Personal Data Processing Terms
April 25, 2021
1. Definitions and Interpretation
1.1. In this Agreement the following words shall have the following meanings:
“Data Protection Legislation” means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including EU/UK Data Protection Law;
"EU/UK Data Protection Law" means (i) the General Data Protection Regulation (Regulation (EU) 2016/679), ("GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
“Personal Data Breach” means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data;
“personal data”, “data subject”, “controller”, “processor” and “process” shall be interpreted in accordance with applicable EU/UKData Protection Legislation;
"Restricted Transfer" means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country outside the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018;
“Standard Contractual Clauses”means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs"). ;
“Supplier Agreements” means all agreements between Supplier and DataStax, Inc. (or its subsidiaries) existing from time to time under which Supplier provides any forms of software, personnel, goods and/or services to DataStax; and
1.2. Any reference to “includes” or “including” shall be construed without limitation.
2. Data Processing
2.1. The terms of this Agreement are applicable to all Supplier Agreements and set out the subject-matter and duration of the processing of DataStax personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects.
2.2 The parties agree that the detail of the data processing is set out in the DataStax Personal Data Processing Addendum as completed and executed by the Supplier, and which is incorporated by reference and forms part of this Agreement.
2.3. The parties shall amend this Agreement from time to time by written agreement.
3. Data Processing Requirements
3.1. Each party shall comply with its respective obligations under applicable Data Protection Legislation.
3.2. Supplier shall:
3.2.1 process DataStax personal data only in accordance with DataStax’s documented instructions, which instructions, where DataStax is a processor, shall reflect the instructions of its controller. Except to the extent Supplier is otherwise required by applicable law and provided that, unless prohibited by applicable law, Supplier shall notify DataStax of such requirement before such processing;
3.2.2. not process or transfer DataStax Personal Data outside the European Economic Area or UK without DataStax’s prior written consent (and if such consent has been obtained, Supplier shall comply with section 6 of this Agreement);
3.2.3. ensure that all individuals engaged in the processing of DataStax personal data under the Supplier Agreements are subject to strict obligations of confidentiality, non-disclosure and non-use in respect of such personal data for the duration of their processing of DataStax personal data; and
3.2.4. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved in processing DataStax personal data pursuant to the Supplier Agreements and in accordance with good industry practice.
3.3. Without prejudice to the other obligations in the Supplier Agreements, Supplier shall implement the security measures identified in this Agreement and more specifically as identified at Part B of the DataStax Personal Data Processing Addendum for the processing of DataStax personal data.
4. Notifications and Assistance
4.1. If any data subject exercises its rights under applicable Data Protection Legislation against DataStax (or, where DataStax is a processor, its controller) that is connected to data processed under the Supplier Agreements, Supplier shall at no cost to DataStax:
4.1.1. provide all necessary information relating to the circumstances of the exercise of rights required by DataStax; and
4.1.2. assist DataStax in fulfilling DataStax's obligations as controller (or, where DataStax is a processor, its controller's obligations) following written request from DataStax.
4.2. If Supplier becomes aware of any potential, threatened or actual Personal Data Breach that may affect DataStax personal data in any way, it shall:
4.2.1. immediately notify DataStax (who, where DataStax is a processor, shall in turn inform its controller);
4.2.2. provide all necessary information relating to the circumstances of the Personal Data Breach required by DataStax; and
4.2.3. assist DataStax, as directed by DataStax, in connection with any required notification to the applicable Supervisory Authority and, where applicable, data subjects, taking into account the nature of processing and the information available to Supplier.
5. Supplemental Data Processing Requirements
5.1. Supplier may only engage other processors (“Sub Processors”) for the processing of DataStax personal data in accordance with the terms of the Supplier Agreements and which are specified in this Agreement (or which are otherwise agreed in writing by DataStax from time to time). A list of approved Sub Processors as at the date of this Agreement, is included in Part A of the DataStax Personal Data Processing Addendum. Supplier remains responsible and liable for all acts and omissions of all Sub Processors as if they were its own and Supplier shall ensure that each Sub Processor Supplier enters into an agreement with contains equivalent protections for DataStax personal data as are contained in this Agreement. If Supplier wishes to engage a new Sub Processor, Supplier shall provide at least 30 days prior notice before the new Sub Processor begins processing any DataStax personal data. If DataStax refuses to consent to Supplier's appointment of a third party Sub Processor on grounds relating to the protection of DataStax personal data, then either Supplier will not appoint the Sub Processor or DataStax may elect to suspend or terminate this Agreement without penalty.
5.2. If DataStax considers that the processing of personal data performed pursuant to the Supplier Agreements requires a privacy impact assessment to be undertaken, DataStax may inform Supplier in writing and Supplier shall provide all relevant information and assistance to DataStax to facilitate such privacy impact assessment at no additional cost to DataStax.
5.3. If Supplier considers that DataStax instructions relating to processing of DataStax personal data under the Supplier Agreements may infringe Data Protection Legislation, Supplier shall notify DataStax.
5.4. Except to the extent otherwise required by applicable law, following termination or expiry of the Supplier Agreements Supplier shall, at DataStax’s option, delete or return all DataStax personal data and all copies thereof in its possession or control (including any DataStax personal data subcontracted to a third party for processing) to DataStax. This requirement shall not apply to the extent that Supplier is required by any applicable EU (or any EU Member State) or UK law to retain some or all of the DataStax personal data, in which event Supplier shall isolate and protect the DataStax personal data from any further processing except to the extent required by such law until deletion is possible.
5.5. Supplier shall make available all information necessary to demonstrate Supplier’s compliance with this Agreement and shall permit and contribute to any data audits reasonably required by DataStax upon DataStax’s written request.
5.6. If at any time Supplier can no longer comply with the requirements in this Agreement Supplier shall inform DataStax immediately.
6. Restricted Transfers
6.1. If Supplier has secured prior written consent from DataStax in accordance with section 3.2.2, the parties agree that where a transfer of DataStax personal data from DataStax (as "data exporter") to Supplier (as "data importer") is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
6.1.1. In relation to DataStax personal data that is protected by the GDPR, the EU SCCs will apply completed as follows:
(i) Module Two will apply to the extent that DataStax is a controller of the DataStax personal data, and Module Three will apply to the extent that DataStax is a processor of the DataStax personal data on behalf of a third party controller;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 1 will apply, and the time period for prior notice of Sub Processor changes shall be as set out in Clause 5.1 of this Agreement;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Part A of the DataStax Personal Data Processing Addendum;
(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Part B of the DataStax Personal Data Processing Addendum;
(ix) Annex III of the EU SCCs shall be deemed completed with the information set out under "SubProcessor List" contained in the DataStax Personal Data Processing Addendum.
6.1.2. In relation to DataStax personal data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
(i) For so long as it is lawfully permitted to rely on standard contractual clauses for the transfer of personal data to processors set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 (“Prior C2P SCCs”) for transfers of personal data from the United Kingdom, the Prior C2P SCCs shall apply between DataStax which, where DataStax is a processor on behalf of a third party controller, it enters into on behalf of that controller and the Supplier on the following basis:
- Appendix 1 shall be completed with the relevant information set out in Part A of the DataStax Personal Data Processing Addendum;
- Appendix 2 shall be completed with the relevant information set out in Part B of the DataStax Personal Data Processing Addendum; and
- the optional illustrative indemnification Clause will not apply.
- Where sub-clause 6.1.2(i) above does not apply, but DataStax and the Supplier are lawfully permitted to rely on the EU SCCs for transfers of personal data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:
- The EU SCCs, completed as set out above in Clause 6.1.1 of this Agreement shall also apply to transfers of such DataStax personal data, subject to sub-clause (B) below;
- The UK Addendum shall be deemed executed between DataStax and the Supplier, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such DataStax personal data.
- If neither sub-clause 6.1.2(i) or sub-clause 6.1.2(ii) applies, then DataStax and the Supplier shall cooperate in good faith to implement appropriate safeguards for transfers of such DataStax personal data as required or permitted by the UK GDPR without undue delay.
6.1.3. in the event that any provision of this Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
6.1.4. with respect to onward transfers, Supplier shall not participate in (nor permit any Sub Processor to participate in) any other Restricted Transfers of DataStax personal data (where as an exporter or an importer of such data) unless: (i) it has first obtained DataStax's prior written consent, which where DataStax is a processor on behalf a third party controller, shall reflect the controller's instructions; and (ii) the Restricted Transfer is made in full compliance with applicable Data Protection Legislation and pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of DataStax personal data.
7. Miscellaneous
7.1. In the event that there is any conflict or inconsistency between the terms of the Supplier Agreements and the terms of this Agreement, the terms of this Agreement shall prevail.
7.2. DataStax reserves the right to amend this Agreement on written notice to Supplier if required to comply with law relating to the protection or treatment of personal data.
7.3. Failure of either party to enforce rights under this Agreement is not a waiver of such rights and will not operate or be construed to waive any other provision of the Agreement. The rights and remedies herein provided are in addition to those available to either party at law or in equity.
7.4. Each party represents and warrants that it has the full power to enter into this Agreement and to perform its obligations under the Agreement. Additionally, in relation to the collection and provision of any data to DataStax under the Supplier Agreements, Supplier also warrants that: (i) it complies with all applicable laws and regulations when providing the data and services, especially, without limitation all applicable local data protection and marketing laws and/or regulations within the EU (and its member states) and the UK; (ii) during the collection, processing and use of individual personal information, the person to whom the data belongs (the “Data Subject”) has been informed of and consented to: (a) its right to object at no cost to the collection, processing and/or use of its data; (b) the purpose of the collection, processing and/or use of its data; (c) its rights to object at no cost to the use of its data for purposes of canvassing in particular for commercial purposes; and (d) being contacted by DataStax for marketing and other purposes; and (iii) they have the right to grant the licenses and other rights related to the use of personal data, including without limitation to the extent the processing of personal data has been collected through social public networking platforms or other public means.
7.5. Supplier will secure and maintain insurance against general liability and property damage in amounts sufficient to protect DataStax in the event of such liability or damage. Notwithstanding any limitations of liability specified in the Supplier Agreements, Supplier shall defend, indemnify and hold DataStax, its officers, directors, employees, contractors and agents harmless from and against any and all third party claims, demands, losses, damages or expenses, including reasonable attorneys’ fees and court costs (collectively, “Claims”), arising out of or in connection with any failure by Supplier to adhere to the requirements in this Agreement.
7.6. Subject to section 7.7, this Agreement will be construed in accordance with, and all disputes will be governed by, the laws of England and each party irrevocably consents to the exclusive jurisdiction of the courts of England and Wales, except where and to the extent otherwise required by applicable Data Protection Legislation..
7.7. Any dispute arising out of or in connection with this Agreement, including any question regarding its existence, validity or termination, shall be referred to and finally resolved by arbitration under the LCIA Rules, which Rules are deemed to be incorporated by reference into this Agreement. The number of arbitrators shall be one. The seat, or legal place, of arbitration shall be London. The language to be used in the arbitral proceedings shall be English.
7.8. Except as expressly provided herein, no modification of this Agreement will be effective unless contained in writing and signed by an authorized representative of each party. DataStax may make changes to terms located at a URL referenced in this Agreement, including these Personal Data Processing Terms (collectively, the “URL Terms”) from time to time. DataStax will post the amended terms and will update the “Last Updated Date” at the top. By continuing to provide the applicable services and/or products to Datastax after DataStax has provided Supplier with such notice of a change, Supplier is indicating that it agrees to be bound by the modified terms. If the change has a material adverse impact on Supplier and Supplier does not agree to the change, Supplier must notify DataStax within 30 days of the applicable Last Updated Date. If Supplier notifies DataStax as required, then Supplier will remain governed by the terms in effect immediately prior to the change.
7.9. This Agreement is a standalone agreement between the parties that shall not be varied, superseded or extinguished by any ‘entire agreement’ provisions, or any other terms, that appear in the Supplier Agreements. The terms of this Agreement will survive any expiration or termination of the Supplier Agreements.
7.10. The Agreement may not be assigned by either party by operation of law or otherwise, without the prior written consent of the other party, which consent will not be unreasonably withheld.
7.11. If any portion of this Agreement is for any reason found to be invalid, illegal or unenforceable, such portion shall be limited to the minimum extent necessary, and all other provisions shall remain in full force and effect.