This Data Processing Addendum (“DPA”) is entered into by and between Collibra NV (“Collibra”) and its wholly owned subsidiary, either Collibra Inc. or Collibra UK Limited (as applicable, “Vendor”), on the one hand, and you, a customer of Vendor for Collibra products and/or services (“Customer”), on the other hand, and amends and forms part of the commercial agreement between Customer and Vendor for Collibra products and/or services (the “Agreement”). This DPA is made effective as of the date of the Agreement and prevails over any conflicting term of the Agreement, but does not otherwise modify the Agreement. Collibra may modify this DPA from time to time upon written notice to Customer, provided that the terms of this DPA shall be no less protective of Customer’s rights and data as those contained herein as of the date of the Agreement.
Scope and Purpose of DPA
- Collibra strives to process Covered Data in compliance with applicable laws, rules and regulations. The Schedules to this DPA address compliance with specific jurisdictional privacy laws, rules and regulations, and only govern Collibra’s processing of Covered Data hereunder to the extent such privacy laws, rules or regulations have jurisdiction over such Covered Data or Collibra’s processing thereof.
- Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
Confidentiality, Security and Personal Data Breaches
- Collibra will ensure that all personnel authorized to process Covered Data are subject to an obligation of confidentiality.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Collibra will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in the Collibra Security Policy.
- Customer acknowledges that the security measures in the Collibra Security Policy are appropriate in relation to the risks associated with Customer’s intended processing, and will notify Collibra prior to any intended processing for which Collibra’s security measures may not be appropriate.
- Collibra will notify Customer without undue delay after becoming aware of a data breach involving Covered Data. If Collibra’s notification is delayed, it will be accompanied by reasons for the delay.
- Collibra must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by an applicable, authorized governmental regulatory authority, or reasonably requested by Customer and performed by an independent auditor as agreed upon by Customer and Collibra.
- Collibra will inform Customer if Collibra believes that Customer’s instruction under Section 3.1 infringes or violates applicable law. Collibra may suspend the audit or inspection, or withhold requested information until Collibra has modified or confirmed the lawfulness of the instructions in writing.
- Collibra and Customer each bear their own costs related to an audit.
Customer will send all notifications, requests and instructions under this DPA to Collibra’s Chief Privacy Officer via email to email@example.com.
In no event shall Collibra be liable for any damages, fines, or costs arising from or related to the acts or omissions of Customer in relation to the subject matter of this DPA, including to the extent that the Agreement requires Collibra to collect, use, retain, disclose, or reidentify any Covered Data as directed by Customer.
Termination and return or deletion
- This DPA is terminated upon the termination of the Agreement.
- Customer may request return of Covered Data up to thirty (30) days after termination of the Agreement. Unless required or permitted by applicable law, Collibra will securely delete all remaining copies of Covered Data in accordance with Collibra’s standard data retention practices.
Invalidity and severability
- If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
EU Data Protection Law
This Schedule 1 to the DPA applies solely to the processing of Covered Data under EU Data Protection Law, as defined herein.
In this Schedule 1:
- “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in the GDPR.
- “Customer Personal Data” means any Personal Data of Customer, the Processing of which is subject to EU Data Protection Law, for which Customer or Customer’s customers are the Controller, and which is Processed by Collibra to provide the Services.
- “EU Data Protection Law” means Data Protection Directive 95/46/EC, General Data Protection Regulation (EU) 2016/679 (“GDPR”), and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), Switzerland and the United Kingdom, each as applicable, and as may be amended or replaced from time to time.
- “Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with EU Data Protection Law.
- “International Data Transfer” means any transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom.
- “Privacy Shield” means the self-regulatory framework administered by the U.S. Department of Commerce in accordance with EU Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (OJ L 207, 1.8.2016, p. 1-112) and as approved by the Swiss Federal Council on January 11, 2017, each as applicable, and may be amended or replaced from time to time.
- “Subprocessor” means a Processor engaged by Collibra to Process Customer Personal Data.
- “Standard Contractual Clauses” means the clauses annexed to EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5-18).
- Scope and applicability
- This Schedule 1 applies solely with respect to Collibra’s Processing of Personal Data as a Processor. This Schedule 1 shall not apply to Personal Data Processing by Collibra as a Controller.
- The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Appendix 2 to this Schedule 1.
- Customer is a Controller and appoints Collibra as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of EU Data Protection Law applicable to Controllers.
- If Customer is a Processor on behalf of other Controller(s), then Customer: is the single point of contact for Collibra; must obtain all necessary authorizations from such other Controller(s); undertakes to issue all instructions and exercise all rights on behalf of such other Controller(s); and is responsible for compliance with the requirements of EU Data Protection Law applicable to Processors.
- Customer acknowledges that Collibra may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Collibra is the Controller for such Processing and will Process such data in accordance with EU Data Protection Law.
- Collibra will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions.
- The Controller’s instructions are documented in this DPA, the Agreement, and any applicable statement of work.
- Customer may reasonably issue additional instructions as necessary to comply with EU Data Protection Law. Collibra may charge a reasonable fee to comply with any additional instructions.
- Unless prohibited by applicable law, Collibra will inform Customer if Collibra is subject to a legal obligation that requires Collibra to Process Customer Personal Data in contravention of Customer’s documented instructions.
- Customer hereby authorizes Collibra to engage Subprocessors. A list of Collibra’s current Subprocessors is included in Appendix 1 to this Schedule 1.
- Collibra will enter into a written agreement with Subprocessors which imposes the same obligations as required by EU Data Protection Law.
- Collibra will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of EU Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Collibra’s notification of the intended change. Customer and Collibra will work together in good faith to address Customer’s objection. If Collibra chooses to retain the Subprocessor, Collibra will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.
- Taking into account the nature of the Processing, and the information available to Collibra, Collibra will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer’s own obligations under EU Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
- Collibra will maintain records of Processing of Customer Personal Data in accordance with EU Data Protection Law.
- Collibra may charge a reasonable fee for assistance under this Section 5. If Collibra is at fault, Collibra and Customer shall each bear their own costs related to assistance.
- International Data Transfers
- Customer hereby authorizes Collibra to perform International Data Transfers to any country deemed adequate by the EU Commission; on the basis of appropriate safeguards in accordance with EU Data Protection Law; or pursuant to the Standard Contractual Clauses referred to in Section 6.2.
- By signing this DPA, Customer and Collibra conclude the Standard Contractual Clauses, which are hereby incorporated into this Schedule 1 and completed as follows: the “data exporter” is Customer; the “data importer” is Collibra; the governing law in Clause 9 and Clause 11.3 of the Standard Contractual Clauses is the law of the country in which Customer is established; Appendix 1 and Appendix 2 to the Standard Contractual Clauses are Appendices 1 and 2 to this Schedule 1 respectively; and the optional indemnification clause is struck.
- If Collibra’s compliance with EU Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Collibra’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Collibra will work together in good faith to reasonably resolve such non-compliance.
- To the extent Collibra Processes Customer Personal Data that is covered by the Privacy Shield certification of Customer:
- Collibra will provide at least the same level of privacy protection as is required by the Privacy Shield principles;
- Collibra will notify Customer if it determines that it can no longer meet its obligation to provide at least the same level of protection as is required by the Privacy Shield, in which case Customer may take reasonable steps to stop and remediate unauthorized Processing; and
- Customer and Collibra may provide a summary or a representative copy of the relevant privacy provisions of this agreement to the U.S. Department of Commerce upon request.
Appendix 1 to Schedule 1
Collibra Subprocessors are listed here, as may be updated from time to time in accordance with the terms of this DPA.
Appendix 2 to Schedule 1
Description of the Processing
- Data Subjects
- Categories of Customer Personal Data
- Sensitive data
- Processing operations
The Customer Personal Data Processed concern the following categories of Data Subjects (please specify):
1. Employees of Customer, including current and former employees, as well as temporary staff, interns, and contractors and consultants who perform services for Customer.
2. Data Subjects whose data Customer processes and chooses to sample within the Collibra product.
The Customer Personal Data Processed concern the following categories of data (please specify):
1. Contact information and roles or titles of Customer’s current and former employees, as well as temporary staff, interns, and contractors and consultants who perform services for Customer and who are involved in the use of the Collibra product.
2. Any data sampled by Customer within the Collibra product.
The Customer Personal Data Processed concern the following special categories of data (please specify):
1. The Services are not intended to Process special categories of data.
The Customer Personal Data will be subject to the following basic Processing activities (please specify):
1. Allowing user access, differentiating user access and control rights, identifying data stewards and other roles and responsibilities within the product, user notifications related to product usage, and similar processing activities necessary to allow Customer users full access to and use of the Collibra products.
2. Sampling to train Collibra products to recognize Customer data types as requested by Customer.
This Schedule 2 to the DPA applies solely to the processing of Covered Data under CCPA, as defined herein.
In this Schedule 2:
- “CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time.
- The capitalized terms used in this Schedule 2 and not otherwise defined in this Addendum shall have the definitions set forth in the CCPA.
- Roles and Scope.
- This Schedule 2 applies to the collection, retention, use, disclosure, and sale of Personal Information provided by Customer or which is collected on behalf of Customer by Collibra to provide Services to Customer pursuant to the Agreement or to perform a Business Purpose.
- Customer is a Business and appoints Collibra as a Service Provider to process Personal Information on behalf of Customer. Customer is responsible for compliance with the requirements of the CCPA applicable to Businesses. This Schedule 2 applies solely with respect to Collibra’s processing of Personal Information as a Service Provider of Customer. This Schedule 2 shall not apply to Personal Information collected by Collibra as a Business.
- Restrictions on Processing.
- Collibra is prohibited from retaining, using, or disclosing the Personal Information provided by Customer or which is collected on behalf of Customer for any purpose other than for the specific purpose of performing the Services specified in the Agreement for Customer, as set out in this DPA, or as otherwise permitted by the CCPA.
- Collibra shall not further collect, sell, or use the Personal Information except as necessary to perform the Business Purpose. Customer acknowledges that Collibra may collect, retain, use, and disclose information for its own Business Purposes. For the avoidance of doubt, Collibra shall not use the Personal Information for the purpose of providing services to another person or entity, except that Collibra may combine Personal Information received from one or more entities to which it provides similar services to the extent necessary to detect data security incidents, or protect against fraudulent or illegal activity.
Customer represents and warrants that it has provided notice that Personal Information is being used or shared consistent with Cal. Civ. Code 1798.140(t)(2)(C)(i).
- Consumer Rights.
- Collibra shall provide reasonable assistance to Customer in facilitating compliance with Consumer rights requests.
- Upon direction by Customer, and in any event no later than thirty (30) days after receipt of a request from Customer, Collibra shall promptly delete Personal Information as directed by Customer. Collibra shall not be required to delete any Personal Information to comply with a Consumer’s request directed by Customer if it is necessary to maintain such information in accordance with Cal. Civ. Code 1798.105(d), in which case Collibra shall promptly inform Customer of the exceptions relied upon under 1798.105(d) and Collibra shall not use the Personal Information retained for any other purpose than provided for by that exception.
- Deidentified Information. In the event that either party shares Deidentified Information with the other party, the receiving party warrants that it: (a) has implemented technical safeguards that prohibit reidentification of the Consumer to whom the information may pertain; (b) has implemented business processes that specifically prohibit reidentification of the information; (c) has implemented business processes to prevent inadvertent release of Deidentified Information; and (d) will make no attempt to reidentify the information.
- Mergers, Sale, or Other Asset Transfer. In the event that either party transfers to a Third Party the Personal Information of a Consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the Third Party assumes control of all or part of such Party to the Agreement, that information shall be used or shared consistently with applicable law. If a Third Party materially alters how it uses or shares the Personal Information of a Consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the Consumer in accordance with applicable law.
- As Required by Law.
Notwithstanding any provision to the contrary of the Agreement or this DPA, Collibra may cooperate with law enforcement agencies concerning conduct or activity that it reasonably and in good faith believes may violate federal, state, or local law.
- Sale of Information
- The parties acknowledge and agree that the exchange of Personal Information between the parties does not form part of any monetary or other valuable consideration exchanged between the parties with respect to the Agreement or this DPA.