LAST UPDATED: 1 March 2023
1. BACKGROUND AND PURPOSE OF SCHEDULE
“Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”) and other European Union wide data protection laws applicable to the Processing, as amended from time to time.
“Model Clauses” means the contractual clauses determined by the European Commission on offering sufficient safeguards for international data transfers, as may be updated or replaced from time to time.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Process” or “Processing” means any operation or set of operations which is performed on the Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Subcontractor” means the third parties that the Supplier uses in the performance of its contractual duties under the Agreement.
3. PROCESSING AND SUPPLIER’S DUTIES
3.1 The Supplier mainly uses the Personal Data for the purposes specified in the Agreement and based on documented instructions from the Customer, unless required to do so by European Union (“EU”) or EU Member State law to which the Supplier is subject; in such a case, the Supplier shall inform the Customer of that legal requirement before the Processing, unless that law prohibits such information on important grounds of public interest. Such documented instructions are hereby given by the Customer to the Supplier and are limited to: the Customer gives the Supplier instructions to Process the Personal Data in order for the Supplier and its Subcontractors to provide the run.events Software Service in accordance with the service specification of the Supplier as amended by the Supplier from time to time. If the Customer desires to amend the documented instructions or give new documented instructions to the Supplier, the amended and new instructions are subject to the Supplier’s written consent and may be priced in accordance with the Separate Pricing. Transfers of the Personal Data to a third country (meaning a country outside of the European Economic Area or the EU) are permitted if legally permitted based on the Laws (such as based on the Model Clauses or the European Commission’s adequacy decision) or if consented to by the Customer. When the Customer gives its consent to the transfer or requests the transfer, the Customer is liable for the transfer being lawful. The servers where the Personal Data is hosted by the Supplier and its subcontractors are within the European Economic Area unless otherwise consented to by the Customer.
3.2 The Customer hereby gives the Supplier a general authorisation to use the Personal Data for other purposes than are specified in the Agreement that are directly related to the improvement of the run.events Service offered to the Customer. Such purposes are for example test running, analytics and organising customer satisfaction surveys among Service users. The Supplier shall carry out legitimate interest assessment(s) to fulfil named purpose(s) together with an adequate process for management of Data Subject’s objection(s) to the Processing of Personal Data.
3.3 If, based on the Laws or any other applicable legislation, regulations or decisions of authorities, the Supplier is at any time instructed or required to assist the Customer in performing the Customer’s obligations to respond to requests for exercising the Data Subjects’ rights, or if the Supplier is otherwise required to perform any other tasks or activities relating to the Personal Data or the Processing that are not the Supplier’s duties regarding the run.events Software Service, the Customer shall pay to the Supplier an hourly price of EUR 175 for such tasks. These tasks or activities can be e.g. providing information to a Data Subject on the Personal Data possessed by the Supplier, or removing or transferring Personal Data, or responding or reporting to data protection authorities, or allowing audits or inspections.
3.4 The Supplier shall carry out the technical and organisational measures according to Article 32 of the GDPR for endeavouring to secure the Personal Data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data. In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
3.6 The Parties acknowledge that as a result of changes or developments in the Laws or in the requirements for sufficient safeguards for international data transfers, the processing of personal data by the Supplier may during the term of the Agreement become subject to additional requirements. Accordingly:
(a) the Supplier shall, without prejudice to Clause 3.5 below, use all reasonable endeavours to perform such acts and execute such further documents as may reasonably be required by the Supplier to allow the Supplier to continue to perform the run.events Software Service in compliance with its legal obligations under the Laws; and
(b) the Customer acknowledges that the Supplier may, acting reasonably, update the terms of the Agreement (including the terms of this Schedule) or any aspect of the run.events Software Service in order to ensure that the Supplier is able to comply with its legal obligations under the Laws (including also the requirements for sufficient safeguards for international data transfers).
3.7 Notwithstanding Clause 3.5 above, each Party shall use all reasonable endeavours to perform such acts and execute such documents as may reasonably be required for the purpose of giving full effect to this Schedule, including but not limited to the formal execution of Model Clauses as may be required to provide safeguards for the international transfer of Personal Data in accordance with the Laws.
3.8 After the termination or expiration of the Agreement, the Supplier shall at the choice of the Customer either destroy the Personal Data or return the Personal Data to the Customer, and delete existing copies unless EU or EU Member State law requires storage of the Personal Data by the Supplier. In accordance with the Separate Pricing, the Supplier is allowed to charge a price for its activities required to return the Personal Data.
3.9 The Supplier shall, to the extent required in the Laws:
(a) grant access to the Personal Data undergoing Processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The Supplier shall ensure that persons authorised to Process the Personal Data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(b) in accordance with the Separate Pricing and taking into account the nature of the Processing and the information available to the Supplier, assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
(c) in accordance with the Separate Pricing and taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR; and
(d) in accordance with the Separate Pricing, make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits required in the Laws, including inspections, conducted by the Customer or another auditor mandated by the Customer and required in the Laws. The Customer shall notify the Supplier of the audit in writing at least thirty (30) days in advance. The auditor may not be a competitor of the Supplier. The information regarding the Supplier’s operations learnt during the audits is the Supplier’s trade secret. The Customer is liable for the auditor’s compliance with the terms of the Agreement. The audit timetable, method and scope will be agreed beforehand between the Parties, and the audit may not unreasonably burden the Supplier or endanger the Supplier’s or its other clients’ deliveries, quality, security or confidentiality.
4. NOTIFICATION OF PERSONAL DATA BREACH
4.1 The Supplier shall notify the Customer without undue delay after becoming aware of a Personal Data Breach in the Supplier’s own or its sub-Processors’ environments.
4.2 The notification referred to in Clause 4.1 shall:
(a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
(c) describe the likely consequences of the Personal Data Breach;
(d) describe the measures taken or proposed to be taken by the Supplier to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
4.3 The Supplier shall, in accordance with the Separate Pricing, assist the Customer in ensuring compliance with the Customer’s obligations pursuant to Laws to notify the Personal Data Breach to the supervisory authority and/or to the Data Subjects, taking into account the nature of the Processing and the information available to the Supplier, such as by providing any other relevant information requested by the Customer which is or may be necessary for the Customer when preparing the notification or responding to additional requests of the competent supervisory authority related to the Personal Data Breach.
5. USE OF SUBCONTRACTORS
5.1 The Customer hereby gives the Supplier a general authorisation to engage Subcontractors as the Supplier’s sub-Processor(s) for the purpose of the Processing.
5.2 A list of the Supplier’s current sub-Processor(s) will be provided upon request from the Supplier. The Supplier will notify the Customer of intended changes concerning the engagement of new sub-Processor(s). The Customer has fourteen (14) days after receiving such notification to object to the engagement of new sub-Processor(s) in writing, including valid reasonable reasoning for the objection. If the Customer objects to the engagement of a new sub-Processor as permitted herein and if the Supplier does not change the run.events Software Service to avoid the Processing of the Personal Data by that new sub-Processor within sixty (60) days after receiving such objection and reasoning, either Party may terminate the Agreement with respect to the run.events Software Service to the extent provided by the Supplier by using that sub-Processor, by giving the other Party a thirty (30) days’ written notice. Such termination is the Customer’s sole and exclusive remedy. The Customer also understands and agrees that if the Supplier for some reason (e.g. due to the sub-Processor’s financial situation) does not have the resources of an earlier sub-Processor any longer and if the Customer has objected to the engagement of a replacement sub-Processor, there can be loss of the functionality of the run.events Software Service, unavailability of the run.events Software Service and/or other problems in the provision of the run.events Software Service, until acceptable replacement resources are found or the Agreement wholly or partly terminated, as permitted herein. These problems are not deemed as the Supplier’s breaches.
5.3 If the Supplier engages a sub-Processor for carrying out the Processing activities, the Supplier shall agree with the sub-Processor on data protection obligations substantially similar to those in this Schedule by way of a written contract or other legal act, to the extent applicable to the nature of the services provided by such sub-Processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that sub-Processor fails to fulfil its data protection obligations, the Supplier shall remain fully liable to the Customer for the performance of that sub-Processor’s obligations as for the Supplier’s own obligations under this Schedule.
5.4 For the avoidance of doubt, Third Party Suppliers are not Subcontractors or sub-Processors of the Supplier.
6. CUSTOMER’S DUTIES
6.1 The Customer acts as a Personal Data controller, as defined in the Laws, in relation to all Personal Data. The Customer is (among other things) liable for the correctness of the Personal Data and the lawfulness of the Processing of the Personal Data. Without limiting the generality of the foregoing, the Customer is liable for all duties and liabilities of a Personal Data controller.
6.2 The Customer warrants to the Supplier that: (a) the Personal Data has been obtained lawfully; (b) the run.events Software Service and the Professional Services to be provided by the Supplier and its Subcontractors will be consistent with and appropriate to the specified and lawful purposes for which the Customer is engaged in relation to the Personal Data; (c) the Customer has not and will not disclose the Personal Data or any part thereof to the Supplier or its Subcontractors in a manner incompatible with applicable Laws; and (d) the Supplier and its Subcontractors are authorised to Process the Personal Data under the Laws. The Customer warrants that the Personal Data or its storage or other Processing by the Supplier and its Subcontractors for the provision of the run.events Software Service does not infringe the rights of third parties.