
Data Protection Agreement

Date of Last Revision: 14th Dec 2020

This Data Protection Agreement (“DPA”) becomes effective upon the acceptance of the Terms of Service.
Customer shall make available to Sinch and Customer authorizes Sinch to process information including personal data for the provision of the Services under the Service Agreement (hereinafter “SA”). The parties have agreed to enter into this DPA to confirm the data protection provisions relating to their relationship and so as to meet the requirements of applicable Data Protection Legislation.

1. DEFINITIONS

1.1 For the purposes of this DPA:

“Data Protection Legislation” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to the Customer, including without limitation General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 94/46/RC) (hereinafter “GDPR”) and any amendments, replacements or renewals thereof all binding national laws implementing the EU Legislation and other binding data protection or data security directives, laws, regulations and rulings valid at the given time including any guidance and codes of practices issued by the applicable supervisory authority;

“Personal Data” means any information relating to an identified or identifiable natural person (“data subject” or “individual” ); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

“(Data) Processing” means any operation or set of operations performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“Special Categories of Personal Data” means information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, data concerning a natural person’s sex life or sexual orientation or any other special category of data as is indicated within the deviations in Appendix 2 Deviations based on applicable National legislation or in the Service Order or Service Specification;

“Technical and organisational measures” or TOMs means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. This includes the agreed applicable security requirements and security instructions and their updates applicable at each time and described in Appendix 1 Technical and organisational measures to this DPA or in the Service Order or Service Specification;

The terms “data controller” and “data processor”, shall have the meanings given to them under the GDPR.

1.2 Capitalized terms used and not defined in this DPA have the meanings given to such terms in the SA.

2. ROLE OF THE PARTIES

The Parties understand that for the provision of the Services a distinction is made between two types of processing of personal data:

(i) the provision of the services (i.e. the database of call data records and the logs created and managed by Sinch on behalf and under the supervision of Customer) for which Sinch will act as a data processor and agrees to comply with the respective obligations set out in this DPA, and

(ii) the transmission of messages (i.e. A2P SMS) by Sinch and other Service Providers for which Sinch will act as a data controller and agrees to comply with the respective obligations set out in clause 14.

3. SUBJECT MATTER, NATURE AND PURPOSE OF SINCH’S PROCESSING OF PERSONAL DATA

3.1 The subject matter, nature and purpose of the processing of personal data under this DPA is Sinch performance of the Services pursuant to the SA and as further instructed by the Customer in its use of the Services (“Instructions”), unless required to do so otherwise by Data Protection Legislation and/or Relevant Laws. In such case (and if, to the extent permitted by Data Protection Legislation and/or Relevant Laws), Sinch shall inform the Customer of this legal requirement prior to carrying out the processing.

3.2 Instructions of the Customer shall be in written form (including, but not limited to, email) or can be given through settings and use of Sinch’s portal(s) and/or software. In exceptional cases, Instructions may be given orally by the Customer. Such oral Instructions will be confirmed by the authorized person of Customer in writing or per email (in text form).

4. INTERNATIONAL TRANSFER

4.1 Sinch shall process personal data originating from and sent to a country located in the EU/EEA or Switzerland solely in countries situated in the EU/EEA or Switzerland and not cause any cross border transfer of personal data from a country situated in the EU/EEA or Switzerland to any country situated outside the EU/EEA or Switzerland unless personal data is transferred to a country approved by the European Commission as providing an adequate level of protection for personal data, the transfer is made pursuant to European Commission approved Standard Contractual Clauses for the transfer of Personal Data. Customer provides a power of attorney for Sinch to enter into any such European Commission approved standard contractual clauses with a Sub-processor approved as set out in clause 10 in the name and on behalf of the Customer.

4.2 In case that European Commission approved standard contractual clauses are concluded between Sinch and the Customer, the following applies until a competent Member State supervisory authority, or an EU or competent Member State court approves a different lawful transfer mechanism that would be applicable to the data transfers covered by the Standard Contractual Clauses (in case if such mechanism applies only to some of the data transfers, the following clauses will remain applicable for the transfers that cannot be covered by this new lawful transfer mechanism):

(i) Rights granted to data subjects under this DPA and the European Standard Contractual Clauses may be enforced by the data subject against Sinch irrespective of any restriction in Clauses 3 or 6 of the Standard Contractual Clauses. The data subject may only bring a claim under this DPA and the European Standard Contractual Clauses on an individual basis, and not part of a class, collective, group or representative action. Rights granted to data subjects under this DPA and the European Standard Contractual Clauses are personal to the data subject and may not be assigned.

(ii) In addition to Clause 5(b) of the Standard Contractual Clauses, Sinch agrees that it, at the time of concluding this SA, has no reason to believe that the legislation applicable to it or its sub-processors, including in any country to which personal data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from the customer and its obligations under the Standard Contractual Clauses and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Standard Contractual Clauses, it will notify the change to Customer as soon as it is aware, in which case Customer is entitled to suspend the transfer of data and/or terminate the contract.

(iii) For purpose of this section, lawful efforts do not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction:
– In case Sinch receives an order from any third party for compelled disclosure of any personal data that has been transferred under the Standard Contractual Clauses, Sinch will, where possible, redirect the third party to request data directly from Customer.
– In case Sinch receives an order from any third party for compelled disclosure of any personal data that has been transferred under the Standard Contractual Clauses, use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with the law of the European Union or applicable Member State law.

5. DURATION

5.1 Sinch shall only collect or process personal data for the duration of the SA to the extent, and in such a manner, as is necessary for provision of the Services and in accordance with the SA and Data Protection Legislation applicable to Sinch in its role as data processor.

5.2 The processing of personal data will be carried out by Sinch after the SA necessary to fulfil the obligations in this DPA or when necessary due to mandatory law unless otherwise agreed upon in writing.

6. TYPE OF PERSONAL DATA PROCESSED

The following Categories of personal data may be processed to deliver the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to the following categories of personal data:

  • Contact information (company, email, phone, physical address)
  • First and last name
  • ID data
  • Title
  • Position
  • Employer
  • Connection data
  • Localisation data
  • Other data as is defined within the SA as agreed upon between parties.

7. TYPE OF DATA SUBJECTS

The Customer may submit personal data to the Services, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:

  • Customers, business partners and vendors of the Customer (who are natural persons)
  • Employees of contact persons of the Customer’s customers, business partners and vendors
  • Employees, agents, advisors, freelancers of the Customer (who are natural persons)
  • Customer’s Service user including any user of the Services, which Customer permits using the Services

8. TECHNICAL AND ORGANISATIONAL MEASURES

Sinch has implemented and maintains appropriate technical and organizational measures (to act in accordance with Relevant Laws, for example but not limited to Article 28, 3 (c) and Article 32 in particular in relation with Article 5, 1 and 2 GDPR). Such measures include but are not limited to physical and IT measures, and organizational measures to protect personal data processed against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. Such measures are described in Appendix 1 Technical and Organisational Measures.

9. QUALITY ASSURANCES AND OTHER DUTIES OF SINCH

9.1 Sinch shall comply with the mandatory requirements referred to in Articles 28 to 33 GDPR, and ensures in particular compliance with the following requirements:

  1. Appoint a data protection officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR. The data protection officer’s contact details are available at Sinch web page. If Sinch contracting party is not established in the European Union, Sinch will appoint a responsible contact person in the European Union and/or a data protection officer in accordance with Data Protection Legislation.
  2. Confidentiality in accordance with Article 28, 3 (b), Articles 29 and 32 (4) GDPR. Sinch entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. Sinch and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Customer, which includes the powers granted in this Amendment, unless required to do so by Data Protection Legislation.
  3. At the Customer’s cost and expense and taking into account the nature of the processing and the information available to Sinch, provide such information and assistance as the Customer may reasonably require and within the timescales reasonably specified by the Customer to assist the Customer to comply with its obligations under applicable Data Protection Legislation which may include assisting the Customer to:
    1. notify the Customer of any request Sinch receives for a data subject relating to personal data processed;
    2. comply with its security obligations;
    3. discharge its obligations to respond to requests relating to the exercise of Data Subject rights including right of access, right to rectification, right to erasure (“right to be forgotten”), right to restriction of processing (to the extent that personal data is not accessible to the Customer through the Services); carry out Data Protection Impact Assessment and audit Data Protection Impact Assessment compliance and consult with the supervisory authority;
    4. following Data Protection Impact Assessment.
  4. For purpose of this section, lawful efforts do not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction:
  5. Unless prohibited by applicable law or a legally binding request of law enforcement, Sinch shall promptly notify the Customer of any request by, any government official, data protection supervisory authority or law enforcement authority in respect of any personal data, and, if prohibited from notifying Customer, Sinch will use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to Customer as soon as possible;
  6. Sinch shall periodically monitor the internal processes and the TOMs to ensure that processing within Sinch area of responsibility is in accordance with the requirements of Data Protection Legislation and the protection of the rights of the data subject.

10. SUB-PROCESSORS

10.1 The Customer agrees that Sinch may engage Sinch Affiliate or third parties to process personal data in order to assist Sinch to deliver the Services on behalf of the Customer (“Sub-processors”). Sinch has or will enter into written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the Services provided by such Sub-processor. If the Sub-processor processes the Services outside the EU/EEA, Sinch shall ensure that the transfer is made pursuant to European Commission approved standard contractual clauses for the transfer of Personal Data which the Customer authorizes Sinch to enter into on its behalf, or that other appropriate legal data transfer mechanisms are used. When required by law, Sinch shall conclude additional agreements (for example, but not limited to, Business Associates Agreements as is required by HIPAA and/or HITECH).

10.2 The current Sub-processors for the Services are set out at https://www.sinch.com/data-protection-agreement/sub-processors/ (“Sub-processor List”) and the Customer agrees and approves that Sinch has engaged such Sub-processors to process personal data as set out in the list. The Customer may find at https://www.sinch.com/data-protection-agreement/sub-processors/ a mechanism to subscribe to notifications of new Sub-processors for each applicable Service, to which Customer shall subscribe, and if the Customer subscribes, Sinch shall provide notification of a new Sub-processor(s) before authorising any new Sub-processor(s) to process personal data in connection with the provision of the applicable Service.

10.3 Sinch shall notify the Customer, in accordance with the mechanism set out in clause 10.2, thirty (30) days in advance of any intended changes concerning the addition or replacement of any Sub-processor during which period the Customer may raise objections to the Sub-processor’s appointment. Any objections must be raised promptly (and in any event no later than fourteen (14) days following Sinch’s notification of the intended changes). Should Sinch choose to retain the objected to Sub-processor, Sinch will notify the Customer at least fourteen (14) days before authorising the Sub-processor to process personal data and then the Customer may immediately discontinue using the relevant portion of the Services and may terminate the relevant portion of the Services. Sinch will refund the Customer any prepaid fees covering the remainder of the term of such relevant portion of the Service following the effective date of termination and there will be no penalty on either party.

10.4 For the avoidance of doubt, where any Sub-processor fails to fulfil its obligations under any sub-processing agreement or under applicable law Sinch will remain fully liable to the Customer for the fulfilment of its obligations under this DPA.

11. AUDITS AND INSPECTIONS

In the event that the Customer, a Regulator or data protection authority requires additional information or an audit related to the Services, then, Sinch agrees to submit its data processing facilities, data files and documentation needed for processing personal data to audit by the Customer (or any third party such as inspection agents or auditors, selected by Customer) to ascertain compliance with this DPA, subject to being given reasonable notice and compliance with Sinch’s Technical and organisational measures and the auditor entering into a non-disclosure agreement directly with Sinch. Sinch agrees to provide reasonable cooperation to Customer in the course of such operations including providing all relevant information and access to all equipment, software, data, files, information systems, etc., used for the performance of Services, including processing of personal data. Such audits shall be carried out at the Customer’s cost and expense.

12. NOTIFICATION OF A DATA BREACH

12.1 In the event of Sinch becoming aware of any breach of security that results in the accidental, unauthorised or unlawful destruction or unauthorised disclosure of or access to personal data Sinch shall, among other things:

  1. Notify the Customer in writing immediately but not later than 72 hours after becoming aware of the personal data breach;
  2. Assist the Customer with regard to the Customer’s obligation to provide information to the data subject and to provide the Customer with relevant information in this regard;
  3. Support the Customer in consultations with data protection authority.

12.2 To the extent legally possible, Sinch may claim compensation for support services under this clause 12 which are not attributable to personal data breaches caused by Sinch.

13. DELETION AND RETURN OF PERSONAL DATA

13.1 Sinch is obliged to erase personal data as stipulated in the SA and in accordance with the Data Protection Legislation and/or Relevant Laws.

13.2 Customer has the right to request execution of the rights and obligations described in clause 13.1 during the duration of the entire DPA.

13.3 Statutory retention obligations or contractual obligations towards Service Providers of Sinch (for example but not limited to operators) remain unaffected by the above provisions. Documentation serving as evidence for an orderly data processing in accordance with the provisions of the DPA shall be retained by Sinch after termination of the DPA according to Data Protection Legislation and/or Relevant Laws.

14. SINCH’S OBLIGATIONS AS DATA CONTROLLER

In situations where Sinch will act as a data controller, it undertakes to comply with its obligations under applicable Data Protection Legislation in respect of any personal data processed under the SA. It shall process such personal data in connection with the transmission of messages and to fulfil its associated obligations under the SA or as may be required by law, court order or any government or regulatory authority and in accordance with its privacy policy which is available at https://www.sinch.com/privacy-policy/ as amended from time to time, if necessary.

15. CUSTOMER’S OBLIGATIONS

The Customer shall comply at all times with applicable Data Protection Legislation in relation to the processing of personal data in connection with the SA and the Services. The Customer shall inform Sinch in writing in case additional legislation is applicable on the Processing of Personal Data other than the legislation of the country where the Customer is established.

16. LIMITATION OF LIABILITY

16.1 Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the SA, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the SA and this DPA.

16.2 Clause 16.1 shall not apply if the damage has been caused by the incorrect implementation of the commissioned service by the Customer or by an instruction given by the Customer. In such case, Customer will be liable for such damage.

17. MISCELLANEOUS

17.1 The DPA forms an integral part of the SA between Customer and Sinch. In case of conflict between the mandatory provisions in the European Standard Contractual Clauses and this DPA, the European Standard Contractual Clauses shall prevail. In case of other conflicts between other documents (including in case of conflict between the SA and this DPA), the DPA will prevail.

17.2 Should any provision of this DPA be or become invalid or contain a gap, the remaining provisions shall remain unaffected. Customer and Sinch undertake to replace the invalid provision with legally valid provisions which come the closest to the interest of the invalid provision respectively fills out the gap.

APPENDIX 1 TO THE DATA PROTECTION AGREEMENT – TECHNICAL AND ORGANISATIONAL MEASURES

Sinch shall implement the measures described in this appendix, provided that the measures directly or indirectly contribute or can contribute to the protection of personal data under the SA concluded between the Parties for the processing of data. The technical and organisational measures that are implemented by Sinch are based on the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing and the likelihood and severity of the risk to rights and freedoms of individuals hold true. The Technical and Organisational Measures are subject to technical progress and development. In this respect Sinch is permitted to implement alternative adequate measures. The level of security must align with industry security best practice and not less than, the measures set forth herein. All major changes are to be agreed with the Customer and documented.

The Technical and Organisational Measures as are included within this Appendix are measures that are applicable on the Service(s) provided by Sinch. If necessary, for the Service, Sinch may include further Technical and Organisational measures in the Service Order or Service Specification.


1. Risk management
        1.1. Security risk management
                a. Sinch shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk.
                b. Sinch shall have documented processes and routines for handling risks within its operations.
                c. Sinch shall periodically assess the risks related to information systems and processing, storing and transmitting information.

        1.2. Security risk management for personal data
                a. Sinch shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk of the specific personal data types and purposes being processed by Sinch, including inter alia as appropriate:
                        (i) The pseudonymization and encryption of personal data
                        (ii) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
                        (iii) The ability to restore the availability and access to the Customer’s Data in a timely manner in the event of a physical or technical incident
                        (iv) A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
                b. Sinch shall have documented processes and routines for handling risks when processing personal data on behalf of the Customer.
                c. Sinch shall periodically assess the risks related to information systems and processing, storing and transmitting personal data.

2. Information security policies
        2.1. Sinch shall have a defined and documented information security management system (ISMS) including an information security policy and procedures in place, which shall be approved by Sinch’s management. They shall be published within Sinch’s organization and communicated to relevant Sinch Personnel.
        2.2. Sinch shall periodically review Sinch’s security policies and procedures and update them if required to ensure their compliance with the Security Directives.

3. Organization of information security
        3.1. Sinch shall have defined and documented security roles and responsibilities within its organization.
        3.2. Sinch shall appoint at least one data protection officer who has appropriate security competence and who has an overall responsibility for implementing the security measures under the Security Directives and who will be the contact person for the Customer’s security staff.

4. Human resource security
        4.1. Sinch shall ensure that Sinch personnel handles information in accordance with the level of confidentiality required under the SA.
        4.2. Sinch shall ensure that relevant Sinch personnel is aware of the approved use (including use restrictions as the case may be) of information, facilities and systems under the SA.
        4.3. Sinch shall ensure that any Sinch personnel performing assignments under the SA is trustworthy, meets established security criteria and has been, and during the term of the assignment will continue to be, subject to appropriate screening and background verification.
        4.4. Sinch shall ensure that Sinch personnel with security responsibilities is adequately trained to carry out security related duties.
        4.5. Sinch shall provide or ensure periodical security awareness training to relevant Sinch personnel. Such Sinch training shall include, without limitation:
                a. How to handle customer information security (i.e. the protection of the confidentiality, integrity and availability of information);
                b. Why information security is needed to protect customers information and systems;
                c. The common types of security threats (such as identity theft, malware, hacking, information leakage and insider threat);
                d. The importance of complying with information security policies and applying associated standards/procedures;
                e. Personal responsibility for information security (such as protecting customer’s privacy-related information and reporting actual and suspected data breaches).

5. Access control
        5.1. Sinch shall have a defined and documented access control policy for facilities, sites, network, system, application and information/data access (including physical, logical and remote access controls), an authorization process for user access and privileges, procedures for revoking access rights and an acceptable use of access privileges for Sinch personnel in place.
        5.2. Sinch shall have a formal and documented user registration and de-registration process implemented to enable assignment of access rights.
        5.3. Sinch shall assign all access privileges based on the principle of need-to-know and principle of least privilege.
        5.4. Sinch shall use strong authentication (multi-factor) for remote access users and users connecting from untrusted network.
        5.5. Sinch shall ensure that Sinch Personnel has a personal and unique identifier (user ID), and use an appropriate authentication technique, which confirms and ensures the identity of users.

6. Cryptography
        6.1. Sinch shall ensure proper and effective use of cryptography on information classified as confidential and secret (such as personal data).
        6.2. Sinch shall protect cryptographic keys.

7. Physical and environmental security
        7.1. Sinch shall protect information processing facilities against external and environmental threats and hazards, including power/cabling failures and other disruptions caused by failures in supporting utilities. This includes physical perimeter and access protection.
        7.2. Sinch shall protect goods received or sent on behalf of the Customer from theft, manipulation and destruction.

8. Admission to the Customer’s premises and the Customer’s leased premises
        8.1. Sinch’s admission to the Customer’s premises and property (such as datacentre buildings, office buildings, technical sites) is subject to the following:
                a. Sinch shall follow local regulations (such as regulations for “restricted areas”) for the Customer’s premises when performing the assignments under the SA.
                b. Sinch Personnel shall carry ID card or a visitor’s badge visible at all time when working within the Customer’s premises.
                c. After completing the assignment, or when Sinch personnel is transferred to other tasks, Sinch shall without delay inform the Customer of the change and return any keys, key cards, certificates, visitor’s badges and similar items.
                d. Keys or key cards shall be personally signed for by Sinch personnel and shall be handled according to the written rules given upon receipt.
                e. Loss of the Customer’s key or key card shall be reported without delay to the Customer.
                f. Photographing in or at the Customer’s premises without permission is prohibited.
                g. The Customer’s goods shall not be removed from the Customer’s premises without permission.
                h. Sinch Personnel shall not allow unauthorized persons access to the premises.

9. Operations security
        9.1. Sinch shall have an established change management system in place for making changes to business processes, information processing facilities and systems. The change management system shall include tests and reviews before changes are implemented, such as procedures to handle urgent changes, roll back procedures to recover from failed changes, logs that show what has been changed, when and by whom.
        9.2. Sinch shall implement malware protection to ensure that any software used for Sinch’s provision of the Services to the Customer is protected from malware.
        9.3. Sinch shall make backup copies of critical information and test back-up copies to ensure that the information can be restored as agreed with the Customer.
        9.4. Sinch shall log and monitor activities, such as creation, reading, copying, amendment and deletion of processed data, as well as exceptions, faults and information security events and regularly review these. Furthermore, Sinch shall protect and store (for at least 6 months or such period/s set by Data Protection Legislation) log information, and on request, deliver monitoring data to the Customer. Anomalies / incidents / indicators of compromise shall be reported according to the data breach management requirements as set out in clause 13, below.
        9.5. Sinch shall manage vulnerabilities of all relevant technologies such as operating systems, databases, applications proactively and in a timely manner.
        9.6. Sinch shall establish security baselines (hardening) for all relevant technologies such as operating systems, databases, applications.
        9.7. Sinch shall ensure development is segregated from test and production environments.

10. Communications security
Sinch shall implement network security controls such as service level, firewalling and segregation to protect information systems.

11. System acquisition, development and maintenance (when software development or system development is provided to the Customer by Sinch)
        11.1. Sinch shall implement rules for development lifecycle of software and systems including change and review procedures.
        11.2. Sinch shall test security functionality during development in a controlled environment.

12. Sinch relationship with sub-suppliers
        12.1. Sinch shall reflect the content of these Security Directives in its SAs with Sub-processors that perform tasks assigned under the SA.
        12.2. Sinch shall regularly monitor, review and audit Sub-processor’s compliance with the Security Directives.
        12.3. Sinch shall, at the request of the Customer, provide the Customer with evidence regarding Sub-processor’s compliance with the Security Directives.

13. Data breach management
        13.1. Sinch shall have established procedures for data breach management.
        13.2. Sinch shall inform the Customer about any data breach (including but not limited to incidents in relation to the processing of personal data) as soon as possible but no later than within 36 hours after the data breach has been identified.
        13.3. All reporting of security related incidents shall be treated as confidential information and be encrypted, using industry standard encryption methods.
        13.4. The data breach report shall contain at least the following information:
                a. The nature of the data breach,
                b. The nature of the personal data affected,
                c. The categories and number of data subjects concerned,
                d. The number of personal data records concerned,
                e. Measures taken to address the data breach,
                f. The possible consequences and adverse effect of the data breach, and
                g. Any other information the Customer is required to report to the relevant regulator or data subject.
        13.5. To the extent legally possible, Sinch may claim compensation for support services under this clause 13 which are not attributable to failures on the part of Sinch.

14. Business continuity management
        14.1. Sinch shall identify business continuity risks and take necessary actions to control and mitigate such risks.
        14.2. Sinch shall have documented processes and routines for handling business continuity.
        14.3. Sinch shall ensure that information security is embedded into the business continuity plans.
        14.4. Sinch shall periodically assess the efficiency of its business continuity management, and compliance with availability requirements (if any).

APPENDIX 2 TO THE DATA PROTECTION AGREEMENT – DEVIATIONS BASED ON APPLICABLE NATIONAL LEGISLATION

1. Spain
In case the Controller/Processor is situated in Spain, the technical and organizational measures to be taken by the Processor are subject to the Spanish data protection laws. In this case, the preamble of Appendix 1 of this DPA shall be complemented as follows:
“The Processor shall make sure that the following technical and organizational measures are in compliance with the “high level security” measures according to Spanish Royal Decree 1720/2007 Title VIII, Art. 80 ff. Processor shall implement in particular the requirements of section three (Art. 89 ff.) of Spanish Royal Decree 1720/2007, in case the requirements in this Appendix 1 are not in compliance with these requirements. In such case, Processor shall inform Controller and submit any amendments or deviations from this Appendix 1 it deems necessary for a prior approval by the Controller.”

2. Canada
The definition “Special Categories of Personal Data” in Clause 1 of this DPA shall be amended as follows:
“Special Categories of Personal Data” shall mean information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life or any other personal that may be considered as sensitive data based on applicable legislation.”

In addition to what is agreed upon in this DPA, the following is applicable concerning the transfer of Data:
Controller acknowledges that Processor may transfer, store, and process Personal Data to territories outside of Canada, where it will be subject to the laws of the foreign jurisdictions in which it is held. Processor shall not, and shall make sure that any Affiliate or any third party with whom it contracts to Process Personal Data on its behalf in connection with the relevant Service(s) shall not:
• transfer Personal Data to a territory outside of Canada except on terms substantially similar to terms herein, which are agreed to prior to such transfer; or
• operate in relation to that Personal Data in any way which will put Controller in breach of its obligations under applicable privacy laws.

In addition to what is agreed upon in this DPA:
Controller acknowledges that it possesses all necessary consents and legal authority from data subjects that would allow Processor to process the data.

In addition to what is agreed upon in Section 7 of this DPA:
Parties will also cooperate with respect to any data breach notifications to Canadian regulatory authorities, individuals and other organizations that are required by law or otherwise advisable in the Controller’s sole discretion.

Without limiting the terms and conditions of the DPA for Canada and the SA as far as it is applicable on Canada, the following apply:
“Processor will comply with all Canadian federal and provincial privacy and anti-spam legislation applicable to Controller and Processor in the course of processing any Data in connection with the Services, including all applicable notice, consent, content and unsubscribe requirements in connection with the sending of electronic messages and the installation of computer programs on another person’s device.
Processor will provide that access to the Data is limited only to those employees and authorized agents of Processor who need to have access to the Data solely for the purposes of Processor rendering the Services.”

3. Australia
Following the Australian Data Protection guidelines (Australian Privacy Principles; APP) from Schedule 1 of the “Privacy Amendment (Enhancing Privacy Protection) Act 2012” and any other document which is a Supplement to the “Privacy Act 1988”, the following is applicable on the processing of personal data:

(i) “Controller” means a person who, alone or together with other persons, establishes the purposes and the manner of processing personal data; and “Processor” means any person (other than an employee of the Controller) who, on behalf of the Controller, processes personal data.
(ii) The definition “Special Categories of Personal Data” in Clause 1 of this DPA shall also include credit information, tax file number information and employee records.
(iii) Where a Controller or its Authorized Users in Australia intend to collect Personal Data in the Cloud Service, the Controller undertakes to obtain the prior consent of each Data Subject to an International Transfer pursuant to this Schedule if and to the extent that is required according to the Privacy Act. The Controller hereby confirms that he has received the personal data and has informed the persons concerned about the disclosure of the personal data in accordance with the APP and the Privacy Act 1988. On this basis, the requirement of “Informed Consent” within 8.1 APP is deemed to have been met due to the exception of the “Informed Consent”. Provided that the Informed Consent does not apply, this Schedule provides the framework for the protection of the personal data of the affected persons in Australia insofar as it provides at least essentially the same privacy as the APP, and Processor and its sub-processors commit themselves to a level of data protection which is the same level as set out in Sections 2, 3 and 6 of this schedule (exception of “Substantially Similar Law” under APP 8.2 (a)). With this, the requirement of “Substantially Similar Law” stated in APP 8.1 is seen as fulfilled for this purpose.

4. UK
Insofar as a Data Protection Act (including the new EU Data Protection Basic Regulation or its successor after Great Britain leaves the European Union) comes into force after the date of entry into force of this DPA and it is contrary to the terms of this DPA or otherwise requires an amendment to this DPA, a Party may notify the other party in order to start to negotiate the necessary amendments to this DPA in accordance with the principle of good faith.

5. Switzerland
In accordance with Art. 3 lit. b of the Swiss Federal Act of 19 June 1992 on Data Protection (FADP), the definitions in clause 1 of this DPA shall be amended as follows:
“Data Subject”: natural or legal persons whose data is processed.

6. Italy
Article 29 of the Italian Personal Data Protection Code states that it is necessary to appoint the data processor in conformity with Italian law and to describe the specific tasks that they have in accordance with the Italian Data Protection Code. By signing this DPA the Controller appoints the Processor as a Data Processor. The Data Processor shall process data in accordance with the regulations and safety measures provided by Legislative Decree no. 196/2003 and identified in Appendix B thereto “Technical specifications regarding minimum security measures” and the regulations and safety measures that will be provided as updates to those contained therein. The measures to be taken are described within this DPA and its Appendixes.

Specifically Data Processor agrees to perform his duties strictly in accordance with Instructions given to him by the Data Controller, and shall, pursuant to art. 29, paragraph 5 of Legislative Decree no. 196/2003, supervise the timely compliance of the tasks given to Data Processor.

The Data Processor undertakes to:
• provide the Data Processing services described in the DPA, particularly undertakes to complete any processing operation or set of operations, with or without the aid of electronic means, with respect to the collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blockage, communication, dissemination, cancellation and destruction of data, even if not registered in a database;
• perform the Services in accordance with the data protection requirements and only for the intended purposes as described in the DPA. The Data Processor is obliged to safeguard data secrecy according to Data Protection Legislation, particularly the Data Processor undertakes to complete the data processing operations referred to herein in a lawful and proper manner, that provides for maximum confidentiality and which will also provide for timely and full compliance with the applicable laws and regulations;
• apply measures that all personnel charged with handling data do so in compliance with current law and regulations, as well as any Instructions provided thereon;
• monitor that its processing of personal data complies with the requirements established by Legislative Decree no. 196/2003;
• store personal data collected in compliance with the security measures provided by art. 31 et seq. of Legislative Decree 196/2003, ensuring the observance of minimum security measures. Both Controller and Processor acknowledge that the Technical and Organizational Measures of Appendix 1 of the DPA are currently sufficient to comply with the measures of art 31 et seq. of Legislative Decree 196/2003.
If necessary, a system administrator will be appointed within a separate Appointment letter for System administrator.

7. USA
The following definitions in clause 1 of this DPA shall be amended as follows:
Personal data (in the USA the term Personally Identifiable Information is used): any individual element of information concerning the personal or material circumstances of an identified or identifiable individual;

Sensitive data (also known as “Special Categories of Personal Data”): information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, social security number, driver’s license number or state or federally issued identification card number, account number or credit or debit card number, or an account number in combination with any required security code, access code, or password that would permit access to an individual’s financial account, or any other information the unauthorized disclosure of which may require Controller to notify affected individuals.

8. Singapore
In the case the Controller is situated in Singapore, the following text will be added to clause 4 of this DPA:
“The Processor will comply in a timely manner with the directions or decisions of any competent data protection and privacy authority in relation to the Data. The Processor will give the Controller such co-operation, assistance and information as the Controller reasonably requests to comply with its obligations under Data Protection Legislation.”

9. Malaysia
In the case the Controller is situated in Malaysia, the definition of Special Categories of data (“Special Categories of Personal Data” shall mean information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life) in clause 1 of this DPA (Definitions) will be replaced with the following: “Special Categories of Personal Data” shall mean information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, the commission or alleged commission of any offence, physical or mental health or sex life.

In the case the Controller is situated in Malaysia, the following text of clause 8 of this DPA will be supplemented with “The Processor will implement the technical and organizational measures as specified in Data Protection Legislation and in Appendix 1 to protect the Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, use or access and against all other unlawful forms of processing”.

In the case the Controller is situated in Malaysia, the following text will be added to clause 9.1(b) of this DPA: “Both Parties agree to observe secrecy regarding any information acquired within the framework of the SA and this DPA, especially regarding the Data, taking into account the Controller’s secret. This obligation continues to apply after termination of the DPA.”
In the case the Controller is situated in Malaysia, the following text will be added to clause 11 of this DPA: “The report will cover the objectives of the technical and organizational measures set out in Appendix 1 and Data Protection Legislation.”

10. India
The following definitions in clause 1 of this DPA shall be amended as follows:
“Personal Data” means any individual element of information concerning the personal or material circumstances of an identified or identifiable individual. Personal information which is any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.
“Special Categories of Personal Data” shall mean Sensitive personal data or information of a person; this means such personal information which consists of information relating to;—(i) password; (ii) financial information such as Bank account or credit card or debit card or other payment instrument details; (iii) physical, physiological and mental health condition; (iv) sexual orientation; (v) medical records and history; (vi) Biometric information; (vii) any detail relating to the above clauses as provided to body corporate for providing service; and (viii) any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise: provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.

The following text will be added to clause 8 of this DPA:
“The Processor shall comply with the reasonable security practices and procedures prescribed by the Controller and/or the privacy policy of the Controller shall constitute reasonable security practices and procedures under section 43A of the (Indian) Information Technology Act 2000 and the rules issued by the Indian Government under such provision shall accordingly not be applicable.”

11. China
The following text will be added to clause 16 of this DPA:
“Legal liability according to the laws of the People’s Republic of China may apply depending on the agreements of the Controller with its customer.”

APPENDIX 3 TO THE DATA PROTECTION AGREEMENT: EUROPEAN STANDARD CONTRACTUAL CLAUSES

The following appendix is only applicable in case the Customer is established within the EU and concludes the SA with a Sinch company that is not established within the EU/EEA.

EUROPEAN COMMISSION
DIRECTORATE-GENERAL JUSTICE

Directorate C: Fundamental rights and Union citizenship
Unit C.3: Data protection

 

Commission Decision C(2010)593
Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

the Entity represented by the individual accepting the Agreement online; or the actual individual, where the individual enters into the Agreement as a sole proprietor or trader, shall be referred to as “you”, “your” or “Customer” within the Terms of Service.

(the data exporter)

And

The Sinch company you will be entering into the Standard Contractual Clauses with is one of the parties below. The Sinch Company that concludes the Standard Contractual Clauses is the same legal entity as set out below in the Sinch Terms of Service.

Option 1: Sinch UK Ltd., Legal Department, 4th Floor, Cap House, 9-12 Long Lane, Barbican, London, EC1A 9HA, or
Option 2: Sinch America Inc., Legal Department, 40 Technology Parkway South, Suite 300, Norcross, GA, 30092, United States

(the data importer)
each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

 

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

 

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter
The data exporter is (please specify briefly activities relevant to the transfer):
Data exporter is concluding this agreement to cover any data transfer that will take place necessary for the provisioning of the services as described within the SA.

Data importer
The data importer is (please specify briefly activities relevant to the transfer):
Sinch is concluding this agreement on behalf of itself and all its affiliates that will be part of Sinch Group and will provide the services as described within the SA.

Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
As described in the DPA

Categories of data
The personal data transferred concern the following categories of data (please specify):
As described in the DPA

Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
As described in the DPA

Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
As described in the DPA and the SA

 

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

As described in Appendix 1 of the DPA