STANDARD CONTRACTUAL CLAUSES
(CONTROLLER TO PROCESSORS)
The data exporter and the data importer, as defined in the signotive Data Processing Agreement or any other agreement or addendum governing the processing of personal data by the data importer on behalf of the data exporter, including all annexes, exhibits, and appendices thereto (“DPA”), have agreed on the following Contractual Clauses (“Clauses”) in order to provide adequate safeguards for the protection of personal data.
Clause 1 – Glossary
To the extent permitted by the Clauses:
(a) The terms ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’, and ‘supervisory authority’ have the same meaning as in European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ refers to the controller responsible for the transfer of personal data;
(c) ‘the data importer’ means the processor who agrees to accept personal data from the data exporter for processing on his behalf following the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system providing adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘subprocessor’ refers to any processor engaged by the data importer or any other subprocessor of the data importer who agrees to receive personal data from the data importer or any other subprocessor of the data importer exclusively for the purpose of processing activities to be performed on behalf of the data exporter following the transfer in accordance with his instructions, the terms of the Clauses, and the terms of the written subcontract;
(e) ‘applicable data protection law’ means the legislation protecting individuals’ fundamental rights and freedoms, in particular their right to privacy in connection with the processing of personal data, that is applicable to a data controller in the Member State where the data exporter is established;
(f) ‘technical and organizational security measures’ means those designed to safeguard personal data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure, or access, particularly where data is transmitted over a network, and against all other unlawful forms of processing.
Clause 2 – Transfer specifics
The specifics of the transfer, including the special categories of personal data that may be sent, are detailed in Appendix 1, which is included in the Clauses.
Clause 3 – Clause relating to third-party beneficiaries
(1) As a third-party beneficiary, the data subject may enforce this Clause, Clauses 4(b) to (i), Clauses 5(a) to (e), and Clauses 5(g) to (j), Clauses 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12.
(2) The data subject may enforce against the data importer this Clause, Clauses 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, if the data exporter has ceased to exist in fact or in law unless a successor entity has assumed the data exporter’s entire legal obligations by contract or by operation of law, in which case the data subject may enforce against the successor entity.
(3) The data subject may enforce against the sub-processor this Clause, Clauses 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, if both the data exporter and the data importer have ceased to exist in fact or in law, or have become insolvent, unless a successor entity has assumed the data exporter’s entire legal obligations by contract or by operation of law, thereby acquiring the data exporter’ The sub-processor’s liability to third parties shall be restricted to its own processing operations pursuant to the Clauses.
(4) The parties do not object to a data subject being represented by an organization or another body if the data subject expressly requests it and national law permits it.
Clause 4 – The data exporter’s obligations
The data exporter certifies and agrees to the following:
(a) that the processing of the personal data, including the transfer itself, has been and will continue to be conducted in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State in which the data exporter is established) and does not violate those provisions;
(b) that it has instructed and will continue to instruct the data importer to process the personal data transferred solely on behalf of the data exporter and in compliance with applicable data protection law and the Clauses;
(c) that the data importer will give enough assurances on the technical and organizational security measures outlined in this contract’s Appendix 2;
(d) that, after considering the requirements of applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access, particularly where data is transmitted over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presupposed;
(e) that it will ensure that security measures are adhered to;
(f) that, where the transfer involves special categories of data, the data subject has been informed or will be informed prior to, or as soon as possible after, the transfer that his or her data may be transmitted to a third country that does not provide an adequate level of protection under Directive 95/46/EC;
(g) to notify the data protection supervisory authority of any notification received from the data importer or any sub-processor according to Clause 5(b) and Clause 8(3) if the data exporter decides to resume the transfer or lift the suspension;
(h) to make available to data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services required to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case the commercial information will be removed;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a subprocessor that complies with the Clauses and provides at least the same degree of protection for personal data and data subject rights as the data importer; and
(j) that it will adhere to Clause 4(a) to (i).
Clause 5 – Importer’s obligations
The data importer certifies and agrees to the following:
(a) to process personal data solely on behalf of the data exporter and in accordance with the data exporter’s instructions and the Clauses; if it is unable to comply for any reason, it agrees to promptly notify the data exporter of its inability to comply, in which case the data exporter is entitled to suspend data transfer and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from carrying out the data exporter’s instructions and fulfilling its contractual obligations and that in the event of a change in this legislation that is likely to have a material adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the data exporter of the change;
(c) that, prior to processing the personal data transferred, it has implemented the technical and organizational security measures indicated in Appendix 2;
(d) that it will promptly notify the data exporter of the following: (i) any legally binding request for disclosure of personal data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to protect the confidentiality of a law enforcement investigation; (ii) any accidental or unauthorized access; and (iii) any request received directly from data subjects without responding to that request, unless otherwise authorized;
(e) to respond immediately and appropriately to all queries from the data exporter on the data exporter’s processing of the personal data subject to the transfer, and to follow the supervisory authority’s advice regarding the data exporter’s processing of the transferred data;
(f) at the data exporter’s request, submit its data processing facilities for auditing the processing activities covered by the Clauses, which shall be conducted by the data exporter or an inspection body composed of independent members with the required professional qualifications and bound by a duty of confidentiality, selected by the data exporter, where applicable, in consultation with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case the commercial information shall be removed, with the exception of Appendix 2, which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed and acquired written agreement from the data exporter;
(i) that the sub-processor will perform the processing services in line with Clause 11;
(j) to quickly provide the data exporter with a copy of any subprocessor agreement it enters into according to the Clauses.
Clause 6 – Liability
(1) The parties agree that any data subject who suffers damage as a result of a breach of any of the duties set forth in Clause 3 or Clause 11 by any party or subprocessor is entitled to compensation from the data exporter.
(2) If a data subject is unable to bring a claim for compensation under paragraph 1 against the data exporter for a breach of any of the data importer’s or subprocessor’s obligations referred to in Clause 3 or Clause 11, because the data exporter has ceased to exist in fact or in law, or has become insolvent, the data importer agrees that the data subject may bring a claim against the data importer in the same manner as if it were the data exporter.
The data importer cannot rely on a subprocessor’s breach of its commitments to absolve itself of its own liabilities.
(3) If a data subject is unable to bring a claim against the data exporter or data importer referred to in paragraphs 1 and 2 arising from a breach by the subprocessor of any of the subprocessor’s obligations referred to in Clause 3 or Clause 11 due to the fact that both the data exporter and data importer have ceased to exist in fact or in law or have become insolvent, the subprocessor agrees that the data subject may bring a claim against the data The subprocessor’s obligation shall be confined to the processing operations described in the Clauses.
Clause 7 – Mediation and jurisdiction
(1) The data importer agrees that if the data subject asserts third-party beneficiary rights against it and/or seeks compensation for damages under the Clauses, the data importer will accept the data subject’s decision: (a) to refer the dispute to mediation, conducted by an independent person or, where applicable, the supervisory authority; or (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
(2) The parties agree that the data subject’s choice will not jeopardize his or her substantive or procedural rights to seek redress under other provisions of national or international law.
Clause 8 – Cooperation with supervisory authorities
(1) The data exporter agrees to deposit a copy of this contract with the supervisory authority if the supervisory authority so requests or if the applicable data protection law requires such deposit.
(2) The parties agree that the supervisory authority may undertake an audit of the data importer and any sub-processor with the same scope and circumstances as an audit of the data exporter under applicable data protection law.
(3) The data importer should quickly notify the data exporter of any applicable legislation limiting the data importer or any subprocessor from conducting an audit in accordance with paragraph 2. In this circumstance, the data exporter may take the measures specified in Clause 5(b).
Clause 9 – Governing Law
The Clauses are governed by the law of the Member State in which the data exporter has its principal place of business.
Clause 10 – Contractual modification
The parties agree to refrain from changing or amending the Clauses. This does not restrict the parties from including terms on business-related matters as necessary, provided they do not contradict the Clause.
Clause 11 – Sub-processing/contracting
(1) Without the prior written approval of the data exporter, the data importer shall not subcontract any of its processing operations done on behalf of the data exporter under the Clauses. Where the data importer, with the consent of the data exporter, subcontracts its obligations under the Clauses, it shall do so only through a written agreement with the subprocessor imposing the same requirements on the subprocessor as those imposed on the data importer under the Clauses. If the subprocessor breaches its data protection responsibilities under such a signed agreement, the data importer remains fully accountable to the data exporter for the subprocessor’s execution of such requirements.
(2) The prior written contract between the data importer and the subprocessor shall also include a third-party beneficiary clause as defined in Clause 3 in the event that the data subject is unable to bring the claim for compensation referred to in Clause 6 paragraph 1 against the data exporter or data importer due to their factual disappearance, legal extinction, or insolvency, and no successor entity has assumed the entire legal obligation. The subprocessor’s liability to third parties shall be restricted to its own processing operations pursuant to the Clauses.
(3) The contents of the contract referred to in paragraph 1 relating to data protection issues for sub-processing shall be controlled by the law of the Member State in which the data exporter is based.
(4) The data exporter shall maintain a list of sub-processing agreements entered into subject to the Clauses and informed by the data importer in accordance with Clause 5 (j), which shall be updated at least once a year. The list shall be made available to the data exporter’s supervisory authority for data protection.
Clause 12 – Obligation following the termination of services for the processing of personal data
(1) The parties agree that upon the termination of data processing services, the data importer and subprocessor will either return all personal data transferred and copies thereof to the data exporter or will destroy all personal data and certify to the data exporter that they have done so unless the data importer is prohibited by applicable legislation from returning or destroying all or part of the personal data. In that event, the data importer guarantees that it will maintain the confidentiality of the personal data supplied and will cease active data processing.
(2) The data importer and the sub-processor warrant that, upon the data exporter’s and/or supervisory authority’s request, they will submit their data processing facilities for an audit of the procedures outlined in paragraph 1.
ANNEX A: ADDITIONAL REQUIREMENTS
(A) Regulation on the Protection of Personal Data: References throughout these Clauses to Directive 95/46/EC shall be construed as references to the General Data Protection Regulation (2016/679) (the “Regulation”), or, if the data exporter is based in the United Kingdom (the “UK”), to the Regulation and/or any UK local law that implements or supplements the Regulation, as applicable, and references to specific articles or provisions of the Directive shall be construed as references to the equivalence.
(B) Subcontracting: For the purposes of Clause 11 of these Clauses, the data exporter consents to the data importer subcontracting any or all of its data processing operations in line with the DPA.
(C) Data importers located in suitable countries: To the extent that RAYATT Australia Pty. Ltd. is the data controller and processor under these Clauses and is:
(i) established in a jurisdiction recognized by the European Commission (or, if the data exporter is based in the United Kingdom, by the relevant authorities in the United Kingdom) as providing an adequate level of protection for personal data, the terms of the DPA regarding transfers of personal data to other countries shall apply, with the exception that these Clauses shall apply only to onward transfers of imported data to RAYATT’s sub-processors located in a jurisdiction recognized by the European Commission (or if the data
(ii) RAYATT Australia Pty. Ltd., which is incorporated in a jurisdiction not recognized by the European Commission as providing an acceptable level of protection for personal data, shall be the data importer for the purposes of these Clauses.
(D) Exporters of personal data located outside the European Economic Area: To the extent that an exporter of personal data pursuant to these Clauses is located outside the European Economic Area, these Clauses shall apply only to transfers of personal data relating to individuals residing within the European Economic Area. In such situations, references to “Member State” must be construed as references to the Member State applicable to the data exporter’s processing operations in connection with these Clauses that pertain to personal data of individuals located within the European Economic Area.
(E) Instructions: For the purposes of Clause 5(a) of the Standard Contractual Clauses, the processing described in the DPA and any other mutually agreed written instrument between the data exporter and data importer constitutes data exporter’s instructions to data importer to process Personal Data on data exporter’s behalf at the time of entering the DPA and/or such written instrument. Any extra or alternative instructions must adhere to the DPA’s requirements.
(F) Suspension of Data Transfers and Termination: If the data exporter wants to stop the transfer of personal data and/or terminate these Clauses in accordance with Clause 5(a), it shall notify the data importer and provide the data importer with a 30-day cure period (“Cure Period”). If the data importer does not remedy the non-compliance within the Cure Period or is unable to do so, the data exporter may immediately suspend or cancel the transfer of personal data. The data exporter is exempt from providing this warning if it believes that there is a serious risk of harm to data subjects or their personal data. Regardless of any other terms in this Section F, if these Clauses cease to be an adequate safeguard for the transfer of personal data in accordance with applicable data protection law as a result of a binding decision by a competent supervisory authority, the terms of the DPA regarding necessary modifications in response to legislative and regulatory changes shall apply.
(G) Assistance of the data importer: If the data exporter wishes to conduct an assessment of these Clauses’ suitability for protecting the personal data being transferred, the data importer shall provide reasonable assistance to the data exporter in conducting such an assessment.
(H) Audit Rights: The data exporter acknowledges and accepts that it will exercise its audit rights under Clauses 5(f) and 12.2 by requiring the data importer to adhere to the DPA’s audit measures.
(I) Transfers from Switzerland: Notwithstanding Section D above, these Clauses shall be read in line with Swiss legislation for data transfers from a data exporter based in Switzerland. In such cases, references to Directive 95/46/EC throughout these Clauses shall be construed as references to applicable Swiss legislation on data protection, privacy, data security, and the handling of personal information applicable to the data exporter, and defined terms in Clause 1 shall have the meanings assigned to them (or reasonably equivalent terms) in such legislation. The term “Member State” should be construed as referring to Switzerland. Without limiting Section A above, the parties agree that with respect to data transfers, where applicable privacy laws define “personal data” (or a reasonably equivalent term) to include information relating to legal entities, references to “personal data” in these Clauses shall include such information. Additionally, the parties agree that, as required by applicable law or at the request of the relevant supervisory authority, they will perform any additional acts reasonably necessary to give effect to this Section H, including (but not limited to) the execution of all papers.
APPENDIX 1 to the Uniform
Commercial Code
Exporter of data
The data exporter is the entity specified in the DPA as a “Customer” or “Controller.”
Importer of data
The data importer is RAYATT Australia Pty. Ltd., a web service provider, and/or its sub-processor (as that word is defined in the DPA), as decided by RAYATT Australia Pty. Ltd. in accordance with the DPA’s provisions regarding cross-border data transfers.
Data subjects
The transferred personal data relates to the categories of data subjects outlined in the DPA.
Data classifications
The personal data transferred are classified according to the DPA’s definitions.
Operational processing
Personal data transferred shall be processed in accordance with the DPA’s basic processing activities as described in Annex 1 to the DPA.
APPENDIX 2 to the Uniform
Commercial Code
The following is a description of the technical and organizational security measures that the data importer has adopted in compliance with Clauses 4(d) and 5(c) (or the document/legislation attached):
The data importer has implemented the technical and organizational security measures specified in the DPA.
Last modified on January 4, 2022.