By entering into the Client Agreement (as defined below), Client acknowledges it has accepted and signed the Client Agreement, the Data Processing Agreement, and the additional documents which are incorporated therein by reference (collectively, the “Agreement”), and is legally bound thereby.
- Pursuant to Terms of Service and/or related order forms accepted and agreed by You with NTT Security Holdings Corporation or its subsidiary (the “Client Agreement”), You have entered into an agreement for access, use or delivery and receipt of certain services (the “Services”). In performing the Client Agreement NTT or its sub-processors may have access to personal data relating to You, Your employees, or end-users. In certain jurisdictions, it is a requirement under applicable data protection laws to have a data processing agreement in place to provide certain services to You which may involve the access, processing and storage of personal data. The data protection related obligations between the parties are set out in this ‘Data Processing Agreement’ or ‘DPA’, which is a standalone agreement but is added as an addendum to the Client Agreement. In this DPA and its attachments NTT Security Holdings Corporation and its subsidiary are referred to as “NTT” and You are referred to as “Client”.
- To the extent NTT may be required to process personal data on behalf of Client under the Client Agreement, NTT will do so in accordance with the terms set out in this Data Processing Agreement (‘DPA’).
- Defined terms
- ‘Contact’ means, in the case of Client, the contact information entered at the time it subscribed for the NTT Services and, in the case of NTT, the contact information provided [here]; the contact points for Client and NTT are as set forth in Attachment A.
- ‘GDPR’ means the General Data Protection Regulation ((EU) 2016/679).
- ‘Personal Data’ means all personal data provided to NTT by, or on behalf of, Client through use of the Services.
- ‘Restricted Transfer’ means a transfer of Personal Data from a member state of the European Economic Area (‘EEA’), the UK or Switzerland (a country not in the EEA or the EU) to a country outside the European Union, EEA, the UK or Switzerland.
- ‘Standard Contractual Clauses’ or ‘SCCs’ means the EU SCCs and UK SCCs, as may be updated, supplemented or replaced from time to time under applicable Data Protection Laws, as a recognized transfer or processing mechanism (as applicable).
- ‘UK GDPR’ means the GDPR as implemented in the UK.
- ‘UK GDPR Terms’ means those terms otherwise required pursuant to UK GDPR which are not comprised in the SCCs, as set out in Attachment C.
- Lower case terms. The following lower case terms used but not defined in this DPA, such as ‘controller’, ‘data subject’, ‘personal data’, ‘processor’ and ‘processing’ will have the same meaning as set forth in Article 4 of the GDPR, irrespective of whether the GDPR applies.
- Applicable law
- NTT may be required to process personal data on behalf of Client under (a) any applicable law, including (b) subordinate legislation and regulations implementing the GDPR and (c) the UK GDPR (collectively referred to as ‘applicable Data Protection Laws’).
- Unless expressly stated otherwise, in the event of any conflict between (a) the main body of this DPA and (b) the UK GDPR (to the extent the UK GDPR applies), the applicable local law will prevail.
- To the extent NTT is a processor of personal data subject to the GDPR and/or UK GDPR, the mandatory sections required by Article 28(3) of the GDPR (or UK GDPR, as applicable) for contracts between controllers and processors that govern the processing of personal data are set out in clauses 1, 6.1, 6.3, 6.4, 7, 8.1, 8.2, 9.1, 9.2, 10 to 14 (inclusive). The UK GDPR Terms will govern any processing in relation to any terms required by the UK GDPR which are not covered elsewhere in this DPA.
- Duration and termination
- This DPA will commence on the date it is signed by the party who signs it last and will remain in force so long as the Client Agreement remains in effect or NTT retains any Personal Data related to the Client Agreement in its possession or control.
- NTT will process Personal Data until the date of expiration or termination of the Client Agreement, unless instructed otherwise by Client in writing, or until such Personal Data is returned or destroyed on the written instructions of Client or to the extent that NTT is required to retain such Personal Data to comply with applicable
- Personal data types and processing purposes
- Where the applicable Data Protection Law is the GDPR or UK GDPR:
- Client and NTT acknowledge that Client is the controller and NTT is the processor or sub-processor.
- The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Attachment B.
- The Client retains control of the Personal Data and remains responsible for its compliance obligations under applicable Data Protection Laws, including providing any required notices, obtaining any required consents, and for the processing instructions it gives to NTT.
- Attachment B describes the purpose of processing and the categories of data subjects and Personal Data that NTT may process in relation to the Services described in the Client Agreement (‘Business Purposes’).
- NTT obligations
- Client instructions. When NTT acts as the processor of Personal Data, it will only process the Personal Data on Client’s documented instructions and to the extent that this is required to fulfil the Business Purposes. NTT will not process the Personal Data for any other purpose or in a way that does not comply with this DPA or applicable Data Protection Laws. Should NTT reasonably believe that a specific processing activity beyond the scope of Client’s instructions is required to comply with a legal obligation to which NTT is subject, NTT must inform Client of that legal obligation and seek explicit authorization from Client before undertaking such processing. NTT will not process the Personal Data in a manner inconsistent with Client’s documented instructions.
- Independent controller. To the extent NTT uses or otherwise processes Personal Data in connection with NTT’s legitimate business operations, NTT will be an independent controller for such use and will be responsible for complying with all applicable laws and controller obligations.
- Compliance. NTT will reasonably assist Client in complying with Client’s obligations under applicable Data Protection Laws, taking into account the nature of NTT’s processing and the information made available to NTT, including in relation to data subject rights, data protection impact assessments and reporting to and consulting with data protection authorities under applicable Data Protection Laws. NTT will promptly notify Client if, in its opinion, any instruction infringes applicable Data Protection Laws. This notification will not constitute a general obligation on the part of NTT to monitor or interpret the laws applicable to Client, and this notification will not constitute legal advice to Client.
- Disclosure. NTT will not disclose personal data except: (a) as Client directs in writing, (b) as described in this DPA or (c) as required by law. Where NTT is permitted by law to do so, upon receiving a request from a public authority, NTT will use reasonable endeavors to notify the Client and attempt to redirect the public authority to request the personal data directly from Client.
- Contracting with sub-processors
- List of sub-processors. A list of NTT's sub-processors that NTT directly engages for the specific Services as a processor is available at [ ] or on request to the NTT Contact or as otherwise made available on an NTT website.
- General authorization. Client provides its general authorization to NTT’s engagement with sub-processors, including current and future subsidiaries of NTT, to provide some or all Services and process Personal Data on its behalf. To the fullest extent permissible under applicable Data Protection Laws this DPA will constitute Client’s general written authorization to the subcontracting by NTT of the processing of Personal Data to this agreed list of sub-processors.
- NTT will notify the Client in writing of any intended changes to the agreed list of sub-processors at least 14 days in advance, thereby giving the Client the opportunity to object to such changes. Such objection must be made in writing to the NTT Contact within 10 days of notification. Client’s failure to submit a written objection to the agreed list of sub-processors within 10 days of notification will be deemed acceptance of the changes to the agreed list of sub-processors.
- Performance. NTT is responsible for its sub-processors’ compliance with NTT’s obligations in this DPA.
- Client obligations
- Data subject requests. If NTT receives a request from Client’s data subject to exercise one or more of its rights under applicable Data Protection Laws, in connection with a Service for which NTT is a processor or sub-processor, NTT will redirect the data subject to make its request directly to Client. Client will be responsible for responding to any such request. NTT will comply with reasonable requests by Client to assist with Client’s response to such a data subject request. Client will be responsible for reasonable costs NTT incurs in providing this assistance.
- Client requests. NTT must promptly comply with any Client request or instruction from persons authorized by Client requiring (a) NTT to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized processing, (b) Client’s obligations regarding security of processing and (c) Client’s prior consultation obligations in terms of applicable Data Protection Laws, considering the nature of the processing and the information available to NTT.
- Warranty. Client warrants that: (a) it has all necessary rights to provide the Personal Data to NTT for the processing to be performed in relation to the Services; and (b) NTT's expected use of the Personal Data for the Business Purposes and as specifically instructed by the Client will comply with all applicable Data Protection Laws.
- Privacy notices. To the extent required by applicable Data Protection Laws, Client is responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in applicable Data Protection Laws supports the lawfulness of the processing, that any necessary data subject consents to the processing are obtained and a record of such consents is maintained. Should such a consent be revoked by a data subject, Client is responsible for communicating the fact of such revocation to NTT, and NTT remains responsible for implementing Client’s instruction with respect to the processing of that Personal Data.
- TOMs. NTT will implement appropriate Technical and Organizational Measures (‘TOMs’) to ensure the security of the Personal Data in terms of applicable Data Protection Laws, including the security measures set out in Attachment B. This includes protecting the Personal Data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data.
- Access to Personal Data. NTT will grant access to the Personal Data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the Client Agreement. NTT will ensure that persons authorized to process the Personal Data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Cost negotiations. The parties will negotiate in good faith the cost, if any, to implement material changes other than to the extent required by specific updated security requirements set forth in applicable Data Protection Laws or by data protection authorities of competent jurisdiction (in which case NTT would bear the responsibilities of such cost to the extent required by applicable Data Protection Laws or by the data protection authority).
- Certifications. NTT will maintain any certifications that it is contractually obligated to maintain and comply with as expressly stated in the Client Agreement. NTT will re-certify against those certifications as reasonably required.
- Provision of evidence. At Client’s written request, NTT will provide Client with evidence of those certifications relating to the processing of Personal Data, including applicable certifications or audit reports of its computing environment and physical data centers that it uses in processing Personal Data to provide the Services, so that Client can reasonably verify NTT’s compliance with its obligations under this DPA.
- Compliance with TOMs. NTT may also rely on those certifications to demonstrate compliance with the requirements set out in clause 1.
- Confidential information. Any evidence provided by NTT is confidential information and is subject to non-disclosure and distribution limitations of NTT and/or any NTT sub-processor.
- Client Audits. Client may carry out audits of NTT’s premises and operations as these relate to the Personal Data of Client if:
- NTT has not provided sufficient evidence of the measures taken under clause 9; or
- an audit is formally required by a data protection authority of competent jurisdiction; or
- applicable Data Protection Laws provide Client with a direct audit right (and as long as Client only conducts an audit once in any twelve-month period, unless mandatory applicable Data Protection Laws requires more frequent audits).
NTT subsidiaries are intended third-party beneficiaries of this section.
- Client audit process. The Client audit may be carried out by a third party (which must not be a competitor of NTT and must be suitably qualified and independent) who must first enter into a confidentiality agreement with NTT. Client must provide at least 60 days’ advance notice of any audit unless mandatory applicable Data Protection Laws or a data protection authority of competent jurisdiction requires shorter notice. NTT will cooperate with such audits and will grant Client’s auditors reasonable access to any premises and devices involved with the processing of the Client’s Personal Data. Client audits will be limited in time to a maximum of three business days. Beyond such restrictions, the parties will use current certifications or other audit reports to avoid or minimize repetitive audits. The Client must bear the costs of any Client audit unless the audit reveals a material breach by NTT of this DPA, in which case NTT will bear the costs of the audit. If the audit determines that NTT has breached its obligations under the DPA, NTT will promptly remedy the breach at its own cost.
- Incident management
- Security incidents. If NTT becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data while processed by NTT (each a ‘Security Incident’), NTT will promptly and without undue delay:
- notify Client of the Security Incident;
- investigate the Security Incident and provide Client with sufficient information about the Security Incident, including whether the Security Incident involves Personal Data of the Client;
- take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
- Security incident notification. Notification(s) of Security Incidents will take place in accordance with clause 4. Where the Security Incident involves Personal Data of the Client, NTT will make reasonable efforts to enable Client to perform a thorough investigation into the Security Incident, to formulate a correct response, and to take suitable further steps in respect of the Security Incident. NTT will make reasonable efforts to assist Client in fulfilling Client’s obligation under applicable Data Protection Laws to notify the relevant data protection authority and data subjects about such Security Incident. NTT’s notification of or response to a Security Incident under this clause is not an acknowledgement by NTT of any fault or liability with respect to the Security Incident.
- Other incidents. NTT will notify Client promptly if NTT becomes aware of:
- a complaint or a request with respect to the exercise of a data subject’s rights under any applicable Data Protection Laws in relation to Personal Data NTT processes on behalf of Client and its data subjects; or
- an investigation into or seizure of the Personal Data of Client by government officials, or a specific indication that such an investigation or seizure is imminent; or
- where, in the opinion of NTT, implementing an instruction received from Client in relation to the processing of Personal Data would violate applicable laws to which Client or NTT are subject.
- Client notifications. Any notifications made to Client pursuant to this clause 11 will be addressed to the Client Contact mentioned in Attachment A.
- General cross border transfers of Personal Data
- Except as described elsewhere in the DPA, Personal Data that NTT processes on Client’s behalf may be transferred to and stored and processed in any country in which NTT or its sub-processors may operate.
- Transfer restrictions. If an applicable Data Protection Law restricts cross-border transfers of Personal Data, the Client will only transfer that Personal Data to NTT if NTT, either through its location or participation in a valid cross-border transfer mechanism under the applicable Data Protection Laws, may legally receive that Personal Data.
- Transfer mechanism. Where the parties determine that cross-border transfers of Personal Data are necessary, the parties shall agree and implement the appropriate SCCs or other specific statutory mechanism prior to commencing such cross-border transfer. To the extent that NTT is relying on the SCCs or another specific statutory mechanism to normalize international data transfers and those mechanisms are subsequently modified, revoked, or held by a court of competent jurisdiction to be invalid, Client and NTT agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
- GDPR and UK GDPR cross border transfers of Personal Data
- Where the GDPR or UK GDPR is the applicable Data Protection Law NTT may only process, or permit the processing, of Personal Data by the Services in respect of a Restricted Transfer under the following conditions:
- Adequacy decision. Where the European Commission or the UK (as applicable) has found that the relevant country provides adequate protection for the privacy rights of data subjects;
- Adequate safeguards. In the absence of an adequacy decision, where appropriate safeguards have been provided by the controller or processor established in third countries which do not ensure an adequate level of data protection, and who receive the Personal Data by way of a valid transfer mechanism under Article 46(2) of the GDPR, UK GDPR or other applicable Data Protection Law.
- Standard Contractual Clauses. SCCs may be used as follows:
- the UK SCCs for Personal Data subject to UK GDPR;
- the applicable Module(s) of the EU SCCs for Personal Data subject to GDPR and/or Swiss Federal Act of 19 June 1992 on Data Protection (FADP).
- Execution of SCCs. If any cross-border transfer of Personal Data between NTT and the Client requires execution of SCCs to comply with the applicable Data Protection Law, the parties will complete all relevant details in, and execute, the applicable SCCs, and take all other actions required to legitimize the transfer.
- Sub-processors. Where Client provides its general written authorization to NTT (located in the EEA or UK, as applicable) appointing a sub-processor located outside the EEA or UK (as applicable), Client authorizes NTT to enter into the applicable form of the applicable SCCs with the sub-processor in Client’s name and on its behalf (in which case Client will no longer be required to enter into direct agreements itself with such sub-processors). NTT will make the executed applicable SCCs available to Client on request.
- Return or destruction of Personal Data
- Client deletion. For certain Services the Client is responsible for installing, hosting, processing and using Personal Data. Here only Client has the ability to access, extract and delete Personal Data stored in that Service. Where the particular Service does not support access, retention or extraction of software provided by Client, NTT has no liability for the deletion of Personal Data as described in this clause 1.
- Delete or return. Where the Client Agreement requires NTT to retain Personal Data, NTT will delete that Personal Data within the time period agreed to in the Client Agreement, unless NTT is permitted or required by applicable law to retain such Personal Data. Where the retention of Personal Data has not been addressed in the Client Agreement, NTT will either delete, destroy or return all Personal Data to Client and destroy or return any existing copies when:
- NTT has finished providing the Services related to the processing;
- this DPA terminates;
- Client requests NTT to do so in writing; or
- NTT has otherwise fulfilled all purposes agreed in the context of the Services related to the processing activities and Client does not require NTT to do any further processing.
- Certificate of destruction. NTT will provide Client with a destruction certificate at Client’s request. Where the deletion or return of the Personal Data is impossible for any reason, or where backups and/or archived copies have been made of the Personal Data, NTT will retain such Personal Data in compliance with applicable Data Protection Laws.
- Third parties. On termination of this DPA, NTT will notify all sub-processors supporting its own processing and make sure that they either destroy the Personal Data or return the Personal Data to Client, at the discretion of Client.
- Liability and warranty
- Any limitation of liability in the Client Agreement will apply to this DPA, other than to the extent such limitation (a) limits the liability of the parties to data subjects or (b) is not permitted by applicable law.
- Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to the other party by email.
- Clause 1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
- Any notice or other communication will be deemed given when:
- delivered in person;
- received by mail (postage prepaid, registered or certified mail, return receipt requested); or
- received by an internationally recognized courier service (proof of delivery received by the noticing party) at the physical notice address (as identified above), with an electronic copy sent to the electronic notice address (as identified in the table above).
- Conflict of terms. The Client Agreement terms remain in full force and effect except as modified in this DPA. Insofar as NTT will be processing Personal Data subject to applicable Data Protection Laws on behalf of the Client in the course of the performance of the Client Agreement, the terms of this DPA will apply. If the terms of this DPA conflict with the terms of the Client Agreement, the terms of this DPA will take precedence over the terms of the Client Agreement.
- Governing law. This DPA is governed by the laws of the jurisdiction specified in the relevant provisions of the Client Agreement.
- Dispute resolution. Any disputes arising from or in connection with this DPA will be brought exclusively before the tribunal specified in the relevant provisions of the Client Agreement.
- Execution: This DPA may be executed in any number of counterparts, each of which will constitute an original, but which will together constitute one agreement. The parties will execute this DPA by electronic signature, and intend and agree that the electronic signature will have the same validity and legal effect as the use of a signature affixed by hand and is made with the intention of authenticating this DPA and evidencing the intention of that party to be bound by this DPA.
Particulars of Processing
Categories of data subjects whose personal data is transferred
Data subjects include the data exporter’s users, including employees, contractors, and Clients. NTT acknowledges that, depending on Client’s use of the Services, the data importer may process the personal data of any of the following types of data subjects:
- Employees, contractors, temporary workers, agents and representatives of data exporter;
- Users (e.g., clients’ end users) and other data subjects that are users of data exporter's Services;
- Juristic persons (where applicable).
Categories of personal data transferred
NTT acknowledges that, depending on Client’s use of the Services, the data importer may process the following types of Personal Data:
- Basic personal data (for example first name, last name, email address);
- Authentication data (for example username and password);
- Contact information (for example work email and phone number);
- Unique identification numbers and signatures (for example IP addresses);
- Biometric Information (for example fingerprints at NTT data centers);
- Location data (for example, geo-location network data);
- Device identification (for example IMEI-number and MAC address);
- Special category personal data as identified in Article 9 of the GDPR;
- Any other personal data identified in Article 4 of the GDPR.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No Sensitive Personal Data transferred. The data exporter shall not disclose (and shall not permit any individual to disclose) any Sensitive Personal Data to the data importer for processing.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal data may be transferred on a continuous basis in order to provide the Services under the existing Client Agreement.
Nature of the processing
The nature of processing personal data is for data importer to provide the Services under the existing Client Agreement.
Purpose(s) of the data transfer and further processing
The data importer will Process Personal Data as necessary to perform the Services pursuant to the Client Agreement, to the extent determined and controlled by You in Your sole discretion. Further, We will also Process and enrich the Personal Data in the data importer’s systems to (i) improve, enhance, support and operate the Services and their availability; (ii) develop new products and services; (iii) compile statistical reports and insights into usage patterns.
The data importer may further transfer Personal Data to third-party service providers that host and maintain the data importer’s applications, backup, storage, payment processing, analytics and other services as specified in the section on sub-processors below. These third-party service providers may have access to or Process Personal Data for the purpose of providing these services to NTT.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
See clause 14 of the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
In accordance with the DPA, the data importer may engage sub-processors to provide some or all of the Services on data importer’s behalf or use any of current or future subsidiaries of NTT for the duration of the Client Agreement. Any such sub-processors will be permitted to obtain personal data only to provide some or all of the Services the data importer has engaged them to provide, and they are prohibited from using personal data for any other purpose.
A list of sub-processors engaged by NTT is available at [ link - sub-processors ].
Attachment B Technical and Organizational Measures
NTT maintains Technical and Organizational Measures (‘TOMs’) to ensure it processes and protects Personal Data in a responsible way, considering the types of Personal Data that NTT processes, industry standards, the interests and rights of NTT’s employees, clients and communities, and the reasonable cost of implementation in accordance with clause 9 of the DPA and/or, as applicable, incorporated in the applicable SCCs and/or applicable Data Protection Laws. The TOMs maintained by NTT as referenced in this Attachment B are described at [ link – security (TOMs) ].