[Example: Create your own version and remove this note and the footer before using]

Example Schedules for Bonterms Data Protection Addendum (DPA)

 

Schedule 1Subject Matter and Details of Processing
Schedule 2Technical and Organizational Measures
Schedule 3Cross-Border Transfer Mechanisms
Schedule 4Region-Specific Terms

Schedule 1: Subject Matter and Details of Processing

Customer / ‘Data Exporter’ Details

Name:
Contact details for data protection:
Main address:
Customer activities:
Role:Controller

Provider / ‘Data Importer’ Details

Name:
Contact details for data protection:
Main address:
Provider activities:
Role:Processor

Details of Processing

Categories of Data Subjects:
Categories of Customer Personal Data:
Sensitive Categories of Data and additional associated restrictions/safeguards:
Frequency of transfer:
Nature of the Processing:
Purpose of the Processing:
Duration of Processing / retention period:
Transfers to Subprocessors:

Schedule 2: Technical and Organizational Measures

[Describe specific applicable measures and refer as applicable to Security Measures under the Agreement]

 


Schedule 3: Cross-Border Transfer Mechanisms

1. Definitions. Capitalized terms not defined in this Schedule are defined in the DPA.

1.1.  “EU Standard Contractual Clauses” or “EU SCCs” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

1.2.  “UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force as of March 21, 2022.

1.3.  In addition:

Designated EU Governing Law” means:

Designated EU Member State” means:

[parties to specify]

[parties to specify]

2. EU Transfers. Where Customer Personal Data is protected by EU GDPR and is subject to a Restricted Transfer, the following applies:

2.1.  The EU SCCs are hereby incorporated by reference as follows:

(a) Module 2 (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and Provider is a Processor of Customer Personal Data;

(b) Module 3 (Processor to Processor) applies where Customer is a Processor of Customer Personal Data (on behalf of a third-party Controller) and Provider is a Processor of Customer Personal Data;

(c) Customer is the “data exporter” and Provider is the “data importer”; and

(d) by entering into this DPA, each party is deemed to have signed the EU SCCs (including their Annexes) as of the DPA Effective Date.

2.2.  For each Module, where applicable the following applies:

(a) the optional docking clause in Clause 7 does not apply;

(b) in Clause 9, Option 2 will apply, the minimum time period for prior notice of Subprocessor changes shall be as set out in Section 4.3 of this DPA, and Provider shall fulfill its notification obligations by notifying Customer of any Subprocessor changes in accordance with Section 4.3 of this DPA;

(c) in Clause 11, the optional language does not apply;

(d) in Clause 13, all square brackets are removed with the text remaining;

(e) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Designated EU Governing Law;

(f) in Clause 18(b), disputes will be resolved before the courts of the Designated EU Member State;

(g) Schedule 1 (Subject Matter and Details of Processing) to this DPA contains the information required in Annex 1 of the EU SCCs; and

(h) Schedule 2 (Technical and Organizational Measures) to this DPA contains the information required in Annex 2 of the EU SCCs.

2.3.  Where context permits and requires, any reference in this DPA to the EU SCCs shall be read as a reference to the EU SCCs as modified in the manner set forth in this Section 2.

3. Swiss Transfers. Where Customer Personal Data is protected by the FADP and is subject to a Restricted Transfer, the following applies:

3.1.  The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:

(a) in Clause 13, the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner;

(b) in Clause 17 (Option 1), the EU SCCs will be governed by the laws of Switzerland;

(c) in Clause 18(b), disputes will be resolved before the courts of Switzerland;

(d) the term Member State must not be interpreted in such a way as to exclude Data Subjects in Switzerland from enforcing their rights in their place of habitual residence in accordance with Clause 18(c); and

(e) all references to the EU GDPR in this DPA are also deemed to refer to the FADP.

4. UK Transfers. Where Customer Personal Data is protected by the UK GDPR and is subject to a Restricted Transfer, the following applies:

4.1.  The EU SCCs apply as set forth in Section 2 (EU Transfers) of this Schedule 3 with the following modifications:

(a) each party shall be deemed to have signed the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under section 119 (A) of the Data Protection Act 2018;

(b) the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of Customer Personal Data;

(c) in Table 1 of the UK Addendum, the parties’ key contact information is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;

(d) in Table 2 of the UK Addendum, information about the version of the EU SCCs, modules and selected clauses which this UK Addendum is appended to are located above in this Schedule 3;

(e) in Table 3 of the UK Addendum:

(i) the list of parties is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;

(ii) the description of transfer is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA;

(iii) Annex II is located in Schedule 2 (Technical and Organizational Measures) to this DPA; and

(iv) the list of Subprocessors is located in Schedule 1 (Subject Matter and Details of Processing) to this DPA.

(f) in Table 4 of the UK Addendum, both the Importer and the Exporter may end the UK Addendum in accordance with its terms (and the respective box for each is deemed checked); and

(g) in Part 2: Part 2 – Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119 (A) of the Data Protection Act 2018 on 2 February 2022, as it is revised under section ‎‎18 of those Mandatory Clauses.


Schedule 4: Region-Specific Terms

A. CALIFORNIA

1. Definitions. CCPA and other capitalized terms not defined in this Schedule are defined in the DPA.

1.1.  “business purpose”, “commercial purpose”, “personal information”, “sell”, “service provider” and “share” have the meanings given in the CCPA.

1.2.  The definition of “Data Subject” includes “consumer” as defined under the CCPA.

1.3.  The definition of “Controller” includes “business” as defined under the CCPA.

1.4.  The definition of “Processor” includes “service provider” as defined under the CCPA.

2. Obligations.

2.1.  Customer is providing the Customer Personal Data to Provider under the Agreement for the limited and specific business purposes of providing the Cloud Services as described in Schedule 1 (Subject Matter and Details of Processing) to this DPA and otherwise performing under the Agreement.

2.2.  Provider will comply with its applicable obligations under the CCPA and provide the same level of privacy protection to Customer Personal Data as is required by the CCPA.

2.3.  Provider acknowledges that Customer has the right to: (i) take reasonable and appropriate steps under Section 9 (Audits) of this DPA to help to ensure that Provider’s use of Customer Personal Data is consistent with Customer’s obligations under the CCPA, (ii) receive from Provider notice and assistance under Section 7 (Data Subject Requests) of this DPA regarding consumers’ requests to exercise rights under the CCPA and (iii) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

2.4.  Provider will notify Customer promptly after it makes a determination that it can no longer meet its obligations under the CCPA.

2.5.  Provider will not retain, use or disclose Customer Personal Data: (i) for any purpose, including a commercial purpose, other than the business purposes described in Section 2.1 of this Section A (California) of Schedule 4 or (ii) outside of the direct business relationship between Provider with Customer, except, in either case, where and to the extent permitted by the CCPA.

2.6.  Provider will not sell or share Customer Personal Data received under the Agreement.

2.7.  Provider will not combine Customer Personal Data with other personal information except to the extent a service provider is permitted to do so by the CCPA.

3. Activity Prior to January 1, 2023. To the extent this Section A (California) of Schedule 4 is in effect prior to January 1, 2023, Provider’s obligations hereunder that are required solely by amendments to the CCPA made by the California Privacy Rights Act regarding contractual obligations of service providers shall only apply on and after January 1, 2023.