Data Processing Terms
These data processing terms (“Data Processing Terms”) are by and between Pattern Insurance Services, Inc. or its affiliated entities, depending on which of Pattern or its affiliate (“Pattern”) is providing products and/or services (“Services”) to a customer, and the customer who has such written agreement with Pattern (“Agreement”), as herein defined. These terms apply only to the extent Personal Data is Processed by a Party, or its Sub-processors, as necessary to provide a Service, and by the Agreement’s reference to these Data Processing Terms, these Data Processing Terms are incorporated into the Agreement.
1.1. For the purposes of this Schedule, the words and expressions set out below shall have the following meanings:
1.1.1. Affiliate or Affiliates means entities which are controlled by a Party, which controls a Party or which is under the common control with a Party, where “control” means the direct or indirect ownership of at least fifty percent (50%) of the shares or voting rights or the equivalent thereof, so long as such control exists.
1.1.2. CCPA means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General. If the CCPA applies to the provision of or receipt and use of the Services or Products, the Parties further agree to be bound by the terms set forth in Exhibit 1, attached hereto.
1.1.3. Controller shall have the meaning set out in applicable Data Protection Law.
1.1.4. Data Protection Law means the laws and regulations in respect of the states or countries where the Services are provided from by Pattern anywhere in the world, but including laws and regulations as applicable, of the United Kingdom, the European Union, the EEA and their member states, and Switzerland, including GDPR and the laws of Israel (including but not limited to the Protection of Privacy Law 5741-1981 and all regulations thereunder and Basic Law: Human Dignity and Liberty, 5752-1992 and the guidelines of the Privacy Protection Authority and all other subsequent or amending legislation concerning data privacy and protection) and of the United States, including, as applicable the CCPA or any other applicable state or federal laws concerning data privacy, or in any other country in the world, those laws and regulations applicable in those countries and which are applicable to Personal Data and the Processing of Personal Data under the Agreement.
1.1.5. Data Processor has the meaning given under Data Protection Law.
1.1.6. Data Subject has the meaning set out in applicable Data Protection Law.
1.1.7. Party or Parties means Pattern or Customer and both Pattern and Customer are the Parties.
1.1.8. Personal Data means the Personal Data Processed by the Data Processor in connection with the Services as described in the Agreement and the details of which are described in the Agreement.
1.1.9. Privacy Notice(s) means those privacy notices published by the Controller on its applicable websites which relate to the Services and Products.
1.1.10. EEA means the European Economic Area.
1.1.11. GDPR means the EU GDPR and the UK GDPR in each case to the extent applicable.
1.1.12. Products means the products provided by the Controller under the Agreement.
1.1.13. Processing, Processes and Processed shall have the meaning set out in applicable Data Protection Law.
1.1.14. Processor shall have the meaning set out in applicable Data Protection Law.
1.1.15. SCCs means the standard contractual clauses set out in EC Decision 2010/87/EU for the transfer of Personal Data to processors established in third countries which do not ensure an adequate level of data protection, as may be updated or replaced from time to time and the equivalent in the United Kingdom.
1.1.16. Security Breach means any actual or suspected, threatened or ‘near miss’ incident of theft, accidental or unlawful destruction, loss, alteration or damage, wrongful use, or unauthorised or accidental disclosure of or access to Personal Data, or other breach of these Data Processing Terms.
1.1.17. Security Due Diligence means any review of the Data Processor by the Controller, including the submission to the Controller of any questionnaires or requests for information, security due diligence, cyber security reviews and any site visits to the Data Processor’s premises.
1.1.18. Services means the services provided by the Controller under the Agreement.
1.1.19. Sub-processor shall have the meaning set out in paragraph 6.1 of these Data Processing Terms.
Compliance and Processing
2.1. The Parties acknowledge that each of them may be a Controller of Personal Data depending on the circumstances of their roles under the Agreement in the provision or the receipt of the Services, as also determined under Data Protection Law. In the event that a Party is, as a matter of fact under the Agreement, a Data Processor of the Controller, then it is hereby appointed as a Data Processor in relation to Personal Data it Processes in order to provide or receive the Services.
2.2. The Controller may change any of the terms of these Data Processing Terms in order to and to the extent required, to comply with Data Protection Law, by notice in writing to the Data Processor and such changes shall take effect from the date specified in that written notice.
2.3. The details of the subject matter, nature, purpose and duration of Personal Data Processing and the type of Personal Data and categories of Data Subjects which shall be Processed by the Data Processor are described in the Agreement.
2.4. The Data Processor shall Process Personal Data only in accordance with the written instructions of the Controller or as otherwise prescribed by Data Protection Law, and shall not otherwise cause the Controller to breach any of its Privacy Notice(s). For the purposes of this paragraph 2.3 of these Data Processing Terms, Controller’s written instructions are to Process Personal Data to the extent necessary in order to provide or receive the Services. If the Data Processor (or any of its Sub-processors) is required to Process Personal Data for any other purpose by applicable Data Protection Law, the Data Processor will inform the Controller of this requirement prior to Processing, unless such applicable Data Protection Law prohibits informing the Controller in advance on important grounds of public interest. The Data Processor shall notify the Controller immediately if, in the Data Processor’s opinion, an instruction for the Processing of Personal Data given by the Controller infringes applicable Data Protection Law.
2.5. In the event that the Data Processor does not follow the instructions of the Controller, the Parties agree that the Data Processor will be acting as a Controller without the actual Controller’s consent or permission. This will be a material breach of these Data Processing Terms and the Data Processor will be responsible for complying with all applicable Data Protection Law (as a Controller) while Processing Personal Data outside of the original Controller’s instructions pursuant to paragraph 3.3 of these Data Processing Terms.
2.6. Data Processor shall not Process Personal Data in any way that will or may cause the Controller to be non-compliant with its obligations under applicable Data Protection Law.
2.7. Data Processor shall comply with any requirement imposed on Controller by any relevant regulator or supervisory authority in respect of Personal Data and shall comply with any requirement of Controller in order to ensure compliance with applicable Data Protection Law.
2.8. Data Processor represents and warrants that it shall (and shall procure that its Sub-processors shall) fully comply at all times with applicable Data Protection Law in respect of the Processing of Personal Data and in particular shall ensure all Personal Data inputted or recorded is accurate and up to date and only retained in accordance with paragraph 3.3 of these Data Processing Terms.
Security of Personal Data
3.1. Data Processor represents and warrants that any information it may provide to the Controller for the purposes of Security Due Diligence is accurate and complete in all respects and is not misleading.
3.2. Data Processor shall implement and maintain all appropriate technical and organisational measures (including security procedures, backup procedures and safeguards) to protect Personal Data against any Security Breach and any other forms of unlawful Processing. Data Processor shall ensure that such measures ensure a level of security appropriate to the risk and severity of harm that might result from a Security Breach and any other unlawful Processing.
3.3. As a minimum, the technical and organisational measures referred to in paragraph 3.2 of these Data Processing Terms employed by Data Processor shall meet the requirements of Data Protection Law. Data Processor shall provide a written description of such technical and organisational measures employed for Processing Personal Data within the timescales reasonably required by the Controller.
3.4. Data Processor shall (and shall procure that its Sub-processors shall) promptly (and in any event within forty-eight (48) hours of discovery, or such shorter period if determined by Data Protection Law) notify Controller of a Security Breach by emailing Controller at the address given for such purposes in the notices clause of the Agreement and, if required by Controller, suspend the Processing of Personal Data until the Security Breach is remedied to the satisfaction of Controller.
3.5. Data Processor shall cooperate with Controller, provide all reasonable assistance and take such steps as Controller deems necessary (acting reasonably) to identify, prevent and mitigate the effects of the Security Breach and to remedy the Security Breach and prevent any further incidents.
3.6. Without prejudice to the requirement to comply with paragraph 4.5 of this Schedule 7, Data Processor shall take action immediately to investigate the Security Breach and to try to identify, prevent and mitigate the effects of the Security Breach and to remedy the Security Breach and prevent any further incidents.
3.7. Data Processor shall promptly provide Controller with all relevant information in its possession or in a Sub-processor’s possession to comply with any management and reporting obligations under Controller’s policies, recommended by a regulatory or supervisory authority and/or required by the Data Protection Law, concerning any Security Breach. At the date of these Data Processing Terms, this shall include:
3.7.1. the type of Personal Data or other information involved;
3.7.2. the number of records involved and the categories and approximate numbers of Data Subjects affected;
3.7.3. the circumstances of Security Breach and the likely impact of the Security Breach;
3.7.4. the risk posed by the Security Breach to individuals;
3.7.5. steps taken to identify, prevent and mitigate the effects of the Security Breach;
3.7.6. investigation details;
3.7.7. details of reports to and reactions from other relevant bodies of the Security Breach;
3.7.8. remedial action taken and action to avoid repeats; and
3.7.9. any other information requested by Controller.
3.8. Data Processor shall not release or publish any announcement, filing, communication, notice, press release, or report about a Security Breach without the prior written consent and approval of Controller, unless otherwise required by a relevant regulator or supervisory authority.
3.9. Data Processor shall:
3.9.1. take reasonable steps to ensure the reliability and competence of the Data Processor’s personnel who have access to Personal Data (including the provision of appropriate training on the requirements of Data Protection Law);
3.9.2. ensure that the Data Processor’s personnel are subject to a binding duty of confidentiality in respect of Personal Data and have committed to comply with the obligations set out in the Agreement and these Data Processing Terms; and
3.9.3. ensure that access to Personal Data is restricted to only such of its personnel as strictly necessary to meet its obligations under the Agreement and Data Processing Terms.
4.1. Data Processor shall, unless expressly prevented by Applicable Laws, promptly inform Controller upon receiving any notice or communication from any Data Subject, supervisory or regulatory authority, court, law enforcement or government body that relates directly or indirectly to the Processing of Personal Data under this Agreement.
4.2. Data Processor shall, taking into account the nature of the Processing, assist Controller by appropriate technical and organisational measures, in so far as this is possible, in fulfilling Controller’s obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Law.
4.3. Data Processor shall, taking into account the nature of the Processing and the information available to Data Processor, reasonably assist Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR and/or equivalent obligations under other applicable Data Protection Law to which Controller is subject.
4.4. Data Processor shall promptly carry out any written request from Controller requiring Data Processor to access, amend, transfer, destroy, delete or restrict Personal Data or any part of Personal Data (unless such written request would render Data Processor non-compliant with Data Protection Law, in which case Data Processor shall comply to the fullest extent possible without making Data Processor non-compliant with Data Protection Law). If requested by Controller, Data Processor shall (without undue delay) provide to Controller, or directly to any third party requested by Controller, a copy of Personal Data in a structured, machine-readable format and on the media reasonably specified by Controller.
Sub-Processors of Personal Data
5.1. Data Processor shall not disclose Personal Data to, or give access to Personal Data to, any third party (including affiliates, group companies or sub-contractors) (“Sub-processor”) other than with the prior written consent of Controller to the specific Sub-processor. Where Data Processor has appointed or appoints a Sub-processor pursuant to this paragraph 6.1, the Parties agree the following:
5.1.1. Data Processor shall ensure that, prior to any Processing of Personal Data by the Sub-processor, it has entered into a contract with the Sub-processor that includes terms which impose obligations on the Sub-processor no less onerous than the ones set out in this Schedule 7;
5.1.2. the appointment of any Sub-processor shall not relieve Data Processor from any liability under the Agreement and the Data Processing Terms and the Data Processor shall remain liable for the performance of any Sub-processors’ obligations; and
5.1.3. Data Processor shall ensure that Sub-processors cannot appoint, or disclose Personal Data or give access to Personal Data to, further Sub-processors themselves.
5.2. For the purposes of paragraph 6.1 of this Schedule 7, as at the date of these Data Processing Terms the Parties agree that no Sub-processors can be identified, as Controller has not consented to the appointment of any particular Sub-processor. Data Processor agrees that prior to appointing any Sub-processor for the purpose of Processing, Data Processor will obtain Controller’s prior written consent to such appointment. Where Data Processor requests that a Sub-processor be so appointed and Controller has any concerns with that appointment (either because of the identity of the Sub-processor or their domicile), the Parties shall use reasonable endeavors to find a work-around to address Controller’s concerns. If Controller and Data Processor cannot agree on such concerns, including by finding a resolution, and where the failure to appoint such Sub-processor would materially hinder the provision of the Services or Products by the Controller, then the Controller may terminate the Agreement and these Data Processing Terms (subject to paragraph 9.2 below), with immediate effect.
5.3. Controller may (acting reasonably) require Data Processor to assist Controller to put a direct data processing agreement in place between Controller and the Sub-processor.
6.1. Data Processor shall make available to Controller all information which Controller requests to allow Controller to demonstrate that the obligations set out in Article 28 of the GDPR, any of CCPA and/or equivalent obligations under other applicable Data Protection Law relating to the appointment of Processors, have been met.
6.2. Data Processor shall, and shall procure that its Sub-processors shall, allow their premises, data processing facilities, procedures, personnel and any relevant documentation which relate to the Processing of Personal Data to be audited and inspected (at such reasonable times and upon reasonable prior written notice) by the authorised auditors of Controller and/or Controller’s employees or agents during the term of the Agreement, and only to the extent necessary in order to comply with Data Protection Law, in order to ascertain compliance with the terms of these Data Processing Terms.
Data Export of Personal Data
7.1. Data Processor shall not, and shall ensure that Sub-processors shall not, under any circumstances transfer or otherwise Process Personal Data outside the country or territory from where the Services or Products are provided from, being (as applicable) the EEA or the United Kingdom, the United States, Israel or any other country, state or territory in which the Services and/or Products are provided from (“Territory”) by the Controller, without the Controller’s prior written consent.
7.2. Where Controller has provided prior written consent to any Processing of Personal Data outside of the Territory, in a country not deemed adequate pursuant to Data Protection Law for that Territory, Data Processor shall, before the Processing takes place, enter into the Data Protection Law Standard Contractual Clauses or other measures approved by Data Protection Law (“SCCs”) with Controller (and/or shall procure that any relevant Sub-processor enters into the SCCs with Data Processor or Controller) or, if the SCCs are no longer valid or do not apply to the Processing for any reason, ensure the application of another lawful transfer safeguard under applicable Data Protection Law.
7.3. In the event that:
7.3.1. any transfer safeguard relied upon by Controller for compliance with applicable Data Protection Law in relation to the Processing of Personal Data outside the Territory, is invalidated, replaced or otherwise no longer applies or no longer covers the Processing of Personal Data outside the applicable Territory for any reason;
7.3.2. the transfer of Personal Data from the Territory to any country pursuant to this Agreement becomes unlawful under Data Protection Law; or
7.3.3. the transfer of Personal Data pursuant to this Agreement otherwise becomes unlawful under applicable Data Protection Law;
Controller shall have the right, upon notice to the Data Processor, to require Data Processor to cease (or require Data Processor to ensure a Sub-processor ceases) the Processing of Personal Data outside the applicable Territory and/or to require the Data Processor to co-operate with Controller (and to procure the cooperation of relevant Sub-processors) to facilitate the use of a valid transfer safeguard under applicable Data Protection Law.
Investigation and Indemnity
8.1. Upon notice to Data Processor, Data Processor shall reasonably assist and support Controller in connection with any investigation by a relevant regulator or supervisory authority that relates to Personal Data Processed by the Data Processor.
8.2. Data Processor shall notify Controller promptly if Data Processor receives any complaint, notice or communication from a relevant regulator or supervisory authority or other third party which relates directly or indirectly to Personal Data, to Controller’s compliance with Data Protection Law or to Data Processor’s compliance with Data Protection Law in relation to the Agreement and/or these Data Processing Terms.
8.3. Data Processor shall maintain records of all Processing operations under its responsibility that contain at least the minimum information required by Data Protection Law and shall make such information available to Controller and/or to any relevant regulator or supervisory authority on request.
8.4. The Parties shall each indemnify and keep indemnified one another against liabilities arising out of or in connection with any Security Breach caused directly or indirectly by a Party or a Party’s Sub-processor and/or an actual or alleged breach by either Party or either Party’s Sub-processors under these Data Processing Terms, subject to the applicable limitation and exclusions of liability in the Agreement.
9.1. As from the expiry or termination of the Agreement, Data Processor shall upon Controller’s written instructions and at Controller’s option, ensure: (i) the prompt irretrievable deletion of Personal Data unless there is a lawful basis for the continued holding of Personal Data (unless such irretrievable deletion would render Data Processor non-compliant with applicable Data Protection Laws and then they shall comply with this paragraph 9.1 to the maximum extent possible to allow compliance with Data Protection Law); or (ii) the return of Personal Data to Controller and the prompt irretrievable deletion of copies, unless applicable laws require, or there is a lawful basis to retain, the continued storage of such Personal Data. In each case, Data Processor shall certify in writing to Controller that it no longer retains any copy of Personal Data (except where applicable laws or lawful basis to retain, require storage of such Personal Data) and shall promptly upon written request provide to Controller such information as is reasonably necessary to enable Controller to satisfy itself of this.
9.2. These Data Processing Terms shall continue in effect following termination or expiry of this Agreement for so long as Data Processor or any Sub-processor Processes Personal Data, provided that any provisions in these Data Processing Terms that, by their nature and content, must survive the completion, rescission, termination or expiration in order to achieve the fundamental purpose of such provision shall so survive and continue to bind the Parties.
10.1. These Data Processing Terms shall be subject to the jurisdiction of and governed by the laws of the Agreement.
If the CCPA applies to provision of Products or the use of the Services, the parties further agree to be bound by the terms of this CCPA Exhibit 1, in addition to Data Processing Terms.
Applicability and Treatment of Personal Information
To the extent Data Processor: (i) receives from the Controller any personal information (as defined in the CCPA) of a consumer (as defined in the CCPA) (hereinafter referred to as “Personal Information”); and (ii) processes (as defined in the CCPA) such Personal Information on behalf of the Controller, the following additional terms and conditions shall apply.
Unless otherwise specified in this Exhibit 1, Personal Information will be treated as Personal Data under the Data Processing Terms. For clarity, with respect to the receipt of the Services and Products, Data Processor may be a “service provider” as defined in the CCPA.
Data Processor will comply with applicable requirements of the CCPA when collecting, using, retaining, or disclosing Personal Information.
Data Processor will limit collection, use, retention, and disclosure to activities reasonably necessary and proportionate for the business purpose set forth in the Agreement. Data Processor shall not retain, use or disclose Personal Information for a commercial purpose other than as provided for under the Agreement. Data Processor shall not collect, use, retain, disclose, sell, or otherwise make Personal Information available for Data Processor’s own commercial purpose(s) or in a way that does not comply with the CCPA. Notwithstanding, Data Processor may use de-identified data for its own business purpose(s) solely as necessary to perform its obligations under the Agreement or otherwise in compliance with the Agreement and the Data Processing Terms.
Data Processor will use commercially reasonable efforts to timely assist Controller in complying with a verifiable consumer request.
If Data Processor authorizes any subcontractor, Affiliate or third party to process Personal Information, Data Processor acknowledges that such subcontractor, Affiliate or third party is also a “service provider” as defined in the CCPA.
No Sale of Personal Information
Data Processor will not sell any Personal Information. For clarity, if PATTERN is at any time a Data Processor, PATTERN may disclose certain Personal Information constituting business contact information to an Affiliate and any insurance underwriter, provider or broker, and in such circumstances Controller agrees that it has intentionally triggered such disclosure and that the same is not a sale of Personal Information as contemplated under the CCPA.