Data Processing Addendum
This Data Processing Addendum (“DPA”) is supplemental to, and forms part of, Your Agreement with Suzy, Inc. (“Suzy”). This DPA supersedes and replaces any existing data processing terms in place between You and Suzy relating to the Processing of Personal Data.
1.0 Definitions
1.1. For purposes of this DPA, the following terms shall have the following meanings:
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the Party. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the Party.
“Agreement” means the agreement between Suzy and You for the Services. Such agreement may have various titles, such as “Master Services Agreement,” “Terms and Conditions”, “Order Form,” or “Sales Order”.
“Applicable Data Protection Law” means all data protection, privacy, and security laws applicable to the respective Party in its respective role in the Processing of Personal Data under the Agreement, which may include without limitation Canadian Data Protection Law, European Data Protection Law, UK Data Protection Law, or U.S. Data Protection Law.
“BCRs" means the binding corporate rules approved pursuant to Article 47 and 63 of the GDPR.
“Canadian Data Protection Law” means the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and any update, amendment, or replacement of same.
“Client”, “You”, or “Your” means the company that is identified on and/or is party to the Agreement. To the extent required under Applicable Data Protection Law, and for the purposes of this DPA only, the term “Client”, “You”, or “Your” shall include Client’s Affiliates.
“Client Personal Data” means Personal Data that Client controls and discloses, provides, or otherwise makes available to Suzy pursuant to the Agreement or to which access was provided to Suzy by or at the direction of Client.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data, including as applicable any “business” as that term is defined by the CCPA.
"Data Personnel” means a Party’s personnel who have access to the other Party’s Personal Data.
“Data Subject” means the identified or identifiable person to whom Personal Data relates, or as otherwise termed and defined by Applicable Data Protection Law.
“Data Subject Request” means any request from a Data Subject to exercise rights afforded to the Data Subject under Applicable Data Protection Law in relation to Personal Data, including, as applicable, the following: access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or objection to automated individual decision making.
“EEA” means the Member States of the European Union (“EU”) and Iceland, Liechtenstein, and Norway.
"European Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) as implemented by countries within the EEA; (ii) the European Union e-Privacy Directive 2002/58/EC as implemented by countries within the EEA; (iii) other EU, EEA or European single market Member State laws or regulations that are similar, equivalent to, successors to, or that are intended to or implement the laws that are identified in (i) and (ii) above, including UK Data Protection Law; and/or (iv) any update, amendment, or replacement of same.
“Instruct” or “Instruction” means a direction, either in writing (e.g., the Agreement), in textual form (e.g., by e-mail), or by using a software or online tool, issued by You to Suzy and directing Suzy to Process Client Personal Data.
“Personal Data” or “Personal Information” means any information (a) relating to Data Subjects; or (b) “personally identifiable information”, “personal information”, “personal data” or similar terms, as such terms are defined under Applicable Data Protection Law.
“Process”, “Processed”, “Processes” or “Processing” means any activity, operation, or set of operations performed upon Personal Data, individually or in sets, whether or not by automated means, such as collecting, retrieving, obtaining, holding, accessing, using, structuring, recording, organizing, storing, adapting or altering, consultation, disclosure by transmission, transferring, sharing, dissemination or otherwise making available to third parties, alignment or combination, blocking, erasing, or destruction. For the avoidance of doubt, the definition includes any activity that the Applicable Data Protection Law may otherwise include.
“Processor” means an entity which engages in the Processing of Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
“Regulator Correspondence” means any correspondence or communication received from a Supervisory Authority relating to Personal Data.
“Relevant Transfer” means any transfer of Personal Data: (a) made by a Party; (b) from the European Union, the EEA and/or their member states, the United Kingdom and/or Switzerland to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Law; and (c) subject to Applicable Data Protection Law.
“Respondents” means Suzy’s Members and Global Audiences, each as defined in the Suzy Privacy Policy, and all other Data Subjects who utilize Suzy’s platforms to respond to Actions, as defined in the Privacy Policy.
“Security Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed. For the avoidance of doubt, a Security Breach does not include, for example, unsuccessful attempts or activities that do not compromise the security of personal data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
“Security Incident” means any act or omission that compromises the security, confidentiality, integrity, or availability of Personal Data or the physical, technical, administrative, or organizational safeguards put in place to protect it.
“Sell” or “Sale” has the meaning ascribed in the CCPA.
“Services” means the services provided pursuant to the Agreement.
“SCCs” or “Standard Contractual Clauses” means (i) where the GDPR applies, the SCCs (EU Controller to Controller), the SCCs (EU Controller-to-Processor), or the SCCs (EU Processor-to-Processor), as applicable; and (ii) where the UK Data Protection Law applies, the UK Addendum.
“SCCs (EU Controller-to-Controller)” means the SCCs for the transfer of Personal Data to third countries approved by the European Commission’s decision 2021/914/EC of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (the “EU SCCs”), Module One, in accordance with the terms of Schedule 2 (EEA Addendum).
“SCCs (EU Controller-to-Processor)” means the EU SCCs, Module Two, in accordance with the terms of Schedule 2.
“SCCs (EU Processor-to-Processor)” means the EU SCCs, Module Threein accordance with the terms of Schedule 2.
“SCCs (EU Processor-to-Controller)” means the EU SCCs, Module Four, in accordance with the terms of Schedule 2.
“UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner, Version B1.0, as currently provided at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf and as revised under Section 18 of the International Data Transfer Addendum, as set out in Schedule 4 to this DPA.
“Sub-processor” means any Processor engaged to assist in fulfilling the Services and/or obligations under the Agreement.
“Supervisory Authority” means an independent public authority established under, or tasked with the regulation and enforcement of, Applicable Data Protection Law, including (but not limited to) supervisory authorities established by an EU Member State pursuant to the GDPR, the UK’s Information Commissioner’s Office, or the California Privacy Protection Agency.
“UK Data Protection Law” means the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) and the UK Data Protection Act 2018 (as amended), together with all data protection, privacy, and security laws applicable in the United Kingdom.
“U.S. Data Protection Law” means all U.S. laws and regulations that apply to Processing of Personal Data under the Agreement, including without limitation: the Colorado Privacy Act (Colo. Rev. Stat. § 6-1-1301 et seq.); the Illinois Biometric Information Protection Act (740 ILCS 14 et seq.); the Virginia Consumer Data Protection Act (Va. Code § 59.1-571 et seq.); the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as expanded by the California Privacy Rights Act (together, the “CCPA”); and the implementation regulations, amendments, or replacements of same.
2.0 Relationship of the Parties; Scope of DPA
2.1. The Parties acknowledge that the factual arrangements between them dictate the classification (i.e., Controller or Processor) of each Party under Applicable Data Protection Law. The Parties acknowledge that each Party may serve in different capacities when performing different Processing activities or when Processing different categories of Personal Data.
2.2. Suzy’s Roles. Suzy anticipates that during the term of the Agreement, Suzy will act in the capacities set forth at https://suzy.com/s/Suzys-Roles-Data-Controller_Processorpptx.pdf (as may be updated from time to time) (“Suzy’s Roles”) such that:
2.2.1. When and to the extent that Suzy acts as independent Controller, this DPA shall not apply. Suzy acknowledges and agrees that Suzy is independently responsible for compliance and will comply with Applicable Data Protection Law (e.g., obligations of Controllers) in such situations.
2.2.2. If and to the extent that Suzy acts as a joint Controller with Client of Personal Data, Sections 2, 3, 7, and 8 of this DPA shall apply. In such instances, Suzy shall assume responsibility for holding, Processing, and keeping the applicable Personal Data in compliance with Applicable Data Protection Laws until onward transfer to Client.
2.2.3. If and to the extent that Suzy acts as a Processor of Personal Data for Client, the entirety of this DPA shall apply.
3.0 Processing Activities; Compliance with Law
3.1. The Parties acknowledge and agree that Schedule 1 (Processing Details) to this DPA is an accurate description of the intended Processing carried out under this DPA. Both Parties shall be permitted to make amendments to Schedule 1 regarding the nature, duration, purpose, scope, types, and categories of Personal Data, on written notice to the other Party. For purposes of this section, notice to Suzy shall be by Instruction.
3.2. Each Party shall:
3.2.1. ensure that any Instructions it provides to the other Party in relation to the Processing of Personal Data shall comply with all Applicable Data Protection Laws; and
3.2.2. provide reasonable assistance to the other Party as necessary for the other Party to comply with its obligations under Applicable Data Protection Laws, provided that, notwithstanding this, each Party shall remain responsible for its own compliance with Applicable Data Protection Laws; and
3.2.3. Process the other Party’s Personal Data solely for the purposes specified in the Agreement, this DPA, and as Instructed; and
3.2.4. maintain and use Anonymous Data or De-Identified Data only in an anonymous or de-identified form and not attempt to re-identify the Data;
3.2.5. promptly, and in such period required by Applicable Data Protection Law, honor any opt-out signal that one Party communicates to the other Party that indicates a natural person has opted-out of the Sale of their Personal Data and/or sharing of their Personal Data, including without limitation by further restricting its use, retention, and other Processing of such Personal Data to those purposes that would ensure that there is no Sale or sharing of the applicable Data Subject’s Personal Data.
3.3. Security Breach and Breach Notification. If either Party becomes aware of a Security Breach involving the other Party’s Personal Data, they will take reasonable steps to notify the other Party without undue delay and no later than 48 hours after discovery of the Security Breach, providing sufficient information (to the extent that such information is known or available) and cooperation to the receiving Party to enable the receiving Party to comply with its obligations under Applicable Data Protection Law. Any such notification does not constitute acceptance of liability by the notifying Party. At the notifying Party’s own expense, the notifying Party shall take reasonable steps to:
3.3.1. remedy or mitigate the effects of the Security Breach; and
3.3.2. reduce the risk to Data Subjects whose Personal Data was involved; and
3.3.3. keep the receiving Party informed of material developments in connection with the Security Breach.
4.0. Client’s Responsibilities as Controller
4.1. Client shall, in its use of the Services and provision of Instructions: (i) control and Process Client Personal Data in accordance with the requirements of Applicable Data Protection Law; (ii) ensure that any Instructions provided to Suzy are at all times in accordance with Applicable Data Protection Laws; (iii) maintain the accuracy, quality, and legality of the Personal Data provided to Suzy by or on behalf of Client; (iv) ensure the means by which Client acquired any such Personal Data complies with Applicable Data Protection Laws, including providing any required notices and obtaining any required consents from Data Subjects; and (v) provide to Suzy, or ask Suzy to Process, the minimum amount of Personal Data necessary for the provision of the Services.
4.2. Client is responsible for its use of the Suzy Platform and its storage of any copies of Client Personal Data outside Suzy’s or Suzy’s Sub-processors’ systems, including: (i) ensuring a level of security appropriate to the risk to the Client Personal Data; (ii) securing the authentication credentials, systems, and devices Client uses to access the Suzy Platform; and (iii) backing up its Client Personal Data as appropriate.
5.0. Suzy’s Responsibilities as Processor
5.1. Suzy will comply with the following provisions when acting as Processor for Client:
5.1.1. Instructions. Suzy shall Process Client Personal Data only on Client’s Instructions, unless, in Suzy’s opinion, such Instruction(s) conflict with or infringe Applicable Data Protection Law, in which case, Suzy shall take reasonable steps to inform Client of such conflict or infringement. Notwithstanding the foregoing, Suzy shall have no obligation to monitor or review the lawfulness of any Instruction received from Client.
5.1.2. Confidentiality. Suzy shall ensure that all Suzy Data Personnel whom Suzy authorizes to Process Client Personal Data are subject to a duty of confidentiality (whether contractual or statutory).
5.1.3. Access. Suzy will reasonably limit Client Personal Data access to only those Data Personnel who require access to fulfill the Services or for the performance of their duties. Suzy will take reasonable steps to ensure: (a) Data Personnel are informed of the confidential nature and use restrictions of Client Personal Data; (b) Data Personnel are trained on Personal Data protection under Applicable Data Protection Laws; and (c) the reliability, integrity, and trustworthiness of, and conduct background checks consistent with applicable law on, Data Personnel with access to Client Personal Data.
5.1.4. Security measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Suzy shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Client Personal Data. Suzy shall, taking into account the nature of the Processing and the information available to Suzy, provide Client with reasonable cooperation and assistance where necessary for Client to comply with Client’s obligations pursuant to Article 32 of the GDPR or equivalent provision of Applicable Data Protection Law. Specific measures implemented by Suzy include, but are not limited to, those set forth at https://suzy.com/s/Suzy-Security-Measures.pdf (as may be updated by Suzy from time to time but in no event shall degrade the security of Client Personal Data) (“Security Measures”).
5.1.5. Record-keeping. Suzy shall maintain records required by Applicable Data Protection Law and information to demonstrate its compliance with this DPA during the term of this DPA and for one (1) year thereafter.
5.1.6. Third Party Risk Assessment. Upon Client’s written request, at reasonable intervals, to confirm compliance with this DPA, Applicable Data Protection Law, or industry standard, Suzy shall promptly and accurately respond to an information security questionnaire provided by Client, or a third party on Client’s behalf, regarding Suzy’s business practices and information technology environment in relation to Client Personal Data being handled and/or Services being provided pursuant to the Agreement. Client will treat the information provided by Suzy as Suzy’s Confidential Information.
5.1.7. Data Protection Impact Assessment. Upon Client’s written request, Suzy will assist Client as reasonably required where Client (i) conducts a data protection impact assessment involving the Services (which may include by provision of documentation to allow Client to conduct their own assessment); or (ii) is required to notify a Security Breach to a Supervisory Authority or a relevant Data Subject.
5.1.8. Audits. At least once every two years, Suzy will conduct site audits of its Personal Data Processing practices and the information technology and information security controls for its facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices. Upon Client’s written request, and no more than once annually, Suzy will make available to Client its most recent ISO 27001 certificate, SOC2 report, or other relevant documentation or information necessary and reasonably requested to demonstrate compliance with this DPA. Client acknowledges and agrees that all such documentation or reports constitute Confidential Information of Suzy’s.
5.1.9.Data Subject Requests. Unless Suzy is legally prohibited from doing so, Suzy will notify Client without undue delay if Suzy receives a Data Subject Request related to Client Personal Data that Suzy Processes on behalf of Client. However, Client acknowledges that Data Subjects (namely, respondents) implicated in the provisioning of Services often do not know the identity of Client. As such, the Parties agree that Suzy will facilitate Data Subject Requests related to the Agreement. Taking into account the nature of the Processing, and upon Suzy’s request, Client will assist Suzy, insofar as this is possible, in the fulfillment of or response to a Data Subject Request as required by Applicable Data Protection Law.
5.1.10. Regulator Correspondence. Suzy shall promptly notify Client on receipt of any Regulator Correspondence, unless Suzy is prohibited from doing so by applicable law. Suzy will not disclose any Client Personal Data in response to such Regulator Correspondence without first consulting with and obtaining Client’s authorization, unless legally compelled to do so. If a law enforcement agency or Supervisory Authority sends Suzy a demand for Client Personal Data (e.g., a subpoena or court order), Suzy will attempt to redirect the law enforcement agency or Supervisory Authority to request that data directly from Client. If compelled to disclose Client Personal Data to a law enforcement agency or Supervisory Authority, then Suzy will immediately notify Client of the demand to allow Client to seek a protective order or other appropriate remedy to the extent Suzy is legally permitted to do so.
5.1.11. Data Destruction. In the event of expiration or termination of the Agreement by either side or otherwise on written request from Client to legal@suzy.com, Suzy shall: (i) securely destroy all Client Assets and Client Personal Data (collectively, “Client Data”) in Suzy’s possession or control within 6 months and (ii) purge all Client Data from all Suzy and/or third party storage devices including backups within 12 months, unless Suzy is otherwise required to retain a category of data for longer periods. Where required by Applicable Data Protection Law and upon Client’s written request to legal@suzy.com, Suzy will (a) certify in writing that it has taken such measures, or (b) that it is not able to take such measures, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a timeline for destruction once the retention requirement ends. Client Data Processed with artificial intelligence-powered products and tools within Suzy’s Platform or Services is excluded from this Section insofar as consistent with Applicable Data Protection Law.
5.1.12. Prohibition on Sale. Suzy will not share or Sell Client Personal Data to another business, person, or third party, except for authorized Sub-Processors or as otherwise Instructed and then only for the purpose of providing the Services, or to the extent such disclosure is required by applicable law.
6.0. Sub-Processing
6.1 Authorization for Sub-processors. Client provides a general authorization for Suzy to engage the Sub-processors listed at https://suzy.com/subprocessor-list (“Subprocessor List”) in order to provide the Services, conditioned on the following:
6.1.1. Suzy will restrict the Sub-processor’s access to Client Personal Data only to what is necessary to provide the Services;
6.1.2. Suzy agrees to impose on the Sub-processor contractual data protection obligations, including appropriate technical and organizational measures, to protect Client Personal Data to the standard required by Applicable Data Protection Law and this DPA; and
6.1.3. Suzy will remain liable for any breach of this DPA that is caused by an act, error, or omission of its Sub-processors.
6.2 Notification of Changes to Subprocessor List. Client will fill out the form available at https://engage.suzy.com/suzy-subprocessor to receive notifications of updates or changes to the Subprocessor List. If Client subscribes to such notifications, Suzy will provide notice of any update or change to the Subprocessor List as soon as reasonably practicable, but no less than thirty (30) days prior to any such update or change. Client may object to Suzy’s appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is in writing to legal@suzy.com and based on reasonable grounds relating to data protection. In such an event, the parties agree to discuss commercially reasonable alternative solutions in good faith.
7.0. International Data Transfers
7.1. Depending on the scope of Services and/or locale of Client, Suzy may Process Client Personal Data on a global basis as necessary to provide the Services. Where applicable, Suzy will ensure Relevant Transfers comply with Applicable Data Protection Law. If so required, Suzy will not transfer Client Personal Data from the EEA, Switzerland, or the UK to any country or recipient not recognized as providing an adequate level of protection for Client Personal Data by the relevant Supervisory Authority unless Suzy first takes all necessary measures to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include transferring such data to a recipient that:
7.1.1. is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant Supervisory Authorities or courts as providing an adequate level of protection for Personal Data;
7.1.2. has achieved BCRs; or
7.1.3. has executed appropriate SCCs. Unless otherwise agreed in writing by the Parties, by executing the Agreement or an Order incorporating this DPA, Client is deemed to execute the SCCs as set out in full, which will have legally binding force on the Parties as follows:
(a) If Suzy Processes Client Personal Data related to EEA Data Subjects, the EEA Addendum as set out in Schedule 2 shall apply in addition to the DPA and is incorporated by reference into the SCCs;
(b) If Suzy Processes Client Personal Data related to Swiss Data Subjects, the Switzerland Addendum as set out in Schedule 3 shall apply in addition to the DPA and is incorporated by reference into the SCCs; and
(c) If Suzy Processes Client Personal Data related to UK Data Subjects, the UK Addendum as set out in Schedule 4 shall apply in addition to the DPA and is incorporated by reference into the SCCs.
7.2. If any Personal Data transfer between Client and Suzy requires separate execution of SCCs in order to comply with the Applicable Data Protection Laws, upon Client’s written request, Suzy will cooperate in good faith to do so and take all other actions required to legitimize the transfer, including, if necessary: (i) co-operating to register the SCCs with any Supervisory Authority; (ii) procuring approval from any such Supervisory Authority; or (iii) providing additional information about the transfer to such Supervisory Authority.
7.3 Each Party will only transfer Applicable Personal Data on to another country if the transfer complies with Applicable Data Protection Laws.
8.0. General Provisions
8.1. Termination. This DPA will terminate contemporaneously and automatically with the termination or expiration of the Agreement, subject to additional provisions in any Schedule attached hereto. If a change in any Applicable Data Protection Laws prevents either Party from fulfilling all or part of its obligations under this DPA, the Parties may suspend the Processing of Personal Data until that Processing complies with the new requirements.
8.2. Survival. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.
8.3. Modification. Notwithstanding anything to the contrary in the Agreement, Suzy may periodically make modifications to this DPA as may be required to comply with Applicable Data Protection Laws.
8.4. Conflicts and Interpretation. To the extent there is a conflict between: (1) this DPA and the Agreement, with respect to the subject matter of this DPA, the DPA takes precedence. To the extent the Agreement provides additional privacy, security, or confidentiality obligations for either Party, those obligations will apply in addition to the DPA; or (2) this DPA and any Schedule, the provision in the Schedule shall prevail; or (3) any provisions of Applicable Data Protection Laws, the more onerous applicable requirement or higher applicable standard shall prevail. Notwithstanding the foregoing, this DPA is to be read and interpreted in the light of the provisions of the Applicable Data Protection Laws and must not be interpreted in a way that runs counter to the rights and obligations provided for in Applicable Data Protection Laws, or in a way that prejudices the fundamental rights or freedoms of Data Subjects.
8.5. No further amendment. All terms and conditions in the Agreement save as amended herein remain in full force and effect and are binding upon the Parties.
SCHEDULE 1 – PROCESSING DETAILS
Data Exporter (where applicable)
● Name: Client
● Address: As specified in the Agreement
● Contact person’s name, position, and contact details: Contact details for the data exporter are specified in the Agreement.
● Data Protection Officer and/or Representative in the EU (if applicable): If applicable, Client’s DPO and/or Representative in the EU shall be shared in writing to Client’s Suzy Representative.
● Activities relevant to the data transferred: The data importer provides the Services to the data exporter in accordance with the Agreement.
Data Importer (where applicable)
● Name: Suzy
● Address: As specified in the Agreement
● Contact person’s name, position, and contact details: Privacy Counsel, legal@suzy.com
● Data Protection Officer and/or Representative in the EU (if applicable): If applicable, Suzy’s DPO and/or Representative in the EU shall be shared on the Suzy Trust Center.
● Activities relevant to the data transferred: The data importer provides the Services to the data exporter in accordance with the Agreement.
Purpose(s) of Processing
Delivering Services pursuant to the Agreement and as further Instructed by Client during the term of the Agreement.
Scope of Processing
As Processor, Suzy will Process Client Personal Data solely: (a) to fulfill its obligations to Client under the Agreement, as is necessary to provide the Services as Instructed; (b) on Client’s behalf;and (c) in compliance with Applicable Data Protection Law. Without limiting the foregoing, Client directs Suzy, and Suzy agrees, to Process Client Personal Data in accordance with Client’s Instructions.
Subject matter and nature of Processing
Market research and insights
Duration
The duration of the Processing described herein corresponds to the duration of the Agreement and the DPA.
Categories of Personal Data
The Processing of Personal Data comprises the categories of data listed at, and hyperlinked from within, https://suzy.com/s/Suzys-Roles-Data-Controller_Processorpptx.pdf (Suzy’s Roles).
The categories of data Suzy collects from users of the Suzy platform (i.e., Client’s employees) are detailed in Section 7 of the Suzy Privacy Policy: https://app.suzy.com/privacy-policy#7-what-personal-data-do-we-use.
The categories of data Suzy collects from Respondents are detailed in the Chart in Section 6 of our Crowdtap privacy policy: https://www.crowdtap.com/privacy-policy#6-what-personal-data-do-we-use
Special (or sensitive) categories of data may be Processed in the provisioning of Services, depending upon Client’s Instructions, and may include:
☒ Racial or ethnic origin
☒ Political opinion
☒ Religious or philosophical beliefs
☒ Trade union membership
☐ Genetic data
☒ Biometric data
☒ Health data
☒ A person’s sex life or sexual orientation
☐ Data relating to criminal convictions
Categories of Data Subjects
Data subjects may include:
☒ Natural persons who submit Personal Data via use of Suzy’s sites (including via online surveys on the Crowdtap platform);
☒ Natural persons who are employees, representatives, or other business contacts of Client and/or Client’s users who are authorized by the Client to access and use the Sites.
☐ Other (please specify)
Frequency of data transfer
☐ One-off
☒ Continuous, for the Term of the Agreement and DPA
Retention period
As stated in the Agreement and DPA, and thereafter only insofar as required in order to comply with applicable law, including Applicable Data Protection Law.
Specific Restrictions
The Processing of Client Personal Data shall be subject to the restrictions described in the Agreement and DPA.
SCHEDULE 2 - EEA ADDENDUM
1.0 Scope
1.1 This Schedule (also “EEA Addendum”) shall apply in the event that: (i) Suzy, as a Processor, Processes Client Personal Data in the course of providing the Services; and (ii) the Processing is subject to European Data Protection Law.
1.2 All terms used herein not defined in the DPA will have the meaning assigned to them in the applicable European Data Protection Law. All references to laws in the DPA shall be read in the context of EU or Member State law for the purpose of this EEA Addendum.
2.0. SCCs
2.1 If any of the SCCs in sections 2.2 through 2.4 are applicable, the Parties agree that:
2.1.1 Docking clause. The optional docking clause under Clause 7 shall not apply.
2.1.2 Redress. The optional clause under Clause 11 shall not apply.
2.1.3 Notification of Government Access Requests. The Parties agree that, for the purposes of Clause 15(1)(a), the notification of government access requests shall be carried out in accordance with the DPA.
2.1.4 Governing Law. The governing law for the purposes of Clause 17 shall be the law of Ireland.
2.1.5 Certification of Deletion. The Parties agree that the certification of deletion of Client Personal Data that is described in Clauses 8.5 and 16(d) shall be provided as set forth in the DPA.
2.1.6 Choice of forum and jurisdiction. For the purposes of Clause 18, any dispute arising from the SCCs shall be resolved by the courts of Ireland.
2.2 If applicable, the Parties agree that the SCCs (Controller-to-Controller) shall apply as follows: as described in 2.1 of this EEA Addendum.
2.3 If applicable, the Parties agree that the SCCs (Controller-to-Processor) and the SCCs (Processor-to-Processor) shall apply as follows, in addition to section 2.1 of this EEA Addendum:
2.2.1 Security of Processing. For the purposes of Clause 8.6(a), Client is solely responsible for making an independent determination as to whether the technical and organizational measures set forth in the Agreement and DPA meet Client’s requirements. For the purposes of Clause 8.6(c), Security Breaches will be handled in accordance with Section 3.3 of the DPA.
2.2.2 Use of Sub-processors. Option 2 under Clause 9 shall apply and the time period specified is thirty (30) days.
2.2.3 Data Subjects. The Parties agree that Suzy has been authorized, under Clause 10, to respond to Data Subject Requests as set forth in the DPA.
2.2.4 Liability. Suzy’s liability under Clause 12(b) of the Standard Contractual Clauses shall be limited to any damage caused by its Processing where Suzy has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of Client, as specified in Article 82 GDPR.
2.4 If applicable, the Parties agree that the SCCs (Processor-to-Controller) shall apply as follows: as described in 2.1 of this EEA Addendum.
2.5 Appendix. The Appendix shall be completed as follows:
2.5.1 Annex I.A. The contents of Schedule 1 to the DPA shall form Annex I.A.
2.5.1 Annex I.B. The contents of Schedule 1 to the DPA shall form Annex I.B.
2.5.2 Annex I.C. The competent Supervisory Authority shall be the Data Protection Commission - Ireland for the purposes of Annex I.C.
2.5.3 Annex II. The contents of the Security Measures and any security terms set forth in the Agreement shall form Annex II.
2.5.4 Annex III. The contents of the Subprocessor List shall form Annex III.
2.6 Alternative transfer mechanisms. The Parties agree that the data export solution identified herein will not apply if and to the extent that Suzy adopts an alternative data export solution for the lawful transfer of Client Personal Data (as recognized under European Data Protection Laws) outside of the EEA, in which event, Suzy shall take any action (which may include execution of documents) required to give effect to such solution and the alternative transfer mechanism will apply instead.
2.7 UK Addendum. The following language is inserted before the signatures for the SCCs: Where applicable, by signing we agree to be bound by the UK Addendum to the EU Commission Standard Contractual Clauses.
SCHEDULE 3 - SWITZERLAND ADDENDUM
1. Scope
1.1. This Schedule (the “Swiss Addendum”) applies to and is a part of EEA Addendum.
2. Applicable Terms
2.1. The Parties agree that the following provisions shall apply with respect to data transfers that are governed by the Federal Act on Data Protection (“FADP”), e.g., Personal Data transferred by a data exporter from Switzerland to a data importer outside of Switzerland (including Personal Data located in Switzerland that a data exporter makes accessible to the data importer) (the “Swiss Personal Information”):
2.1.1. the term “Personal Data” shall be deemed to include information relating to an identified or identifiable legal entity;
2.1.2. references to (articles in) the EU GDPR 2016/679 shall be deemed to refer to (respective articles in) the FADP;
2.1.3. reference to the competent Supervisory Authority in Annex I.C. under Clause 13 shall be deemed to refer to the Federal Data Protection and Information Commissioner (“FDPIC”);
2.1.4. references to Member State(s)/EU Member State(s) shall be deemed to include Switzerland;
2.1.5. reference to the European Union in Annex I(A) shall be deemed to include Switzerland; and
2.1.6. where the Clauses use terms that are defined in the EU GDPR 2016/679, those terms shall be deemed to have the meaning as the equivalent terms are defined in the FADP.
2.2. The list of Data Subjects and categories of data indicated in Annex I.B. to the Clauses shall not be deemed to restrict the application of the SCCs to the Swiss Personal Information.
SCHEDULE 4 - UK ADDENDUM
1. Scope
1.1 . This Schedule (the “UK Addendum”) shall apply in the event that: (i) Suzy, as Processor, Processes Client Personal Data in the course of providing the Services; and (ii) the Processing is subject to UK Data Protection Law.
1.2. All terms used herein not defined in the DPA will have the meaning assigned to them in the applicable UK Data Protection Law. All references to Data Protection Law or laws in the DPA shall be read in the context of English law for the purpose of this UK Addendum.
2. Tables
2.1. Table 1 (Parties). The contents of Schedule 1 to the DPA shall form Table 1.
2.1. Table 2 (Selected SCCs, Modules and Selected Clauses) shall be completed as follows: the second checkbox shall be selected with the modules, clauses, or optional provisions of the SCCs as set out in Schedule 2 (EEA Addendum) to the DPA.
2.2 Table 3 (Appendix Information) shall be completed as follows: the contents of Schedule 1 shall form Annex I.B; the contents of the Security Measures shall form Annex II; and the contents of the Subprocessor List shall form Annex III.
2.3 Table 4 (Ending this Addendum) shall be completed as follows: neither Party.
APPENDIX 1 TO UK ADDENDUM
Mandatory Clauses
Entering into this Addendum
Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
Addendum
This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs.
Addendum EU SCCs
The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2, including the Appendix Information.
Appendix Information
As set out in Table 3.
Appropriate Safeguards
The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR.
Approved Addendum
The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18.
Approved EU SCCs
The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
ICO
The Information Commissioner.
Restricted Transfer
A transfer which is covered by Chapter V of the UK GDPR.
UK
The United Kingdom of Great Britain and Northern Ireland.
UK Data Protection Laws
All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR
As defined in section 3 of the Data Protection Act 2018.
This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfills the Parties’ obligation to provide the Appropriate Safeguards.
If the provisions included in the Addendum EU SCCs amend the Approved SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
Hierarchy
Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
10. Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provides greater protection for data subjects, in which case those terms will override the Approved Addendum.
Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
(a) together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
(b) Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
(c) this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
(a) References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
(b) In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
(c) Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
(d) Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
(e) Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer;”
(f) References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
(g) References to Regulation (EU) 2018/1725 are removed;
(h) References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
(i) The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
(j) Clause 13(a) and Part C of Annex I are not used;
(k) The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
(l) In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
(m) Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
(n) Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
(o) The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
From time to time, the ICO may issue a revised Approved Addendum which:
(a) makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
(b) reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
(a) its direct costs of performing its obligations under the Addendum; and/or
(b) its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Date: 05-11-2023
Prior versions