Data Processing Agreement

Sentient Solutions Limited


The terms used in this DPA shall have the meanings set forth herein. Terms not otherwise defined herein shall have the meaning given to them in the MSA.  Except as modified below, the terms of the MSA shall remain in full force and effect.   

This DPA sets out the additional terms, requirements and conditions on which Sentient will process Customer Personal Data when providing its Services to Customer. 

By signing the DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Legislation, in the name and on behalf of its Affiliates, if and to the extent Sentient processes Personal Data for which such Affiliates qualify as the Controller. 

For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and its Affiliates. 

AGREED TERMS

1.    Definitions

All capitalized terms not defined herein shall have the meaning set forth in the MSA. The following additional definitions apply in this DPA.

“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).

“Controller” means the Customer or the entity, alone or jointly with others, that determines the purposes and means of the Processing of Personal Data.  

“Data Subject” means an identified or identifiable natural person.

“Data Protection Legislation” means (a) the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (b) the Irish Data Protection Acts 1988 and 2018; (c) the European Communities (Electronic Communications Networks & Services) (Privacy & Electronic Communications) Regulations 2011; (d) the UK GDPR and the UK Data Protection Act 2018; (e) the EU ePrivacy Directive 2002/58/EC (as amended) (the “ePrivacy Directive”); and (f) any relevant transposition of, or successor or replacement to the laws detailed at (a) to (e) inclusive; and all other industry guidelines (whether statutory or non-statutory) or applicable codes of practice and guidance notes issued from time to time by the Irish Data Protection Commissioner or other relevant national or supra-national authority relating to the processing of Personal Data or privacy; all as amended, re-enacted and/or replaced from time to time, and any other applicable legislation relating to the collection, processing, transfer, or retention of personal data. 

“Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed.

“Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject. 

“Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Sentient or its Sub-processors.

“Process”, “Processed” or “Processing” means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means Sentient or an entity that Processes Personal Data on behalf of the Controller.  

“Sensitive Personal Data" has the meaning given in clause 2.4.

“Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914.

“Sub-processor” means any third party processor engaged by Sentient or its Affiliates engaged in the Processing of Customer Personal Data.

2.    INTRODUCTION

2.1  In providing the Services under the MSA, Sentient may be required to process Customer Personal Data on Customer’s behalf. The parties record their intention that Customer and its Affiliates (as applicable) shall be the Controller and Sentient shall be a Processor. The parties shall exercise their rights hereunder acting in good faith and in a reasonable manner.

2.2  Customer (and any Affiliates) shall, at all times, comply with their respective obligations as Controller and shall be responsible for Processing of all Customer Personal Data processed under or in connection with the MSA by their Authorised Users in accordance with their obligations under applicable Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquires the Personal Data.

2.3  Customer shall ensure valid consents are obtained from and shall cause appropriate notices to be provided to, Data Subjects, in each case that are necessary for Sentient to Process (and have Processed by Sub-processors) Personal Data under or in connection with this DPA in accordance with Data Protection Legislation. Furthermore, Customer shall not, by act or omission, cause Sentient to violate Data Protection Legislation, as a result of Sentient or its Sub-processors Processing the Personal Data in accordance with this DPA.

2.4  Customer agrees not to use the Services to collect, store, process or transmit any Sensitive Personal Data. Customer shall inform Sentient in writing prior to engaging with the Services if the Customer Personal Data includes any of the following: (i) credit, debit or other payment card data subject to the Payment Card Industry Data Security Standards; (ii) patient, medical or other protected health information regulated by the Health Insurance Portability and Accountability Act (“HIPAA”); or (iii) any other personal data of an EU citizen deemed to be in a “special category” (as identified in the GDPR or any successor directive or regulation) (“Sensitive Personal Data”).  If the Customer does not inform Sentient, Sentient shall not be liable for any violations of any requirements that apply to such Processing. Customer acknowledges that Sentient is not a Business Associate or subcontractor (as those terms are defined in HIPAA) or a payment card processor and that the Services are neither HIPAA nor PCI DSS compliant. 

2.5  Annex 1 to this DPA sets out certain information regarding Sentient’s and its Sub-processors’ Processing of the Customer Personal Data.

2.6  Customer hereby instructs Sentient (and consents and authorises Sentient to instruct each Sub-processor) to process Customer Personal Data as reasonably necessary for the provision of the Services.  

3.    DATA PROTECTION OBLIGATIONS

3.1   To the extent that Sentient Processes Customer Personal Data pursuant to the MSA, Sentient warrants, represents and undertakes to Customer that it shall:

3.1.1  Process Customer Personal Data only on the Customer’s documented instructions including the MSA. Sentient will immediately inform Customer if, in its opinion, an instruction infringes Data Protection Legislation or other data protection provisions;

3.1.2  Process any Customer Personal Data only to the extent required to provide the Services and in such a manner and at all times in accordance with all Data Protection Legislation, unless required to do otherwise by law, in which case, where legally permitted, Sentient shall inform Customer of such legal requirement before Processing;

3.1.3   not Process Customer Personal Data for any purpose other than for the business purposes specified in the MSA or otherwise retain, use or disclose Personal Data outside of the direct business relationship between Sentient and Customer;

3.1.4 taking into account the nature and extent of Processing, implement and maintain technical and organizational measures to ensure a level of security appropriate to the risk presented by Processing the Customer Personal Data, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed. 

3.1.5 not permit any Processing of any Customer Personal Data outside of the European Economic Area and/or the United Kingdom without Customer’s prior written consent and subject then in any event to the execution of an appropriate data transfer agreement in compliance with Data Protection Legislation in accordance with clause 7, unless Sentient or Sub-processors are required to transfer the Personal Data to comply with applicable laws and such laws prohibit notice to Customer on public interest grounds;

3.1.6  cooperate as reasonably requested by Customer to enable Customer to: (i) comply with any exercise of rights by a Data Subject under the Data Protection Legislation in respect of Customer Personal Data processed by Sentient under this DPA and shall implement and maintain appropriate technical and organizational measures to assist Customer in responding to such requests from Data Subjects and shall notify Customer promptly upon receipt of any such request from a Data Subject. Sentient will not respond to any request from a Data Subject except on the documented instructions of Customer or as required by law, in which case Sentient shall to the extent permitted by law inform Customer of that legal requirement before Sentient responds to the request;  

3.1.7  upon Customer’s request, Sentient shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligations under Data Protection Legislation, including with regards to data privacy impact assessments and consultations with supervisory authorities, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Sentient. Cooperation may include the provision of appropriate technical and organizational measures, where possible, through the Sentient Services and/or as outlined in the User Documentation. Any such reasonable assistance shall be at the cost of Customer;

3.1.8  maintain proper up to date records of any Customer Personal Data Processed by or on behalf of Sentient pursuant to this DPA;

3.1.9  ensure that any person authorized to process the Customer’s Personal Data: (i) has committed themselves to appropriate contractual confidentiality obligations or is under an appropriate statutory obligation of confidentiality; (ii) Processes the Personal Data solely on behalf of and in accordance with the instructions from Customer; and (iii) is appropriately reliable, qualified, and trained in relation to their Processing of Personal Data;

3.1.10  appoint and identify to Customer a named individual within Sentient to act as a point of contact for any enquiries from Customer relating to Customer Personal Data and cooperate in good faith with Customer concerning all such enquiries within a reasonable time period; and

3.1.11  at Customer's option, within forty-five (45) days of a request in writing to Sentient, either: (i) return to Customer (by way of Customer retrieving a final export via Sentient APIs); or (ii) Delete from its systems and records all Customer Personal Data and any copies, records, analysis, memoranda or other notes to the extent containing or affecting any Customer Personal Data. Sentient shall provide a certificate of confirmation from a senior authorised representative of Sentient that this paragraph 3.1.11 has been complied with in full in accordance with Sentient procedures.

4.    PERSONAL DATA BREACH

4.1    Without prejudice to the other provisions of this DPA, Sentient shall promptly upon becoming aware, and in any event within twenty-four (24) hours of becoming aware, of a Personal Data Breach, notify Customer of the Personal Data Breach where the Personal Data Breach directly affects Customer Personal Data or the Services being offered to Customer. 

4.2    Sentient shall, at no additional cost to Customer (save that Customer shall reimburse Sentient's reasonable costs where Sentient has complied fully with its obligations under this DPA and such Personal Data Breach is not due to Sentient default or neglect), provide sufficient information and assistance to Customer in ensuring compliance with its obligations in relation to notification of Personal Data Breaches, and communication of Personal Data Breaches to Data Subjects where the breach is likely to result in a high risk to the rights of such Data Subjects, and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of such Personal Data Breach.

5.    California Consumer Privacy Act (“CCPA”)

5.1    If Sentient is processing Personal Data within the scope of the CCPA (“CCPA Personal Data”) these additional provisions for CCPA Personal Data shall apply only with respect to CCPA Personal Data:

5.1.1    Roles of the Parties. When processing CCPA Personal Data in accordance with Customer instructions, the parties acknowledge and agree that Customer is a “Business” and Sentient is a “Service Provider” for the purposes of the CCPA.

5.1.2    Responsibilities. The parties agree that Sentient will Process CCPA Personal Data as a Service Provider strictly for the purpose of performing the processing activities ("Business Purpose") or as otherwise permitted by the CCPA, including as described in the Sentient’s Privacy Policy.

5.1.3    Sentient will process Personal Data on behalf of the Customer and not retain, use, or disclose that data for any purpose other than the Business Purpose, as otherwise set out in the MSA or as permitted under the CCPA;

5.1.4    In no event will Sentient sell, retain, use, or disclose any Personal Data made available by Customer other than for the Business Purpose, as otherwise set out in the MSA or as permitted under the CCPA;

5.1.5    Sentient certifies that it understands all its contractual restrictions and will comply with them; and

5.1.6    the parties understand that the CCPA remains subject to amendment and regulations that have not yet been promulgated and agree to comply with such amendments and regulations when they become effective, subject to Sentient’s right to terminate the MSA if the CCPA materially impacts the processing activities or Sentient’s rights and obligations under the MSA. 

6.    SUB-PROCESSORS 

6.1    Customer confirms its prior general consent to sub-processing of the Customer Personal Data by Sentient’s current Sub-processors, an up-to-date list of which is maintained in Sentient's trust centre (https://trust.scorebuddyqa.com/) and which may be updated in accordance with Clause 6.2. The Sub-processor list shall include the identities of the Sub-processors, their country of location as well as a description of the processing they perform.

6.2    Sentient will post notice of any intended addition or replacement of a Sub-processor in the Trust Centre at least fourteen (14) calendar days before the Sub-processor first Processes Customer Personal Data (the “Sub-processor Notice Period”). An e-mail subscription mechanism is available in the Trust Centre and the Controller is responsible for subscribing or otherwise monitoring the change log. The Controller may object, on reasonable data-protection grounds, by notifying Sentient in writing within the Sub-processor Notice Period; if no objection is received, the Sub-processor will be deemed accepted.

6.3    Sentient shall ensure that: (i) it shall enter into an agreement with the Sub-processor and the terms governing the engagement between Sentient and any Sub-processor are not less protective with respect to Processing of Customer Personal Data compared to the provisions of this DPA and any other relevant provisions of the MSA to the extent those requirements are applicable to the nature of the services provided by the Sub-processor; and (ii) Sentient will remain responsible and liable for the Sub-processor’s compliance with its obligations and for any acts or omissions of such Sub-processor.

7.    DATA TRANSFERS 

7.1    If Sentient transfers Personal Data outside the EEA or UK to a third country that is not recognized by the European Commission (or relevant authority) as providing an adequate level of protection, such transfers shall be governed by the Standard Contractual Clauses.  The parties agree that by executing this DPA they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of this DPA, and be considered duly executed and completed upon entering into force of this DPA. The parties agree that the parties will comply with the provisions of the applicable Module of the Standard Contractual Clauses specified in Annex 1 and, with respect to the elements of the Standard Contractual Clauses that require the parties’ input, Annexes 1 and 2 contain information relevant to the Standard Contractual Clauses’ Annexes. In case of any conflicts or inconsistency between the provisions of this DPA and the Standard Contractual Clauses, the provisions of the Standard Contractual Clauses shall prevail. 

7.2    The parties agree that, for Personal Data of Data Subjects in the United Kingdom, they adopt the modifications to the Standard Contractual Clauses listed in Annex 2 to adapt the Standard Contractual Clauses to local law, as applicable. 

7.3    Without limiting the generality of the foregoing, Sentient will enter into (and will cause its Sub-processors to enter into) any additional agreements or adhere to any additional contractual terms and conditions related to the Processing, including cross border data transfer, of Personal Data as Customer may instruct in writing that Customer deems necessary to comply with Data Protection Legislation.

8.    AUDIT

8.1    Subject to Clause 8.2 and to the extent required by applicable Data Protection Legislation, Customer shall have the right to audit Sentient systems, processes, and procedures relevant to the protection of Customer Personal Data. 

8.2    An audit under this Clause 8 shall be: (i) carried out no more than once in any twelve (12) month period during the Term (unless it needs to be carried out more than once a year to comply with a request from an authority or a legal or regulatory obligation on the part of the Controller); (ii) conducted during Business Hours over the course of one Business Day; (iii) subject to a minimum thirty (30) days’ prior written notice; and (iv) in relation to the Customer’s Personal Data only. Sentient shall grant to Customer (or representatives of Customer that are not competitors of Sentient) a right of access to Sentient’s premises and/or systems during Business Hours for the purpose of such audit, and Sentient shall give such necessary assistance to the conduct of such audits.

8.3   Customer shall bear any and all expenses incurred by Sentient in respect of any such audit and any such audit shall not interfere with the normal and efficient operation of Sentient’s business. Sentient may require, as a condition of granting such access, that Customer (and representatives of Customer) enter into reasonable confidentiality undertakings with Sentient. The parties will work cooperatively to agree an audit plan, scope and timing in advance of any audit.

8.4    If the scope of the audit is addressed in an ISO 27001/27701 or similar audit report performed by a qualified third party auditor within the previous twelve (12) months, and Sentient data protection or other relevant officer certifies in writing there are no known material changes in the controls audited, Customer shall agree to accept those reports in lieu of requesting an audit of the controls covered by the report. Sentient will reasonably cooperate with and assist Customer where a Regulator requires an audit of Sentient’s Processing of Customer Personal Data in order to ascertain or monitor Customer’s compliance with Data Protection Legislation.

9.    INDEMNITY

The parties shall indemnify each other (“Indemnified Party”) from and against any and all third party claims, suits, demands and actions and for resulting damages, awards of damages, losses, costs, and expenses (including but not limited to any regulatory fines and reasonable legal and professional fees) incurred by a party that result or arise from any breach by either party of the terms and conditions of this DPA and/or Data Protection Legislation. Such breaching party shall be liable on a comparative basis for the portion of those damages directly attributable to its breach of its obligations and the indemnity shall be subject to the limitations of liability in the MSA.  If any third party makes a claim against the Indemnified Party, or notifies an intention to make a claim against the Indemnified Party, the Indemnified Party shall: (i) give written notice of the claim against the Indemnified Party to the indemnifying party as soon as reasonably practicable; (ii) not make any admission of liability in relation to the claim against the Indemnified Party without the prior written consent of the indemnifying party; (iii) at the indemnifying party’s request and expense, allow the indemnifying party to conduct the defence of the claim against the Indemnified Party including settlement; and (iv) at the indemnifying party’s expense, co-operate and assist to a reasonable extent with the indemnifying party's defence of the claim against the Indemnified Party.

10.    CHANGES IN DATA PROTECTION LAWS

Sentient may propose variations to this DPA which Sentient reasonably considers to be necessary to address the requirements of any Data Protection Legislation. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified as soon as is reasonably practicable. Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Sentient to comply with Data Protection Legislation.

11.    TERM AND TERMINATION

11.1    This DPA will remain in full force and effect so long as:

11.1.1    the MSA remains in effect; or

11.1.2    the Processor retains any of the Customer Personal Data related to the MSA in its possession or control (“Term”).

11.2    Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the MSA in order to protect the Customer Personal Data will remain in full force and effect.


Annex 1

Details of Processing of Customer Personal Data

(a)    Subject matter and duration of the Processing of Customer Personal Data
The subject matter is Customer Personal Data and the duration of the Processing of Customer Personal Data is set out in the MSA. 

(b)    The nature and purpose of the Processing of Customer Personal Data
Sentient will Process Personal Data as necessary to perform the Services pursuant to the MSA and as further instructed by the Customer in its use of the Services.  

(c)    The types of Personal Data to be Processed
Customer Personal Data relating to the following types of data categories. The types of Personal Data may change from time to time, according to any additional or amended Services to be provided by Sentient.

The data entered into the Scorebuddy platform is at the discretion of the user but would typically include user access account details, attached files from the user environment and basic user information for individuals being assessed.

General User
●    System ID
●    Employee ID
●    First name
●    Last name
●    Company email address

(d)    The categories of Data Subject to whom Customer Personal Data relates
Customer Personal Data relating to the following types of Data Subjects: 
●    Authorised Users (as defined in the MSA)
●    Customer’s customers

(e)    The obligations and rights of Customer 
These are as set out in the MSA and this DPA. Sentient may provide notice of change to these provisions where an update is required due to changes to services or changes required due to applicable Data Protection Legislation, including the interpretation thereof.


Annex 2
Information for International Transfers

Categories of data subjects whose personal data is transferred

See Annex 1.

Categories of personal data transferred

See Annex 1.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

See Annex 1.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Data is transferred on a continuous basis during the term of the MSA, unless otherwise specifically agreed elsewhere between Customer and Sentient.

Nature of the processing

Sentient will Process Personal Data as necessary to perform the Services pursuant to the MSA as further instructed by Customer and/or its Affiliates by virtue of using the Services, including storage, organization, structuring, disclosure by transmission, dissemination or making available, and other forms of processing.

Purpose(s) of the data transfer and further processing

The Purpose of the data transfer and processing by Sentient is to provide the Services to Customer and, as applicable, its Affiliates, as further specified in the MSA and other Sentient contracts (if any).

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

As a Processor, Sentient retains Personal Data it collects or receives from the Customer for the duration of the MSA and consistent with its obligations under applicable law. 

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

Sentient uses Sub-processors and will engage Sub-processors solely as necessary to provide the Services to Customer and, as applicable, its Customer Affiliates, and Sub-processors will carry out any processing of personal data only as necessary for such purposes and as further instructed by Customer and/or its Customer Affiliates by virtue of using the Services, including hosting, storage and other forms of processing. Such processing will be no longer than for the duration of the MSA, unless otherwise agreed upon in writing.

For the purposes of the Standard Contractual Clauses:

●    Clause 9(a) (Module 2 and 3, as applicable): The parties select Option 2. The time period is 30 days.

●    Clause 11(a): The parties do not select the independent dispute resolution option.

●    Clause 17: The parties select Option 1. The parties agree that the governing jurisdiction is Ireland.

●    Clause 18: The parties agree that the forum is Ireland.

●    Annex I(A): The data exporter is Customer (defined above) and the data importer is Sentient (defined above).

●    Annex I(B): The parties agree that Annex 1 describes the transfer.

●    Annex I(C): The competent supervisory authority is the Irish Data Protection Commission.

For the purpose of localizing the Standard Contractual Clauses:

●    United Kingdom

o    For the purposes of transfers of personal data from the UK, the Parties agree to comply with the terms of Part 2: Mandatory Clauses of the Addendum, being the template UK International Data Transfer Addendum B.1.0 issued by the UK Information Commissioner and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those Mandatory Clauses. The Parties also agree that the information included in Part 1 of the Addendum shall be as set out above. The parties also agree that the Exporter and Importer may end the Addendum as set out in Section 19 of the Addendum.

o    The parties agree that the Standard Contractual Clauses are deemed amended to the extent necessary that they operate for transfers from the United Kingdom to a Third Country and provide appropriate safeguards for transfers according to Article 46 of the United Kingdom General Data Protection Regulation (“UK GDPR”). Such amendments include changing references to the GDPR to the UK GDPR and changing references to EU Member States to the United Kingdom.

o    Clause 17: The parties agree that the governing jurisdiction is the United Kingdom.

o    Clause 18: The parties agree that the forum is the courts of England and Wales. The parties agree that Data Subjects may bring legal proceedings against either party in the courts of any country in the United Kingdom.