Legal Policies

Last Update: September 22, 2023

 

MARKETSTAR PRIVACY POLICY

MarketStar is committed to safeguarding personal data and operating its business with high standards of practice in data privacy and security compliance. Our Privacy Policy details what data is collected from website users, our client representatives, other business representatives, and the data collection we perform on behalf of our clients, how we use it, and how it is stored.

WHO WE ARE

MarketStar provides advanced sales and marketing services for its clients to drive market revenue, grow accounts, and expand their customer base. MarketStar services are categorized as sales as a service, and involve provision of talented sales teams and management, marketing programs, data analysis, sourcing and intelligence services, advisory services and operations support.

MarketStar headquarters is based in Ogden, in the United States with a key office located in Ireland, in the European Union, and other offices in global regions offered through partnered subcontractors. MarketStar has an extensive history of providing exceptional service for key clients who are major players in their respective industries. We respect your privacy and take safeguarding personal data seriously. Please read the following to understand the privacy practices of MarketStar. For information on the privacy practices of third parties such as social media platforms, we encourage you to read their privacy policy before clicking on any link from MarketStar’s website.

This Privacy Policy applies to all Personal Data processed by MarketStar (except for job applicants and employees, which have separate Privacy Notices) in the operation of MarketStar’s business and in connection with MarketStar’s website at https://www.marketstar.com. This Privacy Policy applies to the following MarketStar entities: MarketStar QOZ Business, LLC, a Utah limited liability company; AEBE Limited, an Irish company limited by shares with company number 467373, trading as MarketStar; Out2Bound EOOD, a Bulgarian company; All Channel Sales Solutions, S. de R.L. de C.V., a Mexican company; MarketStar Canada Corp., a Canadian company trading as MarketStar; and Leemore Investments, S.L., a Spanish company (together “MarketStar”, “we”, “us”, and “our”).

WHAT IS PERSONAL DATA

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Under specific laws, Personal Data may include any information relating to a household.

PERSONAL DATA WE PROCESS

We operate as both a data controller, where we determine the means of data processing for our own business needs, and a data processor, where we process data on behalf of our business clients. Key information about these processing roles is detailed below.

The categories of data subjects for whom we process Personal Data are:

As Data Controller: (1) Client Representatives; (2) Prospective Client Representatives; (3) Business Representatives; (4) Other Users; and (5) Web Users.

As Data Processor: (1) Client Customers; (2) Potential Client Customers; (3) Business Representatives; and (4) Other Users.

The purposes for processing Personal Data are:

As Data Controller: (1) Administer contracts; (2) Operate our business; (3) Meet our legal obligations; (4) Register with our proprietary software platforms; (5) Seek new market opportunities; and (6) Targeted advertising for MarketStar services.

As Data Processor: (1) Fulfil our contractual obligations; (2) Qualify client leads; (3) Enhance client data; (4) Provide sales and marketing services; (5) Perform data analytics and reporting; and (6) Provide advisory services.

The possible consequence of failing to provide Personal Data is our inability to respond to inquiries or interact for business purposes.

The categories of Personal Data we process are:

As Data Controller: (1) Business contact information; (2) Business administration information; (3) Finance information; and (4) Other data related to the client relationship.

As Data Processor: (1) Business contact information; (2) Business profile information; and (3) Other data related to client programs.

The examples of Personal Data processed include: name, phone number, email address, business name, job title, job role, contracts, statements of work, work product, policies, surveys, reports, sales and marketing information, and other administrational documents and compliance records associated with an individual or their specific job role.

The sources of Personal Data collected include: business interaction with the data subject, online forms, chat-line requests, purchased lists, social media, marketing surveys, phone calls, and open source means.

The legal basis for processing Personal Data is: (1) necessity to perform contracts; (2) legitimate interest as a provider of advanced sales and marketing services; or (3) regulatory requirements. In addition, MarketStar relies upon consent as the legal basis for processing Personal Data for cookies, related targeted advertising, related web analytics, visitors to MarketStar facilities, and specific IT access to networks and systems.

Personal Data we do NOT actively collect or process: We do not actively collect or otherwise process the Personal Data of minors, data related to criminal convictions and offenses, or special categories of data (i.e. revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation). Please note that employees are provided a separate privacy notice.

Data processed from third-party service providers: We may purchase and license customer lists, contact lists and other business intelligence so that we may provide our sourcing and intelligence services to our clients. These processing activities are key to our business value. We may source this information on behalf of our clients in order to perform our contractual obligations under our service agreements. This service is an integrated part of our overall advanced sales and marketing services. Data sourced from third-party service providers is shared with our clients or used by us on behalf of our clients in marketing campaigns and other sales initiatives. This may be considered as selling Personal Data as we receive monetary or other valuable consideration for our services that include this processing. We do not separately sell Personal Data. Please note that we do not process, sell or share the data of minors.

Technical data: We process technical information and navigational information when you visit our website, which is found at https://www.marketstar.com/. Technical information includes IP address, geographical location, device ID and related information and browser type. Navigational information includes pages viewed, selection made and length of visit. Our primary goal in processing this information from you is to provide you access to features on the site and help us improve our product and services and develop and market new products and services.

We may also process payment information when you pay for certain MarketStar services.

Cookies and Similar Tracking Technologies: We (and the third-party service providers working on our behalf) use various technologies to collect Personal Data. This may include saving cookies to your device. For information on what cookies are, which ones we use, why we use them, and how you can manage their use, please see our Cookie Policy.

PURPOSES FOR PROCESSING PERSONAL DATA

We process Personal Data to fulfill our contractual obligations in our service contracts with clients and enhance client business opportunities. In addition, we process Personal Data for sales leads, information services, payment, employee training, marketing, web analysis, security monitoring, and recruitment and employment. Our purpose in processing this Personal Data is to develop new client relationships, increase our client service and for administrative and other business purposes.

MarketStar’s services are categorized as follows:

  1. Advanced & predictive analytics: The tracking and analysis of important customer trends, loyalty, and outreach patterns based on comprehensive data analysis and modeling
  2. Customer acquisition: Driving revenue for SMB and Enterprise by selling directly to end-users or businesses and closing deals
  3. Data services: The targeting, cleansing, and augmentation of prospect and active lead data vital in all lead generation programs - partner or direct
  4. Direct account management: Providing enablement, availability, and quality control for existing customers, leading to superior onboarding and ongoing account management
  5. Direct demand channel fulfilled: Building measurable demand by engaging in lead generation, lead qualification, and appointment setting with end-user accounts on behalf of the partner
  6. DMR enablement: Utilizing on-site, telephone, or digital sales and technical support for floor sales reps at DMRs, NSPs, and sales call centers
  7. Events & training: The creation, scheduling, and execution of large and small-scale training events, including training content design, content distribution and face-to-face training
  8. Lead qualification: The nurturing and qualification of active leads by utilizing automated email outreach, social outreach or telephone outreach
  9. Partner recruitment: Identify new partners, speed up their ramp-to-revenue trajectory, and set expectations that help build partner relationships that are robust and productive
  10. Partner sales management: The proactive outreach, business planning, and sales enablement of all channel partners, including VARs, OEMs, CSPs, MSPs, and ISVs
  11. Pass-through: Non-margin related services e.g. travel costs
  12. Virtual engineering team: High-end technical support personnel that assist field resources, partners, and inside sales teams with pre and post-sales enablement and configuration support
  13. Customer Success: Engaging partner and subprocessor relationships to enhance services and maximize results
  14. Direct management of third-party subprocessors and subcontractors: Engagement of technology platforms, licenses, subscriptions, and outsourced services to fulfil contract obligations

MarketStar may use your Personal Data to comply with applicable laws, exercise legal rights, and meet tax and other regulatory requirements. We may also use your Personal Data for internal purposes, including auditing, data analysis, system troubleshooting, and research. In these cases, we base our processing on legitimate interests in performing the activities of the organization.

SHARING OF PERSONAL DATA

We do not sell your Personal Data!

We share your Personal Data with clients, third-party service providers, subcontractors, regulatory bodies, public authorities and law enforcement in the following circumstances:

Clients. We may provide Personal Data we obtain from our third-party service providers to our clients in order to fulfill our contractual obligations as a sales and marketing service provider. For example, we may provide our clients with contact information of an organizational representative so that the representative can be presented with an opportunity to purchase a software license that would be of value to the organization. We may also provide our clients with customer lists we have purchased or licensed from our third-party service providers.

Third-Party Providers. We share Personal Data with third-party providers for their processing in performing functions on our behalf. The categories of third-party providers with whom we share Personal Data are: Sales-lead Processors, Payment Processors, Providers of Marketing Services, Web Analytics Service Providers, and Security Monitoring Service Providers. In such instances, the providers will be contractually required to protect Personal Data from additional processing (including for marketing purposes) and transfer in accordance with this Privacy Policy and applicable laws.

Affiliates. MarketStar operates as part of a group of entities and may share your Personal Data with any one of MarketStar’s affiliates, including MarketStar Holdings, LLC (U.S.); MarketStar QOZ Business, LLC (U.S.); MarketStar Regalix, LLC (U.S.); Regalix, Inc. (U.S.); Nytro.ai, Inc. (U.S.); AEBE Limited trading as MarketStar (Ireland); Out2Bound (Bulgaria); All Channel Sales Solutions, S. de R.L. de C.V. (Mexico); MarketStar Canada Corp., trading as MarketStar (Canada); Leemore Investments, S.L. (Spain); and Regalix India Pvt Ltd (India).

Partners. MarketStar engages partnered subcontractors to perform sales and marketing services for certain specialty work. These subcontractors are located outside of the US, including in Australia, Philippines, and Malaysia.

Regulatory Bodies, Public Authorities and Law Enforcement. We may access and disclose your Personal Data to regulatory bodies if we have a good-faith belief that doing so is required under regulation. This may include submitting Personal Data required by tax authorities. We may disclose your Personal Data in response to lawful requests by public authorities or law enforcement, including to meet national security or law enforcement requirements.

Other Disclosures. We may also disclose your Personal Data to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of the resource, of any individual, or of the general public; to maintain and protect the security and integrity of our services or infrastructure; to protect ourselves and our services from fraudulent, abusive, or unlawful uses; or to investigate and defend ourselves against third-party claims or allegations. Disclosures may be made to courts of law, attorneys and law enforcement or other relevant third parties in order to meet these purposes.

If we transfer Personal Data of individuals located in the European Economic Area (“EEA”), United Kingdom (“UK”), or Switzerland that we have received under the respective Data Privacy Framework to a third party, MarketStar remains liable for such Personal Data and the actions of such third party.

STORAGE OF PERSONAL DATA

Personal Data stored on behalf of our clients and for our own purposes is processed and stored at various locations including on servers located in the United States of America and the EU. In the case of transfers of data out of the EEA, UK, or Switzerland, we have committed to comply with the Data Privacy Framework and implement Standard Contractual Clauses as set forth by the European Commission and International Data Transfer Agreements as set forth by the Information Commissioner.

DATA SECURITY

MarketStar uses technical and organizational measures to protect the Personal Data that we store, transmit, or otherwise process, against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. We currently maintain certifications for the SOC 2 Type II security standard and internationally recognized ISO 27001 security standard. We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems.

RETENTION OF PERSONAL DATA

MarketStar has an internal data retention policy and retention schedule that determines the time period for which data is stored and retained across various systems. MarketStar retains the Personal Data of its clients and clients’ customers as instructed by the clients for whom MarketStar processes data. At the end of a client engagement, MarketStar performs a standard deletion within the time frame specified in the client contract or within sixty days per MarketStar policy, whichever is earliest, unless the client requests retention of Personal Data for future engagement. Where MarketStar collects Personal Data for its own purposes, it retains the Personal Data for a reasonable period of time to fulfill the processing purposes mentioned above. Personal Data is then archived for time periods required or necessitated by law or legal considerations. When archival is no longer required, Personal Data is deleted from our records. If you wish to request a deletion of your Personal Data, please directly contact the client who provided the source of data. If you want more information about how to contact a client, make an inquiry to the address provided at the end of this notice.

We retain Personal Data that we are required to retain in order to meet our regulatory obligations including tax records and transaction history. We regularly review our retention policy to ensure compliance with our obligations under data protection laws and other regulatory requirements. We regularly audit our databases and archived information to ensure that Personal Data is only stored and archived in alignment with our retention policy.

PERSONAL DATA RIGHTS

MarketStar invites anyone with questions about individual privacy rights, our Privacy Policy or privacy practices to contact us.

 

Email: privacy@marketstar.com

Online Form: Data Access Form

Phone (USA): +1 800.877.8259

Phone (EU): +353 1.588.2447

United States Postal (USA):
Attn: Privacy
MarketStar QOZ, LLC
2475 Washington Blvd.
Ogden, Utah 84401

Postal (EU):
Attn: EU Privacy Officer
AEBE Limited T/A MarketStar
Block G, 2nd Floor
Central Park, Leopardstown
Dublin 18, D18 NH10, Ireland

For marketing emails, an unsubscribe option is provided at the end of each email communication. For text messages, a STOP messaging option is provided. You may also request that we limit the use and disclosure of your personal data using the contact methods provided above.

Depending on where you reside, there may be certain rights that you can exercise regarding your Personal Data. We have listed key privacy rights below:

Residents of the European Economic Area (“EEA”)

The following rights are available to residents of the EEA:

Access: The right to obtain confirmation as to whether or not your Personal Data is being processed, and to obtain access to specific information about the processing.

Rectification: The right to obtain rectification of inaccurate Personal Data and the right to have incomplete Personal Data completed.

Erasure: The right to obtain erasure of Personal Data, subject to certain GDPR requirements.

Restriction of Processing: The right to obtain restriction of processing of Personal Data where (a) accuracy is contested and being verified, (b) processing is unlawful, (c) data is not needed for processing but is required for legal claims, or (d) following an objection to processing where legitimate grounds for processing are being verified.

Data Portability: The right to receive Personal Data and transmit it to another controller.

Object: The right to object to direct marketing; the right to object on grounds of particular situation.

Automated individual decision-making, including profiling: The right not to be subject to a decision based solely on automated decision-making, including profiling; a right to appeal.

Individuals also have the right to lodge a complaint about the processing of their Personal Data with their local data protection authority or with the Irish Data Protection Commission at:

Online Form: https://forms.dataprotection.ie/contact

Email: dpo@dataprotection.ie

Postal (EU):
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28, Ireland

Residents of California

The following rights are available to California residents:

  • Right to know what personal information is being collected
  • Right of access
  • Right to know what personal information is sold or shared and to whom
  • Right to opt out of sale or sharing of personal information
  • Right to delete personal information
  • Right to correct inaccurate personal information
  • Right to limit use and disclosure of sensitive personal information
  • Right of no retaliation following opt out or exercise of other rights


Our Commitment to the Data Privacy Frameworks

MarketStar complies with the EU-U.S. Data Privacy Framework program (“EU-U.S. DPF”), the UK extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. MarketStar has certified to the Department of Commerce that it adheres to the EU-U.S. DPF Principles, Extension to the EU-U.S. DPF Principles, and Swiss-U.S. DPF Principles, as applicable to the individual, with regard to the collection, use, and retention of Personal Data transferred from the EEA, UK (and Gibraltar), and Switzerland, to the United States in reliance on the respective Data Privacy Framework Principles. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles, Extension to the EU-U.S. DPF Principles, and/or Swiss-U.S. DPF Principles, the Principles shall apply. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.dataprivacyframework.gov/s/.

As part of its participation in Privacy Shield, MarketStar is subject to the investigatory and enforcement powers of the Federal Trade Commission. Organizations participating in the Frameworks must respond within 45 days of receiving a complaint.

In certain situations, we may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the EU-U.S. DPF Principles, MarketStar commits to resolve complaints about your privacy and our collection or use of your Personal Data transferred to the United States pursuant to EU-U.S. DPF Principles.

EU, UK, and Swiss individuals with DPF inquiries or complaints should first contact MarketStar. (See Contact Information above for details.) If you have not received a timely or satisfactory response to your question or complaint, please contact one of the independent recourse mechanisms listed below:

Non-HR Data:

International Centre for Dispute Resolution – American Arbitration Association (ICDR-AAA)

https://www.icdr.org/

 

HR Data:

EU Data Protection Authorities (“DPAs”)

http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

UK Information Commissioner’s Office

https://ico.org.uk

Swiss Federal Data Protection and Information Commissioner (“FDPIC”)

https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/task.html

Please note the independent dispute resolution bodies are designated to address complaints and provide appropriate recourse free of charge to the individual.

Under certain circumstances, individuals located in the EEA, UK, and Switzerland may invoke binding arbitration to resolve a Data Privacy Framework related dispute. In order to invoke arbitration, you must take the following steps prior to initiating an arbitration claim: (1) raise your complaint directly with MarketStar and provide us the opportunity to resolve the issue; (2) make use of the independent recourse mechanism listed above; and (3) raise the issue through your relevant Data Protection Authority to the U.S. Department of Commerce and afford the U.S. Department of Commerce an opportunity to use best efforts to resolve the issue at no cost to you. For more information on arbitration procedures, see the Data Privacy Framework site reference at: https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2 .

AMENDMENTS

We may modify this Privacy Policy from time to time, with the current version indicated by the effective date at the top of this document. The current version of the Privacy Policy will govern our use of your Personal Data and will always be published at https://www.marketstar.com/legal#privacy-policy. Please note we publish a separate Cookie Policy and Recruitment Privacy Notice online and provide our staff with an Employee Privacy Notice.

 

 

RECRUITMENT PRIVACY POLICY

Last update: September 8, 2023

Who We Are

MarketStar is the operator of outsourced sales and marketing services and other specialty advisory services. MarketStar deploys sales and marketing teams to work on client programs to drive market revenue, grow accounts, and expand their customer base. MarketStar services include sales, account management, lead generation, lead qualification, customer acquisition, partner recruitment, direct market reseller enablement, data services, advanced & predictive analytics, event management, and training.

MarketStar has an extensive history of providing exceptional service for key clients who are global leading brands. Account services and Client support services are performed by Company staff in office locations, including in the United States and Ireland, where staff access data in authorized technology platforms to perform tasks relevant to their job roles.

This Privacy Notice applies to all personal data of job applicants processed by MarketStar or in connection with the Careers section on MarketStar’s website at https://www.marketstar.com/careers.

Recruitment is conducted by the following MarketStar entities: MarketStar QOZ Business, LLC (U.S.), MarketStar Regalix, LLC (U.S.), Regalix Inc. (U.S.), Nytro.ai, Inc. (U.S.), AEBE Limited, a company limited by shares with company number 467373, trading as MarketStar (Ireland), Leemore Investments S.L. with ID N0175491J (Spain), Out2Bound EOOD (Bulgaria), Regalix India Pvt Ltd (India), MarketStar Canada Corp. (Canada), and All Channel Sales Solutions, S. de R.L. de C.V. (Mexico) (“MarketStar”, “we”, “us”, and “our”).

 

About the Careers Section of the MarketStar Website

You can apply for an open position within MarketStar through our online recruitment system on the Careers section of our website. You may apply for specific vacancies posted by submitting your application online. We also invite you to sign up for an account so we can reach out with job alerts.

 

Our goal at MarketStar is to find the brightest and best to join our teams. Our teams are made up of employees who value an opportunity to earn, learn, grow and be challenged, as they work together to provide exceptional service to our clients. To achieve these goals, MarketStar collects and processes personal data about its applicants.

 

What is Personal Data

“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Under specific laws, Personal Data may include any information relating to a household.

Personal Data We Collect

We collect personal data for recruitment purposes through our online application process either directly or by communicating through email, telephone, social media platforms, or other digital media. The categories of personal data collected are:

  • Contact information, work status, resume, education, work experience, professional certifications and licenses, skills, attributes, job-related qualifications, references, social media account, availability for work, preference for job location, proximity to workplace, salary preference, application survey responses, interview responses and notes, other information pertinent to a job application.

 

We invite you to upload your resume and other relevant documents and ask you to provide us information about your work experience and education, as well as other information that you want us to view as part of your application. We ask that you provide contact information (including your email, phone number, and the city, state and country in which you are located). We invite you to provide us a mobile phone number so that we may send you text alerts related to available job positions.

Please note that we rely upon our legitimate business interests or your consent for processing your personal data and may also rely upon the necessity of contract in the event you are hired. Depending on the country where the job position is located, we may also rely upon complying with regulatory requirements as the legal basis for processing your personal data. If we obtain your consent, this will be the legal basis upon which we process your personal data; please note you may withdraw your consent at any time by contacting us; the withdrawal of your consent does not affect the lawfulness of processing based on consent before withdrawal. Our contact details are provided at the end of this Privacy Notice.

If you choose not to provide us with certain personal data as requested, we may not be able to consider you for the job position, either because we are unable to assess your suitability or qualifications for the job role or because we are unable to meet our statutory obligations as a result of the lack of information provided. If you have any questions in this regard, please contact us.

Cookies And Similar Tracking Technologies

We (and the third-party service providers working on our behalf) use various technologies to collect personal data. This may include saving cookies to your device. For information on what cookies are, which ones we use, why we use them, and how you can manage their use, please see our Cookie Policy.

Purposes for Processing Personal Data

We process personal data for recruitment purposes, including information that helps us manage applications and determine how you meet our organizational and job role selection criteria.  We also communicate with you about your application including requests for additional information, interviews, and notifications regarding the process.  For some job roles, you may be required to provide personal data for purposes of completing a background check. We also process personal data as we, in our sole discretion, otherwise determine to be necessary to comply with applicable law.

We process your personal data as described above according to one or more of the following lawful bases, depending on each specific context and the types of personal information concerned:

  • Processing in our legitimate interests (not superseded by your rights) of operating a business, including recruiting talent to fill vacant positions.
  • Consent for collection such as background checks, visitor photos at office check-in.
  • Necessity of contract in the event you enter employment.
  • Processing as necessary to comply with legal obligations.  For example, in the event you are hired, we process as necessary to establish and fulfill a contract of employment with you.

Most of the information collected is provided by you as part of your application. We may verify information provided such as your educational qualifications or references. We also collect information through your social media accounts, if provided as part of your application.

How Your Personal Data is Shared

We share your personal data with the following types of recipients:

  • Affiliates. MarketStar operates as part of a group of entities and may share your personal data with any one of MarketStar’s affiliates, listed as entities under the “Who We Are” section above. MarketStar and its affiliates have entered a Data Sharing Agreement with transfer requirements for the EEA, UK, and Switzerland.
  • Third-party service providers. We may use a third-party service provider to host our online recruitment process. We will take steps to ensure that your data privacy rights are protected. In addition, we use third-party service providers for services like cloud hosting, analytics or other technical tools. Where your personal data is transferred outside of the EEA, UK, and Switzerland, we ensure that adequate protections are in place, such as implementing Standard Contractual Clauses or using third party service providers who are certified with the Data Privacy Framework. These service providers only process your data as directed by us. We do not sell your personal information to third parties.
  • Clients. MarketStar may share your personal data with clients or potential clients in its discretion including for any of the following reasons: to assess suitability for placement on client programs, provide data needed to access client sites, systems, and technology platforms, partner with clients on performance criteria, meet contractual obligations, and demonstrate legal compliance.
  • Other. Law enforcement or regulatory authorities, government agencies, courts of law or other third parties

Storage of Your Personal Data

All personal data sent or collected via or by MarketStar may be stored anywhere in the world, including the United States, in the cloud, our servers, the servers of our affiliates or the servers of our service providers. Your personal data may be accessible to law enforcement or other authorities pursuant to a lawful request. 

In the case of transfers of data out of the EEA, UK, or Switzerland, we implement Standard Contractual Clauses as set forth by the European Commission and International Data Transfer Agreements as set forth by the Information Commissioner. 

 

Data Security

MarketStar uses technical and organizational measures to protect the personal data that we store, transmit, or otherwise process against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.  We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems. MarketStar has achieved ISO27001 and SOC2 Type II certification for its key operational entities, MarketStar QOZ Business, LLC, AEBE Limited, Regalix Inc., and Regalix India Pvt Ltd., adhering to these industry security standards as part of its security posture. This process requires comprehensive security measures to be implemented and maintained, with regular periodic audits conducted by third-party auditors. In addition, MarketStar conducts regular security reviews and has assigned security functions to key personnel responsible for maintaining compliance and recommending ongoing security improvements that use internal processes and technology to maintain a robust security posture. Employee training is a part of these internal processes. 

The practical reality is, however, no data transmissions over the Internet can be guaranteed to be 100% secure. Therefore, we cannot ensure or warrant the security of any information you transmit to us and you understand that any information that you transfer to us is done at your own risk.

 

Data Retention

We retain your personal data for a reasonable time period to fulfill the processing purposes outlined above. For example, your personal data is retained directly by MarketStar for up to one year after the application and selection process is finalized for each position posted.  In the event you are not selected, MarketStar deletes or destroys your personal data, unless we determine it necessary to retain for longer periods to fulfill our legitimate interests such as resolving disputes. For applicants to U.S. job openings, applications may be retained for up to one year in a candidacy pool for future job opportunities due to the ongoing recruitment needs of MarketStar. In the event MarketStar uses a third-party service provider to host its online recruitment process, the information submitted may be retained by the third-party service provider. The Privacy Policy of the third-party service provider may apply to your personal data. You may read their Privacy Policy by clicking on links available on the job posting web pages and electronic forms. If you are successful in your job application and enter an employment agreement, your personal data is retained further and becomes part of your employment file and MarketStar employee profile.

Your Rights

Depending on your residency, you may have certain rights that you may exercise in relation to your personal data, subject to applicable lawful exemptions. For text alerts sent to you, we offer you the option to stop the alerts at any time. You may also contact us with your personal data inquiries or for assistance in modifying or updating your personal data and to exercise your rights. Our contact details are provided at the end of this Privacy Notice.

Where the EU General Data Protection Regulation (“GDPR”) applies, your rights consist of:

  1. The right to be informed;
  2. The right of access;
  3. The right to rectification;
  4. The right to erasure;
  5. The right to restrict processing;
  6. The right to data portability;
  7. The right to object; and
  8. The rights in relation to automated decision making and profiling.

You may also have a right to lodge a complaint with a supervisory authority or other regulatory agency if you believe that we have violated any of the rights concerning personal data about you. The local data protection authority in Ireland is the Data Protection Commission, with its website at https://www.dataprotection.ie/. We encourage you to first reach out to us, so we have an opportunity to address your concerns directly before you do so. Our contact details are provided at the end of this Privacy Notice.  

Effective Date and Amendments

This document is effective as of the date indicated at the top of this Recruitment Privacy Notice under “Last updated”. This document may be amended from time to time.

Contact Information

Inquiries may be made through any of the following means:

Email: privacy@marketstar.com

Online Form: Data Access Form

Phone (USA): +1 800.877.8259

Phone (EU): +353 1.588.2447

United States Postal (USA):
Attn: Privacy
MarketStar QOZ, LLC
2475 Washington Blvd.
Ogden, Utah
84401

Postal (EU):
Attn: EU Privacy Officer
AEBE Limited T/A MarketStar
Block G, 2nd Floor
Central Park, Leopardstown
Dublin 18, D18 NH10, Ireland

 

 

MARKETSTAR COOKIE POLICY

Effective date and last update: September 8, 2023

Our Cookie Policy outlines the general policy, practices, and types of cookies that MarketStar may use to operate and improve our services and your experience when visiting our website or using our proprietary technology applications or other services. Please refer to our Privacy Policy for additional information and definitions regarding our privacy practices.

By using our Website, you consent to our use of cookies in accordance with this Cookie Policy. If you do not agree to the use of cookies as described in this policy, you should adjust your browser settings accordingly or refrain from using our Website.

WHAT ARE COOKIES AND WHY DO WE USE THEM

Cookies are small pieces of data set by a website or web-based application through your browser and stored on your electronic device. Cookies are used by many websites and web-based applications to remember information about you, such as your language setting, login information, or session information, or to analyze website usage and improve the overall user experience. We use cookies and other similar technologies (collectively “cookies”) to provide a better experience for you and to generally improve our websites at https://www.marketstar.com/, https://www.regalix.com/, https://www.nytro.ai/, and our proprietary analytics platform Partner Dynamics and related sales and marketing services (collectively “Services”).

For our websites, we use cookies to operate our websites, improve your experience on our sites, analyze site usage, and provide social media features. We also use advertising and targeting cookies for MarketStar marketing purposes only and do not sell your personal information. Where relevant, and especially for our proprietary platform, we use necessary, functional, and analytics cookies to store and retrieve login information, session information, operate the technology platform effectively, and obtain aggregate data for analysis to improve our technology services.  

ENABLING/DISABLING COOKIES

When you visit a MarketStar website, we provide notice to you about our cookie use and give you the option to decline to use our services. Some portions of our Services are functional without cookies, and you may generally choose whether to accept cookies. Most browsers are set to accept cookies by default; however, you may be able to delete cookies yourself through your browser’s cookie manager. To do so, please follow the instructions provided by your web browser. Please note that disabling cookies will reset your session, disable auto-login, and may affect the functionality of our website, applications, services, and other resources and connections to social media we provide to you.

For more information about managing cookies and how to stop cookies being installed visit http://www.allaboutcookies.org/manage-cookies/.

THIRD PARTY PLATFORMS

We may use third party platforms as part of our services to clients or for our own operational purposes, such as PowerBI. We encourage you to read the cookie policy of each third party to understand their data processing practices. We are not responsible for the practices of third party platform providers.

TYPES OF COOKIES

Necessary Cookies Category 

Label: Essential Cookies 

Description: These cookies are strictly necessary to provide you with services available through our website and technology function and are not switched off even when a user selects “Decline” in a cookie banner. They are usually only set in response to actions made by the user such as recording your cookie consent, logging in, or filling in forms, and are therefore essential to the services provided. 

  

Analytics Cookies Category 

Label: Analytics and Customization Cookies 

Description: Analytics cookies collect information about website use in an anonymous way that is used either in aggregate form to help us understand how our websites are being used or the effectiveness of our marketing campaigns. Examples include counting site visits and clicks. MarketStar uses Google Analytics to track anonymized usage statistics for the site. This data is used to analyze how frequently people visit the site, how the website is found, and which pages are most frequently viewed. These cookies do not collect information that identifies a website user. This information is combined with data from thousands of other users to create an overall view of website data use and is never identified individually or personally. These cookies are only used to identify ways to improve the website. The analytics cookies we use are: Google Analytics – Web traffic tracking. Customization cookies help us customize our websites for you. We provide specific default settings and information to you as a user such as language based upon your browser settings. 

  

Functional Cookies Category 

Label: Performance and Functionality Cookies 

Description: These cookies enable enhanced functionality and personalization for the website or application and may be needed to function properly but are not strictly necessary and are therefore included as a user option. Examples include cookies to determine whether you have logged in before and to determine if you have dismissed a notification banner. We also use cookies to provide customized services. You may disable any of these functional cookies as described above; but if you do, various functions of the Services may be unavailable to you or may not work as intended. You will also notice we have social media links on our site. There are social networking cookies that enable you to share pages and content you find interesting on our websites through third party social networking and other websites. We classify these cookies as functional cookies. Social media sites may also use cookies independently for advertising purposes. MarketStar currently provides links to LinkedIn, Facebook, Instagram, Twitter, and YouTube. 

   

Advertisement Cookies Category 

Label: Advertising Cookies 

Description: These cookies are based upon uniquely identifying the browser and internet device rather than relying upon directly personal information. Cookies are placed by third-party advertising platforms or networks to collect information about website visits and actions for delivery of targeted ads and to track ad performance, such as ensuring ads are properly displayed. They also perform functions like preventing the same ad from continuously reappearing and possibly selecting ads that are based on your interests. The collection of information is often through cross-context behavioral tracking. These cookies can be set by the site owner or advertising partner to build a profile of interests and show relevant ads on other sites. MarketStar uses advertising cookies only for our own ads. We do not allow advertisers to use data to build a profile. We do not sell your personal information. Social media sites may also use cookies independently for advertising purposes. MarketStar currently provides links to LinkedIn, Facebook, Instagram, Twitter, and YouTube. You will need to manage the cookie settings within each social media platform if you use these links and want to restrict advertising cookies. 

EFFECTIVE DATE AND AMENDMENTS

We may modify this Cookies Policy from time to time, with the current version indicated by the effective date at the top of this document.

CONTACT INFORMATION

Inquiries may be made through any of the following means:

Email: privacy@marketstar.com

Online Form: Data Access Form

Phone (USA): +1 800.877.8259

Phone (EU): +353 1.588.2447

United States Postal (USA):
Attn: Privacy
MarketStar QOZ, LLC
2475 Washington Blvd.
Ogden, Utah
84401

Postal (EU):
Attn: EU Privacy Officer
AEBE Limited T/A MarketStar
Block G, 2nd Floor
Central Park, Leopardstown
Dublin 18, D18 NH10, Ireland

 

 

TERMS AND CONDITIONS OF USE

Last update: January 3, 2022

PLEASE READ THE FOLLOWING TERMS AND CONDITIONS CAREFULLY. BY ACCESSING THIS WEB SITE AND ANY PAGES THEREOF, YOU AGREE TO BE BOUND BY THESE TERMS AND CONDITIONS. THE TERMS AND CONDITIONS MAY BE CHANGED AT ANY TIME WITHOUT NOTICE TO YOU.

FURTHERMORE, BY USING THIS WEB SITE, YOU REPRESENT (I) YOU HAVE THE CAPACITY TO BE BOUND BY THESE TERMS AND CONDITIONS AND (II) IF YOU ARE ACTING ON BEHALF OF A COMPANY OR OTHER ENTITY, YOU HAVE THE AUTHORITY TO BIND SUCH COMPANY OR ENTITY. IF YOU DO NOT AGREE, YOU SHOULD NOT USE OR ACCESS THIS WEB SITE OR ANY PORTION THEREOF.

Privacy

To operate all aspects of this Web Site, we need information about you; we only use your information where we have a legal basis to do so. Please refer to our Privacy Policy at https://www.marketstar.com legal to help you understand what information we collect, how we use it and what choices you have when you use our Web Site and other services. Our Privacy Policy is incorporated into this Terms and Conditions of Use by reference.

Restrictions On Use

This Web Site and its entire contents including, but not limited to, the text, information, material, software, layout, graphics, logos, marketing material and any white papers (collectively, the "Materials") are owned by MARKETSTAR ("MARKETSTAR"). The Materials are protected by copyright, trademark and other intellectual property laws and treaties. The Materials may not be copied, reproduced, displayed, distributed, published, licensed, modified, uploaded, downloaded, posted, reused, sold, transmitted, used to create a derivative work, or otherwise used for public or commercial purposes, without the prior written consent of MARKETSTAR. You may download one (1) copy of the Materials on a single computer for your personal, non-commercial, internal use. You may not (i) modify the Materials or use them for any commercial purpose, or any other public display, performance, sale, or rental, (ii) decompile, reverse engineer, or disassemble software materials, (iii) delete or change any copyright, trademark, or other proprietary notices from the Materials, or (iv) transfer the Materials to another person. Modification or use of the materials for any other purposes violates MARKETSTAR's intellectual property rights. The material in this Web Site is provided for lawful purposes only. Possible evidence of use of this Web Site for illegal purposes will be provided to law enforcement authorities. Prior written consent must be obtained for any commercial use of data provided on this Web Site. Please forward any requests in writing to MARKETSTAR QOZ Business LLC, 2475 Washington Blvd., Ogden, Utah 84401. MARKETSTAR reserves the right to revoke such authorization at any time, and any such use shall be discontinued immediately upon notice from MARKETSTAR.

Downloading Software

If you download software from the Web Site, the software and its content is licensed to you by MARKETSTAR for your personal use only. Neither title nor intellectual property rights are transferred to you, but remain with MARKETSTAR, who owns full and complete title. You are not authorized to distribute, sell, modify, decompile, reverse engineer, disassemble, or otherwise convert the software in any way, or use it for any commercial purposes. You may not make copies. MARKETSTAR does not accept responsibility for any technical difficulty users may have as a result of accessing this Web Site. MARKETSTAR does not accept responsibility for the function or malfunction of any software downloaded from this Web Site.

Restriction On Liability

MARKETSTAR will not be liable for any damages or injury caused by, including but not limited to, any failure of performance, error, omission, interruption, defect, delay in operation of transmission, computer virus, or line failure. MARKETSTAR will not be liable for any damages or injury, including but not limited to, special or consequential damages that result from the use of, or the inability to use, the materials in this Web Site or a web site which is linked to this Web Site, even if there is negligence or MARKETSTAR or an authorized MARKETSTAR representative has been advised of the possibility of such damages, or both. The above limitation or exclusion may not apply to you to the extent that applicable law may not allow the limitation or exclusion of liability for incidental or consequential damages. MARKETSTAR maintains this Web Site to provide you with information about MARKETSTAR, its products and services, and to provide an avenue of communication between you and MARKETSTAR. This Web Site provides information. While MARKETSTAR believes such information to be reliable, we make no claims or representations about the accuracy, reliability, timeliness, usefulness or completeness of such information.

Disclaimer

The material in this Web Site could include technical inaccuracies or typographical errors. By using this Web Site, you assume all responsibility and risk for the use of this Web Site and the Internet generally. THE MATERIALS IN THIS WEB SITE ARE PROVIDED "AS IS" AND WITHOUT WARRANTIES OF ANY KIND EITHER EXPRESSED OR IMPLIED, TO THE FULLEST EXTENT PERMISSIBLE PURSUANT TO APPLICABLE LAW. MARKETSTAR DISCLAIMS ALL WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. MARKETSTAR DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE MATERIAL WILL BE UNINTERRUPTED OR ERROR-FREE, THAT DEFECTS WILL BE CORRECTED, OR THAT THIS WEB SITE OR THE SERVER THAT MAKES IT AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. MARKETSTAR DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE USE OF OR THE RESULT OF THE USE OF THE MATERIAL IN THIS WEB SITE IN TERMS OF THEIR CORRECTNESS, ACCURACY, RELIABILITY, OR OTHERWISE. THE ABOVE EXCLUSION MAY NOT APPLY TO YOU, TO THE EXTENT THAT APPLICABLE LAW MAY NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES.

Submissions

All remarks, suggestions, ideas, graphics, or other information communicated to MARKETSTAR through this Web Site (together, the "Submission") will forever be the property of MARKETSTAR. MARKETSTAR will not compensate you for any use associated with your submission. MARKETSTAR will not be required to treat any Submission as confidential, and will not be liable for any ideas for its business (including without limitation, product or advertising ideas) and will not incur any liability as a result of any similarities that may appear in future MARKETSTAR operations. Without limitation, MARKETSTAR will have exclusive ownership of all present and future existing rights to the Submission of every kind and nature everywhere. Except as noted below in this paragraph, MARKETSTAR will be entitled to use the Submission for any commercial or other purpose whatsoever, without compensation to you or any other person sending the Submission. Personally identifiable information that may be received at this Web Site is provided voluntarily by a visitor to this Web Site. This information is for internal purposes only and is not sold or otherwise transferred to third parties or to entities who are not involved in the operation of this Web Site. You acknowledge that you are responsible for whatever material you submit, and you, not MARKETSTAR, have full responsibility for the message, including its legality, reliability, appropriateness, originality, and copyright.

Links

This Web Site may be linked to other web sites which are not maintained by MARKETSTAR. MARKETSTAR has not reviewed all of the web sites linked to this Web Site. MARKETSTAR is not responsible for the content of those web sites. MARKETSTAR makes no representations whatsoever about any other web sites which you may access through this one. Your linking to any other web site is at your own risk. MARKETSTAR disclaims any endorsement, sponsorship or affiliation between MARKETSTAR and other web sites unless that web site operator has our consent to place the link.

Termination

MARKETSTAR or you may terminate this agreement at any time. You may terminate this agreement by destroying: (a) all materials obtained from the Web Site, and (b) all related documentation and all copies, printouts, and installations. MARKETSTAR may terminate this agreement immediately without notice if, in its sole judgment, you breach any term or condition of this agreement. Upon termination, you must destroy all materials.

Miscellaneous

These Terms and Conditions will be governed and will be interpreted pursuant to the laws of the State of Utah, United States of America, notwithstanding any principles of conflicts of law. If any part of these Terms and Conditions is unlawful, void, or unenforceable, that part will be deemed severable and will not affect the validity and enforceability of any remaining provisions. MARKETSTAR may change, update, discontinue, or restrict or prevent access to this Web Site or the Materials at any time without notice. MARKETSTAR may discontinue or make changes in the products or services described on the Web Site at any time. MARKETSTAR reserves the right to terminate any and all Web Site offerings without prior notice. All users may not be eligible for all the products or services offered by MARKETSTAR, and the right to determine the eligibility of users for products and services remains with MARKETSTAR. In offering information, products or services via this Web Site, MARKETSTAR is making no solicitation to any person to use such information, products or services in jurisdictions where their provision is prohibited by law.

Trademark Information

The MARKETSTAR marks are federally protected marks of MARKETSTAR. All other trademarks displayed on this Web Site or through links to other web sites are the property of the respective trademark owners. All rights not expressly granted herein are reserved.

Copyright Notice

Copyright ©MarketStar QOZ Business LLC, 2475 Washington Boulevard, Ogden, Utah 84401. All rights reserved.

Contact Us

Should you have any questions regarding our Web Site, please e-mail us at info@marketstar.com.

 

 

DATA PROCESSING ADDENDUM

Last update: September 1, 2023

This Data Processing Addendum (“DPA”) forms part of that certain Master Services Agreement effective as of September 1, 2023, (“MSA”), and applicable statement(s) of work (“SOW” and together the “Agreement”), entered between MarketStar QOZ Business, LLC, together with its Affiliates, (“Company”), and the client, together with its Affiliates, (“Client”), for the provision of certain services defined in the Agreement that requires Company to Process certain Personal Data on behalf of Client. This DPA shall be effective on the date both parties entered the Agreement. Company and Client are also referred to herein individually as “party” and collectively as “parties”.

  1. Definitions. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly; terms not defined in this DPA shall have the meanings defined in the Agreement: 

“Affiliate” means any legal entity that owns, is owned by, or is commonly owned with a party. “Own” means having more than 50% ownership or the right to direct the management of the entity;

“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

“Data Protection Law” means all data protection laws applicable to Personal Data Processing including the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., (“CCPA”), EU General Data Protection Regulation (EU) 2016/679 (“GDPR”), UK General Data Protection Regulations (UK GDPR), the UK Data Protection Act 2018 (“DPA 2018”), and the respective implementing regulations for each of the laws and regulations;

“Data Subject” means the identified or identifiable person to whom the Personal Data relates;

“Client Data” means any information provided by Client or collected from or on behalf of Client by Company pursuant to the Agreement;

“Personal Data” means any information relating to an identified or identifiable natural person;

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed;

“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Processor” means the entity which Processes Personal Data on behalf of the Controller;

“Services” means all subscription services, professional services, and related support provided pursuant to the Agreement.

  2. DATA PROTECTION AND USE

2.1 Data Protection Commitment.  Company and Client each undertake to Process the Personal Data pursuant to all applicable requirements under the applicable Data Protection Law, including adherence to security measures required pursuant to Article 32 of the GDPR. 

2.2 Data Processing Role.  The Parties hereby acknowledge that for the purposes of this Agreement, Company is the data Processor and Client is the data Controller, unless the data Processing is being carried out on behalf of Client’s business Clients or business partners, whereby the respective business Client or business partner is the data Controller.  Client shall ensure that it has obtained the prior specific or general written authorization of its business Clients or business partners to engage Company to Process the Personal Data. Client shall be responsible for the accuracy, quality, and legality of Personal Data and the means of data acquisition.   

2.3 Processing Per Instructions.  Company agrees to Process the Personal Data only as instructed by Client for the purposes set forth in Exhibit A, which sets out the subject-matter, nature and purpose of Processing undertaken by Company, as well as the duration of Processing and the types of Personal Data and categories of Data Subjects Processed. Company shall not Process the Personal Data other than on Client’s documented instructions unless Processing is required by applicable laws to which Company or their contracted Processor is subject, in which case Company shall to the extent permitted by applicable laws inform Client of that legal requirement before the relevant Processing of that Personal Data. In the event Company cannot Process Personal Data in accordance with this DPA, Company shall notify the other Party, in which case both parties shall determine whether Processing can continue with an appropriate level of protection, or whether Processing shall cease in no more than ten (10) days. If it is determined that Processing shall cease, Personal Data shall no longer be Processed, and all Personal Data previously Processed, and copies thereof shall either be returned or completely destroyed. In determining whether Personal Data can be Processed in accordance with this DPA, Company shall take into account the national laws of the country in which the Personal Data is Processed, the impact on the rights of individuals in regard to their Personal Data, and any government access to that Personal Data and whereby specific notice of the access and Processing by that government authority cannot be disclosed.

2.4 Restrictions in Processing. Company shall only Process the Personal Data as instructed by Client to fulfil its Services as set forth in the Agreement, requested through use of the Services, or applicable written instructions. Personal Data shall only be further Processed for the purpose of anonymizing for use by Company in improving its Services, aggregate analytics, and research and statistical purposes that are unrelated to an identified individual.

2.5 Confidentiality.  Company shall require its employees and contractors authorized to Process the Personal Data to be subject to confidentiality undertakings in relation to the Personal Data.

2.6 Security.  Company shall maintain appropriate technical and organizational measures for protection of the security, confidentiality, and integrity of Client Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed. Company will not materially decrease the overall security of the Services during a subscription term. Specific security measures are detailed in Exhibit B.

2.7 Subprocessors.  Client authorizes Company to engage third-party service providers (“Subprocessors”) to Process the Personal Data of Client Representatives, Business Representatives, and Users, to facilitate its Services for all administrative and other business-related activities and shall provide the details of all Subprocessors upon request. Company shall inform Client in writing, including electronically, at least 30 days in advance of any intended changes that will result in the addition or replacement of a Subprocessor that Processes Client Data under the Agreement thereby giving Client the opportunity to object to such changes on reasonable grounds prior to the engagement of the concerned Subprocessor(s). In such case Parties will cooperate in good faith to find a mutually acceptable resolution to address such objection. Company agrees to carry out due diligence to confirm its Subprocessors are capable of providing the level of protection required under applicable Data Protection Law, including implementing appropriate technical and organizational measures for Processing the Personal Data and providing protection for the rights of Data Subjects. If the Subprocessor does not fulfil its data protection obligations under applicable Data Protection Law that relate to its role in Processing Client Data as a Subprocessor, Company shall remain fully liable to Client as regards the fulfilment of the obligations of the Subprocessor as they relate to Services under this Agreement.   

2.8 Data Transfer to Third Countries or International Organizations.  Client authorizes Company to transfer the Personal Data to a third country or an international organization to Process the Personal Data to facilitate its Services on condition that Company ensures adequate protections are in place as required under applicable Data Protection Law for such transfer. Where Processing involves transferring of Personal Data from the European Economic Area or the United Kingdom to a third country or international organization, including to the United States, the applicable Standard Contractual Clauses in Exhibit D or Exhibit E shall apply.

2.9 Rights of Data Subjects.  Company agrees to assist Client to meet its obligations under applicable Data Protection Law for responding to a Data Subject’s exercise of rights.  Company shall promptly notify Client if it receives a request from a Data Subject for whom Company Processes Personal Data under this Agreement in respect of the exercise of the rights of such Data Subject and shall ensure that it does not respond to that request except on Client’s documented instructions, or as required by applicable Data Protection Law, in which case Company shall to the extent permitted by law inform Client of that legal requirement before responding to the request.  

2.10 Data Breach and Other Compliance Obligations. Company shall inform Client without undue delay and in any event not later than forty-eight (48) hours after becoming aware of a Personal Data Breach. Company shall make reasonable efforts to identify the cause of the Personal Data Breach and shall take those steps Client deems necessary and reasonable to remediate the cause of such Personal Data breach to the extent the remediation is within Company’s reasonable control. The obligations herein shall not apply to Personal Data Breach caused by Client or Client’s users. Company agrees to provide information to assist Client in meeting its requirements for notification to applicable regulatory bodies and Data Subjects, as required under applicable Data Protection Law. 

2.11 Reasonable Assistance.  Company shall provide reasonable assistance to Client to comply with its obligations under applicable Data Protection Law, including data protection impact assessments and prior consultation with the applicable supervisory authority. Company shall also provide reasonable assistance in providing information to enable Client to fulfil its obligations and demonstrate its compliance with applicable Data Protection Law and allow for and contribute to audits and inspections, and a right to assistance in the event an audit is required by an applicable supervisory authority.

2.12 Retention of Data.  The Personal Data shall be retained by Company for a reasonable time in accordance with its provision of Services.  Upon request, Company shall provide specific information on how its retention policy applies to the Personal Data Processed on behalf of Client.  Upon termination of Company’s Services under this Agreement by either party, and upon request of Client within thirty days of notice of termination, Company shall at the choice of Client, delete or return all or any portion of any Personal Data in its possession or control, and delete existing copies, with deletion occurring as part of Company’s standard deletion cycle.  The Personal Data will only be further retained as allowed under applicable Data Protection Law or required under regulatory provisions mandating record retention.

  3. LIMITED LIABILITY

3.1 Limitation of Liability. Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to limitation of liability set out under the MSA, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the MSA and all DPAs together.   

  4. GENERAL

4.1 Precedence. The provisions of this DPA are supplemental to the provisions of the MSA or any applicable SOW or other written or electronic agreement that forms part of the Agreement. In the event of inconsistencies between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail with respect to the subject matter of this DPA. Where and to the extent that Standard Contractual Clauses in Exhibit D or Exhibit E apply, if there is any conflict between this DPA and Standard Contractual Clauses, Standard Contractual Clauses will prevail.

4.2 Severability. The parties agree that, if any section or sub-section of this DPA is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this DPA.

4.3 Duration. The DPA shall apply for the duration of the provision of Services under the MSA or any applicable SOW. For the duration of the provision of Services under the MSA or any applicable SOW, this DPA cannot be terminated unless the parties have executed an agreement governing the Processing of Personal Data in connection with the provision of Services.

4.6 Governing Law. Except as otherwise provided herein, the parties agree the governing law for this DPA will be the same as that applied to the MSA.

 

EXHIBIT A

SCOPE OF PROCESSING

This Exhibit A details the scope of Personal Data Processing under this Agreement.

Duration of the Processing. Company will Process the Personal Data for the duration of the Agreement, unless otherwise instructed by Client in writing.   

Subject-Matter of the Processing. The subject matter of the Processing is the fulfilment of the Services under the Agreement, sales and marketing services, data analytics and reporting through Company technology platform, technological support services, and related administrative, sales and marketing activities relevant to the business relationship.

Nature and Purpose of the Processing. The nature and purpose of the Processing is to fulfill the Agreement and perform services on behalf of Client to perform sales and marketing services, promote Client products and programs, analyze market data, and provide valuable reporting data for business use to improve sales techniques and performance and drive market growth.

Categories of Data Subjects. Categories listed include current, past and prospective Data Subjects.

  • Client Representatives
  • Client Leads
  • Client Customers
  • Users
  • Business Representatives

Categories of Data

  • Contact information e.g. name, email, social media information

  • Business contact information e.g. name, job title, work email, work phone

  • Business profile information e.g. technology history, product history

  • Business administration information e.g. contracts, data analysis

  • Technical information e.g. navigation, device ID, IP address, browser type

  • Survey responses e.g. Client feedback, experience ratings, and related information

  • Other information specific to the products and programs for sales and marketing

Special Categories of Data. The parties do not anticipate sharing Personal Data that concern special categories of data: information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the Processing of data concerning health or sex life or any other similar categories under applicable data protection laws and regulations.  

Processing Operations. The Personal Data will be subject to the basic Processing activities listed:

  • Receiving data, including collection, accessing, retrieval, recording, and data entry
  • Holding data, including storage, organization and structuring
  • Using data, including analyzing, consultation, testing, automated decision making and profiling
  • Updating data, including correcting, adaptation, alteration, alignment and combination
  • Protecting data, including restricting, encrypting, and security testing
  • Sharing data, including disclosure, dissemination, allowing access or making available
  • Returning data to the data exporter or Data Subject
  • Erasing data, including destruction and deletion
  • Anonymizing or de-identifying data for aggregate use

EXHIBIT B

DATA SECURITY REQUIREMENTS

This Exhibit B details the technical and organizational security measures implemented by Company that shall apply to this Agreement.

Data importer shall implement appropriate technical and organizational measures to ensure a level of security appropriate to risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed. 

MarketStar shall maintain the following technical and organizational measures to protect data, including Personal Data for the duration of this Agreement:

  • Web and database servers are protected using up-to-date firewalls;

  • Intrusion Detection Systems and Intrusion Protection Systems are in place at our premises and hosted data centers.

  • Antivirus is deployed on all endpoints and servers

  • Email protection is in place to help mitigate the threat of phishing and spam.

  • Passwords used for account registration require minimum password strength attributes;

  • User access is tracked and reviewed multiple times per year;

  • Role-based security is applied to system access following least privilege principles;

  • Multifactor authentication is employed where possible.

  • Use of data encryption is employed both in transit and at rest;

  • Use encryption technology where customer data traverses public networks;

  • Vulnerability scans are run regularly, and appropriate patches are deployed according to our policy.

  • Vendor-supplied patches are reviewed and tested for compatibility before installation;

  • Regular system backups are made;

  • Regular maintenance is performed on systems;

  • Systems are monitored for security;  

  • Physical Access policies are in place for all employees

  • Client data is physically and logically segregated.

  • Incident detection and response teams are in place.

  • A formal Business Continuity plan and DR plan is in place.

  • Security assessments are performed on all third-party vendors;

  • All employees are contractually obligated to maintain the confidentiality of Personal Data accessible through their employment;

  • All employees are required to attend regular security and awareness training; and

  • Internal documented procedures and controls to enable security including SOC 2 Type II and ISO 27001 controls, finance procedures and controls related to delegation of control and other procedures, legal contract negotiation and obligation tracking, client service management, and employee policies and training.

EXHIBIT D
EUROPEAN UNION: STANDARD CONTRACTUAL CLAUSES
(the “EU Standard Contractual Clauses”)

Incorporation and References

The provisions of the EU Standard Contractual Clauses pursuant to European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en and as amended or replaced from time to time shall be incorporated into this DPA by reference and shall apply to Personal Data of residents of the European Economic Area (“EEA”) as referenced in this Section 1:

  1. On the basis of the Standard Contractual Clauses pursuant to European Commission accessible at https://www.marketstar.com/legal

  2. List of parties required under Annex I set out in Section 2 of Exhibit D;
  3. Description of transfer required under Annex I set out in Exhibit A;
  4. Operative clauses to the EU Standard Contractual Clauses detailed in Section 3 of Exhibit D;
  5. Competent supervisory authority required under Annex I set out in Section 4 of Exhibit D;
  6. Technical and organizational measures required under Annex II set out in Exhibit B; and

  7. List of sub-Processors authorized for use required under Annex III set out in Exhibit C.


1.1 The EU Standard Contractual Clauses shall be incorporated into this DPA by reference.
1.2 The parties agree to Process Personal Data of residents of the European Economic Union in compliance with the terms of the EU Standard Contractual Clauses as referenced in this Section 1.

Parties to the EU Standard Contractual Clauses


2.1 Module One shall not apply to this Agreement.
2.2 For the purposes of Module Two the data Controller shall be Client and the data Processor shall be Company.
2.3 In the event Module Three applies to this Agreement, the Processors shall be Company and any authorized subProcessor listed in Exhibit C.
2.4 For the purposes of Module Four the data Processor shall be Company and the data Controller shall be Client.

Operative Clauses to the EU Standard Contractual Clauses


3.1 The relevant provisions contained in the EU Standard Contractual Clauses are incorporated by reference.
3.2 The Personal Data transferred concern the categories of Data Subjects set out in Exhibit A.
3.3 The Personal Data transferred concern the categories of data set out in Exhibit A.
3.4 If included in Processing, the details of special categories are set out in Exhibit A.
3.5 Personal Data transferred will be subject to the basic Processing activities set out in Exhibit A.
3.6 The description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are set out in Exhibit B. 
3.7 The effective date of the EU Standard Contractual Clauses is the MSA Effective Date, or if legally required to be fully executed first, the date of last signature of the DPA.

Competent Supervisory Authority


In accordance with Clause 13, the applicable competent supervisory authority shall be determined by reference to the following order: Client’s EU headquarters location; Client’s EU representative location; Data Subject residence; The Irish Data Protection Commissioner.
 
EXHIBIT E
UNITED KINGDOM: STANDARD DATA PROTECTION CLAUSES FOR TRANSFERS
Standard Contractual Clauses (Processors)
(the “UK Standard Contractual Clauses”)

Incorporation and References


1.1 The provisions of the UK Standard Contractual Clauses shall be incorporated into this DPA by reference.
1.2 The parties agree to Process Personal Data of residents of the United Kingdom in compliance with the terms of the UK Standard Contractual Clauses as referenced in this Section 1:

UK Standard Contractual Clauses accessible at https://www.marketstar.com/legal

Data exporter and data importer as detailed in Section 2 of Exhibit E;

Operative clauses to the UK Standard Contractual Clauses detailed in Section 3 of Exhibit E; and

 

Information required for the purposes of the Appendices to the UK Standard Contractual Clauses as detailed in Exhibit A, Exhibit B, and Exhibit C as referenced in Section 3 of Exhibit E.

 

Data Exporter and Data Importer

2.1 For the purposes of complying with the UK Standard Contractual Clauses, the Data Exporter is Client who provides data to MarketStar to engage in the work. Client engages Company for outsourced sales and marketing services and other specialty advisory services, whereby hired sales teams integrate with Client personnel to sell and promote the specific products and programs. Client provides a sales portal and sales leads which are qualified by Company resources whereby Personal Data is Processed, including analytics, collection, storage, transmission, and further Processing. Additional Processing is performed on other Personal Data related to Client support and administrative functions.

2.2 For the purposes of complying with the UK Standard Contractual Clauses, the Data Importer is Company, an operator of outsourced sales and marketing services and other specialty advisory services. Company deploys sales and marketing teams to work on client programs which include Processing of Personal Data to enhance the sales and marketing objectives of Client and provide meaningful analytics and reporting under the Agreement. Account services and Client support services are performed by Company staff in office locations, including in the United States and Ireland, where staff access data in the authorized technology platforms to perform the tasks relevant to their job roles. The main administrative offices of Company are in Ogden, Utah in the United States, with another office in Ireland, and appointed staff roles in field positions from where staff perform administrative functions involving Processing of Personal Data.

Operative Clauses to the UK Standard Contractual Clauses

3.1 The relevant provisions contained in the UK Standard Contractual Clauses are incorporated by reference.

3.2 The Personal Data transferred concern the categories of Data Subjects set out in Exhibit A.

3.3 The Personal Data transferred concern the categories of data set out in Exhibit A.

3.4 If included in Processing, the details of special categories are set out in Exhibit A.

3.5 In relation to Processing operations, the Personal Data transferred will be subject to the basic Processing activities set out in Exhibit A.

3.6 The description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are set out in Exhibit B. 

3.7 The effective date of the UK Standard Contractual Clauses is the MSA Effective Date, or if legally required to be fully executed first, the date of last signature of the DPA.

 

EUROPEAN UNION: STANDARD CONTRACTUAL CLAUSES

Last update: September 1, 2023

Background

The data exporter has entered into an Agreement with the data importer. Pursuant to the terms of the Agreement it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. The data exporter agrees to the provision of such services subject to the data importer’s compliance with the terms of these Clauses. 

SECTION I

Clause 1: Purpose and Scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (1) for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”) have agreed to these standard contractual clauses (hereinafter: “Clauses”).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2: Effect and Invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3: Third-party Beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii) Clause 8 - Module One: Clause 8.5 (e) and Clause 8.9(b); Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g); Module Four: Clause 8.1 (b) and Clause 8.3(b);

(iii) Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);

(iv) Clause 12 - Module One: Clause 12(a) and (d); Modules Two and Three: Clause 12(a), (d) and (f);

(v) Clause 13;

(vi) Clause 15.1(c), (d) and (e);

(vii) Clause 16(e);

(viii) Clause 18 - Modules One, Two and Three: Clause 18(a) and (b); Module Four: Clause 18.

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4: Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5: Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6: Description of the Transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7: Docking Clause

Not applicable

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8: Data Protection Safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.

MODULE ONE: Transfer Controller to Controller

Not applicable

MODULE TWO: Transfer Controller to Processor

8.1   Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2   Purpose Limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3   Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4   Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5   Duration of Processing and Erasure or Return of Data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6   Security of Processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7   Sensitive Data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8   Onward Transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (4) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9   Documentation and Compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

MODULE THREE: Transfer Processor to Processor

8.1   Instructions

(a) The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.

(b) The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.

(c) The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.

(d) The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under Union or Member State law between the controller and the data exporter (5).

8.2   Purpose Limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.

8.3   Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.

8.4   Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.

8.5   Duration of Processing and Erasure or Return of Data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6   Security of Processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify its controller so that the latter may in turn notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7   Sensitive Data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards set out in Annex I.B.

8.8   Onward Transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (6) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9   Documentation and Compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.

(c) The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.

(d) The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.

(e) Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.

(f) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(g) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

MODULE FOUR: Transfer Processor to Controller

8.1   Instructions

(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2   Security of Processing

(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data (7), the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3   Documentation and Compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9: Use of Sub-processors

MODULE TWO: Transfer Controller to Processor

(a) SPECIFIC PRIOR AUTHORISATION The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the data exporter’s prior specific written authorisation. The data importer shall submit the request for specific authorisation at least ten (10) days prior to the engagement of the sub-processor, together with the information necessary to enable the data exporter to decide on the authorisation. The list of sub-processors already authorised by the data exporter can be found in Annex III. The Parties shall keep Annex III up to date.

MODULE THREE: Transfer Processor to Processor

(a) SPECIFIC PRIOR AUTHORISATION The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the prior specific written authorisation of the controller. The data importer shall submit the request for specific authorisation at least ten (10) days prior to the engagement of the sub-processor, together with the information necessary to enable the controller to decide on the authorisation. It shall inform the data exporter of such engagement. The list of sub-processors already authorised by the controller can be found in Annex III. The Parties shall keep Annex III up to date.

Clause 10: Data Subject Rights

MODULE ONE: Not applicable

MODULE TWO: Transfer Controller to Processor

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

MODULE THREE: Transfer Processor to Processor

(a) The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.

(b) The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.

MODULE FOUR: Transfer Processor to Controller

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11: Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

[OPTION: The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body (11) at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.]

MODULE ONE: Transfer Controller to Controller Not applicable

MODULE TWO: Transfer Controller to Processor

MODULE THREE: Transfer Processor to Processor

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12: Liability

MODULE ONE: Transfer Controller to Controller Not applicable

MODULE FOUR: Transfer Processor to Controller

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

MODULE TWO: Transfer Controller to Processor

MODULE THREE: Transfer Processor to Processor

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13: Supervision

MODULE ONE: Transfer Controller to Controller Not applicable

MODULE TWO: Transfer Controller to Processor

MODULE THREE: Transfer Processor to Processor

(a) [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14: Local Laws and Practices Affecting Compliance with the Clauses

MODULE ONE: Transfer Controller to Controller Not applicable

MODULE TWO: Transfer Controller to Processor

MODULE THREE: Transfer Processor to Processor

MODULE FOUR: Transfer Processor to Controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards (12);

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). [For Module Three: The data exporter shall forward the notification to the controller.]

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation [for Module Three:, if appropriate in consultation with the controller]. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by [for Module Three: the controller or] the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15: Obligations of the Data Importer in Case of Access by Public Authorities

MODULE ONE: Transfer Controller to Controller Not applicable

MODULE TWO: Transfer Controller to Processor To be added in the event this Module applies.

MODULE THREE: Transfer Processor to Processor

MODULE FOUR: Transfer Processor to Controller (where the EU processor combines the personal data received from the third country-controller with personal data collected by the processor in the EU)

15.1   Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

[For Module Three: The data exporter shall forward the notification to the controller.]

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). [For Module Three: The data exporter shall forward the information to the controller.]

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2   Review of Legality and Data Minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. [For Module Three: The data exporter shall make the assessment available to the controller.]

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16: Non-compliance with the Clauses and Termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority [for Module Three: and the controller] of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) [For Modules One, Two and Three: Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.] [For Module Four: Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof.] The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17: Governing law

MODULE ONE: Transfer Controller to Controller Not applicable

MODULE TWO: Transfer Controller to Processor.

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

MODULE THREE: Transfer Processor to Processor

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

MODULE FOUR: Transfer Processor to Controller

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18: Choice of Forum and Jurisdiction

MODULE ONE: Transfer Controller to Controller Not applicable

MODULE TWO: Transfer Controller to Processor To be added in the event this Module applies.

MODULE THREE: Transfer Processor to Processor

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of Ireland.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

MODULE FOUR: Transfer Processor to Controller

Any dispute arising from these Clauses shall be resolved by the courts of Ireland.

UNITED KINGDOM (UK): STANDARD DATA PROTECTION CLAUSES FOR TRANSFERS

Last update: December, 2021

Standard Contractual Clauses (processors) (the “UK Standard Contractual Clauses”)

The data exporter and the data importer, each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Background

The data exporter has entered into a Master Services Agreement and Data Processing Addendum (“Agreement”) with the data importer. Pursuant to the terms of the Agreement it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. The data exporter agrees to the provision of such services subject to the data importer’s compliance with the terms of these Clauses. The Effective Date of the UK Standard Contractual Clauses is the date of last signature executing the Agreement.

Clause 1: Definitions

For the purposes of the Clauses:

(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'Commissioner' shall have the same meaning as in the UK GDPR;

(b) 'the data exporter' means the controller who transfers the personal data;

(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system covered by UK adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 of the Data Protection Act 2018;

(d) 'the sub-processor' means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the UK, namely the UK GDPR and the Data Protection Act 2018 (“DPA 2018”);

(f) 'technical and organizational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2: Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3: Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary. 
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. 
  3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses. 
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law. 

Clause 4: Obligations of the data exporter

The data exporter agrees and warrants: 

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the Commissioner) and does not violate the applicable data protection law;

(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequacy regulations issued under Section 17A Data Protection Act 2018 or Paragraphs 4 and 5 of Schedule 21 Data Protection Act 2018;

(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the Commissioner if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses;

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5: Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorized access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the Commissioner with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the Commissioner;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6: Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7: Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a) to refer the dispute to mediation, by an independent person or, where applicable, by the Commissioner;

(b) to refer the dispute to the UK courts.

  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8: Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the Commissioner if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the Commissioner has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9: Governing Law

The Clauses shall be governed by the law of the country of the United Kingdom in which the data exporter is established.

Clause 10: Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from (i) making changes permitted by Paragraph 7(3) & (4) of Schedule 21 Data Protection Act 2018; or (ii) adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11: Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor's obligations under such agreement. 
  2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the UK where the data exporter is established.
  4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the Commissioner.

Clause 12: Obligation after the termination of personal data-processing services

  1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the Commissioner, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

The information required for the purposes of Appendix 1 is referenced in Exhibit E to the Agreement.

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

The information required for the purposes of Appendix 2 is referenced in Exhibit E to the Agreement.