2. Details Of The Processing
3. Processing Of Client Personal Data
5. Appointment Of Sub-Processors
7. Personal Data Breaches
8. Deletion or Return of Client Personal Data
10. Limitation of Liability
Annex A - EU Annex
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1 - Definitions
For the purposes of the Clauses:
Clause 2 - Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3 - Third-party beneficiary clause
Clause 4 - Obligations of the data exporter
The data exporter agrees and warrants:
Clause 5 - Obligations of the data importer
The data importer agrees and warrants:
Clause 6 - Liability
Clause 7 - Mediation and jurisdiction
Clause 8 - Cooperation with supervisory authorities
Clause 9 - Governing Law
Clause 10 - Variation of the contract
Clause 11 - Subprocessing
Clause 12 - Obligation after the termination of personal data processing services
Appendix 1 - To the Standard Contractual Clauses
Appendix 2 - To the Standard Contractual Clauses
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Technical and Organizational Security Measures
The data importer uses Amazon Web Services (“AWS”) for processing and storing of data. Data on AWS is only accessible when the data exporter requests it. All AWS security and data privacy compliance can be reviewed at https://aws.amazon.com/compliance/programs/. The use of AWS provides the data importer with an industry-leading environment for the protection of its customers’ data.
Data processing systems shall be prevented from being used without authorization. All systems are protected by the use of personally identifiable access keys that are expired on employee change of role or departure from the organization.
Persons authorized to use a data processing system have access only to those data they are authorized to access, and personal data cannot be read, copied, altered or removed without authorization during processing, use and after recording.
Personal data cannot be read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media, and it is possible to ascertain and check to which bodies personal data are to be transferred using data transmission facilities. As the systems are located in Amazon Web Services, the data importer has no direct access to any of the physical media on which the personal data is stored. AWS compliance with physical media protection standards can be viewed at https://aws.amazon.com/compliance/programs/.
Personal data processed on behalf of a data exporter are processed strictly in compliance with the data exporter’s instructions. Data importer shall encrypt all personal data that it possesses, including electronic messages and attachments, strictly in compliance with the data exporter’s instructions.
Data must be protected against accidental destruction or loss.
Data collected for different purposes can be processed separately.
Any personnel of data importer entrusted with processing data exporter’s personal data have undertaken to comply with the principle of confidentiality in accordance with statutory law. The undertaking to confidentiality shall continue after the termination of the above-entitled activities. Prior to providing access to personal data, the data processor shall train its personnel concerning the implementation of, compliance with and enforcement of, the data processor’s security program and the handling of the personal data.
The technical and organizational security measures are subject to technical progress and development, and data importer may implement adequate alternative measures. Any material changes to technical and organizational measures must be documented. Data importer must provide data exporter with reasonable information in order to support data exporter’s reporting upon written request by the data exporter. Data importer will provide to data exporter any security assessments/certifications previously performed (and if data importer has not previously performed security assessments/certifications, it shall perform and provide such assessments/certifications at data exporter’s request).