DATA PROCESSING ADDENDUM

This Data Processing Addendum (the “Addendum”) is made as of the date of the Client’s signature below

BETWEEN:

(1)            The "Client" as identified on the signature page of this Addendum or as otherwise identified in an executed Agreement that explicitly incorporates this Addendum; and

(2)            Each Diligent Group Entity which is party to an Agreement (as defined below) with Client (each hereinafter referred to as “Vendor”).

            (Client and Vendor together "the Parties" and separately "a Party")

CONSTRUCTION OF THIS ADDENDUM:

Where (1) Client is incorporated in any member state of the European Economic Area ("EEA"), Switzerland, or the United Kingdom, or is otherwise subject to Data Protection Laws, and transfers Personal Data directly or via onward transfer to Vendor, (2) Vendor is incorporated in any member state of the EEA, Switzerland, or the United Kingdom, or is otherwise subject to Data Protection Laws, and transfers Personal Data directly or via onward transfer to Client, or (3) where Client will make available to Vendor any Personal Data regulated by the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”), the following terms in this Addendum shall be incorporated into and form part of an agreement for Vendor’s online services (including professional services or related components delivered by Vendor) (“Agreement”) between Client and Vendor, and the Agreement and this Addendum shall be read as one document. In the event of conflict with any other terms of the Agreement, this Addendum shall prevail. For the avoidance of doubt, this Addendum need not be separately executed by the Parties if this Addendum is already explicitly incorporated into a fully executed Agreement, in which event the Parties’ signature to such Agreement shall be deemed signature to this Addendum. 

The Parties enter into this Addendum with respect to the Personal Data (1) that is provided to Vendor by or on behalf of Client and which is Processed by Vendor as Processor, or (2) that is shared between the Parties on a Controller to Controller basis. In the event that Data Protection Laws are amended, replaced or repealed, the Parties shall where necessary negotiate in good faith a solution to enable the transfer of Personal Data to be conducted in compliance with Data Protection Laws. 

For the avoidance of doubt, if the Client is not a party to an Agreement with any Diligent Group Entity, this Addendum is void and of no effect. The Client should request that a Client entity who is a party to an Agreement with a Vendor entity execute this Addendum. For the avoidance of doubt, only the Diligent Group Entity that is a party to an Agreement with Client shall be a Party to this Addendum.

1.         DATA PROTECTION

A               Vendor shall act as a Processor when Processing any Personal Data contained within Client Data or User Data provided to it by Client for the purposes of (a) providing the software-as-a-service subscription purchased by Client under the Agreement, and/or any other services Vendor provides under the Agreement, or (b) otherwise performing Vendor’s obligations under the Agreement (the “Services”). In these circumstances, Vendor shall:

(1)            process the Personal Data on behalf of Client only in accordance with the Agreement, this Addendum, Client’s written instructions, and Data Protection Laws; and 

(2)            not collect, retain, use, disclose, or sell the Personal Data for any other purpose. For the avoidance of doubt, Client instructs Vendor to Process the Personal Data as reasonably necessary and proportionate to achieve Client’s and Vendor’s business purposes to the extent permitted by Data Protection Laws.

B               Vendor agrees that it will, to the extent required by applicable Data Protection Laws when acting as a Processor in the provision of the Services:

(1)            process the Personal Data only for the purpose of providing the Services or as otherwise instructed in writing by Client. If Vendor is legally required to process Personal Data otherwise than as instructed by Client, it will notify Client before such processing occurs, unless the law requiring such processing prohibits Vendor from notifying Client;

(2)            inform Client if any instruction contradicts any legal requirements to which Vendor is subject;

(3)            keep all Personal Data confidential as required under the Agreement and ensure that persons authorised by Vendor to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(4)            provide access to Personal Data only to those of its employees, Affiliates or Subprocessors who need access to such data for the purposes set out in clause 1.A;

(5)            take appropriate technical and organizational security measures designed to safeguard Personal Data against unauthorized access, destruction, disclosure, transfer, or other improper use;

(6)            provide Client with access to the Personal Data which have been provided by Client to enable Client to comply with its obligations to Data Subjects exercising their rights under Data Protection Laws.  Vendor shall refer such Data Subjects to Client and shall also, at the request of Client, use its reasonable endeavors to either (a) amend, correct, delete, add to, cease using or restrict the use of Personal Data relating to such Data Subjects to ensure that their Personal Data are accurate and complete or (b) provide the Client with the ability to directly amend, correct, delete, add to, cease using or restrict the use of Personal Data relating to such Data Subjects through the Services;

(7)            promptly notify Client of any accidental or unauthorized access, destruction, disclosure, transfer of Personal Data that have been supplied by Client, after Vendor becomes aware of any such access, destruction, disclosure, transfer or other improper use, or of any complaints by individuals or third parties that involve or pertain to such Personal Data, and shall, taking into account the nature of the Processing and the information available to Vendor, provide such assistance to Client as may be reasonable in the circumstances to enable Client to meet its obligations to notify any Supervisory Authority or any other regulatory or governmental authorities or Data Subjects of such event where Client is required to do so by law;

(8)            taking into account the nature of the Processing and the information available to Vendor, use reasonable endeavors to assist Client (a) in complying with Client’s obligation to implement appropriate technical and organizational security measures; and (b) in relation to any privacy impact assessments or consultations with Supervisory Authorities about the Processing of Personal Data in the context of the provision of the Services or any inquiry, complaint or claim in relation to the Processing by Vendor of Personal Data provided by Client;

(9)            make available to Client all information necessary to demonstrate that Vendor is in compliance with Data Protection Laws;

(10)         allow Client to audit Vendor by receiving reasonably reliable documentation regarding the adequacy of the Processing by the Vendor of Personal Data on behalf of the Client.  Such documentation may: (a) be an annual SOC2 (or subsequent successor) audit of the Vendor's security policies and procedures; (b) be in accordance with ISO 27001 standards or such alternative standards that are substantially equivalent to ISO 27001; or (c) otherwise provide for demonstrable assurances of adequacy of the data processing facilities used by the Vendor to Process Personal Data on behalf of the Client, including penetration tests or vulnerability scans ("Audit Report"). If the Client requests in writing, Vendor will provide the Client with a copy of the Audit Report or related documentation so that the Client can reasonably verify the Vendor's compliance with the security obligations under Data Protection Laws. Unless otherwise required by a Supervisory Authority or mutually agreed by the Parties in writing, any audit of Vendor shall be limited to the provision of the Audit Report;

(11)         at the termination of the Agreement or this Addendum, at Client's election, delete or return the Personal Data to Client, provided that Client acknowledges and agrees that any Personal Data stored within the software-as-a-service offerings provided by Vendor to Client shall be deleted either as specified within the Agreement or, if the Agreement is silent, within thirty (30) days of termination of the Agreement; and

(12)         the Client acknowledges and agrees that Vendor may retain Affiliates and other third parties as Subprocessors in connection with this Agreement, having imposed on such Subprocessors substantially similar data protection obligations as are imposed on Vendor under this Agreement.  Vendor shall remain liable to the Client for the acts and omissions of the Subprocessors under this Agreement as if they were Vendor’s own acts and omissions.  Any updates to Subprocessors are available at https://diligent.com/gdpr-subscription or a successor website as made available by Vendor for this purpose and notified to Client (the “Subprocessor Site”). Client may be informed of new Subprocessors by visiting the Subprocessor Site or by subscribing for Subprocessor updates using the process outlined on the Subprocessor Site. In the event Vendor adds or replaces a Subprocessor, Client may object to the use of a new Subprocessor by sending a notification to privacy@diligent.com within ten (10) business days of receipt of notice of a new Subprocessor provided that the Client reasonably believes that use of such Subprocessor presents an unreasonable risk to or prevents the Client from complying with applicable law. If Client so objects, Vendor shall either (a) not use the new Subprocessor to process the Client Personal Data or (b) shall find an alternative way of reasonably resolving Client’s objection. If neither (a) nor (b) is reasonably feasible within thirty (30) days of receipt of Client’s objection, then Client shall either rescind its objection or may terminate any services for which the new Subprocessor would be used by providing written notice to Vendor at the address for notices indicated in the Agreement. For the avoidance of doubt, in the event Client does not object to a new Subprocessor in accordance with this clause, Client shall be deemed to have consented to the new Subprocessor.

C              Controller Relationships

(1)            Clauses 1.A, B, and E do not apply where Vendor is acting as a Controller. Vendor may make available certain Services that enable the Client to access Content. To the extent that Client Processes any Personal Data contained within such Content, the relationships of the Parties shall be that of independent Controllers with respect to such Personal Data (and not joint controllers as defined under the GDPR) and each Party shall comply with its respective obligations under the Data Protection Laws and any applicable privacy policy. 

(2)            To the extent that Client Processes any Personal Data contained within such Content, Client agrees and warrants that it will:

(a)            process Personal Data contained within the Content for the purposes of its obligations under this Addendum or Agreement and in accordance with Data Protection Laws;

(b)            not share any Personal Data contained within the Content with any third party without Vendor's prior consent or authorization;

(c)            ensure that any Personal Data contained within the Content is processed fairly, lawfully, and in a transparent manner;

(d)            provide reasonable cooperation and assistance to Vendor, upon Vendor's request, in relation to Personal Data contained within the Content, including complaints or requests from Data Subjects to exercise their rights, or any request, instruction, complaint, investigation or audit by any Supervisory Authority;

(e)            notify Vendor without undue delay upon becoming aware of any Personal Data Breach affecting any Personal Data contained within the Content and take reasonable action to minimize the impact of such event and prevent such event recurring; and

(f)             implement and maintain appropriate technical and organizational measures to protect any Personal Data within the Content against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

(3)            To the extent that Vendor Processes Personal Data provided to it by Client for purposes other than as set forth in clause 1.A above, Vendor acknowledges that it will be a Controller of that Personal Data, and Vendor agrees to Process such Personal Data in accordance with Data Protection Laws.

(4)            Where the Vendor, acting as a Controller (and as Data Exporter), transfers Personal Data that is subject to the GDPR, Swiss law, or United Kingdom law to the Client (as Data Importer) in accordance with Clause 1.C(1), and the Client is located and/or Processes the Personal Data in a country outside the EEA which is not considered under an adequacy decision of the European Commission to provide for a level of data protection as considered adequate in the European Union, the Parties shall transfer such Personal Data in accordance with the Transfer Clauses (Module 1), which are incorporated herein by reference, and Data Protection Laws. 

D              In relation to all Personal Data provided by Client to Vendor for Processing under the Agreement, Client shall ensure that:

(1)            where consent is required for Vendor’s Processing under applicable Data Protection Laws, all relevant Data Subjects have consented (in accordance with applicable Data Protection Laws) to their Personal Data being disclosed to Vendor for Processing in accordance with the Agreement;

(2)            the disclosure of Personal Data by Client to Vendor will be in each case and in all respects lawful; 

(3)            notice of the disclosure of their Personal Data to Vendor for Processing in accordance with the Agreement and this Addendum will be provided to all relevant Data Subjects (including any Users) prior to any such disclosure and, if requested by Vendor, Client shall provide evidence that it has provided such notice;

(4)            Client complies with, and represents and warrants that it has complied with, applicable Data Protection Laws in relation to the disclosure of such Personal Data to Vendor, its use of the Services and the performance of the Agreement by Client and its Users;

(5)            it shall not, by any act or omission, put Vendor or any of its Affiliates or subsidiaries in breach of any Data Protection Laws; and

(6)            it shall do and execute, or arrange to be done and executed, each act, document and thing necessary or desirable in order to comply with this clause 1.D.

E               Export of Personal Data and Country/Territory Specific Provisions

(1)            Where Client provides Personal Data to Vendor in order for Vendor to provide the Services in the circumstances described in clause 1.A, Vendor is a Processor in respect of that Personal Data, and Client and Vendor shall only transfer such Personal Data in accordance with the Data Protection Laws. 

(2)            To the extent that the provision of the Services in accordance with clause 1.E(1) involves the transfer of Personal Data that is subject to the GDPR, Swiss law, or United Kingdom law by Client (as Data Exporter) to Vendor (as Data Importer) outside the EEA (either directly or via onward transfer), and Vendor is not located in a country which has been recognised by the European Commission as offering an adequate level of protection for Personal Data transferred to it, the Parties agree to either (a) comply with the terms of Module 2 of the Transfer Clauses (where Client acts as a Controller) or Module 3 of the Transfer Clauses (where Client acts as a Processor retaining Vendor as an additional Processor),  which Transfer Clauses are incorporated herein by reference; or (b) otherwise Process such Personal Data using a valid transfer mechanism in accordance with Data Protection Laws.

(3)            Where the Vendor, acting as a Processor (and as Data Exporter), transfers Personal Data that is subject to the GDPR to the Client acting as a Controller (and as Data Importer), and the Client is located and/or Processes the Personal Data in a country which is not considered under an adequacy decision of the European Commission to provide for a level of data protection as considered adequate in the European Union, the Parties shall transfer such Personal Data in accordance with the Transfer Clauses (Module 4), which are incorporated herein by reference, and Data Protection Laws.

(4)            Where Modules 1, 2 or 3 of the Transfer Clauses would otherwise apply under this Agreement but the Client is in a non-EEA country in which the local Data Protection Laws do not recognize the Transfer Clauses as a lawful transfer mechanism (but instead still recognize the Legacy Transfer Clauses for restricted transfers of Personal Data to or from Vendor or its Subprocessors located outside such non-EEA country), such transfers will be governed by (a) the Legacy C-to-P Transfer Clauses where Modules 2 or 3 would otherwise apply under this Agreement; and (b) the Legacy C-to-C Transfer Clauses where Vendor is transferring Personal Data to the Client where Module 1 would otherwise apply under this Agreement. For the avoidance of doubt, as soon as the Transfer Clauses are recognized by local Data Protection Laws in the relevant non-EEA country, such transfers shall be governed solely by the applicable Module of the Transfer Clauses.

F              Transfer Clauses

(1)            Where the Transfer Clauses apply under this Addendum:

(a)            Client and Vendor agree to observe the terms of the Transfer Clauses without modification and the Transfer Clauses shall be considered to be duly executed by the Parties immediately upon the date on which this Addendum enters into force;

(b)            the rights and obligations afforded by the Transfer Clauses will be exercised in accordance with the terms of this Addendum; in case of any conflict between the terms of the Transfer Clauses and any other part of this Addendum or the Agreement, the Transfer Clauses shall prevail; 

(c)            the Parties elect to add the optional Clause 7 (Docking Clause) of the Transfer Clauses and do not elect to add the additional optional language under Clause 11(a) (Redress) of the Transfer Clauses;

(d)            for purposes of Clause 17 (Governing Law) of the Transfer Clauses, the Parties elect Option 1, and the Parties agree that this shall be the law of the Republic of Ireland;

(e)            for purposes of Clause 18 (Choice of Forum and Jurisdiction) of the Transfer Clauses, the Parties agree that any dispute arising from these Clauses shall be resolved by the courts of an EU Member State. The Parties agree that those shall be the courts of the Republic of Ireland.

(f)             the Parties' signature to this Addendum or an Agreement that explicitly incorporates this Addendum shall be considered as signature to the Transfer Clauses;

(g)            if so required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Transfer Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required; and

(h)            in the event that the Transfer Clauses are amended, replaced or otherwise invalidated by the European Commission or under the Data Protection Laws, the Parties shall work together in good faith to enter into any updated version of such Transfer Clauses or negotiate in good faith a solution to enable a transfer of the Personal Data to meet the requirements of Chapter V of the GDPR.

(2)            In addition, with respect to Module 2 and/or Module 3 of the Transfer Clauses, the following additional provisions shall apply:

(a)            the Parties agree that the certification of deletion of Personal Data that is described in Clause 8.5 of the Transfer Clauses shall be provided by the Data Importer to the Data Exporter only upon Data Exporter’s written request; 

(b)            the Parties agree that the audits described in Clause 8.9 of the Transfer Clauses shall be carried out in accordance with clause 1.B(9) and (10) of this Addendum; and

(c)            for purposes of Clause 9(a) of the Transfer Clauses, the Parties elect Option 2 (General Written Authorisation), it being understood that Client provides the general authorisation and instruction for the engagement of the Subprocessors from the agreed list of Subprocessors available on the Subprocessor Site, and the Parties agree to observe the provisions set out in clause 1.B(12) of this Addendum in relation to any additions or replacements of Subprocessors on such list; for purposes of Clause 9(a) of Module 3 of the Transfer Clauses, where Client acts as Processor, the Client (1) warrants that it has the authority to provide such general authorisation and instruction on behalf of the Controller, and (2) agrees to inform the Controller of any addition or replacement of Subprocessors on the agreed list for and on behalf of Vendor (thereby enabling the Vendor to comply with its obligation under Clause 9(a) of the Transfer Clauses);

(d)            for purposes of Clause 8.6(c) and (d) (Security of Processing) of Module 3 of the Transfer Clauses, where Client acts as Processor, the Parties acknowledge and agree that it will not be appropriate and feasible for Vendor to directly notify the Controller of a Personal Data Breach concerning Personal Data Processed by Vendor under the Transfer Clauses, and Client agrees to forward to the Controller any such notification of a Personal Data Breach without undue delay.

(e)            for purposes of Clause 8.9 (Documentation and Compliance) of Module 3 of the Transfer Clauses, where Client acts as Processor, Client agrees that all inquiries from the Controller shall be provided to Vendor by the Client (for and on behalf of the Controller) and, except as determined necessary by Vendor to ensure that inquiries are promptly and adequately dealt with, all relevant communication shall be handled solely via the Client. In case Vendor receives an inquiry directly from the Controller, it shall promptly forward the inquiry to the Client.

(f)             for purposes of Clause 10 of Module 3 (Data Subject Rights) of the Transfer Clauses, where Client acts as Processor, the Parties acknowledge and agree that it will not be appropriate for Vendor to directly notify the Controller of any request it has received from a Data Subject, and Client agrees to promptly forward to the Controller any such notification and to be primarily responsible to assist the Controller in fulfilling the relevant obligations to respond to any such request, it being understood that Vendor will provide assistance and cooperation to Client in accordance with this Addendum.

(g)            for the avoidance of doubt, Vendor’s relationships with Subprocessors may still be governed by previous iterations of the Transfer Clauses as of the date of this Addendum, and this shall not be treated as a breach of this Addendum or the Agreement until such time as such previous iterations are no longer recognized as having legal impact under GDPR;

(h)            for purposes of Clause 13 of the Transfer Clauses, Client acknowledges that it must identify a competent supervisory authority on the signature page of this Addendum (which is incorporated into Annex I.C of the Transfer Clauses) and accordingly, if Client does not so identify a competent supervisory authority on the signature page of this Addendum, the Parties agree that competent supervisory authority as determined by Clause 13(a) of the Transfer Clauses shall be deemed completed on the signature page of this Addendum (and be incorporated into Annex I.C of the Transfer Clauses); and

(i)              Schedules 1 and 2 of this Addendum shall serve as Annexes I and II respectively of the Transfer Clauses.

(3)            In addition, with respect to Module 1 of the Transfer Clauses, the following additional provisions shall apply:

(a)         Schedule 3 of this Addendum shall serve as Annex I of the Transfer Clauses.

(4)            In addition, with respect to Module 4 of the Transfer Clauses, the following additional provisions shall apply:

(a)        Schedule 4 of this Addendum shall serve as Annex I of the Transfer Clauses.

(5)            Where either set of the Legacy Transfer Clauses apply under this Addendum:

(a)            Client and Vendor agree to observe the terms of the Legacy Transfer Clauses without modification and the Legacy Transfer Clauses shall be considered to be duly executed by the Parties immediately upon the date on which this Addendum enters into force;

(b)            in case of any conflict between the terms of the applicable Legacy Transfer Clauses and any other part of this Addendum or the Agreement, the Legacy Transfer Clauses shall prevail; 

(c)            the names and addresses of Client and Vendor shall be considered to be incorporated into the Legacy Transfer Clauses; 

(d)            the Parties' signature to this Addendum or an Agreement that explicitly incorporates this Addendum shall be considered as signature to the Legacy Transfer Clauses;

(e)            Client and Vendor shall also either (i) comply with the provisions of the Legacy Transfer Clauses or (ii) otherwise Process Personal Data using a valid transfer mechanism in accordance with Data Protection Laws in all cases where Personal Data which were originally exported in the circumstances described in 1.E(4) above are subsequently re-exported to another country that has not been found to provide adequate protection with respect to the Processing of Personal Data by the European Commission; and

(f)             where Legacy Transfer Clauses apply, if so required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Legacy Transfer Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required.

(6)            In addition, with respect to the Legacy C-to-P Transfer Clauses, the following additional provisions shall apply:

(a)             the Parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Legacy C-to-P Transfer Clauses shall be provided by the Data Importer to the Data Exporter only upon Data Exporter’s written request; 

(b)             the Parties agree that the copies of the Subprocessor agreements that must be sent by the Vendor to the Client pursuant to Clause 5(j) of the Legacy C-to-P Transfer Clauses may have all commercial information, or clauses unrelated to the Legacy C-to-P Transfer Clauses or their equivalent, removed by the Vendor beforehand; and, that such copies will be provided by Vendor only upon reasonable written request by Client;

(c)             the Parties agree that the audits described in Clauses 5(f) and 12(2) of the Legacy C-to-P Transfer Clauses shall be carried out in accordance with clause 1.B(9) and (10); and

(d)             the governing law in Clause 9 of the Legacy C-to-P Transfer Clauses shall be the law of the country in which the Client is established;

(e)             Schedules 1 and 2 of this Addendum shall serve as Appendix 1 and 2 respectively of the Legacy C-to-P Transfer Clauses.

(7)            In addition, with respect to the Legacy C-to-C Transfer Clauses, the following additional provisions shall apply:

(a)            Schedule 3 shall serve as Annex B of the Legacy C-to-C Transfer Clauses; and

(b)            for purpose of Section II(h) of the Legacy C-to-C Transfer Clauses, the data importer will process the personal data in accordance with the data processing principles set forth in Annex A of the Legacy C-to-C Transfer Clauses, and the Vendor’s signature to this Addendum or an Agreement that explicitly incorporates this Addendum shall be considered as confirmation of Vendor’s initials in respect of option “(iii)” chosen in clause II(h) of the Legacy C-to-C Transfer Clauses.

            G         For the purposes of this Addendum: 

(1)           "Affiliate" means, with respect to any legally recognizable entity, any other entity Controlling, Controlled by, or under common Control with such entity.  “Control” means direct or indirect (i) ownership of more than fifty percent (50%) of the outstanding shares representing the right to vote for members of the board of directors or other managing officers of such entity, or (ii) for an entity that does not have outstanding shares, more than fifty percent (50%) of the ownership interest representing the right to make decisions for such entity.  An entity will be deemed an Affiliate only so long as Control exists.

(2)           "Client Data" means all data uploaded by the Client using the software-as-a-service offerings purchased by the Client;

(3)           "Content" means any data, data structure, metadata, metrics, charts, graphs, literature, or other content in any form and/or any derivatives thereof that are made available by Vendor within any of its Services, including, where applicable, all updates delivered thereto (but at all times excluding Client Data);

(4)           the terms "Controller", "Personal Data Breach", “Processor”, "Process(ing)", and "Data Subject", with respect to Personal Data subject to the GDPR, each have the meaning given to such terms in the GDPR, and with respect to all other Personal Data, “Controller” means the entity responsible for deciding the purpose and means for Processing Personal Data and “Processor” means the entity that Processes Personal Data on behalf of the Controller. Any references to Vendor as a “Processor” shall include, as applicable, Vendor as a “service provider” as that term is defined in the CCPA;

(5)           the terms "Data Exporter" and "Data Importer" have the meaning given to them in the Transfer Clauses;

(6)           the term "Data Protection Laws" means any applicable laws, regulations, or other binding obligations (including any and all legislative and/or regulatory amendments or successors thereto), each as updated from time to time, of the European Union, the EEA, Switzerland, the United Kingdom, the United States, or any other jurisdiction that govern or otherwise apply to Personal Data Processed under the Agreement, including the GDPR and the CCPA;

(7)           the term "Diligent Group Entity" shall mean each of those entities which has signed this Addendum or an Agreement that explicitly incorporates this Addendum, such entities being Diligent Corporation, Diligent Canada Inc., Diligent Boardbooks Limited, Diligent Boardbooks GmbH, AMA Partners B.V., Diligent APAC Board Services Pte Ltd, Diligent Software Pty Ltd, Diligent Board Services Australia Pty Ltd, and Diligent Board Member Services NZ Limited;

(8)           “Personal Data” means any information that relates to, identifies, describes, is capable of being associated with, or could reasonably be linked to, directly or indirectly, an identified or identifiable individual, or to the extent applicable under Data Protection Laws, an identified or identifiable household;

(9)           "Services" shall have the meaning described in clause 1.A;

(10)         "Subprocessor" means a Processor appointed by Vendor to assist with the provision of the Services to the Client or the performance of Vendor’s obligations under the Agreement; 

(11)         the term “Supervisory Authority” shall mean the data protection authority in the applicable Member State of the European Union and the equivalent authorities in each other state within the EEA, Switzerland, the United Kingdom or any other jurisdiction whose Data Protection Laws apply to the Processing of the Personal Data subject to this Addendum; 

(12)         the term “GDPR" shall mean European Union Regulation 2016/679 and includes any relevant implementing measure in each relevant Member State, or any successor legislation thereto; 

(13)         the term "Legacy C-to-C Transfer Clauses" shall mean the Standard Contractual Clauses for the Transfer of Personal Data to Controllers Established in Third Countries approved by EC Commission Decision of 27 December 2004;

(14)         the term "Legacy C-to-P Transfer Clauses" shall mean the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries approved by EC Commission Decision of 5 February 2010;

(15)         the term "Legacy Transfer Clauses" means, as the context requires, the "Legacy C-to-P Transfer Clauses" and/or "Legacy C-to-C Transfer Clauses";

(16)         the term "Transfer Clauses" shall mean the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021;

(17)         "User Data" means any Personal Data of Users which is required to provide the Services, such as User ID, User type, name, company affiliation, contact information (business address, phone number, and email address); and

(18)         “User” means any individual authorized to make use of the Services pursuant to the Agreement.

(19)         Any capitalized terms not defined in this clause 1.G shall be defined as they are under the Agreement.

2.         GOVERNING LAW AND MISCELLANEOUS

The Parties will enter into all such additional agreements or terms as may be necessary to ensure the lawful Processing of Personal Data for the purposes of Data Protection Laws and the Agreement and to ensure the receipt of all necessary approvals for such Processing from appropriate regulatory authorities where applicable, and will co-operate with each other as reasonably necessary in order to obtain such approvals or execute such additional agreements or terms as soon as reasonably possible. Except with respect to the Transfer Clauses, this Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed in all respects by, and construed in accordance with, the governing law of the Agreement.

Except as otherwise stated herein, this Addendum shall supersede and replace all previous provisions of the Agreement related to Data Protection Laws. Any pre-existing audit rights are superseded by clause 1.B(9) and (10) of this Addendum. 

Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

IN WITNESS WHEREOF, the Parties hereto, each acting under due and proper authority, have executed this Addendum as of the date of last signature.  The Parties agree that execution of this Addendum via an electronic signature process shall constitute valid execution hereof.

Client

Legal Name: ________________________

Signature: __________________________

Print Name: __________________________

Title: __________________________

Date: __________________________

Address*: _______________________

_______________________________

Contact Person’s Name*: _________________

Contact Person’s Position*: _______________

Contact Person’s Address*: _______________

_____________________________________

Competent EU Supervisory Authority for purposes of Modules 2 and/or 3 of the Transfer Clauses:

_____________________________________

*If blank, these fields shall be deemed to be the same as the address and notice contact of the Client entity under the Agreement

Diligent Corporation

Signature: __________________________

Print Name: _________________________

Title: __________________________

Date: __________________________

Address: 111 West 33rd Street, 16th Floor, New York, NY 10120, USA

 

Diligent Canada Inc.

Signature: ___________________________

Print Name: __________________________

Title: __________________________

Date: __________________________

Address: C/O SE Corporate Services Ltd, Suite 1700, Park Place, 666 Burrard Street, Vancouver BC V6C 2X8, Canada

Diligent APAC Board Services Pte Ltd

Signature: __________________________

Print Name: _________________________

Title: __________________________

Date: __________________________

Address: 6 Raffles Boulevard, Marina Square, #03-308, Suite 3102, Singapore 039594

 

 

             

Diligent Boardbooks GmbH

Signature: ___________________________

Print Name: __________________________

Title: __________________________

Date: __________________________

Address: c/o Hogan Lovells International LLP, Karl-Scharnagl-Ring 5 80539, Munich, Germany

Diligent Software Pty Ltd

Signature: __________________________

Print Name: _________________________

Title: __________________________

Date: __________________________

Address: B4 Century Square, Heron Crescent, Century City 7441, South Africa

 

Diligent Board Services Australia Pty Ltd

Signature: ___________________________

Print Name: __________________________

Title: __________________________

Date: __________________________

Address: Suite 01, Level 46, 25 Martin Place, Sydney NSW 2000, Australia

Diligent Board Member Services NZ Limited

Signature: __________________________

Print Name: _________________________

Title: __________________________

Date: __________________________

Address: Level 1, 518 Colombo Street, Christchurch, 8011, New Zealand

Diligent Boardbooks Limited

Signature: __________________________

Print Name: __________________________

Title: __________________________

Date: __________________________

Address: 1 Northumberland Avenue, Trafalgar Square, London WC2N 5BW, United Kingdom

AMA Partners B.V.

Signature: __________________________

Print Name: _________________________

Title: __________________________

Date: __________________________

Signature: __________________________

Print Name: _________________________

Title: __________________________

Date: __________________________

Address: 1 Northumberland Avenue, Trafalgar Square, London WC2N 5BW, United Kingdom

 

             

SCHEDULE 1

Details of the processing activities

 

 

This Schedule forms part of the Addendum and also serves as Annex I to Module 2 and/or Module 3 of the Transfer Clauses.

A. List of Parties

 

Data Exporter

Name: the Client entity as identified on the signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum.

Address: as identified on the signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum.

Contact person’s name, position and contact details: as identified on this signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum.

Activities relevant to the data transferred under Module 2 and/or 3 of the Transfer Clauses:

Client shall be providing Personal Data as necessary to receive the Services pursuant to the Agreement and this Addendum, and as Vendor is further instructed by Client in writing in its use of the Services, specifically including Processing as reasonably necessary and proportionate and, to the extent such Processing by Processors is permitted by Data Protection Laws and Regulations, to achieve Vendor’s business purposes.

Role: Controller or Processor (as appropriate)

 

Data Importer

Name: the Vendor entity (or entities) as defined under this Addendum.

Address: as identified on the signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum.

Contact person’s name, position and contact details: John Van Arsdale, Data Protection Officer of the Diligent group of companies, privacy@diligent.com

Activities relevant to the data transferred under Module 2 of the Transfer Clauses:

With respect to Module 2 of the Transfer Clauses, Vendor shall Process Personal Data as necessary to perform the Services pursuant to the Agreement and this Addendum, and as further instructed by Client in writing in its use of the Services, specifically including Processing as reasonably necessary and proportionate and, to the extent such Processing by Processors is permitted by Data Protection Laws and Regulations, to achieve Vendor’s business purposes.

Role: Processor

 

B. Description of the Transfer and Processing

 

Categories of Data Subjects whose personal data is transferred or otherwise processed

Client may submit Personal Data to the Vendor, the extent of which is determined and controlled by the Client in its discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects: Client’s customers, business partners and vendors of Client, employees, directors, officers, contact persons, and Users authorized to use the Vendor services. 

Categories of personal data transferred or otherwise processed

 

The Client may submit Personal Data in the course of using the Services, the extent of which is determined and controlled by the Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data: Name; home address; photograph; professional email address; professional telephone number (including mobile telephone number); personal email address; personal telephone number (including mobile telephone number); data related to transactions including transactions' purposes; tax ID; government identification number; customer numbers; complaints; bank account details; marketing preferences; IP address; cookie data; login credentials (username and password); traffic data including web logs; images.  

 

Special categories of data/Sensitive data transferred (if applicable)

The Client may, subject to any restrictions set forth in the Agreement, submit special categories of data to the Vendor, the extent of which is determined and controlled by the Client in its sole discretion, and which for the sake of clarity is Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or sex life or sexual orientation. In any event, any such Personal Data may only be submitted as Client Data. Vendor personnel shall avoid accessing any such Personal Data except where Client specifically elects to provide such Personal Data to Vendor.

 

Frequency of the Transfer

The Personal Data will be transferred on a continuous basis for the Term unless otherwise specifically agreed elsewhere between Client and Vendor.

 

Nature of the Processing

Vendor will Process Personal Data as necessary to perform the Services pursuant to the Agreement and this Addendum on behalf of the Client, and as further instructed by Client in writing in its use of the Services, specifically including Processing as reasonably necessary and proportionate and, to the extent such Processing by Processors is permitted by Data Protection Laws and Regulations, to achieve Vendor’s business purposes.

Purpose(s) of the Data Transfer and Processing

The purpose of the data transfer and processing is to fulfil the objectives of the Agreement between Vendor and Client, in particular delivery of the Services as contemplated under the Agreement and this Addendum.

 

The Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the Duration as set forth below and as otherwise agreed upon by the Parties or specifically required by applicable law.

 

Subject Matter of the Processing

The subject matter of the Processing is enabling the Client to receive the value of the Services as contemplated under this Addendum and the Agreement, including enabling the Vendor to deliver support, customer success, and the Services, including enabling the security of Services. For the avoidance of doubt, if the Client elects to host Client Data outside the European Union, the Transfer Clauses shall apply to such transfer.

 

Duration

The Personal Data will be Processed by Vendor for the duration of the Services.

 

C. Competent Supervisory Authority

The competent supervisory authority in accordance with Clause 13 of the Transfer Clauses shall be the EU supervisory authority as identified on the signature page to this Addendum and/or as specified by Clause 1.F(2)(h) of the Addendum.

           

SCHEDULE 2 

Technical and organisational measures

This Schedule forms part of the Addendum and serves as Annex II to the Transfer Clauses.

Description of the technical and organisational measures implemented and maintained by the Vendor (or document/legislation attached):

Vendor will maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data, including those measures specified in the Agreement.

Vendor’s relevant security Documentation as applicable to the Services, including audit reports and/or security test reports where applicable, is available upon request.

Vendor provides Client with access to the Personal Data which have been provided by Client to enable Client to comply with its obligations to Data Subjects exercising their rights under Data Protection Laws. Vendor shall refer such Data Subjects to Client and shall also, at the request of Client, use its reasonable endeavors to either (a) amend, correct, delete, add to, cease using or restrict the use of Personal Data relating to such Data Subjects to ensure that their Personal Data are accurate and complete or (b) provide the Client with the ability to directly amend, correct, delete, add to, cease using or restrict the use of Personal Data relating to such Data Subjects through the Services.

 

             

SCHEDULE 3

 

Details of the processing activities

This Schedule serves as Annex I to Module 1 of the Transfer Clauses where applicable.

A. List of Parties

 

Data Exporter

Name: the Vendor entity (or entities) as defined under this Addendum.

Address: as identified on the signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum.

Contact person’s name, position and contact details: John Van Arsdale, Data Protection Officer of the Diligent group of companies, privacy@diligent.com

Activities relevant to the data transferred under Module 1 of the Transfer Clauses:

With respect to Module 1 of the Transfer Clauses, Vendor shall provide Personal Data as necessary to perform the Services pursuant to the Agreement and this Addendum where such Services include the delivery of Content to the Client.

Role: Controller

 

 

Data Importer

Name: the Client entity as identified on the signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum.

Address: as identified on the signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum.

Contact person’s name, position and contact details: as identified on this signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum.

Activities relevant to the data transferred under Module 2 of the Transfer Clauses:

Client shall receive Personal Data in the course of receiving Services pursuant to the Agreement and this Addendum where such Services include the delivery of Content to the Client.

Role: Controller

 

B. Description of the Transfer and Processing

 

Categories of data subjects whose personal data is transferred

The personal data transferred concern the following categories of Data Subjects:

corporate directors, officers, and employees, as well as others whose activities in each case are a matter of public interest in relation to corporate governance, risk management, and compliance.

 

 

Categories of personal data transferred

The personal data transferred concern personal data which may include (without limitation):

name; job title and level; date of birth; employer; departments; work location; age; gender; remuneration; shareholdings; corporate directorships and tenure; nationality; education (qualification/degree, major, honors, duration); sectoral experience; disciplinary history; peer associations; appearances in publications; photograph.

 

 

Special categories of data/Sensitive data transferred (if applicable)

None anticipated.

 

Frequency of the Transfer

The Personal Data will be transferred on a continuous basis for the Term unless otherwise specifically agreed elsewhere between Client and Vendor.

 

Nature of the Processing

Personal Data shall be transferred to Client by Vendor in the course of Client receiving certain Content as part of the Services where Client has subscribed to such Services.

Purpose(s) of the Data Transfer and further Processing

The transfer is made for the following purposes:

to provide certain subscription services involving the delivery of Content that may contain personal data of public interest, including reference data and benchmarking related to corporate governance, compensation, and company well-being, as well as curated news content, to Client.

 

The Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the Term of the subscription to the relevant services and as otherwise agreed upon by the Parties or specifically required by applicable law. Each of Vendor and Client shall be required to follow its own data retention policies, which shall at all times comply with the requirements of applicable law.

 

C. Competent Supervisory Authority

The competent supervisory authority in accordance with Clause 13 of the Transfer Clauses shall be the Data Protection Commissioner of the Republic of Ireland.

             

SCHEDULE 4

 

Details of the processing activities

This Schedule serves as Annex I to Module 4 of the Transfer Clauses where applicable.

A. List of Parties

 

Data Exporter

Name: the Vendor entity (or entities) as defined under this Addendum.

Address: as identified on the signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum.

Contact person’s name, position and contact details: John Van Arsdale, Data Protection Officer of the Diligent group of companies, privacy@diligent.com

Activities relevant to the data transferred under Module 4 of the Transfer Clauses:

With respect to Module 4 of the Transfer Clauses, Vendor shall Process Personal Data as necessary to perform the Services pursuant to the Agreement and this Addendum, and as further instructed by Client in writing in its use of the Services, specifically including Processing as reasonably necessary and proportionate and, to the extent such Processing by Processors is permitted by Data Protection Laws and Regulations, to achieve Vendor’s business purposes.

Role: Processor

 

Data Importer

Name: the Client entity as identified on the signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum.

Address: as identified on the signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum. 

Contact person’s name, position and contact details: as identified on this signature page to this Addendum or in the Agreement that explicitly incorporates this Addendum.

Activities relevant to the data transferred under Module 4 of the Transfer Clauses:

Client shall provide and subsequently receive Personal Data from the Vendor in the course of receiving Services pursuant to the Agreement and this Addendum where such Services involve the Processing of Personal Data by the Processor.

Role: Controller

 

B. Description of the Transfer and Processing

 

Categories of Data Subjects whose personal data is transferred or otherwise processed

Client may submit Personal Data to the Vendor, the extent of which is determined and controlled by the Client in its discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects: Client’s customers, business partners and vendors of Client, employees, directors, officers, contact persons, and Users authorized to use the Vendor services. 

Categories of personal data transferred or otherwise processed

The Client may submit Personal Data in the course of using the Services, the extent of which is determined and controlled by the Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data: Name; home address; photograph; professional email address; professional telephone number (including mobile telephone number); personal email address; personal telephone number (including mobile telephone number); data related to transactions including transactions' purposes; tax ID; government identification number; customer numbers; complaints; bank account details; marketing preferences; IP address; cookie data; login credentials (username and password); traffic data including web logs; images.  

 

Special categories of data/Sensitive data transferred (if applicable)

The Client may, subject to any restrictions set forth in the Agreement, submit special categories of data to the Vendor, the extent of which is determined and controlled by the Client in its sole discretion, and which for the sake of clarity is Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or sex life or sexual orientation. In any event, any such Personal Data may only be submitted as Client Data. Vendor personnel shall avoid accessing any such Personal Data except where Client specifically elects to provide such Personal Data to Vendor.

 

Frequency of the Transfer

The Personal Data will be transferred on a continuous basis for the Term unless otherwise specifically agreed elsewhere between Client and Vendor.

 

Nature of the Processing

Vendor will Process Personal Data as necessary to perform the Services pursuant to the Agreement and this Addendum on behalf of the Client, and as further instructed by Client in writing in its use of the Services, specifically including Processing as reasonably necessary and proportionate and, to the extent such Processing by Processors is permitted by Data Protection Laws and Regulations, to achieve Vendor’s business purposes.

Purpose(s) of the Data Transfer and further Processing

The transfer is made for the following purposes:

to provide certain subscription services to the Client, including where Client may upload Client Data to Diligent’s software-as-a-service offerings (which may be hosted within the European Economic Area) and Client then subsequently accesses, exports or otherwise processes the Client Data.

 

The Period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For the Term of the subscription to the relevant services and as otherwise agreed upon by the Parties or specifically required by applicable law. Each of Vendor and Client shall be required to follow its own data retention policies, which shall at all times comply with the requirements of applicable law.

 

Subject Matter of the Processing

The subject matter of the Processing is enabling the Client to receive the value of the Services as contemplated under this Addendum and the Agreement, including enabling the Vendor to deliver support, customer success, and the Services, including enabling the security of Services.

 

Duration

The Personal Data will be Processed by Vendor for the duration of the Services.