Data Processing Addendum ("DPA")
This agreement is made between Customer who is Party to the Master Access Agreement and, if applicable, the SOW (“Customer”) and dscout, Inc., a company constituted under the laws of the state of Delaware in the United States with an address at 222 N LaSalle Street, Suite 650, Chicago IL 60601 (“dscout”) (together, the “Parties”).
WHEREAS the Parties have entered into a Master Access Agreement (the “Agreement”);
In consideration of the ongoing obligations of the parties under applicable data protection laws and under the Agreements referred to above, the parties agree as follows:
1. DATA PROTECTION
1.1 Each Party shall comply with the obligations imposed on such Party by applicable data protection laws, including the EU General Data Protection Regulation and EU member states’ laws implementing the same, and the California Consumer Privacy Act (“Data Protection Legislation”) to the extent that those obligations are applicable to performing the obligations under the Agreement and the data processed in connection with such Agreement.
1.2 The terms "Data Controller", “Business,” “Data Processor,” “Service Provider,” "Data Subject", “Personal Data Breach,” and "Personal Data" shall be interpreted in accordance with the applicable Data Protection Legislation. For the purpose of this DPA, Personal Data includes “Personal Information” as defined by applicable Data Protection Legislation. All other terms are defined in the Agreement, as applicable.
1.3 “2021 Standard Contractual Clauses” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_... and completed as described in the “Data Transfer” section below.
1.4 “UK SCCs” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/), completed as set forth in “Data Transfers” below.
2. ROLES OF THE PARTIES
2.1 The Parties agree that each party acts as an independent Data Controller or Business with respect to Personal Data provided by Scouts and data collected from Scouts through the dscout Platform, including but not limited to Scout Profile Information, Screener Data and Mission Entries (collectively, “Scout Data”) for the purposes of the Data Protection Legislation. Scout Data is not “transferred” to dscout by Customer.
2.2 With respect to Scout information, such as name and email address, that is provided directly by Customer or Customer employee information provided by Customer solely to enable access to the dscout platform (together, “Customer Data”), dscout shall act as a Data Processor or a Service Provider.
2.2 Each Party represents, warrants and undertakes to the other that they have complied and shall at all times continue to comply with, all obligations imposed on them by the Data Protection Legislation.
2.3 No Party shall take any action or make any omission in relation to Personal Data which would cause the other Party to breach its obligations under the Data Protection Legislation.
3. DATA CONTROLLER OBLIGATIONS
3.1 Data Incidents: Each Party shall notify the other promptly without undue delay and in any event within 48 hours of becoming aware of any loss or unauthorized access to Personal Data of the other (a “breach”) and provide reasonable assistance to the other in order to address such breach.
3.2 Data Subject Requests: Each Party shall be responsible for responding to and, if required, complying with, any data subject requests to exercise rights under Data Protection Legislation with respect to Personal Data over which it is a Controller, or a request purporting to exercise such rights, (collectively, a “Request”), or a complaint related to the Processing of such data. Without limiting the foregoing:
3.2.1 Where either Party knowingly receives a Request relating to Personal Data processed under the Agreement and over which the other Party is a Controller, the Party shall notify the other Party as soon as reasonably practical and in any event within three (3) business days of the Request and permit such other Party to manage the response with respect to the Personal Data in such other Party’s possession.
3.3 Supervisory Requests: Each Party shall provide reasonable assistance to and cooperation with the other Party for their consultation with supervisory authorities in relation to the transfer, control, and processing of Personal Data involved in this Agreement.
4. DATA PROCESSOR OBLIGATIONS
Data Processor shall, in relation to Customer Data containing Personal Data processed in connection with the performance of its obligations under this DPA:
4.1 process that Customer Data only on the documented written instructions of the Customer, which includes this DPA and the Master Access Agreement, unless the Data Processor is required by applicable laws to otherwise process that personal data in which case Data Processor shall, unless legally prohibited, promptly notify the Customer of this before performing the processing required by the applicable laws;
4.2 ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Data;
4.3 ensure that all personnel who have access to and/or process Customer Data are obliged to keep the Customer Data confidential;
4.4 not transfer any Customer Data outside of the European Economic Area and the United Kingdom unless either: the Commission has decided, in accordance with Article 45 of the General Data Protection Regulation ((EU) 2016/679), that the third country (or sector thereof), territory, or international organisation to which personal data is to be transferred, ensures an adequate level of protection; or pursuant to a transfer mechanism that is compliant with Data Protection Legislation, which may include but is not limited to approved Standard Contractual Clauses;
4.5 assist the Customer, at the Customer’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
4.6 notify the Customer without undue delay, and where practicable, within 48 hours, on becoming aware of a breach of Customer Data;
4.7 at the written direction of the Customer, delete or return Customer Data and copies thereof to the Customer on termination of the DPA unless required by applicable law to store the Customer Data;
4.8 maintain complete and accurate records and information to demonstrate its compliance with this Section 4 and allow for audits by the Customer or the Customer’s designated auditor, only so far as is necessary in order to demonstrate compliance and no more than once a year, provided that the Customer: provides no less than 30 days’ written notice of such audit or inspection; and the parties agree the scope, duration, and purpose of such audit or inspection in advance. Customer shall conduct its audit in a manner that will result in minimal disruption to Data Processor’s business operations and shall not be entitled to receive data or information of other clients of Data Processor or any other confidential information of Data Processor that is not directly relevant for the authorized purposes of the audit. If the Customer becomes privy to any confidential information of the Data Processor as a result of this Section, the Customer shall hold such confidential information in confidence and, unless required by law, not make the confidential information available to any third party, or use it for any other purpose. The Customer acknowledges that the Data Processor shall only be required to use reasonable endeavors to assist the Data Controller in procuring access to any third-party assets, records or information as part of any audit; and
4.9 inform the Customer immediately if, in the Data Processor’s opinion, an instruction from the Customer infringes (or, if acted upon, might cause an infringement of) the Data Protection Legislation.
4.10 Third-party processors
4.10.1 Customer acknowledges and consents generally to the appointment by the Data Processor of third parties as sub-processors of the Customer Data being processed under this DPA.
4.10.2 Data Processor confirms that: (a) it shall impose on all sub-processors the same data protection obligations as set out in Section 4; and (b) the Data Processor shall remain fully liable for the actions of its sub-processors’ processing of Personal Data in connection with the Agreement.
4.10.3 Data Processor shall give the Customer notice of the appointment of any new sub-processors. Customer may reasonably object to such appointment within ten (10) U.S. business days of such notice. If Customer objects to such changes, Customer will give Data Processor the opportunity to make a change in the service or recommend a commercially reasonable change to Customer’s configuration to avoid processing of personal data by the objected-to new subprocessor without unreasonably burdening Customer.
5. DATA TRANSFER
5.1 With respect to processing pursuant to Section 2.2 and to the extent legally required and when a legal derogation or a data transfer framework does not apply, with respect to Personal Data transferred from the EEA and Switzerland, the parties are deemed to have signed the 2021 Standard Contractual Clauses, which are incorporated by reference and will be deemed completed as set forth below.
- 5.1.1 Module 2 of the 2021 Standard Contractual Clauses applies;
- 5.1.2 Clause 7 (the optional docking clause) is not included;
- 5.1.3 Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The initial list of sub-processors is provided upon request. dscout shall update that list and provide notice to Customer at least ten (10) days in advance of any intended additions or replacements of sub-processors.
- 5.1.4 Under Clause 11, the optional language does not apply;
- 5.1.5 Under Clause 17, the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the laws of Ireland;
- 5.1.6 Under Clause 18, the parties select the courts of Ireland;
- 5.1.7 Annexes I and II of the 2021 Standard Contractual Clauses are set forth below.
- 5.1.8 With respect to transfers of Personal Data that are subject to the Switzerland Federal Act on Data Protection (“FADP”):
- 5.1.8.1.1 References to the GDPR are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP.
- 5.1.8.1.2 The term “member state” shall not be interpreted to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).
- 5.1.8.1.3 References to personal data in the 2021 Standard Contractual Clauses also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
- 5.1.8.1.4 Under Annex I(C): Where the transfer is subject exclusively to the FADP, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner. Where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the 2021 Standard Contractual Clauses insofar as the transfer is governed by the GDPR.
5.2 Data Transfers Outside of the United Kingdom. With respect to processing pursuant to Section 2.2 and to the extent legally required and when a legal derogation or a data transfer framework does not apply, with respect to Personal Data transferred from the United Kingdom (UK), for which UK Data Protection Law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:
- 5.2.1 Table 1 of the UK SCCs:
- 5.2.1.1.1 The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Annex I.
- 5.2.1.1.2 The Key Contact shall be the contacts set forth in Annex I.
5.2.2 Table 2 of the UK SCCs: The Approved 2021 Standard Contractual Clauses as executed by the Parties.
5.2.3 Table 3 of the UK SCCs: Annex 1A, 1B, and II shall be set forth in Annex I. Annex III is inapplicable.
5.2.4 Table 4 of the UK SCCs: dscout may end this DPA as set out in Section 19 of the UK SCCs.
5.2.5 By entering into this DPA, the Parties are deemed to be signing the UK SCCs and its applicable Tables and Appendix Information.
Any data transferred under Section 2.1 shall be governed by the data transfer provisions in the Master Access Agreement.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): The entity identified as “Customer” in the Agreement, and if applicable, the SOW.
Address: The address for Customer associated as specified in the Agreement, and if applicable, the SOW.
Contact person’s name, position and contact details: The contact details associated with Customer’s account, or as specified in the Agreement, and if applicable, the SOW.
Activities relevant to the data transferred under these Clauses: The activities specified in the Agreement.
Signature and date: By using the Platform, the data exporter will be deemed to have signed this Annex I.
Role (controller / processor): Controller
Data importer(s): dscout as identified in the Agreement.
Address: The address for dscout is specified in the Agreement.
Contact person’s name, position and contact details: The contact details for dscout specified in the Agreement and if applicable, the SOW.
Activities relevant to the data transferred under these Clauses: The activities specified in the Agreement.
Signature and date: By using the Platform, the data importer will be deemed to have signed this Annex I.
Role (controller / processor): Processor for Customer Data
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- Customer Data: Scouts and/or Customer Employees
Categories of personal data transferred
- Customer Data: Employee contact information (e.g., name, email address) and, if provided directly by Customer to invite Scout to the service, Scout contact information (e.g., name and email address).
Sensitive data transferred (if applicable) and applied restrictions.
- N/A
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- In accordance with Customer’s instructions.
Nature of the processing
- As set forth in the Agreement and DPA.
Purpose(s) of the data transfer and further processing
- To provide the Platform as set forth in the Agreement and DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- In accordance with Customer’s instructions and/or as set forth in the Agreement and DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- As set forth in the Agreement and DPA.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Irish Data Protection Commission
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA