1.EU Standard Contractual Clauses. To the extent applicable, the parties will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Customer Data out of the European Union, European Economic Area, and Switzerland will be governed by the Standard Contractual Clauses, as designated by the European Commission, made available by the Publisher at the applicable URL for such terms or as otherwise communicated to Customer.
2.Personal Data. Customer consents to the processing of Personal Data by Publisher and its Affiliates, and their respective agents and Subcontractors, as provided in this Agreement. Before providing Personal Data to Publisher, Customer will obtain all required consents from third parties (including Customer’s contacts, partners, distributors, administrators, and employees) under applicable privacy and Data Protection Laws.
3.Processing of Personal Data; GDPR. To the extent Publisher is a processor or subprocessor of Personal Data subject to the GDPR, the Standard Contractual Clauses govern that processing and the parties also agree to the following terms in this subsection (“Processing of Personal Data; GDPR”):
(1) Processor and Controller Roles and Responsibilities. Customer and Publisher agree that Customer is the controller of Personal Data and Publisher is the processor of such data, except when (a) Customer acts as a processor of Personal Data, in which case Publisher is a subprocessor or (b) stated otherwise in any Offering-specific terms. Publisher will process Personal Data only on documented instructions from Customer. In any instance where the GDPR applies and Customer is a processor, Customer warrants to Publisher that Customer’s instructions, including appointment of Processor as a processor or subprocessor, have been authorized by the relevant controller.
(2) Processing Details. The parties acknowledge and agree that:
(A) the subject-matter of the processing is limited to Personal Data within the scope of the GDPR;
(B) the duration of the processing will be for the duration of the Customer’s right to use the Offering and until all Personal Data is deleted or returned in accordance with Customer instructions or the terms of this Agreement;
(C) the nature and purpose of the processing will be to provide the Offering pursuant to this Agreement;
(D) the types of Personal Data processed by the Offering include those expressly identified in Article 4 of the GDPR; and
(E) the categories of data subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers, and other data subjects whose Personal Data is contained within any data made available to Publisher by Customer.
(3) Data Subject Rights; Assistance with Requests. Publisher will make information available to Customer in a manner consistent with the functionality of the Offering and Publisher’s role as a processor of Personal Data of data subjects and the ability to fulfill data subject requests to exercise their rights under the GDPR. Publisher will comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request. If Publisher receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR in connection with an Offering for which Publisher is a data processor or subprocessor, Publisher will redirect the data subject to make its request directly to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Offering. Publisher will comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request.
(4) Use of Subprocessors. Customer consents to Publisher using the subprocessors listed at the applicable Publisher URL or as otherwise communicated to Customer. Publisher remains responsible for its subprocessors’ compliance with the obligations herein. Publisher may update its list of subprocessors from time to time, by providing Customer at least 14-days notice before providing any new subprocessor with access to Personal Data. If Customer does not approve of any such changes, Customer may terminate any subscription for the affected Offering without penalty by providing, prior to expiration of the notice period, written notice of termination that includes an explanation of the grounds for non-approval.
(5) Records of Processing Activities. Publisher will maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Customer, make them available to Customer upon request.
All capitalized terms and expressions not otherwise defined herein shall have the meaning ascribed to them in the Standard Contract.