connection with the Partner
Agreement.
Collectively, this Partner DPA (including the SCCs, as defined below) and the Partner
Agreement are referred to in this Partner DPA as the “Agreement.” In the event of
any conflict or inconsistency between any of the terms of the Agreement, the
provisions of the following documents (in order of precedence) shall prevail: (a) the
SCCs (b) this Partner DPA; and (c) the Partner Agreement.
The Purpose of this Partner DPA is to establish a framework to address scenarios
where:
Round-the-Clock and Partner may, in connection with the Partner Agreement,
each be Controllers (as defined below) of Personal Data and, transfer that
Personal Data to the other party for that other party to act as a Controller of
that Personal Data;
Round-the-Clock and Partner may each be Controllers of Personal Data and,
transfers that Personal Data to the other party for that other party to provide
certain services to the other party (e.g., performing services as Solutions
Partner or completing an API call) as a Processor of that Personal Data; or
Round-the-Clock and Partner may each be Processors of a Joint Customer’s
Personal Data and transfer such data to the other party for processing at the
direction of that Joint Customer.
- DEFINITIONS
“Business” and “Service Provider” will have the meanings given to them in the
CCPA.
“California Personal Information” means Personal Data that is subject to the
protection of the CCPA.
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the
California Consumer Privacy Act of 2018), as amended by the California Privacy
rights Act of 2020 or “CPRA”.
“Controller” means the natural or legal person, public authority, agency or other body
which, alone or jointly with others, determines the purposes and means of the
Processing of Personal Data.
“Data Privacy Framework” means the EU-U.S. Data Privacy Framework, the
Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data
Privacy Framework self-certification programs (as applicable) operated by the U.S.
Department of Commerce; as may be amended, superseded or replaced.
“Data Privacy Framework Principles” means the Principles and Supplemental
Principles contained in the relevant Data Privacy Framework; as may be amended,
superseded or replaced.
“Data Protection Laws” means all applicable worldwide legislation or regulations
relating to data protection and privacy which applies to the respective party in the
role of Processing Personal Data in question under the Agreement, including without
limitation European Data Protection Laws, the CCPA and the data protection and
privacy laws of Australia and Singapore; in each case as amended, repealed,
consolidated or replaced from time to time. “Europe” means the European Union, the
European Economic Area and/or their member states, Switzerland and the United
Kingdom.
“European Data Protection Laws” means data protection laws applicable in Europe,
including: (i) Regulation 2016/679 of the European Parliament and of the Council on
the protection of natural persons with regard to the processing of personal data and
on the free movement of such data (General Data Protection Regulation) (“GDPR”);
(ii) Directive 2002/58/EC concerning the processing of personal data and the
protection of privacy in the electronic communications sector; and (iii) applicable
national implementations of (i) and (ii); or (iii) GDPR as it forms parts of the United
Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act
2018 (“UK GDPR”); and (iv) Swiss Federal Data Protection Act of 2020 and its
Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or
replaced.
“European Personal Data” means Personal Data that is subject to the protection of
European Data Protection Laws.
“Joint Customer” means a customer of both Partner and Round-the-Clock.
“Joint Customer Personal Data” means any Personal Data for which a Joint
Customer acts as a Controller.
“Round-the-Clock Personal Data” means any Personal Data for which
Round-the-Clock acts as a Controller.
“Partner Personal Data” means any Personal Data for which Partner acts as a
Controller.
“Personal Data” means any information relating to an identified or identifiable
individual where such information is contained within Round-the-Clock Personal
Data, Partner Personal Data or Joint Customer Personal Data and is protected
similarly as personal data or personally identifiable information under applicable Data
Protection Laws.
“Personal Data Breach” means any accidental or unlawful destruction, loss,
alteration, unauthorized disclosure of, or access to Personal Data.
“Processing” means any operation or set of operations which is performed on
Personal Data, encompassing the collection, recording, organization, structuring,
storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or
combination, restriction or erasure of Personal Data. The terms “Process”,
“Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body
which processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses
annexed to the European Commission’s Implementing Decision 2021/914 of 4 June
2021.
“Subprocessor” means any entity which provides processing services to a Processor.
“Supervisory Authority” means an independent public authority which is established
by a member state of the European Economic Area, Switzerland or the United
Kingdom.
“UK Addendum” means the International Data Transfer Addendum (Version B.1.0)
issued by the UK ICO under s119A of the Data Protection Act 2018, as it may be
amended, superseded or replaced. - COMPLIANCE WITH LAWS
The parties shall each represent and warrant that they will comply with their
respective obligations and duties under applicable Data Protection Laws. - JOINT PROCESSOR SCENARIOS
Each party, to the extent that it, along with the other party, acts as a Processor with
respect to Joint Customer Personal Data, will (i) comply with the instructions and
restrictions set forth in any agreement(s) with the Joint Customer; and (ii) reasonably
cooperate with the other party to enable the exercise of data protection rights as set
forth in applicable Data Protection Laws. The parties both acknowledge and agree
that each party is acting as a Processor for the Joint Customer and neither party is
engaging the other as a Subprocessor. - CONTROLLER-TO-CONTROLLER SCENARIOS
Each party, to the extent that it, along with the other party, acts as a Controller with
respect to Personal Data, will reasonably cooperate with the other party to enable
the exercise of data protection rights as set forth in applicable Data Protection Laws.
The parties acknowledge and agree that each is acting independently as a Controller
with respect of Personal Data and the parties are not joint controllers as defined
under European Data Protection Laws. - CONTROLLER-TO-PROCESSOR SCENARIOS
A. Relationship of the parties.The rights, responsibilities, and obligations of the
parties with regard to Sections 6 – 9 of this DPA shall be as follows:
For Processing operations where Round-the-Clock processes Personal Data on
Partner’s behalf and at Partner’s direction, the term “Processor” refers to
Round-the-Clock, the term “Controller” refers to Partner, and the term “Personal
Data” refers to Partner Personal Data. For data processing operations where Partner
processes Personal Data on Round-the-Clock’s behalf and at Round-the-Clock’s
direction, the term “Processor” refers to Partner, the term “Controller” refers to
Round-the-Clock, and the term “Personal Data” refers to Round-the-Clock Personal
Data.
B. Scope of Processing.
In the context of the scenarios described in Section 5.a above, each party agrees to
process Personal Data only for the purposes set forth in the applicable Partner
Agreement and/or the agreement(s) with the Joint Customer. For the avoidance of
doubt, the categories of Personal Data processed and the categories of data
subjects subject to this DPA are described in Schedule A to this DPA. - CONTROLLER OBLIGATIONS
The parties in their capacity as a Controller agree to:
A. Provide instructions to the Processor and determine the purposes and means of
the Processor’s processing of Personal Data in accordance with the Agreement; and
B. Comply with its protection, security and other obligations with respect to Personal
Data prescribed by applicable Data Protection Laws for a Controller by: (i)
establishing and maintaining a procedure for the exercise of the rights of the
individuals whose Personal Data are processed on behalf of the Controller; (ii)
processing only data that has been lawfully and validly collected and ensuring that
such data will be relevant and proportionate to the respective uses; and (iii) ensuring
compliance with the provisions of this DPA by its personnel or by any third party
accessing or using Personal Data on its behalf. - PROCESSOR OBLIGATIONS
A. Processing Requirements. The parties in their capacity as a Processor agree to:
a. Process Personal Data (i) only for the purpose of providing, supporting and
improving the Processor’s product and services (including to provide insights and
other reporting), using appropriate technical and organizational security measures;
and (ii) in compliance with the instructions received from the Controller. The
Processor will not use or process Personal Data for any other purpose. The
Processor will promptly inform the Controller in writing if it cannot comply with the
requirements under Sections 6 – 9 of this DPA, in which case the Controller may
terminate the Agreement, and any applicable Partner Agreement, or take any other
reasonable action, including suspending data processing operations;
b. Inform the Controller promptly and without undue delay if, in the Processor’s
opinion, an instruction from the Controller violates applicable Data Protection Laws;
c. If the Processor is collecting Personal Data from individuals on behalf of the
Controller, follow the Controller’s instructions regarding such Personal Data
collection;
d. Take commercially reasonable steps to ensure that (i) persons employed by it and
(ii) other persons engaged to perform on the Processor’s behalf comply with the
terms of the Agreement, and applicable Partner Agreements;
e. Represent and warrant that its employees, authorized agents and any
Subprocessors are subject to a strict duty of confidentiality (whether a contractual
duty or a statutory duty), and shall not permit any person to process the personal
data who is not under such a duty of confidentiality;
f. If it intends to engage Subprocessors to help it satisfy its obligations in accordance
with this DPA or to delegate all or part of the processing activities to such
Subprocessors, (i) provide a list of Subprocessors currently engaged by the
Processor to the Controller (such list for Round-the-Clock is available online at
https://legal.Round-the-Clock.ae/sub-processors-page), and notify the Controller of
the engagement of any new Subprocessors at least 30 days in advance, giving the
Controller the opportunity to object; (ii) remain liable to the Controller for the
Subprocessors’ acts and omissions with regard to data protection where such
Subprocessors act on the Processor’s instructions; and (iii) enter into contractual
arrangements with such Subprocessors binding them to provide the same level of
data protection and information security to that provided for herein;
g. Upon request, provide the Controller with the Processor’s privacy and security
policies; and
h. Inform the Controller if the Processor undertakes an independent security review.
B. Notice to the Controller. The Processor will immediately and without undue delay
inform the Controller if the Processor becomes aware of:
a. Any non-compliance by Processor or its employees with Sections 6 – 9 of this
DPA or applicable Data Protection Laws relating to the protection of Personal Data
processed under this DPA;
b. Any legally binding request for disclosure of Personal Data by a law enforcement
or government authority, unless the Processor is otherwise forbidden by law to
inform the Controller, for example to preserve the confidentiality of an investigation
by law enforcement authorities;
c. Any notice, inquiry or investigation by a Supervisory Authority with respect to
Personal Data; or
d. Any complaint or request (in particular, requests for access to, rectification or
blocking of Personal Data) received directly from data subjects of the Controller. The
Processor will not respond to any such request without the Controller’s prior written
authorization.
C. Assistance to the Controller.The Processor will provide timely and reasonable
assistance to the Controller regarding:
a. Responding to any request from an individual to exercise rights under applicable
Data Protection Laws (including its rights of access, correction, objection, erasure
and data portability, as applicable) and the Processor agrees to promptly inform the
Controller if such a request is received directly;
b. The investigation of Personal Data Breaches and the notification to the
Supervisory Authority and the Controller data subjects regarding such Personal Data
Breaches; and
c. where appropriate, the preparation of data protection impact assessments and,
where necessary, carrying out consultations with any Supervisory Authority.
D. Required Processing.
If the Processor is required by Data Protection Laws to process any Personal Data
for a reason other than in connection with the Agreement, the Processor will inform
the Controller of this requirement in advance of any processing, unless the
Processor is legally prohibited from informing the Controller of such processing (e.g.,
as a result of secrecy requirements that may exist under applicable EU member
state laws).
E. Security. The Processor will:
a. Maintain appropriate organizational and technical security measures (including
with respect to personnel, facilities, hardware and software, storage and networks,
access controls, monitoring and logging, vulnerability and breach detection, incident
response, encryption of Personal Data while in transit and at rest) to protect against
unauthorized or accidental access, loss, alteration, disclosure or destruction of
Personal Data;
b. Be responsible for the sufficiency of the security, privacy, and confidentiality
safeguards of all of the Processor’s personnel with respect to Personal Data and
liable for any failure by such Processor personnel to meet the terms of this DPA;
c. Take appropriate steps to confirm that all of the Processor’s personnel are
protecting the security, privacy and confidentiality of Personal Data consistent with
the requirements of this DPA; and
d. Notify the Controller of any Personal Data Breach by the Processor, its
Subprocessors, or any other third parties acting on the Processor’s behalf without
undue delay and in any event within 48 hours of becoming aware of a Personal Data
Breach.
F. Additional Provisions for California Personal Information.
When the Processor Processes California Personal Information in accordance with
the instructions received from the Controller, the parties acknowledge and agree that
the Controller is a Business and the Processor is a Service Provider for the purposes
of the CCPA. The parties agree that the Processor will Process California Personal
Information as a Service Provider strictly for the purpose of providing, supporting and
improving the Processor’s services (including to provide insights and other reporting)
(the “Business Purpose”) or as otherwise permitted by the CCPA. Further, the
Processor (i) will not Sell or Share California Personal Information; (ii) will not
Process California Personal Information outside the direct business relationship
between the parties, unless required by applicable law; and (iii) will not combine the
California Personal Information with personal information that collected or received
from another source (other than information received from another source in
connection with Processor’s obligations under the applicable Partner Agreement
and/or the agreement(s) with the Joint Customer). - AUDIT, CERTIFICATION
A. Supervisory Authority Audit.
If a Supervisory Authority requires an audit of the data processing facilities from
which the Processor processes Personal Data in order to ascertain or monitor
compliance with Data Protection Laws, the Processor will cooperate with such audit.
The Controller will reimburse the Processor for its reasonable expenses incurred to
cooperate with the audit, unless such audit reveals the Processor’s noncompliance
with this DPA.
B. Processor Certification.
The Processor must, upon the Controller’s request provide a certification of
compliance to the Controller (not to exceed one request per calendar year) by email
(where Round-the-Clock is the Processor, such emails shall be sent to
privacy@Round-the-Clock.ae; where Partner is the Processor, Partner shall
establish and provide to Round-the-Clock upon request a single point of contact for
email correspondence regarding data protection), certify compliance with this DPA in
writing. - DATA RETURN AND DELETION
The parties agree that on the termination of the data processing services or upon the
Controller’s reasonable request, the Processor shall and shall take reasonable
measures to cause any Subprocessors to, at the choice of the Controller, return all
the Personal Data and copies of such data to the Controller or securely destroy them
and demonstrate to the satisfaction of the Controller that it has taken such
measures, unless applicable Data Protection Laws prevent the Processor from
returning or destroying all or part of the Personal Data disclosed. In such case, the
Processor agrees to preserve the confidentiality of the Personal Data retained by it
and that it will only actively process such Personal Data after such date in order to
comply with applicable laws. - DATA TRANSFERS
Wherever Personal Data is transferred outside its country of origin, each party will
ensure such transfers are made in compliance with the requirements of Data
Protection Laws.
a. European Partner Data. For transfers of European Personal Data from Partner to
Round-the-Clock for processing by Round-the-Clock in a jurisdiction outside Europe
that does not provide an adequate level of protection for Personal Data (within the
meaning of applicable European Data Protection Laws), the parties agree that:
(i) Data Privacy Framework: Round-the-Clock will use the Data Privacy Framework
to lawfully receive Partner European Data in the United States and ensure that it
provides at least the same level of protection to such Partner European Data as is
required by the Data Privacy Framework Principles and will inform Partner if it is
unable to comply with this requirement.
(ii) Standard Contractual Clauses: If European Data Protection Laws require that
appropriate safeguards are put in place (for example, if the Data Privacy Framework
does not cover the transfer to Round-the-Clock and/or the Data Privacy Framework
is invalidated), the parties agree to abide by and process European Partner Data in
compliance with the SCCs as incorporated below.
b. European Round-the-Clock Data. For transfers of Round-the-Clock Personal Data
that is subject to European Data Protection Laws (“European Round-the-Clock
Data”) European Personal Data from Round-the-Clock to Partner for processing by
Partner in a jurisdiction outside Europe that does not provide an adequate level of
protection for Personal Data (within the meaning of applicable European Data
Protection Laws), the parties agree that Partner shall provide the same level of
protection that is required by the Data Privacy Framework Principles by complying
with the following:
(i) If Partner is self-certified to the Data Privacy Framework, Partner shall use the
Data Privacy Framework to lawfully receive European Round-the-Clock Data in the
United States and Partner shall ensure that it provides at least the same level of
protection to such European Round-the-Clock Data as is required by the Data
Privacy Framework Principles and notify Round-the-Clock if it is unable to comply
with these requirements.
(ii) Standard Contractual Clauses: If European Data Protection Laws require that
appropriate safeguards are put in place (for example, if the Data Privacy Framework
does not cover the transfer to Partner and/or the Data Privacy Framework is
invalidated), the parties agree to abide by and process European Round-the-Clock
Data in compliance with the SCCs as incorporated below.
c. Standard Contractual Clauses. The Parties acknowledge and agree that for the
purposes of the SCCs: (i) with respect to Partner European Data, the “data exporter”
shall be Partner and the “data importer” shall be Round-the-Clock (acting on behalf
of itself and its Affiliates); (ii) with respect to Round-the-Clock European Data the
“data exporter” shall be Round-the-Clock (acting on behalf of itself and its Affiliates)
and the “data importer” shall be Partner; (iii) the Module One terms shall apply where
both parties are Controllers and the Module Two terms shall apply where the party
receiving Personal Data under the SCCs is acting as a Processor on behalf of the
other party as a Controller; (iv) in Clause 7, the optional docking clause shall apply;
(v) in Clause 9, Option 2 of Module Two shall apply and the Processor shall obtain
authorization for Subprocessors in accordance with Section 7(a) of this DPA; (vi) in
Clause 11, the optional language shall be deleted; (vii) in Clause 17 and Clause
18(b), the SCCs shall be governed by the laws of and disputes shall be resolved
before the courts of the Republic of Ireland or the EEA member state in which the
Round-the-Clock legal entity that has entered into the Agreement is established or, if
such Round-the-Clock is not established in the EEA, the Republic of Ireland; (viii) in
Annex I of the SCCs, the details of the parties is set out in the Agreement; and (ix)
the remaining information in Annex I and Annex II of the SCCs shall be deemed
completed with the information set out in Schedule A of this DPA.
d. UK Transfers. In relation to Personal Data that is subject to the UK GDPR, the
SCCs shall apply in accordance with Section 10(c) above and the following
additional modifications: (i) the SCCs shall be amended as specified by the UK
Addendum, which shall be incorporated by reference; (ii) Tables 1 to 3 in Part 1 of
the UK Addendum shall be populated with relevant information set out in Schedule A
of this DPA; (iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed
by selecting “neither”; and (iv) any conflict between the SCCs and the UK Addendum
shall be resolved in accordance with Section 10 and Section 11 of the UK
Addendum.
e. Swiss Transfers. In relation to Personal Data that is subject to the Swiss DPA, the
SCCs shall apply in accordance with Section 10(c) above and the following
additional modifications: (i) references to “Regulation (EU) 2016/679” and specific
articles therein shall be interpreted as references to the Swiss DPA and the
equivalent articles or sections therein; (ii) references to “EU”, “Union” and “Member
State” shall be replaced with references to “Switzerland”; (iii) references to the
“competent supervisory authority” and “competent courts” shall be replaced with
references to the “Swiss Federal Data Protection Information Commissioner” and
“applicable courts of Switzerland”; and (iv) in Clause 17 and Clause 18(b), the SCCs
shall be governed by the laws of and disputes shall be resolved before the courts of
Switzerland.
f. The parties shall promptly notify each other of any inability to comply with the
provisions of this Section 10. - TERM
This DPA shall remain in effect as long as either party carries out Personal Data
processing operations on the Personal Data uploaded or otherwise provided by the
other party pursuant to and in accordance with the Partner Agreement. - INDEMNITY
Each Party shall defend, indemnify, and hold harmless the other and its subsidiaries,
affiliates, and its respective officers, directors, employees, and agents from and
against all losses, damages, liabilities, deficiencies, actions, judgments, interest,
awards, penalties, fines, costs, or expenses of whatever kind, including reasonable
attorneys’ fees, the cost of enforcing any right to indemnification hereunder, and the
cost of pursuing any insurance providers, arising out of or resulting from any
third-party claim against the other arising out of or resulting from the breaching
party’s failure to comply with any of its obligations under this DPA or the applicable
laws, regulations, or principles contained in European Data Protection Laws. Each
Party’s liability shall be subject to the limitation of liability in the applicable Partner
Agreement.
SCHEDULE A
ANNEX A – DESCRIPTION OF THE TRANSFER - Categories of data subjects. The personal data transferred concerns the
following categories of data subjects, depending on the agreement between the data
importer and data exporter:
Round-the-Clock members; potential and actual customers and employees of the
data exporter; sales and marketing leads of the data exporter; and third parties that
have, or may have, a commercial relationship with the data exporter (e.g.
advertisers, customers, corporate subscribers, contractors and product users). - Categories of personal data. The personal data transferred concern the
following categories of data:
The data transferred is the personal data provided by the data exporter to the data
importer in connection with the Partner Agreement. Such personal data may include
first name, last name, email address, contact information, education and work history
and other information provided in Round-the-Clock member profiles, resumes, CRM
data concerning sales leads and customer lists, any notes provided by the data
exporter regarding the foregoing and other activities of Round-the-Clock members
taken on the Round-the-Clock platform.
Sensitive data (if appropriate). The personal data transferred may concern the
following special categories of data:
None.
Frequency of transfer.
The personal data is transferred continuously.
Nature and purpose of the processing. The transfer is made for the following
purposes:
The transfer is intended to enable the relationship of the parties contemplated
by the Partner Agreement. The “Partner Agreement” is the agreement(s)
entered into by the data importer and the data exporter that govern data
sharing between those parties (but excluding customer agreements between
Partner and Round-the-Clock that govern Partner’s purchase of
Round-the-Clock products and services).
Period for which personal data will be retained:
The personal data transferred between the parties may only be retained for
the period of time permitted under the Partner Agreement. The parties agree
that each party will, to the extent that it, along with the other party, acts as a
Controller with respect to Personal Data, reasonably cooperate with the other
party to enable the exercise of data protection rights as set forth in Data
Protection Laws.
Subject matter, nature and duration of the processing.
The subject matter, nature and duration of the processing is as described in
the Agreement, including this DPA.
Competent supervisory authority. For the purposes of the Standard
Contractual Clauses, the competent supervisory authority is the authority of
the EEA member state in which Partner or Partner’s EEA representative is
established (with respect to Partner Personal Data) or the [Irish Data
Protection Commissioner] (with respect to Round-the-Clock Personal Data).
For the purposes of UK and Swiss transfers, the competent supervisory
authority is the United Kingdom Information Commissioner or Swiss Federal
Data Protection Information Commissioner (as applicable).
ANNEX B – SECURITY MEASURES
We use a variety of security technologies and procedures to help protect your
Personal Data. All Personal Data is protected using appropriate physical, technical
and organizational measures. For more on Security at Round-the-Clock, please
contact affiliate@round-the-clock.ae
Round-the-Clock FZCO 