This Data Processing Addendum (“DPA”) between Collibra NV, on behalf of itself and its affiliates (“Collibra”), and you, a customer of Collibra (or an affiliate thereof) (“Customer”), amends and forms part of Customer’s agreement with Collibra (or an affiliate thereof) for the license of, access to and/or use of Collibra’s products and/or services (the “Agreement”). This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
This DPA will be effective as of the date of the Agreement. Collibra may modify this DPA from time to time upon written notice to Customer, provided that the terms of this DPA shall be no less protective of Customer’s rights and data as those contained herein as of the date of the Agreement.
In this DPA:
“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in the GDPR;
“Customer Personal Data” means any Customer Data that constitutes Personal Data, the Processing of which is subject to Data Protection Law, for which Customer or Customer’s customers are the Controller, and which is Processed by Collibra to provide the Services;
“Data Protection Law” means Data Protection Directive 95/46/EC, General Data Protection Regulation (EU) 2016/679 (“GDPR”), and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), Switzerland and the United Kingdom, each as applicable, and as may be amended or replaced from time to time;
“Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law;
“International Data Transfer” means any transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom;
“Privacy Shield” means the self-regulatory framework administered by the U.S. Department of Commerce in accordance with EU Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (OJ L 207, 1.8.2016, p. 1-112) and as approved by the Swiss Federal Council on January 11, 2017, each as applicable, and as may be amended or replaced from time to time;
“Services” means the services provided by Collibra to Customer under the Agreement;
“Subprocessor” means a Processor engaged by Collibra to Process Customer Personal Data; and
“Standard Contractual Clauses” means the clauses annexed to EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5-18).
Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
Scope and applicability
This DPA applies to Processing of Customer Personal Data by Collibra to provide the Services.
The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Appendix 1.
Customer is a Controller and appoints Collibra as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
If Customer is a Processor on behalf of other Controller(s), then Customer: is the single point of contact for Collibra; must obtain all necessary authorizations from such other Controller(s); undertakes to issue all instructions and exercise all rights on behalf of such other Controller(s); and is responsible for compliance with the requirements of Data Protection Law applicable to Processors.
Customer acknowledges that Collibra may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Collibra is the Controller for such Processing and will Process such data in accordance with Data Protection Law.
Collibra will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions.
The Controller’s instructions are documented in this DPA, the Agreement, and any applicable statement of work.
Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Collibra may charge a reasonable fee to comply with any additional instructions.
Unless prohibited by applicable law, Collibra will inform Customer if Collibra is subject to a legal obligation that requires Collibra to Process Customer Personal Data in contravention of Customer’s documented instructions.
Collibra will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
Security and Personal Data Breaches
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Collibra will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Appendix 2.
Customer acknowledges that the security measures in Appendix 2 are appropriate in relation to the risks associated with Customer’s intended Processing and will notify Collibra prior to any intended Processing for which Collibra’s security measures may not be appropriate.
Collibra will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Collibra’s notification is delayed, it will be accompanied by reasons for the delay.
Customer hereby authorizes Collibra to engage Subprocessors. A list of Collibra’s current Subprocessors is included in Appendix 3. Collibra will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law. Collibra will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Collibra’s notification of the intended change. Customer and Collibra will work together in good faith to address Customer’s objection. If Collibra chooses to retain the Subprocessor, Collibra will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.
Taking into account the nature of the Processing, and the information available to Collibra, Collibra will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
Collibra will maintain records of Processing of Customer Personal Data in accordance with Data Protection Law.
Collibra may charge a reasonable fee for assistance under this Section.
If Collibra is at fault, Collibra and Customer shall each bear their own costs related to assistance.
Collibra must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested by Customer and performed by an independent auditor as agreed upon by Customer and Collibra.
Collibra will inform Customer if Collibra believes that Customer’s instruction under Section 8.1 infringes Data Protection Law. Collibra may suspend the audit or inspection or withhold requested information until Collibra has modified or confirmed the lawfulness of the instructions in writing.
Collibra and Customer each bear their own costs related to an audit.
International Data Transfers
Customer hereby authorizes Collibra to perform International Data Transfers to any country deemed adequate by the EU Commission; on the basis of appropriate safeguards in accordance with Data Protection Law; or pursuant to the Standard Contractual Clauses referred to in Section 9.2.
By signing this DPA, Customer and Collibra conclude the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Customer; the “data importer” is Collibra; the governing law in Clause 9 and Clause 11.3 of the Standard Contractual Clauses is the law of the country in which Customer is established; Appendix 1 and Appendix 2 to the Standard Contractual Clauses are Appendix 1 and 2 to this DPA respectively; and the optional indemnification clause is struck.
If Collibra’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Collibra’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Collibra will work together in good faith to reasonably resolve such non-compliance.
Privacy Shield Onward Transfer
To the extent Collibra Processes Customer Personal Data that is covered by the Privacy Shield certification of Customer:
a) Collibra will provide at least the same level of privacy protection as is required by the Privacy Shield principles;
b) Collibra will notify Customer if it determines that it can no longer meet its obligation to provide at least the same level of protection as is required by the Privacy Shield, in which case Customer may take reasonable steps to stop and remediate unauthorized Processing; and
c) Customer and Collibra may provide a summary or a representative copy of the relevant privacy provisions of this agreement to the U.S. Department of Commerce upon request.
Customer will send all notifications, requests and instructions under this DPA to Collibra’s Chief Privacy Officer via email to firstname.lastname@example.org.
To the extent permitted by applicable law, where Collibra has paid damages or fines, Collibra is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the damages or fines.
Termination and return or deletion
This DPA is terminated upon the termination of the Agreement.
Customer may request return of Customer Personal Data up to thirty (30) days after termination of the Agreement. Unless required or permitted by applicable law, Collibra will securely delete all remaining copies of Customer Personal Data in accordance with Collibra’s standard data retention practices.
Modification of this DPA
This DPA may only be modified by a written amendment signed by both Collibra and Customer.
Invalidity and Severability
If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
Description of the Processing
The Customer Personal Data Processed concern the following categories of Data Subjects:
Employees of Customer, including current and former employees, as well as temporary staff, interns, and contractors and consultants who perform services for Customer
Data Subjects whose data Customer processes and chooses to sample within the Collibra product
Categories of Customer Personal Data
The Customer Personal Data Processed concern the following categories of data:
Contact information of Customer’s current and former employees, as well as temporary staff, interns, and contractors and consultants who perform services for Customer, in each case, who are involved in the use of the Collibra product
Any data sampled by Customer (if applicable) within the Collibra product.
The Services are not intended to Process special categories of data.
The Customer Personal Data will be subject to the following basic Processing activities:
Allowing user access, differentiating user access and control rights, identifying data stewards and other roles and responsibilities within the product, user notifications related to product usage, and similar processing activities necessary to allow Customer users full access to and use of the Collibra products.
Sampling to train Collibra products to recognize Customer data types as requested by Customer.
Collibra’s standard security practices are as follows:
Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Customer Personal Data are Processed, include:
Establishing security areas, restriction of access paths;
Establishing access authorizations for employees and third parties;
Access control system (ID reader, magnetic card, chip card);
Key management, card-keys procedures;
Door locking (electric door openers etc.);
Security staff, janitors;
Surveillance facilities, video/CCTV monitor, alarm system; and
Securing decentralized data processing equipment and personal computers.
Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
User identification and authentication procedures;
ID/password security procedures (special characters, minimum length, change of password);
Automatic blocking (e.g. password or timeout);
Monitoring of break-in attempts and automatic deactivation of the user ID after several erroneous password attempts;
Creation of one master record per user, user-master data procedures per data processing environment; and
Encryption of archived data media.
Data access control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to the Customer Personal Data covered by their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:
Internal policies and procedures;
Control authorization schemes;
Differentiated access rights (profiles, roles, transactions and objects);
Monitoring and logging of accesses;
Disciplinary action against employees who access Customer Personal Data without authorization;
Reports of access;
Deletion procedure; and
Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:
Technical and organizational measures to monitor whether Customer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
Logging and reporting systems; and
Audit trails and documentation.
Control of instructions
Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:
Unambiguous wording of the contract;
Formal commissioning (request form); and
Criteria for selecting the Processor.
Technical and organizational measures to ensure that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:
Mirroring of hard disks (e.g. RAID technology);
Uninterruptible power supply (UPS);
Anti-virus/firewall systems; and
Disaster recovery plan.
Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:
Separation of databases;
“Internal client” concept / limitation of use;
Segregation of functions (production/testing); and
Procedures for storage, amendment, deletion, transmission of data for different purposes.
COLLIBRA’S CURRENT SUBPROCESSORS
Collibra’s current Subprocessors of Customer Personal Data (as such terms are defined in Customer’s Data Processing Addendum with Collibra) are as follows: