Great Place To Work® Institute, Inc.
Product and Services Agreement
February 1, 2022
TABLE OF CONTENTS
Telecommunications and Internet Services
Invoices and Payment
Credits for Future Services
Rights to Audits, Inspections, Data Protection Impact Assessments and Prior Consultations
Remuneration and Costs
Deletion of Customer Personal Data
Subprocessors
Personal Data Breach
Compliance with Federal Healthcare Programs
Compliance with Federal Healthcare and Procurement Programs
Compliance with Immigration Laws
Compliance with United States Code Title 42
GPTW Transparency Report and Data Transfer From the EU
Termination for Cause
Rights and Obligations Upon Expiration or Termination
Survival
Waiver
Notices
Assignment
Independent Contractor
Severability
Amendments
Use of Names/Logo
Legal Fees
Insurance
Force Majeure
Successors and Assigns
Counterparts
Titles and Subtitles
Disputes
Remedies
No Third-Party Beneficiaries
Entire Agreement
Digital Format
This PRODUCTS AND SERVICES AGREEMENT (this “Agreement”) is incorporated by reference into the fully executed GPTW Order Form or GPTW Statement of Work (collectively, the “Principal Agreement”) between: (i) GPTW acting on its own behalf and as agent for each GPTW Affiliate; and (ii) Customer acting on its own behalf and possibly as agent for each Customer Affiliate. GPTW and Customer are each a “Party” and, collectively, the “Parties” to this Agreement.
WHEREAS, GPTW provides products and services assessing workplace culture, performance, certification, and accreditation to assist companies and organizations in evaluating and improving their workplaces; and
WHEREAS, Customer wishes to engage GPTW to perform the Services (defined below) pursuant to the terms of this Agreement.
NOW, THEREFORE, in consideration of the promises and the mutual covenants contained herein and for other good and valuable consideration, the Parties hereto agree as follows:
GENERAL TERMS AND CONDITIONS
1. DEFINITIONS
Capitalized terms not defined in this Section 1 have the meaning ascribed to them where used in the Agreement.
1.1 “Affiliate” means GPTW wholly-owned and majority-owned subsidiaries and Great Place To Work Institute, Inc. licensees with no ownership interest by GPTW.
1.2 “Aggregate Data” means (a) the Customer-specific information, data, and content contained in any report(s) delivered by GPTW to Customer pursuant to this Agreement; and (b) any other aggregated data that is derived from the Raw Data and that is delivered by GPTW to Customer pursuant to this Agreement. For the avoidance of doubt, Aggregate Data does not include any Raw Data or Customer Data.
1.3 “Assessment” means any assessment conducted by GPTW as part of the Services pursuant to which GPTW uses its tools and methodologies to assess and measure work place culture (including, but not limited to, use of Trust Index Survey, Culture Audit, Culture Brief, Trust Model and Methodology).
1.4 “Certification” means the process through which Customers may measure their employees’ experiences and which such employees’ experiences may be “Certified” through the confirmation and performance with the Great Place To Work Models.
1.5 “Customer Affiliate” means Customer wholly-owned and majority-owned subsidiaries.
1.6 “Customer Data” means Customer’s proprietary data and information that Customer provides to GPTW so that GPTW may, as part of the Services, conduct an Assessment (e.g., demographic and corporate information necessary to distribute the Survey to participants such as email address, employee ID, and other personally identifying information) and the proprietary data that may be provided by Customer to GPTW for the Culture Audit or Culture Brief). For the avoidance of doubt, Customer Data does not include either Aggregate Data or Raw Data.
1.7 “Customer Personal Data” means any Personal Data Processed by a Processor on behalf of Customer pursuant to or in connection with the Principal Agreement.
1.8 “Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
1.9 “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.10 “Data” means the Raw Data and the Aggregate Data.
1.11 “Data Protection Laws” means the European Union (EU) 2016 General Data Protection Regulation (GDPR), the California Consumer Protection Act of 2018 AB 375 (CCPA), and the Data Protection Laws of all other country, state, or regulating bodies.
1.12 “Fees” means the fees to be paid by Customer to GPTW as set forth in this Agreement, including in the applicable Principal Agreement.
1.13 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation).
1.14 “GPTW Intellectual Property” means (a) all copyrightable works owned by Great Place To Work (including without limitation books, articles, brochures, Surveys, Trust Index Surveys, Culture Audits, Culture Briefs, Trust Model and Methodology, the form and structure of reports, and other materials, tools and methodologies), whether or not the copyrights in such works have been registered in the U.S. or any other jurisdiction; (b) all confidential information and material belonging to Great Place To Work; (c) all Great Place To Work names, service marks, icons, and logos; (d) all techniques, algorithms and methods or rights thereto owned by, or licensed to, Great Place To Work during the term of this Agreement and employed by Great Place To Work in connection with the GPTW Services provided to Customer; (e) the Raw Data and GPTW Aggregate Data; (f) the GPTW Services; and (g) the Applications.
1.15 “GPTW Materials” means all techniques, algorithms and methods or rights thereto owned by, or licensed to, GPTW during the term of this Agreement and employed by GPTW in connection with the Services provided to Customer.
1.16 “Initial Term” has the meaning set forth in Section 9.1.
1.17 “Intellectual Property Rights” means patent rights (including, without limitation, patent applications and disclosures), copyrights, trade secrets, moral rights, know-how, and any other intellectual property rights recognized in any country or jurisdiction in the world.
1.18 “Late Payments” has the meaning set forth in Section 3.2.
1.19 “Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For purposes of this Agreement, Personal Data excludes information provided by an individual directly to GPTW so long as GPTW was not collecting such information on behalf of Customer or in furtherance of completing transactions as required pursuant to this Agreement.
1.20 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.21 “Pre-existing IPR” has the meaning set forth in Section 5.1.
1.22 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The nature and purpose as well as the subject matter and duration of the Processing of the Customer Personal Data is to collect Customer employee survey data for processing and archiving scientific and historical research purposes and statistical purposes assessing workplace culture, performance, and accreditation to assist organizations in evaluating and improving their workplaces.
1.23 “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
1.24 “Raw Data” means the confidential and anonymous responses received by GPTW from Customer and Customer’s employees in connection with, among other things, the Trust Index Survey(s) and/or Culture Audit(s), Culture Brief(s), focus groups, and one-to-one interviews administered by GPTW pursuant to this Agreement. For the avoidance of doubt, Raw Data does not include any Aggregate Data or Customer Data.
1.25 “Software” means any software owned or licensed by GPTW and used by GPTW to provide the Services.
1.26 “Services” means the services that GPTW will perform for Customer as described in the applicable Principal Agreement.
1.27 “Subprocessor” means any person (including any third party and any GPTW Affiliate, but excluding an employee of GPTW or any of its sub-contractors) appointed by or on behalf of GPTW or any GPTW Affiliate to Process Customer Personal Data on behalf of Customer in connection with the Principal Agreement.
1.28 “Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.
1.29 “Survey” means the web-based Customer employee engagement survey consisting of GPTW's standard survey questions and/or additional questions as requested by Customer.
1.30 “Term” has the meaning set forth in Section 10.1.
2. CUSTOMER OBLIGATIONS
2.1 Cooperation and Assistance. As a condition to GPTW’s performance hereunder, Customer will at all times: (a) provide GPTW with good faith cooperation and access to such information, facilities, and equipment as may be reasonably required by GPTW in order to provide the Services, including, but not limited to, providing Customer Data; (b) provide such personnel assistance, as may be reasonably requested by GPTW from time to time; and (c) comply with its obligations under this Agreement.
2.2 Telecommunications and Internet Services. Customer acknowledges and agrees that Customer’s and Customer’s users’ use of the Assessment portion of the Services is dependent upon access to telecommunications and Internet services. Customer and Customer’s users will be solely responsible for acquiring and maintaining all telecommunications and Internet services and other hardware and software required to access and use the Assessment portion of the Services, including, without limitation, all costs, fees, expenses, and taxes of any kind related to the foregoing.
3. FEES
3.1 Fees. In consideration for GPTW performing the Services, Customer will pay to GPTW the Fees in the amounts and in accordance with the terms set forth in the Principal Agreement.
3.2 Invoices and Payment.
(a) Customer will pay to GPTW the full amount of undisputed Fees according to the Payment Terms set forth in the Principal Agreement and sent by invoice to the Customer. GPTW reserves the right to cease performance of the Services to Customer if payment(s) is not made on time. An additional fee may need to be paid before the Services are reinstated.
(b) GPTW will email invoices to the primary Customer contact specified in the Principal Agreement. Further invoice requirements with respect to payment due dates are specified in the Principal Agreement. Payment remittance options will be set forth in the invoice and will include payment by check or wire, or payment online.
3.3 Credits for Future Services. If at any time GPTW issues a credit for future services to Customer, Customer must use the credits within twelve (12) months of the credit being issued.
4. OWNERSHIP AND USE OF DATA
4.1 Customer Data.
(a) As between GPTW and Customer, the Customer Data, and all Intellectual Property Rights therein or relating thereto, are and will remain the exclusive property of Customer or its licensors.
(b) GPTW will use Customer Data solely to perform the Services and in a manner that is compatible with the purposes for which such Customer Data is furnished to GPTW or subsequently authorized to be used, and GPTW will ensure that any Personal Information included in Customer Data is properly maintained and protected in accordance with Section 7.
4.2 Aggregate Data and Raw Data.
(a) As between GPTW and Customer, the Raw Data and the Aggregate Data, and all Intellectual Property Rights therein or relating thereto, are and will remain the exclusive property of GPTW.
(b) The Raw Data will not be provided to Customer by GPTW to protect the confidentiality of Customer respondents. Customer may use Aggregate Data solely as described in Section 5.3.
(c) GPTW covenants to use the Aggregate Data solely for the purposes of GPTW, including without limitation for benchmarking, creation of best practices, certification of companies as recognized workplaces, creation of lists of companies for publication, statistical analysis, and other R&D purposes. Customer
(d) To protect the confidentiality of Customer respondents, GPTW will not report on Assessment results in which fewer than five (5) people in a Customer demographic group have responded.
5. TREATMENT OF INTELLECTUAL PROPERTY
5.1 Notwithstanding any provision of this Agreement to the contrary, (a) all Intellectual Property Rights belonging to a Party, sub-contractor or third party prior to the Effective Date, or created other than in connection with GPTW’s provision of the Services (“Pre-existing IPR”) will remain with, and vested in, that Party, sub-contractor or third party (as applicable) and will not be assigned hereunder, and (b) all Intellectual Property Rights in all enhancements and modifications to, or derivative works of, any Pre-existing IPR made by either Party will be with, and vest in, the owner of the relevant Pre-existing IPR.
5.2 As between GPTW and Customer, the GPTW Intellectual Property, and all Intellectual Property Rights therein or relating thereto (except for limited rights granted to Customer and Customer’s users herein), are and will remain the exclusive property of GPTW or its licensors. Customer is not acquiring any rights to any GPTW Intellectual Property. Any use of GPTW Intellectual Property other than as expressly described in this Agreement requires prior written approval from GPTW.
5.3 Without GPTW’s prior written approval, which may be withheld in GPTW’s sole discretion, Customer will not use or re-use any GPTW Intellectual Property in any manner other than pursuant to its receipt of the Services during the Term (including in any surveying conducted either in-house or with another vendor outside of the scope of this Agreement). Reports provided by GPTW to Customer may be distributed internally by Customer, but any external distribution requires prior written approval from GPTW which will not be unreasonably withheld.
5.4 Each Party will not infringe or misappropriate the Intellectual Property Rights of the other Party or of any third party while performing its obligations under this Agreement.
5.5 Each Party acknowledges and agrees that the other Party’s Intellectual Property is the valuable property of the other Party. Each Party will safeguard and protect the Intellectual Property that it receives. Each Party will not alter or modify or permit others to alter or modify the other Party’s Intellectual Property without the prior written approval of the other Party. As examples only, and in no way as any limitation of this provision, no text may be revised nor may any mark or logo be altered, distorted or modified in any way.
5.6 In the event a Party becomes aware of any infringement or unauthorized use of the other Party’s Intellectual Property by that Party, its personnel or by any third party, that Party will immediately notify the other Party of such infringement or unauthorized use. If such infringement or unauthorized use is by that Party or its personnel, that Party immediately will cease such infringement or unauthorized use; if such infringement or unauthorized use is by a third party, that Party will cooperate with the other Party in causing the third party to cease such infringement or unauthorized use.
6. CONFIDENTIALITY
6.1 Any Customer Data provided by Customer to GPTW or otherwise obtained by GPTW as a receiving Party relating to the business or operations of Customer or its clients or any person, firm, Customer or organization associated with Customer, will be treated by GPTW as confidential, and GPTW will not disclose the same to third parties without the prior written consent of Customer. The Parties acknowledge and agree that the Customer Data does not include the Raw Data and the Aggregate Data, which are GPTW Intellectual Property.
6.2 In the event that Customer as a receiving Party has access to any confidential information and/or material belonging to GPTW (including GPTW Intellectual Property), whether such access is intended or inadvertent, then Customer will treat such information and/or material as confidential and will not disclose such information and/or material to third parties without the prior written consent of GPTW.
6.3 The confidentiality provisions set forth herein will not apply to confidential information which (a) is in or enters the public domain other than by acts or omissions of the receiving Party, (b) is obtained by the receiving Party from a third party who obtained it lawfully without obligation of confidentiality, (c) is or has been independently generated by the receiving Party as evidenced in written documents, or (d) is properly disclosed by the receiving Party pursuant to a statutory obligation, the order of a court of competent jurisdiction or that of a competent regulated body that requires the disclosure of confidential information or material belonging to the other Party, provided that the receiving Party will before disclosure notify the other Party, unless such notice is prohibited, so that steps may be taken to attempt to quash or limit any disclosure.
6.4 The foregoing obligations as to confidentiality will apply retrospectively, from the point of first contact between Customer and GPTW regarding the Services and will remain in full force and effect notwithstanding any termination of this Agreement.
7. DATA SECURITY
7.1 The GPTW analytical survey platform named Emprising is hosted by the cloud provider Microsoft Azure. GPTW contracts with Azure to maintain the highest level of Data Security and Data Privacy global compliance at all times. This legal protection is passed along to all GPTW clients through the warranties in the Products and Services Agreement for the entire term of our engagement as detailed below. The Azure audit reports and other resource documentation as well as the Azure Compliance Manager Tool used by GPTW to comply with the GDPR and other privacy laws are found at the following URLs: https://servicetrust.microsoft.com/ and other compliance offerings: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings. A general article about Azure compliance is here: https://www.communicationsquare.com/news/everything-about-gdpr-compliance-in-microsoft-cloud/ and a blog here: https://azure.microsoft.com/en-us/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/. There are some country-specific compliance resources as well. For example, compliance in Germany is addressed at the following URL: https://servicetrust.microsoft.com/ViewPage/GermanComplianceResourcesV3.
7.2 GPTW provides the highest standard of legal protection by warranting to our clients that during the entire term of the engagement, GPTW has not received notice of non-compliance with the following industry standards: CPA-audited financial statements by the firm Abbott, Stringham & Lynch, the International Organization for Standardization (ISO) for data security ISO 27001:2013, business continuity management ISO 22301:2019, and quality management ISO 9001:2015 as well as the National Institute of Standards and Technology (NIST 2015) cybersecurity framework. If applicable, GPTW also complies with the Payment Card Industry Data Security Standard (PCI DSS) through a third-party provider. GPTW also provides these warranties and representations for the GPTW Network even though it does not support Emprising. The Emprising survey questions and responses never touch the GPTW Network. Any communication between Emprising hosted on Azure and the GPTW Network is strictly limited to an end-to-end secure VPN connection using IPSec protocol. Accordingly, GPTW considers the third-party financial and security audits of the GPTW Network to be for “restricted use” and confidential and does not release them to any Customer.
7.3 GPTW maintains a Chief Data Protection Officer (CDPO) and a Certified Lead Auditor (Auditor) for ISO 27001:2013 to ensure compliance with these industry standards. The CDPO and Auditor report directly to the CEO and President of GPTW.
8. DATA PRIVACY
8.1 GPTW will use commercially reasonable efforts consistent with industry standards to collect, transmit, store, protect and maintain the Data and Customer Data obtained through the Services in accordance with the details provided in the GPTW Global Privacy Policy found at the following URL: https://www.greatplacetowork.com/privacy-policy. GPTW represents and warrants that during the Term it complies with the European Union (EU) 2016 General Data Protection Regulation (GDPR), the California Consumer Protection Act of 2018 AB 375 (CCPA), the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules, and the Data Protection Laws of all other country, state, or regulating bodies. GPTW is also certified under the US/EU and US/CH Privacy Shield. If needed, appended to this Agreement is an executed Standard Contractual Clauses (new SCC) recited in the June 4, 2021 final Implementing Decision released by the European Commission. GPTW collects Data for processing and archiving scientific and historical research purposes and statistical purposes assessing workplace culture, performance, and accreditation to assist organizations in evaluating and improving their workplaces. This exact language is found in Article 89 of the GDPR. The types and categories of Customer Personal Data to be processed are found in the demographic section and Trust Index questions of the survey. GPTW DOES NOT SELL PERSONAL DATA to any third party.
8.2 In connection with the Services, GPTW may receive, process and store Personal Data in the United States or other jurisdictions. Personal Information received by GPTW will be protected by GPTW as described in the Section above. In the event that consent of any individual is required to be obtained before transfer of Personal Information to GPTW, Customer is responsible for obtaining the consent of any affected individual. Said consent needs to be freely given, specific, informed, unambiguous and given by a statement or clear affirmative action.
8.3 GPTW maintains a full-time Chief Data Protection Officer (CDPO) and staff to ensure compliance with all Data Protection Laws. The CDPO reports directly to the CEO and President of GPTW. GPTW also employs full-time a Certified Information Privacy Practitioner (CIPP) and a Certified Information Privacy Manager (CIPM) who are certified by the International Association of Privacy Professionals at www.iapp.org whose credentials are accredited by the American National Standards Institute (ANSI) under the International Organization for Standardization (ISO) standard 17024:2012.
8.4 Data Subject’s Rights. Taking into account the nature of the Processing, GPTW and each GPTW Affiliate shall assist Customer to respond to requests to exercise Data Subject rights under any Data Protection Laws. GPTW shall promptly notify Customer if any Processor receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data. GPTW shall ensure that the Processor does not respond to that request except on the documented instructions of Customer or as required by any Data Protection Law to which the Processor is subject, in which case GPTW shall to the extent permitted by any Data Protection Law inform Customer of that legal requirement before Processor responds to the request. The nature and purpose as well as the subject matter and duration of the Processing of the Customer Personal Data is to collect Customer employee survey data for processing and archiving scientific and historical research purposes and statistical purposes assessing workplace culture, performance, and accreditation to assist organizations in evaluating and improving their workplaces. The types and categories of Customer Personal Data to be processed are found in the demographic section and Trust Index questions of the survey.
8.5 Rights to Audits, Inspections, Data Protection Impact Assessments, and Prior Consultations. GPTW and each GPTW Affiliate shall make available to Customer on request all information necessary to contribute to audits, inspections, data protection impact assessments, and prior consultations by Customer in relation to the Processing of the Customer Personal Data by the Processor to meet the requirements of any Data Protection Law. GPTW shall immediately inform Customer if, in its opinion, an instruction pursuant to this Section infringes any Data Protection Law. Customer undertaking an audit, inspection, data protection impact assessment, or prior consultation under this Section shall give GPTW or the relevant GPTW Affiliate reasonable notice and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing any damage, injury or disruption to the Processor’s premises, equipment, personnel and business while Customer’s personnel are on those premises in the course of such an audit, inspection, data protection impact assessment, or prior consultation. A Processor need not give access to its premises pursuant to this Section: (i) to any individual unless he or she produces reasonable evidence of identity and authority; (ii) outside normal business hours at those premises; or (iii) for the purposes of more than one audit, inspection, data impact assessment, or prior consultation in respect of each Processor in any calendar year, except if Customer is so required by a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country.
8.6 Remuneration and Costs. The Customer shall remunerate GPTW based on time and costs spent to perform the obligations under this Section based on GPTW’s CDPO and CIPP hourly rates of $650/hour and the hourly rates of other GPTW personnel as needed. GPTW is also entitled to remuneration for any time and material used to adapt and change the Processing activities in order to comply with any changes to the Customer’s instruction, including implementation costs and additional costs required to deliver obligations under the Principal Agreement due to the change in instruction. GPTW shall invoice Customer for a deposit to be paid in advance of performing the work in this Section requiring remuneration and/or costs.
8.7 Deletion of Customer Personal Data. GPTW will delete and destroy Customer Personal Data used in the Processing after its use in the Processing is complete, such as deleting the Customer’s employee names and email addresses file when a survey closes.
8.8 Subprocessors. GPTW may contract with one or more Subprocessors under the same terms provided in this Agreement. GPTW shall give Customer prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. Within five (5) business days after the receipt of that notice, Customer may notify GPTW in writing of any objections (on reasonable grounds) to the proposed appointment. GPTW will remain responsible and liable for the actions of any Subprocessors.
8.9 Personal Data Breach. GPTW shall notify Customer without undue delay and in no case more than 72 hours upon a Processor becoming aware of a Personal Data Breach affecting Customer Personal Data. Customer shall be provided with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. GPTW shall co-operate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. ADDITIONAL REPRESENTATIONS AND WARRANTIES OF GPTW
9.1 Compliance with HIPAA, Gramm-Leach-Bliley, etc. In carrying out its duties and obligations under this Agreement, GPTW shall follow and adhere to all applicable federal and state laws, including, but not limited to the Civil Rights Act of 1964, the Rehabilitation Act of 1973, Title IX of the Education Amendments of 1972, the Age Discrimination Act of 1975, the Americans with Disabilities Act, the Social Security Act, the Federal Acquisition Streamlining Act of 1994, the Federal Acquisition Regulations, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. GPTW acknowledges that the submission of false claims and statements in connection with the provision of Services under this Agreement is prohibited, and that such actions are sanctionable.
9.2 Compliance with Federal Healthcare Programs. GPTW represents and warrants that neither it, nor any of its contractors or employees who will furnish goods or services under the Agreement, directors or officers, or any person with an ownership interest in Supplier of five percent (5%) or more, is or ever has been: (i) debarred, suspended or excluded from participation in Medicare, Medicaid, the State Children’s Health Insurance Program (SCHIP) or any other federal health care program; (ii) convicted of a criminal offense related to the delivery of items or services under the Medicare or Medicaid program; (iii) had any disciplinary action taken against any professional license or certification held in any state or U.S. territory, including disciplinary action, board consent order, suspension, revocation, or voluntary surrender of a license or certification; or (iv) debarred or suspended from participation in procurement or non-procurement activities by any federal agency (collectively, “Sanctioned Persons”). In order to ensure that no payments from the Customer are made to Sanctioned Persons, GPTW shall screen all employees and contractors who will furnish goods or services under the Agreement to determine whether they have been excluded from participation in Medicare, Medicaid, the Children’s Health Insurance Program and/or any federal health care programs.
9.3 Compliance with Federal Healthcare and Procurement Programs. GPTW affirms that neither it nor any of its employees, affiliates or agents is an Ineligible Person and that to the best of its knowledge it is not party to a contract with any Ineligible Person. An Ineligible Person is an individual or entity who/which (i) currently is excluded, debarred, suspended or otherwise ineligible to participate in any federal healthcare and/or procurement or non-procurement programs (like Medicare and Medicaid) and/or (ii) has been convicted of a criminal offense that falls within the range of activities described in 42 U.S.C. §1320a-7(a), but who has not yet been excluded, debarred suspended or otherwise declared ineligible. This shall be an ongoing representation and warranty during the term of the Agreement, and GPTW shall immediately notify Customer of any change in the status of the representation and warranty set forth in this section. Any breach of this section shall give Customer the right to terminate this Agreement immediately for cause.
9.4 Compliance with Immigration Laws. GPTW represents and warrants to Customer that GPTW, to the best of its knowledge, shall not employ any individual to perform Services who is not legally authorized to work in the United States in the capacity indicated. GPTW certifies that, to the best of its knowledge, all employees who shall provide Services to Customer under this Agreement are legally authorized to be and to work in the United States in the capacity in which they are working under this Agreement and will provide written documentation to support such certification. Should an employee’s legal status change during the Term, GPTW shall notify Customer and promptly remove such employee from Company and from performing Services hereunder. GPTW shall indemnify and hold Customer harmless from any claim and/or from any legal action made against or involving Customer related to its alleged failure to comply with its obligations under this Section.
9.5 Compliance with United States Code Title 42. Until the expiration of four (4) years after this Agreement’s termination for any reason, GPTW, in accordance with Section 1395x(v)(1)(I) of Title 42 United States Code, shall make available upon written request of Customer, the U.S. Secretary of the United States Department of Health and Human Services, the Comptroller General of the United States General Accounting Office or any of their duly authorized representatives, a copy of this Agreement and such books, documents and records that the aforesaid parties determine necessary to verify the nature and extent of the costs of the services and/or supplies provided by GPTW hereunder. Should GPTW perform any of its duties hereunder through a subcontract with a value or cost of Ten Thousand Dollars ($10,000) or more over a twelve (12) month period with a related organization, such agreement shall require that until expiration of four (4) years after the furnishing of such services and/or supplies pursuant to such subcontract, the related organization similarly shall make available to the above parties all applicable contracts and all books, documents and records that they determine necessary to verify such costs’ nature and extent.
9.6 GPTW Transparency Report for Data Transfers Outside the EU. On July 16, 2020 the Court of Justice of the EU issued a Decision invalidating the use of the Privacy Shield as a means to transfer personal data from the EU to the US. The Decision did not invalidate the Privacy Shield itself and GPTW continues to comply with its requirements. The Decision affirmed the use of the 2010 Standard Contractual Clauses (SCC) as a means of transferring personal data from the EU to the US if the Customer performs a two-part “assessment” of GPTW. First, GPTW must inform Customer if it is unable to comply with the SCC, which GPTW so warrants. Second, GPTW has put in place what is referred to in the Court decision as “supplementary measures.” One of the supplementary measures implemented by GPTW is to warrant that GPTW will issue a Transparency Report if needed. Initially pursuant to an agreement with the U.S. Department of Justice and later Section 604 of the 2015 USA Freedom Act, a number of tech companies have published statistics in “Transparency Reports” about the production orders received from national security and law enforcement authorities. Providers are allowed to disclose aggregated statistics about the number of requests received pursuant to various criminal and national security authorities, but given the non-disclosure orders that generally accompany FISA orders and National Security Letters, disclosures are limited to a preset number of data points and the use of general ranges of numbers (“bands”). Since its incorporation as a business and through the date of this Agreement, GPTW has never received or been notified of a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information pursuant to the national security laws of the United States or any other country. As a result, GPTW has never had to issue a Transparency Report.
Such a declaration further bolsters the proposition that reliance on SCC can ensure adequate protection for EU citizen data, despite the existence of EO 12333, PPD 28 and FISA Section 702.
9.7 GPTW warrants to Customer that the Services will be performed: (i) in a professional and workmanlike manner and otherwise in accordance with prevailing industry standards; (ii) by personnel that have the requisite skills, expertise, experience and training necessary to perform such Services; and (iii) in accordance with the requirements of the Principal Agreement and all applicable present and future laws, regulations, ordinances, orders, decrees and requirements applicable to performance of the Services. GPTW warrants and represents that it will make commercially reasonable efforts to ensure that no Software or Data shall include and/or cause the Customer’s data and/or computer system to become infected by any virus or any other type of malware.
10. TERM AND TERMINATION
10.1 Term. This Agreement will commence on the Effective Date and will continue for the period stated in the Principal Agreement (the “Initial Term”), unless terminated earlier as provided in this Agreement. The Principal Agreement controls whether this Agreement will automatically renew for subsequent renewal periods, each of length equivalent to the Initial Period, unless either Party notifies the other in writing of its intent not to renew at least thirty (30) calendar days prior to the end of the Initial Term or the then-current renewal period, as applicable. The Initial Term and any renewal periods are, collectively, the “Term”.
10.2 Termination for Cause. Either Party may terminate this Agreement upon written notice if the other Party materially breaches this Agreement and fails to correct the breach within thirty (30) days following written notice specifying the breach; provided that the cure period for any default with respect to Customer’s payment of Fees will be five (5) business days after written notice is sent.
10.3 Rights and Obligations Upon Expiration or Termination. Upon expiration or termination of this Agreement, Customer’s and Customer’s users’ right to access and use the Services (and any GPTW Intellectual Property) will immediately terminate, Customer and its users will immediately cease all use of the Services (and any GPTW Intellectual Property) except for the Aggregate Data received in reports which may continue to be used internally at the Customer, and each Party will return and make no further use of any confidential information, materials, or other items (and all copies thereof) belonging to the other Party no later than ten (10) days after the effective date of the expiration or termination of this Agreement.
10.4 Survival. The rights and obligations of GPTW and Customer contained in Sections 3 (Fees), 4 (Ownership), 5 (Intellectual Property), 6 (Confidentiality), 7 (Data Protection), 8 (Data Privacy), 11 (Indemnification), 12 (Limitation of Liability), and 13 (General) will survive any expiration or termination of this Agreement.
11. INDEMNIFICATION
11.1 A Party will release, defend, hold harmless and indemnify the other Party and its employees, officers, directors, shareholders, agents, representatives, successors and assigns, from and against any and all claims, demands, causes of action, losses, damages, liabilities, costs and expenses, including reasonable attorneys’ fees and costs, arising out of, resulting from or pertaining to (a) any negligent or wrongful act or omission of, or violation of law by, the Party, or any of its employees, officers, directors, representatives or affiliates; or (b) a breach of any warranty or agreement made by the Party herein. In addition, a Party will release, defend, hold harmless and indemnify the other Party and its employees, officers, directors, shareholders, agents, representatives, successors and assigns, from and against any and all third party claims, demands, causes of action, losses, damages, liabilities, costs and expenses, including reasonable attorneys’ fees and costs, arising out of, resulting from or pertaining to any claim alleging infringement or violation of any third party’s intellectual property rights.
11.2 The indemnified Party will promptly notify the indemnifying Party of any claim subject to indemnification, tender to the indemnifying Party control over the defense and settlement of the claim and render reasonable assistance to the indemnifying Party with respect to such defense and settlement.
12. LIMITATION OF LIABILITY
12.1 If a Party should become entitled to claim damages from the other Party for any reason in connection with this Agreement (including without limitation, for breach of contract, breach of warranty, negligence or other tort claim), the other Party will be liable only for the amount of the other Party’s actual direct damages up to the amount that Customer paid GPTW for the Services that are the subject of the claim. In no event will the other Party’s aggregate liability to the Party for all claims arising under or relating to this Agreement exceed the amount of twelve (12) months’ worth of Fees paid by Customer to GPTW under this Agreement. These limits are the maximum liability for which the other Party is responsible.
12.2 In no event will either Party be liable for: (a) any damages arising out of or related to the failure of the other Party or its affiliates or personnel to perform their responsibilities; and/or (b) any lost profits, loss of business, loss of data, loss of use, lost savings or other consequential, special, incidental, indirect, exemplary or punitive damages, even if either Party has been advised of the possibility of such damages.
12.3 The limitations of liability contained in Sections 12.1 and 12.2 shall not apply to liabilities arising from: (a) a Party’s gross negligence, fraud, violation of law, or misrepresentation; (b) a Party’s indemnity obligations; or (c) claims covered by a Party’s insurance.
13. GENERAL
13.1 Supplemental Charges for Work Not Quoted in the GPTW Order Form. In an effort at complete transparency and ease of doing business with GPTW at the lowest possible price to the Customer, there is a link to the GPTW External Security Policy at the bottom of the GPTW US website. In that Policy are found all the answers for filling out Customer security surveys or registering GPTW as a Customer vendor or the like. Customer agrees that if it requires GPTW to fill out a Customer security survey, registration, or the like, it will be invoiced for this additional work at $650/hr.
13.2 Waiver. It is understood and agreed that no failure or delay by either Party in exercising any right, power or privilege hereunder in any one or more instances or to insist on strict compliance with the performance of this Agreement or to take advantage of any respective rights will operate as a waiver thereof or the relinquishment of such rights in other instances but the same will continue and remain in full force and effect nor will any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any right, power or privilege hereunder.
13.3 Notices. All notices hereunder shall be in writing and delivered personally, by traceable courier (such as UPS) or by certified US mail, return receipt requested to the Party at the address set forth in the Principal Agreement. All such notices are deemed effective upon receipt or refusal of delivery.
13.4 Assignment. This Agreement may not be voluntarily or by operation of law assigned or transferred in whole or part, or in any other manner transferred by GPTW without the prior written consent of Customer, but GPTW may use subcontractors in assisting GPTW in providing the Services; provided that subcontractors sign an agreement with GPTW with terms at least as limiting as those in this Agreement. Any attempt to assign or transfer this Agreement other than in conformance with this Section will be of no effect and considered null and void.
13.5 Independent Contractor.
(a) GPTW is an independent contractor and nothing herein will be construed to the contrary. GPTW will not assume or create any obligations or responsibilities express or implied, on behalf of or in the name of Customer, or bind Customer in any manner or thing whatsoever without Customer’s written consent. GPTW will use GPTW’s own tools and instruments in providing the Services. GPTW will supply all necessary labor to render Services under this Agreement and may use subcontractors in doing so. GPTW will be solely responsible for the direction and control of GPTW’s agents, employees, representatives and subcontractors, including decisions regarding hiring, firing, supervision, assignment and the setting of wages and working conditions. Customer will neither have nor exercise disciplinary control or authority over GPTW or GPTW’s agents, employees, representatives or subcontractors.
(b) No agent, employee, representative or subcontractor of GPTW will be or be deemed to be the employee, agent, representative or subcontractor of Customer. None of the employer-paid benefits provided by Customer to its own employees, including but not limited to workers’ compensation insurance and unemployment insurance, are available from Customer to GPTW or to GPTW’s employees, agents, representatives or subcontractors. GPTW agrees to provide workers’ compensation insurance for any person utilized by GPTW to perform services under this Agreement and to pay all applicable social security taxes, unemployment compensation taxes, income taxes and other employer taxes and contributions required by any federal, state or local law with respect to GPTW or to persons utilized by GPTW to perform services under this Agreement.
13.6 Severability. If any provision of this Agreement is deemed to be invalid or unenforceable by a court of competent jurisdiction, the same will be deemed severable from the remainder of this Agreement and the Parties agree to renegotiate such provision in good faith, in order to maintain the economic position enjoyed by each Party as close as possible to that under the provision rendered unenforceable. In the event that the Parties cannot reach a mutually agreeable and enforceable replacement for such provision, then (i) such provision will be excluded from this Agreement, (ii) the balance of the Agreement will be interpreted as if such provision were so excluded and (iii) the balance of the Agreement will be enforceable in accordance with its terms.
13.7 Amendments. Once executed, this Agreement, and any attachments to this Agreement, may be modified only through the execution of a written instrument signed by the Parties.
13.8 Use of Names/Logo. Customer may request permission for the use of the GPTW logo, and in doing so, should request to fill out and complete the “Use of Great Place To Work® Institute Materials Consent Agreement” (the “GPTW Material Consent Form”) downloadable at www.greatplacetowork.com/images/GPTW-Material-Consent-Form.doc. Customer understands that it is subject to all rules and guidelines set forth in the GPTW Material Consent Form, the GPTW Intellectual Property Usage Policy at www.greatplacetowork.com/Intellectual-Property-Usage-Policy, the GPTW Brand Identity Policy at www.greatplacetowork.com/Brand-Identity-Policy and the GPTW Brand Usage Guide at which govern the usage of the Great Place To Work LOGO®. GPTW may include Customer’s name on a client list, unless notified otherwise in writing by Customer.
13.9 Legal Fees. If any action at law or in equity is necessary to enforce or interpret this Agreement, the prevailing Party will be entitled to reasonable attorneys’ fees, costs and necessary disbursements in addition to any other relief to which such Party may be entitled. It is agreed that GPTW in-house counsel will be billed at $650/hr.
13.10 Insurance. GPTW will provide, pay for, and maintain in full force and effect during the term of the Agreement the insurance outlined herein covering GPTW’s activities, and anyone directly or indirectly engaged by GPTW. GPTW will carry the following insurance coverages during the Term of this Agreement: (i) workers’ compensation insurance in the statutory amount and employer liability insurance with minimum limits of $1,000,000 each accident, $1,000,000 each employee and $1,000,000 annual aggregate; (ii) errors and omissions (professional liability) insurance for the Services rendered hereunder in the minimum amount of Two Million ($2,000,000) dollars per occurrence and in the annual aggregate; (iii) general liability insurance written on an occurrence basis in the minimum amount of One Million ($1,000,000) dollars per occurrence and Two Million ($2,000,000) dollars in the annual aggregate; and (iv) cyber liability insurance including coverage for network privacy liability with minimum limits of One Million ($1,000,000) dollars per occurrence and in the annual aggregate.
13.11 Force Majeure. Neither Party will be liable, and its performance will be excused, for any delays resulting from circumstances or causes beyond its reasonable control, including without limitation, fire or other casualty, act of God, strike or labor dispute, war, sabotage, terrorism, acts of aggression or other violence provided such Party will have used its commercially reasonable efforts to mitigate its effects and has given prompt written notice to the other Party. The time for the performance will be extended for the period of delay or inability to perform due to such occurrences up to a period of thirty (30) business days at which time the Party unaffected by the Force Majeure event may immediately terminate this Agreement.
13.12 Successors and Assigns. This Agreement and all of the terms and conditions hereof will be binding upon and inure to the benefit of GPTW and Customer and their respective successors, transferees, permitted assignees or legal representatives. Any terms of this Agreement containing a reference to GPTW or Customer will apply with equal effect to any such successor, permitted assignee, transferee or legal representative of the Party in question.
13.13 Counterparts. This Agreement may be executed in two or more counterparts, each of which will be deemed an original and all of which together will constitute one document.
13.14 Titles and Subtitles. The titles and subtitles used in this Agreement are used for convenience only and are not to be considered in construing or interpreting this Agreement.
13.15 Disputes. If any dispute or disagreement arises between the Parties with respect to the interpretation of any provision of this Agreement, the performance of either Party under this Agreement, or any other matter that is in dispute between the Parties related to this Agreement, then, upon the written request of either Party, the Parties will meet for the purpose of resolving such dispute. The Parties agree to discuss the problem and negotiate in good faith without the necessity of any formal proceedings related thereto. If such efforts are not successful then the Parties shall submit any dispute arising from or related to this Agreement to binding arbitration by a single arbitrator in accordance with the rules of the American Arbitration Association in Massachusetts, United States. If it is necessary to enforce or interpret this Agreement, the prevailing Party shall be entitled to reasonable attorneys’ fees, costs and necessary disbursements in addition to any other relief to which such Party may be entitled. This Agreement, and all matters collateral thereto, shall be governed by the laws of the United States (including without limitation, U.S. copyright and trademark laws) and the laws of the State of Delaware applicable to contracts entered into and to be performed entirely therein, without regard to any choice of law or conflict of law rules. Notwithstanding the foregoing, either Party will be free at any point to pursue injunctive relief if a Party’s Intellectual Property is being violated by the other Party or its affiliates. 
For any litigation which may otherwise arise with respect to this Agreement, the parties irrevocably and unconditionally submit (i) to the exclusive jurisdiction and venue (and waive any claim of forum non conveniens and any objections as to laying of venue) of the United States District Court for the State of Massachusetts, or (ii) if such court does not have jurisdiction, to the appropriate State court sitting in Middlesex County, Massachusetts, in connection with any action, suit or proceeding arising out of or relating to this Agreement and the subject matter of this Agreement, whether in contract, tort (including negligence), or any other form of action. THE PARTIES HEREBY UNCONDITIONALLY WAIVE THEIR RESPECTIVE RIGHTS TO A JURY TRIAL OF ANY CLAIM OR CAUSE OF ACTION ARISING UNDER THIS AGREEMENT.
13.16 Remedies. The rights and remedies herein provided will be cumulative and no one of them will be exclusive of any other and will be in addition to any other remedies available at law or in equity.
13.17 No Third-Party Beneficiaries. This Agreement is intended for the sole and exclusive benefit of the signatories and is not intended to benefit any third party (other than as described in Section 10). Only the Parties to this Agreement may enforce it.
13.18 Entire Agreement. This Agreement and the Principal Agreement constitute the entire understanding between the Parties. All previous representations or undertakings, whether oral or in writing, are superseded by this Agreement.
13.19 Digital Format. The Parties agree that the original of the Agreement, including the signature page, may be imaged and stored in a digital format on a Party’s computer systems and that any printout or other visually readable output which accurately reproduces the original of the Agreement, may be used for any purpose for which the original was intended, including proof of the content of the original writing.
GREAT PLACE TO WORK
STANDARD CONTRACTUAL CLAUSES
SEPTEMBER 26, 2021
THIS DATA PROCESSING AGREEMENT (this “Agreement”) is made between:
a Customer (the “Controller”); and
GREAT PLACE TO WORK INSTITUTE, INC., a Customer incorporated under the laws of the State of California in the United States, address 1999 Harrison Street Suite 2070 Oakland, CA 94612 (the “Processor”).
The Controller and the Processor may also be referred to herein collectively as the “Parties” and each individually as a “Party”.
1. BACKGROUND INFORMATION
The Controller is interested in the workplace accreditation products and services offered by Processor and Sub-Processor.
The Processor will perform services to the Controller according to an Order Form and Terms & Conditions entered into between the Parties (the “Service Agreement”), which includes the processing of personal data on behalf of the Controller for the purpose set forth in Section 1.1 and according to what is set forth in Exhibit 1 hereto. The Processor is established in a third country, i.e. a country outside the European Economic Area (“EEA”), for which the European Commission of the European Union did not issue a so-called adequacy decision stating that it ensures an adequate level of data protection as required under Regulation (EU) 2016/679. Therefore, the Parties have agreed to include certain standard contractual clauses (C(2021) 3972; “SCCs”) in this Agreement, to legitimize the envisioned data transfer in line with article 46(2)(c) of Regulation (EU) 2016/679. These SCCs are attached hereto as Exhibit 1, which exhibit must be signed separately. The Parties have determined that these SCCs provide a sufficient safeguard to ensure an adequate level of data protection for the personal data to be processed by Processor on behalf of the Controller, as set out in the Transfer Impact Assessment (“TIA”) of which the conclusion is attached hereto as Exhibit 2.
As a supplement to Exhibit 1, the following terms and conditions shall apply. In case of any conflict or inconsistency between the terms and conditions as set out in the body of this Agreement and the SCCs included in Exhibit 1, Exhibit 1 shall prevail and take precedence to the extent of that conflict or inconsistency in connection with the transfer of personal data.
2. DEFINITIONS
Where this Agreement uses terms that are defined in Regulation (EU) 2016/679 (the “Regulation”), those terms shall have the same meaning as in the Regulation.
3. CONTROLLER OBLIGATIONS
The Controller warrants that it is allowed under the applicable laws, including the Regulation, to provide the personal data to the Processor.
The Controller warrants that it complies with all its obligations under applicable laws, including the Regulation.
4. AUDIT RIGHT (INCL. INSPECTION)
Upon the written request of the Controller, the Processor undertakes to make available to the Controller all information and all assistance necessary to demonstrate compliance with the obligations laid down in this Agreement, for as far as the Controller is unable to obtain such information by other means without the involvement of the Processor and for as far as commercially reasonable. Furthermore, Processor shall upon the Controller’s written request at reasonable intervals, provide a copy of the available and most recent third-party audits and / or certifications of the Processor’s compliance with the requirements hereunder, or any summaries thereof.
If based upon the information which the Controller obtained under Section 4.1 of this Agreement, it has reasonable cause to doubt the Data Processor’s compliance with its requirements under this Agreement, the Controller has the right, upon reasonable written notice and at reasonable intervals, to verify Processor’s compliance with the requirements hereunder by requesting a self-certification letter from an authorised signatory of the Processor, accompanied by relevant reports and details (such as copies of processing agreements entered with sub-processors, details about information security, etc.) which the Processor agrees to compile in response to the request for self-certification (collectively the “Self-Certification Letter”).
If based upon the information which the Controller obtained under Sections 4.1 and 4.2 of this Agreement, it has reasonable cause to doubt the Data Processor’s compliance with its requirements under this Agreement, the Controller has the right to audit, including to inspect, (if necessary) at Processor’s premises, the Processor’s processing of personal data under this Agreement, at reasonable intervals or if there are indications of non-compliance of this Agreement by the Processor. The audit will take place during normal business hours, upon thirty (30) days’ prior written notice to the Processor, without interrupting the Processor’s normal course of business. The Controller hereby chooses to exercise its audit right by mandating an external, independent and certified auditor, to be designated in conference with the Processor.
The Parties shall consult each other on the findings of an audit at their earliest convenience. The Processor shall implement the proposed measures for improvement insofar as they are, in its discretion, appropriate, taking into account the processing risks associated with the processing activities, the state of the art, the costs of implementation and the market in which it operates.
The Processor shall be entitled to invoice the Controller for any costs it incurs in the context of this Section of the Agreement.
5. ASSISTANCE TO THE CONTROLLER
The Processor shall assist the Controller in fulfilling the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter II of the Regulation and the obligations pursuant to articles 32 to 36 of the Regulation: (i) for as far as the Controller is unable to meet these requirements under the Regulation without the Processor’s assistance, (ii) insofar as providing this assistance is commercially reasonable in the context of the scope and the extent of the assistance required and (iii) taking into account the nature of processing and the information available to the Processor.
The Processor shall be entitled to invoice the Controller for any costs it incurs in the context of this Section 5 of the Agreement.
6. TRANSFERS OUTSIDE THE EEA
The Processor may transfer personal data to a Sub-Processor mentioned in Annex III located outside of the EEA if the Processor, in addition to fulfilling the requirements set forth in Clause 8.8 of Exhibit 1, enters into a binding agreement with the Sub-Processor. This agreement shall include the obligations arising from this Agreement, including the instructions set out in Annex I-II of Exhibit 1. For the avoidance of doubt, it is the Controller’s responsibility to ensure compliance with the transfer requirements of Chapter V of the Regulation. To safeguard that the SCCs indeed legitimize the Transfer under the applicable data protection laws and provide for an adequate level of data protection as required under the Regulation, the Processor has performed a transfer impact assessment which the Controller deems to suffice for this purpose. If at any time either Party becomes aware that the transfer of personal data may result in an increased risk of any public, private or governmental body in any country mandating or obtaining access to personal data processed in the context of the Service Agreement, the Parties shall work together to ensure the execution of an addendum to this Agreement to appropriately safeguard the personal data being transferred.
The Controller shall at all times be entitled to withdraw its consent to the engagement of Sub-Processors (including any related third country transfers) provided under Section 6.1. In such case, the Processor shall immediately cease the transfer and shall, upon the Controller’s request, provide written confirmation of this. The Controller agrees that Controller’s withdrawal of consent pursuant to this Section 6.2 shall not affect any of the Controller’s obligations according to a Service Agreement, even if such withdrawal, to the extent reasonably evidenced by the Processor, adversely affects Processor’s performance of its obligations under the Service Agreement.
7. INDEMNIFICATION
The Processor undertakes to indemnify and hold harmless the Controller for any and all damage and losses incurred by the Controller due to the Processor’s processing of personal data in breach of this Agreement to the extent that said damage and losses are covered by the insurance policy(ies) of Processor.
8. CONFIDENTIALITY
The Processor agrees to not disclose or otherwise reveal information to third parties as to the processing of personal data under this Agreement, or other information received by the Processor as a consequence of this Agreement. This confidentiality obligation is not applicable to information that the Processor is ordered to disclose to a governmental authority, notwithstanding Section III of Exhibit 1. This obligation of confidentiality shall survive any termination or expiration of this Agreement.
9. THE CONTRACT TERM
This Agreement is effective as of its execution and for as long as the Processor processes personal data on behalf of the Controller, or until the Controller gives written notice of termination of this Agreement. In the event of a notice of termination, such notice shall be sent at least three (3) months prior to the termination of this Agreement.
10. ENTIRE AGREEMENT, ETC.
With regard to the subject matter hereof, this Agreement shall supersede any prior DPA agreements, DPA regulations in Terms & Conditions, and understandings between the Parties.
This Agreement has been executed on the date of the last signature set forth below.
CUSTOMER
Customer’s address and contact information as it appears on the GPTW Order Form.
Customer’s date and signature as it appears on the GPTW Order Form.
Oakland, California, USA, September 25, 2021
GREAT PLACE TO WORK INSTITUTE, INC.
Signature:
Name: Timothy H. Gens
Title: VP, Chief Legal Officer, CIPP, CDPO
EXHIBIT 1
STANDARD CONTRACTUAL CLAUSES
SECTION I
Clause 1
Purpose and scope
- The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)[1] for the transfer of personal data to a third country.
- The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
- These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
- The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
- These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
- These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3
Third-party beneficiaries
- Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 – Clause 8.1(b), 8.9(a), (c), (d) and (e);
- Clause 9 – Clause 9(a), (c), (d) and (e);
- Clause 12 – Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 – Clause 18(a) and (b).
- Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4
Interpretation
- Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
- These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
- These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5
Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6
Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 (optional)
Docking clause
- An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
- Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
- The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
MODULE TWO: Transfer controller to processor
8.1 Instructions
- The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
- The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
- The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
- The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union[2] (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
- the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
- the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
- the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
- the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
- The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
- The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
- The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
- The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
- The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9
Use of sub-processors
MODULE TWO: Transfer controller to processor
- The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the data exporter’s prior specific written authorisation. The data importer shall submit the request for specific authorisation at least thirty (30) days prior to the engagement of the sub-processor, together with the information necessary to enable the data exporter to decide on the authorisation. The list of sub-processors already authorised by the data exporter can be found in Annex III. The Parties shall keep Annex III up to date.
- Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects.[3] The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
- The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
- The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
- The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
Clause 10
Data subject rights
MODULE TWO: Transfer controller to processor
- The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.
- The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
- In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
Clause 11
Redress
- The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
MODULE TWO: Transfer controller to processor
- In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
- Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
- lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
- refer the dispute to the competent courts within the meaning of Clause 18.
- The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
- The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
- The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
MODULE TWO: Transfer controller to processor
- Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
- The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
- Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
- The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
- Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
- The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
- The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 13
Supervision
MODULE TWO: Transfer controller to processor
- The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.
- The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
MODULE TWO: Transfer controller to processor
- The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.
- The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
- the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
- the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards[4];
- any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
- The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
- The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
- The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
- Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
MODULE TWO: Transfer controller to processor
15.1 Notification
- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
- receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
- If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
- The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
- Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation
- The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
- The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
- The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
- The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
- The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
- Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
Clause 17
Governing law
MODULE TWO: Transfer controller to processor
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the member state wherein Controller is headquartered.
Clause 18
Choice of forum and jurisdiction
MODULE TWO: Transfer controller to processor
Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State. The Parties agree that those shall be the courts of the member state wherein Controller is headquartered.
A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
The Parties agree to submit themselves to the jurisdiction of such courts.
__________________
This Agreement has been executed on the date of the last signature set forth below.
CUSTOMER
Customer’s address and contact information as it appears on the GPTW Order Form.
Customer’s date and signature as it appears on the GPTW Order Form.
[1] Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.
[2] The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.
[3] This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
[4] As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.
APPENDIX
EXPLANATORY NOTE:
It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1.
Name: CUSTOMER
Address: As stated on the GPTW Order Form
Contact person’s name, position and contact details: As stated on the GPTW Order Form
Activities relevant to the data transferred under these Clauses:
As signed and dated by Customer on the GPTW Order Form
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
1.
Name: GREAT PLACE TO WORK INSTITUTE, INC.
Address: 1999 Harrison Street, Suite 2070, Oakland, CA 94612
Contact person’s name, position and contact details: Timothy H. Gens, VP Chief Legal Officer, tim.gens@greatplacetowork.com
Activities relevant to the data transferred under these Clauses: Collection of responses from Data Exporter’s employees by a survey platform called Emprising.
September 25, 2021
Role: Sub-Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Employees of Controller.
Categories of personal data transferred
Names and email addresses of Customer employees invited to take the Survey.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Variable.
Nature of the processing
Collecting, storing, recording, anonymizing, erasing.
Purpose(s) of the data transfer and further processing.
To conduct, and report upon, an Assessment, as part of the Products and Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The processing shall continue during the Survey, and for a period of up to five business days thereafter. GPTW shall delete all Personal Data within five business days from the Survey closing.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
The processing shall continue during the Survey, and for a period of up to five business days thereafter. GPTW shall delete all Personal Data within five business days from the Survey closing.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The Data Protection Authority with jurisdiction over the Controller.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE TWO: Transfer controller to processor
EXPLANATORY NOTE:
The technical and organisational measures must be described in specific (and not generic) terms. See also the general comment on the first page of the Appendix, in particular on the need to clearly indicate which measures apply to each transfer/set of transfers.
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measures of anonymization and encryption of personal data
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
Measures for user identification and authorisation
Measures for the protection of data during transmission
Measures for the protection of data during storage
Measures for ensuring physical security of locations at which personal data are processed
Measures for ensuring events logging
Measures for ensuring system configuration, including default configuration
Measures for internal IT and IT security governance and management
Measures for certification/assurance of processes and products
Measures for ensuring data minimisation
Measures for ensuring data quality
Measures for ensuring limited data retention
Measures for ensuring accountability
Measures for allowing data portability and ensuring erasure
- Confidentiality of processing systems and services (Art. 32 (1) b GDPR)
- Access to Customer data is only granted to those with a legitimate need. Customer data is only accessed by GPTW employees that are authorized based on job. Survey access is controlled so that survey respondents cannot see another’s responses.
- GPTW has a documented Access Control Policy which includes a formal user registration and de-registration process to enable assignment of access rights, unique IDs for all users, a periodic review of access rights with owners of the information systems or services, restrictions and control of privileged access rights by management, an authorization process to allocate and control privileged access rights, monthly review of privileged access, a formal Password Policy, a policy that forces users to change their password at first log-on, password requirements (such as minimum length, complexity, periodicity to change, password history), and passwords encrypted in storage and in transit.
- On-premises servers are in a locked, climate-controlled server room with access limited to authorized personnel.
- All remote access (including VPN, dial-up, and other forms of access that allow login to internal systems) is required to use multi-factor authentication. Multi-factor authentication is used for all administrative access. Direct administrative interactive access to systems (either remotely or locally) is blocked. Instead, administrators access systems initially using a non-administrative
- Data is partitioned and separated so that Customer users cannot see another Customer’s
- To protect the confidentiality of the Customer Employee Data, GPTW uses a suppression algorithm. GPTW will not report on Assessment results in which fewer than five (5) people in a Customer demographic group have. The Customer Employee is assured that their participation is completely confidential and voluntary.
- GPTW has a documented Risk Management. Risk assessments are performed quarterly. The Customer has formally documented information security, data privacy, and confidentiality policies, standards and procedures that are approved by senior management, communicated to staff, reviewed at least annually, and published appropriately so as to be available for reference and application.
- The GPTW analytical survey platform named Emprising is hosted by the cloud provider Microsoft Azure. GPTW contracts with Azure to maintain the highest level of Data Security and Data Privacy global compliance at all times. This legal protection is passed along to all GPTW clients through the warranties in the Products and Services Agreement for the entire term of our engagement as detailed below. The Azure audit reports and other resource documentation, as well as the Azure Compliance Manager Tool used by GPTW to comply with the GDPR and other privacy laws, are found at the following URLs: https://servicetrust.microsoft.com/ and other compliance offerings: https://www.microsoft.com/en-us/trustcenter/compliance/complianceofferings. A general article about Azure compliance is here: https://www.communicationsquare.com/news/everything-about-gdpr-compliance-in-microsoft-cloud/ and a blog here: https://azure.microsoft.com/en-us/blog/protecting-privacy-in-microsoft-azure-gdpr-azure-policy-updates/. There are some country-specific compliance resources as well. For example, compliance in Germany is addressed at the following URL: https://servicetrust.microsoft.com/ViewPage/GermanComplianceResourcesV3.
- Integrity of processing systems and services (Art. 32 (1) b GDPR)
- GPTW uses commercially reasonable efforts consistent with industry standards to collect, transmit, store, protect and maintain the Data and Customer Data obtained through the GPTW. GPTW represents and warrants that during processing or the term of the client’s engagement it complies with the European Union (EU) 2016 General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 AB 375 (CCPA), and the Data Protection Laws of all other countries, states, or regulating bodies. This warranty is stated in Section 8 (Data Privacy) of the GPTW Products and Services Agreement found at the link on the bottom of the GPTW US homepage: https://www.greatplacetowork.com/products-services-agreement
- The GPTW Emprising™ survey and analytics software platform operates by uploading to Emprising an Employee Data File (EDF) containing an email address list for the Customer’s Employees taking the survey and, optionally, other information such as pre-coded demographics etc. of the Customer’s Employees. The EDF can be uploaded to Emprising either by GPTW or directly by the Customer. The EDF is stored encrypted in a separately partitioned area from the Customer Employee Data which contains the Survey Responses from the Customer’s Employees. When the Survey closes, the EDF is
- Any communication between Emprising hosted on Azure and the GPTW Network is strictly limited to an end-to-end secure VPN connection using IPSec.
- Availability and resilience of processing systems and services (Art. 32 (1) b GDPR)
- Audit log settings are validated for each device that maintains log information. Validation ensures that logs include relevant information for the device including a timestamp, source addresses, destination addresses, and various other useful elements of the packet and/or transaction. Devices record logs in a standardized format (such as syslog entries or those outlined by the Common Event Expression initiative).
- A holistic disaster recovery plan has been documented and implemented. Disaster recovery plans address the recovery of all relevant aspects of the business function/service, including applications, databases, utilities, and network infrastructure.
- At least two different telecommunication providers are used to supply network communications to the data center. Redundant data center locations are at least 30 miles apart. Natural hazards that may negatively impact the data center (e.g., proximity to bodies of water, proximity to fault lines) have been
- All data is backed up daily between Azure servers at these fully redundant hot-sites. Contractual language is included to ensure that Azure properly controls access in a manner consistent with GPTW’s own internal. Data is encrypted in transit and in storage using a commercially available dual key AES 256-bit encryption software.
- Procedures for routine review, assessment, and evaluation (Art. 32 (1) lit. d GDPR; Art. 25(1)GDPR)
- An automated configuration monitoring system for data protection management is implemented to measure and monitor secure configuration elements through remote testing. The system uses features compliant with Security Content Automation Protocol (SCAP) to gather configuration vulnerability information. System-specific configuration management tools are deployed (such as Active Directory Group Policy for Microsoft Windows environments) that automatically enforce and redeploy configuration settings to systems at regularly scheduled. Automated tools are deployed to continuously monitor workstations, servers, and mobile devices for active, up-to-date anti-malware protection.
- GPTW has established a written incident response plan that includes definition of roles and responsibilities for incident management. The plan also defines procedures for incident management. Senior management is appropriately represented (with input and decision-making authority) in the incident management process. The incident response plan includes procedures for the analysis of events and the criteria for determining if the event should be escalated to an incident. Procedures include roles and responsibilities for personnel and requirements for internal (e.g., Compliance, Communications, Legal, Executive Team) and external (e.g., Law Enforcement, Customer)
- All data is password protected by
- The standard secure configurations are documented, approved, and regularly. Any deviations from the standard configuration or updates to the standard configuration are documented and approved by authorized personnel. At network interconnection points (e.g., Internet gateways, third party network connections, internal network segments with different security controls etc.), ingress and egress filtering are implemented to allow only those ports and protocols with an explicit and documented business need. All other ports and protocols are blocked. Any exceptions are documented, approved, time-bound, and regularly reviewed.
- Pseudonymization and encryption of personal data (Art. 32 (1) lit. a GDPR)
- The GPTW Emprising™ survey and analytics software platform operates by uploading to Emprising an Employee Data File (EDF) containing an email address list for the Customer’s Employees taking the survey and, optionally, other information such as pre-coded demographics etc. of the Customer’s Employees. The EDF is dual key AES 256-bit encrypted both in transit and in storage in a separately partitioned area from the Customer Employee Data which contains the Survey Responses from the Customer’s Employees. When the Customer Survey starts running, the email list from the EDF is used to generate a Personalized Invite to each Customer Employee which is a log-in identifier unique to each Customer Employee. Employee responses are encrypted both in transit and in storage. When the Customer Survey closes, the link is broken between the EDF and the Customer Employee Data containing the Survey Responses of the Customer Employees, which disassociates and physically separates the EDF from the Customer Employee Data. After the survey closes, the Customer Employee Data does not contain the Customer name, nor the name or email address of the Customer Employee, nor any Personal Information that can be used to identify the Customer Employee. As a result, the Customer Employee Data is immediately de-identified and made anonymous when the survey closes. Within five business days after closing the Customer Survey, the functionality of the survey is confirmed by GPTW and the EDF is deleted.
Additional details are provided at the link on the bottom of the GPTW US homepage in the GPTW External Security Policy:
https://www.greatplacetowork.com/external-security-policy
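The two mechanisms the Annex describes in prose, the personalised invite token that is the only link between an EDF row and a response (severed when the survey closes) and the five-respondent suppression rule from the confidentiality section, are modelled together in the following Python example. It is added for this page and is not GPTW's or Emprising's code. The function names, the constructed sample EDF and the complementary suppression step (also hiding the next-smallest group when exactly one group falls below the threshold, so that its size cannot be recovered by subtracting the published groups from the published total) are assumptions that go beyond what the Annex states.

```python
"""Model of an EDF-to-response flow with link severance at survey close
and small-group suppression in reporting. Example code for this page,
not the Emprising platform's code; names and data are assumptions."""
import secrets
from collections import Counter

MIN_GROUP = 5  # suppression threshold stated in Annex II

# Constructed sample EDF (not real data): 15 employees, one department each.
SAMPLE_EDF = (
    [{"email": f"eng{i}@example.com", "demographics": {"dept": "Engineering"}} for i in range(8)]
    + [{"email": f"sales{i}@example.com", "demographics": {"dept": "Sales"}} for i in range(5)]
    + [{"email": f"legal{i}@example.com", "demographics": {"dept": "Legal"}} for i in range(2)]
)


def issue_invites(edf):
    """Assign an unguessable invite token to each EDF row. The returned
    mapping is the only place a token can be resolved to an email address."""
    return {secrets.token_urlsafe(16): row for row in edf}


def record_response(responses, invites, token, answers):
    """Store a response under its token. Pre-coded demographics are copied
    from the EDF row; the email address deliberately is not, so the
    response partition never holds a direct identifier."""
    if token not in invites:
        raise PermissionError("unknown or revoked invite token")
    row = invites[token]
    responses[token] = {"demographics": dict(row["demographics"]), "answers": answers}


def close_survey(invites):
    """Break the link: discard the token-to-email mapping so no token can be
    resolved back to a person and no late or replayed submission is accepted."""
    invites.clear()


def suppressed_counts(responses, dimension, min_group=MIN_GROUP):
    """Respondent count per value of one demographic dimension, with values
    below min_group reported as None. Assumed extra safeguard: when exactly
    one value is suppressed, the next-smallest value is suppressed too, so a
    reader of the total cannot recover the hidden count by subtraction."""
    counts = Counter(r["demographics"][dimension] for r in responses.values())
    hidden = {v for v, n in counts.items() if n < min_group}
    if len(hidden) == 1 and len(counts) > 1:
        remaining = sorted((n, v) for v, n in counts.items() if v not in hidden)
        hidden.add(remaining[0][1])
    return {v: (None if v in hidden else n) for v, n in counts.items()}


def run_demo(edf=SAMPLE_EDF):
    """Walk the sample EDF through invite, response, close and reporting and
    return the report; the checks confirm the response partition holds no
    address and that the mapping is gone after close."""
    invites = issue_invites(edf)
    responses = {}
    for token in list(invites):  # every invitee responds in this demo
        record_response(responses, invites, token, {"q1": 4})
    close_survey(invites)
    if any("email" in r for r in responses.values()) or invites:
        raise RuntimeError("response partition still linkable to the EDF")
    return {"total": len(responses), "dept": suppressed_counts(responses, "dept")}


if __name__ == "__main__":
    print(run_demo())
```

In the sample, Legal (2 respondents) is below the threshold; because it is the only suppressed department and the total of 15 is published, Sales (5) is suppressed as well, otherwise 15 - 8 - 5 would reveal that two Legal employees answered. The same subtraction check applies to any cross-tabulation that publishes marginal totals.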
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter
Same as above.
ANNEX III
LIST OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
EXPLANATORY NOTE:
This Annex must be completed for Modules Two and Three, in case of the specific authorisation of sub-processors (Clause 9(a), Option 1).
The controller has authorised the use of the following sub-processors:
1. Name: Microsoft Azure
Address: 101 Herbert Drive, Danville, VA
Contact: https://azure.microsoft.com
Description of Processing: Cloud Provider for hosting Emprising Application.
2. Name: HTEC Group
Address: Bulevar Milutina Milankovica 11B, 11000 Belgrade, Serbia
Contact: Aleksandar Cabrilo, President, aleksandar.cabrilo@htec.rs
Description of Processing: Software Maintenance for Emprising Application.
3. Any relevant licensees and / or affiliates of the Processor as included in the Service Agreement.