Data Protection Addendum
This Data Protection Addendum ("Addendum") forms part of the Principal Agreement between:
[Legal Business Entity Name] (required, to be entered below)
By [Signature] (required, to be entered below)
[Address] (required, to be entered below)
[City, State, Zip] (required, to be entered below)
[Country] (required, to be entered below)
Hereafter: "Company" or "data exporter"
Voyant Communications, LLC
3905 Annapolis Lane, Suite 195
Plymouth, MN 55447
Hereafter: "Vendor" or "data importer"
- The Parties have entered into this Addendum to comply with the requirements of Articles 28 and 46 of Regulation (EU) 2016/679 of the European Parliament and of the Council, commonly known as the General Data Protection Regulation (“GDPR”).
- In the event of a conflict between this Addendum and the Principal Agreement, the terms of this Addendum shall control. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
- This Addendum shall terminate automatically upon termination of the Principal Agreement or as earlier terminated pursuant to the terms of this Addendum.
In consideration of the mutual obligations set forth herein, the Parties hereby agree that the terms and conditions contained herein shall be added as an addendum to the Principal Agreement.
Part I: Data Processing Provisions
- ‘Applicable Laws’ means (a) European Union or Member State laws with respect to any Company Personal Data that is subject to GDPR and (b) any other Data Protection Laws governing the processing of Company Personal Data.
- ‘Company Personal Data’ means any personal data processed by Vendor on behalf of the Company pursuant to or in connection with the Principal Agreement including phone numbers, documents, user IDs, and user-generated document descriptions.
- ‘Data Protection Laws’ means GDPR and the data protection or privacy laws of any other country.
- ‘Restricted Transfer’ means a transfer of Company Personal Data where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses established herein.
- ‘Services’ means fax Services and other activities Vendor will carry out for the benefit of the Company pursuant to the Principal Agreement.
- ‘Standard Contractual Clauses’ means the standard contractual clauses set forth in Commission Decision 2010/87/EU (Feb. 5, 2010), which are set forth in Part II of this Addendum.
- ‘Sub-processor’ means any person (excluding employees of Vendor or any of its sub-contractors) appointed by Vendor to process personal data on behalf of the Company in connection with the Principal Agreement.
- The terms, ‘controller’, ‘data subject’, ‘personal data’, ‘personal data breach’, ‘process’, ‘processor’, ‘special categories of data’ and ‘supervisory authority’ shall have the same meaning as in the GDPR.
- Company is the controller and Vendor is the processor for purposes of this Addendum.
- Company hereby directs Vendor to transfer Company Personal Data to the United States so that Vendor can provide the Services pursuant to the Principal Agreement.
- Company hereby instructs Vendor to process Company Personal Data in order to successfully send and receive electronic documents as if they were sent and delivered via a fax machine. Vendor will not access or use Company Personal Data except as necessary to provide the services initiated by Company.
- Company may amend or supplement these instructions at any time by providing new written instructions to Vendor via email at: firstname.lastname@example.org. Company may terminate this Addendum if Vendor declines to follow additional instructions requested by Company that are outside the scope of this Addendum.
- Vendor shall comply with all applicable Data Protection Laws in its processing of Company Personal Data.
- Vendor shall only process Company Personal Data (a) in accordance with the documented instructions of the Company, or (b) as required by Applicable Laws, in which case Vendor shall, to the extent permitted by those laws, inform Company of that legal requirement before the relevant processing of the personal data.
- Vendor’s services provide Company with controls to enable Company to retrieve, correct, or delete Company Personal Data. Company is responsible for properly configuring the Company’s service account with Vendor, including but not limited to changing settings to ensure that faxes are not stored on Vendor’s systems and updating Company’s email contact information.
- Vendor shall take reasonable steps to ensure that its personnel authorized to process Company Personal Data are required to preserve the confidentiality of the personal data.
Technical and Organizational Security
- Vendor shall, in relation to the Company Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks including the measures referred to in GDPR Article 32(1).
- In assessing the appropriate level of security, Vendor shall consider risks that are presented by the processing of Company Personal Data including risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
- Company hereby authorizes Vendor to appoint sub-processors in accordance with the requirements of Paragraphs 21 through 24 of this Addendum.
- Vendor may continue to use those sub-processors already engaged by Vendor as of the date of this Addendum.
- Vendor shall provide Company prior written notice of its intent to appoint any new sub-processor. Notice shall include the identity of the sub-processor and what processing will be undertaken by the new sub-processor. Company shall have 14 days in which to object, in writing, to the appointment of the new sub-processor.
- If Company timely objects to the appointment of the new sub-processor, then Vendor shall work with Company in good faith to make available a commercially reasonable change in the provision of the Services which would avoid the use of that proposed sub-processor. In the event such a change cannot be made within 14 days of Vendor’s receipt of Company’s objection, then notwithstanding anything in the Principal Agreement, Company may by written notice to Vendor with immediate effect terminate the Principal Agreement and this Addendum to the extent that it relates to the Services which require the use of the proposed sub-processor.
- With respect to each new sub-processor, Vendor shall: (a) conduct a due diligence investigation to ensure that the sub-processor is capable of providing the level of protection for Company Personal Data required by the Principal Agreement and this Addendum; and (b) ensure that the arrangement between Vendor and the sub-processor is governed by a written contract that includes terms requiring the sub-processor to offer at least the same data protection obligations for Company Personal Data as those set out in this Addendum.
Data Subject Rights
- Vendor shall assist Company by implementing appropriate technical and organizational measures, insofar as this is possible, to help Company meet its obligations to respond to data subjects’ requests to exercise their rights under Data Protection Laws.
- Vendor shall promptly notify Company if it or any of its sub-processors receives a request from a data subject to exercise their rights under any Data Protection Law with respect to Company Personal Data.
- Neither Vendor nor any of its sub-processors shall respond to a data subject’s request except on the documented instructions of Company or as required by Applicable Laws to which Vendor or its sub-processor is subject, in which case Vendor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before responding to the request.
Personal Data Breach
- Vendor shall notify Company without undue delay upon Vendor or any of its sub-processors becoming aware of any unauthorized access to any Company Personal Data stored on Vendor’s equipment that results in loss, disclosure, or alteration of the Company Personal Data (each a “Security Incident”). To the extent technologically feasible, Vendor shall provide Company with information sufficient to allow Company to meet any obligations to notify supervisory authorities and data subjects of the Security Incident.
- Vendor shall take commercially reasonable steps to investigate and correct the cause of any Security Incident.
- An unsuccessful Security Incident shall not be subject to this section of the Addendum. An unsuccessful Security Incident is one that results in no unauthorized access to Company Personal Data or Vendor’s equipment or facilities storing the data. Examples of unsuccessful Security Incidents include, but are not limited to, pings and other broadcast attacks on Vendor’s firewall, port scans, unsuccessful log-on attempts, denial of service attacks and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of Company Personal Data.
- Vendor’s obligation to report and respond to a Security Incident under this section is not and will not be construed as an admission by Vendor that it is responsible for or in any way liable for the Security Incident.
- Vendor shall notify Company of Security Incidents by email. Company shall be responsible for ensuring that Vendor has accurate contact information for Security Incident notification purposes.
Data Protection Impact Assessment and Prior Consultation
- Vendor will provide reasonable assistance to Company with respect to Company’s preparation of a Data Protection Impact Assessment (‘DPIA’) related to the Company Personal Data transferred pursuant to the Principal Agreement.
- Where necessary, Vendor will assist the Company with respect to its obligations to consult with supervisory authorities regarding the Company Personal Data transferred pursuant to the Principal Agreement.
Deletion or Return of Company Personal Data
- Subject to Paragraphs 36 and 37, Vendor shall promptly and in any event within 14 days of the date of cessation of any Services involving the processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.
- Vendor and any of its sub-processors may retain Company Personal Data to the extent and for such period as required by Applicable Laws provided that Vendor and each sub-processor shall ensure (a) the confidentiality of all such data, and (b) that such data is only processed as necessary for the purposes specified in the Applicable Laws requiring its retention.
- Vendor may retain user email addresses and transmission logs for the establishment, exercise, or defense of legal claims.
- Company shall not store fax files on Vendor’s systems.
- Vendor shall use an independent auditor or expert to assess Vendor’s compliance with the obligations set forth in this Addendum. This audit will: (a) be performed at least once every two years, (b) be performed by external third parties at Vendor’s selection and expense, and (c) be documented in a written audit report (“Audit Report”), which will constitute Vendor’s Confidential Information.
- Within a reasonable time of the Company’s request, Vendor shall provide Company with an Audit Report so that Company can verify Vendor’s compliance with the obligations set forth in this Addendum. This report shall constitute Vendor’s Confidential Information pursuant to the confidentiality provisions of the Principal Agreement. If the Principal Agreement does not include a provision protecting Vendor’s confidential information, then the report shall constitute Confidential Information pursuant to the Confidentiality Obligations of this Addendum.
- In the event that Company requests an audit of Vendor pursuant to the Standard Contractual Clauses set forth in Part II of this Addendum, Company agrees to exercise its audit right by instructing Vendor to execute an audit as described in this section of the Addendum.
- In the event that Company requests an audit of Vendor’s compliance with this Addendum other than as set forth above, Company shall (a) give Vendor reasonable notice of any request for an audit or inspection to be conducted under Paragraph 385, (b) take reasonable steps to avoid causing any damage, injury, or disruption to Vendor’s premises, equipment, personnel, and business during the course of the special audit or inspection, and (c) bear the costs of the special audit.
- Vendor need not give access to its premises for the purposes of any such special audit or inspection: (a) to any individual refusing to produce reasonable evidence of identity and authority; (b) outside normal business hours at those premises; or (c) for the purposes of more than one special audit in any calendar year.
- The limitation set forth in Paragraph 42(c)36(c) shall not apply where Company is required or requested to carry out the special audit by a Data Protection Law, a Supervisory Authority, or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory.
- If an audit establishes that Vendor does not meet any obligations set forth in this Addendum, Vendor shall take all reasonably necessary steps to meet its obligations.
- Company (as ‘data exporter’) and Vendor (as ‘data importer’) hereby enter into the Standard Contractual Clauses set forth in Part II with respect to any Restricted Transfer from Company to Vendor.
- The Standard Contractual Clauses set forth in Part II of this Addendum shall come into effect on the later of: (a) the data exporter becoming a party to them; (b) the data importer becoming a party to them; and (c) commencement of the relevant Restricted Transfer.
- Notwithstanding Paragraphs 38 and 39, the Standard Contractual Clauses set forth in Part II shall not apply to a Restricted Transfer where Vendor has adopted an alternative recognized compliance standard for the lawful transfer of personal data (as defined in the GDPR) outside the European Economic Area.
- Confidentiality Obligations. Vendor’s Confidential Information is a critical asset of the Vendor, is not generally known in Vendor’s industry, could compromise the security of Vendor’s data systems, and must be kept strictly confidential to protect the Vendor’s goodwill. During the term of this Addendum, and for the longest period thereafter permitted by law, Company shall not disclose Vendor’s Confidential Information to any person other than its employees who (a) have a demonstrable need to know the information, and (b) are contractually required by Company (i) to keep the Confidential Information secret, and (ii) to not use the Confidential Information except in connection with their employment with Company. If Confidential Information is disclosed or used in violation of this paragraph, Vendor will suffer irreparable injury for which damages will be difficult to ascertain. Therefore, Vendor will be entitled to an injunction, without having to post any bond, to prevent the unauthorized use or disclosure of any Confidential Information, as well as consequential damages, in addition to any other rights or remedies it may have at law or in equity. In any action to enforce its rights under this paragraph, Company shall be responsible for paying any expenses, including attorney fees and expert witness costs, incurred by Vendor.
- Governing law and jurisdiction. Without prejudice to Clauses 7 and 9 of the Standard Contractual Clauses, (a) the Parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims arising under this Addendum; and (b) this Addendum and all obligations arising out of or in connection with it are governed by the laws of the jurisdiction stipulated for this purpose in the Principal Agreement.
- Order of precedence.
- In the event of any conflict between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- In the event of any conflict between this Addendum and any other agreements between the Parties, including the Principal Agreement, the provisions of this Addendum shall prevail.
- Nothing in this Addendum reduces the Parties’ obligations under the Principal Agreement in relation to the protection of personal data or permits Vendor to process personal data in a manner which is prohibited by the Principal Agreement.
- Severability. If any provision of this Addendum is found by a court of competent jurisdiction to be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
- Notice. All notices required or permitted to be given hereunder shall be in writing and may be delivered by hand, by facsimile, or by email. Notices delivered by hand, by facsimile, or by email shall be deemed given on the first business day following transmission. All notices shall be sent to the contact information above.
Part II: Data Transfer Provisions
Standard Contractual Clauses for the Cross-Border Transfer of Personal Data to Vendor's Servers
The parties have agreed on the following Contractual Clauses (the ‘Clauses’) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
- ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council, commonly known as the General Data Protection Regulation (‘GDPR’);
- ‘the data exporter’ means the controller who transfers the personal data;
- ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 45 of the GDPR;
- ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
- ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
- ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing and include those identified in Article 32 of the GDPR.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
- that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
- that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
- that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
- that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- that it will ensure compliance with the security measures;
- that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Article 45 of the GDPR;
- to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
- that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
- that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
- to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
- that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
- that it will promptly, and without undue delay, notify the data exporter about:
- any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
- any accidental or unauthorized access;
- any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
- to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
- at the request of the data exporter to submit its data-processing facilities for, and contribute to, an audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
- to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
- that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
- that the processing services by the sub-processor will be carried out in accordance with Clause 11;
- to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established as set forth on page 1 of this Addendum.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
- The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data-processing services
- The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for, and contribute to, [14] an audit of the measures referred to in paragraph 1.
To the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The data exporter is identified as “Company” in the Addendum.
The data importer is Voyant Communications, LLC, a Delaware limited liability company. Voyant is based in the United States and provides an application programming interface (“API”) that its customers (including the data exporter) use to integrate fax capabilities into their software systems.
Data subjects include the data exporter’s customers and end-users who use the Voyant API to fax documents.
Categories of Data
The following categories of personal data may be transferred pursuant to the Principal Agreement and Addendum [15]:
- Online identifiers (including IP address, device identifiers)
- Financial information
- Documents to be faxed (Voyant is not informed of the document's contents)
- Other contact information (including telephone number, email address)
No special categories of personal data [16] will be transferred.
The personal data transferred will be subject to the following basic processing activities: Data importer will collect, store, transmit, and delete the documents faxed using the Voyant API. Data importer will retain for at least 6 years logs containing the user ID, date, time, as well as the sending and destination phone number of each fax sent over the Voyant API.
To the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties. By signing the signature page on page 1 of this Addendum, the parties will be deemed to have signed this Appendix.
Description of the technical and organizational security measures [17] implemented by data importer in accordance with Clauses 4(d) and 5(c):
All data stored on Voyant’s systems is encrypted both in transit and at rest. Voyant enforces HTTPS on all API requests and supports TLS v1.2 on API requests. The entire Voyant system undergoes penetration testing as well as quarterly vulnerability scans both internally and externally. The entire Voyant infrastructure is constantly monitored to detect any inappropriate intrusions or misuse. Additionally, Voyant reviews, maintains, and updates its policies around data security, protection and misuse while also making sure that employees are trained and educated in those fields.
1 GDPR Art. 28(3)(a)
2 GDPR Art. 28(3)(b)
3 GDPR Art. 28(3)(c)
4 GDPR Art. 28(3)(d)
5 GDPR Art. 28(3)(e)
6 GDPR Art. 28(3)(f), 33, 34
7 GDPR Art. 28(3)(f), 35, 36
8 GDPR Art. 28(3)(g)
9 GDPR Art. 28(3)(h)
10 The following Standard Contractual Clauses are from Commission Decision 2010/87/EU (Feb. 5, 2010) and apply to transfers conducted pursuant to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995. The underlined provisions were added to ensure compliance with GDPR requirements and do not contradict any Clause.
11 See GDPR Art. 28(3)(c), 32
12 See GDPR Art. 33(2)
13 See GDPR Art. 28(3)(h)
14 See GDPR Art. 28(3)(h)
15 See GDPR Art. 4(1), 6(1)
16 See GDPR Art. 9(1).
17 See GDPR Art. 32