DATA PROCESSING ADDENDUM

Last Modified: August 2023

This Data Processing Addendum (“Addendum”) is an addendum to and forms part of the Master Services Agreement (or other such titled written or electronic agreement addressing the same subject matter) (“Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Information.  

In the course of providing the Services to Customer pursuant to the Agreement, Service Provider may Process Personal Information on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Information, each acting reasonably and in good faith. 

In the event of any conflict between the Agreement and this Addendum, the terms and conditions of this Addendum shall control. Except to the extent expressly superseded or modified in this Addendum, the terms and conditions of the Agreement will apply to this Addendum and remain in full force and effect.


1. Definitions

  1. “Privacy Impact Assessment” means an assessment of the impact of the envisaged Processing operations on the protection of Personal Information as required by applicable Privacy Laws;

  2. “Data Subject” means an identified or identifiable natural person.  

  3. “Personal Information” means any information relating to an identified or identifiable individual.

  4. “PIPEDA” means the Personal Information Protection and Electronic Documents Act, SC 2000, c.5.

  5. “Privacy Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, theft, or unauthorized access to or disclosure of Personal Information.

  6. “Privacy Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) governing the Processing or protection of Personal Information, including for example, PIPEDA.

  7. “Processing”, “Processed” or “Process” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as but not limited to collection, use, modification, retrieval, disclosure, retention, storage, deletion, and/or management of Personal Information.


  8. “Regulatory Authority” means an independent public authority tasked with the regulation and enforcement of applicable Privacy Laws.

  9. Unless otherwise provided:

    1. a capitalised term that is not defined in this Addendum shall have the meaning given to it in the Agreement; and

    2. the words and expressions in, and the rules of interpretation of, the Agreement shall have the same meaning in this Addendum.

2. Data Processing and Security Responsibilities 

 

  1. Customer and Service Provider shall each comply with all Privacy Laws that apply to it in relation to any Personal Information Processed in connection with this Addendum.

  2. Customer agrees that it has:

    1. made and shall maintain all necessary registrations and notifications as required in order to permit Service Provider to perform its obligations and exercise its rights under this Addendum;

    2. obtained and shall continue to obtain all consents necessary, and provided all necessary notices and otherwise has and continues to have all necessary authority to permit Service Provider to perform its obligations and exercise its rights under this Addendum, and shall inform Service Provider immediately if any such consents are withdrawn or can no longer be relied upon;

    3. ensured and shall continue to ensure that all Personal Information Processed by Service Provider is adequate, relevant, accurate and up-to-date, and limited to what is necessary to permit Service Provider to perform its obligations and exercise its rights under this Addendum; 

    4. ensured and shall continue to ensure that there are valid legal bases to enable Service Provider to Process Customer's Personal Information in the manner and for the purposes contemplated under the Agreement and this Addendum; and

    5. Processed and will continue to Process the Personal Information in accordance with all applicable Privacy Laws.

  3. In the course of Processing Personal Information on behalf of Customer, Service Provider shall:

    1. except as otherwise permitted herein, only use, disclose, transfer, retain, and otherwise Process Personal Information as reasonably necessary for the purposes of rendering the Services and as otherwise instructed by Customer in writing from time to time or as required by applicable Privacy Law, and not Process any Personal Information in any other manner without the express prior written authorization of Customer unless required to do so by applicable law;

    2. immediately inform the Customer if, in Service Provider’s opinion, any instruction received from the Customer infringes Privacy Law; 

    3. not disclose (and not allow any of its employees, or permitted agents or representatives to disclose) any Personal Information to any third party without the prior written authorization of Customer (under this Addendum or otherwise) unless required to do so under applicable law (in which case clause d) below shall apply);

    4. where any disclosure, transfer or other Processing of Personal Information is required by applicable law, promptly notify Customer in writing before complying with any such requirement (unless prohibited by applicable law, such as on important grounds of public interest); 

    5. promptly notify Customer in writing of any (i) enquiry received from individuals relating to the individual’s rights under Privacy Laws, and provide prompt reasonable assistance to Customer with respect to any obligations Customer has to respond to such requests, such as by an obligation to provide access to Personal Information, or to correct, rectify, or restrict the processing of Personal Information; (ii) complaint or correspondence received by Service Provider either from an individual or a Regulatory Authority relating to the Processing of Personal Information, and (iii) order, demand, warrant or any other document purporting to compel the production of any Personal Information, and provide reasonable assistance at Customer’s cost to facilitate Customer’s compliance with Customer’s obligations under Privacy Laws; 

    6. implement reasonable and appropriate physical, technical and organizational security procedures and practices appropriate to the sensitivity of the Personal Information that are designed to protect the Personal Information against loss, theft, destruction, damage, alteration and unauthorized or unlawful access, use, disclosure or other risks incurred by Processing in pursuit of the Services, as would allow Service Provider to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services (the “Security Measures”). The parties acknowledge and agree that the Security Measures are set out in Annex A. Service Provider shall carry out regular reviews of the Security Measures to ensure their continuing appropriateness and shall not materially lower the standard of the Security Measures without the prior approval of Customer; 

    7. limit access to Personal Information only to those employees and authorized agents of Service Provider who need to have access to the Personal Information for the purposes set out in the Agreement and this Addendum; 

    8. ensure or cause each of Service Provider’s employees involved in rendering the Services to agree in writing to protect the confidentiality and security of the Personal Information substantially in accordance with the terms of this Addendum, and otherwise properly advise and train each of its employees in Privacy Law compliance as applicable to this Addendum; 

    9. ensure that each employee of Service Provider involved in rendering the Services is appropriately screened to confirm the suitability of the performance of their duties in connection with the Services, including the access to and Processing of Personal Information; 

    10. at Customer’s cost and request, and taking into account the nature of the Processing and the Personal Information available to it, provide reasonable assistance to Customer as necessary for Customer to meet its obligations under Privacy Laws in connection with:

      1. obligations relating to ensuring the security and integrity of Personal Information;

      2. obligations relating to notifications and communication of Privacy Breaches as required by Privacy Laws to the Regulatory Authority and/or any affected individuals; and

      3. undertaking any Privacy Impact Assessments that are required by Privacy Laws and, where necessary, consulting with the relevant Regulatory Authority in respect of any such Privacy Impact Assessments;

    11. aggregate and/or anonymize the Personal Information in order to use such aggregated and/or anonymized information, provided that such aggregated or anonymized information, as the case may be, is non-identifiable as to Customer and otherwise no longer constitutes Personal Information under applicable Privacy Laws;

    12. taking into consideration Service Provider’s role in the Processing of Personal Information, provide the level of protection for the relevant Personal Information required by applicable Privacy Laws; and

    13. notify Customer if Service Provider determines it can no longer meet its obligations under this Addendum.

  4. Service Provider hereby certifies that it understands its obligations under this Addendum (including, without limitation, the restrictions under this Section 2) and that it will comply with them. 

 

 

3. Audit Rights

Service Provider shall provide, and Customer agrees to accept, Service Provider’s most current third-party certifications as may be relevant and available in respect of the Services. Service Provider shall provide Customer (or its representatives) with access to information necessary to demonstrate Service Provider’s compliance with this Addendum.

4. Sub-processing 

Subject to Clause 6, Customer acknowledges and agrees that Service Provider shall use sub-processors (including Service Provider affiliates) to provide the Services. Service Provider shall enter into a written contract with each such sub-processor that imposes obligations on the sub-processor that are substantially similar to those imposed on Service Provider under this Addendum (provided that obligations imposed on Service Provider that are legally required only under a future Privacy Law need not be imposed on a sub-processor prior to the effective date of such Privacy Law).  Service Provider shall only retain sub-processors that Service Provider can reasonably expect to appropriately protect the privacy, confidentiality and security of the Personal Information. 

5. Privacy Breach Notification

Service Provider shall notify Customer in writing without undue delay upon Service Provider becoming aware of a Privacy Breach. Service Provider shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Privacy Breach to the extent within Service Provider’s control and shall keep Customer informed of material developments in connection with the Privacy Breach.

6. Data Transfers

Customer acknowledges and agrees that in the course of providing the Services to Customer, Service Provider may transfer Personal Information outside of North America (Canada/US).

7. Termination

  1. This Addendum shall come into force on the Effective Date of the Agreement and shall remain in force until the termination or expiry of the Agreement.

  2. Upon the termination of the Agreement or at such other times as instructed by Customer in writing, Service Provider shall securely dispose of (or, at Customer’s request, return) the Personal Information and all existing copies, subject to Service Provider’s requirements to retain certain Personal Information in order to comply with its legal and regulatory obligations and applicable law or as otherwise necessary in the context of any disputes or litigation. In the event applicable law does not permit Service Provider to comply with the delivery or destruction of the Personal Information, Service Provider warrants that it shall ensure the confidentiality of the Personal Information in accordance with applicable law.

8. Updates to this Addendum

In the event of changes to applicable Privacy Laws, including, but not limited to, the amendment, revision or introduction of new laws, regulations, or other legally binding requirements to which either party is subject, the parties agree to revisit the terms of this Addendum, and negotiate any appropriate or necessary updates in good faith, including the addition, amendment, or replacement of any schedules.  

9. Governing Law and Jurisdiction of Addendum 


  1. This Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed in accordance with the jurisdiction set out under the Agreement.
