As of: SEPTEMBER 14, 2020
This Data Processing Agreement, including the Standard Contractual Clauses and their Appendices, (the “Agreement”) is incorporated into and forms a part of the written (including in electronic form) agreement between StepStone Group LP or one of its consolidated subsidiaries (the “Company”) and Vendor for the provision of the services identified in the relevant agreement (“Services”) between Company and Vendor (the “Main Contract”) to reflect the Parties’ agreement with regard to the Processing of Personal Data. For the avoidance of doubt, execution of the Main Contract shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their Appendices.
1 Subject matter and duration
1.1 Unless otherwise set out below, each capitalized term in this Agreement shall have the meaning set out in the Main Contract:
“Company Personal Data” means any Personal Data Vendor Processes in relation to the Services, including Personal Data (i) provided by or on behalf of Company to Vendor, (ii) obtained, developed, produced or otherwise Processed by Vendor, or its agents or Subprocessors, for purposes of providing the Services, and (iii) any information derived therefrom.
“Affiliates” means the current and future respective affiliated companies of Company.
“Applicable Data Protection Law” means all applicable laws, rules, regulations, and governmental requirements currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or security of Personal Data, including but not limited to the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and implementing regulations thereto that become effective on or after the effective date of this Agreement, (the “CCPA”), the European Union General Data Protection Regulation 2016/679 of the European Parliament and of the Council (the “GDPR”) and any applicable national legislation implementing or supplementing the GDPR, the Swiss Federal Data Protection Act of 1992 and its Ordinance, in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data.
“Controller” means the natural or legal person which alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Subject” means an identified, or identifiable, natural person to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable individual, or is otherwise “personal data,” “personal information,” “personally identifiable information,” or similar designation under and regulated by Applicable Data Protection Law.
“Process(ing)” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, modification, storage, disclosure, restriction, erasure or destruction. The nature and purpose of the Processing as well as the types of Personal Data and the categories of Data Subjects that are subject to this Agreement are set out in Appendix 1.
“Processor” means a natural or legal person which Processes Personal Data on behalf of the Controller subject to contractual restrictions consistent and in compliance with Applicable Data Protection Law, including a “processor” as such term is defined by the GDPR and a “service provider” as such term is defined by the CCPA.
“Subprocessor” means a natural or legal person engaged by the Vendor who Processes any Company Personal Data on behalf of the Vendor.
1.2 The subject matter of this Agreement is the Processing of Company Personal Data by Vendor.
1.3 The Parties acknowledge and agree that Vendor shall act as a Processor in relation to its Processing of Company Personal Data and Vendor shall only Process Company Personal Data in accordance with:
(a) the Main Contract and this Agreement, to the extent necessary to provide the Services to Company, and
(b) Company’s written instructions.
1.4 This Agreement shall commence with the signature by both Parties of the Main Contract and shall terminate automatically following the termination of the Main Contract upon the completion of the last Processing activity carried out thereunder. The right of either Party to terminate this Agreement with immediate effect for cause remains unaffected, provided that if this Agreement is terminated, the Parties acknowledge and agree that no further Processing of Company Personal Data is permitted under the Main Contract. Any notice of termination must be given in writing in order to be legally effective.
2 Processing location and Standard Contractual Clauses
2.1 The country/countries where Vendor will process Company Personal Data shall be set forth in Appendix 1. In the event that Vendor intends to change the country/countries it processes Company Personal Data, the Parties shall amend Appendix 1 in writing to reflect such change. Where required by Applicable Data Protection Law, the Parties will enter into standard contractual clauses or other similar documentation required by Applicable Data Protection Law for the international transfer of Company Personal Data to ensure an adequate level of data protection (“Standard Contractual Clauses”). Without limiting the foregoing, any Processor who will process data in a country that does not ensure an adequate level of data protection in accordance with EU Applicable Data Protection Law shall enter into the Standard Contractual Clauses appended to this Agreement.
2.2 In the event of a change in any Applicable Data Protection Law relating to the country/countries where an adequate level of data protection exists, the Parties will discuss and agree on an alternative solution permitting Vendor to continue to process the Personal Data in said country/countries.
2.3 In the case of any inconsistency between any of the provisions of the Main Contract, this Agreement and the Standard Contractual Clauses respectively, the provisions of the Standard Contractual Clauses shall prevail in preference to the Main Contract and this Agreement, and the provisions of this Agreement shall prevail over the provisions of the Main Contract. Notwithstanding the foregoing, if the Main Contract includes or references a security plan (“Security Plan”), the provisions of the Security Plan shall prevail over the provisions of this Agreement (including Appendix 2), and a provision in the Main Contract otherwise conflicting with a provision in this Agreement shall further prevail, in each case solely to the extent such provision relates to information other than Company Personal Data, provides greater protection for Company Personal Data or imposes additional restrictions on Vendor’s Processing of Company Personal Data.
3 Instructions of Company
3.1 Company has the sole right to give Vendor instructions with regard to the Processing of Company Personal Data.
3.2 Company herewith instructs Vendor to process the Company Personal Data to the extent required to provide the Services.
3.3 Instructions of Company will regularly be given in writing. Oral instructions will be confirmed in writing without undue delay.
3.4 If, in Vendor’s opinion, the execution of an instruction of Company would result in the breach of this Agreement, the Main Contract, the Standard Contractual Clauses (if any), or Applicable Data Protection Law, Vendor will immediately notify Company thereof in writing. Such notification shall be duly justified and documented. In such case, Vendor will suspend the execution of the instruction until the instruction is confirmed by Company in writing.
3.5 It is incumbent upon Vendor to prove that it has acted as a Processor under Company’s instruction pursuant to Applicable Data Protection Law when Processing Company Personal Data. Company remains the Controller of the Personal Data within the meaning of Applicable Data Protection Laws. As a consequence, Vendor recognizes and agrees that it is not permitted to sell, retain, use, disclose nor otherwise Process the Company Personal Data for its own commercial purposes or for any purpose other than for the specific purpose of performing the Services and Processing the Company Personal Data on Company’s written instructions.
4 General obligations of Vendor
4.1 Vendor will only Process Company Personal Data in accordance with the instructions given by Company, this Agreement, the Standard Contractual Clauses (if applicable), and Applicable Data Protection Law, and shall not cause Company to be in breach of Applicable Data Protection Law.
4.2 Vendor shall, however, have the right to Process Company Personal Data outside the scope set out in section 4.1: (a) in the case of Personal Data of Data Subjects resident in the European Union, to the extent required by the laws of the European Union or its member states; and (b) in the case of Personal Data of Data Subjects not resident in the European Union, to the extent required by any country’s laws to which Vendor may be subject. In such a case, Vendor shall inform Company of that legal requirement in writing before the Processing and provide such details as may be required by Company to evaluate whether the Data Subjects should be notified, except to the extent that such law prohibits Vendor from providing that information.
4.3 Vendor will provide Company with such assistance and co-operation as Company may reasonably request to enable Company to comply with any obligations imposed on Company in relation to Company Personal Data including, but not limited to, providing any assistance with any data protection impact assessments and prior consultations of Company required under Applicable Data Protection Law, or other binding legal obligations, which may include litigation holds and responding to binding orders of a court or regulatory authority with jurisdiction.
4.4 Vendor shall inform Company immediately, in writing, of any inquiry, complaint, notice, or other communication it receives from any supervisory authority or other governmental body or any individual, relating to either Vendor’s or Company’s Processing of Company Personal Data or related compliance with Applicable Data Protection Law. Vendor shall present, upon request, to Company such inquiries, complaints, notices, or other communications and shall provide all necessary assistance to Company to enable Company to respond to such inquiries, complaints, notices, or other communications. For the avoidance of doubt, Vendor shall not respond to any such inquiry, complaint, notice, or other communication without the prior written consent of Company.
4.5 Vendor will notify Company as soon as possible, and as far as it is legally permitted to do so, of any access request for disclosure of data which concerns Company Personal Data (or any part thereof) by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction. For the avoidance of doubt and as far as it is legally permitted to do so, Vendor shall not disclose or release any Company Personal Data in response to such request served on Vendor without first consulting with, and obtaining the written consent of, Company.
5 Technical and organizational security measures
5.1 Vendor will monitor its compliance with this Agreement on an ongoing basis.
5.2 Vendor has designated or will designate a data protection officer and/or a representative in the EU and/or any other jurisdiction to the extent required under Applicable Data Protection Law. Vendor will notify Company of (and of any changes to) the identity and contact details of any data protection officer and/or representative (if any) without undue delay in writing.
5.3 Vendor will maintain a record of all categories of Processing activities carried out on behalf of Company by Vendor to the extent required to enable Company to comply with its obligations under Applicable Data Protection Law. Vendor will cause each Subprocessor it retains to maintain a record of all categories of Processing activities carried out on behalf of Vendor by the Subprocessor to the extent required to enable Company or Vendor to comply with its obligations under Applicable Data Protection Law. The records required by this section 5.3 must include, without limitation:
- a description of the categories of Company Personal Data being Processed and the categories of the Processing activities undertaken;
- where permitted in accordance with this Agreement, details of any transfer of Company Personal Data, including details of: (i) the country in which the recipient is located and, if applicable, the recipient international organization; and (ii) the suitable safeguards implemented for the protection of Company Personal Data; and
- a general description of the technical and organizational security measures implemented pursuant to section 5.6.
Vendor shall make available (and shall cause any Subprocessor to make available) to Company copies of such records in electronic form or such other form acceptable to Company on no less than an annual basis or without undue delay upon first demand from Company.
5.4 Vendor will notify Company prior to Vendor or its Subprocessors adopting or implementing a new type of Processing activities (including, without limitation, the use of new technology to continue current Processing) in respect of Company Personal Data, and at Company’s request, Vendor shall participate in a data protection impact assessment in respect of the new type of Processing which is being proposed, in accordance with Applicable Data Protection Laws.
5.5 Vendor will take reasonable steps to ensure the reliability of any person, including employees and other personnel, authorized by Vendor to Process Company Personal Data, and will ensure that such persons have committed themselves in writing to confidentiality or are under an appropriate obligation of confidentiality and an obligation to act in compliance with Applicable Data Protection Law. Vendor will make available to Company an electronic copy of such commitment or appropriate evidence of such obligation without undue delay upon first demand.
5.6 Vendor will implement and maintain appropriate technical and organizational data protection and security measures to ensure security of Company Personal Data; including without limitation protection against unauthorized or unlawful Processing (including without limitation unauthorized or unlawful disclosure of, access to and/or alteration of Company Personal Data) and against accidental loss, destruction or damage of or to it.
5.7 Vendor will implement and maintain as a minimum standard the measures set out in Appendix 2. Vendor will constantly improve such measures in line with the development of best market practices and technical standards. Vendor will notify Company in writing in advance of any material changes to such security measures. Any changes that may adversely affect the security of Company Personal Data require Company’s prior written consent.
6 Data breach notifications
6.1 Vendor will immediately notify Company in writing of any breach of this Agreement, the Standard Contractual Clauses (if any), Applicable Data Protection Law applicable to the Processing of Company Personal Data, or any instruction by Company in connection with the Processing of Company Personal Data under this Agreement.
6.2 Without limiting the generality of Section 6.1, Vendor shall notify Company without undue delay and, in any event, not later than 36 hours after the discovery of any possible breach of security that is likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Company Personal Data transmitted, stored, or otherwise Processed by Vendor or any of its Subprocessors, and reasonably cooperate in the investigation of any such possible breach of security.
6.3 Where, and insofar as it is possible for Vendor, the notification shall at least:
- describe the nature of the possible breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; and
- describe the likely consequences of the possible breach and the measures taken or proposed to be taken to address the possible breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as it is not possible to provide all of the information at the same time, the information may be provided in phases without undue delay.
6.4 Vendor shall take all steps to restore, re-constitute, and/or reconstruct any Company Personal Data which is lost, damaged, destroyed, altered, or corrupted as a result of such a breach, as if it were Vendor’s own data, at its own cost and with all possible speed.
Vendor shall, without undue delay, send Company a detailed report of all the measures implemented pursuant to section 6.4.
6.5 Vendor will provide any assistance with Company’s investigation of the possible breach and any obligation of Company under Applicable Data Protection Law to make any notifications to the Data Subjects, supervisory authorities, or the public in respect of such breach as reasonably requested by Company. Vendor will not make any statement or notification to any Data Subject, supervisory authority, or otherwise relating to such breach without the prior written approval of Company.
6.6 Vendor shall provide any assistance with any obligation of Company under Applicable Data Protection Law to document any such possible breach as reasonably requested by Company.
7 Rights of the Data Subjects
7.1 As between the Parties, Company shall have sole discretion in responding to the rights asserted by any Data Subjects in relation to Company Personal Data.
7.2 Vendor will forward to Company without undue delay any request received by the Vendor or any Subprocessor from a Data Subject in respect of the Company Personal Data, and shall not respond to the Data Subject without first consulting with and obtaining the written consent of Company.
7.3 While respecting the technical and organizational security measures, Vendor will provide any assistance in fulfilling any rights of the Data Subjects to the extent these rights relate to the Processing of Company Personal Data by Vendor as reasonably requested by Company, including:
- complying with any request from Company requiring Vendor to amend, transfer, or delete Company Personal Data as soon as possible; and
- taking all technical and organizational measures allowing Company to comply with any right of portability request formulated pursuant to Applicable Data Protection Law; and
- implementing, so far as possible, appropriate technical and organizational measures to provide Company with co-operation and assistance in complying with any Data Subject rights requests received by, or on behalf of, Company.
7.4 At Company’s request, Vendor will immediately send evidence of the accomplishment of measures taken pursuant to section 7.3.
8 Deletion and return of data upon termination of this Agreement
8.1 Upon Company’s first demand or, at the latest, upon termination or expiration of this Agreement, Vendor will at the choice of Company, while respecting data protection and security measures, delete or return to Company all Company Personal Data Processed and delete all existing copies unless: (a) in the case of the Personal Data of Data Subjects resident in the European Union, the laws of the European Union or its member states require a longer retention period; and (b) in the case of the Personal Data of Data Subjects not resident in the European Union, to the extent any country’s laws to which Vendor is subject require a longer retention period. Vendor shall provide any evidence of such deletion of Company Personal Data as reasonably requested by Company.
9 Right to engage Subprocessors
9.1 Vendor shall not engage, and shall not transfer or disclose any Company Personal Data to, another party (including any other Processor or Subprocessor) without prior specific or general written authorization of Company.
9.2 In the case of general written authorization, Vendor shall inform Company of its intention to engage such other third party in writing at least sixty days in advance of the date of the intended commencement of the engagement. Company may object to such intended engagement by giving written notice at the latest two weeks in advance of the date of the intended commencement of the engagement.
9.3 Where Vendor engages a Subprocessor in accordance with this Agreement, obligations providing at least for the level of data protection as established by this Agreement shall be imposed on that other party by way of a written contract such as a data processing agreement. Vendor shall make available to Company an electronic copy of such written contract (redacted for commercial terms) or other evidence acceptable to Company, acting reasonably, without undue delay, upon first demand. Where the Subprocessor fails to fulfil its data protection obligations, Vendor shall remain fully responsible to Company for the performance of that other party’s obligations and shall be liable to Company for the acts and omissions of the Subprocessor as if they were the acts and omissions of the Vendor.
10 Audits and inspections of Company, co-operation obligations of Vendor, co-operation with supervisory authorities
10.1 Company (itself or through a third-party) has the right to reasonably inspect or audit Vendor’s compliance with this Agreement. For this purpose, Vendor will grant Company, or a designated third-party, access to its business premises during Vendor’s regular business hours and without undue delay make available all information necessary to demonstrate compliance with this Agreement as reasonably requested by Company.
10.2 Company will notify Vendor in writing of any such audit or inspection at least 2 weeks in advance. Company will not conduct more than one audit or inspection per calendar year. However, if: (i) Vendor has provided a notice under section 6.1 or 6.2 of this Agreement; or (ii) Company reasonably believes that Vendor is in breach of this Agreement, the Standard Contractual Clauses (if any), Applicable Data Protection Law, or any direction by Company in connection with Processing of Company Personal Data; Company may, without prior notice or with shorter prior notice as the case may be, conduct such additional inspections within the same calendar year as are reasonably required to confirm compliance with this Agreement.
10.3 Vendor will provide any assistance in connection with any audits of any competent supervisory authority to the extent such audit relates to the Processing of Company Personal Data by Vendor under this Agreement as reasonably requested by Company.
10.4 Vendor shall ensure that substantially similar provisions are included in its agreements with Subprocessors.
11 Indemnification
11.1 Vendor agrees to indemnify, defend at its own expense and hold harmless, without setoff or deduction, Company from and against any and all claims, damages, costs and expenses (including, without limitation, reasonable legal costs) incurred by Company or its Affiliates arising from, or in connection with, the Processing of Company Personal Data by Vendor or breach of this Agreement by Vendor.
11.2 Any provision of this Agreement or the Main Contract excluding or limiting the liability of Vendor shall not apply to Vendor’s liability under Section 11.1 (Indemnification).
12 Insurance Obligation
12.1 At all times during the performance of Services pursuant to the Main Contract, Vendor shall (and shall cause Vendor personnel who are providing Services to) keep in full force and effect and maintain, at no additional cost to Company, technology/professional and network security/privacy (cyber) errors and omissions liability insurance covering acts, errors, omissions, breach of contract, and violation of any privacy or data protection laws (if applicable) arising out of Vendor’s operations or Services at levels consistent with prudent industry standards. Vendor shall notify the Company if it reduces materially the level or amount of insurance coverage during the performance of the Services.
12.2 By requiring insurance as provided in this Section 12, Company does not represent that coverage and limits shall be necessarily adequate to protect Company and Company’s Affiliates, and their officers, directors, employees and agents, and such limits shall not be deemed as a limitation of Vendor’s liability under this Agreement.
13 Final provisions
13.1 This Agreement is subject to the laws of the jurisdiction as stated in the Main Contract save that the Standard Contractual Clauses shall be governed by the law of the jurisdiction in which Company is established. The Parties exclusively submit to the courts of the chosen jurisdiction as set out in the Main Contract.
13.2 All rights granted to Company under this Agreement are for the benefit of Company and for the additional purpose of conferring the same benefit on each of its Affiliates as if they were a party hereto. Any claims in connection with this Agreement may be brought by Company, whether acting for itself or on behalf of an Affiliate.
13.3 Any amendments or supplements to, or a termination of, this Agreement must be in writing in order to be legally effective; this requirement applies accordingly to any waiver of this written form requirement. For the avoidance of doubt, any references to any written form requirement in this Agreement (e.g. “written” or “in writing”) include declarations and documents in electronic and text form whether bearing a signature or not (e.g. emails, fax copies or scans).
13.4 All notices, requests, consents, claims, demands, waivers, and other communications by Vendor to Company under this Agreement (each, a “Notice”) shall be made in writing and, at a minimum, delivered by email to firstname.lastname@example.org (with confirmation of transmission). Notice pursuant to Section 5.7 and 6.2 shall also be delivered by email to email@example.com (with confirmation of transmission), and Notice pursuant to Section 6.2 shall also be delivered by overnight mail to:
StepStone Group LP
Attention: 4225 Executive Square, Suite 1600
La Jolla, CA 92037, United States
Notice pursuant to Section 6.2 relating to Company Personal Data in or from the European Economic Area or the United Kingdom shall also be delivered by email to PrivacyEurope@stepstonegroup.com. Notice under this Agreement is only effective (a) upon receipt by Company, and (b) if Vendor has complied with the requirements of this Section.
13.5 If a provision of this Agreement is or becomes ineffective in whole or in part, or if there is an omission, the remaining provisions of this Agreement shall remain unaffected. In place of the ineffective provision, and to fill the omission, the Parties will agree on a reasonable provision which comes – to the extent legally possible – closest to what the Parties agreed or would have agreed if they had considered this point.
13.6 Either Party’s failure to enforce any provisions of this Agreement shall not constitute a waiver of that or any other provision and will not relieve the other Party from the obligation to comply with such provision.
13.7 Any claim or dispute between the Parties arising out of, or in connection with, this Agreement (a “Dispute”) that cannot be resolved by direct discussions between the Parties shall be resolved in accordance with the procedure set out in the Main Contract, if any.
STANDARD CONTRACTUAL CLAUSES
For the purposes of Article 26(2) of Directive 95/46/EC and Article 46(1) of Regulation (EU) 2016/679 for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organization: StepStone Group LP contracting for and on behalf of itself and as agent on behalf of its consolidated subsidiaries and affiliates.
Address: 4225 Executive Square, Suite 1600, La Jolla, CA 92037 Attn: Legal Department
Other information needed to identify the organization: Not applicable
(each and all the data exporter)
Name of the data importing organization: The data importer is the Vendor, as defined in the Main Contract.
(the data importer) each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1. From and after 25 May 2018, any reference to Directive 95/46/EC shall be a reference to the applicable provision of Regulation (EU) 2016/679.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘data exporter’ means the controller who transfers the personal data;
(c) ‘data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of natural persons and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorized access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Agreement and the Clauses.
Data exporter (please specify briefly activities relevant to the transfer):
The data exporter is providing personal data from the data subjects to the data importer for the purpose of obtaining the Services, as defined in the Agreement, which may require such data. This may include data transfers from the data exporter to the data importer using media or electronic transmission, on public or private networks, across national borders, and both within and without the European Union member states.
Data importer (please specify briefly activities relevant to the transfer):
The data importer is receiving personal data from the data exporter for the purpose of providing the Services, as defined in the Agreement, to the data exporter. This may include data transfers from the data exporter to the data importer using media or electronic transmission, on public or private networks, across national borders, and both within and without the European Union member states.
The personal data transferred concern the following categories of data subjects (please specify):
- Employees, contractors, temporary/agency workers, and consultants (collectively, “HR data”);
- Customers, including past, current and potential customers (collectively, “Customer data”); and
- Other third parties including representatives of and contacts at vendors, licensees, and other business partners (collectively, “B2B data”).
All of the above categories include current, past, and prospective data subjects.
Categories of data
The personal data transferred concern the following categories of data (please specify):
HR data includes:
- Personal details such as name (including known aliases or former names); prefix, personal and business email address, telephone number, and mailing address; date and place of birth; nationality; gender; marital status; language(s); signature; photograph(s); driver’s license and automobile license numbers or other national identification document(s); next of kin and emergency contact details; and dependent details (including names, date and place of birth, employment information, criminal records, addresses, email address, telephone number, and mailing address);
- Right to work and immigration information about employees such as social security, tax identification, or other government issued identification number (including copies of required identification documents); citizenship, residency, visa, or work permit information; identity card, passport, and/or birth certificate details; and, when required, the information necessary to obtain visa and work permit(s);
- Employment details such as job title, geographic location, area of responsibility, employee identification number; job title and grade level, including historical information regarding progression; department; location; supervisor; dates of employment; hours worked, absences, vacation dates; performance and evaluation records including review meetings and assessment interviews; disciplinary records or investigation records related to conduct impacting the workplace; training and attendance records; employer information (for contractors, consultants, agents, etc.); wage/salary records, records of overtime, bonuses and expenses; payroll records and severance pay records; statutory sick pay records; accident books and accident records/reports; business data, documents and administration concerning pension schemes and related subjects; and career and talent development programs, diversity programs, other HR policies;
- Talent, recruitment, education, and training details such as education and other academic and professional qualifications; details about previous experience, roles, and employment, including employment references; language and other relevant skills; resume, curriculum vitae, and application details; veteran status; and job applicant data;
- CCTV footage or other video recordings, such as information collected through video surveillance systems installed by StepStone Group for security purposes;
- Health information such as information necessary to provide health, disability, and life insurance or other benefits; to provide employees with parental, family, or disability leave, pay, or related benefits; information necessary for workers’ compensation claims; assessment of fitness to work; or to protect health and safety, including to monitor exposure to environmental or potentially hazardous conditions or provide urgent care for on-site injuries;
- Background-check information such as information related to offenses or criminal proceedings, outcomes, and sentences where required by law, relevant to job function, or necessary to protect the health and safety of personnel; certain other background information including credit reports, pre-employment drug and alcohol testing where permitted by local law, driver’s records, or other reference checks;
- Data generated from monitoring programs; and
- Diversity and sensitive affiliation information such as information necessary to internally identify and review our equal opportunity employment practices, or in connection with the publication of aggregate information on the diversity of our workforce.
Customer data includes:
- Personal details such as name, date of birth, gender, driver’s license or passport number and expiration date; employer/company name, contact details for home, employer/company, or location stayed during travel, including address, telephone numbers, fax numbers, email addresses, and emergency contact details;
- Unique identification numbers;
- Location-based information;
- Financial information such as income; bank account information; anti-money laundering (AML) information; know your customer (KYC) information, and tax identification number;
- Customer relationship information such as customer agreements, customer offer and deal information; and customer payment and collection information;
- Data relating to lease objects, rent information, and lessee and landlord information;
- Recorded call information;
- Visitor and access control data, such as CCTV images or other video recordings; and
- Customer complaint information.
B2B data includes:
- Contact details such as name, gender, date of birth, email address, address, employer, and telephone and fax numbers;
- Complaints information;
- B2B relationship information such as contracts or agreements; and data relating to payments, expenses and collection;
- CCTV images or other video recordings; and
- Tax ID.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
- Data concerning health;
- Criminal convictions;
- Religious beliefs; and
- Trade union membership.
The personal data transferred will be subject to the following basic processing activities (please specify):
The basic processing activities are as described in the Main Contract and include the following:
- Hosting of personal data on behalf of the data exporter;
- Providing services to customers;
- Processing and managing customer orders;
- Direct marketing;
- Human Resources modelling and strategy;
- Human resources administration;
- Document retention;
- Management and management reporting;
- Financial reporting;
- Dealing with vendors, licensees, agents, and other business partners in general business management;
- Risk management, compliance, legal, accounting, and audit functions; and
- Litigation and protecting the data exporter and/or data importer against injury, theft, legal liability, fraud, abuse, and other misconduct.
The personal data transferred will be processed in the following countries/locations (please specify):
- United States of America
- European Union
- Other – (please specify): Australia, Canada and Switzerland
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Agreement and the Clauses.
Description of the technical and organizational security measures implemented by the data importer in accordance with the Agreement and Clauses 4(d) and 5(c) (or document/legislation attached):
I. GENERAL SECURITY MEASURES
1. The data importer maintains security documentation and supervises compliance with the rules therein.
2. The data importer ensures that persons authorized to process personal data are familiar with data protection rules (e.g. by training).
3. Only persons who are granted authorization by applicable database managers shall be allowed to carry out data processing (“Authorized Person”).
4. Database managers shall identify Authorized Persons upon granting access to a database.
5. The data importer shall ensure that Authorized Persons are obliged to keep personal data and the methods of their protection confidential.
1. The data importer shall keep and maintain written documentation regarding data security principles.
2. The documentation that is kept by the data importer consists of: (1) the Security Policy and (2) internal manuals setting out how to use the IT systems and how to secure data (the “IT Manuals”).
III. SPECIFIC SECURITY MEASURES
1. The data importer shall ensure that:
a. Buildings, premises, or parts comprising the area where data are processed are secured against access of unauthorized persons;
b. Any unauthorized person may have access to the area where personal data is processed only with the data importer’s consent, or in the presence of an Authorized Person;
c. Access control principles are applied in the IT system used for personal data processing;
d. A separate unique identifier (ID) is registered for each IT system user, so that an authentication procedure may be completed;
e. The policies provided to the Authorized Persons shall instruct Authorized Persons to take such precautions as may be necessary to ensure that the confidential component(s) (including the login credentials (e.g. identifier/username)) are kept secret and that the devices used and held exclusively by Authorized Persons are kept with due care;
f. Access to personal data is only available after entering the Authorized Person’s login credentials (e.g. identifier/username and password);
g. The IT system used for processing personal data is secured in particular against:
i. software used for gaining unauthorized access to the IT system;
ii. loss of data which may be caused by a failure of power supply or line interference;
h. Upon notification by a system or database manager that an Authorized Person no longer has a need to access the relevant data or system, authentication credentials for such Authorized Person shall be de-activated.
i. Passwords for user authentication are changed at least once every ninety (90) days and consist of at least eight characters, including small and capital letters, numbers and special characters;
j. Personal data being processed within the IT system are secured by making back-ups of the data filing systems, which ensures that:
i. Data is kept secure against any unauthorized takeover, change, damage or destruction;
ii. Data is deleted as soon as there is no business need to keep such data; and
iii. Back-ups are carried out at a frequency and complexity necessary to ensure the availability of such systems, including daily backups where appropriate.
k. Appropriate instructions shall be given in advance, in writing, to clearly specify the mechanisms by which the data importer can ensure that data or electronic equipment are available in case the Authorized Person is either absent or unavailable for a long time and it is not possible to carry out certain data processing activities without further delay.
l. The data importer shall take measures to ensure that personal data is encrypted per data importer policies and cannot be read, copied, modified or removed without authorization, and that it is possible to check and establish to which parties the transfer of personal data by means of electronic transmission is envisaged. Where data importer-issued laptops are used to process personal data, special care is taken when the device is transported, stored or used, including cryptographic protection measures (such as encryption);
m. The data importer shall take measures to ensure that unused removable media containing personal data are destroyed or made unusable; alternatively, they may be re-used for another purpose provided that the data contained in them is not intelligible and cannot be re-constructed by any technical means. In the event of repairs or servicing, the data should be protected or removed before such activity is carried out.
n. It supervises the implementation and maintenance of security measures within the IT system;
o. The IT system used for processing personal data is secured against any dangers originating from the Internet by physical and logical security measures protecting against any unauthorized access (e.g. firewalls). In particular, the data importer shall protect sensitive data or data related to criminal offense and proceedings against unauthorized access by implementing appropriate measures; and
p. Cryptographic protection measures (e.g. encryption) are applied per data importer policies.
2. Where personal data is intended to be made publicly available, the provisions concerning the authentication process (set out above) shall not apply to the processing of such personal data. In any case, the importer shall ensure that health data, where processed, will not be publicly disseminated.
3. The data importer shall take measures to review data processing activities and the access levels given to Authorized Persons.
4. The data importer shall protect personal data against the risk of intrusion and the effects of malware by implementing suitable security measures, updated at least every six months.
5. The data importer shall carry out, at least annually, the regular update of computer programs aimed at preventing vulnerability and removing flaws (e.g. bugs). If sensitive data or data related to criminal offenses and proceedings are processed, the data importer shall carry out such update at least every six months.
6. If either the personal data or means of protecting the personal data have been damaged, the data importer shall adopt suitable measures to ensure that personal data access is restored within a specific period, which is compatible with data subjects’ rights and not in excess of seven days.
7. Where the data importer provides or procures the provision of IT services to the Controller (which consists of managing the Controller’s databases or IT systems), the data importer shall appoint, in writing, a system administrator who oversees such activities. A list of the system administrators shall be kept by the data importer for inspection by the Controller on request. The system administrators will be required to monitor access to the Controller’s systems and keep a copy of log/access files for 6 months. The data importer shall, on (at least) an annual basis, conduct an assessment on the activities of the system administrator.
8. Where personal data may – in accordance with this agreement – be processed by a sub-processor, the data importer shall take reasonable measures to ensure that the data are processed strictly in accordance with its / the Controller’s instructions.
9. The data importer shall take adequate measures to ensure that any personal data that have been collected for different purposes can be processed separately