DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) supplements the Gorilla Expense Terms of Use and other written or electronic agreement(s) between you and Gorilla Expense (also referred to as “we” or “our” in this DPA) for the provision of the Services (the “Agreement”). This DPA applies to both you and your Authorized Affiliates. All capitalized terms not defined herein will have the meaning set forth in the Agreement.
This DPA reflects the parties’ agreement on the terms governing the processing and security of your Personal Data in connection with the Data Protection Laws. This DPA does not apply to User Data of which Gorilla Expense is the controller and which Gorilla Expense may use in accordance with the terms of the Agreement.
Upon your acceptance of the Agreement, this DPA will become legally binding. The terms of this DPA will take effect on the Effective Date and will continue in effect until the Agreement is terminated or expires in accordance with its terms.
DATA PROCESSING TERMS
1. DEFINITIONS
1.1 In this DPA, these capitalized terms have the following meaning:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
“Authorized Affiliate” means any of your Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to your Agreement with Gorilla Expense but has not signed its own Order Form with Gorilla Expense and is not a “client” or “customer” as defined under the Agreement.
“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union and including GDPR, the European Economic Area, and Switzerland, applicable to the processing of personal data under the Agreement.
“Effective Date” means the date on which you accept this DPA.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Gorilla Expense Group” means Gorilla Expense and its Affiliates engaged in the processing of personal data.
“Personal Data” means personal data that you process or that is processed by Gorilla Expense on your behalf in connection with Gorilla Expense’s provision of the Services.
“Standard Contractual Clauses” means the contractual clauses attached hereto and incorporated into this DPA as Exhibit 2 pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, amended as indicated (in square brackets and italics).
“Sub-processor” means any processor (but excluding any employee of Gorilla Expense or of a member of the Gorilla Expense Group) engaged by Gorilla Expense or a member of the Gorilla Expense Group.
“User Data” means any personal data relating to you or your Users, employees, officers or contractors provided to or obtained by Gorilla Expense in the provision of the Services.
“Users” means individuals authorized by you to access the Services through your Gorilla Expense account.
1.2 The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in this DPA have the meanings given to them in the GDPR.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that, regarding the processing of Personal Data, you are the controller, Gorilla Expense is the processor and that Gorilla Expense or members of the Gorilla Expense Group will engage Sub-processors pursuant to the requirements set forth in Section 5 (Sub-processors) below. The parties acknowledge and agree that, as the controller, you will determine the scope, purposes, and manner by which Personal Data may be accessed or processed by Gorilla Expense.
2.2 Your Processing of Personal Data. You agree that, in your use of the Services, you will process Personal Data in accordance with the requirements of Data Protection Laws. You agree that your instructions for the processing of Personal Data will comply with Data Protection Laws. You represent and warrant that you have all necessary rights to provide Personal Data to Gorilla Expense for processing to be performed in connection with the Services, and that one or more lawful bases set forth in the Data Protection Laws support the lawfulness of the processing. To the extent required by Data Protection Laws, you are responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in the Data Protection Laws supports the lawfulness of the processing, that any necessary data subject consents to the processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by a data subject, you are responsible for communicating the fact of this revocation to Gorilla Expense, and Gorilla Expense remains responsible for implementing your instruction with respect to the processing of that Personal Data. As between the parties, you acknowledge and agree that you are solely responsible for the accuracy and quality of Personal Data.
2.3 Gorilla Expense’s Processing of Personal Data. Gorilla Expense agrees that it will process Personal Data only on your behalf and only in accordance with your documented instructions for the following purposes: (a) processing in accordance with the Agreement; (b) processing initiated by Users in their use of the Services; and (c) processing to comply with other documented reasonable instructions provided by you (e.g., via email) where such instructions are consistent with the terms of the Agreement. Should Gorilla Expense reasonably believe that a specific processing activity beyond the scope of your instructions (or otherwise inconsistent with the terms of the Agreement) is required to comply with a legal obligation to which Gorilla Expense is subject, Gorilla Expense will inform you of that legal obligation before undertaking such processing. Unless required to comply with such a legal obligation, Gorilla Expense will not process Personal Data in a manner inconsistent with your documented instructions. Gorilla Expense will promptly notify you if, in its opinion, any such instruction violates any Data Protection Law. Such notification will not constitute a general obligation on the part of Gorilla Expense to monitor or interpret the laws applicable to you, and such notification will not constitute legal advice to you.
2.4 Details of the Processing. The subject matter of processing of Personal Data by Gorilla Expense is the performance of the Services pursuant to the Agreement. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and categories of data subjects processed under this DPA are further specified in Exhibit 1. These instructions also describe the duration, object, scope and purpose of the processing. Gorilla Expense will be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue the purpose of the processing specified in Exhibit 1, provided that all such discretion is compatible with the requirements of the Agreement, as amended by this DPA, and in particular your written instructions.
3. RIGHTS OF DATA SUBJECTS
Gorilla Expense will, to the extent legally permitted, promptly notify you if Gorilla Expense receives a request from a data subject to exercise the data subject’s right of access, right to rectification, restriction of processing, erasure (“right to be forgotten”), data portability, objection to the processing, or its right not to be subject to automated individual decision making (“Data Subject Request”). Taking into account the nature of the processing, Gorilla Expense will assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent you, in your use of the Services, do not have the ability to address a Data Subject Request, Gorilla Expense will upon your request use commercially reasonable efforts to assist you in responding to such Data Subject Request, to the extent Gorilla Expense is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. You will be responsible for any costs arising from Gorilla Expense’s provision of assistance under this Section 3.
4. GORILLA EXPENSE EMPLOYEES
4.1 Confidentiality. Gorilla Expense will treat all Personal Data as confidential and will cause its employees engaged in the processing of Personal Data to be informed of the confidential nature of the Personal Data, to have received appropriate training on their responsibilities and to have executed written confidentiality agreements or otherwise to be bound by obligations of confidentiality. Gorilla Expense will ensure that such confidentiality obligations survive the termination of the employee’s engagement.
4.2 Reliability. Gorilla Expense will take commercially reasonable steps to ensure the reliability of any Gorilla Expense employees engaged in the processing of Personal Data.
4.3 Limitation of Access. Gorilla Expense will ensure that Gorilla Expense’s access to Personal Data is limited to those employees performing Services in accordance with the Agreement.
5. SUB-PROCESSORS
5.1 Appointment of Sub-processors. You acknowledge and agree that (a) Gorilla Expense’s Affiliates may be retained as Sub-processors; and (b) Gorilla Expense and Gorilla Expense’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Gorilla Expense or a Gorilla Expense Affiliate will ensure that each Sub-processor is bound by obligations compatible with those of Gorilla Expense under this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor and will reasonably monitor compliance therewith.
5.2 List of Current Sub-processors and Notification of New Sub-processors. Gorilla Expense agrees to make available to you the current list of Sub-processors for the Services. A current list of Sub-processors for the Services, including the identities of those Sub-processors and their country of location, is set forth at Exhibit 3. When a Sub-processor is proposed to be changed, Gorilla Expense will provide prior notice by email or other permissible notice under the Agreement to you before implementing such change.
5.3 Objection Right for New Sub-processors. You may object to Gorilla Expense’s use of a new Sub-processor by setting forth a reasonable basis for its objection and notifying Gorilla Expense promptly in writing within ten (10) business days after receipt of Gorilla Expense’s notice in accordance with the mechanism set out in Section 5.2 above. If you object to a new Sub-processor, as permitted in the preceding sentence, the parties will make a good-faith effort to resolve your objection. In the absence of a resolution, Gorilla Expense will use reasonable efforts to make available to you a change in the Services or recommend a commercially reasonable change to your configuration or use of the Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening you. If Gorilla Expense is unable to make available such change within a reasonable period, which will not exceed thirty (30) days, you may terminate the Agreement with respect only to those Services which cannot be provided by Gorilla Expense without the use of the objected-to new Sub-processor by providing written notice to Gorilla Expense. Gorilla Expense will refund you any prepaid fees covering the remainder of the term of such Agreement following the effective date of termination with respect to such terminated Services, without imposing on you a penalty for the termination.
6. SECURITY
6.1 Controls for the Protection of Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you and Gorilla Expense will implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures will include, at a minimum, the security measures agreed upon by the parties in Annex B of the Standard Contractual Clauses.
6.2 Security Policies. Both you and Gorilla Expense agree to maintain written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies should include assignment of internal responsibility for information security management; devoting reasonably adequate personnel resources to information security; where permitted by applicable law, carrying out appropriate verification checks on permanent staff who will have access to Personal Data; and conducting training to make employees with access to Personal Data aware of information security risks presented by the processing.
6.3 Third-Party Certifications and Audits. Gorilla Expense has obtained certain third-party certifications and audits. Upon your written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Gorilla Expense will make available to you (as long as you are not a competitor of Gorilla Expense) or to your independent, third-party auditor (as long as the auditor is not a competitor of Gorilla Expense) a copy of Gorilla Expense’s then most recent third-party audits or certifications, as applicable. You may contact Gorilla Expense at compliance@gorillaexpense.com to request an on-site audit of the procedures relevant to the protection of Personal Data. You agree to reimburse Gorilla Expense for any time expended for any such on-site audit at Gorilla Expense’s then-current professional services rates, which we will make available to you upon request. Before the commencement of any such on-site audit, you and Gorilla Expense will mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which you will be responsible. All reimbursement rates will be reasonable, taking into account the resources expended by Gorilla Expense. You agree to promptly notify Gorilla Expense with information regarding any non-compliance discovered during an audit. Gorilla Expense’s adherence to either a code of conduct or to a certification mechanism approved by the applicable supervisory authority and recognized under Data Protection Laws may be used, at Gorilla Expense’s discretion, as an element by which Gorilla Expense may demonstrate compliance with the requirements set forth in this Section 6, provided that the requirements contained in Annex B of the Standard Contractual Clauses are also addressed by such code of conduct or certification mechanism.
6.4 Improvements to Security.
6.4.1 The parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Gorilla Expense will therefore evaluate the measures as implemented in accordance with this Section 6 on an on-going basis to maintain compliance with the requirements set out in this Section 6. The parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in Data Protection Laws.
6.4.2 Where an amendment to the Agreement is required to execute your instruction to Gorilla Expense to improve security measures as may be required by changes in Data Protection Laws from time to time, the parties agree to negotiate an amendment to the Agreement in good faith.
7. DATA INCIDENTS
Gorilla Expense will notify you without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise processed by Gorilla Expense or its Sub-processors of which Gorilla Expense becomes aware (each, a “Data Incident”). Gorilla Expense will make reasonable efforts to identify the cause of the Data Incident and take those steps as Gorilla Expense deems necessary and reasonable to remediate the cause of the Data Incident to the extent the remediation is within Gorilla Expense’s reasonable control. The obligations herein will not apply to incidents that are caused by you or your Users.
8. IMPACT ASSESSMENT AND PRIOR CONSULTATION
Upon your request, Gorilla Expense will provide you with reasonable cooperation and assistance needed to fulfil your obligation under the GDPR to carry out a data protection impact assessment related to your use of the Services, to the extent you do not otherwise have access to the relevant information, taking into account the nature of the processing and to the extent such information is available to Gorilla Expense. Gorilla Expense will provide reasonable assistance to you in cooperation or prior consultation with the applicable supervisory authority, to the extent required under the GDPR.
9. DELETION OR RETURN OF PERSONAL DATA
No later than thirty (30) days following the date that Gorilla Expense ceases to process Personal Data, or sooner upon your written request, Gorilla Expense will return Personal Data to you and, to the extent allowed by applicable law, delete or destroy Personal Data, in each case as required by the Data Protection Laws and to the extent within Gorilla Expense’s custody and control.
10. EU STANDARD CONTRACTUAL CLAUSES RELATED TERMS
10.1 Standard Contractual Clauses. The Standard Contractual Clauses and the additional terms specified in this Section 10 apply to (i) the legal entity that has accepted the Standard Contractual Clauses as a data exporter and its Authorized Affiliates, and (ii) all your Affiliates that are established within the European Economic Area and Switzerland and that have entered into Order Forms for the Services. For the purpose of the Standard Contractual Clauses and this Section 10, the aforementioned entities will be deemed “data exporters”.
10.2 Instructions. This DPA and the Agreement are your complete and final documented instructions as of the Effective Date to Gorilla Expense for the processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed your instruction to process Personal Data: (a) in accordance with the Agreement; (b) as initiated by Users in their use of the Services and (c) to comply with other reasonable documented instructions that you provide (e.g., via email) where such instructions are consistent with the terms of the Agreement. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and categories of data subjects processed under this DPA are further specified in Annex A of the Standard Contractual Clauses attached hereto. These instructions also describe the duration, object, scope and purpose of the processing.
10.3 Sub-processors. Pursuant to Clause 5(h) of the Standard Contractual Clauses, the data exporter acknowledges and expressly agrees that the provisions of Section 5 of this DPA will also apply to the data importer as if it were Gorilla Expense. The parties agree that the copies of the sub-processor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the EU Standard Contractual Clauses or their equivalent, removed by the data importer beforehand; and, that such copies will be provided by data importer only upon reasonable request by data exporter.
10.4 Audits and Certifications. The parties agree that with respect to the audits described in Clause 5(f), Clause 11 and Clause 12(2) of the Standard Contractual Clauses, the provisions of Section 6.2 of this DPA will also apply to the data importer as if it were Gorilla Expense.
10.5 Certification of Deletion. The parties agree that Gorilla Expense will provide you with the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses only upon your request.
10.6 Conflict. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses in Exhibit 2, the Standard Contractual Clauses will prevail.
11. AUTHORIZED AFFILIATES
11.1 Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, you are entering into this DPA on behalf of yourself and, as applicable, in the name and on behalf of your Authorized Affiliates, thereby establishing a separate DPA between Gorilla Expense and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 11 and Section 12. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate will be deemed a violation by you.
11.2 Communication. The entity that is the contracting party to the Agreement will remain responsible for coordinating all communication with Gorilla Expense under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
11.3 Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to the DPA with Gorilla Expense, it will to the extent required under applicable Data Protection Laws be entitled to exercise its rights and seek remedies under this DPA, subject to the following:
11.3.1 Except where applicable Data Protection Laws require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Gorilla Expense directly by itself, the parties agree that (i) solely the entity that is the contracting party to the Agreement will exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for all of its Authorized Affiliates together (as set forth, for example, in Section 11.3.2 below).
11.3.2 The parties agree that the entity that is the contracting party to the Agreement will, when carrying out an on-site audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Gorilla Expense and its Sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorized Affiliates in one single audit.
12. LIMITATION OF LIABILITY
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Gorilla Expense, whether in contract, tort or under any other theory of liability, is subject to the “Limitations of Liability” section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
For the avoidance of doubt, Gorilla Expense’s and its Affiliates’ total liability for all claims made by you arising out of or related to the Agreement and each DPA will apply in the aggregate for all claims under both the Agreement and all DPAs established under this DPA, including by you and all Authorized Affiliates, and, in particular, will not be understood to apply individually and severally to the entity that is a contractual party to any such DPA.
13. ORDER OF PRECEDENCE; INTERPRETATION
If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, the terms of this DPA will govern. Subject to the amendments of the Agreement set forth in this DPA, the Agreement remains in full force and effect. Also, for the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Exhibits and Annexes.
14. CHANGES TO THIS DPA
14.1 Changes to this DPA. From time to time, Gorilla Expense may change any URL referenced in this DPA and the content at any such URL. Gorilla Expense may change this DPA if the change: (a) is expressly permitted by this DPA; (b) reflects a change in the name or form of a legal entity; (c) is required to comply with applicable law or regulation, or a court order or guidance issued by a governmental regulator or agency; or (d) does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on, Gorilla Expense’s processing of Personal Data; or (iii) otherwise have a material adverse impact on your rights under this DPA, as reasonably determined by Gorilla Expense.
14.2 Notification of Changes. If Gorilla Expense intends to change this DPA under Section 14.1(c) or (d), Gorilla Expense will inform you at least 30 days (or such shorter period as may be required to comply with applicable law or regulation, or a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to your notification email address; or (b) alerting you via the user interface for the Services. If you object to any such change, you may terminate the Agreement by giving written notice to Gorilla Expense within 90 days of being informed by Gorilla Expense of the change.
15. GOVERNING LAW AND JURISDICTION
The substantive laws of the State of Georgia govern this DPA as though it was entered into and is to be entirely performed within the State of Georgia, without regard to conflict of law principles. The parties expressly disclaim the applicability of, and waive any rights based upon, the Uniform Computer Information Transactions Act or the United Nations Convention on Contracts for the International Sale of Goods. However, this DPA will not prejudice or limit a party’s right to enforce any award or decree under the laws of any jurisdiction where property or assets of the other party may be located. For all litigation arising out of or related to this DPA, the parties irrevocably and unconditionally submit to the exclusive jurisdiction and venue (and waive any claim of forum non conveniens and any objections as to laying of venue) of (A) the United States District Court for the Northern District of Georgia, or (B) if such court lacks subject matter jurisdiction, the appropriate state court of the State of Georgia, Fulton County. Each party irrevocably waives any right to object that the court does not have jurisdiction over the substance of claims or disputes or a party. You consent to the service of process in connection with any claim or dispute by registered or certified mail, postage prepaid, to you, to the contact details you have provided to the Services in connection with your Gorilla Expense account. To the fullest extent permitted by law, each party hereby expressly waives (on behalf of itself and on behalf of any person or entity claiming through that party) any right to a trial by jury in any action, suit, proceeding, or counterclaim of any kind arising out of or in any manner connected with this DPA.
List of Attachments
Exhibit 1: DETAILS OF PROCESSING OF PERSONAL DATA
Exhibit 2: STANDARD CONTRACTUAL CLAUSES
EXHIBIT 1
DETAILS OF PROCESSING OF PERSONAL DATA
This Exhibit 1 includes certain details of the processing of Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the processing of Personal Data
The subject matter and duration of the processing of the Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the processing of Personal Data
Gorilla Expense will be processing the Personal Data specified below in order to provide the Services further described in the Agreement.
The types of Personal Data to be processed
- Contact information (for example, name, phone number, address, e-mail address)
- Business information (for example, your name, size and location)
- Employment information (for example, employee identification number and cost center)
- Other personal profile information (for example, travel preferences or out-of-office settings)
- Travel- and expense-related information (for example, copies of receipts and itineraries)
- Corporate card information
- Mobile device information (for example, information accessed by the device’s camera or contained in the device’s photo gallery)
- Other information provided by a User (for example, via free text boxes or a chat functionality)
The categories of data subject to whom the Personal Data relates
- Your employees and independent contractors
Your (and your Affiliates’) obligations and rights
Your (and your Affiliates’) obligations and rights are set out in the Agreement and this DPA.
EXHIBIT 2
STANDARD CONTRACTUAL CLAUSES
[If these Clauses are not governed by the law of a Member State, the terms “Member State” and “State” are replaced, throughout, by the word “jurisdiction”.]
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organisation: The entity that has accepted the DPA
Contact information: Provided through the Services.
Other information needed to identify the organisation: Not applicable
(the data exporter)
And
Name of the data importing organisation: Gorilla Expense
Address: 3870 Peachtree Industrial Boulevard, S-340 #167, Duluth, GA 30096
Contact information: compliance@gorillaexpense.com
Other information needed to identify the organisation: Not applicable
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Annex A.
Clause 1
Definitions
For the purposes of the Clauses:
(a) personal data, special categories of data, process/processing, controller, processor, data subject and supervisory authority shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; [If these Clauses are governed by a law which extends the protection of data protection laws to corporate persons, the words “except that, if these Clauses govern a transfer of data relating to identified or identifiable corporate (as well as natural) persons, the definition of “personal data” is expanded to include those data” are added.]
(b) the data exporter means the controller who transfers the personal data;
(c) the data importer means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; [If these Clauses are not governed by the law of a Member State, the words “and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC” are deleted.]
(d) the sub-processor means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract;
(e) the applicable data protection law means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) technical and organisational security measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Annex A which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this clause 3, clause 4(b) to clause 4(i), clause 5(a) to clause 5(e) and clause 5(g) to clause 5(j), clause 6(1) and clause 6(2), clause 7, clause 8(2) and clause 9 to clause 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this clause 3(2), clause 5(a) to clause 5(e) and clause 5(g), clause 6, clause 7, clause 8(2) and clause 9 to clause 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this clause 3(3), clause 5(a) to clause 5(e) and clause 5(g), clause 6, clause 7, clause 8(2), and clause 9 to clause 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Annex B to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC; [If these Clauses are not governed by the law of a Member State, the words “within the meaning of Directive 95/46/EC” are deleted.]
(g) to forward any notification received from the data importer or any sub-processor pursuant to clause 5(b) and clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Annex B and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subjects as the data importer under the Clauses; and
(j) that it will ensure compliance with clause 4(a) to clause 4(i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Annex B before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorised access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Annex B which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with clause 11; and
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in clause 3 or in clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or its sub-processor of any of their obligations referred to in clause 3 or in clause 11 because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in clause 3 or in clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in clause 5(b).
Clause 9
Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variations of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.
Clause 11
Sub-processing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12
Obligation after termination of personal data processing services
1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
ANNEX A TO THE STANDARD CONTRACTUAL CLAUSES
This Annex forms part of the Clauses and must be accepted by the parties.
Data exporter
The data exporter is the entity that has accepted the DPA.
Contact information: Provided by the data exporter through the Services.
Data importer
The data importer is Gorilla Expense.
Gorilla Expense is the provider of Software as a Service for managing expense reports.
Contact information: 3870 Peachtree Industrial Boulevard, S-340 #167, Duluth, GA 30096
compliance@gorillaexpense.com
Data subjects
Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:
- Employees or independent contractors of data exporter
Categories of data
Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of personal data:
- Contact information (for example, name, phone number, address, e-mail address)
- Business information (for example, the name, size and location of the data exporter)
- Employment information (for example, employee identification number and cost center)
- Other personal profile information (for example, travel preferences or out-of-office settings)
- Travel- and expense-related information (for example, copies of receipts and itineraries)
- Corporate card information
- Mobile device information (for example, information accessed by the device’s camera or contained in the device’s photo gallery)
- Other information provided by a user (for example, via free text boxes or a chat functionality)
Special categories of data (if appropriate)
Not applicable, unless Client configures the Services to capture such data.
Processing operations
The personal data transferred will be processed in accordance with the Agreement and may be subject to the following processing activities:
- storage and other processing necessary to provide, maintain and update the Services provided to the data exporter;
- to provide customer and technical support to the data exporter; and
- disclosures in accordance with the Agreement, the DPA or as compelled by law.
Subject to Section 9 of the DPA, the data importer will process the Personal Data for the duration of the Agreement.
ANNEX B TO THE STANDARD CONTRACTUAL CLAUSES
This Annex forms part of the Clauses and must be accepted by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data as set forth in the DPA and as follows:
- Measures taken to prevent any unauthorized person from accessing the facilities used for data processing (e.g., secured access, badges);
- Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons (e.g., data kept in locked premises);
- Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data (e.g., restricted access to the IT infrastructure);
- Measures taken to prevent data processing systems from being used by unauthorized persons using data transmission facilities (e.g., firewalls);
- Measures taken to guarantee that authorized persons, when using an automated data processing system, may access only data that are within their competence (e.g., specific user accounts);
- Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities (e.g., VPN, encryption of data);
- Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
- Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported (e.g., by encryption or pseudonymization); and
- Measures taken to safeguard data by creating backup copies (encryption of data back-ups).
EXHIBIT 3
SUBPROCESSORS
| Sub-processor | Corporate Address |
|---------------|-------------------|
| FreshDesk     | USA               |
| Mailchimp     | USA               |
| Zoho          | USA               |