem possibilidade de tratamento posterior de forma incompatível com essas finalidades, observadas, em qualquer caso, as limitações, garantias e salvaguardas previstas nestas Cláusulas;
(b) garantir a compatibilidade do tratamento com as finalidades informadas ao Titular, de acordo com o contexto do tratamento;
(c) limitar o tratamento ao mínimo necessário para a realização de suas finalidades, com abrangência dos dados pertinentes, proporcionais e não excessivos em relação às finalidades do tratamento de Dados Pessoais;
(d) garantir aos Titulares, observado o disposto na Cláusula 4.
(d.1.) informações claras, precisas e facilmente acessíveis sobre a realização do tratamento e os respectivos agentes de tratamento, observados os segredos comercial e industrial;
(d.2.) consulta facilitada e gratuita sobre a forma e a duração do tratamento, bem como sobre a integralidade de seus Dados Pessoais; e
(d.3.) a exatidão, clareza, relevância e atualização dos Dados Pessoais, de acordo com a necessidade e para o cumprimento da finalidade de seu tratamento;
(e) adotar as medidas de segurança apropriadas e compatíveis com os riscos envolvidos na Transferência Internacional de Dados regida por estas Cláusulas;
(f) não realizar tratamento de Dados Pessoais para fins discriminatórios ilícitos ou abusivos;
(g) assegurar que qualquer pessoa que atue sob sua autoridade, inclusive subcontratados ou qualquer agente que com ele colabore, de forma gratuita ou onerosa, realize tratamento de dados apenas em conformidade com suas instruções e com o disposto nestas Cláusulas; e
(h) manter registro das operações de tratamento dos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas, e apresentar a documentação pertinente à ANPD, quando solicitado.
CLÁUSULA 11. Dados pessoais sensíveis
11.1. Caso a Transferência Internacional de Dados envolva Dados Pessoais sensíveis, as Partes aplicarão salvaguardas adicionais, incluindo medidas de segurança específicas e proporcionais aos riscos da atividade de tratamento, à natureza específica dos dados e aos interesses, direitos e garantias a serem protegidos, conforme descrito na Seção III.
CLÁUSULA 12. Dados pessoais de crianças e adolescentes
12.1. Caso a Transferência Internacional de Dados envolva Dados Pessoais de crianças e adolescentes, as Partes aplicarão salvaguardas adicionais, incluindo medidas que assegurem que o tratamento seja realizado em seu melhor interesse, nos termos da Legislação Nacional e dos instrumentos pertinentes de direito internacional.
CLÁUSULA 13. Uso legal dos dados
13.1. O Exportador garante que os Dados Pessoais foram coletados, tratados e transferidos para o Importador de acordo com a Legislação Nacional.
CLÁUSULA 14. Transparência
14.1. A Parte Designada publicará, em sua página na Internet, documento contendo informações facilmente acessíveis redigidas em linguagem simples, clara e precisa sobre a realização da Transferência Internacional de Dados, incluindo, pelo menos, informações sobre:
(a) a forma, a duração e a finalidade específica da transferência internacional;
(b) o país de destino dos dados transferidos;
(c) a identificação e os contatos da Parte Designada;
(d) o uso compartilhado de dados pelas Partes e a finalidade;
(e) as responsabilidades dos agentes que realizarão o tratamento;
(f) os direitos do Titular e os meios para o seu exercício, incluindo canal de fácil acesso disponibilizado para atendimento às suas solicitações e o direito de peticionar contra o Controlador perante a ANPD; e
(g) Transferências Posteriores, incluindo as relativas aos destinatários e à finalidade da transferência.
14.2. O documento referido no item 14.1. poderá ser disponibilizado em página específica ou integrado, de forma destacada e de fácil acesso, à Política de Privacidade ou documento equivalente.
14.3. A pedido, as Partes devem disponibilizar, gratuitamente, ao Titular uma cópia destas Cláusulas, observados os segredos comercial e industrial.
14.4. Todas as informações disponibilizadas aos titulares, nos termos destas Cláusulas, deverão ser redigidas na língua portuguesa.
CLÁUSULA 15. Direitos do Titular
15.1. O Titular tem direito a obter da Parte Designada, em relação aos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas, a qualquer momento, e mediante requisição, nos termos da Legislação Nacional:
(a) confirmação da existência de tratamento;
(b) acesso aos dados;
(c) correção de dados incompletos, inexatos ou desatualizados;
(d) anonimização, bloqueio ou eliminação de dados desnecessários, excessivos ou tratados em desconformidade com estas Cláusulas e com o disposto na Legislação Nacional;
(e) portabilidade dos dados a outro fornecedor de serviço ou produto, mediante requisição expressa, de acordo com a regulamentação da ANPD, observados os segredos comercial e industrial;
(f) eliminação dos Dados Pessoais tratados com o consentimento do Titular, exceto nas hipóteses previstas na Cláusula 20;
(g) informação das entidades públicas e privadas com as quais as Partes realizaram uso compartilhado de dados;
(h) informação sobre a possibilidade de não fornecer consentimento e sobre as consequências da negativa;
(i) revogação do consentimento mediante procedimento gratuito e facilitado, ratificados os tratamentos realizados antes do requerimento de eliminação;
(j) revisão de decisões tomadas unicamente com base em tratamento automatizado de dados pessoais que afetem seus interesses, incluídas as decisões destinadas a definir o seu perfil pessoal, profissional, de consumo e de crédito ou os aspectos de sua personalidade; e
(k) informações a respeito dos critérios e dos procedimentos utilizados para a decisão automatizada, observados os segredos comercial e industrial.
15.2. O titular pode opor-se a tratamento realizado com fundamento em uma das hipóteses de dispensa de consentimento, em caso de descumprimento ao disposto nestas Cláusulas ou na Legislação Nacional.
15.3. O prazo para atendimento às solicitações previstas nesta Cláusula e no item 14.3. é de 15 (quinze) dias contados da data do requerimento do titular, ressalvada a hipótese de prazo distinto estabelecido em regulamentação específica da ANPD.
15.4. Caso a solicitação do Titular seja direcionada à Parte não designada como responsável pelas obrigações previstas nesta Cláusula ou no item 14.3., a Parte deverá:
(a) informar ao Titular o canal de atendimento disponibilizado pela Parte Designada; ou
(b) encaminhar a solicitação para a Parte Designada o quanto antes, a fim de viabilizar a resposta no prazo previsto no item 15.2.
15.5. As Partes deverão informar, imediatamente, aos Agentes de Tratamento com os quais tenham realizado uso compartilhado de dados a correção, a eliminação, a anonimização ou o bloqueio dos dados, para que repitam idêntico procedimento, exceto nos casos em que esta comunicação seja comprovadamente impossível ou implique esforço desproporcional.
15.6. As Partes devem promover assistência mútua com a finalidade de atender às solicitações dos Titulares.
CLÁUSULA 16. Comunicação de Incidente de Segurança
16.1. A Parte Designada deverá comunicar à ANPD e aos Titulares, no prazo de 3 (três) dias úteis, a ocorrência de incidente de segurança que possa acarretar risco ou dano relevante para os Titulares, observado o disposto na Legislação Nacional.
16.2. O Importador deve manter o registro de incidentes de segurança nos termos da Legislação Nacional.
CLÁUSULA 17. Responsabilidade e ressarcimento de danos
17.1. A Parte que, em razão do exercício da atividade de tratamento de Dados Pessoais, causar dano patrimonial, moral, individual ou coletivo, em violação às disposições destas Cláusulas e da Legislação Nacional, é obrigada a repará-lo.
17.2. O Titular poderá pleitear a reparação do dano causado por quaisquer das Partes em razão da violação destas Cláusulas.
17.3. A defesa dos interesses e dos direitos dos Titulares poderá ser pleiteada em juízo, individual ou coletivamente, na forma do disposto na legislação pertinente acerca dos instrumentos de tutela individual e coletiva.
17.4. A Parte que atuar como Operador responde, solidariamente, pelos danos causados pelo tratamento quando descumprir as presentes Cláusulas ou quando não tiver seguido as instruções lícitas do Controlador, ressalvado o disposto no item 17.6.
17.5. Os Controladores que estiverem diretamente envolvidos no tratamento do qual decorreram danos ao Titular respondem, solidariamente, por estes danos, ressalvado o disposto no item 17.6.
17.6. Não caberá responsabilização das Partes se comprovado que:
(a) não realizaram o tratamento de Dados Pessoais que lhes é atribuído;
(b) embora tenham realizado o tratamento de Dados Pessoais que lhes é atribuído, não houve violação a estas Cláusulas ou à Legislação Nacional; ou
(c) o dano é decorrente de culpa exclusiva do Titular ou de terceiro que não seja destinatário de Transferência Posterior ou subcontratado pelas Partes.
17.7. Nos termos da Legislação Nacional, o juiz poderá inverter o ônus da prova a favor do Titular quando, a seu juízo, for verossímil a alegação, houver hipossuficiência para fins de produção de prova ou quando a produção de prova pelo Titular resultar-lhe excessivamente onerosa.
17.8. As ações de reparação por danos coletivos que tenham por objeto a responsabilização nos termos desta Cláusula podem ser exercidas coletivamente em juízo, observado o disposto na legislação pertinente.
17.9. A Parte que reparar o dano ao titular tem direito de regresso contra os demais responsáveis, na medida de sua participação no evento danoso.
CLÁUSULA 18. Salvaguardas para Transferência Posterior
18.1. O Importador somente poderá realizar Transferências Posteriores dos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas se expressamente autorizado, conforme as hipóteses e condições descritas na Cláusula 3.
18.2. Em qualquer caso, o Importador:
(a) deve assegurar que a finalidade da Transferência Posterior é compatível com as finalidades específicas descritas na Cláusula 2;
(b) deve garantir, mediante instrumento contratual escrito, que as salvaguardas previstas nestas Cláusulas serão observadas pelo terceiro destinatário da Transferência Posterior; e
(c) para fins destas Cláusulas, e em relação aos Dados Pessoais transferidos, será considerado o responsável por eventuais irregularidades praticadas pelo terceiro destinatário da Transferência Posterior.
18.3. A Transferência Posterior poderá, ainda, ser realizada com base em outro mecanismo válido de Transferência Internacional de Dados previsto na Legislação Nacional, independentemente da autorização de que trata a Cláusula 3.
CLÁUSULA 19. Notificação de Solicitação de Acesso
19.1. O Importador notificará o Exportador e o Titular sobre Solicitação de Acesso relacionada aos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas, ressalvada a hipótese de vedação de notificação pela lei do país de tratamento dos dados.
19.2. O Importador adotará as medidas legais cabíveis, incluindo ações judiciais, para proteger os direitos dos Titulares sempre que houver fundamento jurídico adequado para questionar a legalidade da Solicitação de Acesso e, se for o caso, a vedação de realizar a notificação referida no item 19.1.
19.3. Para atender às solicitações da ANPD e do Exportador, o Importador deve manter registro de Solicitações de Acesso, incluindo data, solicitante, finalidade da solicitação, tipo de dados solicitados, número de solicitações recebidas e medidas legais adotadas.
CLÁUSULA 20. Término do tratamento e eliminação dos dados
20.1. As Partes deverão eliminar os Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas após o término do tratamento, no âmbito e nos limites técnicos das atividades, autorizada a conservação apenas para as seguintes finalidades:
(a) cumprimento de obrigação legal ou regulatória pelo Controlador;
(b) estudo por Órgão de Pesquisa, garantida, sempre que possível, a anonimização dos Dados Pessoais;
(c) transferência a terceiro, desde que respeitados os requisitos previstos nestas Cláusulas e na Legislação Nacional; e
(d) uso exclusivo do Controlador, vedado seu acesso por terceiro, e desde que anonimizados os dados.
20.2. Para fins desta Cláusula, considera-se que o término do tratamento ocorrerá quando:
(a) alcançada a finalidade prevista nestas Cláusulas;
(b) os Dados Pessoais deixarem de ser necessários ou pertinentes ao alcance da finalidade específica prevista nestas Cláusulas;
(c) finalizado o período de tratamento;
(d) atendida solicitação do Titular; e
(e) determinado pela ANPD, quando houver violação ao disposto nestas Cláusulas ou na Legislação Nacional.
CLÁUSULA 21. Segurança no tratamento dos dados
21.1. As Partes deverão adotar medidas de segurança que garantam proteção aos Dados Pessoais objeto da Transferência Internacional de Dados regida por estas Cláusulas, mesmo após o seu término.
21.2. As Partes informarão, na Seção III, as Medidas de Segurança adotadas, considerando a natureza das informações tratadas, as características específicas e a finalidade do tratamento, o estado atual da tecnologia e os riscos para os direitos dos Titulares, especialmente no caso de dados pessoais sensíveis e de crianças e adolescentes.
21.3. As Partes deverão realizar os esforços necessários para adotar medidas periódicas de avaliação e revisão visando manter nível de segurança adequado às características do tratamento de dados.
CLÁUSULA 22. Legislação do país destinatário dos dados
22.1. O Importador declara que não identificou leis ou práticas administrativas do país destinatário dos Dados Pessoais que o impeçam de cumprir as obrigações assumidas nestas Cláusulas.
22.2. Sobrevindo alteração normativa que altere esta situação, o Importador notificará, de imediato, o Exportador para avaliação da continuidade do contrato.
CLÁUSULA 23. Descumprimento das Cláusulas pelo Importador
23.1. Havendo violação das salvaguardas e garantias previstas nestas Cláusulas ou a impossibilidade de seu cumprimento pelo Importador, o Exportador deverá ser comunicado imediatamente, ressalvado o disposto no item 19.1.
23.2. Recebida a comunicação de que trata o item 23.1 ou verificado o descumprimento destas Cláusulas pelo Importador, o Exportador adotará as providências pertinentes para assegurar a proteção aos direitos dos Titulares e a conformidade da Transferência Internacional de Dados com a Legislação Nacional e as presentes Cláusulas, podendo, conforme o caso:
(a) suspender a Transferência Internacional de Dados;
(b) solicitar a devolução dos Dados Pessoais, sua transferência a um terceiro, ou a sua eliminação; e
(c) rescindir o contrato.
CLÁUSULA 24. Eleição do foro e jurisdição
24.1. Aplica-se a estas Cláusulas a legislação brasileira e qualquer controvérsia entre as Partes decorrente destas Cláusulas será resolvida perante os tribunais competentes do Brasil, observado, se for o caso, o foro eleito pelas Partes na Seção IV.
24.2. Os Titulares podem ajuizar ações judiciais contra o Exportador ou o Importador, conforme sua escolha, perante os tribunais competentes no Brasil, inclusive naqueles localizados no local de sua residência.
24.3. Em comum acordo, as Partes poderão se valer da arbitragem para resolver os conflitos decorrentes destas Cláusulas, desde que realizada no Brasil e conforme as disposições da Lei de Arbitragem.
Seção III - Medidas De Segurança
O Importador e o Exportador possuem suas próprias políticas de segurança da informação documentadas, abrangendo a governança e a supervisão dos processos internos. Cada um também adota medidas de segurança técnicas e administrativas adequadas, conforme exigido pela LGPD. As medidas de segurança são detalhadas no Contrato, incluindo o SDPA ou IPA, conforme aplicável. |
O Importador e o Exportador possuem suas próprias políticas de segurança da informação documentadas, abrangendo a governança e a supervisão dos processos internos. Cada um também adota medidas de segurança técnicas e administrativas adequadas, conforme exigido pela LGPD. As medidas de segurança são detalhadas no Contrato, incluindo o SDPA ou IPA, conforme aplicável.
Seção IV - Cláusulas Adicionais e Anexos
Os termos em maiúsculas usados, mas não definidos nestas Cláusulas têm os significados atribuídos a eles no Contrato. Conforme disposto na Cláusula 24.1, o foro de eleição das Partes será aquele descrito no Contrato. |
Os termos em maiúsculas usados, mas não definidos nestas Cláusulas têm os significados atribuídos a eles no Contrato.
Conforme disposto na Cláusula 24.1, o foro de eleição das Partes será aquele descrito no Contrato.
STANDARD CONTRACTUAL CLAUSES
Section I - General Information
CLAUSE 1. Identification of the Parties
1.1. By this agreement, the Exporter and the Importer (hereinafter, “Parties”), identified below, have agreed to these standard contractual clauses (hereinafter, “Clauses”) approved by the National Data Protection Authority (ANPD), to govern the International Data Transfer described in Clause 2, in accordance with the provisions of the National Legislation.
Name: The Google entity that is a party to the Agreement (“Google”). For purposes of these Clauses, “Agreement” means the agreement between Exporter and Importer to which these Clauses are integrated. Qualification: As specified in the Agreement Main Address: As specified in the Agreement E-mail Address: As specified in the Agreement Contact for the Data Subject: The data subject can contact the data protection team here. Other information: Not applicable |
Name: The Google entity that is a party to the Agreement (“Google”). For purposes of these Clauses, “Agreement” means the agreement between Exporter and Importer to which these Clauses are integrated.
Qualification: As specified in the Agreement
Main Address: As specified in the Agreement
E-mail Address: As specified in the Agreement
Contact for the Data Subject: The data subject can contact the data protection team here.
Other information: Not applicable
Exporter / Processor
Name: Subprocessor Qualification: As specified in the Agreement Main Address: As specified in the Agreement E-mail Address: As specified in the Agreement Contact for the Data Subject: Contact details for the Importer are specified in the Agreement. Details about the Importer’s data protection officer or appropriate contact are available to the Exporter in the Agreement, including as specified in the Subprocessor Data Protection Addendum (“SDPA") or the Information Protection Addendum (“IPA") (as applicable). Other information: Not applicable |
Name: Subprocessor
Qualification: As specified in the Agreement
Main Address: As specified in the Agreement
E-mail Address: As specified in the Agreement
Contact for the Data Subject: Contact details for the Importer are specified in the Agreement. Details about the Importer’s data protection officer or appropriate contact are available to the Exporter in the Agreement, including as specified in the Subprocessor Data Protection Addendum (“SDPA") or the Information Protection Addendum (“IPA") (as applicable).
Other information: Not applicable
Importer / Processor
CLAUSE 2. Object
2.1. This Clauses shall apply to International Transfers of Personal Data between Data Exporters and Data Importers, as described below.
Description of the international data transfer: The Importer provides the Services to the Exporter in accordance with the Agreement.
Main purposes of the transfer: The Importer will process personal data to provide Services in accordance with the Agreement. Categories of personal data transferred: Transferred personal data may include, for example:
Transferred personal data may include Sensitive Personal Data. Period of data storage: The Importer will retain transferred personal data until its elimination in accordance with the provisions of the Agreement (including the SDPA or IPA, as applicable). Other information: Not applicable. |
Main purposes of the transfer: The Importer will process personal data to provide Services in accordance with the Agreement.
Categories of personal data transferred: Transferred personal data may include, for example:
Transferred personal data may include Sensitive Personal Data.
Period of data storage: The Importer will retain transferred personal data until its elimination in accordance with the provisions of the Agreement (including the SDPA or IPA, as applicable).
Other information: Not applicable.
CLAUSE 3. Onward Transfers
OPTION A. 3.1. The Importer may not carry out an Onward Transfer of Personal Data subject to the International Data Transfer governed by these Clauses, except in the cases provided for in item 18.3.
CLAUSE 4. Responsibilities of the Parties
4.1. Considering that both Parties act exclusively as Processors within the scope of the International Data Transfer governed by these Clauses, the Exporter declares and guarantees that the transfer is carried out in accordance with the written instructions provided by the Third Party Controller identified in the chart below.
Identification information of the Third-Party Controller: Customer or Reseller, as specified in the agreement between Google and its customer or partner/reseller (“Cloud Agreement") Name: Customer or Reseller, as specified in the Cloud Agreement Qualification: Customer or Reseller, as specified in the Cloud Agreement Main address: Customer or Reseller, as specified in the Cloud Agreement E-mail address: Customer or Reseller, as specified in the Cloud Agreement Contact for the Data Subject: Customer or Reseller, as specified in the Cloud Agreement Related Contract: Not applicable |
Identification information of the Third-Party Controller: Customer or Reseller, as specified in the agreement between Google and its customer or partner/reseller (“Cloud Agreement")
Name: Customer or Reseller, as specified in the Cloud Agreement
Qualification: Customer or Reseller, as specified in the Cloud Agreement
Main address: Customer or Reseller, as specified in the Cloud Agreement
E-mail address: Customer or Reseller, as specified in the Cloud Agreement
Contact for the Data Subject: Customer or Reseller, as specified in the Cloud Agreement
Related Contract: Not applicable
4.2. The Exporter shall be jointly liable for the damage caused by the International Data Transfer if it is carried out in breach of the obligations of the National Legislation or the lawful instructions of the Third-Party Controller, in which case the Exporter shall be deemed to the Controller, observing the provisions of Clause 17.
4.3. In the event of being deemed a Controlling Party as referred to in item 4.2, the Exporter shall be responsible for complying with the obligations set out in Clauses 14, 15 and 16.
4.4. With the exception of the provisions of items 4.2 and 4.3, the provisions of Clauses 14, 15 and 16 shall not apply to the Parties as Processors.
4.5. The Parties shall, in any event, provide all the information at their disposal that proves necessary for the Third-Party Controller to comply with ANPD’s determinations and to adequately fulfill the obligations provided for in the National Legislation relating to transparency, compliance with the rights of data subjets and the reporting of security incidents to ANPD.
4.6. The Parties shall promote mutual assistance in order to meet the requests of the Data Subject.
4.7. In the event of receiving a request from a Data Subject, the Party shall:
(a) respond to the request, when it has the necessary information;
(b) inform the Data Subject of the service channel provided by the Third-Party Controller; or
(c) forward the request to the Third-Party Controller as soon as possible, to enable a response within the period provided for in the National Legislation.
4.8. The Parties must keep a record of security incidents involving personal data, in accordance with national legislation.
Section II - Mandatory Clauses
CLAUSE 5. Purpose
5.1. These Clauses are presented as a mechanism to enable the secure international flow of personal data, establish minimum guarantees and valid conditions for carrying out the International Data Transfer and aim to guarantee the adoption of adequate safeguards for compliance with the principles, the rights of the Data Subject and the data protection regime provided for in National Legislation.
CLAUSE 6. Definitions
6.1. For the purposes of these Clauses, the definitions in art. 5 of LGPD, and art. 3 of the Regulation on the International Transfer of Personal Data shall be considered, without prejudice to other normative acts issued by ANPD. The Parties also agree to consider the terms and their respective meanings, as set out below:
(a) Processing agents: the controller and the processor;
(b) ANPD: National Data Protection Authority;
(c) Clauses: the standard contractual clauses approved by ANPD, which are part of Sections I, II and III;
(d) Related Contract: contractual instrument signed between the Parties or, at least, between one of them and a third -party, including a Third -Party Controller, which has a common purpose, link or dependency relationship with the contract that governs the International Data Transfer;
(e) Controller: Party or third-party (“Third Controller”) responsible for decisions regarding the processing of Personal Data;
(f) Personal Data: information related to an identified or identifiable natural person;
(g) Sensitive Personal Data: personal data on racial or ethnic origin, religious belief, political opinion, affiliation to trade unions or a religious, philosophical or political organization, data regarding health or sexual life, genetic or biometric data, whenever related to a natural person;
(h) Erasure: exclusion of data or dataset from a database, regardless of the procedure used;
(i) Exporter: processing agent, located in the national territory or in a foreign country, who transfers personal data to the Importer;
(j) Importer: processing agent, located in a foreign country who receives personal data from the Exporter;
(k) National Legislation: set of Brazilian constitutional, legal and regulatory provisions regarding the protection of Personal Data, including the LGPD, the International Data Transfer Regulation and other normative acts issued by ANPD;
(l) Arbitration Law: Law No. 9,307, of September 23, 1996;
(m) Security Measures: technical and administrative measures able to protect Personal Data from unauthorized access and from accidental or unlawful events of destruction, loss, alteration, communication or dissemination;
(n) Research Body: body or entity of the government bodies or associated entities or a non-profit private legal entity legally established under Brazilian laws, having their headquarter and jurisdiction in the Brazilian territory, which includes basic or applied research of historical, scientific, technological or statistical nature in its institutional mission or in its corporate or statutory purposes;
(o) Processor: Party or third party, including a Subprocessor, which processes Personal Data on behalf of the Controller;
(p) Designated Party: Party or a Third-Party Controller, under the terms of CLAUSE 4, designated to fulfill specific obligations regarding transparency Data Subjects’ rights and notifying security incidents;
(q) Parties: Exporter and Importer;
(r) Access Request: request for mandatory compliance, by force of law, regulation or determination of public authority, to grant access to the Personal Data subject to the International Data Transfer governed by these Clauses;
(s) Subprocessor: processing agent hired by the Importer, with no link with the Exporter, to process Personal Data after an International Data Transfer
(t) Third-Party Controller: Personal Data Controller who authorizes and provides written instructions for the carrying out of the International Data Transfer between Processors governed by these Clauses, on his behalf, pursuant to Clause 4 (“Option B”);
(u) Data Subject: natural person to whom the Personal Data which are subject to the International Data Transfer governed by these Clauses relate;
(v) Transfer: processing modality through which a processing agent transmits, shares or provides access to Personal Data to another processing agent;
(w) International Data Transfer: transfer of Personal Data to a foreign country or to an international organization which Brazil is a member of; and
(x) Onward Transfer: transfer of Personal Data, within the same country or to another country, by an Importer to a third-party, including a Subprocessor, provided that it does not constitute an Access Request.
CLAUSE 7. Applicable legislation and ANPD supervision
7.1. The International Data Transfer subject to these Clauses shall subject to the National Legislation and to the supervision of ANPD, including the power to apply preventive measures and administrative sanctions to both Parties, as appropriate, as well as the power to limit, suspend or prohibit the international transfers arising from this agreement or a Related Contract.
CLAUSE 8. Interpretation
8.1. Any application of these Clauses shall occur in accordance with the following terms:
(a) these Clauses shall always be interpreted more favorably to the Data Subject and in accordance with the provisions of the National Legislation;
(b) in case of doubt about the meaning of any term in these Clauses, the meaning which is most in line with the National Legislation shall apply;
(c) no item in these Clauses, including a Related Agreement and the provisions set forth in Section IV, shall be interpreted limiting or excluding the liability of any of the Parties in relation to obligations set forth in the National Legislation; and
(d) provisions of Sections I and II shall prevail in case of conflict of interpretation with additional clauses and other provisions set forth in Sections III and IV of this agreement or in Related Agreements.
CLAUSE 9. Docking Clause
9.1. By mutual agreement between the Parties, it shall be possible for a processing agent to adhere to these Clauses, either as a Data Exporter or as a Data Importer, by completing and signing a written document, which shall form part of this contract.
9.2. The acceding party shall have the same rights and obligations as the originating parties, according to the position assumed of Exporter or Importer and according to the corresponding category of treatment agent.
CLAUSE 10. General obligations of the Parties
10.1. The Parties undertake to adopt and, when necessary, demonstrate the implementation of effective measures capable of demonstrating observance of and compliance with the provisions of these Clauses and the National Legislation, as well as with the effectiveness of such measures, and, in particular:
(a) use the Personal Data only for the specific purposes described in Clause 2, with no possibility of subsequent processing incompatible with such purposes, subject to the limitations, guarantees and safeguards provided for in these Clauses;
(b) guarantee the compatibility of the processing with the purposes informed to the Data Subject, according to the processing activity context;
(c) limit the processing activity to the minimum required for the accomplishment of its purposes, encompassing pertinent, proportional and non-excessive data in relation to the Personal Data processing purposes;
(d) guarantee to the Data Subjects, subject to the provisions of Clause 4.
(d.1.) clear, accurate and easily accessible information on the processing activities and the respective processing agents, with due regard for trade and industrial secrecy;
(d.2.) facilitated and free of charge consultation on the form and duration of the processing, as well as on the integrity of their Personal Data; and
(d.3.) accuracy, clarity, relevance and updating of the Personal Data, according to the necessity and for compliance with the purpose of their processing;
(e) to adopt the appropriate security measures and compatible with the risks involved in the International Data Transfer governed by these Clauses;
(f) not to process Personal Data for abusive or unlawful discriminatory purposes;
(g) ensure that any person acting under their authority, including sub-processors or any agent who collaborates with them, whether for reward or free of charge, only processes data in compliance with their instructions and with the provisions of these Clauses
(h) keep a record of the Personal Data processing operations of the International Data Transfer governed by these Clauses, and submit the relevant documentation to ANPD, when requested.
CLAUSE 11. Sensitive personal data
11.1. If the International Data Transfer involves Sensitive Personal Data, the Parties shall apply additional safeguards, including specific Security Measures which are proportional to the risks of the processing activity, to the specific nature of the data and to the interests, rights and guarantees to be protected, as described in Section III.
CLAUSE 12. Personal data of children and adolescents
12.1. In case the International Data Transfer governed by these Clauses involves Personal Data concerning children and adolescents, the Parties shall implement measures to ensure that the processing is carried out in their best interest, under the terms of the National Legislation and relevant instruments of international law.
CLAUSE 13. Legal use of data
13.1. The Exporter guarantees that Personal Data has been collected, processed and transferred to the Importer in accordance with the National Legislation.
CLAUSE 14. Transparency
14.1. The Designated Party shall publish, on its website, a document containing easily accessible information written in simple, clear and accurate language on the conduction of the International Data Transfer, including at least information on:
(a) the form, duration and specific purpose of the international transfer;
(b) the destination country of the transferred data;
(c) the Designated Party's identification and contact details;
(d) the shared use of data by the Parties and its purpose;
(e) the responsibilities of the agents who conduct the processing;
(f) the Data Subject's rights and the means for exercising them, including an easily accessible channel made available to respond to their requests, and the right to file a petition against the Exporter and the Importer before ANPD; and
(g) Onward Transfers, including those relating to recipients and to the purpose of such transfer.
14.2. The document referred to in item 14.1. shall be made available on a specific website page or integrated, in a prominent and easily accessible format, to the Privacy Policy or equivalent document.
14.3. Upon request, the Parties shall make a copy of these Clauses available, to the Data Subject free of charge, complying with trade and industrial secrecy.
14.4. All information made available to Data Subjects, under the terms of these Clauses, shall be written in Portuguese.
CLAUSE 15. Rights of the data subject
15.1. The Data subject shall have the right to obtain from the Designated Party, as regards the Personal Data subject to the International Data Transfer governed by these Clauses, at any time, and upon request, under the terms of the National Legislation:
(a) confirmation of the existence of processing;
(b) access to data;
(c) correction of incomplete, inaccurate or outdated data;
(d) anonymization, blocking or erasure of unnecessary, or excessive data or data processed in noncompliance with these Clauses and the provisions of National Legislation;
(e) portability of data to another service or product provider, upon express request, in accordance with ANPD regulations, complying with trade and industrial secrecy;
(f) erasure of Personal Data processed under the Data Subject’s consent, except for the events provided in Clause 20;
(g) information on public and private entities with which the Parties have shared data;
(h) information on the possibility of denying consent and on the consequences of the denial;
(i) withdrawal of consent through a free of charge and facilitated procedure, remaining ratified the processing activities carried out before the request for elimination;
(j) review of decisions taken solely on the basis of automated processing of personal data affecting their interests, including decisions aimed at defining their personal, professional, consumer and credit profile or aspects of their personality; and
(k) information on the criteria and procedures adopted for the automated decision.
15.2. Data subject may oppose to the processing based on one of the events of waiver of consent, in case of non-compliance with the provisions of these Clauses or National Legislation.
15.3. The deadline for responding to the requests provided for in this Clause and in item 14.3. is 15 (fifteen) days from the date of the data subject's request, except in the event of a different deadline established in specific ANPD regulations.
15.4. In case the Data Subject’'s request is directed to the Party not designated as responsible for the obligations set forth in this Clause or in item 14.3., the referred Party shall:
(a) inform the Data Subject of the service channel made available by the Designated Party; or
(b) forward the request to the Designated Party as early as possible, to enable the response within the period provided in item 15.2.
15.5. The Parties shall immediately inform the Data Processing Agents with whom they have shared data with the correction, deletion, anonymization or blocking of the data, for them to follow the same procedure, except in cases where this communication is demonstrably impossible or involves a disproportionate effort.
15.6. The Parties shall promote mutual assistance to respond to the Data Subjects’ requests.
CLAUSE 16. Security Incident Reporting
16.1. The Designated Party shall notify ANPD and the Data Subject, within 3 (three) working days, of the occurrence of a security incident that may entail a relevant risk or damage to the Data Subjects, according to the provisions of National Legislation.
16.2. The Importer must keep a record of security incidents in accordance with National Legislation.
CLAUSE 17. Liability and compensation for damages
17.1. The Party which, when performing Personal Data processing activities, causes patrimonial, moral, individual or collective damage, for violating the provisions of these Clauses and of the National Legislation, shall compensate for it.
17.2. Data Subject may claim compensation for damage caused by any of the Parties as a result of a breach of these Clauses.
17.3. The defense of Data Subjects' interests and rights may be claimed in court, individually or collectively, in accordance with the provisions in relevant legislation regarding the instruments of individual and collective protection.
17.4. The Party acting as Processor shall be jointly and severally liable for damages caused by the processing activities when it fails to comply with these Clauses or when it has not followed the lawful instructions of the Controller, except for the provisions of item 17.6.
17.5. The Controllers directly involved in the processing activities which resulted in damage to the Data Subject shall be jointly and severally liable for these damages, except for the provisions of item 17.6.
17.6. Parties shall not be held liable if they have proven that:
(a) they have not carried out the processing of Personal Data attributed to them;
(b) although they did carry out the processing of Personal Data attributed to them, there was no violation of these Clauses or National Legislation; or
(c) the damage results from the sole fault of the Data Subject or of a third-party which is not a recipient of the Onward Transfer or not subcontracted by the Parties.
17.7. Under the terms of the National Legislation, the judge may reverse the burden of proof in favor of the Data Subject whenever, in his judgement, the allegation is credible, there is a lack of sufficient evidence or when the Data Subject would be excessively burdened by the production of evidence.
17.8. Judicial proceedings for compensation for collective damages which intend to establish liability under the terms of this Clause may be collectively conducted in court, with due regard for the provisions in relevant legislation.
17.9. The Party which compensates the damage to the Data Subject shall have a right of recourse against the other responsible parties, to the extent of their participation in the damaging event.
CLAUSE 18. Safeguards for Onward Transfers
18.1. The Importer shall only carry out Onward Transfers of Personal Data subject to the International Data Transfer governed by these Clauses if expressly authorized, in accordance with the terms and conditions described in Clause 3.
18.2. In any case, the Importer:
(a) shall ensure that the purpose of the Onward Transfer is compatible with the specific purposes described in Section 2;
(b) shall guarantee, by means of a written contractual instrument, that the safeguards provided in these Clauses shall be ensured by the third-party recipient of the Onward Transfer; and
(c) for the purposes of these Clauses, and regarding the Personal Data transferred, shall be considered responsible for any eventual irregularities committed by the third-party recipient of the Onward Transfer.
18.3. The Onward Transfer shall also be carried out based on another valid modality of International Data Transfer provided in National Legislation, regardless of the authorization referred to in Clause 3.
CLAUSE 19. Access Request Notification
19.1. The Importer shall notify the Exporter and the Data Subject of any Access Request related to the Personal Data subject to the International Data Transfer governed by these Clauses, except in the event that notification is prohibited by the law of the country in which the data is processed.
19.2. The Importer shall implement the appropriate legal measures, including legal actions, to protect the rights of the Data Subjects whenever there is adequate legal basis to question the legality of the Access Request and, if applicable, the prohibition of issuing the notification referred to in item 19.1.
19.3. To comply with both the ANPD’s and the Exporter’s requests, the Importer shall keep a record of Access Requests, including date, requester, purpose of the request, type of data requested, number of requests received, and legal measures implemented.
CLAUSE 20. Termination of processing and erasure of data
20.1. Parties shall erase the Personal Data subject to the International Data Transfer governed by these Clauses after the ending of their processing, being their storage authorized only for the following purposes:
(a) compliance with a legal or regulatory obligation by the Controller;
(b) study by a Research Body, guaranteeing, whenever possible, the anonymization of Personal Data;
(c) transfer to a third-party, upon compliance with requirements set forth in these Clauses and in the National Legislation; and
(d) exclusive use of the Controller, being the access by a third-party prohibited, and provided data have been anonymized.
20.2. For the purposes of this Clause, processing of personal data shall cease when:
(a) the purpose set forth in these Clauses has been achieved;
(b) Personal Data are no longer necessary or pertinent to attain the intended specific purpose set forth in these Clauses;
(c) at the termination of the treatment period;
(d) Data Subject's request is met; and
(e) at the order of ANPD, upon violation of the provisions of these Clauses or National Legislation.
CLAUSE 21. Data processing security
21.1. Parties shall implement Security Measures which guarantee sufficient protection of the Personal Data subject to the International Data Transfer governed by these Clauses, even after its termination.
21.2. Parties shall inform, in Section III, the Security Measures implemented, considering the nature of the processed information, the specific characteristics and the purpose of the processing, the technology current state and the probability and severity of the risks to the Data Subjects’ rights, especially in the case of sensitive personal data and that of children and adolescents.
21.3. The Parties shall make the necessary efforts to implement periodic evaluation and review measures to maintain the appropriate level of data security.
CLAUSE 22. Legislation of country of destination
22.1. The Importer declares that it has not identified any laws or administrative practices of the country receiving the Personal Data that prevent it from fulfilling the obligations assumed in these Clauses.
22.2. In the event of a regulatory change which alters this situation, the Importer shall immediately notify the Exporter to assess the continuity of the contract.
CLAUSE 23. Non-compliance with the Clauses by the Importer
23.1. In the event of a breach in the safeguards and guarantees provided in these Clauses or being the Importer unable to comply with any of them, the Exporter shall be immediately notified, subject to the provisions in item 19.1.
23.2. Upon receiving the communication referred to in item 23.1 or upon verification of non-compliance with these Clauses by the Importer, the Exporter shall implement the relevant measures to ensure the protection of the Data Subjects' rights and the compliance of the International Data Transfer with the National Legislation and these Clauses, and may, as appropriate:
(a) suspend the International Data Transfer;
(b) request the return of the Personal Data, its transfer to a third-party, or its erasure; and
(c) terminate the contract.
CLAUSE 24. Choice of forum and jurisdiction
24.1. Brazilian legislation applies to these Clauses and any controversy between the Parties arising from these Clauses shall be resolved before the competent courts in Brazil, observing, if applicable, the forum chosen by the Parties in Section IV.
24.2. Data Subjects may file lawsuits against the Exporter or the Importer, as they choose, before the competent courts in Brazil, including those in their place of residence.
24.3. By mutual agreement, Parties may use arbitration to resolve conflicts arising from these Clauses, provided that the procedure is carried out in Brazil and in accordance with the provisions of the Arbitration Law.
Section III - Security Measures
Importer and Exporter each maintains a documented information security policy, covering governance and supervision of internal processes, and adopts adequate technical and administrative security measures, as required by LGPD and as further detailed in the Agreement, including the SDPA or the IPA (as applicable). |
Importer and Exporter each maintains a documented information security policy, covering governance and supervision of internal processes, and adopts adequate technical and administrative security measures, as required by LGPD and as further detailed in the Agreement, including the SDPA or the IPA (as applicable).
Section IV - Additional Clauses and Annexes
Unless defined in Clause 6 above, capitalized terms used but not defined in these Clauses have the meanings given to them in the Agreement. As provided in Clause 24.1, the chosen venue will be as described in the Agreement. |
Unless defined in Clause 6 above, capitalized terms used but not defined in these Clauses have the meanings given to them in the Agreement.
As provided in Clause 24.1, the chosen venue will be as described in the Agreement.