New SCCs & the GDPR
In light of the new Standard Contractual Clauses adopted and approved by the European Commission, Checkealos has revised our Data Processing Agreement to incorporate the SCCs.
In addition to our new Data Processing Agreement, we are also updating our internal privacy compliance program to meet the requirements of the new SCCs, by the 28 December 2022 deadline.
As we approach this regulatory deadline, we will communicate with our existing customers and provide information on how they can execute new agreements with the new SCCs. Existing customers can contact us to enter into a new agreement that utilizes the new EU SCCs.
If you have any questions regarding data privacy and protection, the new SCCs, or our commitment to the GDPR, you can contact us.
Data Processing Agreement
Last updated 21 September 2021
This Data Processing Agreement (“DPA”) is entered into between us and the Customer and is incorporated into and governed by the terms of our Master Subscription Agreement (the “Agreement”) at https://www.checkealos.com/master-subscription-agreement/.
This DPA supplements the Agreement and applies exclusively to Checkealos’s Processing of Customer Personal Data in providing Services under the Agreement.
Any capitalized term not defined in this DPA shall have the meaning given to it in the Agreement. This DPA is not intended to remove or lessen Customer’s obligations with respect to Personal Data under the Agreement.
“Applicable Laws” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under this DPA, which may include, as applicable, EU Data Protection Law, the California Consumer Privacy Act of 2018, sections 1798.100 through 1798.199 of the California Civil Code (“CCPA”), and the Brazilian Federal Law 13,709 (“LGPD”).
“EEA” means the European Economic Area, which constitutes the member states of the European Union (“EU”) and Norway, Iceland and Liechtenstein, as well as for purposes of this DPA, the United Kingdom.
“EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) the GDPR as incorporated into United Kingdom domestic law pursuant to Section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”).
“Personal Data” means any information relating to an identified or identifiable individual or any other information defined as ‘personal data’ or ‘personal information’ under Applicable Laws.
“Security Documentation” means the security documents located at https://checkealos.com/security/ as amended from time to time, or as otherwise made available by Checkealos;
“Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1623940939861 (“EU SCCs”); and (ii) where the UK GDPR applies, the standard data protection clauses for processors adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”); in each case as may be amended, superseded or replaced from time to time;
“Subsidiary” means any entity that directly or indirectly controls, is controlled by, or is under the common control of a party. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of a party;
“Sub-Processor” means any person or entity engaged by us (including a Subsidiary) to process Customer Personal Data in the provision of the Services to the Customer.
- Customer Data Subject to EU Data Protection Law
As used in Sections 2 through Section 11 herein, “Customer Personal Data” shall refer to Customer Data comprising Personal Data of Data Subjects located in the EEA, and terms such as “Data Subject”, “Processing”, “Controller”, “Processor”, “Personal Data Breach”, and “Supervisory Authority” shall have the meanings given to them in the GDPR.
Other capitalized terms not otherwise defined in this DPA shall have the respective meanings assigned to them in Section 1 above.
- Purpose and Scope
An overview of the categories of Data Subjects, types of Customer Personal Data being Processed and the nature and purpose of the Processing is provided in Appendix 1. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data under EU Data Protection Law and this DPA, Customer is the Controller and Checkealos is the Processor. Each Party will comply with its respective obligations under EU Data Protection Law with respect to the Processing of Customer Personal Data.
By entering into this DPA, Customer instructs Checkealos to Process Customer Personal Data: (a) to provide the Services in accordance with the features and functionality of the Services and related documentation; (b) to enable Customer’s authorized user-initiated actions on and through the Services; (c) as set forth in the Agreement and applicable Orders, and (d) as further documented by written instructions given by Customer. Notwithstanding the foregoing, Checkealos will inform Customer promptly if it becomes aware that Customer’s instructions may violate applicable EU Data Protection Law.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, Checkealos shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk (including those outlined in Annex 2 of this DPA) (“Security Measures”). In assessing the appropriate level of security, Checkealos shall take into account the risks that are presented by Processing Customer Personal Data including, in particular, the risks presented by a Customer Personal Data Breach (as defined in Section 6). Checkealos may make such changes to the Security Measures as Checkealos deems necessary or appropriate from time to time, including without limitation to comply with applicable law, but no such changes will materially reduce the overall level of protection for Customer Personal Data. Checkealos will take appropriate steps to ensure compliance with the Security Measures by its employees, agents, contractors and Sub-Processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Personal Data have agreed to appropriate obligations of confidentiality.
- Data Subject Rights
If Checkealos receives a request from a Data Subject in relation to Customer Personal Data then, to the extent legally permissible, Checkealos will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services. Customer hereby agrees that Checkealos may confirm to a Data Subject that his or her request relates to Customer. To the extent Customer is unable through its use of the Services to address a particular Data Subject request, Checkealos will, upon Customer’s request and taking into account the nature of Customer Personal Data Processed, provide reasonable assistance in addressing the Data Subject request (provided Checkealos is legally permitted to do so and that the Data Subject request was made in accordance with EU Data Protection Law). To the extent permitted by Applicable Law, Customer shall be responsible for any costs arising from Checkealos’s provision of such assistance.
- Customer Personal Data Breach
Checkealos will notify Customer without undue delay after becoming aware of a Personal Data Breach with respect to Customer Personal Data transmitted, stored or otherwise Processed by Checkealos or its Sub-Processors (a “Customer Personal Data Breach”). Such notice may be provided (1) by posting a notice in the Services; (2) by sending an email to the email address set forth on an applicable Order; (3) by sending a notice to Customer’s contact information listed on the signature page to this DPA; and/or (4) pursuant to the notice provisions of the Agreement. Customer shall ensure that its contact information is current and accurate at all times during the terms of this DPA. Checkealos will promptly take all actions relating to its Security Measures (and those of its Sub-Processors) that it deems necessary and advisable to identify and remediate the cause of a Customer Personal Data Breach. In addition, Checkealos will promptly provide Customer with: (i) reasonable cooperation and assistance with regard to the Customer Personal Data Breach, (ii) reasonable information in Checkealos’s possession concerning the Customer Personal Data Breach insofar as it affects Customer, including remediation efforts and any notification to Supervisory Authorities and, (iii) to the extent known: (a) the possible cause of the Customer Personal Data Breach; (b) the categories of Customer Personal Data involved; and (c) the possible consequences to Data Subjects. Checkealos’s notification of or response to a Customer Personal Data Breach under this Section will not constitute an acknowledgment of fault or liability with respect to the Customer Personal Data Breach, and the obligations herein shall not apply to Personal Data Breaches that are caused by Customer or its authorized users. 
If Customer decides to notify a Supervisory Authority, Data Subjects or the public of a Customer Personal Data Breach, Customer will provide Checkealos with advance copies of the proposed notices and, subject to Applicable Law (including any mandated deadlines under EU Data Protection Law), allow Checkealos an opportunity to provide any clarifications or corrections to those notices. Subject to Applicable Law, Checkealos will not reference Customer in any public filings, notices or press releases associated with the Customer Personal Data Breach without Customer’s prior consent.
The Controller acknowledges and agrees that:
(a) subsidiaries of the Processor may be used as Sub-Processors; and
(b) the Processor and its Subsidiaries respectively may engage Sub-Processors in connection with the provision of the Services.
As a condition to permitting a Sub-Processor to Process Customer Personal Data, Checkealos will enter into a written agreement with the Sub-Processor containing data protection obligations no less protective than those in this DPA with respect to Customer Personal Data. Subject to this Section 7, Checkealos reserves the right to engage and substitute Sub-Processors as it deems appropriate, but shall:
(a) remain responsible to Customer for the provision of the Services and (b) be liable for the actions and omissions of its Sub-Processors undertaken in connection with Checkealos’s performance of this DPA to the same extent Checkealos would be liable if performing the Services directly.
Checkealos’s current list of Sub-Processors is available at https://checkealos.com/data-subprocessors/.
During the term of this DPA, Checkealos shall provide the Customer with at least 14 days’ notification, via email (or in-application notice), of any new Sub-Processor(s) who may process Customer Personal Data before authorizing any new or replacement Sub-Processor(s) to process Customer Personal Data in connection with the provision of the Services. If the Customer objects to a new or replacement Sub-Processor within 14 days of such notice, and Checkealos is unable to take corrective steps to exclude such Sub-Processor, then either party may terminate the Agreement with respect to those Services which cannot be provided by Checkealos without the use of the new or replacement Sub-Processor. Checkealos will refund the Customer any prepaid fees covering the remainder of the Term of the Agreement following the effective date of termination with respect to such terminated Services. If the Customer does not provide a timely objection notice with respect to a new Sub-Processor, Customer will be deemed to have authorized Checkealos to use the Sub-Processor and to have waived its right to object. Checkealos may use a new or replacement Sub-Processor while the objection procedures under this Section 7 are in process.
Where required by EU Data Protection Law, Checkealos will allow Customer (directly or through a third-party auditor subject to written confidentiality obligations) to conduct an audit of Checkealos’s procedures relevant to the protection of Customer Personal Data to verify Checkealos’s compliance with its obligations under this DPA. In such case, any audit conducted under this DPA shall consist of examination of the most recent reports, certificates and/or extracts prepared by an independent auditor bound by confidentiality provisions similar to those set out in the Agreement. In the event that provision of the same is not sufficient under EU Data Protection Law, the Customer may at its own expense conduct a more extensive audit which will be:
- (a) limited in scope to matters specific to the Customer and agreed in advance with Checkealos;
- (b) carried out during Australian business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen;
- (c) conducted in a way which does not interfere with Checkealos’s day-to-day business; and
- (d) undertaken no more than once in any 12-month period, except where required by a competent Supervisory Authority or where an audit is required due to a Customer Personal Data Breach.
To that end and before the commencement of any such audit, Customer and Checkealos shall mutually agree upon the audit’s participants, schedule and scope, which shall in no event permit Customer or its third-party auditor to access the Services’ hosting sites, underlying systems or infrastructure. Representatives of Customer performing an audit shall protect the confidentiality of all information obtained through such audits in accordance with the Agreement, may be required to execute an enhanced mutually agreeable nondisclosure agreement and shall abide by Checkealos’s security policies while on Checkealos’s premises. Upon completion of an audit, Customer agrees to promptly furnish to Checkealos any written audit report or, if no written report is prepared, to promptly notify Checkealos of any non-compliance discovered during the course of the audit. Customer shall reimburse Checkealos for its time expended in connection with an audit at Checkealos’s then-current professional service rates, which shall be made available to Customer upon request and shall be reasonable taking into account the time and effort required by Checkealos.
- Impact Assessment and Additional Information
Checkealos will provide Customer with reasonable cooperation, information and assistance as needed to fulfill Customer’s obligation under EU Data Protection Law, including as needed to carry out a data protection impact assessment related to Customer’s use of the Services (in each case to the extent Customer does not otherwise have access to the relevant information, and such information is in Checkealos’s control). Without limiting the foregoing, Checkealos shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section to the extent required by EU Data Protection Law.
- Data Deletion
Customer may delete Customer Personal Data using the functionality provided by the Services. For certain deletions, a recovery feature is offered by Checkealos to enable recovery from accidental deletions for up to 30 days. This recovery period may be overridden by Checkealos upon request by Customer. After any recovery period, Checkealos will permanently delete the Customer Personal Data from the live systems. On termination of any applicable Order, the Customer has the option to request the return or deletion of Customer Personal Data. This request must be made within 30 days of termination. Checkealos will make the data available for download by the Customer using functionality provided by the Services in a machine-readable format. Thereafter Checkealos will permanently delete the Customer Personal Data from the live systems in any event. Following permanent deletion of Customer Personal Data from the live systems, partial data resides on Checkealos’s archival and backup systems for a period of up to 14 days.
- Transfer Mechanisms
Subject to the terms and conditions of the Agreement and EU Data Protection Law, Checkealos currently makes available the Standard Contractual Clauses as a transfer mechanism. The Standard Contractual Clauses apply to any transfer of Customer Personal Data under this DPA from the EEA to a country which is not deemed to have Adequacy (to the extent such transfers are subject to EU Data Protection Law). The Standard Contractual Clauses and the terms of this Section 11 apply to the legal entity that executed the Standard Contractual Clauses as “data exporter” and its Participating Affiliates, all of which shall be deemed “data exporters.” For the purposes of the EU SCCs: (i) the module two (controller to processor) terms shall apply to the extent Customer is a Controller of Customer Personal Data and the module three (processor to processor) terms shall apply to the extent Customer is a Processor of the Customer Personal Data; (ii) Clause 9, Option 2 of the applicable module of the EU SCCs shall apply and Checkealos may engage Sub-Processors as described in Section 7 of this DPA; (iii) in Clause 11, the optional language shall be deleted; (iv) the audits described in Clauses 8.3 and 8.9 of the applicable module of the EU SCCs shall be carried out as set out in and subject to the requirements of Section 8 of this DPA; (v) pursuant to Clauses 8.5 and 16(d), upon termination of this DPA, Customer Personal Data will be returned and/or destroyed in accordance with Section 11 of this DPA; (vi) in Clause 17, Option 1 shall apply and the EU SCCs shall be governed by Irish law; (vii) in Clause 18(b), disputes shall be resolved before the courts of Ireland; (viii) the Annexes of the EU SCCs shall be populated with the information set out in the Annexes to this Addendum. 
For the purposes of the UK SCCs: (ix) the Appendices or Annexes of the UK SCCs shall be populated with the relevant information set out in the Annexes to this Addendum; and (x) the UK SCCs shall be governed by the laws of and disputes shall be resolved before the courts of England and Wales. If and to the extent the Standard Contractual Clauses conflict with any provision of this Addendum regarding the transfer of Customer Personal Data from Customer to Checkealos, the Standard Contractual Clauses shall prevail to the extent of such conflict.
- Customer Data Subject to CCPA
As used in this Section 12, “Commercial Purpose”, “Consumer”, “Personal Information”, “Sell”, and “Service Provider” have the meanings assigned to them in the CCPA.
If Customer Data comprises Personal Data subject to the CCPA (“CCPA Covered Data”), Checkealos is the Service Provider and, consistent with the requirements of the CCPA, shall not (a) Sell the CCPA Covered Data or (b) retain, use or disclose the CCPA Covered Data: (i) for any purpose, including any Commercial Purpose, other than for the specific purpose of providing and supporting the Services or (ii) outside of the Parties’ direct business relationship. Checkealos certifies that it understands these restrictions and will comply with them. Customer acknowledges nothing in this Paragraph removes or lessens Customer’s obligations with respect to Personal Data under the Agreement or this DPA.
Customer will be responsible for responding to Consumer requests in relation to CCPA Covered Data (each, a “Consumer Request”). If Checkealos receives a Consumer Request then, to the extent legally permissible, Checkealos will advise the Consumer to submit the Consumer Request to Customer, and Customer agrees that Checkealos may confirm to a Consumer that the Consumer Request relates to Customer. To the extent Customer is unable through its use of the Services to address a particular Consumer Request, Checkealos will, upon Customer’s request and taking into account the nature of the CCPA Covered Data, provide reasonable assistance in addressing the Consumer Request (provided Checkealos is legally permitted to do so and that Customer has verified the request in accordance with the CCPA).
- Customer Data Subject to LGPD
If Customer Data comprises Personal Data subject to the LGPD (“LGPD Covered Data”), then Customer Personal Data, as the term is used in Sections 2 through 10 of this DPA above, shall be deemed to include LGPD Covered Data.
- Customer Responsibilities
Without limiting its responsibilities under the Agreement, Customer is solely responsible for: (a) Account Data, Customer Credentials (including activities conducted with login credentials), and Customer Data, subject to Checkealos’s Processing obligations under the Agreement and this DPA; (b) providing any notices required by Applicable Laws to, and receiving any required consents and authorizations required by Applicable Laws from, persons whose Personal Data may be included in Account Data, Customer Credentials, and Customer Data; and (c) ensuring no Personal Data relating to criminal convictions and offenses (GDPR Article 10) is submitted for Processing by the Services. Further, no provision of this DPA includes the right to, and Customer shall not, directly or indirectly, enable any person or entity other than its authorized users to access and use the Services or use (or permit others to use) the Services other than as described in the applicable Order, the Agreement and this DPA, or for any unlawful purpose.
Each Party’s (and each of its Affiliate’s) liability taken together in the aggregate, arising out of or related to this DPA, including without limitation under the Standard Contractual Clauses, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Agreement, except to the extent such liability cannot be limited under Applicable Law.
- Term and Termination
Unless earlier terminated as provided herein, this DPA shall terminate automatically together with termination or expiry of the Agreement.
This DPA may be executed in counterparts, each of which shall be deemed an original, but all of which together shall be deemed to be one and the same agreement. Delivery of an executed counterpart of a signature page to this DPA by fax or by email of a scanned copy, or execution and delivery through an electronic signature service (such as DocuSign), shall be effective as delivery of an original executed counterpart of this DPA.
Nominate a contact to receive notifications.
Please sign and return the enclosed copy of this Agreement as instructed to acknowledge the supplementation of these terms to the Agreement.
On behalf of Customer (you):
Name (written in full) Signature
On behalf of Checkealos (us):
Name (written in full) Signature
List of Parties
Name: The Customer entity identified in the Agreement or on an applicable Order.
Address: The Customer’s address specified on the Order.
Contact person’s name, position and contact details: The Customer’s contact nominated for receiving notifications, as set forth above in the DPA.
Activities relevant to the data transferred under the Standard Contractual Clauses: The data exporter is a customer of the data importer and utilizing the data importer’s services as described in more detail in the Agreement.
Role (controller/processor): Controller and/or Processor.
Name: User Experience, SL., a proprietary limited company registered in Spain with Spanish Business Number (CIF) ESB90117466
Address: Calle Imagen 6 6C 41003 Sevilla, Spain
Contact person’s name, position, and contact details: Alberto Morales Flores, Chief Executive Officer, firstname.lastname@example.org.
Activities relevant to the data transferred under these Clauses: The data importer is providing certain services to the data exporter, as described in more detail in the Agreement.
Role (controller/processor): Processor.
Description of the Transfer
Categories of data subjects:
Individuals about whom data is uploaded to the Services by (or at the direction of) the data exporter or by its authorized users, Subsidiaries, and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement.
Categories of personal data:
The Personal Data transferred may include but is not limited to the following categories of data:
Any data uploaded to the Services by (or at the direction of) the data exporter or by its authorized users, Subsidiaries and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement.
Sensitive data transferred (if applicable) and applied restrictions or safeguards:
Special categories of data, if any, may be uploaded to the Services, by (or at the direction of) the data exporter or by its authorized users, Subsidiaries and other participants whom the data exporter has granted the right to access the Services in accordance with the provisions of the Agreement, in compliance with Applicable Law, and may include:
- race or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade-union membership;
- sex life; and
- sexual orientation.
Frequency of the transfer:
At data exporter’s discretion in using the Services, during the term of the Agreement.
Nature of the processing:
Customer Personal Data transferred will be processed in accordance with the Agreement and any Order, and may be subject to the following basic processing activities:
- (a) Customer Personal Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and the data exporter’s instructions. The data importer processes Personal Data only on behalf of the data exporter. Processing operations include, but are not limited to, the provision of the Services – this operation relates to all aspects of Personal Data processed.
- (b) Technical support, issue diagnosis and error correction to ensure the efficient and proper running of the systems and to identify, analyze and resolve technical issues both generally in the provision of the Services and specifically in answer to a data exporter query. This operation may relate to all aspects of Personal Data processed but will be limited to metadata where possible.
- (c) URL scanning for the purposes of the provision of targeted threat protection and similar service which may be provided under the Agreement. This operation relates to attachments and links in emails and will relate to any Personal Data within those attachments or links which could include all categories of Personal Data.
- (d) Disclosures in accordance with the Agreement, as compelled by Applicable Law.
Purpose(s) of the data transfer and further processing:
Personal Data is processed for the purposes of providing the Services in accordance with the Agreement and any applicable Order.
Period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data will be retained until termination or expiry of the Agreement, in accordance with Section 10 of this DPA.
Competent Supervisory Authority
Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located shall act as competent supervisory authority.
Technical and Organizational Measures
Data importer has implemented and will maintain the technical and organizational security measures identified in the Security Documentation, which is posted to: https://checkealos.com/security/.
These security measures are applicable to Customer Personal Data processed in the Services.