CLIQ Web Manager Data Processing Agreement

HOW THIS DATA PROCESSING AGREEMENT APPLIES

This Data Processing Agreement, including its appendices, (“DPA”) forms part of the License Order (“Master Agreement”) between the Parties and is incorporated into the Master Agreement by reference, to reflect the Parties’ agreement regarding the processing of personal data.

between

ASSA ABLOY Ltd (the “Sub-processor”)

and

Customer (the “Processor”)

(each as “Party” together as “Parties”)

BACKGROUND

A.         The Sub-processor is a global manufacturer and supplier of access solutions.

B.         The Processor is a customer of ASSA ABLOY UK supplying security hardware products and associated software and services to the market.

C.         The Processor has entered into an agreement with the Sub-processor (the “Master Agreement”) under which the Sub-processor will provide certain services (the "Services") to the Processor and, where applicable, to affiliates of the Processor.

D.        The controller(s) of the personal data covered by this Data Processing Agreement are the end-user customers of the Processor.

E.         For the performance of the Services under the Master Agreement, the Sub-processor will process personal data as defined under the General Data Protection Regulation (EU) 2016/679 (the "GDPR") and the UK General Data Protection Regulation (the GDPR as transposed into UK national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).

F.         The Parties agree that the terms of this Data Processing Agreement shall apply to such processing of personal data.

G.        The Parties recognize that the EU Commission has adopted Standard Contractual Clauses 2021/914 (the “Model Clauses”) for the transfer of personal data to third countries, which also fulfil the requirements of Article 28(3) and (4) of the GDPR.

H.         The Parties recognize that the UK has adopted the International Data Transfer Addendum to supplement the Model Clauses (the “IDTA”) for the transfer of personal data to third countries.

1. Roles of the parties in relation to the processing of personal data

1.1       The Sub-processor will act as a sub-processor with respect to the processing of personal data covered by this Data Processing Agreement.

1.2       The processing of personal data that the Sub-processor will carry out as a sub-processor is described in Appendix 1.  

1.3       For the purpose of the Model Clauses included in Appendix 2, the Processor is the "data exporter" and the Sub-processor is the "data importer".   

1.4       Appendix 3 includes an overview of the options exercised under the Model Clauses.

1.5       The Parties agree that the Model Clauses, Module 3, included in Appendix 2, shall apply to transfers of personal data from the Processor to Sub-processor.  

1.6        In cases where Processor acts as processor for other non-EU/non-EEA Customer affiliates, and Sub-processor acts as a sub-processor, the provisions of this Data Protection Agreement and in particular Module 3 of the Model Clauses shall apply, unless deviating or additional requirements are laid out by data protection law applicable to the concerned non-EU/non-EEA Customer affiliates, in which case such deviating or additional requirements shall apply.

2. Security measures

The Parties agree that the Sub-processor shall implement the security measures set out in Annex II to the Model Clauses.  

3. Sub-processing

3.1       For the purpose of Clause 9 of Module 3 of the Model Clauses regarding use of sub-processors, the Parties agree that the Sub-processor has a general authorization to engage sub-processors for carrying out specific processing activities on behalf of the controller identified in the Background above. Where the processing activities involve a transfer of personal data within the meaning of Chapter V of the GDPR, the Sub-processor and such engaged sub-processor shall ensure compliance with Chapter V of the GDPR.

3.2       The current list of agreed sub-processors is set out in Annex III of the Model Clauses. Moreover, the Sub-processor shall maintain an updated list of all sub-processors engaged to process personal data on behalf of the controller identified in the Background above, which the Sub-processor shall provide upon request. The list shall at least include the following information in relation to each sub-processor:

(i)            the identity of the sub-processor (including full legal name, corporate registration number and address),

(ii)           the type(s) of service(s) provided by the sub-processor,

(iii)          the location where the sub-processor will process personal data on behalf of the controller identified in the Background above, and

(iv)          information on the measures (or where information on such measures may be found) that the sub-processor has taken to protect and safeguard the personal data.

3.3       Where the Sub-processor relies on the Model Clauses to ensure compliance with Chapter V of the GDPR in relation to transfers to sub-processors, the Parties agree that the conditions for the use of the Model Clauses shall also be met.

4. Transfers of personal data within the EU/EEA and to adequate countries

Recital 9 of the Model Clauses provides that the Model Clauses fully comply with the requirements of Article 28(3) and (4) of the GDPR, making it possible to use the Model Clauses also for transfers of personal data where the processing involves transfers from processors to sub-processors within the EU/EEA or to a country, which is found by decision of the EU Commission to ensure an adequate level of data protection within the meaning of Article 45 of the GDPR, even if the Model Clauses provide for provisions that (in parts) do not fit for transfers described in this section. Accordingly, the Parties agree that Module 3 of the Model Clauses shall apply for transfers described in this section with the modification that the following clauses of Module 3 of the Model Clauses shall not apply:

(i)            Clause 3 (Third-party beneficiaries),

(ii)           Clause 11 (Redress),

(iii)          Clause 12 (Liability),

(iv)          Clause 13 (Supervision)

(v)           Clause 14 (Local laws and practices affecting compliance with the Clauses),

(vi)          Clause 15 (Obligations of the data importer in case of access by public authorities)

(vii)         Clause 16 (e) (Non-compliance with the Clauses and termination)

(viii)        Clause 18 (Choice of forum and jurisdiction)

5. Notification of personal data breaches

The Parties agree that “without undue delay” pursuant to Clause 8.6 (c) of Module 3 of the Model Clauses shall generally not be longer than 24 hours. For the avoidance of doubt, in case “without undue delay” would imply a shorter time limit, such time limit shall apply. Breach notifications shall be made to the point of contact provided by the Processor in the Master Agreement.

6. Assistance

Without prejudice to Clause 10 of Module 3 of the Model Clauses the Sub-processor shall (i) taking into account the nature of the processing, assist the Processor by appropriate technical means and organizational measures, insofar as this is possible, for the Processor's obligations towards the controller to respond to requests for exercising data subject's rights under the GDPR and (ii) taking into account the information available to the Sub-processor assist the Processor in ensuring compliance with Articles 32–36 of the GDPR. The Sub-processor has the right to invoice Processor for reasonable compensation for costs incurred under this section. 

7. Audits

For the purpose of Clause 8.9 of Module 3 of the Model Clauses regarding audits, the Parties agree that each Party will bear its own costs for such audit. Should an audit or inspection show that the Sub-processor has not fulfilled its obligations under this Data Processing Agreement, the Model Clauses or applicable data protection law, the Sub-processor shall without undue delay remedy such issue at its own cost and bear all costs (i.e. its own and those of the Processor) of the audit.

8. Compliance with law

8.1       Changes to this Data Processing Agreement due to mandatory law. Processor shall have the right to request any necessary changes (including amendments) to the provisions of this Data Processing Agreement if this is necessary to comply with mandatory provisions of applicable data protection law. If disputed, the necessity of such change can be demonstrated by the provision of a respective order (which may be informal) by a competent supervisory authority, whereby Processor is not obliged to lodge an appeal against such an order. If, within thirty (30) days after Processor has notified Sub-processor in writing of the mandatory changes, the Parties are unable to agree on the mandatory changes necessary to comply with the mandatory legal requirements, Processor shall be entitled to terminate the Data Processing Agreement and the Master Agreement by giving thirty (30) days' written notice, without prejudice to its right to suspend the transfer of personal data with immediate effect.

8.2       If an essentially equivalent level of protection of personal data cannot be guaranteed. Where the Sub-processor notifies the Processor pursuant to Clause 14 (e) of the Model Clauses or if the Sub-processor otherwise has reason to believe that an essentially equivalent level of protection of personal data cannot be guaranteed, the Parties agree that the Processor – in addition to the measures outlined in Clause 14 (f) of the Model Clauses – shall be entitled to immediately terminate the Data Processing Agreement and the Master Agreement without any cost to the Processor.

8.3       Transfer impact assessment. For the purpose of Clause 14 of the Model Clauses, the Parties agree that the Sub-processor shall, at its own cost, reasonably assist Processor with the performance of any necessary data transfer impact assessments, including but not limited to providing the Processor with the full documentation of the data transfer impact assessment (which has to comply with the standards set forth in the European Data Protection Board’s Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, adopted on 18 June 2021 (“Guidelines”) and which the Sub-processor will keep up to date and for which the Sub-processor will provide updates to Processor in cases of significant changes, including but not limited to changes of the Guidelines) the Sub-processor carried out for (i) its own country of registration, (ii) other countries where it operates and (iii) for the countries, in which the Sub-processor's subprocessors, if any, have their registered seats and operations, all with regard to the processing of personal data on behalf of the controller. The Parties shall mutually work together to identify and implement any additional safeguards as may be required to ensure an essential equivalent level of protection of the personal data covered by the Data Processing Agreement.

9. Liability

9.1     Third party claims. Each Party shall indemnify and hold the other Party harmless from and against all losses, including administrative fines and penalties, due to claims by third parties (including affiliates to the Processor) arising out of or relating to any breach by such first-mentioned Party of this Data Processing Agreement or applicable data protection laws. Any applicable limitation of liability in the Master Agreement shall not apply to this indemnification obligation.

9.2    Claims from data subjects. Liability for any claims for damages from data subjects concerned shall be governed by Article 82 of the GDPR.

9.3    Breach of Model Clauses. Notwithstanding Clauses 9.1 and 9.2 above, liability for any breach of the Model Clauses shall be governed by Clause 12 of the Model Clauses.

9.4    Liability due to breach of contract. Without prejudice to Clauses 9.2 and 9.3 above, any loss suffered by a Party resulting from, arising out of or relating to a breach of this Data Processing Agreement as such (and that does not constitute a breach of the Model Clauses in Appendix 2), shall be governed by the provisions regarding liability and limitation of liability in the Master Agreement, save for that any limitation of liability in the Master Agreement shall not apply in regards to Sub-processor's liability.

9.5    Clause 4 transfers. Notwithstanding Clauses 9.1, 9.2 and 9.4 above and in case of a transfer covered by Clause 4 above, Clause 9.3 above shall not apply. Liability for breach of this Data Processing Agreement as such including the Model Clauses in Appendix 2 (as amended by Clause 4) shall be governed by the provisions regarding liability and limitation of liability in the Master Agreement, save for that any limitation of liability in the Master Agreement shall not apply in regards to Sub-processor's liability. 

10. Governing law and disputes

10.1    Governing law. This Data Processing Agreement shall be governed by the laws stated in Clause 17 of the Model Clauses.

10.2    Disputes relating to the provisions of this Data Processing Agreement. Any dispute, controversy or claim arising out of or relating to the provisions of this Data Processing Agreement as such (and which does not relate to the Model Clauses in Appendix 2), including Clauses 2–9 above, this Clause 10 and Clause 11 below, or the breach, termination or validity thereof, shall be settled in accordance with the dispute resolution clause in the Master Agreement.

10.3    Disputes relating to the Model Clauses. Notwithstanding Clause 10.2 above, any dispute, controversy or claim arising out of or relating to the Model Clauses in Appendix 2, or the breach, termination or validity thereof, shall be resolved in accordance with what is stated in Clause 18 of the Model Clauses.

10.4    Clause 4 transfers. Notwithstanding Clause 10.2 and 10.3 above and in case of a Clause 4 transfer, any dispute, controversy or claim arising out of or relating to the provisions of this Data Processing Agreement as such including Clauses 2–9 above, this Clause 10 and Clause 11 below and the Model Clauses in Appendix 2 (as amended by Clause 4), or the breach, termination or validity thereof, shall be settled in accordance with the dispute resolution clause in the Master Agreement.

11. Miscellaneous

11.1      For transfers to which the GDPR applies, the Model Clauses in Appendix 2 shall prevail over any conflicting clauses in this Data Processing Agreement in accordance with Clause 5 of the Model Clauses. For the avoidance of doubt, any provisions in this Data Processing Agreement that do not contradict, but merely go beyond the Model Clauses in Appendix 2 shall remain valid.

11.2      In the event of inconsistencies between the provisions of this Data Processing Agreement and any other agreement, including the Master Agreement, between the Parties in relation to the subject-matters addressed herein, the provisions of this Data Processing Agreement shall prevail as it relates to the Parties' data protection obligations in connection with data transfers and data processing.

11.3      Each Party shall have the right to make use of the docking clause in Clause 7 of the Model Clauses, subject to the other Party's approval. Such approval may be provided by way of an e-mail from an authorized representative for such Party. The Parties agree that for this purpose signature of Annex 1 A of the Model Clauses can be made by way of wet signature, with a scanned signed copy of Annex 1 A being sent to the other Party on the email addresses stated in the “Notice section” above or by secure electronic signature.

11.4      A determination that any provision of the Data Processing Agreement is invalid or unenforceable shall not affect the other provisions of the Data Processing Agreement. In such case the invalid or unenforceable provision shall be deemed to be automatically replaced by a valid and enforceable provision that comes closest to the purpose of the original provision. The same shall apply if the Data Processing Agreement contains an unintended gap.

11.5      If any provision of this Data Processing Agreement shall be held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid or unenforceable provision shall be deemed to be automatically replaced by a valid and enforceable provision that comes closest to the purpose of the invalid or unenforceable provision.

11.6      This Data Processing Agreement inures to the benefit of the Parties only and no third party shall have any rights hereunder, except as expressly stated otherwise in this Data Processing Agreement.

11.7      This Data Processing Agreement replaces any previous data protection related agreement(s) or contractual arrangements relating to the services under the Master Agreement.

  • APPENDIX 1 - DESCRIPTION OF THE PROCESSING OF PERSONAL DATA

  • APPENDIX 2 TO THE DATA PROCESSING AGREEMENT

    Standard Contractual Clauses (EU) 2021/914