Clause I
Purpose and scope
(a)The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free flow of such data (General Data Protection Regulation)for the transfer of personal data to a third country.
(b)The Parties:
(i)the natural or legal person(s),public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”)transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
(ii)the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A.(hereinafter each “data importer”)have agreed to these standard contractual clauses (hereinafter “Clauses”).
(c)These Clauses apply with respect to the transfer of personal data as specified in Annex I. B.
(d)The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
(a)These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c)of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU)2016/679, provided they are not modified, except to select the appropriate Module(s)or to add or update information in the Appendix. This does not preclude the parties from incorporating the standard contractual clauses stipulated herein into a broader contract and/or adding other terms or additional safeguards, provided that such clauses do not directly or indirectly conflict with these clauses or infringe upon the fundamental rights or freedoms of the data subject.
(b)Pursuant to Regulation (EU) 2016/679, these clauses do not affect the obligations of the data exporter.
Clause 3
Third-party beneficiaries
(a)The data subject may invoke and enforce these clauses as a third-party beneficiary against the data exporter and/or data importer, except in the following circumstances:
(i)Clause 1, Clause 2, Clause 3, Clause 6;
(ii)Clause 7-Clause 7.1(b),7.9(a),(c),(d) and(e);
(iii)Clause 8-Clause 8(a),(c),(d) and(e);
(iv)Clause 11-Clause 11(a),(d) and(f);
(v)Clause 12;
(vi)Clause 14.1(c),(d) and(e);
(vii)Clause 15(e);
(viii)Clause 17-Clause 17(a)and(b).
(b)Clause (a) does not affect the rights of the data subject as enact forth under Regulation (EU) 2016/679.
Clause 4
interpretation of the clauses
(a)If these clauses use terms defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b)These clauses shall comply with the provisions of Regulation (EU) 2016/679.
(c)These clauses shall comply with the provisions of Regulation (EU) 2016/679.
Clause 5
validity of the clauses
In the event of a conflict between this clause and the clauses of any other agreement between the parties, this clause shall prevail at the time of entering into this clause or any subsequent agreement.
Clause 6
Description of the data transfer(s)
Details regarding the data transfer, particularly the transfer and its purpose, are outlined in Annex I.B.
Clause 7
Data protection safeguards
The data exporter warrants that it has made appreciate efforts to ascertain that the data importer is capable of fulfilling its obligations under these clauses by implementing appropriate technical and organizational measures.
7.1 Instructions for data processing
(a) The data importer shall process personal data solely in accordance with the written instructions of the data exporter, which may be issued throughout the duration of the contract.
(b) If the data importer is unable to comply with the written instructions of the data exporter, it shall immediately notify the data exporter.
7.2 Purpose limitation
The data importer shall process personal data only for the purpose of the transfer as described in Annex I. B, unless otherwise instructed by the data exporter.
7.3 Transparency
At the request of the data subject, the data exporter shall provide a copy of these clauses, including the appendix filled out by both Parties, free of charge. To the extent necessary to protect trade secrets or other confidential information (including the measures and personal data described in Annex II), the data exporter may edit portions of the text of these clauses’ annexes prior to sharing the copy, but a summary must be provided to explain the content if the data subject cannot understand it or exercise their rights. Upon request, the parties reasons for the edited data to the data subject, to the extent possible without disclosing the edited information. This clause does not affect the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
7.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate or no longer valid, it shall immediately notify the data exporter. In this case, both parties shall cooperate to delete or rectify the data in accordance with the data importer’s obligations to the data exporter.
7.5 Time period for data processing, deletion, or return
The data importer may only process personal data within the schedule specified in Annex I. B. Upon the conclusion of the processing services, the data importer shall, at the request of the data exporter, delete all personal data processed on behalf of the data exporter and provide evidence of such deletion as required, or return all personal data to the data exporter, deleting any existing copies. Before deleting or returning the data, the data importer shall continue to ensure compliance with these clauses. If local law prohibits the return or deletion of personal data, the data importer shall ensure continued compliance with these clauses and may only process such data to the extent and for the duration required by local law. Such processing shall not influence the requirements of Clause 13, particularly Clause 13(e), regarding the data importer. If the data exporter has reason to believe it may be subject to laws or practices that do not comply with the requirements of Clause 13(a), it shall notify the data exporter throughout the duration of the contract.
7.6 Security of data processing
(a) The data importer, as well as the data exporter during the transfer, shall implement appropriate technical and organisational measures to ensure the security of the data, including the prevention of accidental or unlawful destruction, loss, falsify, or unauthorized access (hereinafter referred to as “personal data breach”).In assessing the level of security, both parties shall consider the latest technology, implementation costs, the nature, scope, context, and purposes of processing, as well as the risks involved in the data subjects’ processing. The parties shall pay particular attention to the use of encryption or anonymization techniques to achieve the purposes of data processing, including during the data transfer. If anonymization techniques are used, personal data classified as additional information relating to specific data subjects shall always be controlled separately by the data exporter. In fulfilling the obligations set out in this clause, the data importer shall implement at least the technical and organizational measures specified in Annex II. The data importer shall conduct regular checks to ensure that these measures achieve the necessary level of security.
(b)The data importer shall restrict access to the personal data to personnel who require it within the scope of contract implementation, management and oversight. It shall ensure that those authorised to process the personal data have committed to confidentiality or are subject to appropriate legal confidentiality obligations.
(c) If a personal data breach occurs concerning personal data processed by the data importer under these clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also promptly notify the data exporter upon becoming aware of the breach. Such notification shall include detailed contact information for further inquiries, a description of the nature of the breach (including, where possible, categories and approximate numbers of affected data subjects and personal data records), its possible consequences, and appropriate measures taken or proposed to address the breach, includingmeasures to mitigate its possible adverse effects. In cases where it is not possible to provide all information at once, the initial notification shall contain the information available at the time, with further information provided without undue delay
(d)The data importer shall cooperate and assist the data exporter in fulfilling its obligations under Regulation (EU) 2016/679. In particular, it shall notify the relevant supervisory authority and affected data subjects when processing involves the nature of data processing and the use of information by the importer.
7.7 Sensitive data
If the data transfer involves personal data that can uniquely identify an individual’s race, ethnicity, political opinions, religious or philosophical beliefs, union membership, genetic data, biometric data, health data, sexual life or sexual orientation, or data related to criminal convictions and offenses (hereinafter referred to as “sensitive data”), the data importer shall limit the status of the data and/or implement additional safeguards described in Annex I. B.
7.8 Onward transfers
The data importer may disclose personal data to third parties only in accordance with the written instructions of the data exporter. Additionally, such disclosure may occur only if the third party is bound or agrees to be bound by these clauses under the appropriate module (in the same country as the data importer or in another third country, hereinafter “onward transfer”), or if:
(i)the onward transfer refer to a country benefitting from a decision made under Article 45 of Regulation (EU) 2016/679 regarding continued transfer;
(ii)the third party provides appropriate safeguards in accordance with Articles 46 or responds to relevant processing under Article 47 of Regulation (EU) 2016/679;
(iii)the onward transfer is necessary for the establishment, exercise, or defense of legal claims in specific administrative, regulatory, or judicial proceedings; or
(iv) the onward transfer is necessary to protect the vital interests of the data subject or another natural person.
Any onward transfer is subject to the data importer’s compliance with all other safeguards under these Clauses, particularly the principle of purpose limitation.
7.9 Documentation and compliance
(a)The data importer shall promptly and adequately address inquiries from the data exporter related to the processing under these clauses.
(b)The parties shall be able to demonstrate compliance with these clauses. In particular, the data importer shall maintain appropriate documentation regarding the processing activities carried out on behalf of the data exporter.
(c)The data importer shall provide the data exporter all necessary information to demonstrate compliance with the obligations set forth in these Clauses and, at the data exporter's request, allow and contribute to audits of the processing activities covered by these clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may consider any relevant certifications held by the data importer.
(d)The data exporter may choose to conduct the audit itself or appoint an independent auditor. Audits may include inspections of the premises or physical facilities of the data importer and shall, where appropriate, be conducted with reasonable notice.
(e)The Parties shall make the information referred to in paragraphs (b) and (c),
including the results of any audits, available to the competent supervisory authority upon request.
Clause 8
Engagement of sub-processors
(a)The data importer is granted controller's general authorization to engage sub-processors from an agreed list. The data importer shall provide the controller with written notice of any intended changes to that list, including the addition or replacement of sub-processors, at least ten (10)days in advance. This notice shall afford the controller sufficient time to raise any objections to such changes prior to the engagement of the sub-processor(s).The data importer shall supply the controller with the necessary information to exercise its right to object. Additionally, the data importer shall inform the data exporter of the engagement of the sub-processor(s).
(b)Where the data importer engages a sub-processor to perform specific processing activities on behalf of the controller, such engagement shall be governed by a written contract that imposes, in substance, the same data protection obligations as those binding the data importer under these clauses, including third-party beneficiary rights for data subjects. The Parties acknowledge that compliance with this clause fulfils the data importer’s obligations under Clause 7. 8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject under these Clauses.
(c) At the request of the data exporter or controller, the data importer shall provide a copy of the sub-processor agreement and any subsequent amendments. To the extent necessary to protect trade secrets or other confidential information, including personal data, the data importer may redact portions of the agreement before sharing a copy.
(d)The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under the contract with the data importer. The data importer shall promptly notify the data exporter of any failure by the sub-processor to fulfil its contractual obligations.
(e)The data importer shall establish a third-party beneficiary clause with the sub-processor, stipulating that, in the event the data importer has factually disappeared, ceased to exist in law, or become insolvent, the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 9
Data subject rights
(a)The data importer shall promptly notify the data exporter of any request it received from a data subject. It shall not respond to such a request unless explicity authorized by the data exporter to do so.
(b)The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests to exercise of their rights under Regulation (EU) 2016/679. The Parties outline in Annex II the appropriate technical and organisational measures to provide such assistance, considering the nature of the processing, and the scope and the extent of the assistance required.
(c)In fulfilling its obligations under paragraphs (a) and (b),the data importer shall
comply with the instructions provided by the data exporter.
Clause 10
Redress
(a)The data importer shall inform data subjects, in a transparent and easily accessible format, either through individual notice or on its website, of a contact point authorized to handle complaints. The data importer shall promptly address any complaints it receives from data subject.
(b)In the event of a dispute between a data subject and one of the parties concerning compliance with these clauses, that party shall make every efforts to resolve the issue amicably and in a timely manner. The parties shall keep each other informed of any such disputes and cooperate where appropriate in resolving them.
(c)Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i)lodge a complaint with the supervisory authority in the Member State of the data subject’s habitual residence or place of work, or the competent supervisory authority pursuant to Clause 12;or
(ii)refer the dispute to the competent courts, as defined in Clause 17.
(d)The Parties acknowledge that the data subject may be represented by a not-for-profit body, organization or association under the conditions set out in Article 80(1) of Regulation (EU)2016/679.
(e)The data importer shall comply with any binding decisions under applicable EU or Member State law.
(f)The data importer agrees that the data subject’s choice of action does not prejudice the data subject’s substantive or procedural rights to seek remedies in accordance with applicable laws.
Clause 11
Liability
(a)Each Party shall be liable to the other Party/Parties for any damages causes by its breach of these clauses.
(b)The data importer shall be liable to the data subject for any material or non-material damages caused by the data importer or its sub-processor as a result of breaching the third-party beneficiary rights under these clauses. The data subject shall be entitled to compensation for such damages.
(c)Notwithstanding paragraph(b), the data exporter shall also be liable to the data subject, and the data subject shall be entitled to Receive compensation, for any material or non-material damages caused by the data exporter, the data importer or its sub-processor, through a breach of the third-party beneficiary rights under these clauses. This dose not affect the liability of the data exporter and, if applicable, the liability of the controller when the data exporter is acting as a processor on behalf of a controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
(d) If the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), the data exporter is entitled to claim back from the data importer the portion of compensation corresponding to the data importer’s responsibility for the damages.
(e)Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these clauses, all responsible parties shall be jointly and severally liable. The data subject may bring an action in court against any of the responsible parties.
(f) If one Party is held liable under paragraph (e), that Party is entitled to claim back from the other Party/Parties the portion of the compensation corresponding to their responsibility for the damages.
(g)The data importer may not avoid its own liability by invoking the conduct of a sub-processor.
Clause 12
Supervision
(a) The supervisory authority responsibility for ensuring the data exporter’s compliance with Regulation (EU)2016/679 regarding the data transfer, as specified in Annex IC, shall act as the competent supervisory authority.
(b)The data importer agrees to submit to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. Specifically, the data importer agrees to respond to enquiries, submit to audits, and comply any the measures adopted by the supervisory authority, including remedial and compensatory measures. The data importer shall provide written confirmation to the supervisory authority that the necessary actions have been taken.
Clause 13
Local laws and practices affecting compliance with the clauses
(a)The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination, applicable to the processing of the personal data by the data importer-including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This understanding is based on the assumption that laws and practices which respect the essence of fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 are not in conflict with these Clauses.
(b) In providing the warranty in paragraph (a), the Parties declare that they have duly considered the following elements:
(i)the specific circumstances of the transfer as following:
-the length of the processing chain, the number of actors involved;
-the transmission channels used;
-intended onward transfers;
-the type of recipient;
-the purpose of processing,;
-the categories and format of the transferred personal data;
-the economic sector in which the transfer occurs; the storage location of the data transferred.
(ii)the laws and practices of the third country of destination including those requiring the disclosure of data to public authorities or authorizing access by such authorities-relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;
(iii)any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these clauses, including measures applied during transmission and to the processing of the personal data in the destination country.
(c)The data importer warrants that, in carrying out the assessment under paragraph(b), it has made its best efforts to provide the data exporter with relevant information and agrees to continue cooperating with the data exporter to ensure compliance with these Clauses.
(d)The Parties agree to document the assessment under paragraph(b) and to make it available to the competent supervisory authority upon request.
(e)The data importer agrees to promptly notify the data exporter if, after having agreed to these clauses and for the duration of the contract, it has reason to believe that it is, or has become, subject to laws or practices that are not aligned with the requirements under paragraph(a). This includes situations where there is a change in the laws of the third country or a measure (such as a disclosure request) that indicates the application of such laws in practice, contrary to the requirements of paragraph (a). The data exporter shall forward the notification to the controller.
(f)Following a notification pursuant to paragraph(e),or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these clauses, the data exporter shall promptly identify appropriate measures (e.g. technical and organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if necessary, in consultation with the controller. The data exporter shall suspend the data transfer if it determines that no appropriate safeguards for such transfer can be ensured, or if instructed to do so by the controller or the competent supervisory authority. In this case, the data exporter shall be entitled to terminate the contract to the extent it concerns the processing of personal data under these clauses. If the contract involves more than two parties, the data exporter may exercise this termination right only with respect to the relevant party, unless the parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 15(d) and (e) shall apply.
Clause 14
Obligations of the data importer in case of access by public authorities
14.1 Notification
(a)The data importer agrees to notify the data exporter and, where possible, the data subject promptly(with the assistance of the data exporter, if necessary) if it:
(i)receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination, for the disclosure of personal data transferred pursuant to these Clauses. Such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request, and the response provided; or
(ii)becomes aware of any direct access by public authorities to personal data transferred pursuant to these clauses, in accordance with the laws of the country of destination. Such notification shall include all available information. The data exporter shall forward the notification to the controller.
(b)If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts to demonstrate them upon request by the data exporter.
(c)Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible regarding the requests received (in particular, the number of requests, type of data requested, requesting authority/ies, whether requests have been challenged, and the outcome of such challenges, etc.).The data exporter shall forward this information to the controller.
(d)The data importer agrees to preserve the information referred to in paragraphs(a)to(c) for the duration of the contract and make it available to the competent supervisory authority upon request.
(e)Paragraphs (a)to(c) are without prejudice to the obligation under Clause 14(e) and Clause 16 to promptly inform the data exporter when it is unable to comply with these Clauses.
14.2 Review of legality and data minimization
(a)The data importer agrees to review the legality of the request for disclosure, specifically whether the request falls within the powers granted to the requesting public authority. The data importer shall challenge the request if, after careful assessment, it has reasonable grounds to consider the request unlawful under the laws of the country of destination, international law obligations, or principles of international comity. Under the same conditions, the data importer shall pursue all available appeal options. When challenging a request, the data importer shall seek interim measures to suspend the effects of the request until a competent judicial authority has decided on its merits. The data importer shall not disclose the requested personal data unless required to do so under applicable procedural rules. These requirements do not prejudice the data importer’s obligations under Clause 14(e).
(b)The data importer agrees to document its legal assessment and any challenge to the request for disclosure. To the extent permissible under the laws of the country of destination, it shall make the documentation available to the data exporter and, upon request, to the competent supervisory authority. The data exporter shall provide this assessment to the controller..
(c) When responding to a request for disclosure, the data importer agrees to provide the minimum amount of information necessary, based on a reasonable interpretation of the request.
Clause 15
Non-compliance with the clauses and termination
(a)The data importer must promptly inform the data exporter if it becomes unable to comply with these clauses, for any reason.
(b) If the data importer breaches these clauses or becomes unable to comply with them, the data exporter must suspend the transfer of personal data to the data importer until compliance is restored or the contract is terminated. This is without prejudice to Clause 13(f).
(c)The data exporter has the right to terminate the contract, insofar as it pertains to the processing of personal data under these Clauses, in the following cases:
(i)the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph(b), and compliance with these clauses is not restored within a reasonable period, and in any event, within one month of suspension;
(ii)the data importer is in substantial or persistent breach of these Clauses; or
(iii)the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these clauses.
In such cases, the data exporter must inform the competent supervisory authority and the controller of such non-compliance. Where the contract involves more than two parties, the data exporter may exercise this right to termination concerning the relevant Party, unless otherwise agreed by the parties.
(d)Personal data transferred prior to the termination of the contract pursuant to paragraph(c) shall, at the choice of the data exporter, be either immediately returned to the data exporter or deleted in its entirety. The same applies to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these clauses. In the event that local laws applicable to the data importer prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these clauses and will only process the data to the extent and for as long as required under such local law.
(e)Either Party may revoke its agreement to be bound by these Clauses if: (i)the European Commission adopts a decision pursuant to Article 45(3)of Regulation(EU) 2016/679 that covers the transfer of personal data to which these clauses apply; or(ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations that apply to the processing in question under Regulation (EU)2016/679.
Clause 16
Governing law
These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of France.
Clause 17
Choice of forum and jurisdiction
(a)Any dispute arising out of these clauses will be resolved by the courts of an EU Member State.
(b) The parties agree that the courts of France will have jurisdiction.
(c)A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which the data subject habitual residence.
(d)The Parties agree to submit to the jurisdiction of such courts.