XV. Jurisdiction-Specific Terms

To the extent that RSG is processing any personal data originating from or otherwise subject to the Data Protection Laws of any of the jurisdictions listed below, the terms specified therein with respect to the applicable jurisdiction(s) apply in addition to the foregoing terms.

European Economic Area, United Kingdom and Switzerland

1. To the extent that Customer transfers personal data from the European Economic Area (“EEA”), the United Kingdom (“UK”) or Switzerland to RSG located outside the EEA, UK or Switzerland, unless the parties may rely on an alternative transfer mechanism or basis under the data protection laws, the parties will be deemed to have entered into the standard contractual clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj (“Clauses”) in respect of such transfer, whereby:
- Customer is the “data exporter” and RSG is the “data importer”;
- the footnotes, Clause 9(a) Option 1, Clause 11(a) Option and Clause 17 Option 1 are omitted, the time period in Clause 9(a) Option 2 is 14 days, and the applicable annexes are completed respectively with the information set out in the DPA and the Agreement;
- to the extent that Customer acts as a controller and RSG acts as a processor, Module Two applies and Modules One, Three and Four are omitted, and to the extent that each party acts as a processor, Module Three applies and Modules One, Two and Four are omitted;
- the “competent supervisory authority” is the supervisory authority in Ireland;
- the Clauses are governed by the law of Ireland;
- any dispute arising from the Clauses will be resolved by the courts of Ireland; and
- if there is any conflict between the terms of the Agreement and the Clauses, the Clauses will prevail.

2. In relation to transfers of personal data from the UK, the Clauses as implemented under section 1 above will apply subject to the following modifications:
- the Clauses are amended as specified by Part 2 of the international data transfer addendum to the European Commission’s standard contractual clauses issued under Section 119A of the UK Data Protection Act 2018, as may be amended or superseded from time to time (“UK Addendum”);
- tables 1 to 3 in Part 1 of the UK Addendum are completed respectively with the information set out in the DPA and the Agreement (as applicable); and
- table 4 in Part 1 of the UK Addendum is completed by selecting “neither party”.

3. In relation to transfers of personal data from Switzerland, the Clauses as implemented under section 1 above will apply subject to the following modifications:
- references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Act on Data Protection (“FADP”);
- references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the FADP;
- references to “EU”, “Union”, “a Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”, as applicable;
- the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of accessing their rights;
- Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection Information Commissioner;
- the Clauses are governed by the law of Switzerland; and
- any dispute arising from the Clauses will be resolved by the courts of Switzerland.

United States

California

To the extent that RSG is processing on behalf of Customer any personal information in scope of the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, the “CPRA”), effective as of January 1, 2023:

1. RSG is prohibited from selling or sharing personal information it collects (as that term is defined in the CPRA) pursuant to the Agreement;
2. The specific business purpose (as that term is defined in the CPRA) for which RSG is processing personal information pursuant to the Agreement is to provide, manage and secure the Services, and Customer is disclosing the personal information to RSG only for the limited and specified business purpose set forth in the Agreement;
3. RSG is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any purpose other than for the business purpose specified in the Agreement or as otherwise permitted by the CPRA;
4. RSG is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any commercial purpose (as that term is defined in the CPRA) other than the business purposes specified in the Agreement, unless expressly permitted by the CPRA;
5. RSG is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement outside the direct business relationship between RSG and Customer, unless expressly permitted by the CPRA;
6. RSG is required to comply with all applicable sections of the CPRA, including – with respect to the personal information that RSG collected pursuant to the Agreement – providing the same level of privacy protection as required of businesses by the CPRA;
7. RSG grants Customer the right to take reasonable and appropriate steps to ensure that RSG uses the personal information that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CPRA;
8. RSG is required to notify Customer after it makes a determination that it can no longer meet its obligations under the CPRA;
9. RSG grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate RSG’s unauthorized use of personal information; and
10. RSG is required to enable Customer to comply with consumer requests made pursuant to the CPRA or Customer is required to inform RSG of any consumer request made pursuant to the CPRA that they must comply with and provide the necessary information to RSG to comply with the request.

Virginia

To the extent that RSG is processing on behalf of Customer any personal data in scope of the Virginia Consumer Data Protection Act (VCDPA), effective as of January 1, 2023, RSG shall:

1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
2. At Customer's direction, delete or return all personal data to Customer as requested at the end of the provision of the Services, unless retention of the personal data is required by law;
3. Upon the reasonable request of Customer, make available to Customer all information in its possession necessary to demonstrate its compliance with the obligations under the VCDPA;
4. Allow, and cooperate with, reasonable assessments by Customer or Customer’s designated assessor; alternatively, RSG may arrange for a qualified and independent assessor to conduct an assessment of RSG’s policies and technical and organizational measures in support of the obligations under the VCDPA using an appropriate and accepted control standard or framework and assessment procedure for such assessments. RSG shall provide a report of such assessment to Customer upon request; and
5. Engage any subcontractor pursuant to a written contract in accordance with the VCDPA that requires the subcontractor to meet the obligations of RSG with respect to the personal data.

South Africa

1. To the extent that RSG is processing any personal information in scope of the South African Protection of Personal Information Act, No. 4 of 2013 (POPIA) for Customer, RSG will further establish and maintain the security measures referred to in section 19 of POPIA.
2. RSG will notify Customer immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.