Master Data Protection Addendum ("DPA")
1.1 This DPA forms part of, and is subject to, the Customer Contract by and between Customer and Litera.
1.2 We deliver innovative services and technology solutions to legal, corporate, life sciences and other organizations to customers located around the world.
1.3 Our customers access and use our services and technology solutions either by hosting our software solutions themselves or by using our software-as-a-service platform. As part of these arrangements, we process personal information held by our customers for and on behalf of our customers as their processor. We recognise the importance of keeping safe and secure any personal information which we process on behalf of our customers in providing our services.
1.4 For our customers located in the United Kingdom or the European Economic Area or otherwise subject to European Union data protection laws (either directly or indirectly), we understand the requirements they are under in relation to the use of processors such as ourselves. In particular, we have developed a set of standard data protection terms, set out below, that are incorporated into each customer contract we enter into and which fulfil the data protection legal requirements our United Kingdom and EEA customers, as well as our other customers that are either directly or indirectly subject to the United Kingdom or European Union data protection laws, are subject to in relation to their appointment and use of us as their processor.
1.5 We have a data protection officer whose job is to oversee our data protection compliance. If you have any queries about these terms, please email us to: Mishcon de Reya LLP - firstname.lastname@example.org and cc to email@example.com.
1.6 To the fullest extent permitted by Law, any liability or claims brought under this DPA and/or the Standard Contractual Clauses shall be subject to the terms and conditions of the Customer Contract, including but not limited to, the exclusions and limitations set forth therein. For the avoidance of doubt, Litera's aggregate liability arising out of this DPA and/or the Standard Contractual Clauses shall in no event exceed the limitations set forth in the Customer Contract.
2. Data processing terms
2.1 The data processing terms set out in paragraphs 2 to 8 (inclusive) shall automatically apply to and form part of each Customer Contract.
2.2 These data processing terms shall survive termination or expiry of each Customer Contract to the extent we continue to Process any Personal Information beyond the term of the Customer Contract.
2.3 To the extent that there is any conflict or inconsistency between these data processing terms and the other terms of a Customer Contract then these data processing terms shall take precedence.
For the purposes of this DPA:
(a) Controller means a person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information;
(b) Customer means a customer of the Litera group in respect of which we Process Personal Information as the Processor of the customer in connection with the services we provide to the customer pursuant to a Customer Contract;
(c) Customer Contract means a contract we have entered into with a Customer for the provision of one or more of our document technology services and solutions;
(d) Data Protection Laws means all applicable laws and regulations relating to the Processing of Personal Information as the same may be in force from time to time;
(e) Data Subject means the natural person to which the Personal Information relates;
(f) EEA means European Economic Area;
(g) GDPR means Regulation (EU) 2016/679 on the protection of natural persons with regard to the Processing of Personal Information and on the free movement of such data;
(h) Litera, Company, we, us and our means, in respect of each Customer Contract, the Litera group company that has entered into the Customer Contract, being either Workshare Limited, Freedom Solutions Group, L.L.C. dba Litera or DocsCorp Pty. Ltd;
(i) Personal Information means any information Processed by Litera pursuant to the Customer Contract relating to an identified or identifiable natural person;
(j) Personal Information Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information;
(k) Processing means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, and Process, Processes and Processed shall be construed accordingly;
(l) Processor means a person which Processes Personal Information on behalf of a Controller;
(m) Product means the innovative services and technology solutions included in the Product Schedules to this DPA that are offered by the Company either in the form of hosting the Company's software solutions or its software-as-a-service platform as stated in the Customer Contract.
(n) Product Schedule means Schedule 2 as annexed to this DPA that relate to the specification of individual Product offered by the Company;
(o) Standard Contractual Clauses means as applicable (a) the standard contractual clauses pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Information to third countries pursuant to the GDPR (the “EU SCCs”); and (b) the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office under S119A(1) of the Data Protection Act (“UK Addendum”);
(p) Sub-processor means any entity we engage to Process Personal Information on the Customer's behalf, information available here: List of Sub-processors;
(q) UK GDPR means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
4. Arrangements for the Processing of Personal Information
4.1 In respect of each Customer Contract:
(a) the Customer Contract may require the Processing of Personal Information by us on behalf of the Customer;
(b) the Customer alone shall determine the purposes for which and the manner in which Personal Information will be Processed by us on behalf of the Customer under the Customer Contract;
(c) the Customer permits the use of analytics and aggregate data derived from Customer Content or Customer Data (as applicable and defined in the governing terms and conditions of the Customer Contract) for improving the platform and the provision of services provided by the Company; and
(d) the Customer shall be the Controller and we shall be the Processor in respect of the Processing of all such Personal Information except when Customer acts as a Processor of such Personal Information, in which case Litera is a sub-Processor of such Personal Information. Nothing in the preceding sentence alters the obligations of either Litera or Customer under this DPA, as Litera acts as a Processor with respect to Customer in all events. In any instance where the Customer is a Processor, Customer warrants to Litera that Customer’s instructions, including appointment of Litera as a Processor or sub-Processor, have been authorized by the relevant Controller.
4.2 Where, under or in connection with the Customer Contract, we Process Personal Information on behalf of the Customer as the Customer's Processor, we shall:
(a) Process the Personal Information only:
(i) on the Customer's instructions and to the extent reasonably necessary for the performance by us of our obligations under the Customer Contract or as otherwise directed in writing by the Customer. We shall immediately inform the Customer if, in our opinion, Processing the Personal Information in accordance with a written instruction received from the Customer or in the performance of our obligations under the Customer Contract infringes the Data Protection Laws to which either the Customer (in its capacity as a Controller) or we (in our capacity as a Processor) are subject; or
(ii) as otherwise required by applicable law, in which case we shall inform the Customer of that legal requirement before Processing the Personal Information (unless that law prohibits us from informing the Customer);
(b) ensure that all persons authorised by us to Process the Personal Information:
(i) Process the Personal Information in accordance with provisions of this paragraph 4.2; and
(ii) are under an appropriate contractual or other legal obligation to keep the Personal Information confidential;
(c) taking into account the state of the art, the nature, scope, context and purposes of the Processing and the risks to Data Subjects, implement appropriate technical and organizational measures to ensure the security of the Personal Information and prevent Personal Information Breaches. The current measures implemented by us are described in Schedule 2 in respect of the relevant Litera product or services being provided pursuant to the Customer Contract. We reserve the right to change and adapt our implemented technical and organizational measures in accordance with ongoing and future technical developments, provided that the amended measures do not fall significantly short of the level of protection provided by the measures described in Schedule 2;
(d) taking into account the nature of the Processing, implement appropriate technical and organizational measures to assist the Customer to comply with its obligations under the Data Protection Laws to which the Customer is subject and assist the Customer in responding to requests from Data Subjects to exercise their legal rights in relation to their Personal Information;
(e) taking into account the nature of the processing activities and the information available to us, assist the Customer to comply with its obligations in respect of such Personal Information under the Data Protection Laws to which the Customer is subject in relation to:
(i) keeping Personal Information secure by complying with our obligations in Schedule 2;
(ii) dealing with Personal Information Breaches;
(iii) carrying out data protection impact assessments;
(iv) dealing with requests from Data Subjects to exercise their legal rights in relation to their Personal Information; and
(v) investigations and enquiries by data protection regulatory authorities;
(f) notify the Customer without undue delay and, in any event, within 72 hours after becoming aware of a Personal Information Breach in respect of the Personal Information;
(g) permanently and securely delete or return all the Personal Information promptly on termination of the Customer Contract in accordance with the process as detailed under each Product Schedule, and delete any existing copies of the Personal Information save to the extent that we are required to retain copies of the Personal Information by the laws to which we are subject or when Personal Information is transmitted via email, it will be subject to Company’s email retention policy; and
(h) make available to the Customer all information necessary, redacted at Company’s discretion, to demonstrate compliance with our obligations under this paragraph 4.2 and solely to the extent Customer's audit requirements cannot be reasonably satisfied through the provision of such information, allow for and contribute to audits, including (without limitation) inspections during Company’s normal and ordinary working hours, conducted by the Customer or an auditor appointed by the Customer that relate to our compliance with our obligations in respect of the Personal Information under this paragraph 4.2. The audit and the inspections shall be subject to the following requirements:
(i) without disruption to Company’s business operations; (ii) with Company’s direct supervision; (iii) where any agents and/or audits are subject to confidentiality covenants no less restrictive than the terms in here; (iv) no more than one (1) time per annual period; (v) with thirty (30) days' prior written notice to the Company; (vi) no audit of the Company's system; and (vii) subject to agreed reasonable confidentiality and security procedures with no additional information about the personnel, customers or finances of the Company.
4.3 In respect of each Customer Contract, we may charge the Customer for the time and expenses incurred in providing the assistance required by the Customer under paragraphs 4.2(d), 4.2(e), and 4.2(h) to the extent permitted by Data Protection Laws.
4.4 We shall not be liable to the Customer for any failure to perform our obligations under a Customer Contract to the extent that such failure is due (either directly or indirectly) to us complying with an instruction of the Customer pursuant to paragraph 4.2(a)(i) or the Data Protection Laws to which either we or the Customer is subject. The Customer shall remain solely responsible for assessing and ensuring the lawfulness of the Processing, and for safeguarding the rights of the Data Subjects, in accordance with Data Protection Laws to which it is subject.
4.5 In respect of each Customer Contract, we may terminate the Customer Contract with immediate effect by giving the Customer notice of such termination in the event that the Customer gives us any instruction in relation to the Personal Information that we Process on behalf of the Customer that is incompatible with the Customer Contract or the services and technology solutions we provide to the Customer.
5. Particulars of Processing
5.1 The particulars of Processing to be carried out by us on behalf of a Customer under or in connection with the Customer Contract are set out in Schedule 2.
6. International Data Transfers
6.1 Each Customer acknowledges and agrees that the nature of our operations means that it is highly likely we (either directly or via our Sub-processors) will Process Personal Information under a Customer Contract for and on behalf of the Customer in a number of jurisdictions around the world. We shall ensure that any transfer of Personal Information by us to a jurisdiction outside of the UK or EEA without an adequacy decision from the UK Government or European Commission, as applicable, will comply with applicable Data Protection Laws.
6.2 Where, in connection with a Customer Contract, we Process Personal Information on behalf of a Customer subject to the UK GDPR and/or GDPR, as applicable, as its Processor and such Processing would, but for the application of the provisions set out in this paragraph (as amended from time to time by the Data Protection Laws to which the Customer is subject), be prohibited under the UK GDPR and/or GDPR, then the additional provisions set out in Schedule 1 shall apply. To the extent that there is any conflict or inconsistency between the provisions of Schedule 1 and the other terms of the Customer Contract, the provisions of Schedule 1 shall take precedence.
7.1 In respect of each Customer Contract, we may engage third party Sub-processors to Process Personal Information on behalf of the Customer in the course of performing our obligations under the Customer Contract. We shall enter into a contract with each Sub-processor that imposes on the Sub-processor obligations equivalent to, or more onerous than, the ones imposed on us by these data processing terms. Notwithstanding any other provision of the Customer Contract, we shall remain fully liable and responsible to the Customer in accordance with the Customer Contract for all acts and omissions of the Sub-processors in relation to their Processing of the Personal Information.
7.2 A current list of Sub-processors for the subscription Products, including the identities of those Sub-processors, the activities they are performing on our behalf, and their location can be found at List of Sub-processors (the “Sub-process Site”). If Customer would like to receive notifications of new Sub-processors which we update to Sub-process Site, the Customer must subscribe to the following webpage: Registration Link for Sub-processors in order to be notified. We shall provide the notification of new Sub-processors only if Customer has subscribed to receive the notification.
7.3 We will restrict the Sub-processors' access to Personal Information only to what is necessary to assist us in providing or maintaining the Subscription Products. We will remain responsible for our compliance with the obligations under this DPA and for any acts or omissions of the Sub-processor that cause us to breach any of our obligations under this DPA.
7.4 Once the Customer is notified of any changes to the Sub-process Site, Customer may object in writing within five (5) days to our appointment of a new Sub-processor, provided that such objection is based on reasonable grounds relating to Data Protection Laws. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. If the parties cannot agree a mutually acceptable resolution, either party shall have the right to terminate the Agreement.
8.1 Customer acknowledges that: (a) Customer will comply with all applicable Data Protection Laws; (b) Customer is responsible for determining whether the purchased Litera products and services are appropriate for storage and Processing of Personal Information; and (c) Customer has the right to transfer, or provide access to, Personal Information to Litera and its Sub-processors for Processing in accordance with the terms of the Customer Contract and this DPA.
STANDARD CONTRACTUAL CLAUSES
The applicable Standard Contractual Clauses are incorporated into the DPA by reference, as if they had been set out in full, and are populated as follows. Unless expressly stated below, any optional clauses contained within the Standard Contractual Clauses shall not apply.
The following Standard Contractual Clauses shall apply where Personal Information is transferred to a third country (unless the transfer is permitted on the basis of an adequacy decision):
a) CONTROLLER TO PROCESSOR (Module Two) (“Controller to Processor Standard Contractual Clauses”) if Customer, acting as a Controller, is making a restricted transfer of Personal Information subject to the GDPR and/or the UK GDPR (as applicable) to us, acting as a Processor; and/or
b) PROCESSOR TO PROCESSOR (Module Three) (“Processor to Processor Standard Contractual Clauses”) if Customer, acting as a Processor, makes a restricted transfer of Personal Information subject to the GDPR and/or the UK GDPR (as applicable) to us acting as a Processor.
c) PROCESSOR TO CONTROLLER (Module Four) (“Processor to Controller Standard Contractual Clauses”) if the Customer acting as a Controller is based outside the EEA and we are making a restricted transfer as a Processor while sending the Personal Information subject to the GDPR and/or the UK GDPR (as applicable) to the Customer. Please note this will only be applicable where the contracting entity is Workshare Limited and the Customer is based in a jurisdiction outside of the UK or EEA without an adequacy decision from the UK Government or European Commission, as applicable.
The following supplementary clauses shall apply to the Standard Contractual Clauses:
a) Erasure and deletion: For the purposes of Clause 8.5, Section II of Module Two and Module Three of the Standard Contractual Clauses the data importer shall delete the Personal Information in accordance with clause 4.2(g) of the DPA.
b) Audit: The parties acknowledge that the data importer complies with its obligations under Clause 8.9, Section II of Module Two and Module Three of the Standard Contractual Clauses by (i) acting in accordance with clause 4.2(h) of the DPA and (ii) exercising its contractual audit rights it has agreed with its Sub-processors. For the purposes of Clause 8.9(e), Section II of Module Three of the Standard Contractual Clauses, the data exporter shall ensure the results are provided to the relevant controller(s) on a confidential basis and that the controller(s) have committed themselves to confidentiality in respect of the same.
c) Sub-Processors: For the purposes of Clause 9, Section II of Module Two and Module Three of the Standard Contractual Clauses, the parties agree that option 2: general written authorization shall apply, and the data importer shall notify the data exporter of any changes in accordance with clause 7 of the DPA.
d) Data Subject Rights: For the purposes of Clause 10(a) to (c) Section II of Module Three of the Standard Contractual Clauses, the parties acknowledge that given the nature of the Processing by the data importer it would not be appropriate for the data importer to notify or assist the controller directly in respect of any requests received from a Data Subject.
e) For the purposes of Clause 14(c), 15.1(b) and 15.2, Section III of Module Two and Module Three of the Standard Contractual Clauses, the Parties agree that “best efforts” and the obligations of the data importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
f) Governing law and Jurisdiction: For the purposes of Clause 17 and 18, Section IV of Module Two and Module Three of the EU SCCs, the parties agree that the laws and courts of Ireland will apply. For the purpose of the UK Addendum, the parties acknowledge and accept that the laws and courts of England and Wales will apply.
Annex 1 to the Standard Contractual Clauses
A. List of Parties
Data exporter: Customer is the data exporter. The data exporter has contracted with the data importer to access and use one or more of the data importer's technology services and solutions in connection with its business and, as part of those arrangements, is transferring Personal Information to the data importer.
The data exporter’s data protection contact (and EU/UK representative if applicable) is as detailed in the Customer Contract or as otherwise provided to the data importer.
Data importer: The data importer is a member of the Litera group, which is a provider of innovative technology services and solutions. The data importer's activities which are relevant to the transfer are the provision of certain technology services and solutions to the data exporter.
The data importer’s data protection contact details are as specified in the DPA.
B. Description of Transfer
Data Subjects: The categories of data subjects to which the personal information relates will be determined by the data exporter. Details about the likely categories of data subject are set out in Schedule 1 of the DPA.
Categories of data: The non-special categories of Personal Information will be determined by the data exporter. Details about the likely non-special categories of Personal Information are set out in Schedule 1 of the DPA.
Special categories of data: The special categories of Personal Information will be determined by the data exporter. Details about the likely special categories of Personal Information are set out in Schedule 1 of the DPA.
Frequency and duration: are set out in Schedule 1 of the DPA.
Nature and purpose of the Processing: Schedule 1 of the DPA sets out the basic processing activities to which the Personal Information will be subject.
Sub-Processors: Any Sub-processor appointed by the data importer will Process the Personal Information to assist the data importer in providing the services as described above for the duration of the Customer Contract.
- Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with Clause 13, Section II of Module Two and Module Three of the EU SCCs. In respect of the UK Addendum, the competent supervisory authority shall be read as the Information Commissioner.
Annex 2 to the Standard Contractual Clauses
The data importer shall implement the technical and organisational security measures set out here: Security Addendum.
The UK Addendum is effective from the effective date of the Customer Contract.
Table 1: Parties
Exporter and key contact: As set out in Annex 1 of the Standard Contractual Clauses above.
Importer and key contact: As set out in Annex 1 of the Standard Contractual Clauses above.
Table 2: Selected SCCs, Modules and Clauses
As applicable, Module 2 and Module 3 of the EU SCCs as incorporated by reference into Schedule 1 of the DPA including any supplementary clauses set out within Schedule 1 of the DPA.
Table 3: Appendix Information
As set out in Annex 1 and Annex 2 of the Standard Contractual Clauses above.
Table 4: Ending this Addendum when the Approved Addendum Changes
In the event the Information Commissioner’s Office issues a revised Approved Addendum, in accordance with Section 18 of the UK Addendum which as a direct result of such changes has a substantial, disproportionate and demonstrable increase in: (a) the data importer’s direct costs of performing its obligations under the Addendum; and/or (b) relevant party's risk under the Addendum, either party may terminate this UK Addendum on reasonable written notice to the data exporter in accordance with Table 4 and paragraph 19 of the UK Addendum.
List of Products/Software