DATA PROCESSING EXHIBIT
The Customer and the Company hereby agree as follows:
"Customer" as used in this Data Processing Exhibit shall mean collectively, the Customer receiving the services and its affiliates.
"Data Subject Requests" means any requests from a Data Subject related to access, rectification, suppression, limitation, objection, portability and erasure of Personal Data or other requests authorized under Applicable Data Protection Law.
"Designated Contact" for reporting Security Events, Data Subject Requests, and Personal Data Breach to the Processed Data means (i) firstname.lastname@example.org and such additional contact as designated by the Company, and (ii) [Customer's valid email address] and such additional contact as designated by the Customer.
"GDPR" means EU General Data Protection Regulation 2016/679.
"Personnel" means Company or Customer's employees, contractors, subcontractors, agents and representatives.
"Security Event" means any attempt or activity that (i) is made to gain unauthorized access to Processed Data; (ii) interferes with the operation of any Company Systems or Customer Systems containing the Company or the Company third-party data or information; or (iii) may otherwise compromise the security or privacy of the Processed Data or its disclosure.
The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Processor" and "Supervisory Authority" shall have the same meaning as in the Applicable Data Protection Laws.
2. DATA PROTECTION AND PRIVACY OF PERSONAL DATA
In addition to the other obligations set forth hereunder, each of Customer and Company shall:
comply with its respective obligations under Applicable Data Protection Laws in relation to all Customer Personal Data that may be processed in the performance and operation of this Exhibit;
the processing operations to be carried out in the performance of this Exhibit conform to the description set out under "Details of Processing" hereunder;
not Process Customer Personal Data in any country outside Israel, the UK or the EEA without the prior written consent of Customer; and
The Company shall provide reasonable assistance to the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject's Requests. The Company shall not be liable in respect of any claim regarding Data Subject rights.
The Company shall promptly notify the Customer's Designated Contact if it receives a request from a Data Subject under any Applicable Data Protection Law in respect of the Processed Data; and ensure it responds to that request as required by Applicable Data Protection Laws.
4. PERSONAL DATA BREACH AND SECURITY EVENTS
The Company shall notify the Customer without undue delay upon becoming aware of a Personal Data Breach or a Security Event affecting the Processed Data. The Company shall not be liable in respect of any claim of Personal Data Breach or a Security Event.
Unless otherwise mandated by Applicable Data Protection Laws, the Customer shall instruct the Company whether to report or inform Data Subjects of the Personal Data Breach, pursuant to the requirements under Applicable Data Protection Laws.
The Company shall take reasonable commercial steps in the investigation, mitigation and remediation of each such Personal Data Breach or a Security Event.
5. SUBPROCESSORS AND PERSONNEL
Customers shall ensure Personnel authorized to Process the Customer Personal Data are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Customer hereby grants to the Company a general written authorization to use sub-processors for the provision of the services, provided that:
Customer shall ensure the security of the Customer Personal Data that it processes in accordance with the requirements of Applicable Data Protection Law.
Both parties shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Both parties shall use best efforts to ensure (i) that any Processed Data that is inaccurate or incomplete is erased or rectified; (ii) establish an audit trail to document whether and by whom Processed Data have been entered into, modified in, or removed; and (iii) retain the Processed Data only as long as is necessary.
The Customer gives at least thirty (30) days' prior written notice to conduct such audit or inspection;
The auditor is subject to binding obligations of confidentiality; and
The audit or inspection is undertaken so as to cause minimal disruption to the Company's business and other customers.
8. DETAILS OF THE PROCESSING
Details of the Processing of the Personal Data (as required by Article 28(3) GDPR):
Last updated on July 18, 2021