Online Data Processing Agreement

The Parties have entered into Terms and Conditions of Service set-out in a separate agreement (the “Agreement” or “Terms and Conditions of Service”) which requires that the Company accesses and Processes (as defined below) Personal Data. The Data Processing Agreement (the “DPA”) and its Appendices specify the obligations of the Parties relating to the Processing of Personal Data pursuant to the Agreement. Details of the Processing of Personal Data are included in the Agreement.
Xperi Inc. and its affiliates and subsidiaries (collectively “Xperi”) may update this version of the DPA from time to time. The current version will be posted online. The DPA and the Appendices to the DPA are expressly incorporated into the Agreement. The definitions are set-out at Section 15 of this DPA.
Responsibilities and Obligations
  1. The Parties agree that, for the Processing of Personal Data by the Company for Xperi, Xperi shall be the Data Controller and the Company shall be the Data Processor unless Xperi is a Data Processor in which event the Company shall be a Sub-Processor.
  2. Company shall Process Personal Data only on behalf of Xperi and at all times only in accordance with this DPA, including the Appendices, the Agreement and in compliance with Data Protection Laws.
  3. Within the scope of the Agreement, each Party shall be responsible for complying with its respective obligations under the Data Protection Laws.
  4. Where the CCPA applies to the Processing of Personal Data, Company will act as Xperi’s Service Provider (as defined in the CCPA). As such, Company will only retain, use or disclose Personal Data of Data Subjects (i) for a Business Purpose (as defined in the CCPA) on behalf of Xperi and the specific purpose of performing Services under the Agreement (including, without limitation, for auditing, detecting security incidents, fraud detection, analysis, internal research for technological development, reporting or other operational purposes) or (ii) as otherwise permitted for service providers under the CCPA. Company acknowledges and agrees that it shall not retain, sell, share, use or disclose Personal Data for any other commercial purpose, other than providing the Services specified in the Agreement and as set-out in the Terms and Conditions of Service. Company further acknowledges and confirms that it understands the above enumerated requirements and will comply with the requirements.
  5. The Parties agree that the disclosing, disseminating, making available, transferring or sharing of any Personal Data under this DPA for the performance of the Services is not a “Sale” of such Personal Data under the CCPA (or any other applicable Data Protection Laws).
  6. Processing Instructions
  7. Company will Process Personal Data in accordance with Xperi’s written instructions. This DPA along with the applicable Agreement, contains Xperi’s written instructions to Company. The Parties agree that Xperi may communicate any change in these initial written instructions to the Company by way of written notification to the Company and that Company shall abide by such instructions. The Company shall maintain a secure, complete, accurate and up to date record of all such individual instructions. For the avoidance of doubt, any instructions that would lead to Processing outside the scope of this DPA (e.g. because a new processing purpose is introduced) will require a prior agreement between the Parties and, where applicable, shall be subject to any contractual variation procedure under the Agreement.
  8. Where instructed by Xperi, Company shall promptly correct, delete or restruct the Processing of Personal Data and provide the Personal Data to or confirmation of deletion to Xperi.
  9. Company shall immediately inform Xperi in writing if, in Company’s opinion, a Processing Instruction infringes Data Protection Laws, and provide a detailed explanation of the reasons for its opinion in writing. The Parties shall reasonably co-operate to resolve such concerns of the Company.
  10. Company Personnel
  11. Company will ensure that only those authorised personnel will have access to the Personal Data and shall prohibit its personnel from Processing Personal Data without such authorization. Company will ensure that its personnel have committed themselves to contractual or statutory obligations of confidentiality to protect the Personal Data both during the term of engagement and after the engagement ends with such personnel. Company shall ensure that any personnel who have access to Personal Data are reliable (by undertaking background screening assessments prior to being assigned to Process the Personal Data) and have undergone appropriate training to ensure that they understand their data protection responsibilities with respect such Personal Data that they Process for Xperi.
  12. Disclosure to Third-Parties and Data Subject Rights
  13. Company will not disclose Personal Data to any third-party (including any government agency, court, or law enforcement) except with written consent from Xperi or as necessary to comply with applicable mandatory laws. If Company is obliged to disclose Personal Data to a law enforcement agency or third-party, Company shall give Xperi prompt notice of the access request prior to granting such access, and allow Xperi the opportunity to seek a protective order or other appropriate remedy if it so chooses. If such notice is legally prohibited, Company will take reasonable measures to minimise the nature and extent of the Personal Data so disclosed as if it were Company’s own confidential information being requested and shall inform Xperi as soon as possible if and when such legal prohibition ceases to apply.
  14. With respect to any request or communication from a Data Subject which relates to the processing of Personal Data under any Data Protection Law (“Request”), Company shall provide Xperi with full cooperation, information and assistance (“Assistance”) in relation to any such Request where instructed by Xperi.
  15. Where Company receives a Request, Company shall (i) not directly respond to such Request, (ii) promptly notify Xperi with a copy of the Request and (iii) provide Assistance according to further instructions from Xperi.
  16. Company will provide assistance to Xperi to enable it to comply with its obligations to Data Subjects of providing access to Personal Data, deletion, restriction and/or rectification of Personal Data under the Data Protection Laws and, if required by Xperi, to return or delete all copies of the Personal Data promptly on request.
  17. Technical and Organizational Security Measures
  18. Company shall implement and maintain appropriate technical and organizational security measures (“TOMs”) to ensure that Personal Data is Processed in accordance with this DPA and to protect Personal Data against any attempted, threatened, alleged or actual Personal Data Breach. Such measures shall include the measures set-out in Appendix 1.
  19. Company shall document the implemented TOMs and shall provide Xperi with such documentation upon request including, where available, any certifications including, but not limited to, an ISO 27001 certification.
  20. Company shall assess and evaluate the effectiveness of TOMs on an ongoing basis. Company shall continuously enhance and improve TOMs, where reasonably required, and shall provide an updated copy to Xperi upon request and when material changes are made to the last disclosed copy. In the unlikely event that Company degrades the effectiveness of its TOMs, Company shall notify Xperi promptly.
  21. Assistance with Data Protection Impact Assessment
  22. Where a Data Protection Impact Assessment (“DPIA”) is required under applicable Data Protection Laws for the Processing of Personal Data, Company shall provide upon request to Xperi any information and assistance reasonably required for the DPIA and assistance for any communication with data protection authorities, where required, unless the requested information or assistance is not pertaining to Company’s obligations under this DPA.
  23. Compliance Information Rights and Audit
  24. Company makes available to Xperi upon Xperi’s request all information reasonably required to demonstrate compliance with the obligations in this DPA.
  25. Company shall, upon reasonable notice, allow for and contribute to on-site inspections of the Company’s Processing of Personal Data, as well as the TOMs (including data processing systems, policies, procedures and records), during regular business hours and without interrupting Company’s business operations. Such on-site inspections are conducted by Xperi, its affiliates or an independent third-party on Xperi’s behalf (which will not be a competitor of the Company) that is subject to reasonable confidentiality obligations.
  26. Company will promptly refer to Xperi any requests received from data protection authorities or other regulators that relate to the Company’s Processing of Personal Data. Company shall cooperate promptly with Xperi in its dealings with such data protection authorities or regulators and with any audit requests received from national data protection authorities. Xperi shall be entitled to disclose this DPA or any other documents (including contracts with Subcontractors) that relate to the performance of its obligations under this DPA.
  27. Personal Data Breach Notification
    1. In respect of any threatened, suspected, alleged or actual Personal Data Breach, Company shall:
  28. notify Xperi of a Personal Data Breach involving Company or a Subcontractor without undue delay (and using reasonable endeavours to do so within 24 hours after becoming aware of the Personal Data Breach);
  29. provide reasonable information, cooperation and assistance to Xperi in relation to any action to be taken in response to a Personal Data Breach under Data Protection Laws, including regarding any communication of the Personal Data Breach to Data Subjects and national data protection authorities;
  30. not notify any Data Subjects, national data protection authorities or any other authorities or third-parties.
  31. Subcontracting
  32. Company shall not subcontract any of its rights or obligations under this DPA without prior written consent of Xperi. Any prior consent of Xperi to Subcontractors engaged by the Company at the date of this Agreement shall be indicated in Appendix 2 which shall be updated from time to time if Subcontractors are removed or new Subcontractors are engaged. If Company proposes to change such approved Subcontractors, it shall provide Xperi with prior written notice and allow Xperi at least four weeks to consider and, if reasonable, object to such proposed change. The Parties shall co-operate reasonably to resolve any concerns Xperi may have about such a change and Company shall not implement the proposed change unless Xperi has consented in writing.
  33. Where Company, with Xperi’s consent, subcontracts its obligations and rights under this DPA it shall do so only by way of a binding written contract with the Subcontractor which imposes the same Processing and confidentiality obligations, especially with regard to instructions and TOMs, on the Subcontractor as are imposed on Company under this DPA.
  34. Company shall, upon request from Xperi, provide a copy of such contract (omitting any confidential or commercial provisions) to Xperi. Company shall ensure that it has undertaken an appropriate diligence check on such Subcontractor particularly with respect to its TOMs and suitability to Process the Personal Data. Xperi shall have a direct or, through the Company, indirect right to perform inspections on site at the Subcontractor’s premises, or to have a third-party conduct such an audit of its Processing operations with respect to the Personal Data. Company shall regularly assess that the Subcontractor is fulfilling his obligations.
  35. Company shall remain fully liable to Xperi for the performance of the Subcontractor’s obligations with respect to its Processing of Personal Data.
  36. International Data Transfers and Risk Assessments
  37. The Personal Data shall be processed by the Company and any authorised Subcontractor in a member state of the European Union, the United Kingdom or in another signatory state of the European Economic Area Agreement and Switzerland (the “European Countries”) without restriction (subject to the United Kingdom and Switzerland retaining their adequacy under applicable European Commission decisions).
  38. Where the Company and any authorised Subcontractor processes the Personal Data in the United States or any other country which is not an European Country, the following applies unless explicitly agreed otherwise by the Parties in writing:
(a) the Standard Contractual Clauses will apply to Personal Data transferred or made accessible by an Xperi affiliate in a European Country (who, for the purposes of the Standard Contractual Clauses shall be deemed the “Data Exporter”) or Personal Data that is otherwise restricted from Processing outside the European Countries by the Data Protection Laws and that is Processed by Company (who, for the purposes of the Standard Contractual Clauses shall be deemed the “Data Importer”) or by Company’s Subcontractor outside the European Countries; the details for such Standard Contractual Clauses approved by the European Commission and the UK Addendum to such Standard Contractual Clauses are set-out at Appendix 2 of this DPA;
(b) at Xperi’s request, the Parties shall execute any other data transfer agreement applicable to the Processing of the Personal Data by the Company or its Subcontractor in any particular jurisdiction;
(c) if and as long as the country where Personal Data is transferred to a country which is subject to an adequacy decision according to Article 45 (3) GDPR (or equivalent process under the Data Protection Laws), the Standard Contractual Clauses are required. If the adequacy decision is repealed or suspended, Section 10.2(a) and (b) of this DPA shall automatically apply; and
(d) Company shall undertake such reasonably required risk assessments and implement all safeguards and additional measures (and provide completed copies of the risk assessments and details of such safeguards and measures to Xperi on request), to determine Company’s risks of being unable to comply with the terms of such Standard Contractual Clauses or equivalent data transfer agreements or arrangements and if there is any risk that Company is unable to comply, it shall promptly notify Xperi and Xperi may, in its sole discretion and without any breach or default arising under the Agreement, suspend or terminate the transfer of Personal Data to Company. In this event, Company shall, within seven days of Xperi’s written request, return or delete all Personal Data it has transferred outside the European Countries and require that any Subcontractors do the same.
  1. Term and Termination
  2. This DPA becomes effective upon signature of the Agreement or, if subsequent to the Agreement being signed, on signature of this DPA, as applicable. The Parties agree to the execution by electronic signature. This DPA terminates when the Agreement is terminated, save that the Company’s Processing obligations under this DPA shall continue to apply for so long as it has access to the Personal Data, notwithstanding the termination of the DPA.
  3. Xperi may terminate the DPA, the Agreement or any other agreement referred to in an Appendix for cause, at any time upon reasonable notice or without notice, as selected by Xperi, if the Company is in material breach of the terms of this DPA and in accordance with the process specified in the Agreement.
  4. Deletion or Return of Personal Data
  5. Company shall without undue delay, at the written request of Xperi, securely delete or return all the Personal Data to Xperi in hardcopy or electronic form after the end of the provision of the relevant services related to the processing and securely delete existing copies (unless storage of any data is required by applicable law and, if so, shall inform Xperi of any such requirement prior to processing).
  6. Search and Seizure
  7. Where Personal Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third-parties while in Company’s control, the Company shall notify Xperi of such action without undue delay. Company shall, without undue delay, notify all pertinent parties in such action, that any Personal Data affected thereby is in Xperi’s sole property and area of responsibility, that Personal Data is at Xperi’s sole disposition, and that Xperi is the responsible body under Data Protection Laws.
  8. Miscellaneous
  9. In case of any conflict, the order of precedence is: (a) the SCCs incorporated by reference at Appendix 2; (ii) this DPA; and (iii) the Agreement.
  10. No Party shall receive any remuneration for performing its obligations under this DPA except as explicitly set-out herein or in another agreement.
  11. Where this DPA requires a “written notice” such notice can also be communicated per email to the other Party. Notices shall be sent to the contact persons set-out in the Terms and Conditions of Service.
  12. Any supplementary agreements or amendments to this DPA must be made in writing and signed by both Parties.
  13. Should individual provisions of this DPA become void, invalid or non-viable, this shall not affect the validity of the remaining conditions of this agreement.
  14. This DPA shall be governed by California law with respect to disputes under any US law and Irish law with respect to disputes under any EU law and English law with respect to an disputes under UK law. The place of jurisdiction shall be the courts of the State of California with respect to claims in the US and Ireland with respect to claims brought in the EU and England with respect to claims brought in the UK.
  15. Definitions
In this DPA, the following terms shall have the following meanings:
  1. “Data Breach” or “Personal Data Breach” means any accidental or unlawful destruction of, loss, alteration, destruction, disclosure, access or corruption of Personal Data.
  2. “Data Controller” means the organization which determines the purposes and means of processing Personal Data (as applicable).
  3. “Data Exporter” means the organization sending or making available Personal Data to a Data Importer.
  4. “Data Processor” means the organization who processes Personal Data on behalf of a Data Controller.
  5. “Data Protection Laws” shall mean the data protection laws of the country in which Xperi is established (including the the California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100, et seq. and all implementing regulations promulgated by the California Attorney General to date, as amended from time to time) (“CCPA”) and the GDPR) and any other data protection, data security and privacy laws applicable to Xperi and/or Company in connection with Processing of Personal Data under this DPA and the Agreement.
  6. “Data Subject” means an identified or identifiable natural person.
  7. “GDPR” shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and includes the UK implementation of Regulation (EU) 2016/679 under section 3 of the UK European Union (Withdrawal) Act 2018.
  8. “Personal Data” shall mean any information relating to an identified or identifiable natural person or is reasonably capable of being associated with, or could be ereasonably linked, directly or indirectly, with a household, provided by or on behalf of Xperi to the Company.
  9. “Processing” means any operation which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data (and “Process” shall be construed accordingly).
  10. “Services” means the services provided by the Company to Xperi as set-out in the Agreement.
  11. “Standard Contractual Clauses” or “Approved EU SCCs” mean the standard contractual clauses for the transfer of Personal Data from a Data Controller in the European Economic Area to Processors established in third countries approved in the European Commission Implementing Decision dated 4 June 2021[1] in the form expressly incorporated into this DPA, as amended by incorporating the description of the Personal Data to be transferred as set-out in the Terms and Conditions of Service and the technical and organizational measures to be implemented as set-out in Appendix 1 with details set-out in Parts A and B of Appendix 1.
  12. “Subcontractor” means an approved Subprocessor engaged by the Company who is listed in the Terms and Conditions of Service or otherwise approved by Xperi under Section 9.1.
  13. “Subprocessor” means a Data Processor engaged by another Data Processor to Process the Personal Data.
  14. “UK Addendum” means the mandatory clauses approved by the UK’s Information Commissioner’s Office to give effect to the Standard Conctractual Clauses as set-out in Part C of Appendix 2
APPENDIX 1
Technical and Organizational Measures
System Security Requirements Specification
The System Security Requirements Specification is the official statement of the system requirements for service providers that Process Personal Data on behalf of Xperi companies, such entities referred to as “Processors”. The corresponding Xperi company concerned is referred to as the “Controller”. It details what services the system should provide, the system properties, and the constraints on the operation and development of the system. Compliance with these minimum security measures does not guarantee that an appropriate level of protection has been provided – a comprehensive assessment of security must be undertaken depending upon the circumstances, type of data and Processing to be performed. Processors are expected to adopt these standards as appropriate standards to ensure a secure operating environment to handle Personal Data on behalf of Xperi.
Definitions
In this document, the following definitions are used:
Authorised Users
has the meaning defined in clause 16.
Information Systems
means all systems used to access, store or otherwise Process Personal Data, including temporary files;
Media
means a physical object likely to be Processed in an Information System and on which data may be recorded or from which they may be retrieved;
Security document
means the document containing the security plan;
Security plan
means the measures adopted to comply with these minimum security requirement;
Sensitive Personal Data
means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health or sex life and data consisting of information as to the commission or alleged commission of any offence or any proceedings for any offence or alleged offence or the disposal of such proceedings or the sentence of any court in such proceedings, biometric Personal Data and all Personal Data of children under the age of 14 (or other required age under applicable Data Protection Laws); and references to Personal Data shall include Sensitive Personal Data;
User ID
has the meaning defined in clause 18.
All other definitions used are defined in Clause 1 of the DPA.
Security Categories
These minimum security requirements are divided into three categories to reflect the sensitivity of different types of data – Standard, Medium and High. The data types to which these three security categories apply are described below.
Standard
The standard security requirements apply to all Personal Data as identified by Xperi, including those categories of Personal Data referred to below in relation to the Medium and High categories.
Medium
The medium security requirements apply to Personal Data as identified by Xperi, including those categories of Personal Data referred to below in relation to the High category:
  • sufficient to permit an assessment of an individual’s personality.
  • bank account, tax information.
High
The high security requirements apply to the following data categories as identified by Xperi:
  • Sensitive Personal Data.
Order of precedence
In the event that the security requirements conflict, the higher standard shall take precedence.
Scope of these requirements
The security measures required for access to Personal Data via online cloud based networks must guarantee a level of security equivalent to that applying to Xperi internal security access.
Standard Security Measures
Organisational measures
Security Officer
  1. A person responsible for the overall compliance with these minimum security requirements shall be designated as the Security Officer. This person shall be suitably trained and experienced in managing information security and provided with appropriate resources to effectively ensure compliance.
  2. The contact details of the Security Officer shall be provided to the Controller within thirty (30) days of the parties entering into the DPA and any amendment to such details shall be communicated promptly.
Security Plan and Document
  1. The measures adopted to comply with these minimum security requirements shall be the subject of a Security Plan and set-out in a security document, which shall be kept up to date, and revised whenever relevant changes are made to the Information System or to how it is organised. The Security Document shall record such changes to the security measures or the Processing activities.
  2. The Security Plan shall address: Security measures relating to the modification and maintenance of the system used to Process Personal Data, including development and maintenance of applications, appropriate vendor support and an inventory of hardware and soft physical security, including security of the buildings or premises where Personal Data Processing occurs, security of data equipment and infrastructure and environmental controls.
  3. Data security mechanisms for securing the integrity and confidentiality of the Personal Data, classification of the Personal Data.
  4. Security of computers including procedures for managing back-up copies, procedures dealing with computer viruses, procedures for managing signal/codes, security for software implementation, security related to databases, security for connecting systems to the Internet, inspection of circumvention of data system, mechanisms for keeping account of attempts to break system security or gain unauthorized access.
  5. The Security Plan shall include:
    1. A Disaster Recovery Plan which shall set-out:
  6. measures to minimize interruptions to the normal functioning of the system;
  7. limit the extent of any damage and disasters;
  8. enable a smooth transition of Personal Data from one computer system to another;
  9. provide for alternative means of operating a computer system;
  10. educate, exercise and familiarize personnel with emergency procedures;
  11. provide for fast and smooth system recovery, and minimize the effects of any disaster event.
    1. A Contingency Plan which must address the following possible dangers to the system and appropriate criteria to determine when the Plan should be triggered:
      1. the critical functions and systems, the strategy for protecting the system and priorities in the event the Plan is activated;
      2. an inventory of relevant staff members to be called upon during an emergency, as well as telephone numbers of other relevant parties;
      3. a set of procedures for calculating the damage incurred;
      4. realistic time management plans to enable the recovery of the system;
      5. clearly allocated staff duties;
      6. possible use of alarms and special devices (e.g., air filters, noise filters);
      7. in the event of a fire, special equipment should be available (e.g., fire extinguisher, water pumps, etc.);
      8. devices or methods for determining temperature, humidity and other environmental factors (e.g., air conditioning, thermometers, etc.);
      9. special security software to detect breaches of security;
      10. special generators for dealing with power cuts;
      11. retention of copies of software or materials in other protected buildings to avoid inadvertent loss.
  12. The Security Document shall be available to staff who have access to Personal Data and the Information Systems, and must cover the following aspects as a minimum:
    1. The scope, with a detailed specification of protected resources;
    2. The measures, standards, procedures, code of conduct rules and norms to guarantee security, including for the control, inspection and supervision of the Information Systems;
    3. The functions and obligations of staff;
    4. The structure of files containing Personal Data and a description of the Information Systems on which they are Processed;
    5. The purposes for which the Information Systems may be used;
    6. The procedures for reporting, managing and responding to incidents;
    7. The procedures for making back-up copies and recovering Personal Data including the person who undertook the process, the Personal Data restored and, as appropriate, which Personal Data had to be input manually in the recovery process.
  13. The Security Document and any related records and documentation shall be retained for a minimum period of five (5) years from the end of the Processing.
Authorised Users
  1. Only those employees who have demonstrated honesty, integrity and discretion should be Authorised Users or have access to premises where Information Systems or media containing Personal Data are located. Staff should be bound by a duty of confidentiality in respect of any access to Personal Data.
  2. The necessary measures shall be adopted to train and make staff familiar with these minimum security requirements, any relevant policies and applicable laws concerning the performance of their functions and duties in respect of the Processing of Personal Data and the consequences of any breach of these requirements.
  3. The functions and obligations of staff having access to Personal Data and the Information Systems shall be clearly defined and documented.
  4. Authorised Users shall be instructed to the effect that electronic equipment should not be left unattended and made accessible during Processing sessions.
  5. Physical access to areas where any Personal Data are stored shall be restricted to Authorised Users.
  6. The disciplinary measures for a breach of the Security Plan shall be clearly defined and documented and communicated to staff.
Technical Measures
Authorisation
  1. Only those employees who have a legitimate operational need to access the Information Systems or carry out any Processing of Personal Data shall be authorised as Authorised Users.
  2. An authorisation system shall be used where different authorisation profiles are used for different purposes.
Identification
  1. Every Authorised User must be issued with a personal and unique identification code for that purpose (“User ID”).
  2. A User ID may not be assigned to another person, even at a subsequent time.
  3. An up-to-date record shall be kept of Authorised Users, and the authorised access available to each, and identification and authentication procedures shall be established for all access to Information Systems or for carrying out any Processing of Personal Data.
Authentication/Passwords
  1. Authorised Users shall be allowed to Process Personal Data if they are provided with authentication credentials such as to successfully complete an authentication procedure relating either to a specific Processing operation or to a set of Processing operations.
  2. Authentication must be based on a secret password associated with User ID, and which password shall only be known to the Authorised User; alternatively, authentication shall consist in an authentication device that shall be used and held exclusively by the person in charge of the Processing and may be associated with either an ID code or a password, or else in a biometric feature that relates to the person in charge of the Processing and may be associated with either an ID code or a password.
  3. One or more authentication credentials shall be assigned to, or associated with, an Authorised User.
  4. There must be a procedure that guarantees password confidentiality and integrity. Passwords must be stored in a way that makes them unintelligible while they remain valid. There must be a procedure for assigning, distributing and storing passwords.
  5. Passwords shall consist of at least eight characters, or, if this is not technically permitted by the relevant Information Systems, a password shall consist of the maximum permitted number of characters. Passwords shall not contain any item that can be easily related to the Authorised User in charge of the Processing and must be changed at regular intervals, which intervals must be set-out in the security document. Passwords shall be modified by the Authorised User to a secret value known only to the Authorised User when it is first used as well as at least every three (3) months thereafter.
  6. The instructions provided to Authorised Users shall lay down the obligation, as a condition of accessing the Information Systems, to take such precautions as may be necessary to ensure that the confidential component(s) in the credentials are kept secret and that the devices used and held exclusively by Authorised Users are kept with due care.
  7. Authentication credentials shall be de-activated if they have not been used for at least six months, except for those that have been authorised exclusively for technical management and support purposes.
  8. Authentication credentials shall be also de-activated if the Authorised User is disqualified or de-authorised from accessing the Information Systems or Processing Personal Data.
  9. Where data and electronic equipment may only be accessed by using the confidential component(s) of the authentication credential, appropriate instructions shall be given in advance, in writing, to clearly specify the mechanisms by which the Controller can ensure that Personal Data or electronic equipment are available in case the person in charge of the Processing is either absent or unavailable for a long time and it is indispensable to carry out certain activities without further delay exclusively for purposes related to system operationality and security. In this case, copies of the credentials shall be kept in such a way as to ensure their confidentiality by specifying, in writing, the entities in charge of keeping such credentials. Such entities shall have to inform the person in charge of the Processing, without delay, as to the activities carried out.
Access Controls
  1. Only Authorised Users shall have access to Personal Data, including when stored on any electronic or portable media or when transmitted. Authorised Users shall have authorised access only to those data and resources necessary for them to perform their duties.
  2. A system for granting Authorised Users access to designated data and resources shall be used.
  3. Authorisation profiles for each individual Authorised User or for homogeneous sets of Authorised Users shall be established and configured prior to the start of any Processing in such a way as to only enable access to data and resources that are necessary for Authorised Users to perform their duties.
  4. It shall be regularly verified, at least at yearly intervals, that the prerequisites for retaining the relevant authorisation profiles still apply. This may also include the list of Authorised Persons drawn up by homogeneous categories of task and corresponding authorisation profile.
  5. Measures shall be put in place to prevent a user gaining unauthorised access to, or use of, the Information Systems. In particular, firewalls and intrusion detection systems reflecting the state of the art and industry best practice should be installed to protect the Information Systems from unauthorized access. Measures shall be put in place to identify when the Information Systems have been accessed or Personal Data has been Processed without authorization, or where there have been unsuccessful attempts at the same.
  6. Operating system or database access controls must be correctly configured to ensure authorised access.
  7. Only those staff authorised in the security document shall be authorised to grant, alter or cancel authorised access by users to the Information Systems
Management of Media
  1. Information Systems and physical media storing Personal Data must be housed in a secure physical environment. Measures must be taken to prevent unauthorized physical access to premises housing Information Systems.
  2. Organisational and technical instructions shall be issued with regard to keeping and using the removable media on which the data are stored in order to prevent unauthorised access and Processing.
  3. Media containing Personal Data must permit the kind of information they contain to be identified, Inventoried (including the time of data entry; the Authorised User who entered the data and the person from whom the data was received; and the Personal Data entered) and stored at a physical location with physical access restricted to staff that are authorised in the security document to have such access.
  4. When media are to be disposed of or reused, the necessary measures shall be taken to prevent any subsequent retrieval of the Personal Data and other information stored on them, or to otherwise make the information intelligible or be re-constructed by any technical means, before they are withdrawn from the inventory. All reusable media used for the storage of Personal Data must be overwritten three times with randomised data prior to disposal or re-use.
  5. The removal of media containing Personal Data from the designated premises must be specifically authorised by the controller.
  6. Media containing Personal Data must be erased or rendered unreadable if it is no longer used or prior to disposal.
Distribution of Media and Transmission
  1. Media containing Personal Data must only be available to Authorised Users.
  2. Printing/copying Processes must be physically controlled by Authorised Users, to ensure that no prints or copies containing Personal Data remain left in the printers or copying machines.
  3. Media containing Personal Data or printed copies of Personal Data must contain the classification mark “Confidential”.
  4. Encryption (128-bit or stronger) or another equivalent form of protection must be used to protect Personal Data that is electronically transmitted over a public network or stored on a portable device, or where there is a requirement to store or Process Personal Data in a physically insecure environment.
  5. Paper documents containing Personal Data must be transferred in a sealed container/envelope that indicates clearly that the document must be delivered by hand to an Authorised User.
  6. When media containing Personal Data are to leave the designated premises as a result of maintenance operations, the necessary measures shall be taken to prevent any unauthorised retrieval of the Personal Data and other information stored on them.
  7. A system for recording incoming and outgoing media must be set up which permits direct or indirect identification of the kind of media, the date and time, the sender/recipient, the number of media, the kind of information contained, how they are sent and the person responsible for receiving /sending them, who must be duly authorised.
  8. Where Personal Data is transmitted or transferred over an online cloud based network, measures shall be put in place to control the flow of Personal Data and record the timing of the transmission or transfer, the Personal Data transmitted or transferred, the destination of any Personal Data transmitted or transferred, and details of the Authorised User conducting the transmission or transfer.
Preservation, Back-up copies and Recovery
  1. Tools must be in place to prevent the unintended deterioration or destruction of Personal Data.
  2. Procedures must be defined and laid down for making back-up copies and for recovering Personal Data. These procedures must guarantee that Personal Data files can be reconstructed in the state they were in at the time they were lost or destroyed.
  3. Back-up copies must be made at least once a week, unless no Personal Data has been updated during that period.
Anti-Virus and Intrusion Detection
  1. Anti-virus software and intrusion detection systems should be installed on the Information Systems to protect against attacks or other unauthorised acts in respect of Information Systems. Antivirus software and intrusion detection systems should be updated regularly in accordance with the state of the art and industry best practice for the Information Systems concerned (and at least every six months).
Software Updates
  1. The software, firmware and hardware used in the Information Systems shall be reviewed regularly in order to detect vulnerabilities and flaws in the Information Systems and resolve such vulnerabilities and flaws. This review shall be carried out at least annually.
Record Keeping
Access Record
  1. A history of Authorised Users’ access to or disclosure of Personal Data shall be recorded on a secure audit trail.
Physical Access Record
  1. Only those Processor staff duly authorised in the security document may have physical access to the premises where Information Systems and media storing Personal Data are stored. A record of staff who access such premises shall be maintained, including name, date and time of access.
Record of Incidents
  1. There shall be a procedure for reporting, responding to and managing security incidents such as data security breaches or attempts at unauthorised access. This shall include as a minimum:
    1. A procedure for reporting such incidents/breaches to appropriate management within the Processor;
    2. A clearly designated team for managing and co-ordinating the response to an incident led by the Security Officer;
    3. A documented and tested process for managing the response to an incident including the requirement to keep appropriate issues and action logs to include the time at which the incident occurred, the person reporting the incident, to whom it was reported and the effects thereof;
    4. The requirement on the Processor to notify the Controller immediately if it appears that Personal Data was involved in the incident or breach or may be impacted or affected in some way; and
    5. The Processor security/ incident management team should where appropriate work together with the Controller’s security representatives until the incident or breach has been satisfactorily resolved.
Medium Security Measures
Technical Measures
Identification and Authentication
  1. Passwords shall be modified at least every three (3) months.
  2. The software, firmware and hardware used in the Information Systems shall be reviewed at least every six (6) months in order to detect vulnerabilities and flaws in the Information Systems and resolve such vulnerabilities and flaws.
  3. Mechanisms shall be set up that permit unequivocal, personalised identification of any user who attempts to access the information system and a check to establish whether each user is authorised.
  4. Limits shall be placed on the scope for repeating attempts to gain unauthorised access to the Information System. After, at most, six (6) failed attempts to authenticate, the associated User ID must be blocked.
Tests with Real Data
  1. Testing prior to the implementation or modification of the Information Systems Processing Personal Data shall not use real or ‘live’ data unless such use is necessary and there is no reasonable alternative. Where real or ‘live’ data is used, it shall be limited to the extent necessary for the purposes of testing and the level of security corresponding to the type of Personal Data Processed must be guaranteed.
Audit
  1. Regular audits of compliance with these minimum security requirements, at least at two yearly intervals, should be performed and delivered in the form of an audit report.
  2. The audit report must provide an opinion on the extent to which the security measures and controls adopted comply with these minimum security requirements, identify any shortcomings and (if any) propose corrective or supplementary measures as necessary. It should also include the data, facts and observations on which the opinions reached and the recommendations proposed are based.
  3. The audit report shall be analysed by the Security Officer who shall refer the conclusions to the controller and the Security Officer shall remain at the disposal of the controller.
High Security Measures
Organisational Measures
Incident Reporting
  1. The procedure for reporting, managing and responding to incidents shall be tested at least once a year.
Technical Measures
Distribution of Media
  1. Media containing Personal Data may only be distributed if the Personal Data has been encrypted to guarantee that that Personal Data and other information is not intelligible or may not be manipulated in transit.
Access Record
  1. The minimum details to be recorded for every access to the Information Systems shall be the User ID, the date and the time of access, the file or Personal Data accessed, the kind of access and whether this was authorised or denied.
  2. If access was authorised, it shall be necessary to retain the information which permits the record that was accessed to be identified.
  3. The mechanisms permitting the Personal Data set-out in detail in the preceding paragraphs to be recorded shall be under the direct control of the Security Officer and under no circumstances must it be permissible to deactivate these.
  4. The minimum period for retaining the Personal Data recorded shall be two (2) years.
  5. The Security Officer shall periodically review the control information recorded, and shall draw up a report on the reviews carried out and any problems detected at least once a month.
Back-Up Copies and Recovery
  1. A back-up copy and data recovery procedures must be kept at a different location from the site of the Information Systems Processing the Personal Data and these security requirements shall apply to such back-up copies.
Electronic Communications Networks
  1. Personal Data may be distributed via online and/or cloud based networks only if they have been encrypted, enciphered or another mechanism is used to guarantee that the information is not intelligible or is not manipulated by third-parties.
Record Keeping
  1. All findings from the tests by the Processor of the procedure for reporting, managing and responding to incidents shall be provided promptly to the controller for review.
APPENDIX 2
Part A – EU Standard Contractual Clauses (Module 2 Controller-Processor)
Clause 7: Included
Clause 13: The supervisory authority named at Annex I.C, shall act as competent supervisory authority.
Clause 17: The law of Ireland (choice of law).
Clause 18: The courts of Ireland (choice of forum and jurisdiction).
ANNEX I
A. LIST OF PARTIES
See Parties listed in the DPA.
B. DESCRIPTION OF TRANSFER
See the Terms and Conditions of Service.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Xperi’s competent supervisory authority is the Irish Data Protection Commission.
ANNEX II
Technical and organizational security measures
See Appendix 2 of the DPA.
Part B – EU Standard Contractual Clauses (Module 3 Processor-Processor)
Clause 7: Included
Clause 9(a): Option 1 (prior written authorization to use sub-processors).
Clause 11: Omit the option (redress).
Clause 13: The supervisory authority named at Annex I.C, shall act as competent supervisory authority.
Clause 17: The law of Ireland (governing law).
Clause 18: The courts of Ireland (choice of forum and jurisdiction).
ANNEX I
A. LIST OF PARTIES
See Parties listed in the DPA.
B. DESCRIPTION OF TRANSFER
See the Terms and Conditions of Service.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Xperi’s supervisory authority is the Irish Data Protection Commission.
ANNEX II
Technical and organizational security measures
See Appendix 2 of the DPA.
Part C – UK Addendum to the Standard Contractual Clauses
Table 1: Parties
  1. Start date
  1. See the Terms and Conditions of Service
  1. The Parties
  1. Exporter (who sends the Restricted Transfer)
  1. Importer (who receives the Restricted Transfer)
  1. Parties’ details
  1. See the Terms and Conditions of Service
  1. See the Terms and Conditions of Service
  1. Key Contact
  1. See the Terms and Conditions of Service
  1. See the Terms and Conditions of Service
  1. Signature (if required for the purposes of Section ‎2)
Table 2: Selected Standard Contractual Clauses, Modules and Selected Clauses
  1. Addendum EU SCCs
The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
  1. Date:
  2. Reference (if any):
  3. Other identifier (if any):
  4. Or
X the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
  1. Module
  1. Module in operation
  1. Clause 7 (Docking Clause)
  1. Clause 11
    (Option)
  1. Clause 9a (Prior Authorisation or General Authorisation)
  1. Clause 9a (Time period)
  1. Is personal data received from the Importer combined with personal data collected by the Exporter?
  1. 1
  1. 2
  1. X
  1. X
  1. Prior authorisation
  1. No
  1. 3
  1. X
  1. X
  1. Prior authorisation
  1. No
  1. 4
Table 3: Appendix Information
Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
  1. Annex 1A: List of Parties: See the Terms and Conditions of Service
  1. Annex 1B: Description of Transfer: See the Terms and Conditions of Service
  1. Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Appendix 1 of the DPA
  1. Annex III: List of Sub processors (Modules 2 and 3 only): See the Terms and Conditions of Service
Table 4: Ending this Addendum when the Approved Addendum Changes
  1. Ending this Addendum when the Approved Addendum changes
  1. Which Parties may end this Addendum as set out in Section ‎19:
  2. Importer
  3. X Exporter
  4. neither Party
Mandatory Clauses
Entering into this Addendum
1. Each Party agrees to be bound by the terms and conditions set-out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
2. Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set-out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
3. Where this UK Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
“Addendum” or “UK Addendum” means this International Data Transfer Addendum which is made up of this UK Addendum incorporating the Addendum EU SCCs.
“Addendum EU SCCs” means the version(s) of the Approved EU SCCs which this Addendum is appended to, as set-out in Table 2, including the Appendix Information.
“Appendix Information” is set-out in Table 3.
“Appropriate Safeguards” means the standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
“Approved Addendum” means the template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
“Approved EU SCCs” means the Standard Contractual Clauses set-out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
“EU GDPR” means the EU General Data Protection Regulation 20016/679
“ICO” means the Information Commissioner.
“Restricted Transfer” means a transfer which is covered by Chapter V of the UK GDPR.
“UK” means the United Kingdom of Great Britain and Northern Ireland.
“UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
“UK GDPR” has the definition in section 3 of the Data Protection Act 2018.
4. This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
5. If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
6. If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
7. If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
8. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
9. Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
11. Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the EU GDPR then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
12. This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
a. together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers; b. Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
c. this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
13. Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
14. No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
15. The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
a. References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
b. In Clause 2, delete the words:
“and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
c. Clause 6 (Description of the transfer(s)) is replaced with:
“The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
d. Clause 8.7(i) of Module 1 is replaced with:
“it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
e. Clause 8.8(i) of Modules 2 and 3 is replaced with:
“the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
f. References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
g. References to Regulation (EU) 2018/1725 are removed;
h. References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
i. The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
j. Clause 13(a) and Part C of Annex I are not used;
k. The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
l. In Clause 16(e), subsection (i) is replaced with:
“the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
m. Clause 17 is replaced with:
“These Clauses are governed by the laws of England and Wales.”;
n. Clause 18 is replaced with:
“Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
o. The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
a. makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
b. reflects changes to UK Data Protection Laws;
19. The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set-out in the revised Approved Addendum from the start date specified. 19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
a. its direct costs of performing its obligations under the Addendum; and/or
b. its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
20. The Parties do not need the consent of any third-party to make changes to this Addendum, but any changes must be made in accordance with its terms.
  1. Processing Operations
The Personal Data transferred or Processed will be subject to the following processing activities:
The subject matter and duration of the Processing Activities of Personal Data are set out in the underlying Agreement and this DPA.
  1. Data Subjects
The Personal Data transferred or Processed concern the following categories of Data Subjects:
The types of Personal Data and categories of Data Subject about whom the Personal Data relates are determined and controlled by Controller in its sole discretion and are enuermated within the Agreement and this DPA.
  1. Categories of Data
The Personal Data transferred or Processed concern the following categories of data:
As determined and outlined in the underlying Agreement and this DPA.
  1. Special Categories of Data such as Health Data (if applicable)[2]
The Personal Data transferred or Processed concern the following Special Categories of Data:
The Parties do not anticipate that any sensitive data will be transferred. If and to the extent that the Parties transfer or process any Special Categories of Data, it will be determined and controlled by the Controller in its sole discretion, and for which relevant safeguards will be specified below:
  1. International Transfer
Please indicate if Personal Data is transferred to a country/recipient outside the EU/EEA/UK/Switzerland
Country If applicable (otherwise, leave empty): Mechanism to ensure adequate protection instead of EU Standard Contractual Clauses
  1. United States
  1. Subcontracting
Company intends to use the service of the following Subcontractors for Processing of Personal Data:
Name of Subcontractor Address Task to be performed International transfer (if applicable)
  1. [●] Please see the underlying Agreement
  1. [●]
  1. [●]
  2. Please explain briefly the processing activities (one or two keywords are sufficient, e.g. data hosting)
  1. [●]
  2. Please indicate to which country Personal Data is transferred if Personal Data is transferred to a country/recipient outside the EU/EEA/ Switzerland.
Xperi approves the use of the aforementioned Subcontractors and the international transfer of Personal Data (if applicable).
  1. Contact Persons
Questions and notices of Company under DPA shall be addressed to:
Xperi Data Protection Officer
Email: DataProtectionOfficer@Xperi.com
Respective questions of Xperi shall be addressed to:
[●] / Company: Please see the underlying Agreement
[Address, email]
  1. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN 
  2. Article 9 GDPR for definition of Special Categories of Personal Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation