Partner Data Transfer Addendum
Last updated: 14/11/2024

Worka Partner Platform – Terms and Conditions: Data Transfer Addendum
This Data Transfer Addendum applies where We transfer personal data to You in circumstances where the GDPR, UK GDPR or Switzerland’s Federal Act on Data Protection apply, and where You are not located in a country or territory that is recognised under applicable Data Protection Legislation as providing adequate protection of personal data.
The terms of this Data Transfer Addendum form part of and are incorporated into the Worka Partner Platform – Terms and Conditions (the “Terms”). Any defined terms set forth in the Terms shall apply to the interpretation of this Data Transfer Addendum.
1. Incorporation of the Standard Contractual Clauses
Module 1 of the Standard Contractual Clauses is incorporated by reference into the Terms and applies (where applicable) pursuant to clause 8 of Schedule 2 (Data Protection) of the Terms and as tailored and supplemented by the provisions in this Data Transfer Addendum. The Standard Contractual Clauses apply as follows:
Optional Clause 7 is used.
The optional second paragraph of Clause 11(a) is not used.
For Clause 17 Governing Law: Option 1 is selected and the governing law is that of Ireland.
For Clause 18 Choice of forum and jurisdiction: The courts of Ireland shall resolve any disputes arising from these Clauses.
Standard Contractual Clauses
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Data exporter | |
---|---|
Name: | Us (as defined in the Terms) |
Address: | Our address (as stated in the Terms) |
Activities relevant to the data transferred under these Clauses: | As described in Annex IB |
By entering into the Terms the data exporter will be deemed to have signed this Annex I thereby agreeing to (i) these Clauses, (ii) the UK Addendum to these Clauses below and (iii) the Switzerland Addendum to these Clauses below from the date the Terms are entered into. | |
Role (controller/processor): | Controller |
Data importer(s):
Data importer | |
---|---|
Name: | You (as defined in the Terms) |
Address: | Your address, as made available by You to Us from time to time |
Activities relevant to the data transferred under these Clauses: | As described in Annex IB |
By entering into the Terms the data importer will be deemed to have signed this Annex I thereby agreeing to (i) these Clauses, (ii) the UK Addendum to these Clauses below and (iii) the Switzerland Addendum to these Clauses below from the date the Terms are entered into. | |
Role (controller/processor): | Controller |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Customer personnel.
Categories of personal data transferred
Name and business contact details (including email address and telephone number).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
N/A.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Continuous for our provision of the Worka Platform.
Nature of the processing
Storage, analysis and use of the personal data for the Agreed Purpose (as defined in the Terms).
Purpose(s) of the data transfer and further processing
The personal data is provided by the data exporter to the data importer for the Agreed Purpose (as defined in the Terms).
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
In accordance with clause 5 of Schedule 2 (Data Protection) of the Terms.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
N/A.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II: TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The data importer shall take appropriate technical and organisational measures to ensure that the processing of the personal data complies with the requirements set out in the Data Protection Legislation, in particular the requirements of the GDPR, UK GDPR and FADP (as applicable), and that the rights of data subjects are protected. The measures must ensure a level of data security appropriate to the risks to the rights and freedoms of the data subjects. These measures include, among others, the following:
The data importer shall, as a minimum, ensure:
The confidentiality of information processed.
The integrity of information processed.
The availability of information processed.
That the data importer complies with its legal requirements.
That information security and risk awareness training is provided to all data importer personnel.
That breaches of information security, actual or suspected, are reported to and investigated by the data importer.
Non-exhaustive examples of the measures that the data importer shall implement to ensure the above are:
Implementing data loss prevention measures to ensure that confidential data cannot be transported outside of the data importer’s systems.
Maintaining and implementing disaster recovery and backup plans.
Utilising appropriate network security and endpoint protection tools to ensure the integrity and security of the data importer’s network and systems.
Monitoring the data importer’s network and systems for unauthorised access or use.
Regularly patching known vulnerabilities and updating third party software.
Implementing access management controls.
Maintaining and implementing password security standards.
Utilising multifactor authentication for the use of the data importer’s systems and applications.
Utilising a VPN for secure communications.
Encrypting data, including encrypting all data at rest.
UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (v B1.0)
This Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
By entering into the Terms, both parties agree to the format of this Part 1: Tables set out below.
Table 1: Parties
The start date of this Addendum is the same as the start date of the Addendum EU SCCs. The parties’ details are as set out in Annex I.A of the Addendum EU SCCs above.
Table 2: Selected SCCs, Modules and Selected Clauses
The Addendum EU SCCs are the version of the Approved EU SCCs incorporated into the Terms (as tailored and supplemented by the provisions at the start of this Data Transfer Addendum) which this Addendum is appended to, including the Appendix Information (as defined below).
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in Annex I and II of the Addendum EU SCCs above.
Table 4: Ending this Addendum when the Approved Addendum Changes
Neither party may end this Addendum as set out in Section 19.
Alternative Part 2 Mandatory Clauses
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
Switzerland Addendum to the EU Commission Standard Contractual Clauses
This Addendum applies to and is a part of the Clauses.
The Parties agree that the following provisions shall apply with respect to data transfers that are governed by Switzerland’s Federal Act on Data Protection (“FADP”), e.g. personal data transferred by a data exporter from Switzerland to a data importer outside of Switzerland (including personal data located in Switzerland that a data exporter makes accessible to the data importer) (the “Swiss Personal Data”):
(i) Reference to the competent supervisory authority in Annex I.C under Clause 13 shall be deemed to refer to the Federal Data Protection and Information Commissioner (“FDPIC”);
(ii) References to Member State(s), the EU and the EEA shall be deemed to include Switzerland;
(iii) The list of data subjects and categories of data indicated in Annex I.B to the Clauses shall not be deemed to restrict the application of the Clauses to the Swiss Personal Data;
(iv) References to (articles in) the GDPR shall be deemed to refer to (equivalent articles in) the FADP; and
Where the Clauses use terms that are defined in the GDPR, those terms shall be deemed to have the meaning as the equivalent terms are defined in the FADP.