Common use of Use of Processors Clause in Contracts

Use of Processors. Where one or more Contracting Parties wish to use, for one of the processing activities in Annex A, a third party as a processor (within the meaning of article 4 GDPR) to carry out a processing of personal data on their behalf, they shall consult with the other Contracting Parties being controllers of said processing activity and enter into a processor agreement with the third party in accordance with article 28(3) GDPR and other applicable Data Protection Laws and, if such third party is in a country without an adequate level of data protection, they shall also enter into an agreement reflecting the "Standard Contractual Clauses (processors)" pursuant to the Decision 2010|87|EU (C(2010)593) of the European Commission without the Illustrative Indemnification Clause, or any clauses superseding them under the GDPR, as the case may be (the EU Model Clauses). Individual interpreters and court reporters (but not legal entities) and the Arbitral Tribunal's secretary, if any, are not be considered processors but instead acting instead under the control of the relevant processor (article 29 GDPR). Hence, the provisions of Section 3.6 shall apply to them. The Contracting Parties agree that Matter Data and other personal data related to the processing activities for which they are a controller may be stored with a Cloud or hosting service provider by a Contracting Party with no further consultation of the other Contracting Parties, provided that this occurs otherwise in compliance the above provisions of this Section 4. Data Protection Governance Data Subject and Supervisory Requests Each Contracting Party who, as a controller of a processing activity defined in Annex A, receives a data subject request (including requests for access, correction, deletion or objection) or a request from data protection supervisory shall (a) without delay inform all other Contracting Parties who are also controllers of the processing activity at issue pursuant to Annex A, and (b) in good faith agree with them on how to respond to it, it being agreed that this shall not prevent a Contracting Party from complying the GDPR and other the Data Protection Laws applicable to it. Each Contracting Party who is a controller of the processing activity at issue shall provide the other Contracting Parties who are also controllers of such processing activity any reasonably requested support allowing them to properly respond to such request pursuant to the GDPR and other Data Protection Laws applicable to such processing activity. The Arbitral Tribunal may request that requests it has received are properly responded by the Arbitration Parties insofar they are also controllers of the processing activities at issue, even if they are not subject to the GDPR or other Data Protection Laws applicable to such processing activity. Each Contracting Party may share the essence of this Agreement with any data subject or supervisory authority requesting it. The Contracting Parties shall beforehand agree on what the essence is, with the Arbitral Tribunal having the final decision power. Data Breaches If a Contracting Party becomes aware of a personal data breach within the meaning of article 33 GDPR that relates to a processing activity defined in Annex A, it shall (a) without delay inform all other Contracting Parties of such breach and (b) in good faith agree with them on how to respond to it, including making notifications to supervisory authorities and data subjects as required under the GDPR and other Data Protection Laws applicable to such processing activity, it being agreed that this shall not prevent a Contracting Party from complying the GDPR and other the Data Protection Laws applicable to it. Each Contracting Party who is a controller of the processing activity at issue shall provide the other Contracting Parties who are also controllers of such processing activity any reasonably requested support allowing them to properly respond to such data breach pursuant to the GDPR and other Data Protection Laws applicable to such processing activity. The primary responsibility to do a data breach notification is with (a) the Contracting Party responsible for the data breach or where the breach occurred (if this can be determined and there is one), and (b) the Contracting Party being an Arbitration Party (in this order of priority).

Use of Processors. Where one or more Contracting Parties wish For each Processor retained by a Party that may have access to usethe Shared Data, for one the relevant Party shall: • conduct a prior assessment of the processing activities Processor to ensure that it is able to comply with the relevant obligations imposed on the relevant Party under this Data Processing Agreement, to be subcontracted to the Processor; • ensure that an appropriate written contract is signed between the relevant Party and each Processor, in Annex Aaccordance with Article 28 of the GDPR, the terms and conditions of which may not be less stringent than those set out in this Data Processing Agreement (in particular with regard to the requirements established between the Parties concerning Processing that complies with the requirements of the Data Protection Regulations in force); • remain fully liable to the other Party for all acts and/or omissions of the Processor that could cause the relevant Party to breach this Data Processing Agreement and/or the Main Agreement. Skeepers’ Processors are listed online at ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇/en/en-sub-processors/. Neither Party may store any Shared Data with Processors located outside the European Union or the European Economic Area (EEA), in a third party country that is not recognised by the European authorities as ‘adequate’, meaning providing a processor (within level of data protection equivalent to the meaning of article 4 GDPR) to carry out a processing of personal data on their behalf, they shall consult unless otherwise expressly agreed with the other Contracting Party. The Parties being controllers of said processing activity and enter into may not transfer any Shared Data to Processors located outside the European Union or the European Economic Area (EEA), in a processor agreement country that is not recognised as ‘adequate’, unless otherwise expressly agreed with the third party other Party for certain current or future Processors performing specific services, as set out on ▇▇▇▇▇://▇▇▇▇▇▇▇▇.▇▇/en/en-sub-processors/. Each Party shall make every effort to use Processors located in the European Union, the European Economic Area (EEA) or a country recognised as ‘adequate’ whenever possible, providing the best data protection and security guarantees in accordance with article 28(3) GDPR and other applicable the Data Protection Laws andRegulations in force. If a Party is required to transfer Shared Data outside the European Union or the European Economic Area (EEA), if to a country that is not recognised as ‘adequate’, under the Union or Member State law to which it is subject, it shall inform the other Party in advance and in writing at [XXXX@XXX] at least fifteen (15) days in advance, unless the relevant law prohibits such third party information on important grounds of public interest. In the event that Shared Data needs to be transferred outside the European Union or the European Economic Area (EEA), to a country that is not recognised as ‘adequate’, the transfer must be framed by the conclusion of standard contractual clauses, as adopted by the European Commission and in their latest version in force. In such a case, each Party undertakes to take the additional steps required to ensure that any processing operations performed outside the European Union or the European Economic Area (EEA), in a country without an adequate level that is not recognised as ‘adequate’, comply with the Data Protection Regulations in force, taking into account the decision issued by the Court of data protection, they shall also enter into an agreement reflecting the "Standard Contractual Clauses (processors)" pursuant to the Decision 2010|87|EU (C(2010)593) Justice of the European Commission without Union on 16 July 2020 (Schrems II) and in accordance with the Illustrative Indemnification Clause, or any clauses superseding them under the GDPR, as the case may be (EDPB guidelines entitled ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU Model Clauses)level of protection of personal data’. Individual interpreters and court reporters In such cases, a Data Transfer Impact Assessment (but not legal entitiesDTIA) and must be carried out to minimise the Arbitral Tribunal's secretaryremaining risks, if any, are not be considered processors but instead acting instead under the control of the relevant processor (article 29 GDPR). Hence, the provisions of Section 3.6 shall apply to them. The Contracting Parties agree that Matter Data and other personal data related to the processing activities for which they are a controller may be stored with a Cloud or hosting service provider by a Contracting Party with no further consultation of the other Contracting Parties, provided that this occurs otherwise in compliance the above provisions of this Section 4. Data Protection Governance Data Subject and Supervisory Requests Each Contracting Party who, make them as a controller of a processing activity defined in Annex A, receives a data subject request (including requests for access, correction, deletion or objection) or a request from data protection supervisory shall (a) without delay inform all other Contracting Parties who are also controllers of the processing activity at issue pursuant to Annex A, and (b) in good faith agree with them on how to respond to it, it being agreed that this shall not prevent a Contracting Party from complying the GDPR and other the Data Protection Laws applicable to it. Each Contracting Party who is a controller of the processing activity at issue shall provide the other Contracting Parties who are also controllers of such processing activity any reasonably requested support allowing them to properly respond to such request pursuant to the GDPR and other Data Protection Laws applicable to such processing activity. The Arbitral Tribunal may request that requests it has received are properly responded by the Arbitration Parties insofar they are also controllers of the processing activities at issue, even if they are not subject to the GDPR or other Data Protection Laws applicable to such processing activity. Each Contracting Party may share the essence of this Agreement with any data subject or supervisory authority requesting it. The Contracting Parties shall beforehand agree on what the essence is, with the Arbitral Tribunal having the final decision power. Data Breaches If a Contracting Party becomes aware of a personal data breach within the meaning of article 33 GDPR that relates to a processing activity defined in Annex A, it shall (a) without delay inform all other Contracting Parties of such breach and (b) in good faith agree with them on how to respond to it, including making notifications to supervisory authorities and data subjects low as required under the GDPR and other Data Protection Laws applicable to such processing activity, it being agreed that this shall not prevent a Contracting Party from complying the GDPR and other the Data Protection Laws applicable to it. Each Contracting Party who is a controller of the processing activity at issue shall provide the other Contracting Parties who are also controllers of such processing activity any reasonably requested support allowing them to properly respond to such data breach pursuant to the GDPR and other Data Protection Laws applicable to such processing activity. The primary responsibility to do a data breach notification is with (a) the Contracting Party responsible for the data breach or where the breach occurred (if this can be determined and there is one), and (b) the Contracting Party being an Arbitration Party (in this order of priority)possible.