Randori DPA-DPL

Change information

  • July 2023: Utah Consumer Privacy Act (UTCPA) added
  • July 2023: The Quebec Bill 64 added
  • July 2023: Ecuador’s Organic Law for the Protection of Personal Data, Ley Orgánica de Protección de Datos Personales added
  • July 2023: The Vietnam Personal Data Protection Decree (PDP) added
  • July 2023: Kenya’s The Data Protection Act, 2019 added
  • July 2023: The Data Protection (Jersey) Law 2018 added
  • July 2023: Uruguay’s Law on the Protection of Personal Data and Habeas Data Action No. 18,331 of 2008 (“Uruguay DPL”) added
  • March 2023: Colorado Privacy Act (COPA) added
  • March 2023: Connecticut Data Privacy Act (CTDPA) added
  • February 2023: Japanese Act on the Protection of Personal Information no. 57 of 2003 (APPI) added
  • December 2022: California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020, updated
  • December 2022: Virginia – Consumer Data Protection Act (VCDPA) updated
  • August 2022: Virginia – Consumer Data Protection Act (VCDPA) added
  • April 2022: Thailand Personal Data Protection Regulation added
  • April 2022: UK Data Protection Regulation updated
  • April 2022: Swiss Federal Act on Data Protection added
  • April 2022: South Africa Protection of Personal Information Act (POPIA) added
  • December 2021: Singapore Personal Data Protection Act (PDPA) added
  • November 2021: China Personal Information Protection Law (PIPL) added
  • September 2021: UK Data Protection reference updated
  • March 2021: UK Data Protection Act 2018 reference updated
  • December 2020: Appendix on Additional Safeguards to EU Standard Contractual Clauses (EU SCCs) added
  • July 2020: Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados (LGPD) data protection law updated
  • July 2020: Serbia Data Protection Law updated
  • March 2020: Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados (LGPD) data protection law added
  • March 2020: UK Data Protection Act 2018 added to United Kingdom
  • December 2019: California Consumer Privacy Act of 2018 data protection law added
  • September 2019: European Economic Area data protection law added
  • August 2019: Serbia data protection law added


The RANDORI Data Processing Addendum at http://www.Randori.com/dpa (DPA) applies to the Processing of Personal Data by RANDORI on behalf of Client under the Agreement in order to provide and improve the RANDORI Services and other RANDORI services that utilize the same underlying technology or tools, and as otherwise set out in the Agreement, if and to the extent i) the European General Data Protection Regulation (EU/2016/679) (GDPR); or ii) any other data protection laws identified below apply.

The Appendix on Additional Safeguards to EU Standard Contractual Clauses, reported below, supplements and is made part of the EU SCCs and UK SCCs, set out in the DPA Exhibit or at Online Standard Contractual Clauses, as applicable.

The DPA prevails over any conflicting term of the Agreement.


European Economic Area

European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Art. 28 of the GDPR.


United Kingdom

The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), and the UK Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended, superseded or replaced.

For the purpose of Section 8 of the DPA, the EU SCC and United Kingdom’s International Data Transfer Addendum to the European Commission’s standard contractual clauses for international transfers (together, the UK SCC) will be implemented for transfers to Non-Adequate Countries subject to the UK General Data Protection Regulation. By entering into the Agreement, the Parties therefore agree that reference to the EU SCC in Section 8 of the DPA shall also include the UK SCC. Where applicable, the UK SCC is referenced within the applicable DPA Exhibit or at Online Standard Contractual Clauses.


Switzerland

The Swiss Federal Act on Data Protection of 19 June 1992; as of September 1, 2023, its totally revised version of 25 September 2020 (“FADP”), as amended, superseded or replaced.

For the purpose of Section 8 of the DPA and Section 7.1 of the DPA Exhibit, the EU SCC will be implemented for transfers to Non-Adequate Countries subject to the FADP, as amended and adapted, as follows:

(i) the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority in accordance with Clause 13 and Annex I.C of the EU SCC; and

(ii) the governing law in accordance with Clause 17 of the EU SCC shall be Swiss law in case the data transfer is exclusively subject to the FADP; and

(iii) the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the EU SCC; and

(iv) references to the GDPR in the EU SCC shall also include the reference to the equivalent provisions of the FADP (as amended or replaced).


Serbia

Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti; Official Gazette of the Republic of Serbia, no. 87/2018).

In the case of a transfer of Client Personal Data to a Non-Adequate Country, by entering into the Agreement, the Client is entering into the Serbian Standard Contractual Clauses (Serbian SCC) as adopted by the “Serbian Commissioner for Information of Public Importance and Personal Data Protection”, published at https://www.poverenik.rs/images/stories/dokumentacija-nova/podzakonski-akti/Klauzulelat.docx to provide an adequate level of protection. References to the EU Standard Contractual Clauses (EU SCC) in Section 8 of the DPA and in the DPA Exhibit shall mean the Serbian SCC.

Information required to complete Appendices 1 to 8 of the Serbian SCC for the purpose of governing the transfer of Personal Data to a Non-Adequate Country can be found in the DPA and DPA Exhibit.

Upon request, Randori will provide a copy of the Serbian SCCs in the Serbian language signed by the Randori Data Importers and a courtesy translation in English. Please submit requests to ChiefPrivacyOffice@ca.ibm.com.


Brazil

Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados (LGPD), upon entering into force. For the sake of clarity, Randori’s obligations to a Client under the DPA are only those express obligations imposed by LGPD on a “Data Processor (operador)” for the benefit of a “Data Controller (controlador)” (including new Section 1.6 below), as “Data Controller (controlador)” and “Data Processor (operador)” are defined by the LGPD:

1.6 Each party is responsible to fulfill its respective obligations set out in the LGPD, and Client will only issue Processing instructions, as set forth in Section 1.3 of this DPA, that enable Randori to fulfill its LGPD obligations.

For the purpose of Section 8, the EU SCC will be used for transfers to non-adequate countries as per GDPR.


State of California, United States

The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA) and its implementing regulations upon entering into force (referred to together below as the CCPA). Randori’s obligations to Client under the DPA are those that the CCPA requires that a “Business” have in place with a “Service Provider” (including amended Section 1.3 and new Sections 1.6 – 1.7), as “Service Provider” and “Business” are defined by the CCPA:

1.3 The following wording is added to the end of Section 1.3 of the DPA: Randori will notify Client if Randori determines that it can no longer meet its obligations under the CCPA. In the event of unauthorized use of Client Personal Information, Client has the right, on notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Client Personal Information.

1.6 Randori will not further combine Client Personal Information, or use, retain or disclose Client Personal Information outside of the direct business relationship between Randori and Client or, for any purpose other than to perform the Services and business purpose(s) specified in the Agreement (including the DPA Exhibit(s) and the applicable TD(s)), or as otherwise permitted by CCPA. Randori will not sell or Share Client Personal Information.

1.7 Unless expressly permitted in a TD, Randori commits not to re-identify any Client deidentified data Randori processes on behalf of Client (Client Deidentified Data), and to take reasonable measures that are available to Randori to avoid Client Deidentified Data being associated with a Consumer or Household, in compliance with its obligations under CCPA. If Randori is instructed by Client in a TD to re-identify Client Deidentified Data, Randori will treat Client Deidentified Data as Client Personal Information subject to the terms of this DPA.

The terms used in the applicable provisions of the DPA shall be replaced as follows: “Personal Data” shall mean “Personal Information”; “Controller” shall mean “Business”; “Processor” shall mean “Service Provider”; “Data Subject” shall mean “Consumer”; “Special Categories of Personal Data” shall mean “Sensitive Personal Information”; “Deidentified Data” shall mean data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable Consumer, or a device linked to such person; and “business purpose”, “Household”, and “Share” shall have the meaning given to them by the CCPA.


China

The People’s Republic of China Personal Information Protection Law (PIPL) upon entering into force. For the sake of clarity, Randori’s obligations to Client under the DPA are those that the PIPL requires that Randori as “Entrusted Person” have in place with a “Personal Information Handler”, as “Entrusted Person” and “Personal Information Handler” are referenced in the PIPL.


Singapore

The Personal Data Protection Act 2012 No. 26 of 2012, as amended from time to time, and its accompanying regulations. For the sake of clarity, Randori’s obligations to Client under the DPA are only those express obligations imposed by PDPA on a “Data Processor (data intermediary)” when processing personal data on behalf of a “Data Controller (organisation)” pursuant to a contract, as “organisation” and “data intermediary” are defined by the PDPA.

In case of a transfer of Client Personal Data outside of Singapore, the DPA applies excluding Section 8.


South Africa

The Protection of Personal Information Act (POPIA) upon entry into force. For the sake of clarity, Randori’s obligations to Client under the DPA are those that POPIA requires that Randori as “Operator” have in place with a “Responsible Party”, as “Responsible Party” and “Operator” are referenced in POPIA.

In case of a transfer of Client Personal Data outside of South Africa, the DPA applies excluding Section 8.


Thailand

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) upon entry into force.
In case of a transfer of Client Personal Data outside of Thailand, the DPA applies excluding Section 8.


States of Virginia, Colorado, Connecticut and Utah (as applicable), United States

The Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (COPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UTCPA) (in each case as applicable) (Applicable State Law) upon entering into force. For the sake of clarity, Randori’s obligations to Client under the DPA are only those express obligations imposed by the Applicable State Law on a “Processor” when processing Client Personal Data on behalf of a “Controller” (including new Section 1.6 below), as “Processor” and “Controller” are defined by the Applicable State Law:

1.6 Unless expressly permitted in a TD, Randori commits not to re-identify any Client De-identified Data Randori processes on behalf of Client (Client De-identified Data), and to take reasonable measures that are available to Randori to avoid Client De-identified Data being associated with a natural person, in compliance with its obligations under Applicable State Law. If Randori is instructed by Client in a TD to re-identify Client De-identified Data, Randori will treat Client De-identified Data as Client Personal Data subject to the terms of this DPA.

The terms used in the applicable provisions of the DPA shall be replaced as follows: “subprocessor” shall mean “subcontractor”; “Data Subject” shall mean “Consumer”; “Special Categories of Personal Data” shall mean “Sensitive data”; “Data Protection Impact Assessment” shall mean “data protection assessment”; and “De-identified Data” shall mean “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or a device linked to such person” (where required by Applicable State Law).


Japan

The Japanese Act on the Protection of Personal Information no. 57 of 2003 (APPI), as amended and its accompanying regulations.

For the sake of clarity, Randori’s obligations to Client under the DPA shall be those that the APPI requires Client to have in place as “Business Operator”, to entrust the processing of Client Personal Data to Randori as “entrusted Business Operator”, as such terms are used in the APPI.

In case of a transfer of Client Personal Data from Japan to an overseas country for purposes of the APPI, the DPA applies and Section 8 “Transborder Data Processing” is replaced as follows:

8. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the Client Personal Data by Randori prevent them from implementing their obligations under the DPA and DPA Exhibit.

The parties agree to notify the other party if, after having agreed to this DPA and for the duration of the contract, a party has reason to believe that either party cannot comply with its obligation under the DPA. In which case, the parties will cooperate in good faith to identify appropriate measures to be adopted to address the situation. If no appropriate measures can be implemented, the parties will evaluate together whether to suspend the transfer of Client Personal Data.

Client acknowledges that Randori’s service is not designed to handle Specific Personal Information as defined and subject to the Japanese My Number Act (i.e., the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No.27 of 2013), as may be amended), unless otherwise agreed between Randori and Client in the Agreement.


Quebec

The Quebec Bill 64 (An Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25) (the “Act”) and the legislation applicable to the protection of personal information as expressly referenced and amended by the Act, upon entering into force, as amended, superseded, or replaced.


Ecuador

The Organic Law for the Protection of Personal Data, Ley Orgánica de Protección de Datos Personales, upon entering into force. For the purpose of Section 8 of the DPA, the EU SCC will be used for transfers of personal data to non-adequate countries as per GDPR.


Kenya

The Data Protection Act, 2019 and its implementing regulations upon entering into force. In case of a transfer of Client Personal Data outside of Kenya, the DPA applies excluding Section 8.


Vietnam

The Vietnam Personal Data Protection Decree (PDP), upon entering into force, as amended, superseded or replaced.


Bailiwick of Jersey

The Data Protection (Jersey) Law 2018, the Data Protection Authority (Jersey) Law 2018, and their implementing regulations. The terms used in the applicable provisions of the DPA shall be replaced as follows: “Special Categories of Personal Data” shall mean “Special Category Data”.


Uruguay

Uruguay’s Law on the Protection of Personal Data and Habeas Data Action No. 18,331 of 2008 (“Uruguay DPL”), as amended, and its implementing regulations upon entering into force.

In case of a transfer of Client Personal Data outside of Uruguay, the DPA applies and Section 8 “Transborder Data Processing” is replaced as follows:

8.1. Client shall obtain consent from the Data Subjects for any transfer of Client Personal Data to a country not providing an adequate level of protection pursuant to the Uruguay DPL (Non-Adequate Country), if applicable. If Client believes the measures are not sufficient to satisfy the legal requirements, Client shall notify Randori and the parties shall work together to find an alternative.


Appendix on Additional Safeguards to EU Standard Contractual Clauses (EU SCCs)

  1. In accordance with the July 16, 2020 decision of the Court of Justice of the European Union (CJEU) in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, and without prejudice to any provisions of the DPA, Randori will undertake additional safeguards to secure Personal Data transferred on the basis of European Union (EU) Standard Contractual Clauses (SCCs) to those countries whose laws are likely to have a substantial adverse effect on the level of data protection offered by the EU SCCs and required under EU and UK data protection law.
  2. Randori will implement and maintain the technical and organizational measures, as specified in the DPA Exhibit, such as encryption, access controls, or similar technologies, as applicable and agreed with the Client, to protect Client Personal Data against any processing for national security or other government purposes that are determined to be massive, disproportionate, or indiscriminate in a manner that goes beyond what is necessary in a democratic society, considering the type of processing activities and Randori’s scope of responsibility.
  3. For the purposes of safeguarding Client Personal Data when any government or regulatory authority requests access to such data, Randori has implemented and shall continue to comply with the provisions of the following documents which remain accurate and valid: “Letter to Our Clients About Government Access to Data” and available to Clients since its publication on March 14, 2014 (“Data Access Letter”); and “Law Enforcement Requests Transparency Report” (“Transparency Report”).
  4. In the event of any such request for access to Client Personal Data by a government or regulatory authority:
    a. in accordance with the Data Access Letter and Transparency Report, Randori will notify Client of such request to enable the Client to take all necessary actions to communicate directly with the relevant authority and respond to such request. If Randori is prohibited by law from notifying the Client of such request, it will make best reasonable efforts to challenge such prohibition and it commits to providing the minimum amount of information permissible when responding, based on a reasonable interpretation of the order; and
    b. if, regardless of all such efforts, Randori is prohibited by law from notifying the Client, upon request of the Client and in accordance with applicable law, Randori will provide to such Client general information relative to any such request received from a government or regulatory authority during the preceding 12-month period.