Chronicle Services: EU Standard Contractual Clauses (Module 4: Processor-to-Controller)
Last modified: September 21, 2022
Capitalized terms used but not defined in
these Clauses (including the Appendix) have the meanings given to them in the
agreement into which these Clauses are incorporated (the
"Agreement"). If the Agreement authorizes the resale or supply of Services
under a Chronicle partner or reseller agreement or program, then all references
in these Clauses to: (a) Customer mean Partner or Reseller (as applicable), and
(b) Customer Personal Data mean Partner Personal Data.
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
(a)The purpose of these standard contractual
clauses is to ensure compliance with the requirements of Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data
and on the free movement of such data (General Data Protection Regulation) (1)
for the transfer of personal data to a third country.
(b)The Parties:
(i)the natural or
legal person(s), public authority/ies, agency/ies or other body/ies
(hereinafter ‘entity/ies’) transferring the personal
data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
(ii)the entity/ies in
a third country receiving the personal data from the data exporter, directly or
indirectly via another entity also Party to these Clauses, as listed in Annex
I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual
clauses (hereinafter: ‘Clauses’).
(c)These Clauses apply with respect to the
transfer of personal data as specified in Annex I.B.
(d)The Appendix to these Clauses containing the
Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a)These Clauses set out appropriate safeguards,
including enforceable data subject rights and effective legal remedies,
pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and,
with respect to data transfers from controllers to processors and/or processors
to processors, standard contractual clauses pursuant to Article 28(7) of
Regulation (EU) 2016/679, provided they are not modified, except to select the
appropriate Module(s) or to add or update information in the Appendix. This
does not prevent the Parties from including the standard contractual clauses
laid down in these Clauses in a wider contract and/or to add other clauses or
additional safeguards, provided that they do not contradict, directly or
indirectly, these Clauses or prejudice the fundamental rights or freedoms of
data subjects.
(b)These Clauses are without prejudice to
obligations to which the data exporter is subject by virtue of Regulation (EU)
2016/679.
Clause 3
Third-party beneficiaries
(a)Data subjects may invoke and enforce these
Clauses, as third-party beneficiaries, against the data exporter and/or data
importer, with the following exceptions:
(i)Clause 1,
Clause 2, Clause 3, Clause 6, Clause 7;
(ii)Clause 8 – Clause 8.1 (b) and Clause 8.3(b);
(iii)Clause 9 – Not applicable;
(iv)Clause 12 – Not applicable;
(v)Clause 13 - Not applicable;
(vi)Clause 15.1(c), (d) and (e);
(vii)Clause 16(e);
(viii)Clause 18.
(b)Paragraph (a) is without prejudice to rights
of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
(a)Where these Clauses use terms that are
defined in Regulation (EU) 2016/679, those terms shall have the same meaning as
in that Regulation.
(b)These Clauses shall be read and interpreted
in the light of the provisions of Regulation (EU) 2016/679.
(c)These Clauses shall not be interpreted in a
way that conflicts with rights and obligations provided for in Regulation (EU)
2016/679.
Clause 5
Hierarchy
In the event of a contradiction between
these Clauses and the provisions of related agreements between the Parties,
existing at the time these Clauses are agreed or entered into thereafter, these
Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in
particular the categories of personal data that are transferred and the
purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 – Not used
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used
reasonable efforts to determine that the data importer is able, through the
implementation of appropriate technical and organisational
measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a)The data exporter shall process the personal
data only on documented instructions from the data importer acting as its
controller.
(b)The data exporter shall immediately inform
the data importer if it is unable to follow those instructions, including if
such instructions infringe Regulation (EU) 2016/679 or other Union or Member State
data protection law.
(c)The data importer shall refrain from any
action that would prevent the data exporter from fulfilling its obligations
under Regulation (EU) 2016/679, including in the context of sub-processing or
as regards cooperation with competent supervisory authorities.
(d)After the end of the provision of the
processing services, the data exporter shall, at the choice of the data
importer, delete all personal data processed on behalf of the data importer and
certify to the data importer that it has done so, or return to the data
importer all personal data processed on its behalf and delete existing copies.
8.2 Security of processing
(a)The Parties shall implement appropriate
technical and organisational measures to ensure the
security of the data, including during transmission, and protection against a
breach of security leading to accidental or unlawful destruction, loss,
alteration, unauthorised disclosure or access
(hereinafter ‘personal data breach’). In assessing the appropriate level of
security, they shall take due account of the state of the art, the costs of
implementation, the nature of the personal data (7), the nature, scope, context
and purpose(s) of processing and the risks involved in the processing for the
data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the
purpose of processing can be fulfilled in that manner.
(b)The data exporter shall assist the data
importer in ensuring appropriate security of the data in accordance with
paragraph (a). In case of a personal data breach concerning the personal data
processed by the data exporter under these Clauses, the data exporter shall
notify the data importer without undue delay after becoming aware of it and
assist the data importer in addressing the breach.
(c)The data exporter shall ensure that persons authorised to process the personal data have committed
themselves to confidentiality or are under an appropriate statutory obligation
of confidentiality.
8.3 Documentation and compliance
(a)The Parties shall be able to demonstrate
compliance with these Clauses.
(b)The data exporter shall make available to
the data importer all information necessary to demonstrate compliance with its
obligations under these Clauses and allow for and contribute to audits.
Clause 9 - Not applicable
Clause 10
Data subject rights
The Parties shall assist each other in
responding to enquiries and requests made by data subjects under the local law
applicable to the data importer or, for data processing by the data exporter in
the EU, under Regulation (EU) 2016/679.
Clause 11
Redress
(a)The data importer shall inform data subjects
in a transparent and easily accessible format, through individual notice or on
its website, of a contact point authorised to handle
complaints. It shall deal promptly with any complaints it receives from a data
subject.
Clause 12
Liability
(a)Each Party shall be liable to the other
Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b)Each Party shall be liable to the data
subject, and the data subject shall be entitled to receive compensation, for
any material or non-material damages that the Party causes the data subject by
breaching the third-party beneficiary rights under these Clauses. This is
without prejudice to the liability of the data exporter under Regulation (EU)
2016/679.
(c)Where more than one Party is responsible for
any damage caused to the data subject as a result of a breach of these Clauses,
all responsible Parties shall be jointly and severally liable and the data
subject is entitled to bring an action in court against any of these Parties.
(d)The Parties agree that if one Party is held
liable under paragraph (c), it shall be entitled to claim back from the other
Party/ies that part of the compensation corresponding
to its/their responsibility for the damage.
(e)The data importer may not invoke the conduct
of a processor or sub-processor to avoid its own liability.
Clause 13 - Not applicable
SECTION III – LOCAL LAWS AND OBLIGATIONS IN
CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting
compliance with the Clauses
Transfer processor to controller
(where the EU processor combines the
personal data received from the third country-controller with personal data
collected by the processor in the EU)
(a)The Parties warrant that they have no reason
to believe that the laws and practices in the third country of destination
applicable to the processing of the personal data by the data importer,
including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data
importer from fulfilling its obligations under these Clauses. This is based on
the understanding that laws and practices that respect the essence of the
fundamental rights and freedoms and do not exceed what is necessary and
proportionate in a democratic society to safeguard one of the objectives listed
in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with
these Clauses.
(b)The Parties declare that in providing the
warranty in paragraph (a), they have taken due account in particular of the
following elements:
(i)the specific
circumstances of the transfer, including the length of the processing chain,
the number of actors involved and the transmission channels used; intended
onward transfers; the type of recipient; the purpose of processing; the
categories and format of the transferred personal data; the economic sector in
which the transfer occurs; the storage location of the data transferred;
(ii)the laws and practices of the third country
of destination – including those requiring the disclosure of data to public
authorities or authorising access by such authorities
– relevant in light of the specific circumstances of the transfer, and the
applicable limitations and safeguards (12);
(iii)any relevant contractual, technical or organisational safeguards put in place to supplement the
safeguards under these Clauses, including measures applied during transmission
and to the processing of the personal data in the country of destination.
(c)The data importer warrants that, in carrying
out the assessment under paragraph (b), it has made its best efforts to provide
the data exporter with relevant information and agrees that it will continue to
cooperate with the data exporter in ensuring compliance with these Clauses.
(d)The Parties agree to document the assessment
under paragraph (b) and make it available to the competent supervisory
authority on request.
(e)The data importer agrees to notify the data
exporter promptly if, after having agreed to these Clauses and for the duration
of the contract, it has reason to believe that it is or has become subject to
laws or practices not in line with the requirements under paragraph (a),
including following a change in the laws of the third country or a measure
(such as a disclosure request) indicating an application of such laws in
practice that is not in line with the requirements in paragraph (a).
(f)Following a notification pursuant to
paragraph (e), or if the data exporter otherwise has reason to believe that the
data importer can no longer fulfil its obligations under these Clauses, the
data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and
confidentiality) to be adopted by the data exporter and/or data importer to
address the situation. The data exporter shall suspend the data transfer if it
considers that no appropriate safeguards for such transfer can be ensured, or
if instructed by the competent supervisory authority to do so. In this case,
the data exporter shall be entitled to terminate the contract, insofar as it
concerns the processing of personal data under these Clauses. If the contract
involves more than two Parties, the data exporter may exercise this right to
termination only with respect to the relevant Party, unless the Parties have
agreed otherwise. Where the contract is terminated pursuant to this Clause,
Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of
access by public authorities
Transfer processor to controller
(where the EU processor combines the
personal data received from the third country-controller with personal data
collected by the processor in the EU)
15.1 Notification
(a)The data importer agrees to notify the data
exporter and, where possible, the data subject promptly (if necessary with the
help of the data exporter) if it:
(i)receives a legally
binding request from a public authority, including judicial authorities, under
the laws of the country of destination for the disclosure of personal data
transferred pursuant to these Clauses; such notification shall include
information about the personal data requested, the requesting authority, the
legal basis for the request and the response provided; or
(ii)becomes aware of any direct access by public
authorities to personal data transferred pursuant to these Clauses in
accordance with the laws of the country of destination; such notification shall
include all information available to the importer.
(b)If the data importer is prohibited from
notifying the data exporter and/or the data subject under the laws of the
country of destination, the data importer agrees to use its best efforts to
obtain a waiver of the prohibition, with a view to communicating as much
information as possible, as soon as possible. The data importer agrees to
document its best efforts in order to be able to demonstrate them on request of
the data exporter.
(c)Where permissible under the laws of the
country of destination, the data importer agrees to provide the data exporter,
at regular intervals for the duration of the contract, with as much relevant
information as possible on the requests received (in particular, number of
requests, type of data requested, requesting authority/ies,
whether requests have been challenged and the outcome of such challenges,
etc.).
(d)The data importer agrees to preserve the
information pursuant to paragraphs (a) to (c) for the duration of the contract
and make it available to the competent supervisory authority on request.
(e)Paragraphs (a) to (c) are without prejudice
to the obligation of the data importer pursuant to Clause 14(e) and Clause 16
to inform the data exporter promptly where it is unable to comply with these
Clauses.
15.2 Review of legality and data minimisation
(a)The data importer agrees to review the
legality of the request for disclosure, in particular whether it remains within
the powers granted to the requesting public authority, and to challenge the
request if, after careful assessment, it concludes that there are reasonable
grounds to consider that the request is unlawful under the laws of the country
of destination, applicable obligations under international law and principles
of international comity. The data importer shall, under the same conditions,
pursue possibilities of appeal. When challenging a request, the data importer
shall seek interim measures with a view to suspending the effects of the
request until the competent judicial authority has decided on its merits. It
shall not disclose the personal data requested until required to do so under
the applicable procedural rules. These requirements are without prejudice to
the obligations of the data importer under Clause 14(e).
(b)The data importer agrees to document its
legal assessment and any challenge to the request for disclosure and, to the
extent permissible under the laws of the country of destination, make the
documentation available to the data exporter. It shall also make it available
to the competent supervisory authority on request.
(c)The data importer agrees to provide the
minimum amount of information permissible when responding to a request for disclosure,
based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and
termination
(a)The data importer shall promptly inform the
data exporter if it is unable to comply with these Clauses, for whatever
reason.
(b)In the event that the data importer is in
breach of these Clauses or unable to comply with these Clauses, the data
exporter shall suspend the transfer of personal data to the data importer until
compliance is again ensured or the contract is terminated. This is without
prejudice to Clause 14(f).
(c)The data exporter shall be entitled to
terminate the contract, insofar as it concerns the processing of personal data
under these Clauses, where:
(i)the data
exporter has suspended the transfer of personal data to the data importer
pursuant to paragraph (b) and compliance with these Clauses is not restored
within a reasonable time and in any event within one month of suspension;
(ii)the data importer is in substantial or
persistent breach of these Clauses; or
(iii)the data importer fails to comply with a
binding decision of a competent court or supervisory authority regarding its
obligations under these Clauses.
In these cases, it shall inform the
competent supervisory authority of such non-compliance. Where the contract
involves more than two Parties, the data exporter may exercise this right to
termination only with respect to the relevant Party, unless the Parties have
agreed otherwise.
(d)Personal data collected by the data exporter
in the EU that has been transferred prior to the termination of the contract
pursuant to paragraph (c) shall immediately be deleted in its entirety,
including any copy thereof. The data importer shall certify the deletion of the
data to the data exporter. Until the data is deleted or returned, the data
importer shall continue to ensure compliance with these Clauses. In case of
local laws applicable to the data importer that prohibit the return or deletion
of the transferred personal data, the data importer warrants that it will
continue to ensure compliance with these Clauses and will only process the data
to the extent and for as long as required under that local law.
(e)Either Party may revoke its agreement to be
bound by these Clauses where (i) the European
Commission adopts a decision pursuant to Article 45(3) of Regulation (EU)
2016/679 that covers the transfer of personal data to which these Clauses
apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of
the country to which the personal data is transferred. This is without
prejudice to other obligations applying to the processing in question under
Regulation (EU) 2016/679.
Clause 17
Governing law
These Clauses shall be governed by the law
of a country allowing for third-party beneficiary rights. The Parties agree
that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
Any dispute arising from these Clauses
shall be resolved by the courts of Ireland.
(1)
Where the data exporter is a processor subject to Regulation (EU)
2016/679 acting on behalf of a Union institution or body as controller,
reliance on these Clauses when engaging another processor (sub-processing) not
subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4)
of Regulation (EU) 2018/1725 of the European Parliament and of the Council of
23 October 2018 on the protection of natural persons with regard to the
processing of personal data by the Union institutions, bodies, offices and
agencies and on the free movement of such data, and repealing Regulation (EC) No
45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to
the extent these Clauses and the data protection obligations as set out in the
contract or other legal act between the controller and the processor pursuant
to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in
particular be the case where the controller and processor rely on the standard
contractual clauses included in Decision 2021/915.
(7)
This includes whether the transfer and further processing involves
personal data revealing racial or ethnic origin, political opinions, religious
or philosophical beliefs, or trade union membership, genetic data or biometric
data for the purpose of uniquely identifying a natural person, data concerning
health or a person’s sex life or sexual orientation, or data relating to
criminal convictions or offences.
(12)
As regards the impact of such laws and practices on compliance with
these Clauses, different elements may be considered as part of an overall
assessment. Such elements may include relevant and documented practical
experience with prior instances of requests for disclosure from public
authorities, or the absence of such requests, covering a sufficiently
representative time-frame. This refers in particular to internal records or
other documentation, drawn up on a continuous basis in accordance with due
diligence and certified at senior management level, provided that this
information can be lawfully shared with third parties. Where this practical
experience is relied upon to conclude that the data importer will not be
prevented from complying with these Clauses, it needs to be supported by other
relevant, objective elements, and it is for the Parties to consider carefully
whether these elements together carry sufficient weight, in terms of their
reliability and representativeness, to support this conclusion. In particular,
the Parties have to take into account whether their practical experience is
corroborated and not contradicted by publicly available or otherwise
accessible, reliable information on the existence or absence of requests within
the same sector and/or the application of the law in practice, such as case law
and reports by independent oversight bodies.
APPENDIX
EXPLANATORY NOTE:
It must be possible to
clearly distinguish the information applicable to each transfer or category of
transfers and, in this regard, to determine the respective role(s) of the
Parties as data exporter(s) and/or data importer(s). This does not necessarily
require completing and signing separate appendices for each transfer/category
of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to
ensure sufficient clarity, separate appendices should be used.
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name: Chronicle
Address: As specified in the
Agreement.
Contact person’s name, position and
contact details: Contact details for the data exporter are specified in the
Agreement. The data exporter’s data protection team can be contacted as
described in the Data Processing and Security Terms.
Activities relevant to the data
transferred under these Clauses: The data exporter provides the Services to the
data importer in accordance with the Agreement.
Signature and date: The parties
agree that execution of the Agreement by
the data importer and the data exporter shall constitute execution of these
Clauses by both parties (a) as of 27 September 2021, where the Effective Date
is on or before 27 September 2021, or (b) otherwise, as of the Effective Date.
Role (controller/processor): processor
Data importer(s):
Name: Customer
Address: As specified in the
Agreement.
Contact person’s name, position and
contact details: Contact details for the data importer are specified in the
Agreement. Details about the data importer’s data protection officer are
available to the data exporter in the Agreement (where such details have been
provided by the data importer).
Activities relevant to the data
transferred under these Clauses: The data exporter provides the Services to the
data importer in accordance with the Agreement.
Signature and date: The parties
agree that execution of the Agreement by
the data importer and the data exporter shall constitute execution of these
Clauses by both parties (a) as of 27 September 2021, where the Effective Date
is on or before 27 September 2021, or (b) otherwise, as of the Effective Date.
Role (controller/processor): controller and/or processor, as applicable.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is
transferred
Data subjects are the individuals whose personal data is processed by the data
exporter under the data importer’s instructions as specified in the Agreement
(“Transferred Personal Data”). These individuals may include, for
example: employees, other staff such as contractors and temporary workers,
customers and clients (including their staff), other end users, suppliers
(including their staff), relatives and associates of the above, advisers,
consultants and other professional experts, shareholders, members or
supporters, and students and pupils.
Categories of personal data transferred
Transferred Personal Data may include, for example:
● Personal details, including any information that identifies the data subject
and their personal characteristics, including: name, address, contact details,
age, date of birth, sex, and physical description.
● Employment details, including information relating to the employment of the
data subject, including employment and career history, recruitment and
termination details, attendance records, performance appraisals, training
records, and security records.
● Financial details, including information relating to the financial affairs of
the data subject, including income, salary, assets and investments, payments,
credit worthiness, loans, benefits, grants, insurance details, and pension
information.
● Education and training details, including information which relates to the
education and any professional training of the data subject, including academic
records, qualifications, skills, training records, professional expertise,
student and pupil records.
● Personal details issued as an identifier by a public authority, including
passport details, national insurance numbers, identity card numbers, driving
licence details.
● Family, lifestyle and social circumstances, including any information relating
to the family of the data subject and the data subject’s lifestyle and social
circumstances, including details of family and other household members, habits,
housing, travel details, leisure activities, and membership of charitable or
voluntary organisations.
Sensitive data transferred (if applicable) and applied
restrictions or safeguards that fully take into consideration the nature of the
data and the risks involved, such as for instance strict purpose limitation,
access restrictions (including access only for staff having followed specialised training), keeping a record of access to the
data, restrictions for onward transfers or additional security measures.
Transferred Personal Data may include special categories of personal data (as
defined in the GDPR). This
may include, for example: personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, or trade union
membership, and the processing of genetic data, biometric data for the purpose
of uniquely identifying a natural person, data concerning health or data
concerning a natural person’s sex life or sexual orientation.
The restrictions and safeguards specified in Appendix 2 to the Data Processing and
Security Terms apply to these categories of personal data (if any).
The frequency of the transfer (e.g. whether the data is
transferred on a one-off or continuous basis).
Transferred Personal Data may be
transferred on a continuous basis until it is deleted in accordance with the
terms of the Data Processing and Security Terms.
Nature of the processing
The data exporter will process Transferred
Personal Data to provide, secure and monitor the Services and Chronicle TSS in
accordance with the Agreement.
Purpose(s) of the data transfer and further processing
The data exporter will process Transferred
Personal Data to provide, secure and monitor the Services and Chronicle TSS in
accordance with the Agreement.
The period for which the personal data will be retained,
or, if that is not possible, the criteria used to determine that period
The data exporter will retain Transferred Personal Data until its deletion in
accordance with the provisions of the Data Processing and Security Terms.
For transfers to (sub-) processors, also specify subject
matter, nature and duration of the processing
Not applicable
C. COMPETENT SUPERVISORY AUTHORITY - Not applicable
…
ANNEX II - Not applicable
ANNEX III - Not applicable