Data Processing Addendum
for Resale of PCCW Global and Console Connect Services
This Data Processing Addendum for Resale of PCCW Global and Console Connect Services (“Addendum”) sets out the terms on which a Party (“Data Processor”) and/or its sub-processors processes Personal Data on behalf of the other Party (“Data Controller”) in connection with the performance of the Data Processor’s obligations under the Specific Terms for Resale of Console Connect Services (“Specific Terms”) and related Master Services Agreement (collectively, the “Principal Agreements”).
This Addendum is incorporated into and made a part of the Specific Terms for Resale of Console Connect Services (the “Specific Terms”). Capitalised terms used herein and not otherwise defined shall have the meanings set forth in the Specific Terms or the EU GDPR, as applicable.
1. Interpretation
1.1 The following terms have the meanings set out below:
| “Applicable Law” | means any and all: (i) legislation (including statutes, statutory instruments, treaties, regulations, orders, directives, by-laws, and decrees) and common law; and (ii) judgments, resolutions, decisions, orders, notices or demands of a competent court, tribunal, regulatory body or governmental authority in each case having the force of binding law or by which either party is bound; in each case in any jurisdiction relevant to the parties in the context of this Addendum; |
| “Data Breach” | means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed; |
| “Data Controller” | shall have the meaning given in the DP Law; |
| “Data Controller’s Group” | means the Data Controller, its subsidiaries and subsidiary undertakings from time to time, any holding company of the Data Controller and all other subsidiaries and subsidiary undertakings of any such holding company; |
| “Data Processor” | shall be used in accordance with the DP Law; |
| “Data Processor’s Group” | means the Data Processor, its subsidiaries and subsidiary undertakings from time to time, any holding company of the Data Processor and all other subsidiaries and subsidiary undertakings of any such holding company; |
| “data subject” | shall have the meaning given in the General Data Protection Regulation (EU) 2016/679, as the same may be amended or updated from time to time (“EU GDPR”); |
| “DP Law” | means all Applicable Law from time to time relating to the processing of personal data and privacy including (where applicable) the General Data Protection Regulation (EU) 2016/679 as the same may be amended or updated from time to time; |
| “National Privacy Law” | means the DP Law of a jurisdiction outside of the EEA or UK applicable to the non-EEA/UK jurisdiction in which a Party is established; |
| “Personal Data” | means all personal data (which has the meaning given to that term in DP Law) processed under this Addendum |
| “processing” | has the meaning given to that term in DP Law, and “process” and “processed” shall have a corresponding meaning; |
| “Regulator” | means the UK Information Commissioner, a supervisory authority (as defined in the General Data Protection Regulation (EU) 2016/679) or any other person having regulatory or supervisory authority over processing of Personal Data by the parties; and |
| “Restricted Transfer” | means: (a) a transfer of Personal Data from Data Controller to Data Processor; or (b) an onward transfer of Personal Data from Data Processor to another Sub-Processor, in each case, where such transfer would be prohibited by the DP Law in the absence of any data transfer safeguard; |
| “Sub-Processor” | has the meaning given to that term in sub-clause [2.4(C)]. |
1.2 In this Addendum, unless otherwise specified:
(A) references to clauses are to clauses of this Addendum;
(B) use of any gender includes the other genders;
(C) references to a “company” shall be construed so as to include any corporation or other body corporate, wherever and however incorporated or established;
(D) references to a “person” shall be construed so as to include any individual, firm, company, corporation, body corporate, government, state or agency of a state, local or municipal authority or government body or any joint venture, association or partnership (whether or not having separate legal personality);
(E) a reference to any statute or statutory provision shall be construed as a reference to the same as it may have been, or may from time to time be, amended, modified or re-enacted and shall include any subordinate legislation made from time to time under that statute or statutory provision;
(F) a reference to any other document referred to in this Addendum is a reference to that other document as amended, varied or supplemented at any time;
(G)
(i) the rule known as the ejusdem generis rule shall not apply and accordingly general words introduced by the word “other” shall not be given a restrictive meaning by reason of the fact that they are preceded by words indicating a particular class of acts, matters or things; and
(ii) general words shall not be given a restrictive meaning by reason of the fact that they are followed by particular examples intended to be embraced by the general words and any words following the terms “including”, “include”, “in particular” or any other similar expression shall be construed as illustrative only; and
(H) the expressions “holding company”, “subsidiary” and “subsidiary undertaking” shall have the meaning given in the Companies Act 2006.
1.3 In this Addendum, unless otherwise specified all headings and titles are inserted for convenience only and are to be ignored in the interpretation of this Addendum.
2. Data Protection
2.1 Where this Addendum or the Principal Agreements require the Data Processor to process Personal Data on behalf of the Data Controller, this Clause 2 shall apply.
2.2 The Data Processor shall comply with its obligations under DP Law.
2.3 The description of the nature and purpose of the processing carried out by the Data Processor under this Addendum, and the type of Personal Data and categories of data subjects contained in the Personal Data is set out in the Schedule to this Addendum.
2.4 The Data Processor shall:
process the Personal Data only on documented instructions from the Data Controller including with regard to transfers of Personal Data to a third country or an international organisation, unless the Data Processor is legally required to process the Personal Data for another purpose by European or Member State law to which the Data Processor is subject and provided it informs the Data Controller of that legal requirement and the proposed processing before such processing takes place (unless that law prohibits such information on important grounds of public interest);
(A) ensure that persons authorised to process the Personal Data are contractually bound to, or under an appropriate statutory obligation of, confidentiality;
(B) take all measures required by DP Law, including implementing appropriate technical and organisational measures, to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks for the rights and freedoms of natural persons and the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. Such measures shall include (as appropriate):
(i) pseudonymising and encrypting Personal Data;
(ii) ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) having the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
(iv) having a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
(C) have general authorisation to engage another processor to process the Personal Data (a “Sub-Processor”) provided that it enters into a contract with such Sub‑Processor in accordance with sub-clause 2.4(D);
(D) if a Sub-Processor is engaged, the Data Processor shall ensure that such Sub-Processor is bound by the terms of a contract which imposes on such Sub‑Processor the same data protection obligations as are set out in this Addendum and in particular the Data Processor shall obtain sufficient guarantees from the Sub-Processor that it shall implement appropriate technical and organisational measures in such a manner that the processing shall meet the requirements of DP Law. Where the Sub-Processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of the Sub-Processor’s obligations;
(E) taking into account the nature of the processing, assist the Data Controller by appropriate technical and organisational measures (as far as this is possible) for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject's rights under DP Law;
(F) taking into account the nature of the processing and the information available to the Data Processor, provide to the Data Controller such assistance as the Data Controller may from time to time reasonably require to enable it to comply with its security, breach notification, breach communication, impact assessment and prior consultation responsibilities under DP Law, including:
(i) otifying the Data Controller without undue delay after becoming aware of a Data Breach; and
(ii) assisting the Data Controller with making any mandatory notifications to Regulators and/or affected data subjects in the event of a Data Breach;
(G) following the termination or expiry of this Addendum, (at the Data Controller’s choice) delete, or return to the Data Controller, all Personal Data and delete existing copies of the Personal Data unless such Personal Data is required to be retained by the Data Processor under DP Law;
(H) make available to the Data Controller all information reasonably required to demonstrate compliance with this clause 2 and allow for and contribute to audits, including inspections, conducted by or on behalf of the Data Controller (any such audit or inspection shall be carried out no more than once each calendar year of the term of this Addendum as described in the Schedule hereto and only on providing not less than four (4) weeks’ prior written notice to the Data Processor);
(I) with regards to sub-clause 2.4(H), immediately inform the Data Controller if, in its opinion, an instruction from the Data Controller infringes DP Law.
3. Cross-border Data Transfers
3.1 For Data Controller based in the European Economia Area (“EEA”)(“EEA Data Controller”) or Data Controller based in the United Kingdom (“UK”)(“UK Data Controller”), any transfer of Personal Data to an jurisdiction outside the EEA or UK (as the case maybe) shall be subject to the Standard Contractual Clauses based on the Commission Implementing Decision (EU) 2021/914 of 4th June 2021 (as amended and updated from time to time) (the “Standard Contractual Clauses”) and as supplemented by the International Data Transfer Addendum to the Standard Contractual Clauses which applies to UK Personal Data only. Other than the EU and the UK, there is also cross-border data transfer restriction under the National Privacy Law of certain jurisdictions (including without limitation Singapore).
3.2 Data Controller, as data exporter, and the Data Processor on behalf of itself and each Sub-Processor that it engages as data importer shall enter into the Standard Contractual Clauses, the UK Addendum or the relevant clauses under National Privacy Law, in respect of any Restricted Transfer, which terms shall take precedence over any in this Addendum. Therefore, the Parties shall, in addition to this Addendum, enter into a separate data transfer agreement ("Data Transfer Agreement") before carrying out any Restricted Transfer (whichever is earlier) so that:
(a) the EEA Data Controller exporter enters into the relevant Standard Contractual Clauses Data Transfer Agreement with the Non-EEA importing Data Processor;
(b) the UK Data Controller exporter enters into the UK Addendum and relevant Data Transfer Agreement with the Non-UK importing Data Processor; and
(c) the Non-EEA and Non-UK Data Controller exporters that are located in jurisdiction with cross-border data transfer restrictions under National Privacy Law (including without limitation Singapore) shall enter into the relevant data transfer contractual clauses with the importing Data Processor not located in the Data Controller exporter's jurisdiction.
4. Choice of Governing Law and Dispute Resolution
This Addendum is to be governed by and construed in accordance with the laws of the jurisdiction where the PCCW Global entity named in the Order Form is incorporated (“Governing Jurisdiction”). Any matter, claim or dispute arising out of or in connection with this Addendum , whether contractual or non-contractual, is to be governed by and determined in accordance with the laws of the Governing Jurisdiction and each party irrevocably agrees that the courts of the Governing Jurisdiction shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Addendum or its subject matter or formation (including non-contractual disputes or claims).
Schedule
Nature and Purpose of Processing:
To enable the Data Processor to perform its duties and obligations set out in this Addendum and the Principal Agreements.
Term of this Addendum/Duration of Processing:
From the commencement of the Principal Agreements until the discharge of all the duties and obligations on the part of the Data Processor pursuant to the Principal Agreements and/or for compliance with applicable legal, tax or accounting requirements.
Types of Personal Data which may be processed:
Business contact details of the other party and its business customers, limited to name, office phone number, mobile number, email address, fax number and business address.
Categories of Data Subject:
Employees, workers and contractors of the other party and/or the other party’s business customers.
