Controller to Controller / Controller to Processor

Definitions:

“Affiliate” means any company or other entity which directly or indirectly controls, is controlled by or is under common control with a company, or any limited partnership or limited liability partnership whose general partner or managing member is an aforementioned company or entity;

“Data Protection Legislation” means the GDPR, Directive 2002/58/EC, FADP, the California Consumer Privacy Act and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities;

“Data Subject Rights Requests” means requests made by data subjects exercising their rights as available to them under applicable Data Protection Legislation;

“EU personal data” means the processing of personal data to which data protection legislation of the European Union, or of a Member State of the European Union or European Economic Area, is applicable;

“FADP” means the Swiss Federal Act on Data Protection;

“Fair and Lawful Processing Notice Obligations” means such notice, transparency and fair and lawful processing obligations as arising under applicable Data Protection Legislation including any obligation to obtain consent from a data subject;

“GDPR” means, in each case to the extent applicable to the processing activities: (i) Regulation (EU) 2016/679 (EU GDPR); and (ii) UK GDPR;

“Good Industry Standards” means the exercise of that degree of skill, diligence, prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced operator engaged in the same type of undertaking under the same or similar circumstances seeking to meet its obligations to the fullest extent possible;

“Order Form” means the relevant order form which sets out particulars about the services being provided by the Counterparty, details of processing and lists any sub-processors used by the Counterparty (to the extent applicable);

“Protected Area” means:

i.

in the case of EU personal data, the member states of the European Union and the European Economic Area and any country, territory, sector or international organisation in respect of which an adequacy decision under Art. 45 GDPR is in force;

ii.

in the case of UK personal data, the United Kingdom and any country, territory, sector or international organisation in respect of which an adequacy decision under United Kingdom adequacy regulations is in force; and

iii.

in the case of Swiss personal data, any country, territory, sector or international organisation which is recognised as adequate under the laws of Switzerland;

“RCG Information Security Addendum” means RCG’s information security addendum which sets out details of the minimum security measures that need to be implemented by the Counterparty;

“Relevant Law” means:

i.

in the case of EU personal data, any legislation of the European Union, or of a Member State of the European Union or European Economic Area; 

ii.

in the case of UK personal data, any legislation of any part of the United Kingdom; and

iii.

in the case of Swiss personal data, any legislation of Switzerland;

“Schedule” means this Data Protection Schedule together with its schedules and annexes and any document expressly cross referenced from it in its final form;

“Security Breach” means any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to Shared Personal Data;

“Shared Personal Data” means personal data which one Party or its Affiliate passes, makes available or allows the other Party or its Affiliate to access pursuant to this Schedule and can include EU, Swiss or UK personal data;

“Standard Contractual Clauses” mean:

i.

in respect of EU personal data, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, including the text from the modules indicated in the Order Form, the selections set out in clause 1.10 and not including any clauses marked as optional (“EU Standard Contractual Clauses”);

ii.

in respect of Swiss personal data, the EU Standard Contractual Clauses, provided that any references in the clauses to the GDPR shall refer to the FADP; the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses; and the clauses shall also protect the data of legal persons until the entry into force of the revised FADP;

iii.

in respect of UK personal data:

a.

template Addendum B.1.0 issued by the United Kingdom Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised under Section 18 thereof (the “UK Addendum”) but, as permitted by clause 17 of such addendum, the parties agree to change the format of the information set out in Part 1 of the addendum so that:

i.

the details of the parties in table 1 shall be as set out in the Order Form (with no requirement for signature);  

ii.

for the purposes of table 2, the addendum shall be appended to the EU Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as noted in clause 1.10); and

iii.

the appendix information listed in table 3 is set out in the Order Form and the RCG Information Security Addendum.

“Swiss personal data” means personal data to which the FADP is applicable;

“UK GDPR” means the GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);

“UK personal data” means the processing of personal data to which data protection laws of the United Kingdom are applicable; and

“controller”, “processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the GDPR.

DATA PROTECTION

1.1

The parties agree that the provisions of this Schedule shall apply to the processing of Shared Personal Data. The parties consider that RCG and Counterparty are each independent controllers in relation to the Shared Personal Data; however, in cases where Counterparty or its Affiliates act as processors on behalf of RCG or any of its Affiliates, then in addition to obligations under clauses 1.3 to 1.10 the Counterparty and its Affiliates shall also comply with the obligations set out in clause 1.11.

1.2

The parties agree that: (a) the party which discloses Shared Personal Data to the other pursuant to this Schedule will be responsible for meeting the Fair and Lawful Processing Notice Obligations as are applicable to enable it to make Shared Personal Data available to the other party; and (b) the other party shall be responsible for meeting all other Fair and Lawful Processing Notice Obligations in respect of processing activities to be carried out for and on its behalf with the Shared Personal Data.

1.3

Each party shall promptly notify the other in writing if it receives or becomes aware of a data subject complaint or supervisory authority enquiry or potential enforcement action regarding the other party in relation to the Shared Personal Data. Each party shall promptly provide reasonable information to the other in respect of the same.

1.4

Each party is responsible for meeting Data Subject Rights Requests received in respect of its or its Affiliates’ processing activities in respect of Shared Personal Data undertaken as a controller in compliance with applicable Data Protection Legislation. To the extent that Data Subject Rights Requests relate to processing activities undertaken for or on behalf of the other party (or its Affiliates) as a controller, the other party shall be responsible for promptly meeting the request in compliance with applicable Data Protection Legislation at its own expense.

1.5

The Counterparty undertakes to ensure at all times that appropriate technical and organisational measures are implemented and maintained to protect the Shared Personal Data against being the subject of a Security Breach. These measures shall be appropriate to the harm which might result from a Security Breach having regard to the nature of the personal data involved. As a minimum, these measures shall be provided in accordance with Good Industry Standards and shall include the requirements set out in the RCG Information Security Addendum and the Order Form.

1.6

In the event of an actual or suspected Security Breach of which the Counterparty, its staff or subcontractors become aware, the Counterparty will on an ongoing basis: (a) take action immediately to investigate the suspected Security Breach and to identify, prevent and mitigate its effects and to remedy the Security Breach; and (b) notify RCG without undue delay and promptly provide RCG such information regarding the Security Breach as it reasonably requests, including: the risks posed by the Security Breach to individuals; and the measures taken or proposed to be taken to address the Security Breach and to mitigate its adverse effects.

1.7

The Counterparty, its Affiliates, staff and subcontractors shall not use Shared Personal Data made available pursuant to this Schedule for any purpose which will negatively affect RCG or its Affiliates’ reputations or bring any of them into disrepute. 

1.8

Counterparty shall ensure that any third party to which it or its Affiliates give access to the Shared Personal Data process the same in compliance with applicable Data Protection Legislation. Counterparty shall not, and shall ensure that none of its Affiliates or contractors, transfer, access or use EU, Swiss or UK personal data outside of the Protected Area other than in compliance with applicable Data Protection Legislation.

1.9

Counterparty acknowledges and agrees that the transfer mechanisms listed below shall apply to transfers outside of the Protected Area and can be directly enforced by the parties:

1.9.1

where RCG or its Affiliates are a controller and a data exporter of Shared Personal Data and Counterparty or its Affiliates are a processor and data importer in respect of that Shared Personal Data, the parties shall comply with module 2 of the EU Standard Contractual Clauses, subject to the additional terms in clause 1.10; and/or

1.9.2

where RCG and its Affiliates are a controller and a data exporter of Shared Personal Data and Counterparty or its Affiliates are a controller and data importer in respect of that Shared Personal Data, the parties shall comply with module 1 of the EU Standard Contractual Clauses, subject to the additional terms in clause 1.10; and

1.9.3

without prejudice to the foregoing, in each case where the transfer outside the Protected Area of Shared Personal Data involves UK personal data, the parties shall comply with the UK Addendum as though it was set out in full in this Schedule and appended to (i) module 2 of the EU Standard Contractual Clauses in the case of clause 1.9.1 above and/or (ii) module 1 of the EU Standard Contractual Clauses in the case of clause 1.9.2 above.

1.10

Counterparty agrees to comply with the obligations set out in the Standard Contractual Clauses as though they were set out in full in this Schedule, with the parties’ signature and dating of the Agreement being deemed to be the signature and dating of the Standard Contractual Clauses and with the information required in the Annexes and/or Appendices to the Standard Contractual Clauses being as set out as indicated below in this clause and as set out in the Order Form and the RCG Information Security Addendum. For the purposes of the EU Standard Contractual Clauses, the following shall apply:

1.10.1

Clause 9 option 2: general written authorisation for sub-processors and the parties agree that the time period for submitting requests for changes to sub-processors shall be thirty (30) days;

1.10.2

Clause 13 (Supervision):

Where RCG or an RCG Affiliate is established in an EU member state, the supervisory authority with responsibility for ensuring compliance by RCG or an RCG Affiliate with the Data Protection Legislation as regards the data transfer shall act as competent supervisory authority.

Where RCG or an RCG Affiliate is not established in an EU member state, the Irish Data Protection Authority shall act as competent supervisory authority.

Where RCG or an RCG Affiliate is established in the United Kingdom, the UK Information Commissioner’s Office shall act as competent supervisory authority.

Where RCG or an RCG Affiliate is established in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) shall act as competent supervisory authority insofar as the relevant data transfer is governed by FADP.

1.10.3

Clause 17 (Governing law): the clauses shall be governed by the laws of Ireland;

1.10.4

Clause 18 (Choice of forum and jurisdiction): the courts of Ireland shall have jurisdiction;

1.10.5

Annex 1 Part A: this shall be completed as set out in the Order Form;

1.10.6

Annex 1 Part B: this shall be completed as set out in the Order Form;

1.10.7

Annex 1 Part C: this shall be as set out above for clause 13 of the EU Standard Contractual Clauses; and

1.10.8

Annex II, details of technical and organisational measures shall be as set out in the RCG Information Security Addendum and the Order Form.

1.11

In the event that the Counterparty or its Affiliates processes Shared Personal Data for and on behalf of RCG and/or its Affiliates as a processor then in addition to its obligations under clauses 1.3 to 1.10 the Counterparty undertakes to:

1.11.1

only process the Shared Personal Data in accordance with RCG’s or its Affiliate’s documented instructions from time to time, which include all processing necessary to meet obligations imposed under and pursuant to this Schedule. If the Counterparty reasonably believes that instructions received may conflict with the requirements of applicable Data Protection Legislation, it shall immediately notify RCG;

1.11.2

ensure that any third party that it authorises to process the Shared Personal Data shall be subject to a duty of confidentiality (whether a contractual duty or a statutory duty);

1.11.3

without prejudice to the provisions of clause 1.4, assist RCG and its Affiliates (without cost to them) by appropriate technical and organisational measures in responding to, and complying with, requests from data subjects relating to Shared Personal Data which Counterparty / its Affiliates process as data processors;

1.11.4

taking into account the nature of the processing and the information available to it, provide RCG and its Affiliates with assistance in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the EU GDPR and UK GDPR;

1.11.5

not engage any sub-processor to process any of the Shared Personal Data without: (a) the prior written consent of RCG and (b) ensuring that the requirements of Article 28 of the EU GDPR and UK GDPR are first met in respect of the engagement of that sub-processor; RCG agrees that the Counterparty’s Affiliates may be engaged as sub-processors for the processing of personal data; and the Counterparty may engage third-party sub-processors for the purposes of processing personal data under this Schedule subject to clause 1.11.6 below;

1.11.6

provide a list of third-party sub-processors which shall be approved by RCG as at the date of this Schedule and will be set out in the Order Form. The Counterparty can at any time appoint a new sub-processor provided that RCG is given thirty (30) days’ prior written notice and RCG does not object to such changes within that timeframe. If RCG objects to the appointment of a new sub-processor within such period the Counterparty shall use reasonable efforts to make available to RCG a change in the Services or recommend a change to RCG’s configuration or use of the Services, in each case to avoid the processing of RCG Personal Data by the objected-to sub-processor for RCG’s consideration and approval. If the Counterparty is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days from the date of objection by RCG, or RCG does not approve any such changes proposed by Counterparty, RCG may, by providing written notice to Counterparty, terminate the Service which cannot be provided by Counterparty without the use of the objected-to sub-processor. Such termination shall be without prejudice to any accrued rights and liabilities of the parties, provided that no termination fees, expenses or other compensation will be payable by RCG or RCG’s Affiliates in connection with such termination and the Counterparty shall repay to RCG within thirty (30) days of such termination any fees prepaid by RCG or RCG Affiliates to Counterparty in respect of the Services being terminated for the period following termination;

1.11.7

ensure that any sub-processor which it appoints to process Shared Personal Data is contractually obliged to meet the obligations of applicable Data Protection Legislation in respect of that processing. Counterparty shall remain liable for all acts or omissions of its and its Affiliates’ sub-processors which cause the Counterparty to breach its obligations under this Schedule;

1.11.8

not transfer the Shared Personal Data to third parties located, or that will process the same in, an area outside the Protected Area without, prior to the relevant transfer outside the Protected Area being made, putting in place a lawful transfer mechanism to enable such transfer outside the Protected Area to comply with applicable Data Protection Legislation, and provide RCG upon written request with evidence of the relevant measures taken. Such transfer mechanism may include executing the Standard Contractual Clauses; and

1.11.9

on expiry or termination of the arrangement to process Shared Personal Data as a processor, at RCG’s direction, return or destroy (as directed in writing) all such Shared Personal Data that it, its staff, subcontractors or Affiliates have in their possession or control and promptly delete existing copies unless and solely to the extent that applicable law requires storage of such Shared Personal Data.