THIS DATA PROCESSING ADDENDUM is effective as of the date of the most recent signature in the execution section below, by and between:
Canary7 LTD, a Northern Irish company, whose registered number is NI685499 and principal place of business is at 7 Corchoney Road, Cookstown, BT80 9HU (Canary7); and
Each of Canary7 and Controller may be referred to herein as a party and together as the parties.
1.1 Canary7 provides to Customer certain software as a service (the Services) pursuant to the [non-disclosure agreement OR main agreement entered into between the parties either prior to, or on or around the date of this DPA (the Agreement), on the basis of Canary7’s general terms of service or other written agreement.]
1.2 The parties have agreed to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by Data Protection
1.3 In connection with the provision of the Services, the parties anticipate that Canary7 may process specific Personal Data regarding which Customer or Customer Group, or Customer’s End-Customer or End-Customer Group, may be a data controller under applicable Local Data Protection Laws or perform similar functions under similar Data Protection Laws, including outside of the European Economic Area (EEA), Switzerland and United Kingdom (UK).
1.4 This DPA sets out the additional data processing terms that apply to any such processing of such Personal Data by Canary7 on the Customer’s behalf to give the Customer comfort that adequate safeguards are in place to protect such Personal Data required by the Data Protection Laws.
1.5 Together with the Agreement, this DPA applies to the contract between the parties to the exclusion of any other terms that the Customer may seek to impose or incorporate, or which are implied by trade, custom, practice or course of dealing. This DPA forms an integral part of the Agreement. The provisions of the Agreement therefore apply to this DPA.
2.1 This DPA uses the following definitions:
Adequate Country means a country or territory that is recognised under relevant Local Data Protection Laws as providing sufficient protection for Personal Data;
Affiliate means, concerning a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists);
Agreement has the meaning given to it in clause 1.1 above;
Canary7 has the meaning given to it above;
Canary7 Group means Canary7 and any of its Affiliates and includes any one or more of such Affiliates as the context requires or permits;
Customer has the meaning given to it above;
Customer Group means the Customer and any of its Affiliates and includes any one or more of such Affiliates as the context requires or permits;
Data Subject Request means a request from or on behalf of a data subject relating to access to, or rectification, erasure or data portability in respect of that person’s Personal Data or an objection from or on behalf of a data subject to the processing of its Personal Data;
DPA means this data processing addendum;
Data Protection Laws mean the Local Data Protection Laws or any other directly applicable legislation and regulatory requirements in force from time to time which apply to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications) for the processing of Personal Data by Canary7 on the Customer’s behalf in connection with the Services;
End-Customer means an organisation to whom the Customer provides services from time to time under the Agreement and who, or a member of whose End-Customer Group, is a data controller of Personal Data under Local Data Protection Laws;
End-Customer Group means an End-Customer and any of its Affiliates established or doing business in the EEA, or the United Kingdom;
ISP means Canary7’s Information Security Policy [Note: link to ISP TBC];
Local Data Protection Laws mean all laws and regulations of the EU, the EEA, their member states, Switzerland and the UK, applicable to the processing of Personal Data under the Agreement, including (where applicable) (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (EU GDPR); and (ii) the EU GDPR as implemented in UK law by virtue of Section 3 of the UK European Union (Withdrawal) Act 2018 (UK GDPR);
Personal Data means all data which is defined as ‘personal data’ or personally identifiable information (PII) under relevant Data Protection Laws and which is provided by the Customer to Canary7 (directly or indirectly), and accessed, stored or otherwise processed by Canary7 as a data processor as part of its provision of the Service to the Customer and to which relevant Data Protection Laws apply from time to time;
processing, sub-processor, the data controller, the data subject, the supervisory authority and the data processor shall have the meanings ascribed to them in relevant Local Data Protection Laws; and
Services has the meaning given to it in clause 1.1 above;
Security Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provisioning of the Services;
Security Measures means those technical and organisational security measures described in Canary7’s ISP in respect of Personal Data it processes on behalf of the Customer, as well as any measures it is required to implement by law; and
Standard Contractual Clauses means (i) where the EU GDPR or Swiss Data Protection Laws apply, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries adopted pursuant to or permitted under Article 46 of EU GDPR (EU SCCs); and (ii) where the UK GDPR applies, the international data transfer agreement adopted pursuant to or permitted under Article 46 of the UK GDPR (UK IDTA), provided that, in each case, same complies with the requirements of applicable Data Protection Laws from time to time.
An entity exercises Control over another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or according to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it according to its constitutional documents or according to a contract; and two entities are treated as being in Common Control if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.
3. STATUS OF THE PARTIES
3.2 Each party warrants concerning Personal Data that it will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply) with the obligations imposed upon them respectively under Data Protection Laws. However, Canary7 is not responsible for determining the requirements of or compliance with any Data Protection Laws or other laws applicable to Customer, Customer Group or their industry that are not generally applicable to Canary7 as a service provider and processor of personal data made available to it via the Services.
3.3 As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and how the Customer or its End-Customer(s) acquired Personal Data, and, without limitation, will ensure or procure that the data controller (if different from the Customer) has ensured that it has all necessary appropriate consents and notices in place to enable lawful transfer of any Personal Data provided to Canary7, for the duration and purposes of the Agreement, including where applicable that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by the Data Protection Laws.
3.4 Regarding the parties’ rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that the Customer or the relevant End-Customer(s) is/are the data controller, and Canary7 is the data processor. Accordingly, Canary7 agrees that it shall process all Personal Data per its obligations under this DPA and as per the Customer’s lawful written instructions set out in this DPA or the Agreement and the Customer’s use and configuration of features of the Services. Customer hereby gives Canary7 permission to use, transfer and Process such personal data as set forth in this DPA.
4. CANARY7 OBLIGATIONS
4.1 Concerning all Personal Data, Canary7 shall
4.2 Where Personal Data is not made available through self-Service access to Customer or Customer’s Authorised Users, Canary7 will, without undue delay and in accordance with any time period specified under the applicable Data Protection Laws either: (a) provide Customer, in its role of controller, with the direct ability through Canary7’s platform to access, correct, delete or otherwise fulfil requests from data subjects to exercise their rights under Data Protection Laws in respect of their personal data; or (b) otherwise provide assistance to Customer to access, correct, delete or otherwise fulfil requests from Data Subjects to exercise their rights under Data Protection Laws in respect of their Personal Data in accordance with the instructions of Customer and insofar as this is possible. The Customer acknowledges and agrees that in the event such cooperation and assistance require additional resources on the part of Canary7, such effort will be chargeable at a fee as mutually agreed to by the Parties acting reasonably. Where Customer requests that Canary7 block, delete and/or return Personal Data, Customer understands, acknowledges, and agrees that it can affect Canary7’s ability to perform the Services as a result of Canary7 complying with such request. As such, Canary7 shall not have any liability for breach of performance or any losses incurred by Customer arising from or in connection with Canary7’s inability to perform the Services in accordance with the Agreement as a consequence of Canary7 fulfilling Customer’s request.
5. CUSTOMER RESPONSIBILITIES
5.1 Customer shall comply with Data Protection Laws as well as any other Laws applicable to Customer or Customer’s industry. If compliance with any such specific laws requires any actions with regard to data protection on the part of Canary7 in addition to the obligations set forth in this DPA, such actions will only be taken upon mutual agreement between the Parties. For the avoidance of doubt, where agreed by the Parties, Canary7 will use commercially reasonable efforts to accommodate additional requirements. In any event, Customer will provide reasonable advance notice of the required actions, cooperate fully with Canary7 in respect thereof and compensate Canary7 for any such efforts that require additional services or investment or modifications in the Services, as agreed in advance by the Parties.
5.2 Customer warrants that, where it provides any personal data to Canary7 for Processing by Canary7:
5.3 Customer shall take reasonable steps to keep personal data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.
5.4 If a data subject contacts Canary7 directly in order to exercise his or her individual rights such as requesting a copy, correction or deletion of his or her data or wanting to restrict or object to the Processing activities, Canary7 will promptly (and in any event within five working days of receipt) direct such data subject to Customer. In support of the above, Canary7 may provide Customer’s basic contact information to the requestor (but shall not otherwise reply to same), and, to the extent disclosed by the data subject, data subject’s basic contact information and a summary of the request to Customer. Customer shall inform data subjects that they may exercise these rights solely vis-à-vis Customer. Customer agrees to answer to and comply with any such request of a data subject in accordance with applicable Data Protection Laws.
5.5 With regard to components that Customer provides or controls, including but not limited to workstations connecting to Canary7 Services, data transfer mechanisms used, and credentials issued to Customer Authorised Users, Customer shall implement and maintain the required technical and organisational measures for data protection.
5.6 Customer must notify Canary7 promptly about any possible misuse of its accounts or authentication credentials or any security issue related to its use of the Services.
6.2 Canary7 confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement substantially on that third party’s standard terms of business, which shall include an obligation to keep all personal data confidential and process it only in accordance with the purposes for which Canary7 has instructed them to deliver services, and applicable Local Data Protection Laws.
6.3 As between the Customer and Canary7, Canary7 shall remain fully liable for all acts or omissions of any third-party processor appointed by it according to this clause.
7.1 Unless legally prohibited from doing so, Canary7 shall promptly notify Customer if it or any of its sub-processors, with regard to Customer’s Personal Data:
7.2 Any notification under this DPA, including a Security Breach notification, will be delivered to one or more of Customer’s contact persons via e-mail. Upon request of Customer, Canary7 shall provide Customer with an overview of the contact information of the registered Customer’s contact persons. It is Customer’s sole responsibility to timely report any changes in contact information (including “Key Contact” and “Importer Data Subject Contact” as described below) and to ensure Customer’s contact persons maintain accurate contact information.
7.3 If either party is subject to an inquiry by a data protection authority, regulator or agency, the scope of which includes operations or information within the other party’s control, each party agrees to provide reasonable cooperation to the other party.
8. DATA TRANSFERS
8.1 The Customer acknowledges and agrees that Personal Data may be transferred or stored outside the EU, EEA, UK or the country where the relevant data subjects are located for Canary7 and its authorised sub-processors to provide the Services and fulfil Canary7’s other obligations under the Agreement. Any transfer from one territorial jurisdiction to another territorial jurisdiction (the EU constituting one single jurisdiction for the purpose of this Article) will only be undertaken in compliance with the applicable Data Protection Laws, such as the execution of an additional data transfer addendum, as required.
8.2 To the extent any processing of Personal Data relating to EU, EEA or UK data subjects by Canary7 takes place in any country outside the EEA (except if in an Adequate Country), the parties agree that the Standard Contractual Clauses will apply in respect of that processing. Canary7 will comply with the obligations of the ‘data importer’ or ‘Importer’ in the relevant Standard Contractual Clauses. The Customer will comply with the duties of the ‘data exporter’ or ‘Exporter’.
8.3 If, in the performance of this DPA or the Agreement, Canary7 transfers any Personal Data to a sub-processor located, or permits processing of any Personal Data by a sub-processor outside of the UK, EU or EEA except if in an Adequate Country (without prejudice to clause 4), Canary7 shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place, such as the Standard Contractual Clauses (where applicable). Where the transfer would be a restricted transfer but for the Standard Contractual Clauses being put in place, then the Standard Contractual Clauses shall, if they provide a lawful mechanism for such transfer, be deemed incorporated into the Agreement and will apply to such transfer.
9.1 This DPA is without prejudice to the parties’ rights and obligations under the Agreement, which shall continue to have full force and effect. Collectively, this DPA (including the Standard Contractual Clauses) and the Agreement constitute the complete agreement and merge all prior discussions and agreements between the parties regarding the Services. In the event of any conflict between the terms of this DPA and the terms of the Agreement, this DPA shall prevail so far as the subject matter concerns the processing of Personal Data, but the terms of the Agreement shall otherwise prevail.
9.3 This DPA comes into effect on the Effective Date and remains in force until processing of Personal Data by Canary7 is no longer required (a) in the framework of or pursuant to the Agreement or (b) for a period after termination of the Agreement or the relevant Services for any reason whatsoever, in accordance with Customer’s explicit instructions or other legally permissible basis.
9.4 Subject to the provisions of clause 4(ii) above, this DPA and any action related to it shall be governed by and construed per the laws of Northern Ireland, without giving effect to any conflicts of laws principles, and any disputes in respect of same shall be subject to the exclusive jurisdiction of, and venue in, the courts of Northern Ireland for such purposes.