Data Processing Agreement For Individual Planners

This Data Processing Agreement (this “DPA”) applies to the Processing of Personal Data of Data Subjects by Groups360 LLC (“Groups360”) when independent planners (i.e., non-hotel partners, which may include individual meeting planners, private bookers, and travel agents) (“Customers”) utilize the GroupSync platform and related services or products provided by Groups360 (“Services”) as described in the Groups360 Master Terms and Conditions and applicable Order Form(s) by and between Customer and Groups360 or any other agreements entered into by the parties (the “Agreement”). This DPA is not intended to cover Processing that occurs on behalf of an individual utilizing the Services for the purposes of purely personal or household activities. Except as expressly stated otherwise in this DPA or the Agreement, to the extent Groups360 is processing Personal Data subject to Data Protection Laws, this DPA is incorporated into and subject to the terms of the Agreement, and shall be effective and remain in force for the term of the Agreement.

1. Definitions. Capitalized terms not defined herein shall have the meanings ascribed to them under the Agreement. In this DPA, the following terms (and their applicable cognates) shall have the following meanings:

“Data Protection Laws” shall mean all laws and regulations applicable to the Processing of Customer Personal Data, including but not limited to the laws and regulations identified in Exhibit B hereto as may be amended, modified, or supplemented from time to time, as applicable to the Services made available under the Agreement.

“Documented Instructions” shall mean Customer’s written instructions specified in the Agreement and this DPA (including with respect to transfers of Personal Data to a Third Country or to an International Organisation), it being understood that “written instructions” includes all requirements and obligations set forth in the Agreement on the part of Groups360 and as necessary to provide the Services in accordance with its documentation, supplemented or replaced from time to time by individual written instructions made from time to time by an authorized representative of Customer.

“GDPR” means the EU GDPR and UK GDPR as those terms are defined within Exhibit B, as applicable.

“Restricted Transfer” means any transfer of Customer Personal Data protected by Data Protection Laws to a Third Country or an International Organization in a Third Country (including data storage on foreign servers).

“SCCs” or “Standard Contractual Clauses” are the model clauses for Restricted Transfers adopted from time to time by the relevant authorities of the jurisdictions indicated in Exhibit B, insofar as their use is approved by the relevant authorities as an appropriate mechanism or safeguard for Restricted Transfers.

“Sub-Processor” shall mean any third party appointed by or on behalf of Groups360 to Process Customer Personal Data in connection with the Services.

The terms “Business”, “Controller”, “Data Protection Assessment”, “Data Subject”, “International Organisation”, “Member State”, “Personal Data”, or “Personal Information”, “Personal Data Breach”, “Processing”, “Processor”, “Rights of the Data Subjects”, “Sell”, “Service Provider”, “Share”, “Supervisory Authority” and “Third Country” have the same meaning as in the applicable Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly.

2. Background and Interpretation.

2.1 In the event of any conflict between the terms of the Agreement and this DPA, the relevant terms of this DPA shall control and take precedence.

2.2 Customer acknowledges and agrees that (i) all rights and obligations under this DPA shall be exclusively exercised by Customer and (ii) correspondingly, any notifications to be provided by Groups360 under this DPA shall only be provided to Customer.

2.3 Customer shall ensure that it has complied with all applicable Data Protection Laws with respect to Personal Data that Customer transmits to or receives from Groups360.

3. Processing of Customer Personal Data.

3.1 Where Groups360 Processes Customer Personal Data on behalf of Customer in connection with the Services, Groups360 will process such Personal Data as a Processor or Sub-Processor/Service Provider on behalf of Customer (who, in turn, Processes such Personal Data as a Controller/Business or Processor/Service Provider) and this DPA will apply accordingly. A description of such Processing is set out in Part B of Exhibit A.

3.2 Where Groups360 Processes Personal Data as a Controller/Business, as further detailed in Part B of Exhibit A, Groups360 will Process such Personal Data in compliance with applicable Data Protection Laws and only for the purposes that are compatible with those described in Part B of Exhibit A. For these purposes, only Sections 1 (Definitions), 2 (Background and Interpretation), 3 (Processing of Customer Personal Data), 8 (Jurisdiction Specific Terms), 9 (Restricted Transfers), 14 (Amendment and Online Hosting), and 15 (Governing Law) of this DPA will apply, to the extent applicable.

3.3 Groups360 shall:

I. comply with all applicable Data Protection Laws in the Processing of Customer Personal Data;

II. not Process Customer Personal Data other than on Customer’s relevant documented instructions (including with regard to Restricted Transfers), unless such Processing is required by applicable Data Protection Laws, in which case Groups360 shall, to the extent permitted by applicable Data Protection Laws, inform Customer of such requirement before Processing that Customer Personal Data;

III. immediately inform Customer in the event that, in Groups360’s reasonable opinion, a Processing instruction given by Customer may infringe applicable Data Protection Laws; and until Customer’s withdrawal, amendment or confirmation of the relevant instruction, Groups360 shall be entitled to suspend the implementation of the relevant instruction.

3.4 All necessary information relating to the details of Processing (subject matter, duration, nature, and purpose, etc.) are specified in Exhibit A attached hereto.

3.5 Customer is responsible for compliance with its obligations under applicable Data Protection Laws, in particular for justification of any transmission of Personal Data to Groups360, and for Customer’s decisions and actions concerning the Processing of such Personal Data.

3.6 Customer instructs Groups360 (and authorizes Groups360 to instruct each Sub-Processor it engages) to Process Customer Personal Data and, in particular, transfer Customer Personal Data to any country or territory, only as reasonably necessary for the provision of the Services and consistent with the Agreement and this DPA.

3.7 Where Customer is acting as a Processor, it warrants that it shall:

I. Process Customer Personal Data only on behalf of the relevant Controller’s documented instructions and, in turn, only instruct Groups360 to carry out such Processing activities on behalf of Customer in accordance with said instructions of the Controller; and

II. obtain prior authorization from the relevant Controller for subcontracting the Processing of Customer Personal Data to Groups360 and its Sub-Processors.

4. Rights of Data Subjects. Taking into account the nature of the Processing, Groups360 shall assist Customer by implementing appropriate technical and organizational measures for the fulfilment of Customer’s obligation to respond to requests for exercising the Rights of Data Subjects (including access requests) set out in applicable Data Protection Laws.

5. Sub-Processors.

5.1 Customer agrees that Groups360 may engage Sub-Processors to assist in the performance of the Services, including those Sub-Processors set out within Appendix I to Exhibit A, provided the obligations of this Section 5 are met.

5.2 Groups360 will provide Customer prior written notice (which may be via email or updates to this DPA posted on Groups360’s website) of any changes concerning the addition or replacement of its Sub-Processors.

5.3 Customer will be deemed to have consented to the additional or replacement Sub-Processor if no objection is received within fifteen (15) days of Customer’s receipt of such notice. Customer may object to the appointment of a Sub-Processor by providing a written, reasonable objection.

5.4 If an objection is received, the Parties will work together in good faith with a view of achieving a commercially reasonable resolution. If no mutually agreeable resolution is available, Groups360 may terminate the Agreement immediately upon written notice to Customer, and Customer will owe no further fees other than what has been accrued up to and including the date of termination. Upon notice of termination, Groups360 shall cease Processing Customer Personal Data.

5.5 Where Groups360 authorizes a Sub-Processor as described in Section 5.1, (i) Groups360 will enter into a written agreement with the Sub-Processor that includes terms which offer at least the same level of data protection for Customer Personal Data as those set out in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processor; and (ii) where the Sub-Processor fails to fulfil its obligations under such written agreement (or in the absence thereof, as the case may be), Groups360 will remain fully liable to Customer for the performance of the Sub-Processor’s obligations under such agreement and/or applicable Data Protection Laws.

6. Technical and Organizational Security Measures.

6.1 Groups360 shall implement and maintain certain administrative, technical and organizational security measures designed to ensure a level of security appropriate to the risks that are presented by such Processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the likelihood and severity of risk in relation to the rights and freedoms of the Data Subjects. Groups360 will provide a general description of its technical and organizational security measures upon Customer’s request when submitted by emailing us at [email protected].

6.2 Groups360 personnel as well as any Sub-Processors that may have access to Personal Data are subject to appropriate confidentiality obligations. Groups360 shall not disclose Personal Data to any third party, except to Sub-Processors in accordance with Section 5, unless requested in writing by an authorized representative of Customer or required under applicable law. If Groups360 is obligated by applicable law to disclose Personal Data to any third party, Groups360 shall (to the extent permitted by applicable law) inform Customer of such intended disclosure and reasonably cooperate with Customer to limit the scope of the disclosure to what is strictly required by applicable law and with such reasonable protective measures in place to protect the confidentiality and integrity of such Personal Data.

7. Personal Data Breach Notification.

7.1 If Groups360 discovers, is notified of, or has reason to suspect a Personal Data Breach affecting Customer Personal Data under its or its Sub-Processors’ control, Groups360 will (i) immediately begin work to implement measures to stop the unauthorized access; (ii) secure the Customer Personal Data; and (iii) notify Customer without undue delay on becoming aware of a Personal Data Breach affecting Customer Personal Data.

7.2 Immediately upon providing notice of a Personal Data Breach affecting Customer Personal Data, Groups360 shall:

I. Describe to Customer in as much detail as reasonably possible:

a. The nature of the Personal Data Breach,

b. Where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned,

c. The impact of such Personal Data Breach upon Customer and the affected Data Subjects, and

d. The measures taken or proposed by Groups360 to address the Personal Data Breach;

II. Provide and supplement notifications as and when additional information becomes available;

III. Assist Customer in meeting its respective obligations pursuant to applicable Data Protection Laws, including any obligations to notify Supervisory Authorities or Data Subjects of a Personal Data Breach; and

IV. Use commercially reasonable efforts to investigate, mitigate, and remediate each such Personal Data Breach and prevent recurrence of such Personal Data Breach.

7.3 Customer agrees that an unsuccessful Personal Data Breach will not be subject to this Section 7. An unsuccessful Personal Data Breach is one that results in no unauthorised access to Personal Data or to any of Groups360’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.

7.4 Notwithstanding anything else in this DPA or the Agreement, Groups360’s obligation to report or respond to a Personal Data Breach under this Section 7 is not and will not be construed as an acknowledgement by Groups360 of any fault or liability of Groups360 with respect to the Personal Data Breach.

8. Jurisdiction Specific Terms. To the extent Groups360 Processes Customer Personal Data originating from or protected by applicable Data Protection Laws in a jurisdiction listed in Exhibit B, then the terms and definitions specified in Exhibit B with respect to the applicable jurisdiction shall apply in addition to the terms of this DPA.

9. Restricted Transfers.

9.1 Restricted Transfers of Customer Personal Data within the scope of this DPA shall be conducted in accordance with Exhibit B and applicable Data Protection Laws.

9.2 If relevant authorities adopt a new version of SCCs as a lawful mechanism for Restricted Transfers in a jurisdiction governing the processing of Customer Personal Data, the Parties are deemed to have agreed to the execution of the new version of the SCCs, and, if necessary, Groups360 shall be entitled to update Exhibit A and Exhibit B (and their appendices) accordingly.

9.3 If an alternative transfer mechanism, such as the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments entailed, is adopted by Groups360 during the term of the Agreement (an “Alternative Mechanism”), and Groups360 notifies Customer that some or all Restricted Transfers can be conducted in compliance with applicable Data Protection Laws pursuant to the Alternative Mechanism, the Parties will rely on the Alternative Mechanism instead of the transfer mechanisms in Exhibit B for Restricted Transfers to which the Alternative Mechanism applies. Groups360 agrees to notify Customer if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Alternative Mechanism.

10. Audit Rights.

10.1 No more than once per calendar year, Customer may request information reasonably necessary from Groups360 to demonstrate its compliance with this DPA. Without prejudice to the foregoing, if the requested information is addressed by audit results or reports conducted by or on behalf of Groups360, including for example, a SOC 2 Type 2 report or a PCI-DSS compliance verification, or other similar audit report generated or issued by a qualified third-party auditor within the prior twelve (12) months and Groups360 provides such report to Customer, confirming that there are no material changes in the controls audited, Customer agrees to accept the findings presented in the audit report in lieu of requesting an audit of the same controls covered by the report. For the avoidance of doubt, all such reports shall be considered confidential information of Groups360.

10.2 For clarity, Groups360 will not provide Customer or any third-party direct access to Groups360’s databases or information systems due to confidentiality and security obligations to its other clients and as required under applicable law, including without limitation Data Protection Laws.

10.3 Groups360 shall inform Customer if, in its opinion, an instruction pursuant to this Section 10 infringes Data Protection Laws.

11. Return or Deletion of Personal Data.

11.1 Upon Customer’s request, Groups360 shall, upon termination or expiration of the Agreement, return or delete all Personal Data and delete all existing copies of such data, with the exception of any Customer Personal Data that may be retained pursuant to applicable laws.

11.2 This Section 11 does not apply to Customer Personal Data that has been archived on back-up systems, which Groups360 or its Sub-Processors, as applicable, shall securely isolate and protect from any further Processing, except to the extent required by applicable law.

12. Data Protection Assessment and Prior Consultation. Groups360 shall provide Customer with relevant information and documentation, and assist Customer in complying with its obligations with regard to any data protection assessments or prior consultations with Supervisory Authorities when required pursuant to applicable Data Protection Laws, but in each such case solely with regard to Customer Personal Data Processed by, and taking into account the nature of Processing and information available to, Groups360 and its Sub-Processors.

13. Inability to Meet Obligations. Groups360 shall notify Customer if, in Groups360’s sole discretion, it determines that it can no longer meet the obligations required under applicable Data Protection Laws. Customer shall have the right to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data and to ensure that Groups360 uses the Personal Data collected pursuant to this DPA in compliance with the CCPA.

14. Amendment and Online Hosting.

14.1 Subject to the conditions specified in this DPA, Groups360 may host the content of this DPA online, and further update the DPA, provided that notice is given to Customer when material updates are made to the DPA.

14.2 If no objection is received within fifteen (15) days of receipt of the notice, Customer will be deemed to have consented to the update. If Customer issues notice of non-acceptance, the Parties will cooperate and negotiate in good faith regarding any required updates.

14.3 If no mutually agreeable resolution is available, Customer may terminate the Agreement immediately upon written notice to Groups360, with no further fees due, other than what has been accrued up to and including the date of termination. Upon notice of termination, Groups360 shall cease Processing Customer Personal Data.

14.4 To the extent that the DPA or its exhibits and appendices are hosted online, the latest version online shall take precedence over this DPA.

15. Governing Law. This DPA shall be governed by and construed in accordance with the choice of law stated in the Agreement, except that any matters involving interpretation of Data Protection Laws or the processing of Personal Data shall be governed by and construed in accordance with the Data Protection Laws applicable to the relevant data subject(s) (save that any Standard Contractual Clauses shall be governed by the nominated governing law in accordance with their terms).

Exhibit A

Details of Processing

1. LIST OF PARTIES:

Name and Address:

Groups360:
Groups360, LLC
103 Powell Court, Suite #300
Brentwood, TN 37027

Customer: As described in the Agreement between the Parties.

Data Protection Contact:

Groups360:
Vice President of Customer Service
[email protected]

Customer: As described in the Agreement between the Parties.

Article 27 EU Representative:

Groups360:
VeraSafe Ireland Ltd
Unit 3D North Point House,
North Point Business Park,
New Mallow Road, Cork T23AT2P
Ireland
Contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/

Customer: As described in the Agreement between the Parties.

Article 27 UK Representative:

Groups360:
VeraSafe United Kingdom Ltd.
Albert Embankment
SE1 7TL, London
United Kingdom
Contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/

Customer: As described in the Agreement between the Parties.

Data Protection Officer:

Groups360:
VeraSafe, LLC
100 M Street S.E., Suite 600
Washington, D.C. 20003
USA
Email: [email protected]
https://www.verasafe.com/about-verasafe/contact-us/

Customer: As described in the Agreement between the Parties.

Activities Relevant to Transferred Data: Processing activities relating to the provision of the Services, as set forth in the Agreement.
Controllership Role:

As set forth in Section 3 of the DPA, each Party may serve one or more of the following roles, according to the purposes of the Personal Data being Processed:

Groups360 as an independent Controller
• Groups360 is an independent Controller of Account Data.

Customer as the Controller and Groups360 as the Processor
• Customer is the Controller of RFP Data and Booking Data submitted to Groups360 when Customer is utilizing the Services on its own behalf, while Groups360 is Customer’s Processor.

Customer as the Processor and Groups360 as the Sub-Processor
• Customer is the Processor of RFP Data and Booking Data submitted to Groups360 when Customer is utilizing the Services on behalf of Customer’s clients, i.e., Customer’s clients are the respective Controllers, whereas Groups360 is Customer’s Sub-Processor.

• E.g., If a client hires Customer as a Processor and Groups360 acts as its Sub-Processor in assisting Customer to perform the client contract, then Customer’s client largely determines the purposes and means of Processing, to which Customer and Groups360 are subject.

Data Transfer Role: Customer is a data exporter and Groups360 is the data importer.

2. DESCRIPTION OF TRANSFER:

Subject Matter of the Processing: The subject matter of the Processing of Customer Personal Data pertains to the provision of Services pursuant to the Agreement.
Nature and Purpose of Processing: Groups360 collects, processes and uses the Personal Data of the Data Subjects on behalf of Customer in order to perform the Services as further described in the Agreement and as further instructed by Customer in its use of the Services, namely, to send Booking Data and RFP Data to Groups360’s hotel partners on behalf of Customers, and to use Account Data to manage Customer’s account.
Further Processing: Groups360 shall not carry out any further processing of Personal Data beyond the provision of the Services under the Agreement.
Retention Criteria (Duration): (The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period.)

Groups360 shall Process Customer Personal Data only for the duration of the Agreement or as allowed under applicable law.

In case Personal Data should be retained, any retention period will be limited to the duration necessary to perform the Services under the Agreement.

Categories of Data Subjects:

Groups360 collects Personal Data of Data Subjects whose Personal Data is provided to Groups360 in its provision of Services, namely:

End Users: End Users are individuals directly using the Services (i.e., Customer’s staff) and have an account with Groups360.

Guests: Guests include guests and prospective guests that have been identified by Customer, whose personal data is provided in order to book services and rooms with Groups360’s hotel partners.

Connected Contacts: Connected Contacts are individuals whose personal data is provided to Groups360 to facilitate Customer’s booking of services and rooms with Groups360’s hotel partners (i.e., Customer’s staff).

Categories of Personal Data:

Groups360 collects the following Personal Data:

From End Users: Account Data, which may include:
• account name, account password, account creation date;
• name, email, phone number;
• company name, department, job title, address (city, state, country);
• any personal data contained in summary comments to Connected Contacts;
• customer support chat history; and
• any other personal data collected from an End User in creating or managing an account.

RFP (Request for Proposal) Data, which may include:
• account name;
• name, email, phone number;
• job title;
• loyalty/rewards membership information; and
• other Personal Data contained in the content of the RFP and submitted attachments.

From Guests: Booking Data, which may include:
• name for the booking;
• email and phone number of reservation holders;
• job title;
• loyalty/rewards membership information;
• billing information (to the extent this information relates to a natural person); and
• any other personal data provided to Groups360 for booking meeting space/hotel rooms.

From Connected Contacts: Account Data, which may include:
• name, email;
• company name, job title; and
• any personal data contained in summary comments.

The Parties agree that no special categories of Personal Data will be transferred, which is, for the sake of clarity, Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or data concerning health or sex life.

Frequency of the Transfer: Regular and repeating for as long as Customer uses the Services.
Subject Matter, Nature, and Duration of Sub-Processors: Any transfer to Sub-Processors will be only as strictly required to perform the Services pursuant to the Agreement. Upon request, Groups360 will provide to Customer a description of Processing for any Sub-Processor(s), including the subject matter, nature, and duration of Processing.
Technical and Organizational Measures of Sub-Processors:

When Groups360 engages a Sub-Processor under the DPA, Groups360 and the Sub-Processor must enter into an agreement with data protection terms substantially similar to those contained in the DPA. Groups360 must ensure that the agreement with each Sub-Processor allows Groups360 to meet its respective obligations with respect to Customer.

In addition to implementing technical and organizational measures to protect Customer Personal Data, Sub-Processors must:
• notify Groups360 in the event of a Personal Data Breach so that Groups360 may immediately notify Customer;
• delete Customer Personal Data when instructed by Groups360 in accordance with Customer’s instructions to Groups360;
• not engage additional Sub-Processors without Groups360’s authorization; and
• not process Customer Personal Data in a manner which conflicts with Customer’s instructions to Groups360.

Appendix I to Exhibit A

List of Sub-Processors

In addition to the information contained in the table below, upon request, Groups360 will provide to Customer: the contact information for any Sub-Processor(s) and a description of Processing for any Sub-Processor(s), including the subject matter, nature, and duration of Processing.

| Sub-Processor’s Legal Entity Name and Website | Location | Products/Services | Description of Sub-Processor’s TOMs |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. (https://aws.amazon.com/) | Washington, USA | Internal Hosting Provider | AWS undergoes a SOC 2 Type II audit annually. A summary of AWS’ security measures is available from Groups360 on request. Refer to https://aws.amazon.com/security/ for further information. |
| Spreedly, Inc. (https://www.spreedly.com/) | USA | Third-Party Payment Services | https://www.spreedly.com/security-compliance |
| Salesforce.com, Inc. (https://www.salesforce.com/) | California, USA | Customer Relationship Management Platform; Marketing Cloud | https://security.salesforce.com/ |
| WalkMe LTD (https://www.walkme.com/) | USA | Digital Wayfinding Services | https://www.walkme.com/walkme-security/ |
| FullStory, Inc. (https://www.fullstory.com/) | USA | Digital Experience Improvement Services | https://www.fullstory.com/privacy-resources/ |
| Stripe, Inc. (https://stripe.com/) | USA | Third-Party Payment Services | https://stripe.com/docs/security |
| Elavon, Inc. (https://www.elavon.com/) | Georgia, USA | Third-Party Payment Services | https://www.elavon.com/solutions/security-and-pci-compliance.html |
| FreedomPay, Inc. (https://corporate.freedompay.com/) | USA | Third-Party Payment Services | Annually, FreedomPay undergoes security audits which include, but are not limited to, Payment Card Industry Data Security Standard (PCI DSS), SSAE16/SSAE18 SOC II Type II, and Payment Card Industry Point-to-Point Encryption (PCI P2PE). Refer to https://corporate.freedompay.com/privacy-policy/ for further information. |
| Adyen NV (https://www.adyen.com/) | Amsterdam, Netherlands | Third-Party Payment Services | Adyen is fully PCI DSS v3.2.1 compliant as a Level 1 Service Provider. Refer to https://docs.adyen.com/development-resources/adyen-data-security for further information. |

Exhibit B

Jurisdiction Specific Terms

1. Argentina.

1.1 Applicability. Wherever the Processing pursuant to the DPA falls within the scope of Argentina’s Personal Data Protection Law 25,326, Regulatory Decree 1558/2001, and any other corresponding decrees, regulations, or guidance governing the Processing of Personal Data in Argentina (collectively “Argentine Data Protection Laws”), the provisions of the DPA and this Section shall apply to such Processing.

1.2 Restricted Transfers. With regard to any Restricted Transfer subject to Argentine Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

I. a valid adequacy decision adopted by the Argentine National Bureau of Personal Data Protection (“NBPDP”);

II. the appropriate SCCs adopted by the NBPDP from time to time; or

III. any other lawful data transfer mechanism, as laid down in Argentine Data Protection Laws.

1.3 Standard Contractual Clauses.

I. The DPA hereby incorporates by reference the SCCs. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the annexures thereto).

II. The Parties agree that any references to annexures within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated SCCs as may be applicable from time to time pursuant to the DPA.

III. For the purposes of the annexures to Annex II of the SCCs promulgated by the NBPDP in its Provision 60-E/2016 (“Argentine SCCs”) and any substantially similar SCCs which may be adopted by the relevant authorities in the future, the content of Annex A of the Argentine SCCs is set forth in Exhibit A.

IV. In cases where the SCCs apply and there is a conflict between the terms of the DPA and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question.

1.4 Termination. Upon termination of the Agreement, Groups360 shall destroy all Personal Data it has Processed on behalf of Customer after the end of the provision of Services relating to the Processing and destroy all copies of the Personal Data unless applicable law requires or permits storage of such Personal Data.

2. Australia. When applicable, the Processing of Customer Personal Data shall be compliant with the Australian Privacy Principles, the Australian Privacy Act (1988), and any other applicable law, regulation, or decree of Australia pertaining to the protection of such information.

3. Brazil. When applicable, the Processing of Customer Personal Data shall be compliant with Brazil’s Lei Geral de Proteção de Dados (Law No. 13.709 of 14 August 2018) and any other applicable law, regulation, or decree of Brazil pertaining to the protection of such information.

4. Bulgaria.

4.1 Applicability. Wherever the Processing pursuant to the DPA falls within the scope of Bulgaria’s Personal Data Protection Act (as amended in November 2019), and any other corresponding decrees, regulations, or guidance, the provisions of the DPA and this Section shall apply to such Processing.

4.2 General. Groups360 shall:

I. return to Customer any Personal Data Processed pursuant to the DPA within a period of one month after having become aware of any Personal Data that has been disclosed (i) without a legal basis pursuant to Article 6(1) of the EU GDPR, or (ii) contrary to the principles under Article 5 of the EU GDPR; or, if this is impossible or would involve disproportionate efforts, erase or destroy the Personal Data; and

II. if the Personal Data is erased or destroyed in accordance with Section 4.2(I) of these Jurisdiction Specific Terms, document such erasure and destruction.

5. Canada. When applicable, the Processing of Customer Personal Data shall be compliant with the Canadian Federal Personal Information Protection and Electronic Documents Act and any other applicable law, regulation, or decree of Canada pertaining to the protection of such information.

6. Colombia.

6.1 Applicability. Wherever the Processing pursuant to the DPA falls within the scope of Colombia’s Data Protection Law No. 1581 of 2012 (“Data Protection Law No. 1581”), Data Protection Decree No. 1377 of 2013 (“Data Protection Decree”), and any corresponding decrees, regulations, or guidance (collectively “Colombian Data Protection Laws”), the provisions of the DPA and this Section shall apply to such Processing.

6.2 Definitions.

I. “Information Processing Policy” (“Política de Tratamiento de la información”) shall have the meaning set forth in Article 13 of the Data Protection Decree.

II. “Personal Data Breach” (as used in the DPA) includes “violations of security codes” [that] “result in risks to the administration of Data Subjects’ information” (“violaciones a los códigos de seguridad y existan riesgos en la administración de la información de los Titulares”), as that phrase is construed under Articles 17(n) and 18(k) of the Data Protection Law No. 1581.

III. “Rights of the Data Subjects” (as used in the DPA) include such Data Subjects’ hábeas data rights, as that phrase is construed under the Constitution of Colombia and Colombian Data Protection Laws.

IV. “Supervisory Authority” (as used in the DPA) includes Colombia’s Superintendency of Industry and Commerce (Superintendencia de Industria y Comercio).

6.3 General. As applicable, Groups360 shall comply with all requirements applicable to Processors under the Colombian Data Protection Laws, including but not limited to obligations under Article 18 of Data Protection Law No. 1581 and Articles 11, 23, and 25 of the Data Protection Decree. Groups360 shall also comply with Customer’s Information Processing Policy, if any.

7. European Economic Area.

7.1 Definitions.

I. “EEA” means the European Economic Area, consisting of the EU Member States, and Iceland, Liechtenstein, and Norway.

II. “EEA Data Protection Laws” means the EU GDPR and all laws and regulations of the EU and the EEA countries applicable to the Processing of Customer Personal Data.

III. “EU 2021 SCCs” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

IV. “EU GDPR” (as used in the DPA) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as may be amended from time to time.

7.2 Restricted Transfers. With regard to any Restricted Transfer subject to EEA Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

I. a valid adequacy decision adopted by the European Commission on the basis of Article 45 of the EU GDPR;

II. the appropriate SCCs adopted by the European Commission from time to time; or

III. any other lawful data transfer mechanism, as laid down in EEA Data Protection Laws.

7.3 Standard Contractual Clauses.

I. The DPA hereby incorporates by reference the SCCs. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the annexures thereto).

II. The Parties agree that any references to clauses, annexures, modules and choices within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated SCCs as may be applicable from time to time pursuant to the DPA.

III. For the purposes of the EU 2021 SCCs and any substantially similar SCCs which may be adopted by the relevant authorities in the future:

(A) the Parties agree to apply the following modules:

1) Module One with respect to Controller-to-Controller Restricted Transfers;

2) Module Two with respect to Controller-to-Processor Restricted Transfers; and

3) Module Three with respect to Processor-to-Sub-Processor Restricted Transfers.

(B) Clause 7: The Parties choose not to include the optional docking clause;

(C) Clause 9(a): The Parties choose option 2, “General Written Authorization,” and the time period set forth in Section 5.2 of the DPA (The procedures for designation and notification of new Sub-Processors are set forth in more detail in Section 5 of the DPA);

(D) Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body;

(E) Clause 13 (Annex I.C): The competent Supervisory Authority is the Data Protection Commission (the Republic of Ireland);

(F) Clause 17: The SCCs shall be governed by the laws of the Republic of Ireland;

(G) Clause 18: Any dispute arising from the SCCs shall be resolved by the courts of the Republic of Ireland;

(H) Annex I (A and B): The content of Annex I (A) and (B) is set forth in Exhibit A;

(I) Annex II: The content of Annex II is available upon request from Groups360 as set forth in Section 6 of the DPA; and

(J) Annex III: The content of Annex III is set out in Appendix I to Exhibit A.

IV. The terms contained in Exhibit C to the DPA supplement the SCCs.

V. In cases where the SCCs apply and there is a conflict between the terms of the DPA and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question.

8. Israel.

8.1 Applicability. Wherever the Processing pursuant to the DPA falls within the scope of Israel’s Protection of Privacy Law (5741-1981), the Protection of Privacy Regulations (Data Security) 5777-2017, and any corresponding decrees, regulations, or guidance, the provisions of the DPA and this Section shall apply to such Processing.

8.2 Deletion or Return of Personal Data. After returning or deleting Customer Personal Data pursuant to Section 11 of the DPA, Groups360 shall provide Customer with written confirmation that it no longer possesses any Customer Personal Data.

8.3 General. Groups360 shall notify Customer, at least once annually (and in a format to be agreed upon by the Parties), on the manner in which Groups360 has implemented its obligations in the DPA.

9. Singapore.

9.1 Applicability. Wherever the Processing pursuant to the DPA falls within the scope of Singapore’s Personal Data Protection Act 2012, Personal Data Protection (Amendment) Bill 2020, Personal Data Protection Regulations 2021, and any corresponding decrees, regulations, or guidance, the provisions of the DPA and this Section shall apply to such Processing.

9.2 Retention of Personal Data. Groups360 shall not retain Customer Personal Data (or any documents or records containing Customer Personal Data, electronic or otherwise) for any period of time longer than is necessary to serve the purposes of the Agreement.

9.3 Deletion or Return of Personal Data. After returning or deleting Customer Personal Data pursuant to Section 11 of the DPA, Groups360 shall provide Customer with written confirmation that it no longer possesses any Customer Personal Data.

10. Switzerland.

10.1 Definitions.

I. “EU 2021 SCCs” means the contractual clauses adopted by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

II. “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

III. “Swiss Data Protection Laws” includes the Federal Act on Data Protection of 19 June 1992 (“FADP”) and the Ordinance to the Federal Act on Data Protection.

10.2 Restricted Transfers. With regard to any Restricted Transfer subject to Swiss Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

I. a valid adequacy decision adopted by the FDPIC on the basis of Article 6 of the FADP;

II. the appropriate SCCs adopted by the FDPIC from time to time; or

III. any other lawful transfer mechanism, as laid down in Swiss Data Protection Laws.

10.3 Standard Contractual Clauses.

I. The DPA hereby incorporates by reference the EU 2021 SCCs, which have been adopted for use by the FDPIC with certain modifications. The Parties are deemed to have accepted, executed, and signed the EU 2021 SCCs where necessary in their entirety (including the annexures thereto).

II. The Parties incorporate and adopt the EU 2021 SCCs for Restricted Transfers subject to Swiss Data Protection Laws in the same manner set forth in Section 7.3 of these Jurisdiction Specific Terms, subject to the following:

(A) Clause 13 (Annex I.C): The competent authority shall be the FDPIC. Nothing about the Parties’ designation of the competent Supervisory Authority shall be interpreted to preclude Data Subjects in Switzerland from applying to the FDPIC for relief;

(B) Clause 17: The SCCs shall be governed by the laws of Switzerland;

(C) Clause 18: Any dispute arising from the SCCs shall be resolved by the courts of Switzerland. The Parties’ selection of forum may not be construed as forbidding Data Subjects habitually resident in Switzerland from suing for their rights in Switzerland;

(D) references to “Regulation (EU) 2016/679” and specific articles therein shall be replaced with references to the FADP and the equivalent articles or sections therein, insofar as there are any Restricted Transfers subject to Swiss Data Protection Laws; and

(E) the SCCs also protect the data of legal entities until the entry into force of the revised FADP.

III. In cases where the SCCs apply and there is a conflict between the terms of the DPA and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question.

11. United Arab Emirates: ADGM.

11.1 Definitions.

I. “ADGM Data Protection Laws” includes the Abu Dhabi Global Market (“ADGM”) Data Protection Regulations 2021 (“DPR 2021”), and any corresponding decrees, regulations, or guidance.

II. “ADGM SCCs” means the contractual clauses adopted by the Commissioner of Data Protection effective from 2021-08-14 relating to the transfer of Personal Data outside the ADGM pursuant to DPR 2021. 

11.2 Personal Data Breach. In addition to those terms contained in Section 7 of the DPA, immediately upon providing notice of a Personal Data Breach, Groups360 shall provide to Customer the name and contact details of the contact point where more information can be obtained.

11.3 Restricted Transfers. With regard to any Restricted Transfer subject to ADGM Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

I. a valid adequacy decision adopted by the Commissioner of Data Protection on the basis of Article 41 of the DPR 2021;

II. the appropriate SCCs adopted by the Commissioner of Data Protection from time to time; or

III. any other lawful data transfer mechanism, as laid down in ADGM Data Protection Laws. 

11.4 Standard Contractual Clauses.

I. The DPA hereby incorporates by reference the SCCs. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the annexures thereto).

II. The Parties agree that any references to clauses, annexures, modules and choices within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated SCCs as may be applicable from time to time pursuant to the DPA.

III. For the purposes of the ADGM SCCs and any substantially similar SCCs which may be adopted by the relevant authorities in the future:

(A) the Parties agree to apply the following modules:

1) Module One with respect to Controller-to-Controller Restricted Transfers;

2) Module Two with respect to Controller-to-Processor Restricted Transfers; and

3) Module Three with respect to Processor-to-Sub-Processor Restricted Transfers.

(B) Clause 7: The Parties choose not to include the optional docking clause;

(C) Clause 9(a): The Parties choose option 2, “General Written Authorization,” and the time period set forth in Section 5.2 of the DPA (The procedures for designation and notification of new Sub-Processors are set forth in more detail in Section 5 of the DPA);

(D) Clause 11: The Parties choose not to include the optional language relating to the use of an independent dispute resolution body;

(E) Clause 17: The SCCs shall be governed by the laws of the United States;

(F) Clause 18: Any dispute arising from the SCCs shall be resolved by the courts of the United States;

(G) Annex I: The content of Annex I is set forth in Exhibit A;

(H) Annex II: The content of Annex II is available upon request from Groups360 as set forth in Section 6 of the DPA; and

(I) Annex III: The content of Annex III is set out in Appendix I to Exhibit A.

IV. In cases where the SCCs apply and there is a conflict between the terms of the DPA and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Transfer in question.

11.5 General. Groups360 shall fully co-operate, on request, with the ADGM Office of Data Protection in the performance of Groups360’s obligations under the ADGM Data Protection Laws.

12. United Arab Emirates: DIFC.

12.1 Definitions.

I. “Commissioner” means the DIFC Commissioner of Data Protection.

II. “DIFC Data Protection Laws” includes the Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020, as amended by DIFC Law No. 2 of 2022 (“DP Law 2020”), the DIFC Data Protection Regulations of 2020 (“Regulations”), and any corresponding decrees, regulations, or guidance.

III. “DIFC SCCs” means the contractual clauses adopted by the Commissioner in accordance with regulations relating to the transfer of Personal Data outside the DIFC pursuant to DP Law 2020.

12.2 Personal Data Breach. In addition to those terms contained in Section 7 of the DPA, immediately upon providing notice of a Personal Data Breach, Groups360 shall provide to Customer the name and contact details of the contact point where more information can be obtained. Groups360 shall fully co-operate with any investigation of the Commissioner in relation to a Personal Data Breach.

12.3 Audit Rights. In addition to those terms contained in Section 10 of the DPA, Groups360 shall make available to the Commissioner, upon request, all information necessary to demonstrate compliance with the obligations laid down in this Section 12 of these Jurisdiction Specific Terms and the DPA, and allow for and contribute to audits, including inspections, conducted by the Commissioner.

12.4 Restricted Transfers. With regard to any Restricted Transfer subject to DIFC Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

I. a valid adequacy decision adopted by the Commissioner on the basis of Article 26 of the DP Law 2020;

II. the appropriate SCCs adopted by the Commissioner from time to time; or

III. any other lawful data transfer mechanism, as laid down in DIFC Data Protection Laws.

12.5 Standard Contractual Clauses.

I. The DPA hereby incorporates by reference the SCCs. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the appendices thereto).

II. The Parties agree that any references to clauses, appendices, and choices within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate, updated SCCs as may be applicable from time to time pursuant to the DPA.

III. For the purposes of the DIFC SCCs and any substantially similar SCCs which may be adopted by the relevant authorities in the future:

(A) The SCCs shall be effective from the Effective Date. The term of the SCCs shall be three (3) years, at which time the DPA will be reviewed and updated as needed in order to comply with then-current DIFC Data Protection Laws.

(B) Clause 7: The Parties choose not to include the optional docking clause;

(C) Clause 9: The Parties choose option 2, “General Written Authorization,” and the time period set forth in Section 5.2 of the DPA (The procedures for designation and notification of new Sub-Processors are set forth in more detail in Section 5 of the DPA);

(D) Clause 16: The Parties choose to include the optional language relating to terminating the SCCs when circumstances change, including where they are no longer required by providing sixty (60) days written notice to the other Party;

(E) Appendix 1: The content of Appendix 1 of the DIFC SCCs is set forth in Exhibit A;

(F) Appendix 2: The content of Appendix 2 of the DIFC SCCs is available upon request from Groups360 as set forth in Section 6 of the DPA; and

(G) Appendix 3: The content of Appendix 3 of the DIFC SCCs is set out in Appendix I to Exhibit A.

IV. In cases where the SCCs apply and there is a conflict between the terms of the DPA and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question.

13. United Arab Emirates: Federal.

13.1 Definitions.

I. “Data Office” means the UAE Data Office established by virtue of Decree-Law No. 44 of 2021.

II. “UAE Federal Data Protection Laws” includes the United Arab Emirates (“UAE”) Personal Data Protection Law (Decree-Law No. 45 of 2021), Decree-Law No. 44 of 2021, and any corresponding decrees, regulations, or guidance.

13.2 Personal Data Breach. In addition to its obligations pursuant to Section 7 of the DPA, immediately upon providing notice of a Personal Data Breach, Groups360 shall describe to Customer in as much detail as reasonably possible: (i) the form and causes of the Personal Data Breach, (ii) the potential and expected impact and consequences of such Personal Data Breach upon Customer and the affected Data Subjects, and (iii) the name and contact details of a contact point where more information can be obtained.

13.3 Restricted Transfers. With regard to any Restricted Transfer subject to UAE Federal Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

I. a valid adequacy decision adopted by the Data Office on the basis of Article 22 of Decree-Law No. 45 of 2021;

II. the appropriate SCCs adopted by the Data Office from time to time; or

III. any other lawful data transfer mechanism, as laid down in UAE Federal Data Protection Laws.

13.4 Standard Contractual Clauses.

I. The DPA hereby incorporates by reference the SCCs. The Parties are deemed to have accepted, executed, and signed the SCCs where necessary in their entirety (including the appendices thereto).

II. The Parties agree that any references to clauses, appendices, and choices within this Section shall be deemed to be the same as the cognate and corresponding references within any appropriate SCCs as may be applicable from time to time pursuant to the DPA.

III. For the purposes of the SCCs and any substantially similar SCCs which may be adopted by the relevant authorities in the future:

(A) The SCCs shall be effective from the Effective Date. The term of the SCCs shall be three (3) years, at which time the DPA will be reviewed and updated as needed in order to comply with then-current UAE Federal Data Protection Laws.

(B) Clause 7: The Parties choose not to include the optional docking clause;

(C) Clause 9(a): The Parties choose option 2, “General Written Authorization,” and the time period set forth in Section 5.2 of the DPA (The procedures for designation and notification of new Sub-Processors are set forth in more detail in Section 5 of the DPA);

(D) Clause 16: The Parties choose to include the optional language relating to terminating the SCCs when circumstances change, including where they are no longer required by providing sixty (60) days written notice to the other Party;

(E) Appendix 1: The content of Appendix 1 of the SCCs is set forth in Exhibit A;

(F) Appendix 2: The content of Appendix 2 of the SCCs is available upon request from Groups360 as set forth in Section 6 of the DPA; and

(G) Appendix 3: The content of Appendix 3 of the SCCs is set out in Appendix I to Exhibit A.

IV. In cases where the SCCs apply and there is a conflict between the terms of the DPA and the terms of the SCCs, the terms of the SCCs shall prevail with regard to the Restricted Transfer in question.

13.5 General.

I. Groups360 shall notify Customer if the Processing exceeds the duration set forth in Part B of Exhibit A so that Customer may extend such duration or issue the appropriate directions.

II. Groups360 shall fully co-operate, on request, with the Data Office in the performance of its obligations under the UAE Federal Data Protection Laws.

14. United Kingdom.

14.1 Definitions.

I. “UK Data Protection Laws” includes the Data Protection Act 2018 and the UK GDPR.

II. “UK GDPR” (as used in the DPA) means the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

III. “UK ICO” means the UK Information Commissioner’s Office.

IV. “UK IDTA” means the International Data Transfer Agreement issued pursuant to Section 119A(1) of the Data Protection Act 2018 and approved by the UK Parliament.

14.2 Restricted Transfers. With regard to any Restricted Transfer subject to UK Data Protection Laws between the Parties, one of the following transfer mechanisms shall apply, in the following order of precedence:

I. a valid adequacy decision adopted pursuant to Article 45 of the UK GDPR;

II. the UK IDTA; or

III. any other lawful data transfer mechanism, as laid down in the UK Data Protection Laws.

14.3 UK IDTA.

I. The DPA hereby incorporates by reference the UK IDTA. The Parties are deemed to have accepted, executed, and signed the UK IDTA where necessary in its entirety.

II. For the purposes of the tables to the UK IDTA:

(A) Table 1: The content of Table 1 is set forth in Part A of Exhibit A;

(B) Table 2:

1) The UK IDTA shall be governed by the laws of England and Wales;

2) Any dispute arising from the UK IDTA shall be resolved by the courts of England and Wales;

3) The Parties’ controllership and data transfer roles are set out in Part A of Exhibit A;

4) The UK GDPR applies to the Data Importer’s Processing of the Personal Data;

5) The DPA and the Agreement set out the instructions for Processing Personal Data;

6) The Data Importer shall Process Personal Data for the time period set out in Part B of Exhibit A. The Parties agree that the Data Importer may terminate the UK IDTA before the end of such time period by serving written notice;

7) The Data Importer may only transfer Personal Data to authorized Sub-Processors (if applicable), as set out within Section 5 of the DPA, or to such third parties that the Data Exporter authorizes in writing or within the Agreement;

(C) Table 3: The content of Table 3 is set forth in Part B of Exhibit A and may be updated in accordance with Section 14 of the DPA; and

(D) Table 4: The content of Table 4 is available upon request from Groups360 as set forth in Section 6 of the DPA and may be updated in accordance with Section 14 of the DPA.

III. Part 2 (Extra Protection Clauses) and Part 3 (Commercial Clauses) of the UK IDTA are noted throughout the DPA.

IV. The terms contained in Exhibit C to the DPA supplement the UK IDTA.

V. In cases where the UK IDTA applies and there is a conflict between the terms of the DPA and the terms of the UK IDTA, the terms of the UK IDTA shall prevail.

15. United States of America.

15.1 Applicability. Wherever the Processing pursuant to the DPA falls within the scope of United States Data Protection Laws (defined below), the provisions of the DPA and this Section shall apply to such Processing.

15.2 Definitions.

I. “United States Data Protection Laws” include, individually and collectively, enacted state and federal laws, acts, and regulations of the United States of America that apply to the Processing of Personal Data, as may be amended from time to time. Such laws include, without limitation:

(A) the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 et seq.), and the California Consumer Privacy Act Regulations, together with all implementing regulations;

(B) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations; 

(C) the Connecticut Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015;

(D) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.; and

(E) the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.

II. “Personal Data Breach” (as used in the DPA) includes “Breach of Security” and “Breach of the Security of the System” as defined under applicable United States Data Protection Laws.

III. The terms “Business Purpose”, “Commercial Purpose”, “Sell”, and “Share” shall have the same meanings as under applicable United States Data Protection Laws, and their cognate and corresponding terms shall be construed accordingly.

15.3 Processing of Customer Personal Data.

I. Customer discloses Customer Personal Data to Groups360 solely for: (i) valid Business Purposes; and (ii) to enable Groups360 to perform the Services.

II. Groups360 shall not: (i) Sell or Share Customer Personal Data; (ii) retain, use or disclose Customer Personal Data for a Commercial Purpose other than providing the Services specified in the Agreement or as otherwise permitted or required by United States Data Protection Laws; (iii) retain, use, or disclose Customer Personal Data except where permitted under the Agreement between Customer and Groups360; nor (iv) combine Customer Personal Data with other information that Groups360 Processes on behalf of other persons or that Groups360 collects directly from the Data Subject, with the exception of Processing for Business Purposes. Groups360 certifies that it understands these prohibitions and agrees to comply with them.

15.4 Termination. Upon termination of the Agreement, Groups360 shall, as soon as reasonably practicable, destroy all Personal Data it has Processed on behalf of Customer after the end of the provision of Services relating to the Processing and destroy all copies of the Personal Data unless applicable law requires or permits storage of such Personal Data.