Data Protection Addendum

Last modified: August 30, 2021

The following DPA constitute an integral and substantial part of the Terms, as mentioned under the Enterprise Terms and Conditions https://www.gett.com/il/legal/roaming/enterprise-terms-and-conditions/

Capitalized terms used herein but not defined herein shall have the meanings set forth under Terms.

1. INTERPRETATION

In this DPA the following terms have the following meanings:

1.1 the terms “Controller”, “Commission”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Processor” have the meanings given to them in article 4 of the GDPR (and their cognates are to be interpreted accordingly); The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA; For the purpose of clarity, within this DPA “Controller” shall also mean “Business”, “Processor” shall also mean “Service Provider”, and “Personal Data” shall also mean “Personal Information”. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider.

1.2 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity;

“Applicable Privacy Laws” means applicable laws on data protection or data privacy including (without limitation) the GDPR, the UK GDPR the Data Protection Act 2018, and the CCPA, as applicable to the Processing of Personal Data hereunder;

“Authorized Affiliate” means any of Your Affiliate(s) which is explicitly permitted to use the Services pursuant to the Terms between You and Us but has not signed its own agreement with Us and is not You as defined under the Terms;

“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq.

“GDPR” means General Data Protection Regulation (EU) 2016/679;

“Group” means, in relation to Us, Us, any subsidiary or any holding company from time to time of Us, and any subsidiary from time to time of a holding company of Us. Each company in the Group is a “Group Member Company”;

“Services” the technology platform services provided by Us, in accordance with the terms of the Terms;

“Standard Contractual Clauses” means either the standard contractual clauses approved by the European Commission for the transfer of Personal Data to processors or those for the transfer of Personal Data to controllers (as the context requires), in each case established in third countries which do not ensure an adequate level of data protection, and current as at the date of the transfer (or, where the UK GDPR applies, any equivalent set of clauses approved by the Secretary of State);

“Sub-Processor” has the meaning given in clause 3.2.5;

“UK GDPR” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018, as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019. In this Terms, in circumstances where the UK GDPR applies, references to the GDPR and its provisions will be construed as references to the UK GDPR and its corresponding provisions, and references to EU or Member State law shall be construed as references to UK law; and

1.3 the word “including” and its cognates are to be construed without limitation.

2. ROLES OF THE PARTIES

2.1 Where Our Processes Personal Data in the course of performing the Services:

2.1.1 the parties acknowledge that We will act as a Processor on behalf of You as Controller for the limited purpose of registering/de-registering Service Users (as such term is defined in the Terms) at the behest of You (the “Processed Personal Data”); and

2.1.2 subject to clause 2.1.1, the parties acknowledge that We are an independent Controller of Personal Data.

2.2 Each party shall comply with its obligations under Applicable Privacy Laws in relation to the Processing of Personal Data subject to this DPA.

3. CONTROLLER-PROCESSOR PROVISIONS

3.1 Schedule 1 of this DPA (Data Processing Description) contains a description of the Processing of Processed Personal Data. The parties may from time to time jointly agree to make such changes to Schedule 1 of this DPA as are reasonably necessary to meet the requirements of article 28(3) of the GDPR or any other Applicable Privacy Law regarding information to be recorded in an agreement between a Controller and a Processor;

3.2 In respect of Our Processing of Processed Personal Data, We will:

3.2.1 only Process the Processed Personal Data on the reasonable and documented instructions of You, where such instructions are consistent with the terms of the Terms, unless otherwise required by law to which We are subjected, in which case We will inform You of that legal requirement before Processing, unless prohibited by that law;

3.2.2 ensure that all relevant employees who are directly engaged in the Processing of Processed Personal Data have committed themselves to confidentiality on appropriate terms or are under an appropriate statutory obligation of confidentiality;

3.2.3 at all times have in place technical and organisational measures to protect the Processed Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, and which are appropriate to the risks of varying likelihood and severity for the rights and freedoms of individuals that are presented by the Processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing, including, as and where appropriate: measures for the pseudonymisation and encryption of Processed Personal Data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; the ability to restore the availability of and access to Processed Personal Data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing;

3.2.4 give You such co-operation, assistance and information as You reasonably requests and We reasonably able to provide to enable You to comply with Your obligations under Applicable Privacy Laws and co-operate with Supervisory Authorities in relation to the Processed Personal Data, including, where relevant given the nature of Our Processing and the Processed Personal Data, assisting You:

(a) by taking appropriate technical and organisational measures, insofar as is possible, to respond to requests from Data Subjects to exercise rights under Applicable Privacy Laws (but We will notify You of the request before We respond to any such request); and

(b) in ensuring compliance with Your security, data breach notification, impact assessment and data protection or data privacy authority consultation obligations under Applicable Privacy Laws;

3.2.5 prior to permitting any third party to Process the Processed Personal Data (a “Sub-Processor”):

(a) ensure that the contract between Us and the Sub-Processor includes terms which afford a level of protection to the Processed Personal Data which is substantially similar to that afforded under this DPA;

(b) give You reasonable prior notice of the appointment of the Sub-Processor, and permit You to object, on reasonable grounds, to the appointment; and

(c) remain liable to You for the performance of the Sub-Processor’s obligations concerning the Processed Personal Data;

3.2.6 for the purposes of clause 3.2.5, You acknowledges the use by Us of Group Member Companies as Sub-Processors;

3.2.7 without undue delay and to the extent required under Applicable Privacy Laws, notify You upon becoming aware of any Personal Data Breach affecting the Processed Personal Data, and take such steps as You may reasonably request to assist You in addressing the adverse consequences for You; and

3.2.8 promptly inform You in writing (but without any obligation to give legal advice) if, in Our opinion, to follow an instruction given by You as contemplated by clause 3.2.1 would give rise to a breach of applicable law (in which case We will not be required to comply with the instruction until You has amended the instruction or confirmed its lawfulness); and

3.2.9 at termination or expiry of the Terms, and at the option of You (to be exercised without undue delay), delete or return to You, in a reasonable and appropriate format, all Processed Personal Data in its possession or under its control, except where continued Processing is required by applicable laws.

3.3 The obligations in clause 3.2.7 shall not apply to Personal Data Breaches that are caused by You or Service Users. You will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Personal Data Breach which directly or indirectly identifies Us (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Our prior written approval, unless, and solely to the extent that, You are compelled to do so pursuant to Applicable Privacy Laws. In the latter case, unless prohibited by law, You shall provide Us with reasonable prior written notice to provide Us with the opportunity to object to such disclosure and in any case You will limit the disclosure to the minimum scope required.

3.4 We acknowledge and confirms that We do not receive or process any Personal Data as consideration for any services or other items that We provide to You under the Terms t. We will not have, derive, or exercise any rights or benefits regarding Processed Personal Data that We Processes on Your behalf, and may use and disclose Processed Personal Data solely for the purposes for which such Processed Personal Data was provided to it, as stipulated in the Terms and this DPA. We certify that We understand the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Processed Personal Data, without Your prior written consent, nor taking any action that would cause any transfer of Processed Personal Data to or from Us under the Terms or this DPA to qualify as “selling” such Personal Information under the CCPA.

4. CONTROLLER-CONTROLLER PROVISIONS

4.1 In relation to Our Processing of Personal Data as a Controller, and without prejudice to the generality of clause 2.2, We will:

4.1.1 make a privacy notice available to Service Users which explains how and why their Personal Data is Processed in the context of the Services;

4.1.2 comply with Our obligations under Applicable Privacy Laws with respect to any requests from Service Users to exercise their rights under said laws;

4.1.3 establish a lawful basis for each Processing activity mandated by Us as a Controller and relevant to the Services; and

4.1.4 at all times have in place appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

5. AUDIT

5.1 We will make available to You on request all information reasonably necessary to demonstrate Our compliance with this DPA, and, with respect to the Processing of Processed Personal Data, and subject to clause 5.2, permit and contribute to all reasonable audits, including inspections, conducted by You (or independent, reputable third party auditors mandated by You, that are not Our competitors, and subject to their confidentiality and non-compete undertakings towards Us).

5.2 You shall give Us reasonable notice of any audit or inspection of the Processed Personal Data to be conducted under clause 5.1 and shall use (and shall ensure that any mandated auditor uses) reasonable endeavours to prevent any damage, injury or disruption to Our premises, equipment, personnel and business. We do not need to give access to Our premises for the purposes of such an audit or inspection:

5.2.1 to any individual unless he or she produces reasonable evidence of identity and authority;

5.2.2 outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and You noticed Us that this is the case before attendance outside those hours begins; or

5.2.3 for the purposes of more than one audit or inspection in any calendar year, except for any additional audits or inspections which You are required to carry out by applicable laws or by a Supervisory Authority.

5.3 Such information, audits, inspections and the results therefrom, including the documents reflecting the outcome of the audit and/or the inspections, shall only be used by You to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Our prior written approval. Upon Our first request, You shall return all records or documentation in Your possession or control provided by Us in the context of the audit and/or the inspection).

6. INTERNATIONAL TRANSFERS

6.1 For the purposes of Chapter V of the GDPR, or similar provisions under any other Applicable Privacy Laws, We may transfer Personal Data (including, without prejudice to clause 3.2.1, Processed Personal Data) to third countries (including, without limitation, to Sub-Processors and Group Member Companies in third countries) where such transfers are conducted in a lawful manner under such Applicable Privacy Laws; and particularly where the GDPR applies, are (i) governed by the Standard Contractual Clauses; (ii) made to countries or territories which benefit from an adequacy decision under Article 45 of the GDPR; (iii) based on an international agreement under Article 48 of the GDPR; or (iv) subject to a derogation under Article 49 of the GDPR.

6.2 Where the transfer of Personal Data to Us or Our Sub-Processor is made subject to the Standard Contractual Clauses, the “data importer” thereunder shall be either Us or Our Sub-Processor, as the case may be and as determined by Us, and the “data exporter” shall be the Controller of such Personal Data. We will ensure that the relevant Sub-Processor shall (where applicable) comply with the data importer’s obligations, and the Controller shall comply with the data exporter obligations, in each case under the applicable Standard Contractual Clauses. The Standard Contractual Clauses will not apply to Personal Data that relates to individuals located outside of the European Economic Area, the United Kingdom or Switzerland, or that is not transferred, either directly or via onward transfer, outside of such countries.

7. GOVERNING LAW AND JURISDICTION

7.1 The parties submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination, or the consequences of its nullity.

7.2 This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for the equivalent purpose in the Terms.

8. AUTHORIZED AFFILIATES

8.1 The parties acknowledge and agree that, by executing the DPA, You enter into the DPA on behalf of Your and, as applicable, in the name and on behalf of Your Authorized Affiliates, in which case each Authorized Affiliate agrees to be bound by Your obligations under this DPA, if and to the extent that Our Processes Personal Data on the behalf of such Authorized Affiliates, thus qualifying them as the “Controller”. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Terms and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by You.

8.2 You shall remain responsible for coordinating all communication with Us under the Terms and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of Our Authorized Affiliates.

9. ORDER OF PRECEDENCE

9.1 Except as modified by this DPA, the terms of the Terms shall remain in full force and effect.

9.2 With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Terms, the provisions of this DPA shall prevail.

10. SEVERANCE

Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.


SCHEDULE 1

DATA PROCESSING DESCRIPTION

1. Subject matter and duration of the Processing of Processed Personal Data

The subject matter of the Processing of Processed Personal Data by Us on behalf of You is limited to the registration and de-registration of Service Users which are Your employees, consultants, and guests, to Our B2B platform.
Until the latest of (a) termination of the Terms in accordance with its terms; or (b) the date upon which Processing is no longer necessary for the purposes of either party performing its respective obligations under this Terms (to the extent applicable) or (c) Processing for the purpose of compliance with applicable law.

2. Nature and purpose of Processing

Nature: collection, storage, duplication, electronic viewing, deletion and destruction.
Purpose: registration and de-registration of Service Users to Our B2B platform

3. Types of Processed Personal Data

Personal details (e.g. name, home address, business address), contact information (e.g. mobile phone number, pick-up and drop-off locations, employer/organization, position/job title)

4. Categories of Data Subjects
• Service Users