1. Defined Terms.
“data controller”, “data processor”, “data subject”, “process/processing”, and “supervisory authority” shall have the meanings set out in the applicable Privacy Laws;
“CCPA” means the California Consumer Privacy Act of 2018, as amended.
“Data Protection Laws” means rules and regulations applicable with respect to the processing of Personal Data under the Agreement and this DPA, including the European Data Protection Laws and the CCPA.
“European Data Protection Laws” means all Privacy Laws in the European Territories and which are applicable to the Personal Data in question including, where applicable, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR"), the UK Data Protection Act 2018, and any regulations, instruments or codes of practice issues pursuant to that Act, and any applicable associated or supplementary data protection laws or regulations, each as updated, amended or replaced from time to time.
“European Territories” means collectively (i) the European Economic Area (“EEA”), namely the European Union (“EU”) Member States and Iceland, Lichtenstein and Norway, (ii) the United Kingdom (“UK”) and (iii) Switzerland.
“Personal Data” means Data that, alone or in combination with other information, is about, related to, or can be used to identify an identifiable living natural person. For clarity purposes, hashed, truncated, or encrypted versions of the foregoing that are unusable to uniquely identify an individual are not Personal Data for purposes of this DPA.
“Subprocessor” means any third party, appointed by Oversight to process a Client’s Personal Data.
For purposes of this Exhibit 3 DPA, the parties agree that Client is the data controller of Personal Data and Oversight is the data processor of such data.
This DPA applies to the processing of Personal Data by Oversight on behalf of Client.
Oversight will ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Oversight will take all measures required pursuant to Article 32 of the GDPR.
Oversight is prohibited from: (i) selling the Information (as “selling” is defined in §1798.140(t) of the CCPA; (ii) retaining, using, or disclosing the Personal Data for any purpose other than for the specific purpose of performing the services specified in Agreement; and (iii) retaining, using, or disclosing the Personal Data outside of the direct business relationship between Oversight and Client.
Oversight shall immediately inform Client if, in its opinion, an instruction infringes the Data Protection Laws.
3. Processor and Controller Roles and Responsibilities. Oversight will process Personal Data only on documented instructions from Client and as set forth in the Agreement. Any additional or alternate instructions must be agreed to in an amendment to the Agreement. If the GDPR applies and Client is a processor, Client warrants to Oversight that Client’s instructions, including appointment of Oversight as a processor or subprocessor, have been authorized by the relevant controller.
4. Processing Details. The parties acknowledge and agree that:
The subject-matter of the processing is limited to Personal Data within the scope Data Protection Laws;
The duration of the processing shall be for the duration of the term of the Agreement and until all Personal Data is deleted or returned in accordance with the terms of the Agreement;
Client is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to Oversight by or on behalf of Client, and (ii) the means by which Client acquired any such Personal Data;
The nature and purpose of the processing shall be to provide the Services pursuant to the Agreement;
The types of Personal Data processed by Oversight are set forth in Section 9 of this Exhibit 3; and
The categories of data subjects are set forth in Section 10 of this Exhibit 3.
At the choice of Client, Oversight will delete or return all the Personal Data to Client after the end of the provision of the Services and securely delete existing copies unless Data Protection Laws requires the continued storage of the Personal Data.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Client and Oversight shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
the pseudonymization and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
5. Data Subject Rights; Assistance with Requests. Oversight will make available to Client in a manner consistent with the functionality of the Services and Oversight’s role as a processor of the Personal Data of data subjects, the ability to fulfill data subject requests to exercise their rights under Data Protection Laws. Oversight shall comply with reasonable requests by Client to assist with Client’s response to such a data subject request. If Oversight receives a request from Client’s data subject to exercise one or more of its rights under Data Protection Laws in connection with the Services, Oversight will redirect the data subject to make its request directly to Client. Client will be responsible for responding to any such request. Oversight shall comply with reasonable requests by Client to assist with Client’s response to such a data subject request.
6. Records of Processing Activities. Oversight shall maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Client, make them available to Client upon request. Oversight will make available to Client all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Client or another auditor mandated by Client.
Oversight has implemented and maintains appropriate technical and organizational measures to protect Data and Personal Data as set forth in Exhibit 2 to the Agreement. Oversight will make available such other information as is reasonably requested by Client regarding Oversight security practices and policies. Oversight will assist Client in demonstrating compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Oversight.
If Oversight becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data or Personal Data while processed by Oversight (each a “Security Incident”), Oversight will promptly and without undue delay (1) notify Client of the Security Incident; (2) investigate the Security Incident and provide Client with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
Client is solely responsible for complying with its obligations under incident notification laws applicable to Client and fulfilling any third-party notification obligations related to any Security Incident; provided, however, Oversight shall make reasonable efforts to assist Client in fulfilling Client’s obligation under GDPR Article 33 or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.
8. Use of Sub-processors. Oversight will not engage any additional third-party processors without prior written authorization of Client. Oversight will inform Client of any intended addition of third-party processors, thereby giving Client the opportunity to object. If Client objects to the use of a new sub-processor by notifying Oversight in writing within ten (10) business days after receipt of Oversight’s notice, Oversight will use reasonable efforts to recommend a commercially reasonable change to Client’s use of the Services to avoid processing of Personal Data by the objected-to new sub-processor without unreasonably burdening Client. If Oversight is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Client’s sole remedy is to terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Oversight without the use of the objected-to new sub-processor by providing written notice to Oversight. Oversight is liable for the acts and omissions of its sub-processors to the same extent Oversight would be liable if performing the services of each sub-processor directly under the terms of the Agreement.
9. Data Protection Indemnity. Each party will, at its expense, defend, and will indemnify and hold harmless the other party, its Affiliates, and their respective officers, directors, employees, or agents from and against any amounts payable (including costs, expenses or liability, including reasonable attorney’s fees and costs, related to an allegation) resulting from, any third party claim or suit, to the extent such third party claim or suit alleges loss of data or damages resulting from a failure to comply with the provisions set forth in this Exhibit 3.
10. Transfer Mechanisms. Oversight has self-certified to and complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as administered by the US Department of Commerce. Oversight shall maintain such self-certifications to and compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks with respect to the processing of Personal Data that is transferred from European Territories to the United States. Upon Client’s request, Oversight will also enter into the EU Commissions Controller to Processor Standard Contractual Clauses with Client.
Data Subjects may include:
Personnel Client authorizes to access the Service.
Individuals initiating, reviewing, modifying or approving corporate-spend.
Personnel listed as attendees in Client’s expense reports
11. Categories of Data. The categories of Personal Data transferred may contain: company name, employee name, attendee name, title, corporate email address, email contents, corporate telephone number, userid, employee id, IP address, employee-initiated spend details including location, employee home country.