European Specific Provisions. 11.1 IIJ will process Personal Data in accordance with the GDPR requirements directly applicable to IIJ's provision of its Services. 11.2 Upon Customer’s request, IIJ shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to IIJ. IIJ shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to Section 11.2 of this DPA, to the extent required under the GDPR. 11.3 This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to IIJ for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. 11.4 IIJ applies the following data transfer mechanisms for transfer of Personal Data from the European Union, the European Economic Area and/or their member states and Switzerland (“EEA countries”) to non-EEA countries: a. the adequacy decisions granted by the European Commission in pursuant to Article 45 of the GDPR for transfers of Personal Data from the EEA countries to non-EEA countries which are granted with such adequacy decision; b. the IIJ Processor BCR to transfers of Personal Data (i) among IIJ Group members who act as Processor or Sub- processor, or (ii) from a Customer established in the European Economic Area member states or Switzerland whose processing activities for the relevant data are governed by the GDPR and/or implementing national legislation to an IIJ Group member who acts as a Processor, or (iii) from non-European Economic Area member states for which Customer has contractually specified that the GDPR and implementing national legislation shall apply, to an IIJ Group member who acts as a Processor, or (iv) from an IIJ Group member who acts as a Processor to a non-IIJ Group Sub- processor located outside the European Economic Area; and c. the SCC 2021 (set forth in Schedule 3 to this DPA) to transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws and Regulations; and In the event that no adequacy decision as stated in Section 11.4(a) of this DPA is applicable and a transfer of Personal Data is covered by more than one transfer mechanism, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: (1) the IIJ Processor BCR, and (2) the SCC 2021. 11.5 IIJ applies the following data transfer mechanisms for transfer of Personal Data from the United Kingdom to other countries: a. the adequacy regulations granted by the United Kingdom’s Secretary of State under section 17A of the Data Protection ▇▇▇ ▇▇▇▇ of the United Kingdom for transfers of Personal Data from the United Kingdom to countries which are granted with such adequacy decision; b. the SCC 2010 (set forth in Schedule 4 to this DPA) to transfers of Personal Data under this DPA from the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the United Kingdom, to the extent such transfers are subject to such Data Protection Laws and Regulations. IIJ reserves the right to update or replace the SCC 2010 in Schedule 4 with an equivalent international data transfer mechanism at any time in the effort to comply with the Data Protection Laws and Regulations of the United Kingdom. The Customer will be informed in advance by IIJ and be deemed to agree, if the Customer does not object to such update or replacement of Schedule 4 within ten (10) business days upon being informed. 11.6 Regardless of the origin of Personal Data, IIJ applies the IIJ Processor BCR to transfers of Personal Data from an IIJ Group member who acts as a Controller to an IIJ Group member who acts as a Processor. 11.7 The SCC 2010 and SCC 2021 apply to (i) the legal entity that has executed the SCC 2010 or SCC 2021 as a data exporter and its Authorized Affiliates and, (ii) all Affiliates of Customer established within the European Economic Area and Switzerland (for the SCC 2021) or the United Kingdom (for the SCC 2010), which have signed Order Forms for the Services. For the purpose of the SCC 2010 and SCC 2021, the aforementioned entities shall be deemed “data exporters”. 11.8 This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to IIJ for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately.
Appears in 2 contracts
European Specific Provisions. 11.1 IIJ will process Personal Data in accordance with pursuant to the GDPR requirements applicable directly applicable to IIJ's provision of its Services.
11.2 Upon IIJ shall, upon Customer’s request, IIJ shall provide Customer with reasonable cooperation and assistance needed necessary to fulfil Customer’s obligation under the GDPR to carry out conduct a data protection impact assessment related in relation to Customer’s use of the Services, to the extent Customer does not is otherwise have without access to the relevant information, and to the extent such information is available to IIJ. IIJ shall provide Customer with reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance execution of its tasks relating in relation to Section 11.2 of this DPA, to the extent required under the GDPR. In addition, upon Customer’s written request, IIJ shall provide Customer with the information available to the IIJ in order to verify IIJ’s compliance with IIJ’s obligations under this DPA.
11.3 This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to IIJ for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately.
11.4 IIJ applies shall make available the following data transfer mechanisms for transfer which shall apply, in the order of Personal Data from the European Union, the European Economic Area and/or their member states and Switzerland precedence : (“EEA countries”1) to non-EEA countries:
a. the adequacy decisions granted under Article 45 GDPR on 23rd January, 2019 on Japan by the European Commission in pursuant to Article 45 of (excluding the GDPR for transfers of Personal Data from the EEA countries to non-EEA countries which are granted with such adequacy decision;
b. decision on other countries), (2) the IIJ Processor BCR to transfers (as soon as it is approved by the respective data protection authority and in so far as it is within the scope of Personal Data (i) among application set out in Section 1.2(k), provided that the IIJ Group members who act as Processor or Sub- processor, or (ii) from a Customer established BCR shall prevail in the European Economic Area member states event of any conflicts or Switzerland whose processing activities for inconsistencies between this DPA and the relevant data are governed by IIJ BCR) and (3) the GDPR and/or implementing national legislation Standard Contractual Clauses (subject to an IIJ Group member who acts as a Processor, or (iii) from nonSection 11.4-European Economic Area member states for which Customer has contractually specified that the GDPR and implementing national legislation shall apply11.11), to an IIJ Group member who acts as a Processor, or (iv) from an IIJ Group member who acts as a Processor to a non-IIJ Group Sub- processor located outside the European Economic Area; and
c. the SCC 2021 (set forth in Schedule 3 to this DPA) to any transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territoriesstates, to the extent such transfers are subject to such Data Protection Laws and Regulations; and In the event that no adequacy decision as stated in Section 11.4(a) of this DPA is applicable and a transfer of Personal Data is covered by more than one transfer mechanism, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: (1) the IIJ Processor BCRSwitzerland, and (2) the SCC 2021.
11.5 IIJ applies the following data transfer mechanisms for transfer of Personal Data from the United Kingdom to other countries:
a. the adequacy regulations granted by the United Kingdom’s Secretary of State under section 17A such third countries outside of the Data Protection ▇▇▇ ▇▇▇▇ of the United Kingdom for transfers of Personal Data from the United Kingdom to countries which are granted with such adequacy decision;
b. the SCC 2010 (set forth in Schedule 4 to this DPA) to transfers of Personal Data under this DPA from the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the United Kingdomaforementioned regions, to the extent such transfers are subject to such Data Protection Laws and Regulations. For the avoidance of doubt, before the IIJ reserves BCR takes effect, data transfers to countries not providing for an adequate data protection regime that has been recognized by the right to update or replace the SCC 2010 EU Commission in Schedule 4 with an equivalent international data transfer mechanism at any time in the effort to comply with the Data Protection Laws and Regulations of the United Kingdom. The Customer will a formal decision shall be informed in advance by IIJ and be deemed to agree, if the Customer does not object to such update or replacement of Schedule 4 within ten (10) business days upon being informedbased on Standard Contractual Clauses only.
11.6 Regardless of 11.4 The Standard Contractual Clauses and the origin of Personal Data, IIJ applies the IIJ Processor BCR to transfers of Personal Data from an IIJ Group member who acts as a Controller to an IIJ Group member who acts as a Processor.
11.7 The SCC 2010 and SCC 2021 apply additional terms provided in this Section 11.4-11.11apply to (i) the legal entity that which has executed the SCC 2010 or SCC 2021 Standard Contractual Clauses as a data exporter and its Authorized Affiliates and, (ii) all Affiliates of Customer established within the European Economic Area Area, Switzerland and Switzerland (for the SCC 2021) or the United Kingdom (for the SCC 2010)U.K., which have signed Order Forms application forms for the SCC Services. For the purpose of the SCC 2010 Standard Contractual Clauses and SCC 2021this Section 11.4-11.11, the aforementioned entities mentioned above shall be deemed “data exporters”.
11.8 11.5 This DPA and the Main Agreement are Customer’s complete and final instructions documented instructions at the time of signature signing of the Main Agreement to IIJ for the Processing of Personal Data. Any additional or alternate instructions must be separately agreed upon separately.upon. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed to be an
Appears in 1 contract
Sources: Data Processing Addendum