Version effective as of September 2021
By accepting the terms of the Agreement referring to this Data Processing Addendum (“DPA”), you (“Subscriber”) agree to the terms set forth herein, which are incorporated into the Agreement by reference.
Recitals
AgeVerification.org and Subscriber, on behalf of itself and its Affiliates, have entered into one or more order forms, contracts and/or agreements (“Agreement”) pursuant to which AgeVerification.org has agreed to license software, products and/or provide services to the Subscriber as described in the Agreement (collectively, the “Services”). Capitalized terms used but not otherwise defined in this DPA shall have the meaning ascribed to them in the Agreement. In the event of a conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall control with respect to such conflict. The Agreement includes any exhibits, schedules, appendices, statements of work, or other attachments made part of or incorporated into the Agreement, including this DPA.
By executing the Agreement, Subscriber enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Affiliates, if and to the extent AgeVerification.org processes Personal Data for which such Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term “Subscriber” shall include Subscriber and Affiliates.
In the course of providing the Services to Subscriber pursuant to the Agreement, AgeVerification.org may Process Personal Data on behalf of Subscriber and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
1. Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by AgeVerification.org pursuant to the Agreement.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations applicable to the Processing of Personal Data under the Agreement as amended from time to time. For the avoidance of doubt, if AgeVerification.org’s processing activities involving Personal Data are not within the scope of a given data protection law, such law is not applicable for purposes of this DPA.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations).
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
“Subscriber” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates).
“EU Standard Contractual Clauses” means the standard contractual clauses set forth in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available here.
“Subprocessor” means any Processor engaged by AgeVerification.org or AgeVerification.org’s Affiliates on behalf of AgeVerification.org.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR or, for the United Kingdom, the Information Commissioner’s Office (“ICO”).
2. Processing of Personal Data
2.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Subscriber is the Controller, AgeVerification.org is the Processor, and that AgeVerification.org will engage Subprocessors pursuant to the requirements set forth in Section 5 “Subprocessors” below.
2.2. Subscriber’s Processing of Personal Data. Subscriber shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of AgeVerification.org as Processor. For the avoidance of doubt, Subscriber’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Subscriber is solely responsible for the accuracy, quality, and legality of (i) the Personal Data provided to AgeVerification.org by or on behalf of Subscriber, (ii) the means by which the Subscriber acquired the Personal Data, and (iii) the Instructions it provides to AgeVerification.org. Subscriber shall not provide or make available to AgeVerification.org any Personal Data in violation of the Agreement, or which is otherwise inappropriate for the nature of the Services and shall indemnify AgeVerification.org from all claims and losses in connection with Subscriber’s breach of applicable Data Protection Laws and Regulations.
2.3. AgeVerification.org’s Processing of Personal Data. AgeVerification.org shall treat Personal Data as confidential information and shall Process Personal Data on behalf of and only in accordance with Subscriber’s documented instructions, unless required otherwise by a legal requirement AgeVerification.org is subject to, for the following purposes: (i) Processing in accordance with the Agreement and order form(s); (ii) Processing initiated by users in their use of the Services; (iii) Processing to comply with other documented reasonable instructions provided by Subscriber (e.g., via email) where such instructions are consistent with the terms of the Agreement, and (iv) Processing in compliance with the Data Protection Laws and Regulations. In case AgeVerification.org is subject to a legal requirement, AgeVerification.org shall inform Subscriber of that legal requirement, unless such law prohibits the same.
Subscriber hereby instructs AgeVerification.org to Process Personal Data in accordance with the foregoing and as part of Subscriber’s use of the Services.
2.4. AgeVerification.org’s Role as a Service Provider under the CCPA. The parties acknowledge and agree that AgeVerification.org is a service provider for the purposes of the CCPA and is receiving Personal Data from Subscriber pursuant to the Agreement for a business purpose. AgeVerification.org shall not sell any such Personal Data nor retain, use or disclose any Personal Data provided by Subscriber pursuant to the Agreement except as necessary for performing the Services or otherwise as set forth in the Agreement or as permitted by the CCPA. The terms “service provider,” and “sell” are as defined in Section 1798.140 of the CCPA. AgeVerification.org certifies that it understands the restrictions of this section.
2.5. Details of the Processing. The subject-matter of Processing of Personal Data by AgeVerification.org is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA as well as information on the transfer of Personal Data as required by Annexes I and II of the EU Standard Contractual Clauses (if applicable) are further specified in Schedule 2 to this DPA.
3. Rights of Data Subjects
Data Subject Request. AgeVerification.org shall, to the extent legally permitted, promptly notify Subscriber if AgeVerification.org receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Considering the nature of the Processing, AgeVerification.org shall assist Subscriber by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Subscriber’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
4. AgeVerification.org Personnel
4.1. Confidentiality. AgeVerification.org shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. AgeVerification.org shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2. Limitation of Access. AgeVerification.org shall ensure that AgeVerification.org’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
4.3. Data Protection Officer. AgeVerification.org has appointed a data protection officer.
5. Subprocessors
5.1. Appointment of Subprocessors. Subscriber acknowledges and agrees that (a) AgeVerification.org’s Affiliates may be retained as Subprocessors; and (b) AgeVerification.org and AgeVerification.org’s Affiliates respectively may engage third-party Subprocessors in connection with the provision of the Services. AgeVerification.org or a AgeVerification.org Affiliate has entered into a written agreement with each Subprocessor containing data protection obligations not less protective than those in this DPA with respect to the protection of Subscriber Personal Data to the extent applicable to the nature of the Services provided by such Subprocessor.
5.2. List of Current Subprocessors, Notification of New Subprocessors, and Consent Mechanism. AgeVerification.org shall make available to Subscriber the current list of Subprocessors for the Services. Subscriber hereby generally authorizes AgeVerification.org and AgeVerification.org’s Affiliates to remove or add new subprocessors in accordance with this Section 5. New Subprocessors that access Subscriber’s Personal Data shall be approved by Subscriber via the following consent mechanism:
- AgeVerification.org shall notify Subscriber at least thirty (30) days before authorizing any new subprocessor to access Personal Data by updating the subprocessor to the list online at AgeVerification.org’s Trust Center.
- If Subscriber raises no reasonable objections with AgeVerification.org in writing within this thirty (30) days period, then this shall be taken as an approval of the new subprocessor by Subscriber.
- If Subscriber raises reasonable objections, then AgeVerification.org shall have the right to terminate the affected Service to Subscriber with fourteen (14) days’ notice unless AgeVerification.org decides to (a) continue the Service without the engagement of the Subprocessor which Subscriber objected to, (b) take sufficient steps to address the concerns raised in Subscriber’s objection or (c) in agreement with Subscriber, cease to provide (temporarily or permanently), the particular aspect of the Service that would involve use of the subprocessor. Each Subprocessor shall be bound by data protection obligations consistent with those in this Agreement.
5.3. Liability. AgeVerification.org shall be liable for the acts and omissions of its Subprocessors to the same extent AgeVerification.org would be liable if performing the services of each Subprocessor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6. Security
6.1. Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, AgeVerification.org shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data. AgeVerification.org shall, at a minimum:
- Adopt policies and standards related to information security.
- Assign responsibility for information security management.
- Devote adequate personnel resources to information security.
- Perform reference or background checks on permanent employees that shall have access to personal data and as necessary for compliance requirements (where practicable and lawful in each relevant jurisdiction).
- Require all AgeVerification.org employees to comply with a written Information Security policy.
- Have procedures in place to prevent unauthorized access to Personal Data through the use, as appropriate, of physical and logical entry controls, secure areas for processing, and data loss prevention tools.
- Ensure compliance with policies and standards related to data protection on an ongoing basis.
6.2. Updates to Security Measures. AgeVerification.org is entitled to change the technical and organizational measures at its sole discretion, provided that the overall level of security of the Services is not degraded. Additional information concerning AgeVerification.org’s technical and organizational measures are available at AgeVerification.org’s Trust Center, as updated from time to time.
7. Subscriber Right To Audit
7.1. Audit Rights and Process. For the duration of this DPA, upon Subscriber’s request, not more than once per calendar year, and subject to non-disclosure agreement, AgeVerification.org shall provide to Subscriber the most recent audit report performed by an independent auditor so that Subscriber can reasonably verify AgeVerification.org’s compliance with its data protection obligations. Subscriber agrees to exercise any audit and inspection rights it may have solely by requesting and reviewing such audit report.
7.2. Additional Information Requests. After Subscriber has reviewed the foregoing, in the event that additional information is required to demonstrate compliance with AgeVerification.org’s data protection obligations, Subscriber must notify AgeVerification.org in writing, identifying specifically what obligation the report fails to demonstrate compliance with, the deficiency in the audit report, and areas for which additional information is requested. After review, AgeVerification.org may notify its independent auditor of the identified deficiencies for inclusion in its auditing procedures.
7.3. Access to Additional Documentation. At AgeVerification.org’s discretion, AgeVerification.org shall use reasonable efforts to comply and provide Subscriber (either itself or a registered accredited auditor acting on Subscriber’s behalf, subject to non-disclosure obligations) with access to additional policies, procedures, processes, and/or supporting evidence demonstrating the operation of controls. Subscriber shall give AgeVerification.org no fewer than 30 days’ prior notice, shall not be permitted to keep any copies of additional documentation or make copies, and shall not unreasonably disrupt AgeVerification.org’s business operations. Subscriber shall be responsible for all costs of such audit, and additional charges to offset costs incurred by AgeVerification.org may apply.
8. Data Breach Management and Notification
8.1. Notification of Data Breach. AgeVerification.org agrees to notify Subscriber without undue delay upon discovery of a Data Breach. In the course of notification to Subscriber, AgeVerification.org will provide to Subscriber, as feasible, sufficient information for Subscriber to make any required notifications within the timeline required by Data Protection Laws and Regulations. Such information may include, but is not necessarily limited to: (i) the nature of the Data Breach, and the categories and approximate number of Data Subjects and Personal Data records affected; (ii) the likely consequences of the Data Breach, to the extent consequences are able to be determined; and (iii) any measures taken to address or mitigate the Data Breach.
9. Return and Deletion of Personal Data
9.1. Retention and Deletion. AgeVerification.org shall retain Personal Data received from Subscriber or created on behalf of Subscriber for only so long as necessary to perform the services under the Agreement or as may otherwise be required under applicable law. Upon request from Subscriber, AgeVerification.org agrees to return or destroy the Personal Data received or created pursuant to the Agreement, to the extent permitted by applicable law.
10. Limitation of Liability
10.1. Aggregate Liability. The total liability of each of Subscriber and AgeVerification.org (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this DPA, whether in contract, tort, or other theory of liability is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
11. European Specific Provisions
11.1. GDPR. AgeVerification.org will Process Personal Data in accordance with the GDPR requirements directly applicable to AgeVerification.org’s provision of its Services.
11.2. Data Protection Impact Assessment. AgeVerification.org shall provide reasonable assistance to Subscriber in respect to any data protection impact assessments and/or prior consultations that may be required in respect of processing carried out under the Agreement, to the extent required under the GDPR.
11.3. Notification of Inspection. AgeVerification.org agrees to notify Subscriber of any inspection or audit by a Supervisory Authority concerning compliance with Data Protection Laws and Regulations to the extent related to the Services provided under the Agreement. AgeVerification.org shall cooperate with relevant Supervisory Authorities upon request by Subscriber to a reasonable extent.
11.4. Transfer mechanisms for data transfers. AgeVerification.org makes available the transfer mechanism listed in Schedule 1 which shall apply, to any transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws and Regulations. Furthermore, Schedule 1 contains additional terms on the application of the transfer mechanisms set forth therein.
12. Miscellaneous
12.1. Legal Effect. This DPA may be executed in counterparts, each of which shall be deemed an original, but all of which together shall be deemed to be one and the same agreement. A signed copy of this DPA delivered by facsimile, e-mail, or other means of electronic transmission (to which a signed PDF copy is attached) shall be deemed to have the same legal effect as delivery of an original signed copy of this DPA.
12.2. Jurisdiction Specific Term. To the extent AgeVerification.org Processes Personal Data originating from and protected by Data Protection Laws and Regulations in one of the jurisdictions listed in Schedule 5 (Jurisdiction Specific Terms) of this DPA, the terms specified in Schedule 5 with respect to the applicable jurisdiction(s) apply in addition to the terms of this DPA.
12.3. Conflict. In the event of any conflict or inconsistency between the body of this DPA (including any of its Schedules and Appendices other than those of the EU Standard Contractual Clauses) and the EU Standard Contractual Clauses, the EU Standard Contractual Clauses shall prevail.
List of Schedules
Schedule 1: Transfer Mechanisms and Additional Terms for European Data Transfers
Schedule 2: Details of the Processing and Transfer of Personal Data
Schedule 3: SCC-Matrix
Schedule 4: Parties’ Contact Details and Identification of the Competent Supervisory Authority
Schedule 5: Jurisdiction Specific Terms
Schedule 1 – Transfer Mechanisms and Additional Terms for European Data Transfers
This Schedule 1 sets forth the transfer mechanisms for the transfer of Subscriber’s Personal Data subject to the applicable data protection laws in the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to AgeVerification.org contact (“European Data Transfers”) as well as additional terms on the scope and application of such transfer mechanism when using the Services provided by AgeVerification.org.
European Data Transfers
This section applies to the transfer of Subscriber’s Personal Data to AgeVerification.org when using AgeVerification.org’s Services, provided that transfer of such Personal Data is subject to the GDPR.
1.1. Application of the EU Standard Contractual Clauses
In case Subscriber’s Personal Data subject to the GDPR are transferred to AgeVerification.org, such transfer is subject to the EU Standard Contractual Clauses. The EU Standard Contractual Clauses provide several modules which apply depending on which entity is exporting and importing Subscriber’s Personal Data.
- Where the contractual party to this DPA is AgeVerification.org, Module 3 of the EU Standard Contractual Clauses (processor to processor) applies to and between AgeVerification.org as the “Data Exporter” and AgeVerification.org as the “Data Importer” with respect to the transfer of Subscriber’s Personal Data to AgeVerification.org. AgeVerification.org will provide Subscriber with a copy of the EU Standard Contractual Clauses concluded between AgeVerification.org and AgeVerification.org upon request.
- Where the contractual party to this DPA is AgeVerification.org, Module 2 of the EU Standard Contractual Clauses (controller to processor) applies to and between Subscriber as the “Data Exporter” and AgeVerification.org as the “Data Importer” with respect to the transfer of Subscriber’s Personal Data to AgeVerification.org. In this case, Subscriber must comply with the execution process defined in Section 1.2. of this Schedule 1.
1.2. Execution Process for Module 2 of the EU Standard Contractual Clauses
In case Module 2 of the EU Standard Contractual Clauses applies as defined in Section 1.1 of this Schedule 1, Subscriber must comply with the following execution process:
Schedule 3 contains a matrix (“SCC-Matrix”) which specifies which options provided in Module 2 of the EU Standard Contractual Clauses are applicable and where the information regarding the transfer of personal data required in the Annexes of the EU Standard Contractual Clauses are defined in the DPA.
1.3. Supplementary Measures
AgeVerification.org provides the following supplementary measures to ensure an adequate level of protection pursuant to Article 44 et seq. GDPR for Subscriber’s Personal Data transferred to AgeVerification.org provided that AgeVerification.org is not barred under applicable law to comply with these supplementary measures:
- AgeVerification.org shall notify the Subscriber without undue delay should any public authority request access to Subscriber’s Personal Data. Should AgeVerification.org be barred from notifying the Subscriber in a situation due to applicable law, AgeVerification.org shall without undue delay ensure that transfer of Personal Data to the country that requested the access is ceased and notify the Subscriber that it had to do so. The Parties shall enter into discussions how to mitigate the situation.
- AgeVerification.org shall take without undue delay any available legal recourse against any data access requests by public authorities and not disclose any Personal Data until ordered so by final and binding court decision.
- AgeVerification.org shall assist the Subscriber by providing any information to the extent reasonable if the Subscriber decides to inform the Data Subjects if their Personal Data are affected by a request on data access by a public authority.
- AgeVerification.org will provide Subscriber on a regular basis with a transparency report about requests for access to Personal Data received from public authorities in an aggregated form, including at least information on the amount of data requests, the type of data requested, the requesting public authority and to what extent AgeVerification.org has disclosed personal data to such public authorities.
- AgeVerification.org shall constantly monitor any legal or policy developments that might lead to its inability to comply with the obligations under the EU Standard Contractual Clauses and without undue delay inform the Subscriber of any such changes and developments.
- AgeVerification.org hereby confirms that it has not purposefully created backdoors or similar programming that could be used to access AgeVerification.org’s systems and/or Subscriber’s personal data stored therein.
Further information relating to supplementary safeguards is available upon request.
Schedule 2 – Details of the Processing and Transfer of Personal Data
This Schedule 2 specifies the information on the Processing and the transfer of Personal Data in accordance with Section 2.5 of the DPA.
Description of the Processing activities and roles of the Parties
Subscriber’s use of the AgeVerification.org’s Services involves Processing of Personal Data by AgeVerification.org on behalf of the Subscriber. Any Processing of Personal Data belonging to the Subscriber is carried out by AgeVerification.org acting as Processor, whereby Subscriber is acting as Controller.
AgeVerification.org’s Processing of Subscriber’s Personal Data involves collection, transfer, storage, and other processing activities necessary to provide, maintain and update the Services provided by AgeVerification.org to Subscriber via AgeVerification.org’s systems. Any Personal Data Processed in AgeVerification.org’s systems when using the Services provided by AgeVerification.org are transferred to and stored on servers located in the USA and operated by AgeVerification.org.
Nature and Purpose of Processing
AgeVerification.org will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the documentation, and as further instructed by Subscriber in its use of the Services.
Duration of Processing
Subject to Section 9 of the DPA, AgeVerification.org will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects
Subscriber may submit Personal Data to the Services, the extent of which is determined and controlled by Subscriber in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Business partners and vendors of Subscriber (who are natural persons)
- Employees, agents, advisors, freelancers of Subscriber (who are natural persons)
- Subscriber’s users authorized by Subscriber to use the Services (who are natural persons)
Categories of Personal Data. Subscriber may submit Personal Data to the Services, the extent of which is determined and controlled by Subscriber in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Localization data
- Subscriber ID data
- First and last name
- Contact information (company, email, phone, physical business address)
- Any Personal Data stored by the Subscriber in AgeVerification.org’s cloud environment
- Subscriber’s Personal Data uploaded to the Services in connection with the Agreement
Special categories of data (if appropriate)
Not applicable.
Frequency of the Transfer
Subscriber’s use of AgeVerification.org’s Services during the subscription term involves transfer of Personal Data on a continuous basis.
Retention Periods
AgeVerification.org retains Subscriber’s Personal Data during Subscriber’s subscription term. In case Subscriber’s subscription term ends, AgeVerification.org ceases to transfer and Process Subscriber’s Personal Data and returns or deletes such Personal Data in accordance with the provisions set forth in this DPA.
Transfers to (sub-) processors
AgeVerification.org is using certain (sub-) Processors when providing its Services to Subscriber. For this purpose, such (sub-) Processor may also Process Subscriber’s Personal Data.
Technical and Organizational Measures
AgeVerification.org will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data Processed in the context of providing the Services as made reasonably available by AgeVerification.org.
Schedule 3 – SCC-Matrix
This Schedule 3 only applies if AgeVerification.org is the contractual party to this DPA and Module 2 of the EU Standard Contractual Clauses applies to and between Subscriber and AgeVerification.org as defined in Section 1.1 of Schedule 1. Schedule 3 does not apply if AgeVerification.org is the contractual party to this DPA.
This Schedule 3 specifies the selectable options as well as the necessary information on the third country transfer required under the EU Standard Contractual Clauses.
|
Module 2 of the EU Standard Contractual Clauses (Controller to Processor) |
Specification |
| Clause 7 (Docking clause): Selection of available options | Data Exporter and Data Importer hereby agree that any entity that is not party to the EU Standard Contractual Clauses shall accede thereto as either Data Exporter or Data Importer in accordance with Section I, Clause 7 of the EU Standard Contractual Clause (“Docking Clause”) only upon Data Exporter’s and Data Importer’s explicit confirmation; such confirmation must be in writing. |
| Clause 9 (a) (Use of sub-processors): Selection of available options | Data Exporter and Data Importer hereby agree that Option 2 of Section II, Clause 9.a of the EU Standard Contractual Clauses applies (general authorisation for the engagement of sub-processors). For this purpose, Section 5 of the DPA applies accordingly. |
| Clause 11 (Redress): Selection of available options | Data Exporter and Data Importer hereby agree that the redress option set forth in Section II, Clause 11 of the SCC does not apply. |
| Clause 13 (Supervision), Annex I.C.: Determination of the competent supervisory authority | See the information in Schedule 4. |
|
Clause 17 (Governing law): Selection of available options |
Data Exporter and Data Importer hereby agree that the provisions in Option 1 of Section III, Clause 17 of the EU Standard Contractual Clauses shall apply and the EU Standard Contractual Clauses shall be governed by the laws of Ireland. |
|
Clause 18 (Choice of forum and jurisdiction): Selection of available options |
Data Exporter and Data Importer hereby agree in accordance with Section III, Clause 18 of the EU Standard Contractual Clauses that any disputes arising from the EU Standard Contractual Clauses shall be submitted to the courts of Dublin, Ireland. |
| Annex I.A.: Information on Data Exporter’s name, address, role and activities relevant to the data transferred, contact person’s name, position and contact details | See the information in Schedule 2 and Schedule 4. |
| Annex I.A.: Data Exporter’s signature and date | Signing the Agreement shall be deemed as signing EU Standard Contractual Clauses and its Appendix as described in Section 1.2. of Schedule 1. |
| Annex I.A.: Information on Data Importer’s name, address, role and activities relevant to the data transferred, contact person’s name, position and contact details | See the information in Schedule 2 and Schedule 4. |
| Annex I.A.: Data Importer’s signature and date | Signing the Agreement shall be deemed as signing the EU Standard Contractual Clauses and its Appendix as described in Section 1.2. of Schedule 1. |
| Annex I.B.: Categories of data subjects whose personal data is transferred | See the information in Schedule 2. |
| Annex I.B.: Categories of personal data transferred | See the information in Schedule 2. |
| Annex I.B.: Sensitive data transferred (if applicable) and applied restrictions or safeguards | See the information in Schedule 2. |
| Annex I.B.: Frequency of the transfer | See the information in Schedule 2. |
| Annex I.B.: Nature of the processing | See the information in Schedule 2. |
| Annex I.B.: Purpose of the data transfer and further processing | See the information in Schedule 2. |
| Annex I.B.: Period for which personal data will be retained, or if that is not possible, the criteria used to determine that period | See the information in Schedule 3. |
| Annex I.B.: For transfer to (sub-) processor: subject matter, nature and duration of the processing | See the information in Schedule 2. |
| Annex I.C.: Identity of the competent supervisory authority/ies in accordance with Clause 13 | See the information in Schedule 4. |
| Annex II: Technical and organisational measures | See the information in Schedule 2. |
| Annex III: Information on Sub-processors, including name, address, contact person’s name, position and contact details, description of processing | Not required as Option 2 in Clause 9.a of the EU Standard Contractual Clause shall apply as specified in this Schedule 3. |
Schedule 4 – Parties’ Contact Details and Identification of the Competent Supervisory Authority
This Schedule 4 only applies if AgeVerification.org is the contractual party to this DPA, and Module 2 of the EU Standard Contractual Clauses applies to and between Subscriber and AgeVerification.org as defined in Section 1.1 of Schedule 1. Schedule 4 does not apply if AgeVerification.org is the contractual party to this DPA.
This Schedule 4 sets forth the contact details of the Data Exporter and the Data Importer as required by Annex I of the EU Standard Contractual Clauses to the extent these details are not already specified in this DPA and the other Schedules 1 to 3, as well as the identity of the competent supervisory authority in accordance with Article 13 of the EU Standard Contractual Clauses.
AgeVerification.org’s Contact
Data Protection Officer: [email protected]
Subscriber’s Contact Person(s) and/or Data Protection Officer (if applicable)
Name: as specified in the Agreement
Position, Title: as specified in the Agreement
Contact Details: as specified in the Agreement
Subscriber’s Representative in the EU (if applicable)
Name: as specified in the Agreement
Contact Details: as specified in the Agreement
Identification of the Competent Supervisory Authority
Name: competent supervisory authority in the jurisdiction where the data export is established, as further defined in the Agreement.
Schedule 5 – Jurisdiction Specific Terms
Australia
- The definition of “Data Protection Laws and Regulations” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
- The definition of “Personal Data” includes “Personal Information” as defined under Data Protection Laws and Regulations.
Brazil
- The definition of “Data Protection Laws and Regulations” includes the Lei Geral de Proteção de Dados (“LGPD”).
- The definition of “Processor” includes “operator” as defined under LGPD.
Canada
- The definition of “Data Protection Laws and Regulations” includes the Federal Personal Information Protection and Electronic Documents Act (“PIPEDA”).
- AgeVerification.org’s Subprocessors, as described in Section 5 (Subprocessors) of this DPA, are third parties under PIPEDA, with whom AgeVerification.org has entered into a written contract that includes terms substantially similar to this DPA. AgeVerification.org has conducted appropriate due diligence on its Subprocessors.
Israel
- The definition of “Data Protection Laws and Regulations” includes the Protection of Privacy Law (“PPL”).
- The definition of “Controller” includes “Database Owner” as defined under PPL.
- The definition of “Processor” includes “Holder” as defined under PPL.
Japan
- The definition of “Data Protection Laws and Regulations” includes the Act on the Protection of Personal Information (“APPI”).
- The definition of “Personal Data” includes “Personal Information” as defined under APPI.
- The definition of “Controller” includes “Business Operator” as defined under APPI. As a Business Operator, AgeVerification.org is responsible for the handling of personal data in its possession.
- The definition of “Processor” includes a business operator entrusted by the Business Operator with the handling of personal data in whole or in part (also a “trustee”), as described under APPI. As a trustee, AgeVerification.org will ensure that the use of the entrusted personal data is securely controlled.
Mexico
- The definition of “Data Protection Laws and Regulations” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (“FLPPIPPE”).
Singapore
- The definition of “Data Protection Laws and Regulations” includes the Personal Data Protection Act 2012 (“PDPA”).
- AgeVerification.org will Process Personal Data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 6 (Security) of this DPA and complying with the terms of the Agreement.
Switzerland
- The definition of “Data Protection Laws and Regulations” includes the Swiss Federal Act on Data Protection.
- When AgeVerification.org engages a Subprocessor under Section 5 (Subprocessor) of this DPA, it will require any appointed Subprocessor to protect Subscriber Data to the standard required by Data Protection Laws and Regulations, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
- When AgeVerification.org engages a Subprocessor, it will also require that Subprocessor to either (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection, or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
United Kingdom (UK)
- References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
- When AgeVerification.org engages a Subprocessor under Section 5 (Subprocessor) of this DPA, it will require any appointed Subprocessor to protect Subscriber Data to the standard required by Data Protection Laws and Regulations, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
- When AgeVerification.org engages a Subprocessor, it will also require that Subprocessor to either (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an “adequate” level of protection, or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.
- Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.