2. Processor and Controller Roles and Responsibilities.
- For purposes of this Exhibit 3 (Data Protection Terms), the parties agree that Client is the controller of Personal Data and Oversight is the processor of such data. Unless otherwise defined herein or in the Agreement, capitalized terms used in this Exhibit 3 have the meaning assigned under the GDPR.
- These Data Protection Terms apply to the processing of Personal Data, within the scope of the GDPR, by Oversight on behalf of Client.
- Oversight will ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Oversight will take all measures required pursuant to Article 32 of the GDPR.
- Oversight shall immediately inform Client if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
Oversight will process Personal Data only on documented instructions from Client and as set forth in the Agreement. Any additional or alternate instructions must be agreed to in an amendment to the Agreement. If the GDPR applies and Client is a processor, Client warrants to Oversight that Client’s instructions, including appointment of Oversight as a processor or subprocessor, have been authorized by the relevant controller.
3. Processing Details. The parties acknowledge and agree that:
- The subject-matter of the processing is limited to Personal Data within the scope of the GDPR;
- The duration of the processing shall be for the duration of the term of the Agreement and until all Personal Data is deleted or returned in accordance with the terms of the Agreement;
- The nature and purpose of the processing shall be to provide the Services pursuant to the Agreement;
- The types of Personal Data processed by Oversight are set forth in Section 9 of this Exhibit 3; and
- The categories of data subjects are set forth in Section 10 of this Exhibit 3.
- At the choice of Client, Oversight will delete or return all the Personal Data to Client after the end of the provision of the Services, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Client and Oversight shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymization and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.'
4. Data Subject Rights; Assistance with Requests.
Oversight will make available to Client in a manner consistent with the functionality of the Services and Oversight’s role as a processor of the Personal Data of data subjects, the ability to fulfill data subject requests to exercise their rights under the GDPR. Oversight shall comply with reasonable requests by Client to assist with Client’s response to such a data subject request. If Oversight receives a request from Client’s data subject to exercise one or more of its rights under the GDPR in connection with the Services, Oversight will redirect the data subject to make its request directly to Client. Client will be responsible for responding to any such request. Oversight shall comply with reasonable requests by Client to assist with Client’s response to such a data subject request.
5. Records of Processing Activities.
Oversight shall maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Client, make them available to Client upon request. Oversight will make available to Client all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client.
6. Data Security.
- Oversight will implement and maintain appropriate technical and organizational measures to protect Data and Personal Data. Those measures shall be set forth in Exhibit 2 to the Agreement. Oversight will make available such other information as is reasonably requested by Client regarding Oversight security practices and policies. Oversight will assist Client in demonstrating compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Oversight.
7. Use of Sub-processors.
- If Oversight becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data or Personal Data while processed by Oversight (each a “Security Incident”), Oversight will promptly and without undue delay (1) notify Client of the Security Incident; (2) investigate the Security Incident and provide Client with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
- Client is solely responsible for complying with its obligations under incident notification laws applicable to Client and fulfilling any third-party notification obligations related to any Security Incident; provided, however, Oversight shall make reasonable efforts to assist Client in fulfilling Client’s obligation under GDPR Article 33 or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.
Oversight will not engage a third party processor without prior written authorization of Client. Oversight will inform Client of any intended addition of third party processors, thereby giving Client the opportunity to object. If Client objects to the use of a new sub-processor by notifying Oversight in writing within ten (10) business days after receipt of Oversight’s notice, Oversight will use reasonable efforts to recommend a commercially reasonable change to Client’s use of the Services to avoid processing of Personal Data by the objected-to new sub-processor without unreasonably burdening Client. If Oversight is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Client’s sole remedy is to terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Oversight without the use of the objected-to new sub-processor by providing written notice to Oversight. Oversight is liable for the acts and omissions of its sub-processors to the same extent Oversight would be liable if performing the services of each sub-processor directly under the terms of the Agreement.
8. Transfer Mechanisms.
Oversight will self-certify to and comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as administered by the US Department of Commerce, and Oversight shall maintain such self-certifications to and compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks with respect to the processing of Personal Data that is transferred from the European Economic Area and/or Switzerland to the United States. If Client is not self-certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, upon Client’s request, Oversight will comply with the EU Commissions Controller to Processor Model Clauses.
9. Data Subjects.
Data Subjects may include:
- Personnel Client authorizes to access the Service.
- Personnel utilizing Client’s corporate card.
- Personnel and attendees submitting or listed in Client’s expense reports.
- Client’s purchase order requestors, purchase order buyers, and personnel creating, approving, or modifying data in Client’s procure-to-pay system.
10. Categories of Data.