RECITALS
WHEREAS, the Customer and Ideate entered into [SERVICE IDEATE AGREEMENT TITLE] (the "Master Agreement") that may require Ideate to process Personal Information provided by or collected for the Customer; and
WHEREAS, this Data Processing Agreement (the "DPA") sets out the additional terms, requirements, and conditions on which Ideate will obtain, handle, process, disclose, transfer, or store Personal Information when providing services under the Master Agreement;
NOW, THEREFORE, in consideration of the mutual covenants and agreements hereinafter set forth and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties hereto agree as follows:
1. Definitions and Interpretation
1.1 The following definitions and rules of interpretation apply in this DPA.
"Business Purpose" means the services described in the Master Agreement or any other purpose specifically identified in Appendix A.
"Data Subject" means an individual who is the subject of the Personal Information and to whom or about whom the Personal Information relates or identifies, directly or indirectly.
"Personal Information" means any information Ideate processes for the Customer that (a) identifies or relates to an individual who can be identified directly or indirectly from that data alone or in combination with other information in Ideate's possession or control or that Ideate is likely to have access to, or (b) the relevant Privacy and Data Protection Requirements otherwise define as personal information. Personal Information includes, but is not limited to: names, signatures, addresses, telephone numbers, email addresses, employee identification numbers, government-issued identification numbers, user identification and account access credentials or passwords, financial account numbers, credit report information, software license information, user name, user computer name, user location (city), IP address and/or other personal identifiers.
"Processing, processes, or process" means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Requirements may otherwise include in the definition of processing, processes, or process. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including, but not limited to, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.
"Privacy and Data Protection Requirements" means all applicable federal, state, local, and foreign laws and regulations relating to the processing, protection, privacy, or security of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.
"Security Breach" means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorized access, disclosure, or acquisition of Personal Information is a Security Breach whether or not the incident rises to the level of a security breach under the Privacy and Data Protection Requirements.
"Standard Contractual Clauses (SCC)" means, as applicable, the European Commission's or United Kingdom Information Commissioner’s Office’s standard contractual clauses for the transfer of personal data either from the European Union to third countries or from the United Kingdom to third countries.
1.2 This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.
1.3 The Appendices form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Appendices.
1.4 A reference to writing or written includes faxes and email.
1.5 In the case of conflict or ambiguity between: (a) any provision contained in the body of this DPA and any provision contained in the Appendices, the provision in the body of this DPA will prevail; (b) the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Appendices, the provision contained in the Appendices will prevail; (c) any of the provisions of this DPA and the provisions of the Master Agreement, the provisions of this DPA will prevail; and (d) any of the provisions of this DPA and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.
2. Personal Information Types and Processing Purposes
2.1 The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Ideate.
2.2 Appendix A describes the general Personal Information categories and related types of Data Subjects Ideate may process to fulfill the Business Purposes of the Master Agreement.
3. Ideate's Obligations
3.1 Ideate will only process, retain, use, or disclose the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's instructions. Ideate will not process, retain, use, or disclose the Personal Information for any other purpose or in a way that does not comply with this DPA or the Privacy and Data Protection Requirements. Ideate must notify the Customer if, in its opinion, the Customer's instruction would not comply with the Privacy and Data Protection Requirements.
3.2 Ideate must comply with any Customer request or instruction requiring Ideate to amend, transfer, or delete the Personal Information, or to stop, mitigate, or remedy any unauthorized processing.
3.3 Ideate will maintain the confidentiality of all Personal Information, will not sell it to anyone, and will not disclose it to third parties unless the Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires Ideate to process or disclose Personal Information, Ideate must first inform the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.4 The Customer acknowledges that Ideate is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions or the Personal Information other than as required under the Privacy and Data Protection Requirements.
4. Ideate's Personnel
4.1 Ideate will limit Personal Information access to: (a) those employees and contractors who require Personal Information access to meet Ideate's obligations under this DPA and the Master Agreement; and (b) the part or parts of the Personal Information that those employees and contractors strictly require for the performance of their duties.
4.2 Ideate will ensure that all employees and contractors are informed of the Personal Information's confidential nature and use restrictions and are obliged to keep the Personal Information confidential.
4.3 Ideate will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of Ideate's employees and contractors with access to the Personal Information.
5. Security.
Ideate must at all times implement appropriate technical, administrative, and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage, taking into account the scale and sensitivity of Ideate’s processing. Ideate must take reasonable precautions to preserve the integrity of any Personal Information it processes and to prevent any corruption or loss of the Personal Information, including but not limited to establishing effective back-up and data restoration procedures.
6. Security Breaches.
Ideate will promptly notify Customer if it becomes aware of any Security Breach. Immediately following any Security Breach, the parties will co-ordinate with each other to investigate the matter. Ideate will reasonably co-operate with the Customer in the Customer's handling of the matter.
7. Cross-Border Transfers of Personal Information
7.1 Appendix A lists all of the countries where Ideate may receive, access, transfer, or store Personal Information. Ideate must not receive, access, transfer, or store Personal Information outside the countries listed on Appendix A without the Customer's prior written consent.
7.2 If any Personal Information transfer between Ideate and the Customer requires execution of Standard Contractual Clauses in order to comply with the Privacy and Data Protection Requirements, the parties will complete all relevant details in, and execute, the most recent and up-to-date Standard Contractual Clauses, and take all other actions required to legitimize the transfer, including implementing any needed supplementary measures or supervisory authority consultations.
7.3 Ideate will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements.
8. Subcontractors
8.1 Ideate may only authorize a third party (subcontractor) to process the Personal Information if Ideate enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA.
8.2 Ideate must list all approved subcontractors in Appendix A.
8.3 Where the subcontractor fails to fulfill its obligations under such written agreement, Ideate remains fully liable to the Customer for the subcontractor's performance of its agreement obligations.
8.4 The Parties consider Ideate to control any Personal Information controlled by or in the possession of its subcontractors.
9. Complaints, Data Subject Requests, and Third Party Rights.
Ideate must notify the Customer if it receives any complaint, notice, or communication that directly relates to the Personal Information processing or to either party's compliance with the Privacy and Data Protection Requirements, including any request from a Data Subject to exercise any rights the individual may have regarding their Personal Information, such as access or deletion. Ideate will reasonably cooperate with Customer in responding to any complaint, notice, communication, or Data Subject request. Ideate must not disclose the Personal Information to any Data Subject or to a third party unless the disclosure is either at the Customer's request or instruction, permitted by this DPA, or is otherwise required by law.
10. Term and Termination
10.1 This DPA will remain in full force and effect so long as: (a) the Master Agreement remains in effect; or (b) Ideate retains any Personal Information related to the Master Agreement in its possession or control (the "Term").
10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect Personal Information will remain in full force and effect.
10.3 If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Master Agreement obligations, the parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the parties are unable to bring the Personal Information processing into compliance with the Privacy and Data Protection Requirement within the applicable required timeframe, either party may terminate the Master Agreement upon written notice to the other party.
11. Data Return and Destruction.
At the Customer's request, Ideate will give the Customer a copy of or access to all or part of the Customer's Personal Information in its possession or control in the format and on the media reasonably specified by the Customer. Except for any Personal Information Ideate has anonymized or aggregated, on termination of the Master Agreement for any reason or expiration of its term, Ideate will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this agreement in its possession or control, except for one copy that it may retain and use for audit purposes or in accordance with any law, regulation, or as required by any government or regulatory body. Ideate may only use this retained Personal Information for the required retention reason or audit purposes. Ideate may maintain and use anonymous or aggregated information indefinitely and for any purpose.
12. Records.
Ideate will keep detailed, accurate, and up-to-date records regarding any processing of Personal Information it carries out for the Customer, including but not limited to, the access, control, and security of the Personal Information, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the "Records"). One (1) time each calendar year, Ideate will, at Customer’s request, provide Customer with Records sufficient to demonstrate Ideate’s compliance with the DPA.
13. Warranties
13.1 Ideate warrants and represents that: (a) its employees, contractors, agents, and any other person or persons accessing Personal Information on its behalf are reliable and trustworthy; (b) it and anyone operating on its behalf will process the Personal Information in compliance with both the terms of this DPA and all applicable Privacy and Data Protection Requirements; and (c) it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Master Agreement's contracted services.
13.2 The Customer warrants and represents that Ideate's expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer will comply with all Privacy and Data Protection Requirements.
14. Notice
14.1 Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to:
For the Customer: [CUSTOMER DATA PRIVACY CONTACT].
14.2 Section 14.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.