Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the agreement (“Agreement”) governing the RightFind® services provided by Copyright Clearance Center, Inc. (“CCC”), RightsDirect B.V., or the other relevant subsidiary of CCC which is a party to such Agreement (the “Provider”) to the Customer identified in such Agreement (“Customer” and together with Provider, the “Parties”). This DPA is a binding agreement between Provider and Customer and shall govern any Processing of Personal Data (as such terms are defined below) by Provider under the Agreement; provided that this DPA shall not apply where there is a written, mutually executed agreement in place between the Parties which expressly governs the Processing of Personal Data under the Agreement. Except as modified by this DPA, the terms of the Agreement shall remain in full force and effect. 


Capitalized terms used in this DPA shall have the meanings set forth below.

1.1        “Agreement” has the meaning set forth above;

1.2       “Applicable Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states and the United Kingdom which are applicable to the processing of Personal Data under the Agreements, including but not limited to the EU General Data Protection Regulation (2016/679) (“GDPR”) and “UK GDPR” (as defined in the UK Data Protection Act 2018);

1.3       “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” and “Personal Data Breach” each have the meanings given to them in the GDPR;

1.4       “Mandatory Clauses” means the Part 2: Mandatory Clauses of the UK SCC Addendum.

1.5       “Processing” has the meaning set out in the GDPR and “Process” and “Processed” shall be construed accordingly;

1.6       “Services” means those services to be provided by Provider to Customer pursuant to the Agreement.

1.7       “UK SCC Addendum” means the template Addendum B.1.0 issued by the Information Commissioner’s Office and laid before UK Parliament in accordance with s119A of the UK Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses.


2.1        Each Party will comply with Applicable Data Protection Laws with respect to the Processing of Personal Data pursuant to the Agreement. The following provisions of this Section 2 are in addition to, and do not relieve, remove or replace, a Party’s obligations under the Applicable Data Protection Laws.

2.2        The Parties acknowledge and agree that the European Commission has adopted standard contractual clauses that became effective from 4 June 2021 (“EU Standard Contractual Clauses”) to permit the transfer of Personal Data from the European Union to Third Countries. Such EU Standard Contractual Clauses are incorporated herein by reference and shall govern the transfer of Personal Data from the European Union to Third Countries and the Processing of such Personal Data under the Agreement and this DPA. Each Party acknowledges that for the purposes of the GDPR and other Applicable Data Protection Laws, Customer is the Data Controller and Provider is the Data Processor. Accordingly, the “Module 2 – Transfer from Controller to Processor” clauses of the EU Standard Contractual Clauses shall apply. The parties further agree that under Module 2 of the EU Standard Contractual Clauses: (i) per Clause 9, Provider has the Customer’s general written authorization under the Agreement to engage sub-processors; (ii) unless otherwise agreed by the parties, the supervisory authority indicated in Annex I.C shall act as competent supervisory authority; (iii) per Clause 17, the EU Standard Contractual Clauses shall be governed by the law of The Netherlands; and (iv) per Clause 18, the courts of The Netherlands shall resolve any dispute arising from the EU Standard Contractual Clauses.

2.3        To the extent the Processing includes any Restricted Transfers as defined in the UK GDPR, the Mandatory Clauses are hereby incorporated by reference. For purposes of such Mandatory Clauses in relation to this DPA, the “Addendum EU SCCs” as referenced therein shall mean the EU Standard Contractual Clauses, and the “Appendix Information” referenced therein shall be as provided in Annexes I-III attached hereto.

2.4        Provider will perform Processing activities in relation to Personal Data provided or made accessible by or on behalf of Customer, and/or by Data Subjects who use the Services, as part of the Services, which Personal Data shall be provided to Provider with the consent of the Data Subject(s) as obtained by Customer, or other legal basis, in accordance with Applicable Data Protection Laws.

2.5        The details of the Data Processing under the Agreement are as set forth on Annexes I to III attached hereto.

2.6        Without prejudice to the generality of this Section 2, Provider shall, in relation to any Personal Data Processed in connection with the performance by Provider of its obligations under the Agreement: 

(a)        Process that Personal Data only on the written instructions of the Customer, unless Provider is required to do otherwise by Applicable Data Protection Laws or other applicable laws; 

(b)        ensure that it has in place appropriate technical and organizational measures to protect against unauthorized or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful Processing or accidental loss, destruction or damage and the nature of the Personal Data to be protected, taking into account the state of technological development and the cost of implementing any measures, ensuring confidentiality, integrity, and availability of Processor’s systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner in the event of a Personal Data Breach, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it;

(c)        ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential and to treat the Personal Data in accordance with this DPA; and

(d)        not transfer any Personal Data to countries outside of the European Union, the European Economic Area, Switzerland or the United Kingdom which do not ensure an adequate level of data protection within the meaning of the Applicable Data Protection Laws (“Third Countries”), unless the following conditions are fulfilled:

(i)         Provider has provided appropriate safeguards in relation to the transfer;

(ii)         Provider complies with its obligations under the Applicable Data Protection Laws by providing an adequate level of protection to any Personal Data that is transferred; and

(iii)        Provider complies with reasonable instructions provided to it in advance by Customer with respect to the processing of the Personal Data;

(e)        assist Customer in responding to any request from a Data Subject and in complying with its obligations under Applicable Data Protection Laws with respect to security, Personal Data Breach notifications, impact assessments and consultations with supervisory authorities or regulators; 

(f)         notify Customer promptly on becoming aware of a Personal Data Breach and provide further information about the Personal Data Breach to the Customer without undue delay as such information becomes available; 

(g)        at the written direction of Customer, delete or return Personal Data and copies thereof to Customer on termination of the Agreement unless permitted by the Applicable Data Protection Laws to store the Personal Data;

(h)        maintain complete and accurate records and information to demonstrate its compliance with this Section 2 and conduct periodic audits to verify the adequacy of its privacy and security measures, which audits (a) will be performed at least annually; (b) will be performed according to ISO/IEC 27001:2013 (“ISO 27001”) standards or such other alternative standards that are substantially equivalent to ISO 27001; (c) will be performed by independent third party security professionals at Provider’s selection and expense; and (d) will result in the generation of an audit report (“Report”), which will be Provider’s Confidential Information under the Agreement;

(i)         provide a copy of the Report to Customer upon Customer’s written request, subject to appropriate non-disclosure agreement; provided that, if, in the reasonable opinion of Customer, the Report does not provide adequate information to assess Provider’s compliance with Applicable Data Privacy Laws, Customer shall notify Provider in writing of the specific information that Customer deems to be inadequate, and Provider will use commercially reasonable efforts to provide, within 30 days of receipt of the notification, further information as necessary to render the identified information adequate, and the Parties shall escalate any dispute regarding the information to its appropriate officers for resolution. If the Parties are unable to resolve the dispute after reasonable efforts, Customer shall, at Provider’s request, allow for and contribute to audits of the information deemed inadequate in Customer’s reasonable opinion; in which case Provider shall permit the Customer or another auditor mandated by the Customer to inspect, copy and review any relevant records to assess Provider’s compliance with the provisions of Applicable Data Protection Laws as required pursuant to Clauses 8.9(c) and 8.9(d) of the EU Standard Contractual Clauses (defined below). Any such review shall be subject to Provider’s data privacy and security and confidentiality obligations to third parties;

 (j)        inform Customer promptly if it considers in its opinion that any of the Customer’s instructions violate the Applicable Data Protection Laws.

If Provider enters into an agreement with a third party subprocessor to fulfill its responsibilities under the Agreement, any such agreement shall incorporate terms which are substantively the same as those set out in this Section 2. Provider’s current subprocessors are set forth on Annex III attached hereto.



Data exporter(s): Customer

Role (controller/processor): Controller

Data importer(s): Provider

Address: As set forth in the Agreement
Contact person’s name, position and contact details: As set forth in the Agreement
Activities relevant to the data transferred: Authorized officer of Provider
Role (controller/processor): Processor

B. Description of Transfer

Categories of data subjects whose personal data is transferred

  • End users of the Services provided to Customer who conduct transactions via or otherwise use the Services.

Categories of personal data transferred

  • Names, titles, professional license/certification information, business contact address and email address, phone number, facsimile number, other invoicing information, company-id, user-id, department, division, cost center, PSP-element, credit card information (only where used for specific document orders), institution affiliation, data relating to usage of the Services.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

  • None.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Continuous, as described in the Agreement.

Nature of the processing

  • As described in the Agreement.

Purpose(s) of the data transfer and further processing

  • As described in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

  • The subject matter and duration of the Processing of Personal Data shall be consistent with the Agreement and the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • See Annex III attached.

Location of processing

  • RightsDirect B.V., Johan Cruijff Boulevard 65, 1101 DL Amsterdam, The Netherlands
  • Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, Massachusetts 01923 USA
  • Any other location of Provider as identified in the Agreement
  • See also list and description of sub-processors on Annex III


  • Dutch Data Protection Authority



Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

  • Provider is ISO/IEC27001:2013 certified and is audited annually under AICPA SOC II Type 2. Copies of the ISO Certificate and SOC II Type 2 report will be provided on request, subject to appropriate non-disclosure agreement.



The Controller has authorized the use of the following sub-processors:

Company name of Authorized Subprocessor: Copyright Clearance Center, Inc. (if Provider is an entity other than CCC)
Details of the Point of Contact: Lauren Tulloch, Vice President and Managing Director, Corporate Solutions
Details of the processing: Full back office support for the Services, including storage of Personal Data.
Service location: Danvers, Massachusetts, United States
Additional safeguards (only in case of data transfer outside the EEA): Contractual agreement and annual review of security and privacy practices per Company’s ISO/IEC27001:2013 and SOC 2 Type 2 audits

Company name of Authorized Subprocessor: 5CA International B.V., Catharijnesingel 30E, 3511 GB Utrecht, The Netherlands
Details of the Point of Contact: Internal contact for CCC is Tom Ogier, Director of Customer Service. We cannot share PII for vendor.
Details of the processing: Customer Service as initiated by the Data Subject
Service location: Services provided globally
Additional safeguards (only in case of data transfer outside the EEA): Contractual agreement and annual review of security and privacy practices per Company’s ISO/IEC27001:2013 and SOC 2 Type 2 audits.

Company name of Authorized Subprocessor: EPAM Systems, Inc., 41 University Drive, Suite 2020, Newtown Pennsylvania, USA, 18940
Details of the Point of Contact: Internal contact for CCC is Michael Farrar, VP Engineering. Provider cannot share PII for vendor
Details of the processing: Response to technical service inquiries as initiated by the Data Subject
Service location: Services provided from within EEA and United States
Additional safeguards (only in case of data transfer outside the EEA): Contractual agreement and annual review of security and privacy practices per Company’s ISO/IEC27001:2013 and SOC 2 Type 2 audits.

*Last updated 5 October 2022