This Data Processing Addendum (DPA) and its applicable DPA Exhibits apply to the Processing of Personal Data by Rio Paloma Holdings II dba Atmospheric G2 (AG2) on behalf of Client (Client Personal Data) subject to the General Data Protection Regulation 2016/679 (GDPR) or any other data protection laws identified at https://ag2june2023.wpengine.com/dpa/dpl (together ‘Data Protection Laws’) in order to provide services (Services) pursuant to the Agreement between Client and AG2. DPA Exhibits for each Service will be provided in the applicable Transaction Document (TD). This DPA is incorporated into the Agreement. Capitalized terms used and not defined herein have the meanings given them in the applicable Data Protection Laws. In the event of conflict, the DPA Exhibit prevails over the DPA which prevails over the rest of the Agreement.
- Processing
- Client is: (a) a Controller of Client Personal Data; or (b) acting as Processor on behalf of other Controllers and has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Client Personal Data by AG2 as Client’s subprocessor as set out in this DPA. Client appoints AG2 as Processor to Process Client Personal Data. If there are other Controllers, Client will identify and inform AG2 of any such other Controllers prior to providing their Personal Data, in accordance with the DPA Exhibit.
- A list of categories of Data Subjects, types of Client Personal Data, Special Categories of Personal Data and the processing activities is set out in the applicable DPA Exhibit for a Service. The duration of the Processing corresponds to the duration of the Service, unless otherwise stated in the DPA Exhibit. The purpose and subject matter of the Processing is the provision of the Service as described in the Agreement.
- AG2 will Process Client Personal Data according to Client’s documented instructions. The scope of Client’s instructions for the Processing of Client Personal Data is defined by the Agreement, and, if applicable, Client’s and its authorized users’ use and configuration of the features of the Service. Client may provide further legally required instructions regarding the Processing of Client Personal Data (Additional Instructions) as described in Section 10.2. If AG2 notifies Client that an Additional Instruction is not feasible, the parties shall work together to find an alternative. If AG2 notifies the Client that neither the Additional Instruction nor an alternative is feasible, Client may terminate the affected Service, in accordance with any applicable terms of the Agreement. If AG2 believes an instruction violates the Data Protection Laws, AG2 will immediately inform Client, and may suspend the performance of such instruction until Client has modified or confirmed its lawfulness in documented form.
- Client shall serve as a single point of contact for AG2. As other Controllers may have certain direct rights against AG2, Client undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other Controllers. AG2 shall be discharged of its obligation to inform or notify another Controller when AG2 has provided such information or notice to Client. Similarly, AG2 will serve as a single point of contact for Client with respect to its obligations as a Processor under this DPA.
- AG2 will comply with all Data Protection Laws in respect of the Services applicable to AG2 as Processor. AG2 is not responsible for determining the requirements of laws or regulations applicable to Client’s business, or that a Service meets the requirements of any such applicable laws or regulations. As between the parties, Client is responsible for the lawfulness of the Processing of the Client Personal Data. Client will not use the Services in a manner that would violate applicable Data Protection Laws.
- Technical and organizational measures
- Client and AG2 agree that AG2 will implement and maintain the technical and organizational measures set forth in the applicable DPA Exhibit which ensure a level of security appropriate to the risk for AG2’s scope of responsibility. TOMs are subject to technical progress and further development. Accordingly, AG2 reserves the right to modify the TOMs provided that the functionality and security of the Services are not degraded.
- Data Subject Rights and Requests
- AG2 will inform Client of requests from Data Subjects exercising their Data Subject rights (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to AG2 regarding Client Personal Data. Client shall be responsible to handle such requests of Data Subjects. AG2 will reasonably assist Client in handling such Data Subject requests in accordance with Section 10.2.
- If a Data Subject brings a claim directly against AG2 for a violation of their Data Subject rights, Client will reimburse AG2 for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that AG2 has notified Client about the claim and given Client the opportunity to cooperate with AG2 in the defense and settlement of the claim. Subject to the terms of the Agreement, Client may claim from AG2 damages resulting from Data Subject claims for a violation of their Data Subject rights caused by AG2’s breach of its obligations under this DPA and the respective DPA Exhibit.
- Third Party Requests and Confidentiality
- AG2 will not disclose Client Personal Data to any third party, unless authorized by the Client or required by law. If a government or Supervisory Authority demands access to Client Personal Data, AG2 will notify Client prior to disclosure, unless such notification is prohibited by law.
- AG2 requires all of its personnel authorized to Process Client Personal Data to commit themselves to confidentiality and not Process such Client Personal Data for any other purposes, except on instructions from Client or unless required by applicable law.
- Audit
- AG2 shall allow for, and contribute to, audits, including inspections, conducted by the Client or another auditor mandated by the Client in accordance with the following procedures:
- Upon Client’s written request, AG2 will provide Client or its mandated auditor with the most recent certifications and/or summary audit report(s), which AG2 has procured to regularly test, assess and evaluate the effectiveness of the TOMs, to the extent set out in the DPA Exhibit.
- AG2 will reasonably cooperate with Client by providing available additional information concerning the TOMs, to help Client better understand such TOMs.
- If further information is needed by Client to comply with its own or other Controllers audit obligations or a competent Supervisory Authority’s request, Client will inform AG2 in writing to enable AG2 to provide such information or to grant access to it.
- To the extent it is not possible to otherwise satisfy an audit right mandated by applicable law or expressly agreed by the Parties, only legally mandated entities (such as a governmental regulatory agency having oversight of Client’s operations), the Client or its mandated auditor may conduct an onsite visit of the AG2 facilities used to provide the Service, during normal business hours and only in a manner that causes minimal disruption to AG2’s business, subject to coordinating the timing of such visit and in accordance with any audit procedures described in the DPA Exhibit in order to reduce any risk to AG2’s other customers.
- AG2 shall allow for, and contribute to, audits, including inspections, conducted by the Client or another auditor mandated by the Client in accordance with the following procedures:
Any other auditor mandated by the Client shall not be a direct competitor of AG2 with regard to the Services and shall be bound to an obligation of confidentiality.
- Each party will bear its own costs in respect of paragraphs a. and b. of Section 5.1, otherwise Section 10.2 applies accordingly.
- Return or Deletion of Client Personal Data
- Upon termination or expiration of the Agreement AG2 will either delete or return Client Personal Data in its possession as set out in the respective DPA Exhibit, unless otherwise required by applicable law.
- Subprocessors
- Client authorizes the engagement of other Processors to Process Client Personal Data (Subprocessors). A list of the current Subprocessors is set out in the respective DPA Exhibit. AG2 will notify Client in advance of any addition or replacement of the Subprocessors as set out in the respective DPA Exhibit. Within 30 days after AG2’s notification of the intended change, Client can object to the addition of a Subprocessor on the basis that such addition would cause Client to violate applicable legal requirements. Client’s objection shall be in writing and include Client’s specific reasons for its objection and options to mitigate, if any. If Client does not object within such period, the respective Subprocessor may be commissioned to Process Client Personal Data. AG2 shall impose substantially similar but no less protective data protection obligations as set out in this DPA on any approved Subprocessor prior to the Subprocessor initiating any Processing of Client Personal Data.
- If Client legitimately objects to the addition of a Subprocessor and AG2 cannot reasonably accommodate Client’s objection, AG2 will notify Client. Client may terminate the affected Services as set out in the Agreement, otherwise the parties shall cooperate to find a feasible solution in accordance with the dispute resolution process.
- Transborder Data Processing
- In the case of a transfer of Client Personal Data to a country not providing an adequate level of protection pursuant to the Data Protection Laws (Non-Adequate Country), the parties shall cooperate to ensure compliance with the applicable Data Protection Laws as set out in the following Sections. If Client believes the measures set out below are not sufficient to satisfy the legal requirements, Client shall notify AG2 and the parties shall work together to find an alternative.
- By entering into the Agreement, Client is entering into EU Standard Contractual Clauses as set out in the applicable DPA Exhibit (EU SCC) with (i) each Subprocessor listed in the respective DPA Exhibit that is an AG2 affiliate located in a Non-Adequate Country (AG2 Data Importers) and (ii) AG2, if located in a Non-Adequate Country, as follows:
- if Client is a Controller of all or part of the Client Personal Data, Client is entering into the EU SCC in respect to such Client Personal Data; and
- if Client is acting as Processor on behalf of other Controllers of all or part of the Client Personal Data, then Client is entering into the EU SCC:
- as back-to-back EU SCC in accordance with Clause 11 of the EU Standard Contractual Clauses (Back-to-Back SCC), provided that Client has entered into separate EU Standard Contractual Clauses with the Controllers; or
- on behalf of the other Controller(s).
Client agrees in advance that any new AG2 Data Importer engaged by AG2 in accordance with Section 7 shall become an additional data importer under the EU SCC and/or Back-to-Back SCC.
- If a Subprocessor located in a Non-Adequate Country is not an AG2 Data Importer (Third Party Data Importer) and EU SCC are entered into in accordance with Section 8.2, then, AG2 or an AG2 Data Importer shall enter into Back-to-Back SCC with such a Third Party Data Importer. Otherwise, Client on its own behalf and/or, if required, on behalf of other Controllers shall enter into separate EU Standard Contractual Clauses or Back-to-Back SCC as provided by AG2.
- If Client is unable to agree to the EU SCC or Back-to-Back SCC on behalf of another Controller, as set out in section 8.2 and 8.3, Client will procure the agreement of such other Controller to enter into those agreements directly. Additionally, Client agrees and, if applicable, procures the agreement of other Controllers that the EU SCC or the Back-to-Back SCC, including any claims arising from them, are subject to the terms set forth in the Agreement, including the exclusions and limitations of liability. In case of conflict, the EU SCC and Back-to-Back SCC shall prevail.
- Personal Data Breach
- AG2 will notify Client without undue delay after becoming aware of a Personal Data Breach with respect to the Services. AG2 will promptly investigate the Personal Data Breach if it occurred on AG2 infrastructure or in another area AG2 is responsible for and will assist Client as set out in Section 10.
- Assistance
- AG2 will assist Client by technical and organizational measures for the fulfillment of Client’s obligation to comply with the rights of Data Subjects and in ensuring compliance with Clients obligations relating to the security of Processing, the notification and communication of a Personal Data Breach and the Data Protection Impact Assessment, including prior consultation with the responsible Supervisory Authority, if required, taking into account the nature of the processing and the information available to AG2.
- Client will make a written request for any assistance referred to in this DPA. AG2 may charge Client no more than a reasonable charge to perform such assistance or an Additional Instruction, such charges to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable change control provision of the Agreement. If Client does not agree to the quote, the parties agree to reasonably cooperate to find a feasible solution in accordance with the dispute resolution process.