This data transfer agreement (the “DTA”) supplements the data processing clauses in the agreement between isla and the Customer relating to the provision of isla’s TRACE services (the “TRACE Customer Agreement”, which term shall include the services order form agreed by the parties). This DTA applies in relation to international transfers of personal data that are restricted under EU and/or UK data protection laws.
1. Definitions
1.1 In this DTA, in addition to the words and phrases defined in the TRACE Customer Agreement:
“Applicable Safeguards” means:
(a) in relation to Restricted Transfers under the EU GDPR, the EU Standard Contractual Clauses; and
(b) in relation to Restricted Transfers under the UK GDPR, the EU Standard Contractual Clauses as modified by the UK Addendum;
“EU GDPR” means the EU General Data Protection Regulation 2016/679, as amended, superseded or replaced from time to time;
“EU Standard Contractual Clauses” means the Standard Contractual Clauses in the annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as referenced in and adapted in accordance with Attachment 1;
“Inter-Party Transfer” means a Restricted Transfer of Relevant Personal Data made by the Customer to isla or by isla to the Customer;
“Relevant Personal Data” means:
(a) the Customer Personal Data; and
(b) any other Personal Data that is provided or made available directly or indirectly by the Customer to isla, or by isla to the Customer, under or in connection with the TRACE Customer Agreement from time to time;
“Restricted Transfer” means an international transfer of Personal Data that is:
(a) restricted under Article 44 of the EU GDPR and is not to a jurisdiction that the Commission has decided ensures an adequate level of protection under Article 45 of the EU GDPR; and/or
(b) restricted under Article 44 of the UK GDPR and is not to a jurisdiction that is the subject of adequacy regulations under Section 17A of the Data Protection Act 2018;
“Subsequent Transfer” means a Restricted Transfer of Relevant Personal Data:
(a) by isla to any third party, or by any third party acting on behalf of isla, where the Relevant Personal Data was provided or made available directly or indirectly by the Customer to isla; or
(b) by the Customer to any third party, or by any third party acting on behalf of the Customer, where the Relevant Personal Data was provided or made available directly or indirectly by isla to the Customer;
“UK GDPR” means EU GDPR as incorporated into UK law by the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, as amended, superseded or replaced from time to time; and
“UK Addendum” means the UK addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018, as referenced in Attachment 4.
2. Term
2.1 This DTA shall come into force on the Effective Date and shall continue in force until the termination of the TRACE Customer Agreement.
3. Transfers
3.1 The parties agree that all Inter-Party Transfers shall be subject to the Applicable Safeguards, which are deemed in each case to be adapted and/or completed using the information set out:
(a) in relation to Inter-Party Transfers made by the Customer acting as controller to isla acting as controller or processor, in Attachment 2; and
(b) in relation to Inter-Party Transfers made by isla acting as controller or processor to the Customer acting as controller, in Attachment 3.
3.2 In relation to Subsequent Transfers of Personal Data provided or made available by the Customer to isla, isla must ensure that the Applicable Safeguards shall apply; and in relation to Subsequent Transfers of Personal Data provided or made available by isla to the Customer, the Customer must ensure that the Applicable Safeguards apply. A party that is obligated to ensure that Applicable Safeguards apply with respect to a Subsequent Transfer must promptly, following receipt of a written request from the other party, provide to the other party reasonable written evidence of those Applicable Safeguards and their execution.
3.3 The Applicable Safeguards applying between the Customer and isla are hereby incorporated into the TRACE Customer Agreement, but only with respect to each specific Inter-Party Transfer and the Relevant Personal Data that is the subject of each specific Inter-Party Transfer.
4. Protection and conflicts
4.1 If Applicable Safeguards under both the EU GDPR and the UK GDPR apply, then those provisions specifying a higher standard of protection for the relevant Personal Data shall apply in place of those specifying a lower standard of protection.
4.2 If there is a conflict between the Applicable Safeguards as applied by this DTA and the provisions of the TRACE Customer Agreement, then those provisions specifying a higher standard of protection for the relevant Personal Data shall apply in place of those specifying a lower standard of protection.
5. Changes
5.1 isla may by giving at least 30 days’ written notice to the Customer change the Applicable Safeguards that apply to any Restricted Transfers to the extent permitted by the EU GDPR and/or the UK GDPR, and in particular:
(a) with respect to the EU GDPR, if the Commission decides that new or alternative standard contractual clauses shall apply;
(b) with respect to the UK GDPR, if the UK Secretary of State makes regulations specifying that new or alternative standard contractual clauses shall apply.
5.2 The parties acknowledge that Applicable Safeguards may cease to be required by this DTA, and accordingly may cease to apply:
(a) with respect to the EU GDPR, because of a Commission decision that a jurisdiction ensures an adequate level of protection under Article 45 of the GDPR;
(b) with respect to the UK GDPR, because of adequacy regulations under Section 17A of the Data Protection Act 2018.
5.3 Without prejudice to isla’s rights under Clause 5.1, if any changes or prospective changes to the Data Protection Laws result or will result in one or both parties not complying with the Data Protection Laws in relation to Restricted Transfers carried out under the TRACE Customer Agreement, then the parties shall use their best endeavours promptly to agree such variations to this DTA as may be necessary to remedy such non-compliance.
ATTACHMENT 1 (ADAPTATIONS TO EU STANDARD CONTRACTUAL CLAUSES)
Provision | Adaptation |
Clause 7 | Clause 7 shall be included. |
Clause 9 | The “GENERAL WRITTEN AUTHORISATION” text shall apply, and the “SPECIFIC WRITTEN AUTHORISATION” text shall be deleted. The time period referenced in paragraph 1 of that text shall be 7 days. |
Clause 11 | The optional text in Clause 11 shall be omitted. |
Clause 17 | With respect to Modules 1, 2 and 3, the “OPTION 1” text shall apply, and the “OPTION 2” text shall be omitted. The relevant law specified in the TRACE Customer Agreement as being applicable to the clauses shall govern the clauses (or if no relevant law is specified, then the law of Ireland shall govern the clauses). |
Clause 18 | The courts specified in the TRACE Customer Agreement shall resolve disputes arising from the clauses (or if no applicable courts are specified, then the courts of Ireland shall resolve such disputes). |
A copy of the EU Standard Contractual Clauses can be seen at https://traceyour.events/eu-standard-contractual-clauses.
ATTACHMENT 2 (TRANSFER INFORMATION – CUSTOMER TO ISLA)
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
1. | |
Name: | The Customer, as identified in the TRACE Customer Agreement |
Address: | As specified in the TRACE Customer Agreement |
Contact person’s name, position and contact details: | As specified in the TRACE Customer Agreement |
Activities relevant to the data transferred under these Clauses: | Contracting for, receiving and enabling the administration of the Services to be provided by isla under the TRACE Customer Agreement |
Signature and date: | By signing the Services Order Form, the parties have agreed the provisions of the Applicable Safeguards |
Role (controller/processor): | Controller |
Data importer(s):
1. | |
Name: | isla, as identified in the TRACE Customer Agreement |
Address: | As specified in the TRACE Customer Agreement |
Contact person’s name, position and contact details: | As specified in the TRACE Customer Agreement |
Activities relevant to the data transferred under these Clauses: | Contracting for, providing and administering the Services to be provided to the Customer under the TRACE Customer Agreement |
Signature and date: | By signing the Services Order Form, the parties have agreed the provisions of the Applicable Safeguards |
Role (controller/processor): | Processor (except where specified as controller in B below) |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred | (1) Customer personnel (isla acts as processor) (2) Customer personnel and isla personnel (isla acts as controller) |
Categories of personal data transferred | (1) Names, email address and associated application usage data (2) Business identity and contact information (names, business names, addresses, phone numbers, email address, job title) |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | (1) & (2) None |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | (1) When uploaded by Customer to isla systems, typically on a regular basis (2) When isla is communicating with the Customer |
Nature of the processing | (1) Processing by isla in the course of the provision of the Services (2) Processing by isla in managing its relationship with Customer |
Purpose(s) of the data transfer and further processing | (1) Provision of the Services (2) Enabling the provision of the Services, the provision of support to the Customer, communications between the parties, invoicing and billing, accounting, general administration, the negotiation and execution of contracts and orders, sending notifications to the Customer, marketing |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | (1) In accordance with the TRACE Customer Agreement (2) In accordance with the isla privacy policy |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | (1) In accordance with the TRACE Customer Agreement (2) In accordance with the isla privacy policy |
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 | As specified in the TRACE Customer Agreement |
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Measure | Description |
As specified in any security policy document(s) referenced in the TRACE Customer Agreement or otherwise agreed by the parties. | As specified in any security policy document(s) referenced in the TRACE Customer Agreement or otherwise agreed by the parties. |
ANNEX III
LIST OF SUB-PROCESSORS
Not applicable, as the Customer has granted to isla general authorisations in relation to the appointment of sub-processors.
ATTACHMENT 3 (TRANSFER INFORMATION – ISLA TO CUSTOMER)
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
1. | |
Name: | isla, as identified in the TRACE Customer Agreement |
Address: | As specified in the TRACE Customer Agreement |
Contact person’s name, position and contact details: | As specified in the TRACE Customer Agreement |
Activities relevant to the data transferred under these Clauses: | Contracting for, providing and administering the Services to be provided to the Customer under the TRACE Customer Agreement |
Signature and date: | By signing the Services Order Form, the parties have agreed the provisions of the Applicable Safeguards |
Role (controller/processor): | Processor (except where specified as controller in B below) |
Data importer(s):
1. | |
Name: | The Customer, as identified in the TRACE Customer Agreement |
Address: | As specified in the TRACE Customer Agreement |
Contact person’s name, position and contact details: | As specified in the TRACE Customer Agreement |
Activities relevant to the data transferred under these Clauses: | Contracting for, receiving and enabling the administration of the Services to be provided by isla under the TRACE Customer Agreement |
Signature and date: | By signing the Services Order Form, the parties have agreed the provisions of the Applicable Safeguards |
Role (controller/processor): | Controller |
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred | (1) Customer personnel (isla acts as processor) (2) Customer and isla personnel (isla acts as controller) |
Categories of personal data transferred | (1) Names, email address and associated application usage data (2) Business identity and contact information (names, business names, addresses, phone numbers, email address, job title) |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. | (1) & (2) None |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). | (1) When transferred to the Customer at the instigation of the Customer using isla systems, typically on a regular basis (2) When the Customer is communicating with isla |
Nature of the processing | (1) Processing by the Customer in the course of receiving and benefiting from the Services (2) Processing by the Customer in the course of managing its relationship with isla |
Purpose(s) of the data transfer and further processing | (1) Receipt of the Services (2) Enabling the receipt of the Services, the receipt of support, communications between the parties, payments, accounting, general administration, the negotiation and execution of contracts and orders |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period | (1) & (2) In accordance with the Customer’s (or other relevant controller’s) privacy policy |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing | (1) & (2) In accordance with the Customer’s (or other relevant controller’s) privacy policy |
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13 | As specified in the TRACE Customer Agreement |
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Measure | Description |
As specified in any security policy document(s) referenced in the TRACE Customer Agreement or otherwise agreed by the parties. | As specified in any security policy document(s) referenced in the TRACE Customer Agreement or otherwise agreed by the parties. |
ANNEX III
LIST OF SUB-PROCESSORS
Not applicable, as the Customer acts as controller with respect to all relevant transfers.
ATTACHMENT 4 (UK ADDENDUM)
A copy of the UK Addendum can be seen at https://traceyour.events/uk-addendum.