1) Rhetorik and Customer wish to enter into this DPA so that Rhetorik may provide Customer with certain data, including some Rhetorik Personal Data (the Services). This DPA is supplemental to any Data Licensing Agreement (Agreement). Should any of the provisions of this DPA conflict with the terms and conditions of the Agreement, the provisions of this DPA shall prevail.

2) For the purposes of this DPA, the following terms have the following meanings:

The terms “personal data”, “controller”, “processor”, “processing”, “data subject”, “supervisory authority” and “appropriate technical and organisational measures” shall have the meanings ascribed to them under the Regulation (defined below), as applicable.

“Affiliate” means in relation to any company, any direct or indirect subsidiary or holding company of that company or any direct or indirect subsidiary of any such holding company.

“Data Discloser” means a Party that discloses Personal Data to the other Party.

“Data Protection Law” means the Regulation and all other laws and regulations of any jurisdiction, as amended or replaced from time to time, that relate to the processing of personal data, applicable to Rhetorik’s provision of the services and/or Customer and its Affiliates’ receipt of the services.

“Extended EEA Country” means a country within the European Economic Area (including the EU), Switzerland and the UK.

“Extended EEA Personal Data” means personal data as defined in the Data Protection Laws of the applicable Extended EEA Country, the processing of which in connection with the services and/or products provided under the Agreement, is governed by the Data Protection Laws of the applicable Extended EEA Country.

“Rhetorik Personal Data” means all personal data which is (i) supplied, or in respect of which access is granted, to Customer, or (ii) produced or generated by or on behalf of Customer, in connection with this DPA.  

“Regulation” means the UK Data Protection Act 2018 and the General Data Protection Regulation 2016 (GDPR)

“Reportable Breach” means any unauthorised or unlawful processing, disclosure of, or access to, Rhetorik Personal Data and/or any accidental or unlawful destruction of, loss of, alteration to, or corruption of Rhetorik Personal Data.

“Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission decision of 4 June 2021 and published under document number C(2021) 3972 available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en&uri=CELEX:32021D0914.

“Sub-processor” means any processor who is or will be processing Rhetorik Personal Data as a result of the Customer’s subcontracting any of its obligations under the Agreement.

“Customer Party” means Customer and any applicable Customer Affiliate that is party to the Agreement.

“Third Country” means a country which is not deemed adequate to receive Extended EEA Personal Data under the Data Protection Laws of the applicable Extended EEA Country.

“Third Country Customer Party” means a contracting Customer Party located in a Third Country to which the Transferring Rhetorik Entity transfers Extended EEA Personal Data.

“Transferring Rhetorik Entity” has the meaning given to it in paragraph 22.

“Transferred Personal Data” means any Extended EEA Personal Data, the transfer of which by the Transferring Rhetorik Entity is subject to the Standard Contractual Clauses by virtue of paragraph 22.

3) The Parties agree the following sets out the Information required by the Regulation in relation to Customer’s processing of Rhetorik Personal Data:

Permitted Recipients

4) The parties to this DPA and Agreement, the employees of each party and any third parties engaged to perform obligations in connection with this DPA and Agreement.

Roles of the Parties

5) The Parties agree that for the purposes of this DPA and Customer’s processing of the Rhetorik Personal Data in connection with the Services, Customer and Rhetorik shall act as separate and independent Data Controllers.

Compliance with Data Protection Laws

6) Each Party shall be individually and separately responsible for complying with the obligations that apply to it as a Data Controller under any applicable Data Protection Laws in relation to the Personal Data Processed under this DPA and Agreement. Customer shall only process the Rhetorik Personal Data in compliance with, and shall not cause itself or Rhetorik to be in breach of, any Data Protection Law.

Each party shall:

(a) ensure that it has all necessary notices and consents in place to enable lawful transfer of the Personal Data to the Permitted Recipients for the Agreed Purposes;

(b) give full information to any data subject whose personal data may be processed under this agreement of the nature of such processing;

(c) process the Personal Data only for the Agreed Purposes;

(d) not disclose or allow access to the Personal Data to anyone other than the Permitted Recipients;

(e) ensure that all Permitted Recipients are subject to written contractual obligations concerning the Shared Personal Data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement;

(f) not transfer any personal data received from the Data Discloser outside an Extended EEA Country unless the transferor:

(g) complies with the provisions of Article 26 of the GDPR (in the event the third party is a joint controller), and

(h) ensures that (i) the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the GDPR; or (ii) there are appropriate safeguards in place pursuant to Article 46 GDPR; or (iii) Binding corporate rules are in place or (iv) one of the derogations for specific situations in Article 49 GDPR applies to the transfer.

Security

7) Customer shall:

(a) maintain appropriate technical and organisational measures to ensure the security of the Rhetorik Personal Data including protection against unauthorised or unlawful processing (including, without limitation, disclosure of, access to and/or alteration) of Rhetorik Personal Data and against accidental loss, destruction or damage and so that the processing of the personal data shall meet the requirements of Data Protection Law and ensure the protection of the rights of data subjects;

(b) take all reasonable steps to ensure the reliability of any staff who may have access to, or are authorised to process, Rhetorik Personal Data and ensure such staff have committed themselves to obligations of confidentiality or are under statutory obligations of confidentiality and at all times act in compliance with Data Protection Law and the obligations of this DPA; and

(c) make available to Rhetorik all Information necessary to demonstrate compliance with this DPA and promptly contribute to audits conducted by Rhetorik or its designated auditor, provided these are notified in writing to the Customer in advance, subject to reasonable confidentiality restrictions and not conducted more than once each year during the term of the Agreement (unless Rhetorik has reasonable grounds to believe Customer is in breach of this DPA).

Mutual Assistance

8) Each party shall assist the other in complying with all applicable requirements of any applicable Data Protection Laws. In particular, each party shall:

(a) provide the other party with reasonable assistance in complying with any data subject access request;

(b) assist the other party, at the cost of the other party, in responding to any request from a data subject and in ensuring compliance with its obligations under the applicable Data Protection Laws with respect to security, personal data breach notifications, data protection impact assessments and consultations with supervisory authorities or regulators;

(c) notify the other party without undue delay on becoming aware of any breach of the applicable Data Protection Laws;

(d) on termination or expiry of the relevant Agreement or this DPA, for whatever reason, cease all use of the Rhetorik Personal Data and transfer all Rhetorik Personal Data to Rhetorik or a nominated third party (in a mutually agreed format and by a mutually agreed method) unless instructed by Rhetorik to retain or delete the Rhetorik Personal Data except that Customer shall be entitled to retain specific Rhetorik Personal Data if required to do so by applicable law;

(e) use compatible technology for the processing of Personal Data to ensure that there is no lack of accuracy resulting from personal data transfers;

(f) provide the other party with contact details of at least one employee as point of contact and responsible manager for all issues arising out of applicable Data Protection Laws, including the joint training of relevant staff, the procedures to be followed in the event of a data security breach, and the regular review of the parties’ compliance with the applicable Data Protection Laws.

Record keeping

9) The customer shall maintain records of processing as required for processors under Article 30 (Records of processing activities) of the Regulation in respect of the Rhetorik Personal Data.

Transfers to countries subject to Extended EEA Country adequacy decisions

10) Extended EEA Personal Data may be transferred from an Extended EEA Country to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the relevant Extended EEA Country, as applicable, without any further safeguards being necessary.

Transfers to Third Country Customer Party and population of the Standard Contractual Clauses

11) Where Rhetorik transfers Extended EEA Personal Data to Third Country Customer Party, the Standard Contractual Clauses shall apply to the Third Country Customer Party’s processing of such Extended EEA Personal Data as set out in this DPA and the Standard Contractual Clauses shall constitute a separate agreement between Rhetorik acting as a data exporter and Third Country Customer Party acting as a data importer.

12) With effect from the commencement of the relevant transfer, Rhetorik (as “data exporter”) and Third Country Customer Party (as “data importer”), hereby enter into the EU Standard Contractual Clauses (mutatis mutandis, as the case may be) as they apply to ‘MODULE ONE: Transfer controller to controller’ in respect of any transfer (or onward transfer) from Rhetorik to Customer where such transfer would otherwise be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address Data Protection Laws).

(a) Clause 17 Governing Law of the Standard Contractual Clauses shall be deemed to be prepopulated with Ireland.

(b) Annex I, Part A (List of parties) of the Standard Contractual Clauses is deemed to be completed with: (i) the details of the exporting Transferring Rhetorik Entity (as data exporter and controller); and (ii) the details of the applicable Third Country Customer Party (as data importer and controller);

(c) Annex I, Part B (Description of the transfer) of the Standard Contractual Clauses is deemed to be completed with the Information set out in Annex 1 to this DPA;

(d) Annex II of the Standard Contractual Clauses (Technical and organisational measures including technical and organisational measures to ensure the security of the data) is deemed to be completed with the details set out in paragraph 7(a) of this DPA and any other measures the Customer has implemented in order to conclude that the transfer meets Data Protection Laws;

(e) The customer will undertake a transfer impact assessment and not make the transfer unless it concludes that such transfer complies with the provisions of the Standard Contractual Clauses.

Additional country requirements

13) If a Customer Party at any time processes personal data originating from Rhetorik in any country which restricts the processing, export, or use of the personal data outside that country (including an Extended EEA Country), the relevant Customer Party will, on Rhetorik instructions, take all necessary actions and execute such agreements as may be necessary under applicable data protection law in such country to legitimise any processing or data transfer of personal data to Customer Party and to ensure an adequate level of protection for the relevant personal data.

14) In the event that any competent judicial or supervisory authority holds that a data transfer mechanism relied on by the Parties is invalid, or any competent judicial, executive, legislative or supervisory authority requires transfers of personal data made pursuant to such mechanism to be suspended, then Rhetorik may, at its discretion, require Customer to cease processing personal data, or co-operate with it to facilitate use of an alternative transfer mechanism.

Liability and Indemnity

15) Customer shall indemnify Rhetorik against all costs, claims, fines, losses and liabilities of whatsoever nature arising from or incurred by Rhetorik in connection with any failure of Customer to comply with the provisions of this DPA and/or Data Protection Law in respect of its processing of Rhetorik Personal Data. Any limitation of liability and exclusion of loss provisions in the Agreement shall not apply to this indemnity.

16) If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this DPA, and if it is deemed deleted, the Parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

Annex 1 – Standard details of processing

Where Module One of the Standard Contractual Clauses apply:

1. Categories of Data Subjects whose personal data is transferred: such Data Subjects whose Transferred Personal Data is strictly required by the Third Country Customer Party (as data importer) to provide the Services, including the Information detailed at paragraph 3 of the DPA;
2. Categories of Transferred Personal Data: such Transferred Personal Data as is strictly required by the Third Country Customer Party (as data importer) to provide the Services, including the Information detailed at paragraph 3 of the DPA;
3. Special categories of personal data transferred (if applicable): Not applicable;
4. Frequency of the transfer: regular, as required in connection with the provision and receipt of the Services;
5. Nature and purpose(s) of the data transfer and further processing: strictly to provide the Services, in accordance with applicable Data Protection Laws and Rhetorik (as data exporter) instructions, including the Information detailed at paragraph 3 of the DPA;
6. The period for which the Transferred Personal Data will be retained, or if that is not possible, the criteria used to determine that period: for no longer than is necessary to provide the Services (unless otherwise agreed with Rhetorik).
7. The competent supervisory authority/ies in accordance with Clause 13: Data Protection Commission, Ireland