Data Processing Terms

ANNEX 2 DATA PROCESSING AGREEMENT

1.     DEFINITIONS AND CONSTRUCTION

1.1.   Definitions

 

Agreement” means this data processor Agreement including the Schedules, as amended from time to time.

 

“Assa Abloy” means [Assa Abloy contracting entity]

 

Business Day” means a day (other than a Saturday or Sunday or public holiday) on which commercial banks are open for general banking business in the jurisdiction where the Customer is incorporated, other than for Internet banking services only;

 

EU Model Clause Agreement” means the relevant EU model clauses for the transfer of personal data to third countries;

 

EU Personal Data Legislation” means (i) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) (ii) local legislations remaining in force after 25th May 2018, and (iii) any local legislations where additional regulatory requirements to the GDPR are implemented and any amendments made thereto;

 

Master Agreement” means as the Agreement defining the commercial relationship between the parties and further described in Schedule 1;

 

Party”/”Parties” means the Customer and Assa Abloy separately, or jointly, as the case may be;

 

Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed by Supplier, or a subcontractor, in the performance of services.

 

Project” means as described in Error! Reference source not found. and implemented by the Customer (including all associated services provided by Assa Abloy, from time to time);

 

Purpose” means as described in Error! Reference source not found.;

 

Regulatory Requirements” means the EU Personal Data Legislation , such legislation as may replace the aforementioned legislation from time to time, such local legal requirements specified by the local jurisdiction (and in case of discrepancies or contradictions between different rules or regulations, the one which provides the highest degree of privacy and/or information security shall apply) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of practice applicable to Assa Abloy's provision of the services;

 

Supervisory Authority” means any court, regulatory agency or authority which, according to applicable laws and/or regulations (including the Regulatory Requirements), supervises privacy issues and/or the processing of personal data.

 

1.2.   Construction

 

Non-capitalised terms and expressions used in this Agreement, e.g. “data subject”, “controller”, “personal data”, “processing”, “processor”, “third country” etc., shall be construed in accordance with the meaning given to them in the EU Personal Data Legislation. The personal data processed by Supplier in its provision of the services is limited to the personal data transmitted by Customer, or on its behalf, or by end users, directly into the infrastructure where the service is hosted. The personal data types that may be used to perform the service are those specifically set forth in Schedule 1.

 

2.     SPECIAL UNDERTAKINGS OF THE PARTIES

 

2.1.   Roles, ownership of personal data, processing and purpose

 

2.1.1. The Customer shall be considered the controller of the personal data processed on its behalf and in accordance with its instructions, and Assa Abloy shall be considered a processor of the personal data processed on behalf of the Customer.

 

2.1.2. The Supplier may only process the Customer’s personal data for the Purpose and to the extent it is necessary for the fulfilment of Assa Abloy’s obligations under this Agreement or the Master Agreement. In the event that Assa Abloy infringes the Regulatory Requirements by determining the purposes and means of processing (e.g. by processing the personal data in violation of the Purpose), the processor will be regarded as the controller in respect of that processing and shall be fully liable as the controller for such processing under the Regulatory Requirements including in relation to any sanctions under the said provisions.

 

2.1.3. The Supplier acknowledges that, between the Parties, all rights, title and interest in the personal data processed as a result of this Agreement is vested solely in the Customer, irrespective of whether and to what extent Assa Abloy is considered to be a controller of the personal data.

 

2.2.   Special undertakings of the Customer

 

The Customer, undertakes to:

 

(a)      Ensure that there is a legal ground for processing the personal data covered by this Agreement;

 

(b)      Inform Assa Abloy about any erroneous, rectified, updated or deleted personal data subject to Assa Abloy’s processing.

 

(c)      To maintain any registration required by EU Personal Data Legislation.

 

Customer represents and warrants that the personal data it provides to Supplier for processing can be processed lawfully (e.g., lawful collection, compliance with obligation to inform, and compliance with the applicable data privacy law) and for the purpose of providing the services. Customer shall not, by any act or omission, put Supplier or its subcontractors in breach of any data privacy laws in connection with the processing of personal data. Customer shall ensure that personal data is accurate, adequate and complete. Additionally, if required, Customer warrants that it will provide all appropriate notices to end users and has obtained all appropriate consents to transfer personal data to Supplier, or to allow Supplier to lawfully collect personal data directly from end users, and allow its processing as necessary to provide the services in accordance with this Agreement.

 

2.3.   Special undertakings of Assa Abloy

 

Supplier undertakes to:

 

(a)     Only process personal data in accordance with Regulatory Requirements and the Customer’s documented instructions, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Regulatory Requirements; in such a case, Assa Abloy shall inform the Customer of that legal requirement before processing the personal data, unless such information is prohibited by the Regulatory Requirements on important grounds of public interest.

 

(b)     Ensure that only such employees (of Assa Abloy or its subcontractors) which must have access to the personal data in order to meet Assa Abloy’s obligations under this Agreement have received appropriate training and instructions regarding processing of personal data as well as committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

 

(c)      Taking into account the nature of the processing, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (and as a minimum the security measures further described in Error! Reference source not found.) and assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject’s rights laid down in the EU Personal Data Legislation;

 

(d)     Assist the Customer in ensuring compliance with the obligations pursuant to GDPR, Articles 33 to 36 (e.g. assisting the Customer in case of Personal Data Breach, when conducting data protection impact assessments and prior consultations);

 

(e)     On termination or expiry of this Agreement, at the Customer's request, delete or return to the Customer all copies of personal data processed on behalf of the Customer, except where necessary to retain such personal data strictly for the purposes of compliance with law;

 

(f)       Make available to the Customer all documents and information necessary to demonstrate compliance with the obligations laid down in this Agreement and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by it, in accordance with Clause 4; and

 

(g)     Otherwise comply with the Regulatory Requirements in its daily business.

 

3.     SUBCONTRACTORS

 

3.1.   Should Assa Abloy wish to engage a subcontractor, it shall obtain the Customer’s prior written approval, which shall not be unreasonably withheld or delayed. For the avoidance of doubt, the Customer fully and explicitly consent to the use of the subcontractors with whom Assa Abloy has Agreements in place at the time this Agreement enters into force. The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of other subcontractors, thereby giving the Customer the opportunity to object to such changes.

3.2.   The appointment of any subcontractor is subject to the subcontractor being bound by a written contract which states that it must adhere to substantially the same data protection and privacy as Assa Abloy under this Agreement. Upon request, the Customer shall be entitled a copy of the contract between Assa Abloy and the subcontractor.

 

3.3.   [INTENTIONALLY OMITTED]

 

3.4.   The Customer may decide that a subcontractor shall no longer be involved in the processing of personal data on behalf of the Customer if (i) the Customer can give reasonable grounds as to why it

 

considers the subcontractor’s performance to be materially deficient, or (ii) the Customer reasonably determines that the subcontractor is, or will be, unable to effectively perform its responsibilities in accordance with this Agreement. If the Customer makes such a decision, Assa Abloy shall either (i) remove such subcontractor as promptly as is reasonably possible; and (ii) permit Customer to terminate its use of the impacted services, without penalty.

 

3.5.   The Supplier shall remain responsible for all obligations performed and any omission to perform or comply with the provisions under this Agreement by subcontractors to the same extent as if such obligations were performed or omitted by Assa Abloy. The Supplier shall also remain the Customer’s sole point of contact.

 

4.     AUDIT RIGHTS AND LOCATIONS

 

4.1.   The Customer or an auditor of Customer's choice, or a Supervisory Authority shall have the right to perform audits of Assa Abloy’s processing of the Customer’s personal data (including such processing as may be carried out by Assa Abloy’s subcontractors, if any) in order to verify Assa Abloy’s, and any subcontractor’s, compliance with this Agreement.

 

4.2.   The Supplier will, during normal business hours and upon reasonable notice (whereby a notice period of thirty (30) Business Days shall always be deemed reasonable), provide to the Customer personnel or its hired consultants, its internal or external auditors, inspectors, and regulators reasonable access to the parts of facilities where Assa Abloy is carrying out processing activities, to personnel, and to all data and records (including tools and procedures) relating to the processing. The Customer’s auditors and other representatives shall comply with Assa Abloy’s reasonable work rules, security requirements and standards when conducting site visits.

 

If any Supervisory Authority:

 

(h)     contacts Assa Abloy with respect to its systems or any processing of personal data carried out by Assa Abloy,

 

(i)        (ii) conducts, or gives notice of its intent to conduct, an inspection of Assa Abloy with respect to the processing of personal data, or

 

(j)        (iii) takes, or gives notice of its intent to take, any other regulatory action alleging improper or inadequate practices with respect to any processing of personal data carried out by Assa Abloy, then Assa Abloy shall subject to any restrictions imposed by the Supervisory Authority, immediately notify the Customer shall subsequently supply the Customer with all information pertinent thereto to the extent permissible by law. Notwithstanding the aforesaid, any Supervisory Authority shall always have direct and unrestricted access to Assa Abloy’s premises, data processing equipment and documentation in order to investigate that Assa Abloy’s processing of the personal data is performed in accordance with the Regulatory Requirements.

 

4.3.   The Supplier shall at all times keep a comprehensive and up to date record of where the IT system(s) used to process personal data on behalf of the Customer is located. For the avoidance of doubt, this shall include the locations of any IT systems belonging to any subcontractor(s). Upon request, Assa Abloy shall promptly provide the Customer with a copy of the record.

 

4.4.   The Customer shall have the right to perform an audit of Assa Abloy’s processing of the Customer’s personal data (including such processing as may be carried out by Assa Abloy’s subcontractors, if any) without prior notice to Assa Abloy where the Customer has the knowledge that a breach involving the Customer’s personal data has been caused by Assa Abloy or Assa Abloy’s subcontractor. Where the audit demonstrates that Assa Abloy or Assa Abloy’s subcontractor has caused the breach, the cost of remediation and the cost of the audit will be met by Assa Abloy.

 

4.5.   Other than as described in Clause 4.5, each Party shall bear its own costs for audits set out herein except where the audit reveals non-compliance with this Agreement or the Regulatory Requirements, in which case Assa Abloy shall bear all costs of the audit.

 

4.6.   The supplier will use reasonable endeavours to enable the customer to perform a physical audit of subcontractor facilities in so far as the supplier is able to do so.

 

5.     INTERNATIONAL PERSONAL DATA TRANSFERS

 

5.1.   With respect to personal data originating from, or processed on behalf of, the Customer within EU/EEA and transferred to Assa Abloy’s subcontractors within the EU/EEA, what is set out in Clause 3 regarding subcontractors shall apply.

 

5.2.   With respect to personal data originating from, or processed on behalf of, the Customer within EU/EEA, but accessed or otherwise processed by Assa Abloy or a subcontractor in jurisdictions outside the EU/EEA (including through the use of cloud based IT solutions) Assa Abloy undertakes that no such transfer of the Customer’s personal data will take place without the prior written Agreement of the Customer and subject to having entered into the EU Model Clause Agreement either between Assa Abloy and the Customer and/or the Customer and the subcontractor. The Parties agree that any disputes arising under an EU Model Clause Agreement shall be treated as if they had arisen under this Agreement.

 

5.3.   Clause 5.2 shall not apply if (i) the jurisdiction in which Assa Abloy or subcontractor is established has been deemed by the European Union as a jurisdiction with adequate protection for personal data or

(ii) if Assa Abloy, and/or its subcontractors located in the U.S. has joined and continues to participate in Privacy Shield. In which case Assa Abloy undertakes to promptly inform the Customer if it is reliant on the provisions of this Clause 5.3 for any processing or sub-processing or if Assa Abloy and/or its subcontractors within the U.S. no longer would be eligible for transfers under the Privacy Shield. Should the European Union subsequently deem Privacy Shield as being inadequate for the transfer of personal data to the U.S. Assa Abloy agrees to replace reliance on Privacy Shield with whichever mechanism the Customer proposes as a replacement, such as the EU Model Clause Agreement.

 

6.     REMUNERATION

 

6.1.   The Supplier shall not be entitled to additional remuneration based on this Agreement.

 

7.     TERM AND TERMINATION

 

7.1.   This Agreement shall enter into force on the Effective Date and may be terminated by the Customer giving thirty (30) days written notice, unless terminated earlier due to a material breach of the terms of this Agreement, in which case this Agreement shall be terminated with immediate effect if the other Party fails to cure such breach in a satisfactory manner within fifteen (15) days after the other Party’s written demand thereof.

 

7.2.   On termination of this Agreement for any reason, Assa Abloy shall cease to process the personal data processed on behalf of the Customer and shall arrange for the prompt and safe return to the Customer (or its nominated third party) in a common readable format agreed by the parties, or destruction, at the Customer’s sole option, of all such personal data together with all copies in its possession or control unless storage of the personal data is required under the Regulatory Requirements. The Customer may require Assa Abloy to promptly confirm in writing to the Customer that Assa Abloy has returned or destroyed all copies of such personal data.

 

8.     LIABILITY AND INDEMNIFICATION

 

8.1.   Each Party shall indemnify and hold the other Party harmless from and against all losses due to claims from third parties including government/authority fines and penalties resulting from, arising out of or relating to any breach by such first-mentioned Party of this Agreement.

 

8.2.   Any loss suffered by a Party resulting from, arising out of or relating to a breach of this Agreement by the other Party that is not due to claims from third parties under Clause 8.1 shall be governed by the provisions regarding liability and limitation of liability in the Master Agreement.

 

9.     NOTICES

 

9.1.   All notices to a Party under this Agreement shall be in writing and sent to its address as set forth at the beginning of this Agreement or in the Accession Notice (as applicable), or to such other address as such Party has provided the other in writing for such purpose. Notices may be sent by post, courier, fax or email.

 

9.2.   Notices shall be deemed to have been duly given (i) on the day of delivery when delivered in person or by courier, (ii) three (3) Business Days after the day when the notice was sent when sent by post, and (iii) on the day when the receiver has manually confirmed that it is received when sent per fax or email.

 

10.   MISCELLANEOUS

 

10.1.              Neither Party may assign its rights or obligations under this Agreement without the prior written consent of the other Party.

 

10.2.              This Agreement sets forth and constitutes the entire Agreement and understanding between the Parties with respect to the subject matter hereof and all prior Agreements, understandings or promises with respect thereto are superseded hereby. For the avoidance of doubt, in the event of any inconsistencies between the provisions of this Agreement and any other Agreement between the Parties, the terms of this Agreement shall prevail with respect to the data protection obligations of the Parties, including the liability and indemnification regime set out in Clause 8 of this Agreement.

 

10.3.              No amendment, modification, release or discharge of this Agreement shall be binding upon the Parties unless in writing and duly executed by authorised representatives of the Parties.

 

11.   GOVERNING LAW AND DISPUTES

 

Provisions regarding governing law and disputes are set forth in the Master Agreement, or in the absence of a clear alternative in the Master Agreement this Agreement will be governed by and shall be construed in accordance with the laws of Republic of Ireland. The parties submit all their disputes arising out of or in connection with this Agreement to the exclusive jurisdiction of the Courts of England and Wales.

 

 

The parties have indicated their acceptance of this Agreement by signing the Order Form.

 

Purpose: The purpose of processing is for Assa Abloy to provide the Customer with Incedo™ Business Cloud and related services. Personal Data types processed are selected by the Customer.

 

Breakdown of data:

Personal Data types

Purpose of Processing

Data Retention Period

First and last name Email address

Job title Telephone number

Employer information Employer address

Onboarding the End User Organization to the service. Applies to Administrators

30 days from termination of the Service

First and last name Email address Title

Suffix

Identification of end users.

30 days from termination of the Service

Application state, events and usage statistics

Improving service performance and providing technical support.

3 years in deidentified form

 

Location of the Platform: Hosted by the company Amazon Web Services (“Hosting Provider”) – Platform currently located in the United States

 

Delivery of the data by client: API or user interface over HTTPS

 

Sub-processors:

Company

Country

Purpose

Google LLC

US

API Gateway, Google Analytics

Amazon Web Services

US, Ireland

Infrastructure, security and

integration services

HSL Mobile

UK

Deliver one-time passwords via SMS for two-factor authentication to mobile phones.

Rapid 7 LLC

US

Central storage and analysis of

application log files

Mixpanel

US

Usage analytics data from the HID Origo SDK

 

Location(s) of Support Services: US, India, Mexico, Brazil, UK, Hong Kong, China, Japan, Australia