How to Make a Data Protection Addendum Template in a Simple Way
Data Protection Addendum Template forms part of the Terms (“Principal Agreement”) between: Certify Inc., including its brands Certify, Certify Travel, (“Vendor or Certify Inc.”) acting on its own behalf and as agent for each Vendor Affiliate; and its customer (“Company”) acting on its own behalf and as agent for each Company Affiliate.
The terms used in this data protection addendum template shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement. Except where the context requires otherwise, references in this data protection addendum template to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
Certify Inc., warrants and represents that, before any Vendor Affiliate Processes any Company Personal Data on behalf of Company, entry of Certify Inc., into this data protection addendum template as agent for and on behalf of that Vendor Affiliate will have been duly and effectively authorized (or subsequently ratified) by that Vendor Affiliate.
Processing of Company Personal Data
Certify Inc., and each Vendor Affiliate shall:
- comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
- not Process Company Personal Data other than on the Company’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Certify Inc. or the relevant Vendor Affiliate shall to the extent permitted by Applicable Laws inform the Company of that legal requirement before the relevant Processing of that Personal Data.
- instruct Certify Inc., and each Vendor Affiliate (and authorizes Certify Inc., and each Vendor Affiliate to instruct each Sub-processor) to:
- Process Company Personal Data;
- and in particular, transfer Company Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement; and
- warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 3.2.1 on behalf of each relevant Company Affiliate.
Certify Inc., and Vendor Affiliate Personnel
Certify Inc., and each Vendor Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Certify Inc., and each Vendor Affiliate shall, in relation to the Company Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as necessary, the measures referred to in Article 32(1) of the GDPR.
Company authorizes Certify Inc., and each Vendor Affiliate to appoint (and permit each Sub-processor appointed in accordance with this section 6 to appoint) Sub-processors in accordance with this section 6 and any restrictions in the Principal Agreement.
Certify Inc., and each Vendor Affiliate may continue to use those Sub-processors already engaged by Certify Inc., or any Vendor Affiliate as at the date of this data protection addendum template, subject to Certify Inc., and each Vendor Affiliate in each case as soon as practicable meeting the obligations set out in section.
Data Subject Rights
Taking into account the nature of the Processing, Certify Inc., and each Vendor Affiliate shall assist Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of Company’s obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
Personal Data Breach
Certify Inc., shall notify Company without undue delay upon Certify Inc., or any Sub-processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Data Protection Impact Assessment and Prior Consultation
Certify Inc., and each Vendor Affiliate shall provide reasonable assistance to each Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required of Company by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
Deletion or return of Company Personal Data
Subject to sections 10.2 and 10.3, Certify Inc., and each Vendor Affiliate shall promptly and in any event within 90 days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion, anonymization or pseudonymization of all copies of those Company Personal Data.
Subject to sections 11.2 to 11.4, Certify Inc., and each Vendor Affiliate shall make available to Company on request all information necessary to demonstrate compliance with this data protection addendum template, and shall allow for and contribute to audits, including inspections, by Company or an auditor mandated by Company in relation to the Processing of the Company Personal Data by the Contracted Processors.
Subject to section 12.3, Company (as “data exporter”) and each Contracted Processor, as appropriate, (as “data importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from Company to that Contracted Processor.
The Standard Contractual Clauses shall come into effect under section 12.1 on the later of:
- the data exporter becoming a party to them;
- the data importer becoming a party to them; and
- commencement of the relevant Restricted Transfer.