Data Processing Agreement 

updated Aug 21st, 2023

 

1. Scope

 

This Data Processing Agreement and any Annexes (collectively “DPA”) reflects an agreement between [customer], and any Permitted Affiliates (“Data Controller”, “Controller”, “you”, “your”) and LEAD TECH Inc. (“Data Processor”, “Processor”, “service provider”, “us”, “our”, “we”) with respect to the Processing of Personal Data by LEAD TECH Inc. on behalf of [customer] in connection with the [Services under the Terms of Service between (controller) and (processor)] (also referred to in this DPA as the “Agreement”). 

 

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

 

Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

 

2. Definitions

 

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

 

“Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy that applies to the respective party in the role of Processing Personal Data in question under the Agreement. This includes, when applicable, European Data Protection Laws (a) Regulation 2016/679 (General Data Protection Regulation) (“EU GDPR”); (b) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (c) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss Data Protection Act”); and the California Consumer Privacy Act (CCPA), to be replaced with the California Privacy Rights Act (CPRA); in each case as may be amended, superseded or replaced from time to time.

 

“Data Subject” means the individual to whom Personal Data relates.

 

“Europe” means the European Union, the European Economic Area and/or their member states, and the United Kingdom. 

 

“Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

 

“Permitted Affiliates” means any of your Affiliates that (i) are permitted to use the Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by us.

 

“Personal Data” means any information relating to an identified or identifiable individual and is protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.

 

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

 

“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

 

“Service provider” shall have the meaning from the California Privacy Rights Act (CPRA), meaning an organization that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer’s personal information for a business purpose.

 

“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021, as may be amended, superseded or replaced from time to time. 

 

“Sub-Processor” means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any employee or consultant.

 

“UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under S.119 (a) of the UK Data Protection Act 2018, as updated or amended from time to time.

“UK GDPR” means the General Data Protection Regulation (EU) 2016/679, as incorporated into the laws of the United Kingdom (“UK”).

 

“UK IDTA” means the International Data Transfer Agreement issued under Section 119A of the Data Protection Act 2018 and that came into force on March 21, 2022.

 

3. Responsibilities of the Data Processor 

 

3.1 For the purposes of this DPA, LEAD shall be considered a data processor under GDPR, UK GDPR, a service provider under CCPA and CPRA, and similar classifications under any other applicable data protection regulations or laws.

 

3.2 Data Processor will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of Data Controller’s lawful Instructions, except where and to the extent otherwise required by applicable law. We are not responsible for compliance with any Data Protection Laws applicable to you or your industry that are not generally applicable to us. 

 

3.3 The Data Processor will only process the Personal Data on documented instructions of the Data Controller to the extent that this is required for the provision of the Services. Should the Data Processor reasonably believe that a specific processing activity beyond the scope of the Data Controller’s instructions is required to comply with a legal obligation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal obligation prior to processing the necessary Personal Data. The Data Processor shall never process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. The Data Processor shall notify the Data Controller if, in its opinion, any instruction infringes upon any relevant Data Protection Laws. Such notification will not constitute a general obligation on the part of the Data Processor to monitor or interpret the laws applicable to the Data Controller, and such notification will not constitute legal advice to the Data Controller. 

 

3.4 The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those processing activities detailed in this DPA, and any relevant Agreement and Annexes, provided that all such discretion is compatible with the requirements of this DPA.

 

3.5 The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Services, including, when relevant, one or more lawful bases as set forth in Data Protection Laws. To the extent required by Data Protection Law, the Data Controller is responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in Data Protection Law supports the lawfulness of the processing, that any necessary data subject consents to the Processing are obtained, and for ensuring that a record of such consents is maintained. Should such consent be revoked by a data subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and the Data Processor remains responsible for implementing Data Controller’s instruction with respect to the processing of that Personal Data.

 

3.6 Data Processor will implement and maintain appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Sections 5 and 6 of this DPA. Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

 

3.7 Confidentiality. We will ensure that any personnel whom we authorize to Process Personal Data on our behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

 

3.8 Data Processor will notify you without undue delay after it becomes aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.

 

3.9 We will delete or return all Controller-provided Personal Data (including copies thereof) Processed pursuant to this DPA on termination of your Agreement in accordance with the procedures and timeframes set out in the Agreement. For clarity, LEAD may continue to process Customer Personal Data that has been aggregated or anonymized in a way that does not identify individuals or customers to improve LEAD’s systems and services.

 

3.10 LEAD shall process data as a service provider under CCPA and CPRA and shall not process, retain, use, or disclose Personal Data for any purpose other than for the purposes set out in the Agreement, DPA and as permitted under applicable Data Protection Laws. LEAD shall not sell or share information as those terms are defined under the CCPA and CPRA.

 

 

4. Responsibilities of the Data Controller

 

4.1 Within the scope of this DPA and any use of LEAD TECH Inc. Services, Data Controller will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws.

 

4.2 In particular, but without prejudice to the generality of the foregoing, you acknowledge and agree that you will be solely responsible for: (i) the accuracy, quality, and legality of Customer Data and the means by which you acquired Personal Data; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes); (iii) ensuring you have the right to transfer, or provide access to, the Personal Data to us for Processing in accordance with the terms of this DPA; (iv) ensuring that your Instructions to us regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws. You will inform us without undue delay if you are not able to comply with your responsibilities under this subsection (4) or applicable Data Protection Laws.

 

4.3 This DPA and any related Annexes and Service Agreements constitute Controller’s complete and final instructions to us in relation to the Processing of Personal Data, and additional instructions outside the scope of the instructions shall require a prior written agreement between us and you.

 

5. Security 

 

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk.

 

5.2 Both the Data Controller and the Data Processor shall maintain written security policies that are fully implemented and applicable to the processing of Personal Data.

 

5.3 At the request of the Data Controller, the Data Processor shall demonstrate the security measures it has taken and shall allow the Data Controller to audit and test such measures, provided the Data Controller provides reasonable notice and reimburses Data Processor for any costs incurred.

 

6. Personal Data Breach

 

6.1 When the Data Processor becomes aware of an incident that has a material impact on the Processing of the Personal Data that is the subject of this DPA, it shall promptly notify the Data Controller about the incident, shall cooperate with the Data Controller, and shall follow the Data Controller’s reasonable instructions with regard to such incidents. 

 

6.2 For clarity, “Personal Data Breach” will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

 

 

7. Sub-Processors

 

7.1 The Data Processor may engage Sub-Processors to Process Personal Data on your behalf. Our current Sub-Processors are listed here. We will notify you if we add or remove Sub-Processors to Annex prior to any such changes. 

 

7.2 If the Data Controller timely sends the Processor a written objection notice, setting forth a reasonable basis for objection, the Parties will make a good-faith effort to resolve Data Controller’s objection.

 

7.3 Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of its obligations under this DPA.

 

 

8. Data Transfers

 

8.1 Data Processor may access and Process Personal Data on a global basis as necessary to fulfill this DPA, and in particular that Personal Data may be transferred to and Processed in the United States and to other jurisdictions. We will ensure such transfers are made in compliance with the requirements of Data Protection Laws. 

 

8.2 To the extent that the Data Controller or the Data Processor are relying on specific mechanisms for international data transfers and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.

 

8.3 If and when the EU-U.S. DPF and Swiss-U.S. DPF are recognized as valid data transfer mechanisms, they will serve as the default means of compliance with the data transfer provisions of relevant Data Protection Laws, unless an alternative is mutually agreed upon in writing by the Data Processor and Data Controller. Clause 8.3 will remain in effect even if new data transfer agreements emerge between the governments of the U.S., EU, and Switzerland that might supersede the DPF.

 

8.4 When required for transferring data, Standard Contractual Clauses shall be deemed incorporated into and form an integral part of the Agreement in accordance with Annex B of this DPA.

 

9. Data Subject Rights

 

9.1 Data Processor shall assist Data Controller in providing responses to data subjects exercising rights under applicable Data Protection Laws in a manner consistent with this DPA and any related Agreements. To the extent the Controller does not have the ability to address the request, Data Processor shall provide reasonable assistance and Data Controller shall reimburse Processor for reasonable costs arising out of such assistance. Reasonable assistance includes taking appropriate technical and organizational measures taking into account the Processing activity. 

 

9.2 If such requests are made directly to the Data Processor, Data Processor will promptly inform Data Controller and will advise Data Subjects to submit their request directly to the Controller. Controller shall then be responsible for responding to any Data Subjects’ requests.

 

10. Liability and Indemnity 

 

10.1 The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third party claims, losses, damages, and expenses incurred by the Data Controller arising out of a breach of this Data Processing Agreement by actions taken under the sole discretion of the Data Processor. The Data Controller indemnifies the Data Processor and holds the Data Processor harmless against all claims, actions, third party claims, losses, damages, and expenses incurred by the Data Processor arising out of a breach of this Data Processing Agreement.

 

10.2 Each party and each of their Affiliates’ liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Agreement.

 

10.3 Nothing in this Section 10 will affect any party’s liability to data subjects under the third-party beneficiary provisions of Standard Contractual Clauses to the extent the limitation of such rights is prohibited by applicable Data Protection Laws, where applicable. 

 

 

11. Duration and Termination 

 

11.1 This DPA shall come into effect on the effective date of the signing. 

 

11.2 Termination shall occur according to the process detailed in the Agreement. Termination or expiration of this DPA shall not discharge the Data Processor from its confidentiality obligations pursuant to Article 3.

 

 

12. Miscellaneous

 

12.1 All notices and communications given under this DPA must be in writing and will be delivered personally, sent by email to the address as notified from time to time by the Parties changing address. Such notices shall be provided according to the process detailed in the Agreement. 

 

12.2 In the event of any inconsistency between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.  

 

12.3 Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

 

12.4 This DPA will be governed by and construed in accordance with the laws of California unless required otherwise by Data Protection Laws.  

 

Annex 1 

Details of Processing

The categories of Data Subjects about which Personal Data may be Processed, the categories of Personal Data being processed, and the nature, purpose, and duration of the Processing are detailed below.

 

Categories of Data Subjects:

 

  • Current and past Customer employees 

Categories of Personal Data 

  • Identifiers, including name, emails, and social media accounts.
  • Employment related information such as job title, skills, and interests.
  • IP address and device information.
  • Other information Employees provide on or through LEAD’s Services.
  • Inferences drawn from any of the information above to create a profile about an Employee reflecting the Employee’s preferences and characteristics.

 

Description of Safeguards in Place, in particular related to Sensitive Data 

N/A

 

Nature of the Processing 

  • Receiving data, including collection, accessing, retrieval, recording, and data entry
  • Holding data, including storage, organization and structuring
  • Updating data, including correcting, adaptation, alteration, alignment and combination
  • Erasing data, including destruction and deletion

 

Purpose(s) of the Processing

  • Performing the Services as described in the Agreement

 

Duration of Processing

For as long as the Processor is permitted or required to retain the Personal Data to provide the Services.

 

 

Annex B

Standard Contractual Clauses