Data Protection

Definitions:

“Affiliate”: any entity that directly or indirectly owns or controls, is owned or controlled by, or is under common ownership or common control with EthosData or Customer, as the case may be.
“Applicable Laws”: means (a) European Union law or any laws of a member state of the European Union to which EthosData or any EthosData Affiliate is subject; and (b) any other applicable law to which EthosData or any EthosData Affiliate is subject;
“Contracted Processor”: means EthosData or a Subprocessor;
“Customer”: as set out in the Work Instruction above.
“Customer Personal Data”: means any Personal Data which may be Processed by a Contracted Processor on behalf of the Customer pursuant to or in connection with this Agreement;
“Data Protection Legislation”: means from 25 May 2018, the GDPR, and, to the extent applicable, the local data protection or privacy laws of any other country where EthosData is established and provides Services from pursuant to this Agreement, including the United Kingdom following any exit from the European Union;
“Data Room”: collectively those EthosData URLs, web site contents and features licensed by Customer through which Users may access, process, store and communicate User Files.
“EU”: means the European Union;
“GDPR”: means EU General Data Protection Regulation 2016/679;
“Services”: collectively all EthosData Data Rooms, EthosData web site features, software, application programming interfaces, systems, support, additional services, and all related materials and documentation, provided by or on behalf of EthosData to Customer pursuant to this Agreement.
“Subprocessor”: means any person (excluding an employee of EthosData) appointed by or on behalf of EthosData to Process Personal Data on behalf of any Customer;
“Term”: as set out in subsection 6(a).
“Work Instruction”: the Data Room Instruction set forth above and any written instruction for other or additional Services separately entered into by Customer and EthosData at or after the Contract Date.
“User(s)”: those persons (including without limitation employees and advisors of Customer or any third party) authorized from time to time by Customer or its designated Data Room managers, pursuant to methods directed by EthosData, to access, process, store and/or communicate User Files through Data Rooms. All Users are counted on a per-Data Room basis.
“User File(s)”: any printed, electronic or digital document or information that is uploaded or copied to a Data Room.

(a) The terms “Controller”, “Data Subject”, “member state”, “Personal Data”, “Personal Data Breach”, and “Processing” shall have the same meaning as in the GDPR.

(b) Processing of Customer Personal Data.
(b.1) Customer is the Controller and will comply with all obligations applicable to a Controller pursuant to the Data Protection Legislation. EthosData shall only process Customer Personal Data on the documented instructions of the Customer or their appointed representative (administrator), unless otherwise required by an Applicable Law to which EthosData is subject, in which case EthosData shall inform Customer of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest.
(b.2) For the purpose of section (b.1) the Customer instructs EthosData (and authorises EthosData to instruct each Subprocessor) to Process Customer Personal Data and in particular to transfer Customer Personal Data to, and access Personal Data from, any country or territory, as reasonably necessary to provide the Services and comply with this Agreement. Customer warrants and represents that it is and will at all relevant times remain duly authorised to give this instruction.
(b.3) Annex 1 to this Agreement sets out certain information as required by Article 28(3) of the GDPR, and the Customer warrants it is an accurate reflection of the Processing activities pursuant to this Agreement.

(c) Personnel. EthosData will ensure that all employees or contractors of any Contracted Processor who have access to Customer Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

(d) Security. During the Term, EthosData will implement appropriate technical and organisational measures, taking into account the measures required by Article 32 of the GDPR, which measures may be updated by EthosData from time to time provided that such updates shall not [materially] decrease the protection of Personal Data for Data Subjects. The Customer may implement its own additional measures, for example applying encryption before the data is transferred to any Contracted Processor (“Customer Security Measures”), provided always that no Contracted Processor shall be required to change any of its measures.
(d.3) The Customer warrants that on the date of this Agreement, all Customer Personal Data provided to any Contracted Processor has been collected and Processed by the Customer in accordance with all Applicable Laws and the Customer has ensured that there is and there will continue to be a lawful basis for the Contracted Processors to Process such Personal Data.

(e) Subprocessing.
(e.1) Customer authorises EthosData to appoint (and permit each Subprocessor to appoint) Subprocessors in accordance with this Agreement and any restrictions in this Agreement.
(e.2) Customer specifically authorises EthosData to permit any of its Affiliates to process Personal Data. Further, as at the date of the agreement, the Customer generally authorises the subprocessors listed on EthosData’s sub-contracting webpage at [https://blog.ethosdata.com/dataroom-blog/subprocessors/] (“Subprocessor List”) to Process Customer Personal Data as required to provide the Services, subject to EthosData in each case, as soon as practicable, meeting the obligations set out in section (e.4) (in each case, an “Authorised Sub-Processor”).
(e.3) Provided the Customer has enrolled to receive automatic notifications of any updates to the Subprocessor List, EthosData shall ensure the Customer receives a notification of any updates to the list as soon as reasonably practicable of any intended changes concerning the addition or replacement of any of the Authorised Sub-Processors, save for any Affiliates, that will Process any Customer Personal Data (“New Sub-Processor”). If, within [14] calendar days of receipt of that notice, Customer notifies EthosData in writing of any objections (on reasonable grounds) to the proposed appointment of a New Sub-Processor, the parties will endeavour to agree (acting reasonably) the commercially reasonable steps to be taken to ensure that the New Subprocessor in question is compliant with Article 28(4) of the GDPR. Where the Customer considers, acting reasonably, that the risks involved with the subprocessing are still unacceptable in the context of Article 28(4), within 30 calendar days following the proposal in relation to the appropriate steps, the parties shall promptly seek to resolve the issues. Where the parties are unable to resolve the issues within such timeframe, Customer’s sole remedy will be to terminate this Agreement.
(e.4) With respect to each Subprocessor, EthosData shall: (i) ensure that the arrangement between EthosData and the Subprocessor is governed by terms and conditions or a service agreement which [are the same] OR [offers no less protection for Customer Personal Data] as those terms set out in this Agreement and (ii) if that arrangement involves the transfer of Personal Data to a country outside of the European Union that has not been determined to ensure an adequate level of protection for Personal Data, at EthosData’s discretion: either (a) ensure that an appropriate data transfer safeguard is in place in compliance with Chapter IV of the GDPR, including certification with the privacy shield framework, or (b) where required to ensure compliance with Data Protection Legislation, use commercially reasonable endeavours to procure that the Subprocessor enters into standard contractual clauses approved by the European Commission directly with the relevant Customer.

(f) Data Subject Rights.
(f.1) Customer shall, in the first instance, comply with requests received from any Data Subjects to exercise their rights pursuant to Chapter III of the GDPR by itself accessing the Customer Personal Data held on EthosData’s website platform.
(f.2) Subject to section (f.1) and taking into account the nature of the Processing, EthosData shall assist Customer, at the Customer’s cost, to comply with requests to exercise Data Subject rights under the Data Protection Legislation by notifying the Customer without undue delay if any Contracted Processor receives a formal request directly from a Data Subject to exercise any of its rights under Chapter III of any Data Protection Legislation in respect of Customer Personal Data.

(g) Personal Data Breach.
(g.1) EthosData shall notify the Customer without undue delay, [and in any event within 72 hours], upon EthosData becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with information (as and when available) to assist the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Legislation.
(g.2) EthosData shall, at the Customer’s cost, co-operate with the Customer and take such reasonable commercial steps as are reasonably instructed by the Customer to assist in the investigation of each such Personal Data Breach.

(h) Data Protection Impact Assessment and Prior Consultation. Where the Services involve high risk Processing of Personal Data, EthosData shall, at the Customer’s cost, provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities, which are required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

(i) Deletion or Return of Customer Personal Data. Subject to the requirements of any applicable exit plan in this Agreement, EthosData shall either return or delete and procure the deletion of all Customer Personal Data held by EthosData upon termination of this Agreement and following cessation of any Services involving the Processing of Customer Personal Data. Each Contracted Processor may retain Customer Personal Data to the extent and for such period as required by Applicable Laws (and for clarity, it is acknowledged that EthosData may retain troubleshooting/service desk ticket information in an anonymised and aggregate manner).

(h) Audit Rights
(h.1) Subject to section (h.2) and (h.3), EthosData shall make available to Customer on reasonable request such information reasonably necessary to demonstrate compliance with Article 28(3) of the GDPR, but in any event EthosData is not obliged to provide permanent copies of such information (and, at EthosData’s discretion, EthosData may instead invite the Customer to attend on-site subject to supervision and a commitment to comply with reasonable security and confidentiality controls). In particular, EthosData shall inform Customer if, in its reasonable opinion, an instruction provided by the Customer pursuant to section (b.2) infringes the GDPR or any other Data Protection Legislation, save that EthosData shall not be obliged to conduct any legal review or analysis and in such instance, EthosData shall not be required to comply with such unlawful instruction until the Customer varies its instruction to ensure legal compliance.
(h.2) Where applicable, if the Customer is not otherwise satisfied by its audit rights pursuant to this Agreement, EthosData shall, at the Customer’s cost, allow for audits by an auditor mandated by Customer (subject to section (h.3) and to such auditor being subject to written confidentiality obligations in relation to such information) in relation to the Processing of the Customer Personal Data, provided that: (i) Customer shall give EthosData reasonable notice of any audit or inspection to be conducted; (ii) Customer shall take reasonable steps (and shall procure that each of its mandated auditors takes reasonable steps) to minimise the disruption to the Contracted Processors’ business in the course of such an audit or inspection, and such audits or inspections shall be conducted during normal working hours; and (iii) a Contracted Processor need not contribute to or allow for an inspection or audit more than once in any calendar year, except for any audit or inspection mandated by a regulator.
(h.3) EthosData may object in writing to an auditor mandated by the Customer if the auditor is, in EthosData’s reasonable opinion, not suitably qualified or independent, a competitor of EthosData, or otherwise unsuitable. In the event of such an objection, the Customer shall appoint another auditor or conduct the audit itself.

(i) Transfers. Customer and each Customer Affiliate (as “data exporter”) and EthosData on behalf of each Contracted Processor established outside the European Union (as “data importer”) with effect from the commencement of the relevant transfer hereby enter into the Processor EU Model Clauses in respect of any transfer (or onward transfer) where such transfer would otherwise be prohibited by Data Protection Legislation. Appendix 1 to the Processor EU Model Clauses shall be deemed to be prepopulated with the relevant sections of Annex 1 to this Agreement and the processing operations are deemed to be those described in this Agreement. Appendix 2 to the Processor EU Model Clauses shall be deemed to be prepopulated with the following “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood for the rights and freedoms of natural persons, each Contracted Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate the controls described in Article 32(1) of GDPR.”

(j) Costs. EthosData shall provide assistance pursuant to this Agreement upon reasonable prior written notice during normal working hours. Any effort beyond [two (2)] man days’ effort per annum (or its equivalent in hours) shall be at the Customer’s cost as per EthosData’s then current standard rate card.


ANNEX 1: DETAILS OF PROCESSING

This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Customer Personal Data. The subject matter is set out in this Agreement. The Customer Personal Data will be Processed for the duration of the Term plus the period from expiry until deletion in accordance with this Agreement.
The nature and purpose of the Processing of Customer Personal Data. The purpose of the processing is to allow Customer to utilize the Services for its operations. In particular, the Personal Data will be subject to the following basic processing operations, such as: use to set up, operate, monitor and provide the Services (including operational and technical support), data back-ups, fixes or upgrades, execution of Customer instructions and to ensure customer service of improvements in the platform.
The types of Customer Personal Data to be Processed. Data relating to individuals provided via the Services, by (or at the direction of) Customer or by end users, including name, email address and job details, and any other information uploaded by a Customer including name, address, phone number, email address and employment data. Information will also be collected automatically when a Customer or end user logs on to the platform, including IP address, MAC address, website cookies, location data, log files and browser details.
Special Categories of Personal Data to be Processed. May reside in the files uploaded on the dataroom by the Customer, including information related to health of an individual. Such data will be stored on the dataroom but will not be accessed by EthosData.
The categories of Data Subject to whom the Customer Personal Data relates. Data subjects include the individuals about whom data is provided via the Services by (or at the direction of) Customer or by Customer end users.
The obligations and rights of Customer and Customer Affiliates. The obligations and rights of Customer and Customer Affiliates are set out in this Agreement. In addition, the Data Controller agrees and declares as follows: (a) it is solely responsible for the accuracy of personal data and the means by which such personal data are acquired, and the processing by the Data Controller, including instructing processing by EthosData, is and will be in accordance with the relevant provisions of the applicable data protection law, particularly with respect to the security, protection and disclosure of personal data; (b) if processing by the data processor involves any “special” or “sensitive” categories of personal data (as defined under the applicable data protection law), the Data Controller warrants that it has collected such personal data in accordance with applicable data protection law; (c) the Data Controller will inform the data subjects (i) about its use of data processors to process their personal data, including the data processor, and (ii) that their personal data may be processed outside of the EU.