Effective Date: January 1, 2023
This Professional Personal Data Processing Addendum (“PPDPA”) forms part of, and is subject to, the Master Services Agreement, the Enterprise Training Agreement, Sponsorship Agreement, Hiring Partner Agreement or other agreement(s) (including all SOWs, Orders and other ordering agreements entered into under any of the foregoing) (each a “Principal Agreement”) between PRESALES, LLC (“PSC”) and the counterparty(ies) to the applicable Principal Agreement (“Client”) pursuant to which PSC provides certain services to Client (“Services”) that may entail the Processing of Professional Personal Data (as defined below) and incorporates the terms of this PPDPA and the SCCs (as defined below) to the extent applicable.
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. To the extent this PPDPA conflicts with the Principal Agreement, this PPDPA will govern.
1. PERSONAL DATA COLLECTED
A. “Contracted Business Purposes” means the services described in the Principal Agreement for which PSC receives or accesses Personal Data.
B. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the avoidance of doubt, a Controller is also, where applicable, a “data controller” (as such term is defined under GDPR and UK GDPR) and a “business” (as such term is defined under the CCPA).
C. “Data Protection Laws” means all worldwide data protection and privacy laws and regulations applicable to the Processing of Professional Personal Data pursuant to a Principal Agreement, including, where applicable: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”); (ii) GDPR as it forms part of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); (iii) the California Consumer Privacy Act of 2018, California Civil Code 1798.100 et seq. (2018), as amended (“CCPA”); and (iv) any other similar data protection laws in any other applicable territory, each as amended, replaced, supplemented or superseded.
D. “Data Subject” means those Client employees or contractors to which the Personal Data relates.
E. “Personal Data” means any information, in any form or format, that is subject to protections, obligations and/or restrictions of Data Protection Law(s) that is made available to PSC by or on behalf of the Client pursuant to a Principal Agreement. Without limiting the breadth of the foregoing and only for the sake of clarification, Personal Data includes such information and/or data defined under Data Protection Laws as “personal information,” “personal data,” “covered data” or similar and generally includes information that identifies, is linked to and/or is reasonably linkable to an individual or a consumer device.
F. “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
G. “Processor” means the entity which Processes Personal Data on behalf of the Controller. For the avoidance of doubt, a Processor is also, where applicable, a “data processor” (as such term is defined under GDPR and UK GDPR) and a “service provider” (as such term is defined under the CCPA).
H. “Professional Personal Data” or “PPD” means Personal Data of individuals acting in a commercial or employment context on behalf of the Client (e.g., Client employees, consultants, agents, etc.).
I. “SCCs” means the Standard Contractual Clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021.
J. “Sub-processor” means any natural or legal person, public authority, agency or other body that Processes PPD on behalf of PSC.
K. “Transfer” means the access by, transfer or delivery to, or disclosure to a person, entity, or system of Personal Data where such person, entity or system is located in a country or jurisdiction other than the country or jurisdiction from which the Personal Data originated.
L. “UK Addendum” means the SCCs as amended by Part 2 of the UK Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018.
2. PROCESSING OF PROFESSIONAL PERSONAL DATA.
A. Scope of PPDPA. This PPDPA applies only to the Processing of Professional Personal Data. For the avoidance of doubt, this PPDPA does not apply to the Processing of Personal Data of Data Subjects acting in an individual or household context (i.e., acting as “consumers”).
B. Compliance with Data Protection Laws. Both parties will comply with all applicable requirements of Data Protection Laws in each of their respective Processing of PPD. For the avoidance of doubt, any requirements of Data Protection Laws that only apply to the Processing of Personal Data of “consumers” are not applicable. This Section 2(B) is in addition to, and does not relieve, remove or replace, a party’s obligations under the Data Protection Laws.
C. Roles. Client shall serve as the Controller of PPD Processed under the Principal Agreement and PSC shall serve as Client’s Processor with respect to such Processing. Each Sub-processor shall serve as PSC’s Processor.
D. PSC Obligations. Without prejudice to the generality of Section 2(B), PSC shall:
- collect, use, retain, disclose or otherwise Process PPD solely for the Contracted Business Purposes for which Client provides or permits PPD access or on Client’s documented instructions;
- not collect, use, retain, disclose, sell, or otherwise Process PPD for PSC’s own commercial purposes or outside of PSC’s direct business relationship with Client; provided that, if a law to which PSC is subject requires PSC to disclose PPD for a purpose unrelated to the Contracted Business Purpose, PSC shall first inform Client of the legal requirement and give Client an opportunity to object or challenge the requirement, unless the law prohibits such notice;
- ensure that persons authorized to Process PPD have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- not attempt to or actually re-identify any previously aggregated, deidentified, or anonymized data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data. For the avoidance of doubt, PSC may aggregate, deidentify, or anonymize Personal Data so it no longer meets the Personal Data definition, and PSC’s obligations hereunder will not apply, and PSC will not be restricted from storing, disclosing, or otherwise using any such aggregated, deidentified, or anonymized data;
- maintain records as required by applicable Data Protection Laws; and
- promptly comply with Client’s reasonable requests or instructions requiring PSC to provide, amend, transfer, or delete PPD.
PSC certifies that it understands the above restrictions and requirements and it will comply with them.
E. Client Instruction. Client instructs PSC and authorizes PSC to instruct each Sub-processor to:
- Process Professional Personal Data in accordance with the Principal Agreement, as reasonably necessary to provide the Services specified in the Principal Agreement; and
- Transfer Professional Personal Data to any country or territory, as reasonably necessary to provide the Services specified in the Principal Agreement.
Client represents and warrants that it is and will at all relevant times remain duly and effectively authorized to give the above instruction and any other PPD Processing instructions it gives PSC.
3. CROSS-BORDER TRANSFERS OF PROFESSIONAL PERSONAL DATA.
A. Transfers of Non-European Data. If the parties intend to Transfer Personal Data originating in a jurisdiction other than the EEA or the UK cross-border and the applicable Data Protection Law requires certain measures to be implemented prior to such Transfer, then the parties agree to cooperate to implement such measures.
B. Transfers of European Data. The parties acknowledge that Personal Data made available by Client to PSC under a Principal Agreement that originates in the EEA and/or the UK will be Transferred to the United States and may be transferred to another jurisdiction which is not subject to an adequacy determination by the European Commission or UK authorities (as applicable) and, accordingly, agree that the SCCs are hereby incorporated by reference and form an integral part of the Principal Agreement in accordance with this Section as follows:
(i) EEA Transfers. To the extent that Personal Data is subject to the GDPR, the SCCs apply as follows:
(a) the ‘data exporter’ is Client and the ‘data importer’ is PSC;
(b) the Module Two terms apply;
(c) in Clause 7, the optional docking clause applies;
(d) in Clause 9, Option 2 applies (general written authorization of sub-processors) and the specified time period to inform Client of changes to sub-processors will be thirty (30) days;
(e) in Clause 11, the optional language does not apply;
(f) in Clause 17, Option 1 applies, and the SCCs are governed by Irish law;
(g) in Clause 18(b), disputes will be resolved before the courts of Ireland;
(h) in Annex I.A and Annex I.B, the details of the parties and the transfer are set out in the Principal Agreement;
(i) in Annex I.C:
- In the event Client is established in an EU Member State, the competent supervisory authority shall be the supervisory authority with responsibility for ensuring compliance by Client with Regulation (EU) 2016/679;
- In the event Client is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 and has appointed a representative pursuant to Article 27(1), the competent supervisory authority shall be the supervisory authority of the Member State in which the representative is established; and
- in the event that Client is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 without however having to appoint a representative pursuant to Article 27(2), the Irish Data Protection Commissioner will act as competent supervisory authority.
(j) in Annex II, the description of the technical and organizational security measures is as follows:
The data importer shall ensure that: (I) persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights and that, in the course of Processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control); (II) Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control); (III) an audit trail is established to document whether and by whom Personal Data has been entered into, modified in, or removed from Personal Data Processing (entry control); (IV) Personal Data is protected against accidental destruction or loss (availability control); and (V) Personal Data collected for different purposes can be processed separately (separation control). Without limiting the generality of the foregoing, as part of its information security program, the data importer will:
- limit access to Personal Data to the minimum number of its personnel who require such access in order to perform its obligations under the Principal Agreement and this PPDPA;
- provide appropriate training to its personnel who process Personal Data;
- use multi-factor authentication for access to any systems storing Personal Data;
- use reputable services and/or tools to continuously monitor for malicious or unauthorized behavior; and
- encrypt Personal Data at rest and in transit.
(k) In Annex III, the list of PSC’s current sub-processors is available on PSC’s website at: [INSERT LINK TO SUBPROCESSOR TABLE].
(ii) UK Transfers. To the extent the Personal Data is subject to Data Protection Law of the UK, the SCCs apply as amended by the UK Addendum, and Part 1 of the UK Addendum is deemed completed as follows:
- in Table 1, the details of the parties are set out in the Principal Agreement;
- in Table 2, the selected modules and clauses are set out in Section 3(B)(i) of this PPDPA;
- in Table 3, the List of Parties and Description of Transfer is set out in the Principal Agreement;
- in Table 3, the Technical and organizational measures to ensure the security of data is set forth in Section 5(B)(i)(j) of this PPDPA;
- in Table 3, the list of PSC’s sub-processors is available at [INSERT LINK TO SUBPROCESSOR TABLE]; and
- in Table 4, the ‘importer’ is elected.
A. In the event of a conflict between the terms of this PPDPA, the SCCs, and those of the Principal Agreement, the terms shall apply in the following order of precedence: (i) the SCCs; (ii) this PPDPA; and (iii) the terms of the Principal Agreement. Except as modified herein, all terms and conditions of the Principal Agreement shall remain in full force and effect.
B. Should any provision of this PPDPA be invalid or unenforceable, then the remainder of this PPDPA shall remain valid and in force. The invalid or unenforceable provision shall be either: (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible; or (ii) if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
C. This PPDPA shall be governed by and construed in accordance with the laws governing the Principal Agreement, and any disputes shall be resolved by the courts agreed for resolution of disputes under the Principal Agreement.
D. Modifications to this PPDPA will be posted on PSC’s website. Changes will not apply retroactively and generally will become effective 14 days after they are posted. However, changes addressing new functions for a Service or made for legal reasons will be effective immediately. If Client does not agree to any terms in this PPDPA, Client must not use the Services. Client’s continued use of the Services after the effective date of this PPDPA or the effective date of any change constitutes Client’s acceptance of and agreement to follow and be bound by such changes.