ProSciento Data Processing Addendum

PROSCIENTO DATA PROCESSING ADDENDUM – SERVICE PROVIDERS

Jurisdiction Specific Terms (as of 12 March 2024)

These Jurisdiction Specific Terms (including its Appendix 1) are an integral part of the ProSciento Data Processing Addendum for Service Providers (“Addendum”). Capitalized terms which are used but not defined in this document shall have the meaning given to those terms in the Addendum. By signing the Addendum, the Parties have agreed to comply with these Jurisdiction Specific Terms which apply to the extent that the Service Provider Processes ProSciento Personal Data originating from, or protected by, Applicable Data Protection Laws in one of the jurisdictions identified herein. 

1. Argentina

  • 1.1. Applicability. Wherever the Processing pursuant to this Addendum falls within the scope of the Argentine Republic’s Personal Data Protection Law 25,326, Regulatory Decree 1558/2001, or any other corresponding decrees, regulations, or guidance governing the Processing of Personal Data in Argentina (collectively “Argentine Data Protection Laws”), the provisions of this Addendum and this Section shall apply to such Processing.
  • 1.2. Restricted Transfers. With regards to any Restricted Transfer subject to Argentine Data Protection Laws between the Parties one of the following transfer mechanism shall apply, in the following order of precedence:
    • (a) A valid adequacy decision adopted by the Argentine National Bureau of Personal Data Protection (“NBPDP”);
    • (b) the appropriate Standard Contractual Clauses, as promulgated by the NDPDP from time to time; or
    • (c) Any other lawful data transfer mechanism, as laid down in Argentine Data Protection Laws.
  • 1.3. Standard Contractual Clauses.
    • (a) Where it is necessary to do so, this Addendum incorporates by reference the Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in its entirety.
    • (b) The Parties agree that any references to annexures within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated Standard Contractual Clauses as may be applicable from time to time pursuant to the Addendum.
    • (c) For the purposes of the annexures to Annex II of the Standard Contractual Causes promulgated by the NDPDP in its Provision 60-E/2016 (“Argentine SCCs”) and any substantially similar SCCs which may be adopted by the relevant authorities in the future, the content of Annex A of the Argentine SCCs is set forth in Exhibit A.
    • (d) In cases where Annex II of the Standard Contractual Clauses applies and there is a conflict between the terms of this Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted Transfer in question.
  • 1.4. Termination. Upon termination of the Agreement, Service Provider shall destroy all Personal Data it has Processed on behalf of ProSciento after the end of the provision of Services relating to the Processing and destroy all copies of the Personal Data unless applicable law requires or permits storage of such Personal Data.

2. Australia

When applicable, the Processing of ProSciento Personal Data shall be compliant with the Australian Privacy Principles, the Australian Privacy Act (1988), or any other applicable law, regulation, or decree of Australia pertaining to the protection of such information.

3. Brazil

When applicable, the Processing of ProSciento Personal Data shall be compliant with Brazil’s Lei Geral de Proteção de Dados, Law No. 13.709 of 14 August 2018 and any corresponding decrees, regulations, or guidance.

4. Bulgaria

  • 4.1. Applicability. Wherever the Processing pursuant to this Addendum falls within the scope of Bulgaria’s Personal Data Protection Act (as amended in November 2019), or any other corresponding decrees, regulations, or guidance, the provisions of this Addendum and this Section shall apply to such Processing.
  • 4.2. General. Service Provider shall:
    • (a) return to ProSciento any Personal Data Processed pursuant to this Addendum within a period of one month after having become aware of any Personal Data that has been disclosed (i) without a legal basis pursuant Article 6 (1) of the GDPR, or (ii) contrary to the principles under Article 5 of the GDPR; or, if this is impossible or would involve disproportionate efforts, erase or destroy the Personal Data; and
    • (b) if the Personal Data is erased or destroyed in accordance with Section 4.2(a) of these Jurisdiction Specific Terms above, document such erasure and destruction.

5. Canada

When applicable, the Processing of ProSciento Personal Data shall be compliant with the Canadian Federal Personal Information Protection and Electronic Documents Act and any other applicable Canadian privacy or data protection laws.

6. Colombia

  • 6.1. Applicability. Wherever the Processing pursuant to this Addendum falls within the scope of Colombia’s Data Protection Law No. 1581 of 2012 (“Data Protection Law No. 1581”), Data Protection Decree No. 1377 of 2013 (“Data Protection Decree”), and any corresponding decrees, regulations, or guidance (collectively “Colombian Data Protection Laws”), the provisions of this Addendum and this Section shall apply to such Processing.
  • 6.2. General. Service Provider shall comply with all requirements applicable to Processors under the Columbian Data Protection Laws, including but not limited to obligations under Article 18 of Data Protection Law No. 1581 and Articles 11, 23, and 25 of the Data Protection Decree. Service Provider shall also comply with ProSciento’s Information Processing Policy, if any.
  • 6.3. This Addendum sets out the additional required contractual elements under Article 25 of the Data Protection Decree, such as the scope of Processing, the activities that Service Provider is authorized to perform on ProSciento’s behalf, Service Provider’s obligations relative to ProSciento and Data Subjects, and Service Provider’s obligations to safeguard the security and confidentiality of Personal Data.

7. European Economic Area

  • 7.1. Definitions
    • (a) “EEA” means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.
    • (b) “EEA Data Protection Laws” means the EU GDPR and all laws and regulations of the EU and the EEA countries applicable to the Processing of ProSciento Personal Data.
    • (c) “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time.
    • (d) “EU 2021 Standard Contractual Clauses” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • 7.2. Restricted Transfers. With regard to any Restricted Transfer subject to EEA Data Protection Laws one of the following transfer mechanisms shall apply, in the following order of precedence:
    • (a) A valid adequacy decision adopted by the European Commission on the basis of Article 45 of the EU GDPR ;
    • (b) The appropriate Standard Contractual Clauses adopted by the European Commission from time to time; or
    • (c) Any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws, as the case may be.
  • 7.3. Standard Contractual Clauses:
    • (a) This Addendum hereby incorporates by reference the Standard Contractual Clauses. The Parties are deemed to have accepted, executed, and signed the Standard Contractual Clauses where necessary in their entirety (including the annexures thereto)
    • (b) The Parties agree that any references to clauses, annexures, modules, and choices within the Standard Contractual Clauses shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated Standard Contractual Clauses as may be applicable from time to time pursuant to this Addendum.
    • (c) For the purposes of the the EU 2021 Standard Contractual Clauses and any substantially similar Standard Contractual Clauses which may be adopted by the relevant authorities in the future:
      • i. the Parties agree to apply the following module[s]:
        • (A) Module Two with respect to Controller-to-Processor Restricted Transfers;
        • (B) Module Three with respect to Processor-to-Sub-Processor Restricted Transfers; and
        • (C) Module Four with respect to Processor-to-Controller Restricted Transfers;
      • ii. Clause 7: The Parties choose not to include the optional docking clause.
      • iii. Clause 9(a): The Parties choose Option 1, “Specific Authorization” and the time period set forth in Section 6.3 of this Addendum. The procedures for designation and notification of new Contracted Processors are set forth in more detail in Section 6 of this Addendum.
      • iv. Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body.
      • v. Clause 13 (Annex I.C): The competent Supervisory Authority is the Data Protection Commission of Ireland.
      • vi. Clause 17: The clauses shall be governed by the laws of the Republic of Ireland.
      • vii. Clause 18: The Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Republic of Ireland.
      • viii. Annex I(A and B): The content of Annex I(A) is set forth in Part A of Exhibit A.
      • ix. Annex II: The content of Annex II is set forth in Appendix I to Exhibit A.
      • x. Annex III: The contents of Annex III is set out in Appendix II to Exhibit A.
      • 7.4. The terms contained in Appendix I to the Jurisdiction Specific Terms supplement the Standard Contractual Clauses.
      • 7.5. In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of this Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted Transfer in question.

8. Israel

  • 8.1. Applicability. Wherever the Processing pursuant to this Addendum falls within the scope of Israel’s Protection of Privacy Law, 1981, the Protection of Privacy Regulations (Data Security) 5777-2017, and any corresponding decrees, regulations, or guidance (collectively “Israeli Data Protection Laws”), the provisions of this Addendum and this Section shall apply to such Processing.
  • 8.2. Deletion or Return of Personal Data. After returning or deleting ProSciento Personal Data pursuant to Section 10 of the Addendum, Service Provider shall provide ProSciento with written confirmation that it no longer possesses any ProSciento Personal Data.
  • 8.3. General. Service Provider shall notify ProSciento, at least once annually (and in a format to be agreed upon by the Parties), on the manner in which Service Provider has implemented its obligations in the Addendum.

9. Singapore

  • 9.1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of Singapore’s Personal Data Protection Act 2012, Personal Data Protection (Amendment) Bill 2020, Personal Data Protection Regulations 2021, and any corresponding decrees, regulations, or guidance, the provisions of the Addendum and this Section shall apply to such Processing.
  • 9.2. Retention of Personal Data. Service Provider shall not retain ProSciento Personal Data (or any documents or records containing ProSciento Personal Data, electronic or otherwise) for any period of time longer than is necessary to serve the purposes of the Agreement.]
  • 9.3. Deletion or Return of Personal Data. After returning or deleting ProSciento Personal Data pursuant to Section 10 of the Addendum, Service Provider shall provide ProSciento with written confirmation that it no longer possesses any ProSciento Personal Data.

10. Switzerland

  • 10.1 Definitions
    • (a) “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.
    • (b) “Swiss Data Protection Laws” includes the Federal Act on Data Protection as amended (“FADP”) and the Ordinance to the Federal Act on Data Protection.
  • 10.2 Restricted Transfers. With regard to any Restricted Transfer subject to Swiss Data Protection Laws between the Parties one of the following transfer mechanisms shall apply, in the following order of precedence:
    • (a) a valid adequacy decision adopted by the FDPIC on the basis of Article 6 of the FADP;
    • (b) the Standard Contractual Clauses adopted by the FDPIC; or
    • (c) any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.
  • 10.3 Standard Contractual Clauses:
    • (a) This Addendum hereby incorporates by reference the EU 2021 Standard Contractual Clauses, which have been adopted for use by the FDPIC with certain modifications. The Parties are deemed to have accepted, executed, and signed the EU 2021 Standard Contractual Clauses where necessary in their entirety (including the annexures thereto).
    • (b) The Parties incorporate and adopt the EU 2021 Standard Contractual Clauses for Restricted Transfers subject to Swiss Data Protection Laws in the same manner set forth in Section 7.3 of these Jurisdiction Specific Terms, subject to the following:
      • i. Clause 13 (Annex I.C): The competent authority shall be the FDPIC. Nothing about the Parties’ designation of the competent Supervisory Authority shall be interpreted to preclude Data Subjects in Switzerland from applying to the FDPIC for relief.
      • ii. Clause 17: The clauses shall be governed by the laws of Switzerland.
      • iii. Clause 18: The Parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of Switzerland. The Parties’ selection of forum may not be construed as forbidding Data Subjects habitually resident in Switzerland from suing for their rights in Switzerland.
      • iv. References to “Regulation (EU) 2016/679” and specific articles therein shall be replaced with references to the FADP and the equivalent articles or sections therein, insofar as there any Restricted Transfers subject to Swiss Data Protection Laws.
  • 10.4 In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of this Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall prevail with regard to the Restricted Transfer in question.

11. United Kingdom

  • 11.1. Definitions
    • (a) “UK Data Protection Laws” (as used in this Section) includes the Data Protection Act 2018 and the UK GDPR (as defined below).
    • (b) “UK GDPR” (as used in this Section) means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
    • (c) “UK ICO” (as used in this Section) means the UK Information Commissioner’s Office.
    • (d) “UK IDTA (as used in this Section) means the International Data Transfer Agreement issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.
  • 11.2. Restricted Transfers. With regard to any Restricted Transfer subject to UK Data Protection Lawsone of the following transfer mechanisms shall apply, in the following order of precedence:
    • (a) A valid adequacy decision adopted pursuant to Article 45 of the UK GDPR;
    • (b) The UK IDTA;
    • (c) Any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws, as the case may be.
  • 11.3. UK IDTA:
    • (a) This Addendum hereby incorporates by reference the UK IDTA. The Parties are deemed to have accepted, executed, and signed the UK IDTA where necessary in its entirety.
    • (b) For the purposes of the tables to the UK IDTA:
      • i. Table 1: The information required by Table 1 appears within Part A of Exhibit A.
      • ii. Table 2:
        • (A) The UK IDTA, shall be governed by the laws of England and Wales.
        • (B) The Parties agree that any dispute arising from the UK IDTA shall be resolved by the courts of England and Wales.
        • (C) The Parties’ controllership and data transfer roles are set out in Part A of Exhibit A.
        • (D) The UK GDPR applies to the Data Importer’s Processing of the Personal Data.
        • (E) This Addendum and the Agreement set out the instructions for Processing Personal Data.
        • (F) The Data Importer shall Process Personal Data for the time period set out in Part B of Exhibit A. The Parties agree that the Data Importer and / or the Data Exporter may terminate the UK IDTA before the end of such time period [by serving one month’s written notice.
        • (G) The Data Importer may only transfer Personal Data to authorized Contracted Processors (if applicable), as set out within Section 6 of this Addendum, or to such third parties that the Data Exporter authorizes in writing or within the Agreement.
        • (H) Each Party must review this Addendum at regular intervals, to ensure that this Addendum remains accurate and up to date and continues to provide appropriate safeguards to the Personal Data. Each Party will carry out these reviews as frequently as each time there is a change to the Personal Data, purposes for Processing, Data Importer information, or risk assessment or sooner.
      • iii. Table 3: The content of Table 3 is set forth in Part B of Exhibit A and may be updated in accordance with Section 3.3 of this Addendum.
      • iv. Table 4: The content of Table 4 is set forth in Appendix I to Exhibit A and may be updated in accordance with Section 3.3 of this Addendum.
    • (c) Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the UK IDTA are noted throughout this Addendum.
    • (d) The terms contained in Appendix I to the Jurisdiction Specific Terms supplement the UK IDTA.
    • (e) In cases where the UK IDTA applies and there is a conflict between the terms of this Addendum and the terms of the UK IDTA, the terms of the UK IDTA shall prevail.

12. United States of America

  • 12.1. Applicability. Wherever the Processing pursuant to the Addendum falls within the scope of United States Data Protection Laws (defined below), the provisions of the Addendum and this Section shall apply to such Processing.
  • 12.2. Definitions.
    • (a) “United States Data Protection Laws” include, individually and collectively, enacted state and federal laws, acts, and regulations of the United States of America that apply to the Processing of Personal Data, as may be amended from time to time. Such laws include, without limitation:
      • i. the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 et seq.)., and the California Consumer Privacy Act Regulations, together with all implementing regulations;
      • ii. the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations;
      • iii. the Connecticut Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015;
      • iv. the Utah Consumer Privacy Act, Utah Code Ann. S 13-61-101 et seq.; and
      • v. the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.
    • (b) “Personal Data Breach” (as used in the Addendum) includes “Breach of Security” and “Breach of the Security of the System” as defined under applicable United States Data Protection Laws.
    • (c) The terms “Business Purpose”, “Commercial Purpose”, “Sell”, and “Share” shall have the same meanings as under applicable United States Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly.
  • 12.3. Processing of ProSciento Personal Data.
    • (a) ProSciento discloses ProSciento Personal Data to Service Provider solely for: (i) valid Business Purposes; and (ii) to enable Service Provider to perform the Services.
    • (b) Service Provider shall not: (i) Sell or Share ProSciento Personal Data; (ii) retain, use or disclose ProSciento Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise permitted by United States Data Protection Laws; (iii) retain, use, or disclose ProSciento Personal Data except where permitted under the Agreement nor (iv) combine ProSciento Personal Data with other information that Service Provider Processes on behalf of other persons or that Service Provider collects directly from the Data Subject, with the exception of Processing for Business Purposes. Service Provider certifies that it understands these prohibitions and agrees to comply with them.
  • 12.4. Termination. Upon termination of the Agreement, Service Provider shall, as soon as reasonably practicable, destroy all Personal Data it has Processed on behalf of ProSciento after the end of the provision of Services relating to the Processing and destroy all copies of the Personal Data unless applicable law requires or permits storage of such Personal Data.

Appendix I to the Jurisdiction Specific Terms

Supplemental Clauses to the Standard Contractual Clauses

By this Appendix I (this “Appendix”), the Parties provide additional safeguards and redress to the Data Subjects whose Personal Data is transferred to Service Provider pursuant to Standard Contractual Clauses. This Appendix supplements and is made part of, but is not in variation or modification of, the Standard Contractual Clauses that may be applicable to the Restricted Transfer.

1. Definitions

  • 1.1. For the purpose of interpreting this Appendix, the following terms shall have the meanings set out below:
    • (a) “EO 12333” means the U.S. Executive Order 12333.
    • (b) “FISA” means the U.S. Foreign Intelligence Surveillance Act.
    • (c) “Schrems II Judgment” means the judgment of the European Court of Justice in Case C-311/18, Data Protection Commissioner v. Facebook Ireland Limited and Maximilian Schrems.

2. Applicability of Surveillance Laws to Data Importer and its Contracted Processors

  • 2.1. U.S Surveillance Laws
    • (a) Data Importer represents and warrants that, as of the Effective Date, it has not received any national security orders of the type described in Paragraphs 150-202 of the Schrems II judgment.
    • (b) Data Importer represents that it reasonably believes that it is not eligible to be required to provide information, facilities, or assistance of any type under FISA Section 702 because:
      • i. No court has found Data Importer to be an entity eligible to receive legal process issued under FISA Section 702: (i) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4); or (ii) an entity belonging to any of the categories of entities described within that definition.
      • ii. If Data Importer were to be found eligible for process under FISA Section 702, which it believes it is not, it is nevertheless also not the type of provider that is eligible to be subject to UPSTREAM collection pursuant to FISA Section 702, as described in paragraphs 62 and 179 of the Schrems II judgment.
  • (c) EO 12333 does not provide the U.S. government the ability to order or demand that Data Importer provide assistance for the bulk collection of information and Data Importer shall take no action pursuant to EO 12333.

3. Backdoors

  • 3.1. Data Importer certifies that:
    • (a) It has not purposefully created backdoors or similar programming for governmental agencies that could be used to access Data Importer’s systems or ProSciento Personal Data subject to the Standard Contractual Clauses.
    • (b) It has not purposefully created or changed its business processes in a manner that facilitates governmental access to ProSciento Personal Data or systems.
    • (c) National law or government policy does not require Data Importer to create or maintain back doors or to facilitate access to ProSciento Personal Data or systems.
  • 3.2. Data Exporter will be entitled to terminate the contract on short notice in cases in which Data Importer does not reveal the existence of a back door or similar programming or manipulated business processes or any requirement to implement any of these or fails to promptly inform Data Exporter once their existence comes to its knowledge.

4.Information About Legal Prohibitions

Data Importer will provide Data Exporter information about the legal prohibitions on Data Importer to provide information under this Appendix. Data Importer may choose the means to provide this information.

5. Additional Measures to Prevent Authorities from Accessing ProSciento Personal Data

  • 5.1. Notwithstanding the application of the security measures set forth in this Addendum, Data Importer will implement internal policies establishing that:
    • (a) Data Importer must require an official, signed document issued pursuant to the applicable laws of the requesting third party before it will consider a request for access to transferred ProSciento Personal Data;
    • (b) Data Importer’s Data Protection Officer shall be notified upon receipt of each request or order for transferred ProSciento Personal Data;
    • (c) Data Importer shall scrutinize every request for legal validity and, as part of that procedure, will reject any request Data Importer considers to be invalid;
    • (d) If Data Importer is legally required to comply with an order, it will respond as narrowly as possible to the specific request; and
    • (e) If Data Importer receives a request from public authorities to cooperate on a voluntary basis, ProSciento Personal Data transmitted in plain text may only be provided to public authorities with the express agreement of Data Exporter.

6. Termination

This Appendix shall automatically terminate with respect to the Processing of ProSciento Personal Data transferred in reliance of the Standard Contractual Clauses if the European Commission or a competent regulator approves a different transfer mechanism that would be applicable to the Restricted Transfers covered by the Standard Contractual Clauses (and if such mechanism applies only to some of the data transfers, this Appendix will terminate only with respect to those transfers) and that does not require the additional safeguards set forth in this Appendix.