ANNEX
A. LIST OF PARTIES
Data exporter(s): Customer
Role (controller/processor): Controller
Data importer(s): Provider
Name:
Address: As set forth in the Agreement
Contact person’s name, position and contact details: As set forth in the Agreement
Activities relevant to the data transferred: Authorized officer of Provider
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- End users of the Services provided to Customer who conduct transactions via or otherwise use the Services.
Categories of personal data transferred
- Names, titles, professional license/certification information, business contact address and email address, phone number, facsimile number, other invoicing information, company-id, user-id, department, division, cost center, PSP-element, credit card information (only where used for specific document orders), institution affiliation, data relating to usage of the Services.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
- None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
- Continuous, as described in the Agreement.
Nature of the processing
- As described in the Agreement.
Purpose(s) of the data transfer and further processing
- As described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
- The subject matter and duration of the Processing of Personal Data shall be consistent with the Agreement and the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
- See Annex III attached.
Location of processing
- RightsDirect B.V., Johan Cruijff Boulevard 65, 1101 DL Amsterdam, The Netherlands
- Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, Massachusetts 01923 USA
- Any other location of Provider as identified in the Agreement
- See also list and description of sub-processors on Annex III
C. COMPETENT SUPERVISORY AUTHORITY
- Dutch Data Protection Authority
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
- Provider is ISO/IEC 27001:2013 certified and is audited annually under AICPA SOC II Type 2. Copies of the ISO Certificate and SOC II Type 2 report will be provided on request, subject to an appropriate non-disclosure agreement.
ANNEX III
LIST OF SUB-PROCESSORS*
The Controller has authorized the use of the following sub-processors:
Company name of Authorized Subprocessor | Details of the Point of Contact | Details of the processing | Service location | Additional safeguards (only in case of data transfer outside the EEA) |
---|---|---|---|---|
Copyright Clearance Center, Inc. (if Provider is an entity other than CCC) | Lauren Tulloch, Vice President and Managing Director, Corporate Solutions | Full back office support for the Services, including storage of Personal Data. | Danvers, Massachusetts, United States | Contractual agreement and annual review of security and privacy practices per Company’s ISO/IEC 27001:2013 and SOC 2 Type 2 audits |
5CA International B.V., Catharijnesingel 30E, 3511 GB Utrecht, The Netherlands | Internal contact for CCC is Tom Ogier, Director of Customer Service. We cannot share PII for vendor. | Customer Service as initiated by the Data Subject | Services provided globally | Contractual agreement and annual review of security and privacy practices per Company’s ISO/IEC 27001:2013 and SOC 2 Type 2 audits. |
EPAM Systems, Inc., 41 University Drive, Suite 2020, Newtown, Pennsylvania, USA, 18940 | Internal contact for CCC is Michael Farrar, VP Engineering. Provider cannot share PII for vendor | Response to technical service inquiries as initiated by the Data Subject | Services provided from within EEA and United States | Contractual agreement and annual review of security and privacy practices per Company’s ISO/IEC 27001:2013 and SOC 2 Type 2 audits. |
*Last updated 5 October 2022