Controller to Processor
“Affiliate” means any company or other entity which directly or indirectly controls, is controlled by or is under common control with RCG, or any limited partnership or limited liability partnership whose general partner or managing member is an aforementioned company or entity;
“Data Protection Legislation” means the GDPR, Directive 2002/58/EC, FADP, the California Consumer Privacy Act and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them, and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities;
“EU personal data” means the processing of personal data to which data protection legislation of the European Union, or of a Member State of the European Union or European Economic Area, was applicable prior to its processing by Counterparty;
“FADP” means the Swiss Federal Act on Data Protection;
“Fair and Lawful Processing Notice Obligations” means such notice, transparency and fair and lawful processing obligations as arising under applicable Data Protection Legislation including any obligation to obtain consent from a data subject;
“GDPR” means, in each case to the extent applicable to the processing activities: (i) Regulation (EU) 2016/679; and (ii) UK GDPR;
“Good Industry Standards” means the exercise of that degree of skill, diligence, prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced operator engaged in the same type of undertaking under the same or similar circumstances seeking to meet its obligations to the fullest extent possible;
“Order Form” means the relevant order form which sets out particulars about the services being provided by the Counterparty, details of processing and lists any sub-processors used by the Counterparty (to the extent applicable);
“Protected Area” means:
in the case of EU personal data, the members states of the European Union and the European Economic Area and any country, territory, sector or international organisation in respect of which an adequacy decision under Art.45 GDPR is in force;
in the case of UK personal data, the United Kingdom and any country, territory, sector or international organisation in respect of which an adequacy decision under United Kingdom adequacy regulations is in force; and
in the case of Swiss personal data, any country, territory, sector or international organisation which is recognised as adequate under the laws of Switzerland;
“Relevant Law” means:
in the case of EU personal data, any legislation of the European Union, or of a Member State of the European Union or European Economic Area;
in the case of UK personal data, any legislation of any part of the United Kingdom; and
in the case of Swiss personal data, any legislation of Switzerland;
“Schedule” means this Data Protection Schedule together with its schedules and annexes and any document expressly cross referenced from it in its final form;
“Security Breach” means any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that the Counterparty, its staff or sub-contractors process in the course of providing the Services;
“Shared Personal Data” means personal data which one Party or its Affiliate passes, makes available or allows the other Party or its Affiliate to access pursuant to this Schedule and can include EU, Swiss or UK personal data;
“Standard Contractual Clauses” mean:
in respect of EU personal data, the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, including the text from module two of such clauses and not including any clauses marked as optional (“EU Standard Contractual Clauses”);
in respect of Swiss personal data, the EU Standard Contractual Clauses, provided that any references in the clauses to the GDPR shall refer to the FADP; the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses; and the clauses shall also protect the data of legal persons until the entry into force of the revised FADP;
in respect of UK personal data:
template Addendum B.1.0 issued by the United Kingdom Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised under Section 18 thereof (the “UK Addendum”) but, as permitted by clause 17 of such addendum, the parties agree to change the format of the information set out in Part 1 of the addendum so that:
the details of the parties in table 1 shall be as set out in the Order Form (with no requirement for signature);
for the purposes of table 2, the addendum shall be appended to the EU Standard Contractual Clauses (including the selection of modules and disapplication of optional clauses as noted above) and clause 1.14.1 below selects the option and timescales for clause 9; and
the appendix information listed in table 3 is set out in the Order Form and RCG Information Security Addendum.
“Swiss personal data” means personal data to which the FADP was applicable prior to its processing by Counterparty;
“UK GDPR” means the GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended);
“UK personal data” means the processing of personal data to which data protection laws of the United Kingdom were applicable prior to its processing by Counterparty; and “controller”, “processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the GDPR.
The parties agree the provisions of this Schedule shall apply to the personal data processed by and on behalf of the Counterparty in the course of providing the Services and/or otherwise pursuant to this Agreement on behalf of RCG and its Affiliates. The parties agree that RCG and its Affiliates are the controllers and the Counterparty is the processor in relation to the personal data that the Counterparty processes in the course of providing the Services.
The subject-matter of the data processing is the performance of the Services. The obligations and rights of RCG and its Affiliates are as set out in this Schedule. The Order Form sets out the nature, duration and purpose of the processing, the types of personal data the Counterparty processes and the categories of data subjects whose personal data is processed.
When the Counterparty processes personal data in the course of providing the Services the Counterparty will:
process the personal data only in accordance with documented instructions from RCG or its Affiliates, (which may be specific instructions or instructions of a general nature as set out in this Schedule or as otherwise notified by RCG to the Counterparty from time to time). If the Counterparty is required to process the personal data for any other purpose by Relevant Law to which the Counterparty is subject, the Counterparty will inform RCG of this requirement first, unless such law(s) prohibit this on important grounds of public interest; and
at all times comply with applicable Data Protection Legislation and notify RCG immediately if, in the Counterparty’s opinion, an instruction for the processing of personal data given by RCG infringes applicable Data Protection Legislation.
The Counterparty shall ensure that personnel required to access the personal data are subject to a binding duty of confidentiality in respect of such personal data and take reasonable steps to ensure the reliability and competence of the Counterparty’s personnel who have access to the personal data.
The Counterparty shall assist RCG and its Affiliates, always taking into account the nature of the processing at no extra cost:
by appropriate technical and organisational measures and in so far as is possible, in fulfilling the RCG’s and Affiliates’ obligations to respond to requests from data subjects exercising their rights;
in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the information available to the Counterparty; and
by making available to the RCG all information which the RCG reasonably requests to allow RCG to demonstrate that the obligations set out in Article 28 of the GDPR relating to the appointment of processors have been met.
The Counterparty shall implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected. As a minimum, these measures shall be provided in accordance with Good Industry Standards and should include the requirements set out in the Order Form and the RCG Information Security Addendum.
In the event of a suspected Security Breach, the Counterparty will:
take action immediately to investigate the suspected Security Breach and to identify, prevent and mitigate the effects of the suspected Security Breach and to remedy the Security Breach;
notify RCG without undue delay and provide RCG with a detailed description of the Security Breach including:
notify RCG without undue delay and provide RCG with a detailed description of the Security Breach including:
the likely impact of the Security Breach;
and the risk posed by the Security Breach to individuals; and
the measures taken or proposed to be taken by the Counterparty to address the Security Breach and to mitigate its adverse effects, and provide timely updates to this information and any other information RCG may reasonably request relating to the Security Breach; and
not release or publish any filing, communication, notice, press release, or report concerning the Security Breach without RCG’s prior written approval (except where required to do so by law).
The Counterparty shall not give access to or transfer any personal data to any third party (including any affiliates, group companies or sub-contractors) without the prior written consent of RCG. RCG agrees that the Counterparty’s affiliates may be engaged as sub-processors for the processing of personal data; and the Counterparty may engage third-party sub-processors for the purposes of processing personal data under this Schedule subject to clause 1.9 below.
A list of third-party sub-processors approved by RCG as at the date of this Schedule is set out in in the Order Form. The Counterparty can at any time appoint a new sub-processor provided that RCG is given thirty (30) days’ prior written notice and RCG does not object to such changes within that timeframe. If RCG objects to the appointment of a new sub-processor within such period the Counterparty shall use reasonable efforts to make available to RCG a change in the Services or recommend a change to RCG’s configuration or use of the Services, in each case to avoid the processing of RCG Personal Data by the objected-to sub-processor for RCG’s consideration and approval. If the Counterparty is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days from the date of objection by RCG, or RCG does not approve any such changes proposed by Counterparty, RCG may, by providing written notice to Counterparty, terminate the Service which cannot be provided by Counterparty without the use of the objected-to sub-processor. Such termination shall be without prejudice to any accrued rights and liabilities of the parties, provided that no termination fees, expenses or other compensation will be payable by RCG or RCG’s Affiliates in connection with such termination and the Counterparty shall repay to RCG within thirty (30) days of such termination any fees prepaid by RCG or RCG Affiliates to Counterparty in respect of the Services being terminated for the period following termination.
The Counterparty must include in any contract with the third party provisions in favour of RCG which are in all material respects the same as those in this Schedule and as are required by applicable Data Protection Legislation. For the avoidance of doubt, where Counterparty’s sub-processor causes Counterparty to be in breach of its obligations under this Schedule or any applicable Data Protection Legislation, the Counterparty will remain fully liable to RCG for the fulfilment of the Counterparty’s obligations under these terms.
The Counterparty will allow RCG and its respective auditors or authorised agents to conduct audits or inspections during the term of the Agreement and for 12 months thereafter which will include providing access to the premises, resources, and personnel of Counterparty and the Counterparty’s sub-processors use in connection with the provision of the Services, and provide all reasonable assistance in order to assist RCG in exercising its audit rights under this clause 1.11. The purposes of an audit pursuant to this clause include verifying that the Counterparty and its subcontractors are processing personal data in accordance with the obligations under this clause.
Counterparty shall not, and shall ensure that none of its affiliates or contractors, transfer, access or use EU, Swiss or UK personal data outside of the Protected Area without RCG’s prior authorisation.
RCG hereby consents to and authorises the transfers set out in the Order Form and the Counterparty and RCG agree to comply with the obligations set out in the Standard Contractual Clauses as though they were set out in full in this Schedule, with RCG as the ‘data exporter’ and Counterparty as the ‘data importer’, with the parties signature and dating of the Agreement being deemed to be the signature and dating of the Standard Contractual Clauses and with the Appendices to the Standard Contractual Clauses being as set out in in the Order Form.
For the purposes of the EU Standard Contractual Clauses, the following shall apply:
Clause 9 option 2: general written authorisation for sub-processors and the parties agree that the time period for submitting requests for changes to sub-processors shall be thirty (30) days;
Clause 13 (Supervision):
Where RCG or an RCG Affiliate is established in an EU member state, the supervisory authority with responsibility for ensuring compliance by RCG or an RCG Affiliate with the Data Protection Legislation as regards the data transfer shall act as competent supervisory authority.
Where RCG or an RCG Affiliate is not established in an EU member state the Irish Data Protection Authority shall act as competent supervisory authority.
Where RCG or an RCG Affiliate is established in the United Kingdom, the UK Information Commissioner’s Office shall act as competent supervisory authority.
Where RCG or an RCG Affiliate is established in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC) shall act as competent supervisory authority insofar as the relevant data transfer is governed by FADP.
Clause 17 (Governing law): the clauses shall be governed by the laws of Ireland;
Clause 18 (Choice of forum and jurisdiction) the courts of Ireland shall have jurisdiction.
In the event that RCG gives its consent to the Counterparty transferring personal data outside the Protected Area and a relevant European Commission decision or other valid adequacy method under applicable Data Protection Legislation on which RCG has relied in authorising the data transfer is held to be invalid, or that any supervisory authority requires transfers of personal data made pursuant to such decision to be suspended, then RCG may, at its discretion, require the Counterparty to cease processing personal data to which this paragraph applies, or co-operate with it and facilitate use of an alternative transfer mechanism.
At the end of the Services, upon RCG’s request, the Counterparty shall securely destroy or return such personal data to RCG and/or any affected RCG Affiliates and delete existing copies unless Relevant Law require storage of such personal data.