Common use of EEA Personal Data Clause in Contracts

EEA Personal Data. With respect to any Customer Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other countries as "personal data," Sendbird accepts the following obligations as a data importer, processor or subprocessor of Customer: (a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law; (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) takes all measures required pursuant to Article 32 of the GDPR (security of processing); (d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor; (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects) (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor; (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data; (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

EEA Personal Data. With respect to any Customer Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other countries including the UK as "personal data," Sendbird SPLASHTOP accepts the following obligations as a data importer, processor or subprocessor of Customer:Customer and warrants that SPLASHTOP (a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor Splashtop is subject; in such a case, the processor Splashtop shall inform the controller of that legal requirement before processing, unless that prohibited by law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable lawfrom doing so; (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) takes all measures required pursuant to Article 32 of the GDPR (security of processing); (d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor; (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects) (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor; (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;. By default, on termination of services, controller’s data will be deleted; encrypted backups will be retained until they are cycled out, over a 2-year cycle. (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. For Customers based in the EU, SPLASHTOP will process their Customer Data in the EU. For Customers based outside of the EU, SPLASHTOP will process their Customer Data in the USA. SPLASHTOP notes that Customer Data from Customers based outside of the EU may at times include the personal data of EU individuals. To the extent that SPLASHTOP processes personal data of EU individuals in the USA, the transfer of personal data to the USA will be pursuant to the Standard Contractual Clauses for international transfer (“SCCs”) (xxxxx://xxx-xxx.xxxxxx.xx/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN). For purposes of the SCCs, module 2 (controller to processor) shall apply. Clause 7 is opted out. In Clause 9 option 2 (general written authorisation) will apply, authorization period will be 14 days; a list of approved subprocessors is available at [xxxxx://xxx.xxxxxxxxx.xxx/subprocessors] and Customer may at its discretion sign up there for notifications of changes to that list. In Clause 11 the optional language will not apply. In Clause 17 governing law will be Dutch law; In Clause 18 disputes shall be resolved by the courts of Netherlands. In Annex I Customer is the ‘Data exporter’, SPLASHTOP is the ‘Data importer’; the ‘Data subjects’, ‘Categories of data’, ‘Frequency of the transfer’, ‘Nature of processing’, ‘Purpose’, ‘Retention period’ and ‘Subject matter, nature and duration of the processing’ are as described in Annex 1. The ‘competent supervisory authority’ is the Dutch data protection authority. To the extent that SPLASHTOP processes personal data of UK individuals in the USA, the transfer of Customer Data to SPLASHTOP is made on the basis of the UK’s International Data Transfer Addendum to the EU SCCs (“UK Addendum”) dated, March 21, 2022 (xxxxx://xxx.xxx.xx/media/for-organisations/documents/4019539/international-data- transfer-addendum.pdf ), hereby incorporated by the parties into this DPA. The UK Addendum shall incorporate the EU SCCs, as described above, excluding the amendments and exceptions included in the UK Addendum.

EEA Personal Data. With respect to any Customer Subscriber Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other countries as "“personal data," Sendbird ” Xxxxx accepts the following obligations as a data importer, processor or subprocessor of Customer:Subscriber and warrants that Xxxxx (a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law; (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) takes all measures required pursuant to Article 32 of the GDPR (security of processing); (d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor; (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects) (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor; (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data; (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

EEA Personal Data. With respect to any Customer Data that is subject to the EU General Data Protection Regulation (GDPR) or similar laws of other countries as "personal data," Sendbird INTEL accepts the following obligations as a data importer, processor or subprocessor of Customer:Customer and warrants that INTEL (a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisationorganization, unless required to do so by European Union or EU Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; also, the processor shall immediately inform the controller if, in its opinion, an instruction infringes the GDPR, national data protection laws in the EU or other applicable law; (b) ensures that persons authorised authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) takes all measures required pursuant to Article 32 of the GDPR (security of processing); (d) respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor; (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational organizational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR, including, without limitation, right to access, rectification, erasure and portability of the data subject's personal data; (for the avoidance of doubt, processor shall only assist and enable controller to meet controller’s obligations to satisfy data subjects' rights, but processor shall not respond directly to data subjects) (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 33 to 36 of the GDPR (Security of personal data) taking into account the nature of processing and the information available to the processor; (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data; (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.