DATA PROCESSING AGREEMENT FOR ENGAGE EHS
This Data Processing Agreement (the “DPA”), entered into by the Engage EHS customer identified on the applicable Engage EHS ordering document for Engage EHS services (“Customer”) and the BCD company identified on the ordering document (“Engage EHS”), governs the processing of personal data that Customer uploads or otherwise provides to Engage EHS in connection with the services and the processing of any personal data that Engage EHS uploads or otherwise provides to Customer in connection with the services.
This DPA is incorporated into the relevant Engage EHS Service Agreement attached to or incorporated by reference into the ordering document previously executed by Customer, referred to generically in this DPA as the “Engage EHS Contract”. Collectively, the DPA (including the SCCs, as defined herein), the Engage EHS Contract, and the applicable ordering documents are referred to in this DPA as the “Agreement”. In relation to any Personal Data only, in the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (i) the SCCs; (ii) this DPA; (iii) the Engage EHS Contract; and (iv) the applicable ordering document to the Engage EHS Contract. Except as specifically amended in this DPA, the Engage EHS Contract and applicable ordering document remain unchanged and in full force and effect.
1. Definitions
“Customer Personal Data” means Personal Data: (i) that Customer uploads or otherwise provides to Engage EHS in connection with its use of Engage EHS’s services; or (ii) for which Customer is otherwise a data controller.
“Controller” and “Processor” have the meanings given to them in Data Protection Law. In the context of this DPA, the Customer and/or its Affiliates are the Controller and Engage EHS is the Processor.
“Data Protection Law” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, Local Data Protection Laws and any amendments, replacements or renewals thereof, applicable to the processing of Personal Data, including where applicable the General Data Protection Regulation and any applicable national implementing laws, regulations and secondary legislation relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time and Privacy Laws.
“EU Personal Data” means Personal Data the sharing of which pursuant to this Agreement is regulated by the General Data Protection Regulation and Local Data Protection Laws.
“General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
“Local Data Protection Laws” means any subordinate legislation and regulation implementing the General Data Protection Regulation which may apply to the Agreement.
“Personal Data” means information about an individual that: (i) can be used to identify, contact or locate a specific individual, including data that Customer chooses to provide to Engage EHS from services such as applicant tracking systems (ATSs), learning management systems (LMSs) or customer relationship management (CRM) systems; (ii) can be combined with other information that can be used to identify, contact or locate a specific individual; or (iii) is defined as “personal data” or “personal information” by Data Protection Law.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
“Privacy Laws” means all applicable laws, regulations, and other legal requirements relating to: (i) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (ii) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Security Policy” means the security documentation of the Processor available on request.
“SCCs” means the EU standard contractual clauses for the transfer of Personal Data from controllers to processors established in third countries, set out in Commission Decision 2010/87/EU (C(2010) 593).
“Sub-processor” means any entity which provides processing services to Engage EHS in furtherance of Engage EHS’s processing on behalf of Customer.
“Supervisory Authority” means an independent public authority which is established by a European Union member state pursuant to Article 51 of the General Data Protection Regulation.
2. Nature of Data Processing
Each party agrees to process Personal Data received under the Agreement only for the purposes set forth in the Agreement. For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to this DPA are described in Schedule A to this DPA.
3. Compliance with Laws
The parties shall each comply with their respective obligations under Data Protection Law.
4. Controller Obligations
The Controller agrees to:
4.1 Provide instructions to the Processor and determine the purposes and general means of the Processor’s processing of Customer Personal Data in accordance with the Agreement; and
4.2 Comply with its protection, security and other obligations with respect to Customer Personal Data prescribed by Data Protection Law for a Controller by: (i) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Customer Personal Data are processed on behalf of Customer; (ii) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; (iii) ensuring compliance with the provisions of this DPA by its Affiliates and any personnel or third-party accessing or using Customer Personal Data on its behalf; and (iv) implement appropriate technical and organisational procedures to protect Customer Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Controller shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
4.3 The Controller acknowledges and agrees that complying with some instructions from the Controller, including the destruction or return of data, assisting with audits, inspections or DPIAs, or providing any other assistance under this DPA, may result in additional fees. The Processor shall be entitled to charge the Controller for its costs and expenses in providing any such assistance, provided that the parties agree such costs in advance.
5. Processor Obligations
5.1 Processing Requirements: The Processor shall:
a. Process Customer Personal Data: (i) only within the scope of this DPA; (ii) only on behalf of the Controller; (iii) only on the documented instructions of the Controller; and (iv) take steps to ensure that any person acting under the authority of the Processor who has access to Personal Data shall only process the Personal Data on the documented instructions of the Controller. The Processor shall not use or process the Customer Personal Data for any other purpose.
b. Promptly inform the Controller in writing if it cannot comply with the requirements under Sections 5-8 of this DPA, in which case the Controller may terminate the Agreement or take any other reasonable action, including suspending data processing operations;
c. Inform the Controller promptly if, in the Processor’s opinion, any of the instructions regarding the processing of Customer Personal Data provided by the Controller, breach any Data Protection Law;
d. Ensure that all employees, agents, officers and contractors involved in the handling of Customer Personal Data: (i) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential; (ii) have received appropriate training on their responsibilities as a data processor; and (iii) are bound by terms similar to those in this DPA;
e. Implement appropriate technical and organisational procedures to protect Customer Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, as set out in the Security Policy;
f. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymisation and encryption of Customer Personal Data; (ii) the ability to ensure the on-going confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed;
g. taking into account the nature of the processing and the information available to the Processor, assist the Controller by having in place appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subject's rights and the Controller’s compliance with the Controller’s data protection obligations in respect of the processing of Customer Personal Data;
h. Upon request, provide the Controller with the Processor’s Security Policy; and
i. Inform the Controller if the Processor undertakes an independent security review.
5.2 Sub-processors
a. The Controller acknowledges and agrees that: (i) Affiliates of the Processor may be used as Sub-processors; and (ii) the Processor and its Affiliates respectively may engage Sub-processors in connection with the provision of the services.
b. All Sub-processors who process Customer Personal Data in the provision of the services on behalf of the Processor shall comply with the obligations of the Processor set out in this DPA.
c. The Controller authorises the Processor to use the Sub-processors already engaged by the Processor as at the date of the Agreement and identified in list of Sub-processors the Processor maintains online (currently available at https://www.effective-software.com/sub-processors/).
d. The Processor shall inform the Controller of plans for any changes to this list or to a Sub-processor at least 30 days in advance of using the new or replacement Sub-processor.
e. The Controller may object to the use of a new or replacement Sub-processor by notifying the Processor promptly in writing within fourteen (14) days after receipt of the Processor’s notice. If the Controller objects to a new or replacement Sub-processor, the Controller may terminate the Agreement with respect to those services which cannot be provided by the Processor without the use of the new or replacement Sub-processor.
f. All Sub-processors who process Customer Personal Data shall comply with the obligations of the Processor set out in this DPA. Before the relevant Sub-processor carries out any processing activities in respect of the Customer Personal Data, the Processor shall: (i) appoint each Sub-processor under a written contract containing materially the same obligations as those of the Processor in this DPA, enforceable by the Processor; and (ii) ensure each such Sub-processor complies with all such obligations.
g. The Controller agrees that Sub-processors may transfer EU or UK Customer Personal Data, for the purpose of providing the services in accordance with the Agreement, to countries outside the European Economic Area (EEA). The Processor confirms that any such Sub-processor: (i) is located in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) has entered into SCCs with the Processor; or (iii) has other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules.
5.3 Notice to Customer
The Processor will inform the Controller if the Processor becomes aware of:
a. Any non-compliance by the Processor or its employees with Sections 5-8 of this DPA or Data Protection Law relating to the protection of Customer Personal Data processed under this DPA;
b. Any legally binding request for disclosure of Customer Personal Data by a law enforcement authority, unless the Processor is otherwise forbidden by law to inform the Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;
c. Any notice, inquiry or investigation by a Supervisory Authority with respect to Customer Personal Data; or
d. Any complaint or request (in particular, requests for access to, rectification or blocking of Customer Personal Data) received directly from data subjects of the Controller. The Processor will not respond to any such request without the Controller’s prior written authorisation.
5.4 Assistance to the Controller
The Processor shall provide reasonable assistance to the Controller regarding:
a. Any requests from data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Customer Personal Data that the Processor processes for the Controller. In the event that a data subject sends such a request directly to the Processor, the Processor shall promptly send such request to the Controller;
b. The investigation of Personal Data Breaches and the notification to the Supervisory Authority and data subjects regarding such Personal Data Breaches; and
c. Where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
5.5 Required Processing
If the Processor is required by Data Protection Law to process any Customer Personal Data for a reason other than providing the services described in the Agreement, the Processor will inform the Controller of this requirement in advance of any processing, unless the Processor is legally prohibited from informing the Controller of such processing (e.g., as a result of secrecy requirements that may exist under applicable EU member state laws).
5.6 Data Breach
The Processor shall:
a. Notify the Controller of any Personal Data Breach without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.
b. Take all commercially reasonable measures to secure the Customer Personal Data, to limit the effects of any Personal Data Breach, and to assist the Controller in meeting the Controller’s obligations under applicable law.
6. Audit, Certification
6.1 Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which the Processor processes Customer Personal Data in order to ascertain or monitor the Controller’s compliance with Data Protection Law, the Processor shall cooperate with such audit.
6.2 Audits. The Processor must, upon the Controller’s request (not to exceed one request per calendar year) by email to DPO@effective-software.com, certify compliance with Sections 5-8 of this DPA in writing.
6.3 Inspection. The Controller, or suitably qualified representatives appointed by the Controller, shall be entitled to inspect, test and audit compliance with the terms of this DPA. Such an inspection will take place during the regular business hours of the Processor, with reasonable advance written notice given to the Processor and subject to reasonable confidentiality procedures. Before the commencement of any such audit, the parties shall mutually agree upon the scope, timing, and duration of the audit. In the event of a suitably qualified representative being appointed, the Processor shall have the right to approve the representative as suitably qualified. The Controller shall promptly notify the Processor with information regarding any non-compliance discovered during the course of an audit. The Controller may not audit the Processor more than once annually, unless there is a Personal Data Breach. The Controller is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time the Processor expends for any such audit.
6.4 No limitation of rights. This clause 6 shall not modify or limit the rights of audit of the Controller, instead it is intended to clarify the procedures in respect of any audit undertaken pursuant thereto.
7. Data Transfers
Where EU or UK Customer Personal Data is transferred outside of the EEA, the Processor shall process the Customer Personal Data in accordance with the provisions of the SCCs, unless the processing takes place: (i) in a third country or territory recognised by the EU Commission to have an adequate level of protection; or (ii) by an organisation located in a country which has other legally recognised appropriate safeguards in place, such as the EU-US Privacy Shield or Binding Corporate Rules.
8. Data Return and Deletion
The Processor shall, at the choice of the Controller and upon receipt of a written request received within 30 days of the end of the provision of the services or of the Agreement, delete or return Customer Personal Data to the Controller. The Processor shall in any event delete all copies of Customer Personal Data in its systems within 6 months of the effective date of termination of the Agreement unless: (i) applicable law or regulations require storage of the Customer Personal Data after termination; or (ii) partial Customer Personal Data is stored in backups, in which case such Customer Personal Data shall be deleted from backups within 2 years after the effective date of termination of the Agreement.
9. Term
This DPA shall remain in effect as long as the Processor carries out Personal Data processing operations on behalf of the Controller or until the termination of the Engage EHS Contract (and all Personal Data has been returned or deleted in accordance with Section 8 above).
10. Liability
The limitations on liability set out in the Engage EHS Contract apply to all claims made pursuant to any breach of the terms of this DPA.
The parties agree that the Processor shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Affiliates or Sub-processors to the same extent the Processor would be liable if performing the services of each Affiliate or Sub-processor directly under the terms of the DPA, subject to any limitations on liability set out in the terms of the Engage EHS Contract.
The parties agree that the Controller shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Affiliates as if such acts, omissions or negligence had been committed by the Controller itself.
The Controller shall not be entitled to recover more than once in respect of the same loss.
11. Governing Law, Jurisdiction, and Venue
Notwithstanding anything in the Agreement to the contrary (in particular the SCCs), this DPA shall be governed by the laws of Ireland, and any action or proceeding related to this DPA (including those arising from non-contractual disputes or claims) will be brought in Dublin, Ireland.
Schedule A: Nature of the Data Processing
Categories of Personal Data processed
Please provide details of any sensitive data to be processed. As per the GDPR, this means: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data processed for the purpose of uniquely identifying a natural person; data concerning health or data concerning a natural person’s sex life or sexual orientation; and personal data relating to criminal convictions and offences.
Categories of data subjects subject to this DPA
Other personal data may be processed, depending on the Customer’s requirements. This list states the minimum needed to enable use of the Engage EHS Platform for the management of various health and safety related activities. Customer should add any additional data it provides to the above table.