DATA TRANSFER AGREEMENT
Data Transfer Agreement
This Data Transfer Agreement (“Data Transfer Agreement”) is by and between the entity named below (“Company”) the Dun & Bradstreet entity Company entered into an agreement(s) with (“D&B”) (hereinafter referred to as the “Agreement”). This Data Transfer Agreement is effective as of the date set forth below D&B’s signature (the “Effective Date”). Company and D&B may be sometimes referred to in this Data Transfer Agreement each individually as a “Party” or collectively as the “Parties”.
The Parties here to agree as follows:
Controller to Processor GDPR. Company warrants that to the extent D&B Personal Data subject to European Privacy Legislation, or any jurisdiction recognizing or otherwise permitting a data transfer mechanism materially comparable to the standard contractual clauses as an adequate data transfer mechanism including but not limited to the United Kingdom (UK) Standard Contractual Clauses or Singapore PDPA, is transferred to Company under any agreement between the Parties, such Personal Data will be used and Processed in accordance with the EU Data Standard Contractual Clauses, as set forth at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en (and additionally for the UK the Mandatory Clauses as laid out at international-data-transfer-addendum.pdf (ico.org.uk)) , or any future version of the EU Data Standard Contractual Clauses as required based on the nature of the agreement(s) under applicable law, which are incorporated herein by reference (the “Data Transfer Agreement”). D&B shall be the Controller and the data exporter, and Company shall be the Processor and data importer. The Data Transfer Agreement is governed by the laws of the Republic of Ireland or the UK (as applicable). The Supervisory Authority shall be the Irish Data Protection Commission or the UK Information Commissioner’s Office (as applicable). For the purpose of Appendix 1 to the Data Transfer Agreement: (1) the use of sub-processors shall be in accordance with specific prior authorization as set forth in Agreement (2) the data subjects are those individuals whose Personal Data is provided to Company in accordance with the Agreement and/or SOW between the Parties; (3) the categories of data are the categories of Personal Data provided to Company in accordance with the Agreement and/or SOW between the Parties; (4) the special or sensitive categories of data (if any) to be Processed as defined by European Privacy Legislation are set forth in the Agreement and/or SOW between the Parties; (5) the frequency of the transfer shall be continuous; (6) the Processing operations to be performed are as specified in the Agreement and/or SOW between the Parties (7) the purpose of the transfer shall be for D&B to obtain the benefit of the Services under the Agreement (8) the transfer of Personal Data to sub-processors, if any, shall be for the purpose of providing the Services to D&B under the Agreement. For the purpose of Appendix 2 to the Data Transfer Agreement, the description of the technical and organizational security measures implemented by the data importer in accordance with EU Data Standard Contractual Clauses 4(d) and 5(c) are stated in the Agreement between the Parties. The contact points for data protection queries are the parties’ contacts for matters under this the Agreement between the Parties. To the extent the terms of the Data Transfer Agreement conflict with other terms of the Agreement between the Parties, the terms of the Data Transfer Agreement will control. “PDPA” means the Singapore Personal Data Protection Act 2012 (No. 26 of 2012), as amended, including implementing regulations. “Personal Data” shall have the meaning afforded to it under European Privacy Legislation. “European Privacy Legislation” means European Union Regulation 2016/679, UK GDPR and any other applicable European data protection legislation including implementing legislation, guidelines and industry standards from time-to-time in force in a relevant jurisdiction, relating to the use and Processing of Personal Data in that jurisdiction. “Controller” shall have the meaning afforded to it under European Privacy Legislation. “Process,” “Processed” or “Processing” means any operation, or set of operations, which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, use, disclosure by transmission, or otherwise making available, alignment or combination, return or destruction. “Processor” shall have the meaning afforded to it under European Privacy Legislation.
Controller to Controller GDPR. D&B warrants that to the extent Company Personal Data subject to European Privacy Legislation, or any jurisdiction recognizing or otherwise permitting a data transfer mechanism materially comparable to the standard contractual clauses as an adequate data transfer mechanism including but not limited to the United Kingdom (UK) Standard Contractual Clauses or Singapore PDPA, is transferred to D&B under any agreement between the Parties, such Personal Data will be used and Processed in accordance with the EU Data Standard Contractual Clauses, as set forth at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en (and additionally for the UK the Mandatory Clauses as laid out at international-data-transfer-addendum.pdf (ico.org.uk)), or any future version of the EU Data Standard Contractual Clauses as required based on the nature of the agreement(s) under applicable law, which are incorporated herein by reference (the “Data Transfer Agreement”). Company shall be the Controller and the data exporter, and D&B shall be the Controller and data importer. The Data Transfer Agreement is governed by the laws of the Republic of Ireland or UK (as applicable). The Supervisory Authority shall be the Irish Data Protection Commission or the UK Information Commissioner’s Office (as applicable). For the purpose of Appendix 1 to the Data Transfer Agreement: (1) the data subjects are those individuals whose Personal Data is provided to D&B in accordance with the Agreement and/or SOW between the Parties; (2) the categories of data are the categories of Personal Data provided to D&B in accordance with the Agreement and/or SOW between the Parties; (3) the special or sensitive categories of data (if any) to be Processed as defined by European Privacy Legislation are set forth in the Agreement and/or SOW between the Parties; (5) the frequency of the transfer shall be as set forth in the Agreement; (6) the Processing operations to be performed are as specified in the Agreement and/or SOW between the Parties (7) the purpose of the transfer shall be for D&B to obtain the benefit of the Services under the Agreement. For the purpose of Appendix 2 to the Data Transfer Agreement, the description of the technical and organizational security measures implemented by the data importer in accordance with EU Data Standard Contractual Clauses 4(d) and 5(c) are stated in the Agreement between the Parties. The contact points for data protection queries are the parties’ contacts for matters under this the Agreement between the Parties. To the extent the terms of the Data Transfer Agreement conflict with other terms of the Agreement between the Parties, the terms of the Data Transfer Agreement will control.
Processor to Processor GDPR. Company warrants that to the extent D&B Customer Personal Data subject to European Privacy Legislation, or any jurisdiction recognizing or otherwise permitting a data transfer mechanism materially comparable to the standard contractual clauses as an adequate data transfer mechanism including but not limited to the United Kingdom (UK) Standard Contractual Clauses or Singapore PDPA, is transferred to Company under any agreement between the Parties, such Personal Data will be used and Processed in accordance with the EU Data Standard Contractual Clauses, as set forth at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en, (and additionally for the UK the Mandatory Clauses as laid out at international-data-transfer-addendum.pdf (ico.org.uk)) or any future version of the EU Data Standard Contractual Clauses as required based on the nature of the agreement(s) under applicable law, which are incorporated herein by reference (the “Data Transfer Agreement”). D&B shall be the Processor and the data exporter, and Company shall be the Processor and data importer. The Data Transfer Agreement is governed by the laws of the Republic of Ireland or the UK (as applicable). The Supervisory Authority shall be the Irish Data Protection Commission or the UK Information Commissioner’s Office (as applicable). For the purpose of Appendix 1 to the Data Transfer Agreement: (1) the use of sub-processors shall be in accordance with specific prior authorization as set forth in the Agreement (2) the data subjects are those individuals whose Personal Data is provided to Company in accordance with the Agreement and/or SOW between the Parties; (3) the categories of data are the categories of Personal Data provided to Company in accordance with the Agreement and/or SOW between the Parties; (4) the special or sensitive categories of data (if any) to be Processed as defined by European Privacy Legislation are set forth in the Agreement and/or SOW between the Parties; (5) the frequency of the transfer shall be continuous; (6) the Processing operations to be performed are as specified in the Agreement and/or SOW between the Parties (7) importer may process exporter’s personal data as a Processor to support the Exporter in the context of providing and/or supporting internal business operations, business decisioning data, analytics, and services to its Customers, in the areas of third party risk management and compliance, supplier management, commercial credit, and sales and marketing activities (8) the transfer of Personal Data to sub-processors, if any, shall be to support the Exporter in the context of providing and/or supporting internal business operations, business decisioning data, analytics, and services to its Customers, in the areas of third party risk management and compliance, supplier management, commercial credit, and sales and marketing activities. For the purpose of Appendix 2 to the Data Transfer Agreement, the description of the technical and organizational security measures implemented by the data importer in accordance with EU Data Standard Contractual Clauses 4(d) and 5(c) are stated in the Agreement between the Parties. The contact points for data protection queries are the parties’ contacts for matters under this the Agreement between the Parties. To the extent the terms of the Data Transfer Agreement conflict with other terms of the Agreement between the Parties, the terms of the Data Transfer Agreement will control. “D&B Customer Data” shall solely apply to data provided by D&B’s customer as the controller to D&B as the processor for the limited purpose of supporting the customer in the context of providing and/or supporting internal business operations, business decisioning data, analytics, and services in the areas of third party risk management and compliance, supplier management, commercial credit, and sales and marketing activities.
All other terms and conditions in the Agreement between the Parties shall remain in full force and effect. Any amendments of or waivers relating to this Data Transfer Agreement must be in writing signed by the party, or parties, to be charged therewith, provided that in no event shall any terms or conditions included on any form of purchase orders, invoices, or electronic documents (except as expressly identified in the Agreement between the Parties or this Data Transfer Agreement), apply to the relationship between D&B and Company hereunder. In the event of a conflict between the Agreement between the Parties and this Data Transfer Agreement, this Data Transfer Agreement shall prevail.