3. PROCESSING OF PERSONAL DATA
3.1. Scope. The use of the Platform by the Customer and the Customer management relationship may entail the Processing of Customer Data by Globalization Partners as a Processor or Service Provider on behalf of Customer.
3.2. Instructions. Globalization Partners will process Customer Data in accordance with Customer’s documented instructions. Customer agrees that this Addendum, the Master Agreement, and Annex I attached hereunder, comprise Customer’s complete instructions to Globalization Partners regarding the Processing of Customer Data. Any additional or alternate instructions must be agreed between the parties in writing, including the costs (if any) associated with complying with such instructions. Globalization Partners is not responsible for determining if Customer’s instructions are compliant with applicable law. However, if Globalization Partners is of the opinion that a Customer instruction infringes applicable Data Protection Laws, Globalization Partners shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.
3.3. Details of Processing. Details of the subject matter of the Processing, its duration, nature and purpose, and the type of Customer Data and data subjects are as specified in Annex I attached hereto.
3.4. Compliance. Customer and Globalization Partners agree to comply with their respective obligations under Data Protection Laws applicable to the Customer Data that is Processed as specified in Annex I. Customer has sole responsibility for complying with Data Protection Laws regarding the lawfulness of the Processing of Customer Data prior to disclosing, transferring, or otherwise making available, any Customer Data to Globalization Partners. For the avoidance of doubt, in all cases, Customer shall obtain, where required, any consents from the Data Subjects for Globalization Partners to Process Customer Data as directed by Customer.
3.5. Subprocessors. Customer authorizes Globalization Partners to appoint and use Processors (“Subprocessors”) to Process the Customer Data in connection with the Services. Subprocessors may include third parties or any member of the Globalization Partners group of companies. Globalization Partners may continue to use those Subprocessors already engaged by Globalization Partners as of the date of this Addendum, and a list of such Subprocessors is available in Annex III attached hereunder. Where a Subprocessor fails to fulfil its data protection obligations as specified above, Globalization Partners shall be liable to the Customer for the performance of the Subprocessor’s obligations. Globalization Partners shall notify Customer of any changes to its list of Subprocessors. If, within 10 (ten) days of the receipt of that notice, Customer legitimately objects to the addition or removal of a Subprocessor on data protection grounds and Globalization Partners cannot reasonably accommodate Customer’s objection, the parties will discuss Customer’s concerns in good faith with a view to resolving the matter.
3.6. Technical and organizational security measures. Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the Processing, and any other relevant circumstances relating to the Processing of the Customer Data within the Platform, Globalization Partners shall implement appropriate technical and organizational security measures to ensure security, confidentiality, integrity, availability and resilience of processing systems and services involved in the Processing of the Customer Data are commensurate with the risk in respect of such Customer Data. Globalization Partners will periodically (i) test and monitor the effectiveness of its safeguards, controls, systems and procedures and (ii) identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Customer Data, and ensure these risks are addressed.
3.7. Confidentiality. Globalization Partners shall ensure that persons authorized to access the Customer Data (i) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and (ii) access the Customer Data only upon documented instructions from Globalization Partners, unless required to do so by applicable law.
3.8. Personal Data Breach. Globalization Partners will notify the Customer without undue delay after becoming aware of a Data Breach in relation to the Processing of Customer Data and will use reasonable efforts to assist the Customer in mitigating, where possible, the adverse effects of any Data Breach.
3.9. International Transfers. Globalization Partners is authorized, in the normal course of business, to make worldwide transfers of Customer Data to its affiliates and/or Subprocessors. When making such transfers, Globalization Partners shall ensure appropriate protection is in place to safeguard the Customer Data transferred under or in connection with the Master Agreement, as following:
-
3.9.1. Where Globalization transfers Customer Data to countries outside the EEA (which are not subject to an adequacy decision under Privacy Laws), Globalization Partners shall execute and comply with its obligations under the EU SCCs, which are incorporated into this Addendum by this reference and completed as follows:
-
Module 2 (Controller to Processor) will apply where Customer is a Controller of Personal Data and Globalization Partners is a Processor of Personal Data;
-
in Clause 7, the optional docking clause will apply;
-
in Clause 9, option 2 will apply with 10 days;
-
in Clause 11, the optional language will not apply;
-
in Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Agreement;
-
in Clause 17, Option 1 will apply, EU SCCs will be governed by Irish Law;
-
in Clause 18(b), disputes shall be resolved before the courts of Ireland;
-
Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Addendum;
-
Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Addendum; and
-
Annex III of the EU SCCs shall be deemed completed with the information set out in Annex III to this Addendum.
-
3.9.2. In relation to Customer Data that is protected by the UK GDPR, the Parties are lawfully permitted to rely on the EU SCCs for Restricted Transfers from the United Kingdom subject to the UK Addendum which is incorporated into this Addendum by this reference and completed as defined in Annex IV attached hereto. If this section 3.9.2 does not apply, then Globalization Partners Exporting Company and the Customer shall cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK GDPR without undue delay.
-
3.9.3. Nothing in the interpretations in this Section 3.9 is intended to conflict with either Party’s rights or responsibilities under the EU SCCs and/or the UK Addendum and, in the event of any such conflict, the EU SCCs and/or the UK Addendum, as applicable, shall prevail.
3.10. Deletion of Personal Data. Upon termination of the Services (for any reason) and if requested by Customer in writing, Globalization Partners shall, as soon as reasonably practicable, return or delete the Customer Data stored in the Platform unless applicable law requires storage of the Customer Data for a longer period. For such retention the provisions of this Addendum shall continue to apply to such Customer Data.
3.11. Data Subject Requests. Globalization Partners shall promptly inform Customer of any Data Subjects’ requests regarding Customer Data. Customer is responsible for responding to such requests. Globalization Partners will reasonably assist Customer to respond to such Data Subject requests to the extent that Customer is unable to access the relevant Customer Data in its use of the Platform.
3.12. Third party requests. If Globalization Partners receives any requests from third parties or an order of any court, tribunal, regulator or government agency with competent jurisdiction to which Globalization Partners is subject relating to the Processing of Customer Data under the Agreement, Globalization Partners will promptly redirect the request to the Customer. Globalization Partners will not respond to such requests without Customer’s prior authorization unless legally compelled to do so. Globalization Partners will, unless legally prohibited from doing so, inform the Customer in advance of making any disclosure of Customer Data and will reasonably co-operate with Customer to limit the scope of such disclosure to what is legally required.
3.13. Data Protection Impact Assessment and Prior Consultation. To the extent required by Data Protection Laws, Globalization Partners shall provide reasonable assistance to Customer to carry out a data protection impact assessment in relation to the Processing of Customer Data undertaken by Globalization Partners and/or any required prior consultation(s) with supervisory authorities. Globalization Partners reserves the right to charge Customer a reasonable fee for the provision of such assistance.
3.14. Demonstrating Compliance. Globalization Partners regularly conducts external audits on organization’s security, availability, processing integrity, confidentiality and privacy controls and will provide Customer with a copy of the most recent summary audit report or certification upon written request. If the Customer prefers to conduct its own audit in addition to the provided third party certifications or reports, such audit shall be conducted: i) no more than once per each 12 (twelve) months period; ii) during normal business hours and without disrupting Globalization Partners’ day-to-day business; iii) with thirty (30) days prior written notice; iv) at the Customer’s sole expense (including Globalization Partner’s time spent assisting the Customer during the audit based on the daily rate of a security manager); v) based upon mutually agreed parameters and scope, limited to the specific scope of services, systems in use and/or processing activities contemplated and be specific to the actual requirement; vi) based upon mutually agreed in advance date, subject to reasonable postponement by Customer upon Globalization Partners’ reasonable request; and vii) in accordance with all confidentiality obligations and restrictions. Notwithstanding the forgoing, no audit right is granted after termination of the Master Agreement, except for legal obligations that will have to be demonstrated by the Customer. Any third-party representative selected to perform an audit on behalf of Customer must not have an ownership interest in or affiliation with an EOR Services agency, a related organization or consultant.
3.15. No Information Selling. Globalization Partners shall not derive or exercise any rights or benefits regarding Personal Data except as provided in this Addendum . For the avoidance of doubt, Globalization Partners will not retain, use, share or disclose Customer Data for any purpose other than for the specific purpose of providing the Platform to the Customer in accordance with the Master Agreement. Globalization Partners shall not sell any Personal Data, as the term “sell” is defined in the CCPA. Globalization Partners represents and warrants that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from taking any action that would cause any transfers of Personal Data to or from Globalization Partners to qualify as “selling personal information” under the CCPA.