Privacy at iResearch Services Is More Than Just a Policy.
Our privacy program is not about long documents and fancy words, nor is it for mere legal compliance. It’s about genuinely caring about your privacy and doing right by you and your data.
Together with iResearch Services’ privacy, security, and legal teams, we set out to build and lead our privacy program to new heights. We continue to empower our clients who trust us with their data and protect the privacy of those millions of individuals whose data we store.
Our clients’ and respondents’ data belongs to them. Your personal data is yours. We’re here to secure that, honor your trust in us, and ensure that your privacy and rights are protected.
- If you have read through everything and still haven’t found what you were looking for, or if you have any suggestions on how we can improve, please drop us a line at email@example.com.
- We appreciate any and all feedback received, as we look to do our best by you and your data.
Data Protection Officer at iResearch Services – firstname.lastname@example.org
iResearch Services is responsible for how it holds your personal information. When we say “we” in this notice, this means iResearch Services Pvt. Ltd., India and its 100% wholly owned subsidiaries. We are required by law to look after the information we hold about you; this notice tells you how we do this.
Personal information is any information which is about you, from which you can be identified.
What Is a DPO?
Data Protection Officers (DPOs) act as independent advocates for the proper care and use of customers’ information. The role of a data protection officer was formally laid out by the European Union as part of its General Data Protection Regulation (GDPR). The data protection officer keeps up with laws and practices around data protection, conducts privacy assessments internally, and ensures that all other matters of compliance pertaining to data are up to date.
What Personal Information Might We Hold About You?
We do not process any special category data, only common category data, such as:
- Your full name and photograph;
- Your work/home address, work/home telephone number, and mobile number;
- Your work/personal email address;
- Device ID, including IP address;
- Browser and device information, including operating system;
- Aggregated information such as “click stream” data, including entry and exit points for the Websites (including referring URLs or domains), certain Websites traffic statistics, page views, and impressions;
- Geolocation (if using a mobile application and you consent to providing it);
Information We Receive From, and Share With, Other People or Companies
We may receive your information from gated downloads, contact us forms, direct emails, mailers, direct dials, tradeshows, client-provided lists, and/or subscriptions. This will include your name, email address, and phone number. We may use the information you provide to contact you in order to fulfil your requests.
We may also gather your personal information from paid or free database providers and/or social media with whom you consented to have your personal information listed. These may include wide-ranging licensed and unlicensed databases. We may use the available personal information to contact you for survey research and/or lead generation, with your consent where applicable, and you will always have the right to object to the processing of your data. We may do so on the directive of our clients, to service their reasonable business requirements.
We may share your data as necessary to maintain the usual course of business operations, which includes the licensed software used by iResearch Services. These include:
- Office365 owned by Microsoft is our partner delivering our business suite of tools used by our staff to communicate and deliver our core services.
- Cookie Yes and Open Sense platforms used by our marketing teams to analyse data and connect with our current and potential clients.
- Monday.com owned by Roy Mann and Eran Zinman is a cloud-based project collaboration software used by our operations team to manage, measure, store and monitor entire operational functions.
- Mailchimp, a cloud-based marketing automation platform, which is used by our teams for email marketing, engaging with our current and potential clients to build our brand.
These licenses are granted to individuals who are working with iResearch Services as full-time or part-time employees. The servers storing your personal information might be located outside the European Economic Area and may change at the discretion of the service providers. We take all steps reasonably and legally necessary to ensure that your information is safe.
Also, when you request pages on our websites, our servers automatically log your internet protocol (IP) address. The IP address is a unique number assigned to your computer to identify it whenever you are surfing the Web. We use the IP address to understand the web pages you visit. The IP address does not identify you personally, but it allows us to maintain communications with you as you move about the Website. Generally, these types of data elements (“Other Information”) do not reveal your identity and do not relate directly to you or any other individual.
If we are processing your personal data in order to fulfil our contractual obligations to you, then you can submit a request that we transfer your personal data to another data controller.
We rely on cloud-based software applications and other technology provided by other people to handle your information. These include our dialer systems, survey scripting systems, text and email messaging communications, and co-ordination tools. The companies we use to deliver these applications are carefully chosen by us to ensure that your information is kept secure. We may share your details under special circumstances such as when we believe in good faith that it is required by law.
Third Party Processors
Our carefully selected partners and service providers may process personal information about you on our behalf as described below:
Digital Marketing Service Providers
We periodically appoint digital marketing agents to conduct marketing activity on our behalf, and such activity may result in the compliant processing of personal information. Our appointed data processors include:
We have a custom CRM service provider who may access your personal information for purposes of compliant database maintenance activities. Our appointed data processors include:
You can contact “App It Simple” at +1 740-848-2535 or email at email@example.com
How We Use Your Information
We will use the information you give us as necessary to provide you with the information and services that you request from us (to service you, and to deal with any queries you may have). We also use your information to promote the objects and interests of our company, to ensure the most efficient management, to ensure that our legal obligations are adhered to, and as part of our systems. As we are communicating with you in the context of your corporate activity and identity and not in relation to your private life, we believe this to be reasonable and fair behaviour in the context of our audience. Of course, you will always have the opportunity to object as detailed below. These uses are known as “legitimate interests”.
Where We Need Your Consent
We will seek your permission if we decide to post any photographs of you on any of our marketing materials (including our brochures or website); you may withdraw your permission should you wish.
Transfer of Personal Information Outside the Country
Sometimes your information will need to be transferred to and stored outside the EU & UK. We try to limit this, but it may be necessary where, e.g. one of our suppliers stores your information outside Europe. There are Standard Contractual Clauses present in such cases which safeguard your information.
- Right to request access to your personal information (a “subject access request” or “SAR”) https://www.iresearchservices.com/privacy-dsar.
- Right to request correction of the personal information that we hold about you.
- Right to request deletion of your personal information.
- Right to object to processing of your personal information.
- Right to request the restriction of processing of your personal information.
- Right to request the transfer of your personal information to another organization.
- Right to complain to the Information Commissioner’s Office about what we are doing with your information: https://ico.org.uk/concerns/.
- Right to complain to your respective European DPA about what we are doing with your information: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Automated Decision Making
iResearch Services does not currently use any automated decision-making tools; should we start using them, this policy will be updated accordingly.
How Long We Keep Your Personal Information For
We will not keep any personal information about you for any longer than is necessary. We follow a personal data retention policy which determines how long we keep specific types of personal information. For further information you can contact firstname.lastname@example.org. For any data provided to us by our clients, we are governed by their data retention rules as specified by them.
Link to Other Websites
We may publish content on our website from other sites; this privacy notice does not extend to other websites and organizations. We encourage you to read the privacy statements on the other websites you visit.
California Consumer Privacy Act (CCPA)
We at iResearch Services value your privacy, which is why we have taken the necessary precautions to follow the California Consumer Privacy Act (CCPA). You can opt out of the processing of your data at any time with effect for the future (Right to Opt Out). The CCPA gives consumers the ability to direct a business not to sell or share their personal information with a third party. Additionally, you can exercise your rights under the CCPA by contacting us at email@example.com.
Changes to This Privacy Notice
We may change this notice. Please be sure you are aware of these policy terms while you use our site. Should our terms change, the changes will be shown on this page.
Contact Us if You Have Further Questions
If you have any questions about this notice, then please speak to your project manager or sales representative. We have a Data Protection Co-Ordinator, Siddharth Srinivasan, who can explain in more detail how your information is looked after. Our Data Protection Officer has overall responsibility for your information; if you need further information, please email firstname.lastname@example.org.
The contact details for our EU Representative are as below:
Company Name: Instant EU GDPR Representative Ltd
Name: Adam Brogden
Tel: +353 15 549 700
DSAR Link: https://www.iresearchservices.com/privacy-dsar
EU Dublin Address: INSTANT EU GDPR REPRESENTATIVE LIMITED, Office 2, 12A Lower Main Street, Lucan, Co. Dublin, K78 X5P8, Ireland
iResearch Services uses certain monitoring and tracking technologies, such as cookies, beacons, pixels, tags, and scripts (collectively, “Cookies”). These technologies are used in order to provide, maintain, and improve our website and platform or any other website or webpage operated by us (the “Services”), to optimize our offerings and marketing activities, and to provide our visitors, customers, and users (“you”) with a better experience (for example, in order to track users’ preferences, to better secure our Services, to identify technical issues, and to monitor and improve the overall performance of our Services).
What Are Cookies?
Cookies are small text files stored through the browser on your computer or mobile device (for example, Google Chrome or Safari). They allow websites to store information like user preferences. You can think of Cookies as providing a so-called ‘memory’ for the website so that it can recognize you when you come back and respond appropriately. Cookies are typically classified as either ‘session cookies,’ which are automatically deleted when you close your browser, or ‘persistent cookies,’ which will usually remain on your device until you delete them or they expire.
iResearch Services uses several different types of Cookies on our website and platform:
Performance Cookies: This type of Cookie helps us secure and better manage the performance of our Services. It remembers your preferences for features found on the Services, so you don’t have to reset them each time you visit.
Analytics Cookies: Every time you visit our Services, the analytics tools and services we use generate Cookies that can tell us (so long as they are allowed and not deleted) whether or not you have visited our Services in the past and provide additional information regarding how visitors and users use our Services (such as how many visitors we have on a certain landing page, how often they visit, or where users tend to click on our Services). Your browser will tell us if you have these Cookies. If you don’t have them but allow new Cookies to be placed, we will typically generate and place new ones.
Registration Cookies: When you register and sign into our Services, we generate Cookies that let us know whether you are signed in or not and maintain your login session.
Our servers use these Cookies to work out which account on our Services you are signed into and if you are allowed access to a particular area or feature on such account.
While you are signed in to our Services, we combine information from your Registration Cookies with Analytics Cookies, which we could use to learn, for example, which pages you have visited.
Marketing & Advertising Cookies: These Cookies allow us to know whether or not you’ve seen an ad or a type of ad online, how you interacted with such an ad, and how long it has been since you have seen it.
We also set Cookies on certain other sites that we advertise on. If you receive one of those Cookies, we may use it to identify you as having visited that site and viewing our ad there if you later visit our Services. We can then target our advertisements based on this information.
Third-Party Integration Cookies: On some pages of our Services, other organizations may also set their own Cookies. They do this to enable and improve the performance and interoperability of their applications, features, or tools integrated with our Services to track their performance or customize their services for you.
How Can You Turn Cookies Off (or Remove Them)?
All modern web browsers allow you to change your Cookie settings. You can usually find these settings in the ‘Options’ or ‘Preferences’ menu of your browser. In order to understand these settings, the following links to ‘cookies’ help pages may be helpful. You can also use the ‘Help’ option in your browser for more details.
If you are primarily concerned about third-party Cookies generated by advertisers and live in the US, Canada, or Europe, you can also opt out from the collection of your data by our advertising partners who participate in the Digital Advertising Alliance. Opt out by visiting:
To find out more about Cookies and their use on the Internet, you may find the following websites useful:
‘Do Not Track’ Signals
Some web browsers may transmit ‘Do Not Track’ signals to websites with which the browser communicates, telling the website not to follow its online movements. Because of differences in how web browsers interpret this feature and send those signals and a lack of standardization, it is not always clear whether visitors and users intend for these signals to be transmitted or whether they are even aware of them. Therefore, like many other reputable websites and online platforms, we currently do not respond to such ‘Do Not Track’ signals.
This Data Processing Addendum (“DPA”) is incorporated by reference into XXX Terms of Service agreement governing the use of XXX services (“Agreement”) entered by and between you, the client (as defined in the Agreement as iResearch Services Pvt. Ltd.) (collectively, “you,” “your,” “Client”), and XXX (“XXX,” “us,” “we,” “our”) to reflect the parties’ agreement with regard to the Processing of Personal Data by XXX solely on behalf of Client. Both parties shall be referred to as the “Parties” and each a “Party.”
Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
By using the Services, Client accepts this DPA, and you represent and warrant that you have full authority to bind Client to this DPA. If you cannot or do not agree to comply with and be bound by this DPA or do not have the authority to bind Client or any other entity, please do not provide/process Personal Data. In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.
(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
(b) “Authorized Affiliate” means any Client Affiliate(s) that is explicitly permitted to use the Services pursuant to the Agreement between Client and XXX but has not signed its own agreement with XXX and is not a “Client” as defined under the Agreement.
(c) “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. and its implementing regulations, as may be amended from time to time.
(d) The terms “Controller,” “Member State,” “Processor,” “Processing,” and “Supervisory Authority” shall have the same meaning as in the GDPR. The terms “Business,” “Business Purpose,” “Consumer,” and “Service Provider” shall have the same meaning as in the CCPA.
For clarity, within this DPA, “Controller” shall also mean “Business,” and “Processor” shall also mean “Service Provider” to the extent that the CCPA applies. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider.
(e) “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including those of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel, and the United States of America, including the GDPR, the UK GDPR, and the CCPA, applicable to and in effect at the time of the Processing of Personal Data hereunder.
XXX Data Processing Addendum – November 2022
(f) “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
(g) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
(h) “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer, which is processed by XXX solely on behalf of Client under this DPA and the Agreement.
“Services” means the cloud-based work operating system platform (“Platform”) and any other services provided to Client by XXX under the Agreement.
(i) “Security Documentation” means the security documentation, as updated from time to time, setting forth the technical and organizational measures adopted by XXX that are applicable to the Processing of Personal Data by XXX under the Agreement and this DPA accessible via www.XXX/trustcenter/datasecure, or as otherwise made reasonably available to Client by XXX.
(j) “Sensitive Data” means Personal Data that is protected under special legislation and requires unique treatment, such as “special categories of data,” “sensitive data,” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: 1) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); 2) financial or credit information, credit or debit card number; 3) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life or sexual orientation, or data relating to criminal convictions and offenses; 4) Personal Data relating to children; and/or 5) account passwords in unhashed form.
(k) “Standard Contractual Clauses” means 1) in respect of transfers of Personal Data subject to the GDPR, the Standard Contractual Clauses between controllers and processors (located here), as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including all Annexes I, II, and V thereto, (”EU SCCs”), 2) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (version B.1.0), as incorporated into the EU SCCs through Annex III thereto (“UK Addendum”); 3) in respect of transfers subject to the Federal Act on Data Protection (FADP – as revised as of 25 September 2020), the terms set forth in Annex IV of the EU SCCs (“Switzerland Addendum”).
(l) “Sub-processor” means any third party that carries out specific Processing activities of Personal Data under the instruction of XXX.
(m) “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
2. Processing of Personal Data
2.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data solely by XXX on behalf of Client: (a) Client is the Controller of Personal Data, and (b) XXX is the Processor of such Personal Data. The terms “Controller” and “Processor” below signify Client and XXX, respectively.
2.2 Client’s Obligations. Client, in its use of the Services, and Client’s instructions to the Processor, shall comply with Data Protection Laws, the Agreement, and this DPA. Client shall establish and have any and all required legal bases in order to collect, Process, and transfer to Processor the Personal Data and authorize the Processing activities conducted by Processor on Client’s behalf in accordance with the Agreement and this DPA, including the pursuit of a Business Purpose.
2.3 Processor’s Processing of Personal Data. Processor shall Process Personal Data for the following purposes: (a) in accordance with the Agreement and this DPA; (b) in connection with its provision of the Services; (c) to comply with Client’s reasonable and documented instructions, where such instructions are consistent with the terms of the Agreement and this DPA and regard the manner in which the Processing shall be performed; and (d) as required under the laws applicable to Processor, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Processor shall inform Client of the legal requirement before Processing unless such law or order prohibits disclosing such information.
Processor shall inform Client without undue delay if, in Processor’s reasonable opinion, an instruction for the Processing of Personal Data given by Client infringes applicable Data Protection Laws, unless Processor is prohibited from notifying Client under applicable Data Protection Laws. It is hereby clarified that Processor has no obligation to assess whether instructions by Client infringe any Data Protection Laws.
2.4 Details of Processing. The subject matter of Processing of Personal Data by Processor is the performance of the Services pursuant to the Agreement and this DPA. The details relating to the duration, nature and purpose, types of Personal Data, and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) of this DPA.
2.5 Sensitive Data. The Parties agree that the Services are not intended for the Processing of Sensitive Data and that if Client wishes to use the Services to Process Sensitive Data, it must first obtain explicit prior written consent from XXX and enter into any additional agreements as may be required by XXX.
2.6 CCPA Standard of Care; No Sale of Personal Information. Processor acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Processor provides to Client under the Agreement or this DPA. Processor shall not have, derive, or exercise any rights or benefits regarding Personal Information Processed on Client’s behalf, nor shall it combine the Personal Information submitted to the Platform and Processed on Client’s behalf with any information it processes on behalf of any other parties by way of logical separation and may use and disclose Personal Information solely for the purposes for which such Personal Information was provided to it, as stipulated in the Agreement and this DPA. Processor certifies that it understands the rules, requirements, and definitions of the CCPA – in instances where Processor may qualify as Service Provider as defined in the CCPA – and agrees to refrain from selling and/or sharing (as such term is defined in the CCPA) any Personal Information Processed hereunder without Client’s prior written consent or instruction, nor take any action that would cause any transfer of Personal Information to or from Processor under the Agreement or this DPA to qualify as “selling” or “sharing” such Personal Information under the CCPA.
3. Data Subject Requests
If Processor receives a request from a Data Subject or Consumer to exercise their rights (to the extent available to them under applicable Data Protection Laws) of access, right to rectification, restriction of Processing, erasure, data portability, objection to the Processing, their right not to be subject to automated individual decision making, to opt-out of the sale of Personal Information, or the right not to be discriminated against (“Data Subject Request”), Processor shall notify Client or refer Data Subject or Consumer to Client. Taking into account the nature of the Processing, Processor shall assist Client insofar as this is possible and reasonable to enable Client to respond to a Data Subject Request. Processor may refer Data Subjects or Consumers to the Client’s Admin for the treatment of such request or advise them on using the self-exercising features available within the Platform.
Processor shall ensure that its personnel and contractors engaged in the Processing of Personal Data have committed themselves to confidentiality or are otherwise under a statutory obligation of confidentiality.
5.1 Appointment of Sub-processors.
Client acknowledges and agrees that (a) Processor’s Affiliates may be engaged as Sub-processors; and (b) Processor and Processor’s Affiliates may each engage third-party Sub-processors in connection with the provision of the Services.
5.2 List of Current Sub-processors and Notification of New Sub-processors.
5.3 As of the Effective Date, Client hereby grants Processor general written authorization to engage with the Sub-processors set out at www.XXX/terms/subprocessors (“Sub-processor’s Page”), which are currently used by Processor to process Personal Data.
The Sub-processor’s Page offers a mechanism to subscribe to notifications of the engagement of new and replacement of existing Sub-processors (“Sub-processor Notice”), and Client acknowledges that it shall subscribe to this mechanism upon entering this DPA and that the notifications sent through this mechanism fulfill the Processor’s obligations to notify Client of the appointment of a new or replacement of an existing Sub-processor.
5.4 Objection to New Sub-processors. Pursuant to the publication of a new Sub-processor Notice, Client may reasonably object to Processor’s use of a new or replacement of a Sub-processor for reasons relating to the protection of Personal Data intended to be Processed by such Sub-processor. Such objection must be submitted promptly by notifying Processor in writing to privacy@XXX within seven (7) days following the publication of a new Sub-processor Notice, in which Client shall detail the reasons for the objection to using such new Sub-processor. Where Client has not objected within such seven (7) day period in the manner described above, the use of the new Sub-Processor shall be deemed accepted by Client. In the event Client reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Processor will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Client. If Processor is unable to make available such change within thirty (30) days following receipt of the objection, Client may, as a sole remedy, terminate the Agreement and this DPA with respect only to those elements of the Services which cannot be provided by Processor without the use of the objected-to new Sub-processor, by providing written notice to Processor. All amounts outstanding under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Processor. Until a decision is made regarding the new Sub-processor, Processor may temporarily avoid or cease the Processing of the affected Personal Data and/or suspend access to the Services. 
Client will have no further claims against Processor due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
5.5 Agreements with Sub-processors. Processor or a Processor’s Affiliate has entered into a written agreement with each existing Sub-processor and shall enter into a written agreement with each new Sub-processor containing the same or materially similar data protection obligations as set out in this DPA, in particular obligations to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR. Where a Sub-processor fails to fulfill its data protection obligations concerning its Processing of Personal Data, Processor shall remain responsible to the Client for the performance of the Sub-processor’s obligations.
6. Security & Audits
6.1 Controls for the Protection of Personal Data. Processor shall maintain appropriate industry-standard technical and organizational measures for the protection of Personal Data Processed hereunder (including measures against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of or access to Personal Data or confidentiality and integrity of Personal Data). Upon Client’s reasonable request, Processor will reasonably assist Client, at Client’s cost and subject to the provisions of Section 11.1 below, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and the information available to Processor.
6.2 Audits and Inspections. Upon Client’s 14 days prior written request at reasonable intervals (but no more than once every 12 months), and subject to strict confidentiality undertakings by Client, Processor shall make available to Client that is not a competitor of Processor (or Client’s independent, reputable, third-party auditor that is not a competitor of Processor and not in conflict with Processor, subject to their confidentiality and non-compete undertakings) information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by them. Processor may satisfy its obligations under this section by answering Client’s questionnaire-based audits and/or by providing Client with attestations, certifications, and summaries of audit reports conducted by accredited third-party auditors solely related to Processor’s compliance with this DPA. Any information relating to audits, inspections, and the results therefrom, including the documents reflecting the outcome thereof, shall only be used by Client to assess Processor’s compliance with this DPA and shall not be used for any other purpose or disclosed to any third party without Processor’s prior written approval. Upon Processor’s first request, Client shall transfer to Processor all records or documentation that was provided by Processor or collected and/or generated by Client (or each of its mandated auditors) in the context of the audit and/or the inspection.
6.3 In the event of an audit or inspection as set forth above, Client shall ensure that it (and each of its mandated auditors) will not cause (or, if it cannot avoid, will minimize) any damage, injury, or disruption to Processor’s operations, premises, equipment, personnel, and business, as applicable, while conducting such audit or inspection.
The audit rights set forth in 6.2 above shall only apply to the extent that the Agreement does not otherwise provide Client with audit rights that meet the relevant requirements of Data Protection Laws (including, where applicable, article 28(3)(h) of the GDPR or the UK GDPR). If and to the extent that the Standard Contractual Clauses apply, nothing in this Section 6 varies or modifies the Standard Contractual Clauses nor affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses.
7. Data Incident Management and Notification
7.1 Processor maintains internal security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, shall notify Client without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Processor on behalf of Client (a “Data Incident”). Processor shall make reasonable efforts to identify and take those steps as Processor deems necessary and reasonably designed to remediate and/or mitigate the cause of such Data Incident to the extent the remediation and/or mitigation is within Processor’s reasonable control. The obligations herein shall not apply to Data Incidents that are caused by Client, its Users, or anyone who uses the Services on Client’s behalf.
Client will not make, disclose, release, or publish any finding, admission of liability, communication, notice, press release, or report concerning any Data Incident which directly or indirectly identifies Processor (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Processor’s prior written approval, unless and solely to the extent that Client is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Client shall provide Processor with reasonable prior written notice to provide Processor with the opportunity to object to such disclosure, and in any case, Client will limit the disclosure to the minimum scope required by such laws.
8. Return and Deletion of Personal Data
Following termination of the Agreement and cessation of the Services, at the choice of Client (indicated through the Platform or in written notification to Processor), Processor, upon notice by Client, shall delete or return to Client all Personal Data it Processes on behalf of the Client in the manner described in the Agreement, unless laws applicable to Processor require or permit otherwise.
9. Cross-Border Data Transfers
9.1 Transfers from the EEA, Switzerland, and the United Kingdom to countries that offer an adequate level of data protection. Personal Data may be transferred from EU Member States and Norway, Iceland, and Liechtenstein (collectively, “EEA”), Switzerland, and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant authorities of the EEA, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
Transfers from the EEA, Switzerland, and the United Kingdom to other countries. If the Processing of Personal Data by Processor includes a transfer (either directly or via onward transfer):
(i) from the EEA to other countries that have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative compliance mechanism recognized by Data Protection Laws (as may be adopted by Processor at its own discretion) (“EEA Transfer”), the terms set forth in the EU SCCs shall apply;
(ii) from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative compliance mechanism recognized by Data Protection Laws (as may be adopted by Processor at its own discretion) (“UK Transfer”), the terms set forth in the UK Addendum shall apply;
(iii) from Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative compliance mechanism recognized by Data Protection Laws (as may be adopted by Processor at its own discretion) (“Switzerland Transfer”), the terms set forth in the Switzerland Addendum shall apply;
(iv) the terms set forth in Annex V of the EU SCCs (Additional Safeguards) shall apply to any EEA Transfer, UK Transfer, and Switzerland Transfer, where the Standard Contractual Clauses apply.
9.2 Transfers from other countries. If the Processing of Personal Data by Processor includes a transfer of Personal Data by and/or mandated by Client to Processor from any other jurisdiction which mandates a particular compliance mechanism for the lawful transfer of such data be established, Client shall notify Processor of such applicable requirements, and the Parties may seek to make any necessary amendments to this DPA in accordance with provisions of Section 11.2 below.
10. Authorized Affiliates
10.1 Contractual Relationship. The Parties acknowledge and agree that by executing this DPA, Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, in which case each Authorized Affiliate agrees to be bound by the Client’s obligations under this DPA, if and to the extent that Processor Processes Personal Data on behalf of such Authorized Affiliates, thus qualifying them as the “Controller” with respect to the Personal Data Processed on their behalf. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA, and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Client.
10.2 Communication. Client shall remain responsible for coordinating all communication with Processor under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
11. Other Provisions
11.1 Data Protection Impact Assessment and Prior Consultation. Upon Client’s reasonable request, Processor shall provide Client, at Client’s cost, with reasonable cooperation and assistance needed to fulfill Client’s obligation under the GDPR or the UK GDPR (as applicable) to carry out a data protection impact assessment related to Client’s use of the Services to the extent Client does not otherwise have access to the relevant information and to the extent such information is available to Processor. Processor shall provide, at Client’s cost, reasonable assistance to Client in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 11.1 to the extent required under the GDPR or the UK GDPR, as applicable.
11.2 Modifications. Each Party may, by at least forty-five (45) calendar days prior written notice to the other Party, request in writing any variations to this DPA if they are required as a result of any change in applicable Data Protection Laws to allow Processing of Client Personal Data to be made (or continue to be made) without breach of such Data Protection Laws. Pursuant to such notice, the Parties shall use commercially reasonable efforts to accommodate such required modification and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements under applicable Data Protection Law as identified in Client’s or Processor’s notice as soon as is reasonably practicable. In addition, Processor may amend this DPA from time to time without notice, provided that such changes are not adverse in any material aspect with respect to the Client’s rights or Processor’s obligations (e.g., fixing errors and typos, making technical adjustments, or for any other reason Processor deems necessary). For clarity, if Processor makes any material adverse change to Client’s rights or Processor’s obligations, Processor will notify Client by posting an announcement on the site via the Service and/or by sending an email.
IN WITNESS WHEREOF, the parties have caused this DPA to be executed by their duly authorized representatives to be effective as of the Effective Date.
Name: Siddharth Srinivasan
iResearch Services Pvt. Ltd
Schedule 1 – Details of the Processing
Nature and Purpose of Processing
1. Providing the Services to Client;
2. Performing the Agreement, this DPA and/or other contracts executed by and between the Parties;
3. Acting upon Client’s instructions, where such instructions are consistent with the terms of
4. Sharing Personal Data with third parties in accordance with Client’s instructions and/or pursuant to Client’s use of the Services (e.g., integrations between the Services and any services provided by third parties, as configured by or on behalf of Client to facilitate the sharing of Personal Data between the Services and such third-party services);
5. Complying with applicable laws and regulations;
6. All tasks related to any of the above.
Duration of Processing
Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Personal Data for the duration of the Agreement and provision of the Services thereunder, unless otherwise agreed upon in writing.
Type of Personal Data
Client may submit Personal Data to the Services, the type and extent of which is determined and controlled by Client in its sole discretion.
Categories of Data Subjects
The Categories of Data Subjects relating to the Personal Data that will be processed by Processor are dependent on the Client and may include, but are not limited to, any of the following categories:
- Employees, agents, advisors, and freelancers of Client (who are natural persons)
- Prospects, Clients, business partners, and vendors of Client (who are natural persons)
- Employees or contact persons of Client’s prospects, clients, business partners, and vendors
- Any other third-party individual with whom Client decides to communicate through the Services.
These Standard Contractual Clauses are attached to and form part of the XXX Services Data Processing Addendum agreement (the “DPA”) between Client (iResearch Services Pvt. Ltd) and XXX Services, governing the processing of Personal Data contained in Client’s data. Unless otherwise defined in this attachment, capitalized terms used in these Standard Contractual Clauses have the meanings given to them in the DPA.
Clause 1 – Purpose and scope
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies, or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A (hereinafter each “data exporter”), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2 – Effect and invariability of the Clauses
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3 – Third-party beneficiaries
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), and 8.9(a), (c), (d), (e);
(iii) Clause 9(a), (c), (d) and (e);
(iv) Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18(a) and (b).
(b) Paragraph (a) is without prejudice to the rights of data subjects under Regulation (EU) 2016/679.
Clause 4 – Interpretation
(a) Where these Clauses use terms defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with the rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5 – Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6 – Description of the transfer(s)
The details of the transfer(s), particularly the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 – Optional
Section II – Obligations of the Parties
Clause 8 – Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.
8.1 Instructions
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy and data minimization
If the data importer becomes aware that the personal data it has received is inaccurate or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular, the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context, and purpose(s) of processing, and the risks involved in the processing for the data subjects. The Parties shall, in particular, consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In the case of pseudonymization, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organizational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management, and monitoring of the contract. It shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences, and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and insofar as it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular, to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise, or defense of legal claims in the context of specific administrative, regulatory, or judicial proceedings; or
(iv) the onward transfer is necessary to protect the vital interests of the data subject or another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
(a) The data importer shall promptly and adequately deal with inquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and, at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9 – Use of sub-processors
(a) The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least ten (10) business days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that by complying with this Clause, the data importer fulfills its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfill its obligations under that contract.
(e) The data importer shall agree to a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law, or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10 – Data subject rights
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorized to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests exercising their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organizational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11 – Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organization, or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12 – Liability
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable, and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13 – Supervision
(a) Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as the competent supervisory authority.
Where the data exporter is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to inquiries, submit to audits, and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
Section III – Local Laws and Obligations in Case of Access by Public Authorities
Local laws and practices affecting compliance with the Clauses
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used, intended onward transfers, the type of recipient, the purpose of processing, the categories and format of the transferred personal data, the economic sector in which the transfer occurs, and the storage location of the data transferred;
(ii) the laws and practices of the third country of destination, including those requiring the disclosure of data to public authorities or authorizing access by such authorities, relevant in light of the specific circumstances of the transfer and the applicable limitations and safeguards;
(iii) any relevant contractual, technical, or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfill its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g., technical or organizational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Obligations of the data importer in case of access by public authorities
15.1 Notification
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request, and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimization
(a) The data importer agrees to review the legality of the request for disclosure, in particular, whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law, and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure based on a reasonable interpretation of the request.
Section IV – Final Provisions
Non-compliance with the Clauses and termination
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b), and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall, at the choice of the data exporter, immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Governing law
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.
Choice of forum and jurisdiction
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of the Republic of Ireland.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
A. LIST OF PARTIES
Data exporter:
Name: The entity identified as “Client” in the DPA or the Agreement.
Address: The address of Client as specified in the DPA or the Agreement.
Contact person’s name, position and contact details: The contact details associated with Client, as specified in the DPA or the Agreement.
Activities relevant to the data transferred under these Clauses: The activities specified in Section 2.3 and Schedule 1 of the DPA.
Signature and date: By entering into the Agreement and DPA and using the Services for EEA Transfers, the data exporter is deemed to have signed these Standard Contractual Clauses and their respective Annexes.
Role (controller/processor): Controller
Data importer:
Name: XXX Services as identified in the DPA.
Address: the address of XXX Services as specified in the Agreement.
Contact person’s name, position, and contact details: The contact details of XXX Services as specified in the Agreement.
Activities relevant to the data transferred under these Clauses:
The activities specified in Section 2.3 and Schedule 1 of the DPA.
Signature and date: By entering into the Agreement and DPA and engaging in EEA Transfers as the data importer on behalf of the data exporter, the data importer is deemed to have signed these Standard Contractual Clauses and their respective Annexes.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
The categories of data subjects are described in Schedule 1 (Details of Processing) of the DPA.
Categories of personal data transferred
The categories of personal data are described in Schedule 1 (Details of Processing) of the DPA.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The Parties do not intend for Sensitive Data to be transferred, except in accordance with Section 2.5 of the DPA.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
Personal Data is transferred on a continuous basis in accordance with the Client’s use of the Services and submission of Personal Data thereto.
Nature of the processing
The nature of the processing is described in Schedule 1 (Details of Processing) of the DPA.
Purpose(s) of the data transfer and further processing
The purpose of the processing is described in Schedule 1 (Details of Processing) of the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The period for which Personal Data will be retained is for the duration of the Agreement unless agreed otherwise in the Agreement and/or the DPA.
For transfers to (sub-) processors, also specify the subject matter, nature, and duration of the processing
In relation to transfers to sub-processors, the subject matter and nature of the processing are set forth at the link detailed in Section 5.2.1 of the DPA. The duration of the processing by Sub-processors is the duration of the Agreement unless agreed otherwise in the Agreement and/or the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
TECHNICAL AND ORGANIZATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks to the rights and freedoms of natural persons
The technical and organizational measures (including the certifications held by the data importer), as well as the scope and the extent of the assistance required to respond to data subjects’ requests, are described in the DPA and Security Documentation.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
The technical and organizational measures that the data importer will impose on sub-processors are described in the DPA.
UK CROSS-BORDER TRANSFERS
Table 1: The Parties: as stipulated in Annex I.A.
Table 2: Selected SCCs, Modules, and Selected Clauses: as stipulated in Annex I.
Table 3: Appendix Information: means the information which must be provided for the selected modules as set out in the Appendix of the EU SCCs (other than the Parties), and which for this Annex III is set out in Annex I.
Entering into this Annex III:
1. Each Party agrees to be bound by the terms and conditions set out in this Annex III in exchange for the other Party also agreeing to be bound by this Annex III.
2. Although Annex I.A and Clause 7 of the EU SCCs require signatures by the Parties, for the purpose of making UK Transfers, the Parties may enter into this Annex III in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Annex III. Entering into this Annex III will have the same effect as signing the EU SCCs and any part of the EU SCCs.
Interpretation of this Annex III:
3. Where this Annex III uses terms that are defined in the EU SCCs, those terms shall have the same meaning as in the EU SCCs. In addition, the following terms have the following meanings:
| Term | Meaning |
| --- | --- |
| Addendum EU SCCs | The version(s) of the EU SCCs to which this Annex III is appended, as set out in Table 2, including the Appendix Information. |
| Appendix Information | As set out in Table 3. |
| Appropriate Safeguards | The standard of protection of personal data and data subjects' rights which is required by UK Data Protection Laws when the Parties are making a UK Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
| Standard Contractual Clauses | As defined in the DPA. |
| ICO | The Information Commissioner. |
| Annex III | This Annex III, which is made up of this Annex III incorporating the Addendum EU SCCs. |
| | As defined in the DPA. |
| UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
| UK GDPR | As defined in Section 3 of the Data Protection Act 2018. |
| UK | The United Kingdom of Great Britain and Northern Ireland. |
| UK Transfer | A transfer covered by Chapter V of the UK GDPR. |
4. This Annex III must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the EU SCCs in any way which is not permitted under the EU SCCs or this Annex III, such amendment(s) will not be incorporated by this Annex III and the equivalent provision of the EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Annex III, UK Data Protection Laws apply.
7. If the meaning of this Annex III is unclear or there is more than one meaning, the meaning that most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) mean that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted, and/or replaced after this DPA has been entered into.
9. Although Clause 5 of EU SCCs sets out that the EU SCCs prevail over all related agreements between the Parties, the Parties agree that, for a UK Transfer, the hierarchy in Section 10 below will prevail.
10. Where there is any inconsistency or conflict between this Annex III and the Addendum EU SCCs (as applicable), this Annex III overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the provisions of this Annex III.
11. Where this Annex III incorporates Addendum EU SCCs that have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679, then the Parties acknowledge that nothing in this Annex III impacts those Addendum EU SCCs.
Incorporation and changes to the EU SCCs:
12. This Annex III incorporates the Addendum EU SCCs, which are amended to the extent necessary so that:
a. Together they operate for data transfers made by the data exporter to the data importer to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
b. Sections 9 to 11 override Clause 5 (Hierarchy) of the EU SCCs; and
c. This Annex III (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed on alternative amendments that meet the requirements of Section 12 above, the provisions of Section 15 below will apply.
14. No amendments to the EU SCCs other than to meet the requirements of Section 12 above may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12 above) are made:
a. References to the “Clauses” mean this Annex III, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.8 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
e. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws.” References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
f. References to Regulation (EU) 2018/1725 are removed;
g. References to the “European Union,” “Union,” “EU,” “EU Member State,” “Member State,” and “EU or Member State” are all replaced with the “UK”;
h. Clause 13(a) and Part C of Annex I are not used;
i. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
j. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
k. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
l. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
m. The footnotes to the EU SCCs do not form part of this Annex III, except for footnotes 8, 9, 10, and 11.
Amendments to this Annex III:
16. The Parties may agree to change Clause 17 and/or 18 of this Annex III to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Tables 1, 2, or 3 of this Annex III, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised UK Addendum which:
a. Makes reasonable and proportionate changes to the UK Addendum, including correcting errors in the UK Addendum; and/or
b. Reflects changes to UK Data Protection Laws;
The revised UK Addendum will specify the start date from which the changes to the UK Addendum are effective and whether the Parties need to review this Annex III, including the Appendix Information. This Annex III is automatically amended as set out in the revised UK Addendum from the start date specified.
19. If the ICO issues a revised UK Addendum under Section 18 and any Party will, as a direct result of the changes in the UK Addendum, have a substantial, disproportionate, and demonstrable increase in:
a. Its direct costs of performing its obligations under this Annex III; and/or
b. Its risk under this Annex III,
and in either case, it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Annex III at the end of a reasonable notice period by providing written notice for that period to the other Party before the start date of the revised UK Addendum.
20. The Parties do not need the consent of any third party to make changes to this Annex III, but any changes must be made in accordance with its terms.
SWITZERLAND CROSS-BORDER TRANSFERS
The Parties agree that the EU SCCs, as amended by Annex I, shall be adjusted as set out below where the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “Revised FADP”) applies to Switzerland Transfers:
1. References to the EU SCCs mean the EU SCCs as amended by Annex IV;
2. The Swiss Federal Data Protection and Information Commissioner (“FDPIC”) shall be the sole Supervisory Authority for Switzerland Transfers exclusively subject to the FADP;
3. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679,” as utilized in the EU SCCs, shall be interpreted to include the FADP with respect to Switzerland Transfers.
4. References to Regulation (EU) 2018/1725 are removed.
5. Switzerland Transfers subject to both the FADP and the GDPR shall be dealt with by the EU Supervisory Authority named in Annex I;
6. References to the “Union,” “EU,” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs;
7. Where Switzerland Transfers are exclusively subject to the FADP, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP;
8. Where Switzerland Transfers are subject to both the FADP and the EU GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FADP insofar as the Switzerland Transfers are subject to the FADP;
9. The Swiss SCCs also protect the Personal Data of legal entities until the entry into force of the Revised FADP.
1. In the event of any transfer where the Standard Contractual Clauses apply, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
(a) The data importer shall have in place and maintain, in accordance with good industry practices, measures to protect the Personal Data from interception (including in transit from the data exporter to the data importer and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
(b) The data importer will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR, the UK GDPR, or the FADP, including under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”);
(c) If the data importer becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
(i) The data importer shall inform the relevant government authority that the data importer is a processor of the Personal Data and that the data exporter has not authorized the data importer to disclose the Personal Data to the government authority and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the data exporter in writing;
(ii) The data importer will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data that is under the data importer’s control. Notwithstanding the above, (a) the data exporter acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context, and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context, and purposes of the intended government authority access to Personal Data, the data importer has a reasonable and good-faith belief that urgent access is necessary to prevent imminent risk of serious harm to any individual or entity, this subsection (c)(ii) shall not apply. In such event, the data importer shall notify the data exporter as soon as possible following the access by the government authority and provide the data exporter with relevant details of the same, unless and to the extent legally prohibited to do so.
2. Once in every 12-month period, the data importer will inform the data exporter, at the data exporter’s written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.
iResearch Services Is GDPR-Ready
At iResearch Services, nothing is more important than our clients’ data protection and success. With clients in nearly every country in the world, we strictly adhere to the European General Data Protection Regulation (GDPR), which expands the privacy rights granted to European individuals and requires companies that process their personal data to comply with a set of obligations. In particular, the GDPR may apply both to companies with an EU presence (for example, offices or establishments) that process the personal data of European individuals, and to companies without an EU presence that target the European market (for example, by offering goods or services to it) or monitor the behavior of European individuals. We’re here to help our clients in their efforts to comply with the GDPR.
What Is the GDPR?
Enforced in May 2018, the European Union’s General Data Protection Regulation (GDPR) established a structured and comprehensive framework for collecting, processing, using, and sharing personal data in order to protect the privacy rights of EU data subjects. The GDPR generally applies to any organizations operating within or outside the EU that offer goods or services to clients or businesses in the EU and process the personal data of EU-based individuals.
The GDPR expands the privacy rights granted to European individuals and is designed to protect their data protection rights by strengthening the security and protection of their personal data and improving their control over how it is handled.
In the UK, parts of the GDPR were incorporated into local law by the enactment of the Data Protection Act 2018. On 31 December 2020, the remaining provisions of the GDPR were incorporated into local UK law, creating what is known as the “UK GDPR.” Currently, the UK GDPR contains requirements very similar to the EU GDPR, with some provisions that may be different and more business-friendly. When we refer to “the GDPR,” we are referring to both the EU GDPR and UK GDPR.
Roles and Responsibilities
The GDPR distinguishes between two main types of roles regarding the processing of personal data: “data controller” and “data processor.” A data controller determines the purposes and ways that personal data is processed, while a data processor is a party that processes data on behalf of the controller.
Clients using the services of iResearch Services to process personal data for their own purposes and means will typically be considered the “data controllers” and are primarily responsible for meeting all applicable GDPR requirements. iResearch Services serves as its clients’ “data processor,” processing such personal data on behalf of its clients.
Compliance With the GDPR
Our legal and privacy teams regularly monitor and review our practices in order to ensure ongoing and full compliance with the GDPR by:
- Reviewing and strengthening our security infrastructure and practices, data encryption in transit and at rest, backups, logs, and security alerts.
- Conducting periodic risk assessments and data mapping processes, embedding them into our change management processes to ensure proper personal data management in accordance with the GDPR’s requirements.
- Regularly monitoring guidance around GDPR compliance and ensuring ongoing compliance through our internal procedures, processes, and controls and recurring training sessions for the team.
- Enabling our clients to respond to data subject requests to exercise their privacy rights and deleting data upon data subject request.
- Holding internationally recognized security certification for ISO 27001 ISMS (Information Security Management System) and BS10012 PIMS (Personal Information Management System), issued by BSI.
- Ensuring appropriate contractual terms are in place to perform our role as a data processor for our clients while complying with the GDPR.
- Maintaining a revised Data Processing Addendum that ensures the protection of personal data according to customary industry standards and the appropriate lawful mechanisms and contractual terms required by the GDPR following the invalidation of the Privacy Shield Framework.
- Allowing our clients to enter into Standard Contractual Clauses (SCCs) adopted by the European Commission on 4 June 2021 (Controller-to-Processor) for the international transfers of personal data, including an Annex intending to cover transfers of personal data from the UK to third countries (see Annex III). We have supplemented the SCCs with Additional Safeguards (see Annex IV) to further strengthen the rights and freedoms of data subjects.
- Regularly performing security and privacy assessments of our sub-processors to ensure their adherence to GDPR principles.
- Designating a representative in the EU and the UK and appointing a Data Protection Officer (DPO) to monitor and advise on iResearch Services’ ongoing privacy and data protection compliance and serve as a point of contact for individuals and supervisory authorities concerning data protection and privacy matters.
- Having procedures for handling suspected breaches concerning personal data, limiting the use, disclosure, and retention of personal data, and regularly conducting privacy training for all relevant staff members.
If you have any questions concerning iResearch Services’ privacy program and our compliance with the GDPR, please feel free to contact our Data Protection Officer & Privacy Team at email@example.com.
At iResearch Services, we invest significant efforts in ensuring that our products and practices comply with all global data protection and privacy laws that apply to us and our clients.
On this page we provide information about the California Consumer Privacy Act of 2018 (CCPA) and the ways in which iResearch Services complies with its current requirements.
CCPA – What Is It All About?
The CCPA, which came into effect on January 1, 2020 and became enforceable on July 1, 2020, consists of a series of bills that gave new privacy rights to consumers residing in the State of California, and imposes obligations on businesses processing their personal information.
Roles, Responsibilities & Exemptions
The CCPA distinguishes between three roles for companies involved in the processing of personal information:
- Business (similar to ‘data controller’ under the GDPR)
- Service Provider (similar to ‘data processor’ under the GDPR)
- Third Party (similar to a Business, but one that does not have direct interaction with the consumer)
The CCPA generally applies to Businesses that fulfil one or more of the following conditions:
(i) Have gross revenue greater than $25 million;
(ii) Annually buy, receive, sell, or share the personal information of more than 50,000 consumers, households, or devices for commercial purposes;
(iii) Derive 50 percent or more of their annual revenue from selling consumers’ personal information.
The obligations imposed on ‘Businesses’ outline the limits of ‘sale’ of personal information and define specific actions that Businesses are required to perform, such as:
- Create a “Do-Not-Sell-My-Personal-Information” button on your homepage
- Inform consumers of categories & specific pieces of information collected/sold to them
- Provide at least 2 methods of communication for requesting to exercise consumer rights
As the CCPA currently only applies to ‘consumers’ (and not ‘Data Subjects’ as defined by the GDPR), certain relationships were exempt from CCPA enforcement:
- Employee information (this includes past, current and potential employee information)
- B2B interactions (information obtained in the course of an activity between companies)
How Is iResearch Services Complying With the CCPA?
- We have identified iResearch Services’ role as a “Service Provider” under the CCPA, where we process personal information solely on behalf of our clients (the “Business” in such cases).
- We have identified iResearch Services’ role as a “Business” where it processes the personal information of California consumers for its own purposes. Due to the nature of iResearch Services, its activities are typically exempt from CCPA enforcement, provided it does not sell the personal information of California consumers (or of any other data subjects); the CCPA may, however, apply to its lead generation processing.
- iResearch Services has already invested significant effort and resources into its GDPR program for the right to access personal data, and has simply widened the scope of applicability to include California consumers, thereby complying with the so-called “look back” requirement to ensure that consumers are able to access their personal information covering the preceding 12-month period.
- iResearch Services already provides technical and organizational measures for sufficiently exercising other proposed consumer rights that are similar to rights granted under the GDPR (such as the right to disclosure, deletion, and opt-out).
- Introduced additional amendments to iResearch Services’ data processing addendum (DPA) and internal procedures to reflect the specific requirements of the CCPA (such as with respect to entity roles, the maximum response time and data subject verification process, and the commitments required of a Service Provider towards the Business under the CCPA).
- Having procedures for handling suspected breaches concerning personal information, limiting the use, disclosure, and retention of personal information, and regularly conducting privacy training for all relevant members of our staff.
iResearch Services closely follows developments surrounding the CCPA and the AG’s Proposed Regulations, as well as monitoring legislative developments both in California and in other US states.
If you have any further questions concerning iResearch Services’ privacy program and our ongoing efforts surrounding the CCPA, please feel free to contact our Data Protection Officer & Privacy Team at firstname.lastname@example.org.
The Australian Privacy Act (APA) and Australian Privacy Principles (APP) establish a structured framework for collecting, processing, using, and sharing personal information, giving individuals greater control over how their information is handled. iResearch Services is committed to fully complying with the requirements of the APA & APP by:
- Having a dedicated privacy team to ensure that your information and privacy are protected and that we remain compliant with applicable data protection and privacy regulations.
- Having procedures for handling data subject requests, suspected incidents concerning personal information, and regular privacy training for all relevant staff members.
- Ensuring that your personal information remains protected when it is transferred overseas.
The obligations imposed on ‘Businesses’ outline the limits of ‘sale’ of personal information and define specific actions that Businesses are required to perform, including (but not limited to) securing your personal information using industry-standard physical, procedural, and technical measures (to learn more, see our security page).
If you have any questions concerning iResearch Services’ privacy program and our compliance with the Australian Privacy Act & Principles, please feel free to contact our Data Protection Officer & Privacy Team at email@example.com.
What Is the LGPD?
The Brazilian General Personal Data Protection Law 13709/2018 (LGPD), which came into force in August 2020, is designed to strengthen personal data protection and establish a structured framework for collecting, processing, using, and sharing (known as “processing operations”) personal data. The LGPD has extraterritorial application and affects both organizations established in Brazil and organizations located outside of Brazil that offer goods or services to individuals located in Brazil.
Like the EU GDPR, the LGPD defines and distinguishes between two types of roles and responsibilities regarding the processing of personal data: “data controller” and “data processor.”
A data controller is in charge of making decisions regarding the processing of personal data, while a data processor processes personal data in the name of the data controller. iResearch Services is the data processor where it processes personal data solely on behalf of its customers and is the controller where it processes personal data for its own purposes.
How Does iResearch Services Comply With the LGPD?
iResearch Services is committed to complying with LGPD requirements where it applies to our data processing activities by:
- Adopting security, technical, and administrative measures aimed at protecting personal data from unauthorized access or any improper or unlawful processing.
- Having a dedicated privacy team for monitoring and ensuring that the personal data processed by iResearch Services is protected and that we remain compliant with applicable data protection and privacy regulations.
- Ensuring that personal data remains protected to the levels required under the LGPD.
- Having procedures for handling data subject requests, suspected incidents concerning personal data, and regularly conducting privacy training for all relevant staff members.
If you have any further questions concerning iResearch Services’ privacy program and our ongoing efforts surrounding the LGPD, please feel free to contact our Data Protection Officer & Privacy Team at firstname.lastname@example.org.
What Is the PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law enacted in April 2000 (and updated several times since) that applies to private-sector businesses engaged in commercial activities. The law governs the collection, use, and disclosure of personal information by private-sector organizations in Canada.
How Is iResearch Services Complying With the PIPEDA?
iResearch Services is committed to complying with the PIPEDA’s requirements where it applies to our data processing activities by:
- Having a dedicated privacy team for monitoring and ensuring that personal information and privacy are protected and that we remain compliant with applicable data protection and privacy regulations.
- Adopting safeguards by implementing security, technical, and administrative measures aimed at protecting personal information from unauthorized access or any improper or unlawful processing.
- Having procedures for handling data subject requests, suspected breaches concerning personal information, limiting the use, disclosure, and retention of personal information, and regularly conducting privacy training for all relevant staff members.
If you have any further questions concerning iResearch Services’ privacy program and our ongoing efforts surrounding the PIPEDA, please feel free to contact our Data Protection Officer & Privacy Team at email@example.com.
The purpose of the Global Information Security Policy (GISP) is to define the measures and controls iResearch Services has in place in order to protect its information and its customers’ information and to comply with local and international laws, standards, and regulations.
It serves as a central policy document with which all employees and contractors must be aligned, and it defines the actions and prohibitions that all users must follow.
The scope of this policy is all iResearch Services information, including customer information, source code, diagrams, financial information, PII, and PHI (where applicable).
The scope of this policy is the entire iResearch Services organization, including its subsidiaries, employees, contractors, subcontractors, partners, and anyone who creates, maintains, stores, accesses, processes, or transmits iResearch Services’ information.
CEO: The Chief Executive Officer is responsible for the overall privacy and security practices of the company.
ISO: The Information Security Officer is responsible for all information security aspects of the company.
DPO: The Data Protection Officer is responsible for ensuring that proper protective measures for personal data are in place and for overseeing the privacy aspect of the company’s products and practices.
Confidentiality: The information is available or disclosed only to those authorized for it.
Integrity: All information assets are accurate and complete.
Availability: All information is accessible and usable upon demand.
Encryption: The process of transforming information using an algorithm to make it unreadable to anyone other than those who have a specific “need to know”.
Personally identifiable information (PII): Any information about an individual that can be used to distinguish or trace an individual’s identity, such as name, identification number, date and place of birth, biometric records, medical information, financial information, etc.
Third Party: All vendors, subcontractors, and other parties under contract with iResearch Services.
1.4. Information Security Objectives
- Align with iResearch Services’ business objectives and support the company’s effort to achieve these objectives;
- Ensure that all security efforts are aligned with the company’s obligations as a fast-growing public company;
- Maintain a comprehensive and up-to-date information security plan to mitigate information security risks;
- Prevent security incidents at their earliest stage and, if they occur, detect and contain them as early as possible;
- Maintain an up-to-date list of all assets and the risks associated with these assets.
1.5. Organization of Information Security
iResearch Services ISO has the overall responsibility for the company’s information security.
To provide guidance and continuous monitoring of the company’s practices, the following representatives, at a minimum, conduct a weekly Security Forum:
- Director Operations
- IT Manager
- Compliance Specialist
Additional representatives from the company’s departments may join the forum as needed.
1.6. Information Security Management
All iResearch Services employees, contractors, and third parties should adhere to the company’s policies, have their relevant responsibilities communicated to them as part of their onboarding and on a regular basis, and have 24/7 access to the policies. All policies should be reviewed at least annually. Whenever there is a major change in the company’s practices that may affect the confidentiality, integrity, or availability of the company’s or its customers’ data, the applicable policies will be reviewed.
All policies must be approved by a member of the senior management.
1.7. Continuous Improvement
iResearch Services continuously assesses potential risks to its service and evaluates the need for protective measures, basing its remediation strategy on the findings’ severity.
The following periodic assessments are executed:
- Internal & External audit – ISO 27001
- Application vulnerability scans – On an ongoing basis
- Overall risk assessment of critical information systems – Annually
2. Roles and Responsibilities
Conflicting duties and areas of responsibility should be segregated to reduce the opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
2.1. Senior Management
The Senior Management of the company has the overall responsibility for ensuring that the company’s commitment to this policy is met.
The Senior Management should provide adequate resources to maintain and improve the Information Security Management System (ISMS) within the company.
2.2. Director Operations
The Director Operations is responsible for approving security budgets.
In addition, the Director Operations communicates the results of essential ISMS activities (such as Risk Assessment, Risk Treatment Plan, Operational Plan and Goals, etc.) to both third parties (as applicable) and Senior Management.
2.3. ISO & Information Security Audit Team
The ISO & ISA team is responsible for defining the company’s security strategy and the implementation and enforcement of information security processes and controls. The ISO reports to Senior Management.
The ISO’s main responsibilities are:
- Ownership of the Information Security Management System (ISMS) documentation.
- Leading the process of periodic risk assessment as part of the security policy.
- When applicable, recommend changes to policies, standards, and procedures.
- Ensuring that all critical company assets are secured and controlled.
- Developing and maintaining an information security education, training, and awareness program.
- Advising on compliance with laws, regulations, best practices, and frameworks.
- Building security-related budget and investment plans.
2.4. Security Steering Committee
The security steering committee is responsible for reviewing the strategic security plan and approving it. The security steering committee will meet once a year.
The security steering committee members are:
- Director Operations
2.5. Information Security Forum
The Security Forum is the operational forum for all information security activities.
Its responsibilities are:
- Coordinating the development and implementation of information management practices, including policies, standards, guidelines, and procedures;
- Coordinating the development and implementation of security-related issues in the company products, code, and infrastructure;
- Addressing ongoing security-related issues raised by the company employees, vendors, partners, and customers;
- Coordinating and sharing information among Forum members to ensure consistent execution of the information security management activities across the organization.
The company’s Security Forum will meet at least once a month.
2.6. Asset Owner
Asset Owners are managers held accountable for the protection of particular significant assets. They may delegate information security tasks to other individuals but remain accountable for the proper implementation of the tasks. The Information Asset Owners are responsible for:
- Appropriate classification and protection of information assets;
- Specifying and funding suitable protective controls;
- Authorizing access to information assets in accordance with their classification and business needs;
- Ensuring timely completion of regular system/data access reviews;
- Monitoring compliance with protection requirements affecting their assets.
All employees are required to comply with the company’s information security policies and standards and should use company assets according to the company’s Acceptable Use Policy (internal).
3. Information Security Implementation
3.1. Human Resources Security
A company’s employees are among its most valuable resources. Employees have access to sensitive information by virtue of their job. Securely managing the human resources of iResearch Services is an essential part of the overall security of the company and is covered in the HR Security Policy (internal).
3.2. Asset Management Security
Lack of knowledge of and familiarity with the targets of attack in an organization poses a significant risk. Mapping an organization’s assets and defining the measures to secure them significantly decreases the risk level of an organization.
- All Company assets (such as data, software, and hardware) will be accounted for and have an owner;
- Asset Owners will be identified for all assets and will be responsible for the maintenance and protection of their assets;
- All information should be classified and handled according to its sensitivity level as detailed in the Data Classification Policy (internal).
- Asset management security is detailed in the Asset Management Policy (internal).
3.3. Access Control
Accessing assets is one of the most sensitive processes in an organization. Failure to uphold appropriate access privileges to resources may put the organization at significant risk.
Access privileges in iResearch Services are provided according to the need-to-know and least-privilege principles. All security aspects of access control are detailed in the Access Control Policy (internal).
3.4. Physical and Environmental Security
The physical and environmental security aspect refers to the measures that iResearch Services utilizes in order to secure its physical premises and assets. It is detailed in the Physical and Environmental Security Policy (internal).
3.5. Operations Security
The capacity management of the existing systems and the process for accepting new systems within the company should be conducted according to the company’s policies. A change management process is in place to ensure that changes are well-controlled. For more information, please refer to the company’s IT Change Management Procedure (internal).
To ensure the protection of the information iResearch Services handles on behalf of its customers against loss, backups shall be taken and tested regularly in accordance with an agreed policy, as detailed in the Backup Policy (internal).
3.6. Communications Security
Communications security deals with the prevention of unauthorized access to information in transit, i.e., information that is sent from one IT entity to another.
Communication security is covered in the Physical and Environmental Policy (internal).
3.7. Supply Chain Security
iResearch Services uses third-party solutions for certain aspects of its service. Such third-party relations may include cloud service providers, outsourced contractors, remote support, etc. When implementing a third-party solution, certain security measures should be taken in order to ensure that the third party does not negatively impact iResearch Services’ risk level.
Supply chain security is covered in the Vendor Policy (internal).
3.8. Information Security Incident Management, Business Continuity Plan (BCP), and Disaster Recovery Plan (DRP)
iResearch Services invests substantial efforts to prevent any incidents that may impact the confidentiality, availability, and integrity of the data it processes on behalf of its customers. Notwithstanding this, it is not possible to fully mitigate the risk of incidents. In case of an information security incident, iResearch Services will detect and contain the incident in the shortest possible time frame. All aspects of information security incident handling are covered in the Information Security & Data Incident Response Procedure (internal), Disaster Recovery Plan (DRP), and Business Continuity Plan (BCP, internal).
iResearch Services is committed to adhering to any applicable laws, regulations, and standards. This is done by continuously identifying new local and international laws, new regulations, and the publication of new standards.
4. Policy Lifecycle
4.1. Additions, Changes, and Deletions
- Alterations to established policies, standards, and baselines should be made as necessary.
- Each request should include the business justification for requesting such a change.
- The Director Operations should review each request and provide approval/denial.
- The Security Team is responsible for ensuring all relevant changes or additions are communicated to the company’s employees.
4.2. Review Process
- The Global Information Security Policy should be reviewed and updated annually, or when necessary, in accordance with business or regulatory requirements.
- Information security policies, standards, and baselines should be reviewed at least every 12 months to ensure that they are consistent and properly address the following:
  - Business needs and business environment – controls should remain effective from both cost and ongoing operational perspectives and support the business without causing unreasonable disruption to its processes.
  - External technology environment – opportunities and threats created by changes, trends, and new developments.
  - Internal technology environment – strengths and weaknesses resulting from the company’s use of technology.
  - Legal, regulatory, and contractual requirements.
  - Other requirements specific to new or unique circumstances.
4.3. Delegation of Responsibilities
- The ISO may choose to delegate certain roles and responsibilities to specific employees or units as required.
- Delegated responsibilities are non-transferable.
4.4. Exception to Policies
- The Company’s employees and third parties are required to comply with said Policies and Standards.
- In the event that a policy or standard cannot be adhered to, an exception to such a baseline should be considered by the ISO.
- An exception may be granted only if the benefits of the exception outweigh the resulting risks as determined by the ISO based on the recommendation of the Security Forum.
- Exceptions should be assigned due dates where applicable to ensure the timely implementation of the agreed-upon remediation strategies.
- Exceptions should be regularly reviewed to verify that remediation is achieved in time.