This Data Processing Schedule ("DPS") represents the parties’ written agreement regarding the processing of any Personal Information, as required under Data Privacy Laws. All capitalised terms not defined below shall have the meaning set out in the Contract.
1. Definitions
1.1 As used in this DPS, the following terms shall have the meanings set out below:
"Business Contact Information" means name and surname, business email address, business telephone number, and other contact details of individuals as are relevant to the conduct of business between Sensat and the Customer;
"Contract" means the customer contract into which this Data Processing Schedule is incorporated;
"Controller Data" means any Personal Information processed by Sensat and the Customer as independent and separate controllers, such as the Business Contact Information;
"Data Privacy Laws" means applicable laws and regulations relating to the protection and processing of personal data and privacy, including (where applicable) UK Privacy Law and EU Privacy Law;
"Data Subject" means an individual who is the subject of Personal Information;
"EEA" means the Member States of the European Union plus Iceland, Liechtenstein and Norway, and for the avoidance of doubt does not include the United Kingdom;
"EU Privacy Law" means the General Data Protection Regulation (Regulation EU 2016/679), including in each case (for the avoidance of doubt) any subordinate laws or regulations relevant to privacy or data protection;
"EU Standard Contractual Clauses" or "EU SCCs" means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any other standard contractual clauses that are adopted by the European Commission and supersede, update or replace the aforementioned standard contractual clauses;
"Personal Information" means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"Processor Data" means any Personal Information processed under the Contract by Sensat as the Customer's data processor;
"Security Breach" means any breach of technical and organisational security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Processor Data;
"Services" means all services provided under the relevant Contract;
"Standard Contractual Clauses" means: (i) where the EU GDPR applies, the EU SCCs; and (ii) where the UK GDPR applies, the UK Addendum;
"Sub-processor" shall mean any data processor engaged by Sensat to assist in the processing of Processor Data in connection with the Services;
"UK Addendum" means the 'International Data Transfer Addendum to the EU Commission Standard Contractual Clauses' issued by the UK Information Commissioner under s.119A(1) of the Data Protection Act 2018;
"UK Privacy Law" means the General Data Protection Regulation (Regulation EU 2016/679) as incorporated into the laws of the United Kingdom and amended by the European Union Withdrawal Act 2018 (as amended), including in each case (for the avoidance of doubt) any subordinate laws or regulations relevant to privacy or data protection; and
the terms "data controller", "data processor", and "processing" shall have the meanings given in UK Privacy Law or EU Privacy Law (as applicable) or, if any other Data Privacy Laws instead apply to the processing of the Processor Data, shall refer to the closest analogous terms that apply under such other Data Privacy Laws.
2. Scope and application
2.1 This DPS governs access to and processing of the Personal Information in connection with the Contract. For Processor Data processed in connection with the Contract, Customer serves as the data controller and Sensat serves as the data processor.
2.2 For Controller Data, each party shall be individually and separately responsible for complying with the obligations that apply to it under Data Privacy Laws and shall, at its own cost, provide reasonable cooperation and assistance to the other party so that the other party may meet its obligations under Data Privacy Laws and to comply with the rights of data subjects.
3. Agreed terms
3.1 The Customer shall ensure that it has the right to provide the Personal Information and shall provide Users with an appropriate privacy notice that shall permit the Customer to disclose the User's Personal Information to Sensat for processing in connection with the Contract.
3.2 The Customer confirms that it has complied, and will continue to comply, with its obligations under the Data Privacy Laws in obtaining and processing Personal Information. The Customer shall retain full responsibility for the processing of any Personal Data on its behalf by Sensat. For the avoidance of doubt, it shall be the Customer’s sole responsibility to ensure the accuracy, quality and legality of Personal Information and the means by which Customer acquires such Personal Data.
3.3 Where the Customer provides Processor Data, the Customer appoints Sensat as a processor. Accordingly, Sensat shall:
(a) process Processor Data only in accordance with the Customer's documented instructions or those of the Data Subject, including to process the Processor Data: (i) as set out in this DPS; (ii) as necessary to perform its obligations under the Contract; (iii) to improve, enhance or analyse the performance of the Services, including the aggregation or anonymization of data to create Sensat Materials; (iv) to comply with applicable laws and regulations; and (v) in accordance with User and Data Subject requests;
(b) implement appropriate technical and organisational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Processor Data. Should the Customer require Sensat to apply or adapt security measures greater than those specified in Exhibit B to the DPS, then Sensat reserves the right to either: (i) reject such request; or (ii) charge for doing so;
(c) at the Customer’s request and cost, taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, to assist with the Customer's obligation to respond to requests from Data Subjects seeking to exercise their rights under Data Privacy Laws in connection with Sensat's processing of Processor Data (to the extent that the Processor Data is not accessible to the Customer through the Platform or Services);
(d) at the Customer’s request and cost, taking into account the nature of processing and the information available to Sensat, assist the Customer with its obligations under Articles 32 to 36 of the GDPR under UK Privacy Law or EU Privacy Law (as appropriate) in connection with Sensat's processing of Processor Data;
(e) ensure that personnel required to access the Processor Data are subject to a binding duty of confidentiality in respect of such Processor Data (whether statutory, contractual, or otherwise); and
(f) upon request by the Customer, delete or (at the Customer's cost) return to the Customer any such Processor Data after the end of the provision of the Services related to the processing of the Processor Data, unless applicable law requires longer storage of the Processor Data.
3.4 Sensat will allow Customer to require an audit of its compliance with this DPS if: (i) the Customer in its reasonable discretion believes that Sensat has violated a material obligation of this paragraph 3; or (ii) a competent data protection authority requests it. The Customer's rights under this paragraph shall be exercised only upon thirty (30) days' prior written notice, no more than once in any twelve (12) month period, and at the Customer's cost. Such audit will be performed by either: (i) Sensat or (ii) a suitably qualified and independent third party security auditor (the "Auditor"). In the course of an audit, the Auditor may enter Sensat's facilities (but not the facilities of Sensat’s third party providers) during normal business hours and without unreasonably impacting Sensat’s business (and in particular with no impact on IT security), and examine Sensat's work routines and technical infrastructure.
3.5 Sensat shall immediately inform the Customer if, in its opinion, it considers that an instruction from the Customer is in breach of Data Privacy Laws. Sensat shall be entitled (but not obliged) to suspend execution of the instructions concerned, until the Customer confirms such instructions in writing.
3.6 Where Sensat (or any of its Sub-processors) knows or reasonably suspects that a Security Breach has occurred, it shall notify the Customer without undue delay. Following any Security Breach, Sensat will evaluate and take corrective actions to remedy any identified deficiencies in its technical and organisational security measures.
3.7 A description of the Processor Data, setting out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, is set out in Exhibit A to the DPS.
4. International data transfers
4.1 Save for any transfer necessary to other Sensat Affiliates as provided for in this DPS, Sensat will not be entitled to transfer any Processor Data outside of the area comprising the EEA and the UK except on the instructions of, or with the prior approval of, the Customer or the Data Subject.
4.2 The Customer acknowledges and accepts that Processor Data may be transferred to and/or shared with Affiliates to support Sensat in the processing and where necessary when providing services. Sensat warrants it has entered into transfer agreements with its Affiliates no less onerous than those terms contained within this DPS including where necessary entering into EU Standard Contractual Clauses as set out in this clause 4.
4.3 Third Country Processing
4.3.1 Transfers under EU Privacy Law
If Sensat or one of its Affiliates processes Processor Data that originated in the EEA in a territory outside of the EEA that has not been designated by the European Commission as ensuring an adequate level of protection pursuant to EU Privacy Laws, then the EU Standard Contractual Clauses for transfers to processors will be deemed entered into (and incorporated in the Contract by reference) and will apply to the Processing as follows:
a) Module Two will apply;
b) in Clause 7, the optional docking Clause will not apply;
c) in Clause 9, Option 2 will apply, and the time period for prior notice of sub-Processor changes shall be 30 days;
d) in Clause 11, the optional language will not apply;
e) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland;
f) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
g) in Annex I:
(i) Part A: the name and address of the Customer shall be deemed inserted as data exporter, which shall be specified as controller and the name and address of Sensat shall be deemed inserted as data importer, which shall be specified as processor. The identity and contact details of the parties' respective DPOs shall also be deemed inserted;
(ii) Part B: with the relevant information set out in Exhibit A to this DPS; and
(iii) Part C: in accordance with the criteria set out in Clause 13(a) of the EU Standard Contractual Clauses; and
h) Annex II: with the technical and organisational measures set out in Exhibit B to this DPS.
4.3.2 Transfers under UK Privacy Law
Where the UK Privacy Law applies, the UK Addendum will apply as follows:
(a) the EU SCCs, completed as set out above, shall apply between the transferring Data Exporter and the Data Importer, and shall be modified by the UK Addendum (completed as set out in (b) below); and
(b) Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options 'Exporter' and 'Importer' shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the Effective Date of the Contract.
4.3.3 Each Party enters into this paragraph 4.3 for and on behalf of itself and all of its relevant Affiliates and warrants that it has full authority to enter into such clauses and to vary or terminate them on behalf of its Affiliates.
4.4 Transfers to Third Parties: If Sensat transfers Processor Data that originated in the EEA or the UK to a third party outside of the EEA or the UK (as appropriate) it shall take such measures as are necessary to ensure the transfer is in compliance with Data Privacy Laws. Such measures may include (without limitation) transferring the Processor Data to a recipient in a country that the United Kingdom or the European Commission (as appropriate) has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Data Privacy Laws, or to a recipient that has executed the EU Standard Contractual Clauses or UK Addendum (as appropriate) suitable for the transfer in question and contain any additional safeguards that are required in order to comply with Data Privacy Laws, and Sensat shall have the right to enter into such EU Standard Contractual Clauses or UK Addendum (as appropriate) for and on behalf of the Customer, whether on a named or an undisclosed basis.
4.5 To the extent UK Standard Contractual Clauses are required under paragraph 4.4, if the competent United Kingdom authority issues alternative standard contractual clauses to the UK Addendum, then Sensat shall use such new standard contractual clauses.
4.6 If paragraph 4.5 applies and the alternative standard contractual clauses permit a processor in the United Kingdom to transfer Personal Data to a data importer in a country outside the United Kingdom without having to act as agent for the controller, then Sensat may instead enter into those standard contractual clauses in its own right as a processor of the Processor Data.
4.7 Transfers to Customer: Where the Customer, its Affiliates, or Users are located in a third country outside of the EEA or the UK (as appropriate) that has not been designated by the European Commission or the appropriate UK supervisory authority (as appropriate) as ensuring an adequate level of protection pursuant to EU Privacy Laws or UK Privacy Laws (as appropriate), and Sensat is required to transfer Processor Data to it or them, the Customer acknowledges that Sensat may not be able to ensure that such transfer is subject to appropriate safeguards. The Customer nevertheless instructs Sensat to undertake such transfers as required for the proper provision of the Services.
4.8 In the event of any inconsistency between this DPS and the EU Standard Contractual Clauses or UK Addendum (as appropriate), the EU Standard Contractual Clauses or UK Addendum (as appropriate) shall take priority over the inconsistent provisions of this DPS in those circumstances in which they apply.
Exhibit A to the DPS: Description of transfer
Data subjects
The personal data transferred concern the following categories of data subjects:
- Employees, suppliers, contractors and authorised representatives of the Customer, and any other natural person identified as a User under the Contract.
Purposes of the transfer(s)
The transfer is made for the following purposes:
- To perform its obligations under the Contract.
- To improve, enhance or analyse the performance of the Services, including the aggregation or anonymization of data to create Sensat Materials.
- To comply with applicable laws and regulations.
- To satisfy User and Data Subject requests.
Categories of data
The personal data transferred concern the following categories of data:
- User name and surname, email address, job title, business organisation, IP address, profile picture or photo, cookies and similar tracking technologies, and credentials for accessing the Services.
Recipients
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
- Companies in the same group as the Customer: As necessary for the purposes described in, and subject to the protections set out in, this DPS.
- Sensat staff and agents: Employees, agents, advisors and independent contractors of Sensat with a reasonable business purpose for needing access to such personal data for the fulfilment of their roles and for the purposes described above.
- Sensat Affiliates: As necessary for the purposes described in, and subject to the protections set out in, this DPS.
- Third party service providers and professional advisors: Suppliers to Sensat that, in their performance of their obligations to data importer, must process such personal data acting on behalf of and pursuant to instructions from Sensat (including accountants, auditors, lawyers, IT support and hosting providers, payment processors, shipping/freight companies, returns/exchanges management providers, and similar third-party vendors and service providers assisting data importer in carrying out business activities).
- As required by applicable law: Any person (natural or legal) or organisation to whom the data importer may be required by applicable law or regulation to disclose personal data, including law enforcement authorities, central and local government.
Sensitive data (if appropriate)
The personal data transferred concern the following categories of sensitive data:
- The Customer does not anticipate the transfer of any sensitive data.
Processing operations
(A) Duration and Object of Data Processing: The duration of data processing shall be for the period designated under the Contract between the Customer and Sensat. The objective of the data processing is to provide the Services to the Customer.
(B) Scope and Purpose of Data Processing: The scope and purpose of processing personal data is described in the Contract. Elements of Sensat’s services are hosted by a sub-processor in a global network of data centres and management/support facilities, and processing will take place in the UK and the Customer's jurisdiction unless notified otherwise to Customer.
(C) Customer Data Deletion or Return: Upon expiration or termination of the Customer’s use of the Services, Sensat will delete personal data processed on behalf of Sensat except as required by law.
(D) Processing operations: Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction and any other processing operation necessary to provide the Services and perform its obligations under the Contract.
Exhibit B to the DPS: Security Policies & Management
Sensat will comply with the following minimum of technical and organisational measures.
1. Confidentiality
Physical Access Control
1.1 No unauthorised access to data processing facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV systems.
Electronic Access Control
1.2 No unauthorised use of the data processing and data storage systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media.
Internal Access Control (permissions for user rights of access to and amendment of data)
1.3 No unauthorised reading, copying, changes or deletions of data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events.
Isolation Control
1.4 The isolated processing of data, which is collected for differing purposes, e.g. multiple client support.
2. Integrity
Data Transfer Control
2.1 No unauthorised reading, copying, changes or deletions of data with electronic transfer or transport, e.g.: encryption, Virtual Private Networks (VPN), electronic signature.
Data Entry Control
2.2 Verification, whether and by whom personal data is entered into a data processing system, is changed or deleted, e.g.: logging, document management.
3. Availability and Resilience
Availability Control
3.1 Prevention of accidental or wilful destruction or loss, e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting procedures and contingency planning, rapid recovery.
4. Procedures for regular testing, assessment and evaluation
4.1 Data protection management.
4.2 Incident response management.
4.3 Data protection by design and default.
5. Other information
5.1 Further technical and organisational measures are set out in Sensat's internal information security policies, as updated or amended from time to time.