v3.0

Last modified: January 1, 2025

Document Download

If you need a signed copy of this document, please contact us at privacy@salesscreen.com.

Data Processing Agreement - SalesScreen [Template] v3.pdf

Data Processor Agreement

between the “Data Controller” and Dogu SalesScreen AS hereinafter the “Data Processor”

1. The purpose of the Data Processor Agreement

The purpose of this Data Processing Agreement (the “DPA”) is to regulate the parties' rights and obligations in connection with the Data Processor processing personal data on behalf of the Data Controller. The purpose of the DPA is to comply with the requirements for data processor agreements according to the Norwegian Personal Data Act (LOV-2018-06-15-38) and Personal Data Regulations, cf. chapter 1 of the Personal Data Act and all applicable laws and regulations (“Applicable Data Protection Law”) regarding the processing of personal data to the extent in connection of the provision of SalesScreen Services.

2. The processing of personal data

The Data Processor processes data on behalf of the Data Controller as a provider of software and services (“Services”) related to the SalesScreen Terms of Service Agreement (“Terms of Services”, “Services Agreement”).

The Data Processor will process the following types of personal data on behalf of the Data Controller:

Name, nickname, phone number, email, profile picture, birthday, IP address, Employees ID-numbers, sales and policy data related to the ID-number, such as target figures and sales reports.

The personal data is connected to the following categories of data subjects:

Employees of Data Controller
Customers of Data Controller

The Data Processor shall only process personal data for the following purposes:

To measure, incentivize, visualize and celebrate progress towards individual and team goals through SalesScreen.
Provide and operate software, support and maintenance regarding SalesScreen.
The delivery of a data analysis service to the Data Controller in order to fulfill the Terms of Services.

The processing involves receiving, sharing and transferring of personal data.

The Data Processor shall not process personal data in any other manner than what is agreed in this DPA and on documented instructions from the controller. This includes that the Data Processor is not allowed to process data for other purposes than as stated above or its own purposes or to disclose data to third parties.

3. The Data Processor’s duties

When processing personal data on behalf of the Data Controller, the Data Processor shall follow the routines and instructions stipulated by the controller at any given time.

The Data Processor shall implement technical and organizational security measures at least as stringent as those identified by the Data Controller and as described in Section 6 (Security) and shall provide assistance so that the Data Controller can fulfil its responsibilities pursuant to the Personal Data Act and the General Data Protection Regulation.

Unless otherwise agreed or pursuant to statutory regulations, the Data Controller is entitled to access all personal data being processed on behalf of the Data Controller and the systems used for this purpose. The Data Processor shall provide the necessary assistance for this.

The Data Processor is subject to an obligation of confidentiality regarding documentation and personal data that the Data Processor gets access to under the DPA. This provision also applies after the termination of the DPA. The Data Processor is obliged to ensure that persons who process to the data for the Data Processor, have committed themselves to confidentiality (including signing declarations of confidentiality), and shall upon request disclose such declarations to the Data Controller or the authorities.

The Data Processor shall not process personal data outside the EU/EEA. If the transferring of personal data to a country outside the EU/EEA or to an international organization outside the EU/EEA is required according to law in a EU/EEA member state which the Data Processor is subject to or EU/EEA law, the Data Processor shall inform the Data Controller of such requirement prior to the processing, unless the law prohibits such information from being given.

4. Sub-processors

The Data Processor may use the following sub-processor:

Microsoft Ireland Operations, Ltd (Ireland): Hosting
Intercom R&D Unlimited Company (Ireland): Live-chat, product updates.
Stripe Payment Europe, Ltd. (Ireland): Credit card payment processing.
Startdeliver AB (Sweden): Customer success software
Cloudinary UK Ltd (United Kingdom): Media delivery and optimization
Twilio, Inc (US): Email and SMS delivery.
- Transfer is pursuant to EU Standard Contractual Clause.

Depending on the physical location of the customer, one of our subsidiaries may be engaged as a sub-processor in the performance of the services:

SalesScreen AB (Sweden)
SalesScreen, Inc (US)
- Transfer is pursuant to EU Standard Contractual Clause

The Standard Contractual Clauses specified in this Section 4 are incorporated into this DPA by reference and apply to transfers of Personal Data to SalesScreen and its authorized affiliates.

In addition, the Data Processor has the right to use sub-processors, but is obliged to inform the Data Controller of any intended changes concerning the addition or replacement of other processors, so that the Data Controller has the opportunity to object to the changes. The information shall be given at least four weeks prior to the planned changes takes effect. If the Data Controller objects to the change, the Data Processor may not implement the change.

Where the Data Processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in this DPA shall be imposed on that other processor. However, Data Controller is aware that Data Processor utilizes sub-processors that offer standardized services with standard terms and do not permit Data Processor to enter into identical contracts such as this DPA. Data Processor is under no duty to ensure identical terms with sub-processors, but is obliged to enter into an agreement that complies with the requirements in the General Data Protection Regulation and to communicate the terms to Data Controller in the notice mentioned above. The requirements for security measures at the sub-processor may differ from Data Processor’s own security measures. Data Controller accepts this provided the security measures in general is not to be regarded as weaker than those offered by the Data Processor.

The Data Processor shall remain fully liable to the Data Controller for the performance of any sub-processors to the same extent Data Processor would be liable if performing the services of each sub-processor directly under the terms of this Data Processor Agreement and shall defend, indemnify and hold Data Controller harmless from and against any claims or liabilities arising out of the acts or omissions of such sub-Processors.

5. Transfer of personal data outside the EU / EEA

The Data Processor may not process or use sub-processors that process personal data outside the EU/EEA, except for the sub-processors as listed in section 4. Processing outside EU/EEA is subject to prior written approval from the Data Controller, which may be refused for any and all reasons. The Data Processors shall ensure that there is a legal basis for the processing of data outside the EU/EEA, or facilitate the establishment of such legal basis.

6. Security

The Data Processor shall fulfil the requirements for security measures in the General Data Protection Regulation article 32 Security of processing. The Data Processor shall through planned and systematic measures implement appropriate technical and organizational measures (and at least as stringent as those identified by the Data Controller) to ensure a satisfactory level of security, e.g. in relation to confidentiality, integrity and availability.

The requirements for security measures at the sub-processor may differ from Data Processor’s own security measures. The sub-processors requirements for security are described in Data Processor’s DPA with the sub-processor, which can be made available for Data Controller on inquiry.

The Data Processor shall document routines and other measures made to comply with these requirements regarding the information system and security measures. The documentation shall be available at request by the Data Controller and the authorities.

Any notification to the authorities regarding personal data breaches according to the Personal Data Regulation section 2-6, shall be given by the Data Controller, but the Data Processor shall notify any breach directly to the Data Controller. The Data Controller is responsible for reporting the breach to the Data Protection Authorities.

Upon becoming aware of a Security Incident, Data Processor shall notify Data Controller without undue delay and pursuant to the terms of the Agreement, but within no more than forty-eight (48) hours and shall provide such timely information as Data Controller may reasonably require to enable Data Controller to fulfil any data breach reporting obligations under application legislation. Data Processor will take steps to immediately identify and remediate the cause of such a Security Incident.Data Processor shall not inform any third party of any Security Incident related to Personal Data without first obtaining Data Controller’s prior written consent, except to the extent such notification is required by applicable law or where the third party is a sub-processor of Data Processor.“Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use of Personal Data.“Personal Data” means any information relating to: (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable data protection laws and regulations), where for each (i) or (ii), such data is Data Controller data.

The Data Processor is obliged to assist the Data Controller in fulfilling the obligations of the General Data Protection Regulation article 32 to 36, taking into account the nature of the processing and the information available to the Data Processor. These requirements concern security of processing, notification of a personal data breach to the authorities and the data subjects and Data Protection Impact Assessments (as well as prior consultation with the authorities where applicable).

7. Documentation and security audits

The Data Processor shall have documentation that proves that the Data Processor complies with its obligations under this DPA and the General Data Protection Regulation. The documentation shall be available for the Data Controller on request. The Data Processor shall regularly conduct security audits, and shall submit the results of the audit to the Data Controller. The Data Controller shall be entitled to conduct audits and inspections regularly, for systems etc. covered by this DPA, in accordance with the requirements of the Personal Data Act, the Personal Data Regulations and the General Data Protection Regulation. Audits may be carried out by the Data Controller or a third party mandated by the Data Controller.

8. Fulfilling the rights of the data subjects

The Data Processor is obliged to assist the Data Controller in fulfilling the Data Controller’s obligations towards the data subjects within the time limits stated in the General Data Protection Regulation, where such assistance is reasonable considering the nature of the processing performed by the Data Processor on behalf of the Data Controller. The Data Processor may charge the Data Controller for such assistance.

9. The duration of the DPA and the processing

The DPA applies as long as the Data Processor processes personal data on behalf of the Data Controller according to the Services Agreement

In the event of a breach of the DPA, the Personal Data Act or the General Data Protection Regulation by the Data Processor, the Data Controller may demand that the Data Processor discontinues further processing with immediate effect.

10. Termination

The DPA may be terminated in accordance with the termination clauses in the Services Agreement. A termination of the Services Agreement also constitutes a termination of the DPA.

11. Return, deletion and / or destruction of data upon termination of the DPA

Upon the termination of the DPA, the Data Processor shall return all personal data received from or on behalf of the Data Controller which is comprised by the DPA. Any copies shall be deleted. The Data Controller may require that the Data Processor deletes or destroys all personal data processed under the DPA (regardless of where and how they are stored), instead of the data being returned. In this case, the Data Processor is obliged to delete the personal data within a reasonable time period, but at the latest within 30 days, unless the Data Processor is required by law to store the personal data. The Data Processor shall confirm the completion of the deletion in writing (hereunder electronically).

The deletion mentioned above means that personal data is permanently deleted from all systems, including backup systems.

12. Obligations under California Data Protection Laws

When the CCPA applies, Data Processor shall not (a) retain, use or disclose any personal data processed under this agreement (“Covered Data”) outside the direct business relationship between Data Processor and Data Controller, (b) retain, use or disclose the Covered Data for any purpose other than those described in this agreement, including any Commercial Purpose, or (c) Sell any Covered Data unless Data Processor has obtained Data Controller’s express prior written approval.

When the CPRA applies, Data Processor shall not (a) combine the Covered Data with Personal Information that it receives from another person, or collects from its own interactions with a consumer, unless permitted by the CPRA, and (b) Share any Covered Data for the purposes of Cross-Context Behavioral Advertising unless Data Processor has obtained Data Controller’s express prior written approval.

Until January 1, 2023, the terms "Business", “Business Purpose”, “Commercial Purpose”, "Consumer", “Personal Information”, “Sale,” (including the terms “Sell,” “Selling,” “Sold,” and other variations thereof) and "Service Provider" (the “CCPA Terms”) shall have the meaning given to them in the California Consumer Privacy Act of 2018 (the “CCPA”). On or after January 1, 2023, the CCPA Terms, as well as the terms “Cross-Context Behavioral Advertising”, “Share” and “Sharing”, shall have the meaning given to them in the California Privacy Rights Act of 2020 (the “CPRA”).

13. Law and legal venue

This DPA is governed by the laws of Norway and the parties accept that Oslo District Court (Oslo tingrett) is the legal venue.

APPENDIX 1 TO THE DPA – DETAILS OF PROCESSING

This Appendix 1 includes details of the Processing of Controller’s Personal Data

Data Subjects:

Employees of Data Controller

Customers of Data Controller

Categories of Personal Data:

Name, nickname, phone number, email, profile picture, birthday, IP address, Employees ID-numbers, sales and policy data related to the ID-number, such as target figures and sales reports.

Sensitive Information: The Personal Data to be sent through the Services is determined by the Controller and is not expected to contain any Sensitive Information.

Processing Operations: Provider processes Personal Data as necessary to provide the Services to the Data Controller.

Period of Personal Data Retention: Provider processes Personal Data for the duration described in the Services Agreement.

Sub-processors: A current list of Sub-processors is detailed in Section 4 (Sub-processors).

APPENDIX 2 TO THE DPA – TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall implement the measures outlined in our security overview to ensure an appropriate level of security for the provision of the Services.

Where applicable, this Appendix 2 will serve as Annex II to the Standard Contractual Clauses.

SCHEDULE 2

CROSS BORDER DATA TRANSFER MECHANISMS

1. Definitions

“EC” means the European Commission

“EEA” means the European Economic Area

"Standard Contractual Clauses” means, depending on the circumstances unique to the Data Controller, any of the following:

UK Standard Contractual Clauses, and

2021 Standard Contractual Clauses

“UK Standard Contractual Clauses” means the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU (“UK Controller to Processor SCCs”), and

“2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

2. Cross Border Data Transfer Mechanisms.

2.1 Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses as set forth in Section 2.3 (UK Standard Contractual Clauses) or Section 2.4 (2021 Standard Contractual Clauses) of this Schedule 2; and, if (a) is not applicable, then (b) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.

2.2 UK Standard Contractual Clauses. The parties agree that the UK Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is: (a) not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for Personal Data. For data transfers from the United Kingdom that are subject to the UK Standard Contractual Clauses, the UK Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:

The UK Controller to Processor SCCs will apply where SalesScreen is processing Personal Data. The illustrative indemnification clause will not apply. Appendix 1 (Details of Processing) of this DPA serves as Appendix I of the UK Controller to Processor SCCs. Appendix 2 (Technical and Organizational Security Measures) of this DPA serves as Appendix II of the UK Controller to Processor SCCs.

2.3 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:

(a) Module Two (Controller to Processor) of the 2021 Standard Contractual Clauses will apply where the Data Controller is a controller of Personal Data and SalesScreen is processing Personal Data.

(b) Module Three (Processor to Processor) of the 2021 Standard Contractual Clauses will apply where the Data Controller is a processor of Personal Data and SalesScreen is processing Personal Data.

(i) in Clause 7 of the 2021 Standard Contractual Clauses, the optional docking clause will not apply;

(ii) in Clause 9 of the 2021 Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 4 (Sub-processors) of this DPA;

(iii) in Clause 11 of the 2021 Standard Contractual Clauses, the optional language will not apply;

(iv) in Clause 17 (Option 1), the 2021 Standard Contractual Clauses will be governed by Norwegian law;

(v) in Clause 18(b) of the 2021 Standard Contractual Clauses, disputes will be resolved before the courts of Norway;

(vi) in Annex I, Part A of the 2021 Standard Contractual Clauses:

Data Exporter: the Data Controller.

Contact Details: The email address(es) designated by the Data Controller in the Data Controller’s account.

▪Data Exporter Role: Data Controller

Signature and Date: By entering into the Services Agreement, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Services Agreement.

Data Importer: Dogu SalesScreen AS,

Contact details: SalesScreen Privacy Team – privacy@salesscreen.com

Data Importer Role: Data Processor.

Signature and Date: By entering into the Services Agreement, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Services Agreement.

(vii) in Annex I, Part B of the 2021 Standard Contractual Clauses:

The categories of data subjects are described in Appendix 1 (Details of Processing) of this DPA.

The Sensitive Information transferred is described in Appendix 1 (Details of Processing) of this DPA.

The frequency of the transfer is a continuous basis for the duration of the Services Agreement.

The nature of the processing is described in Appendix 1 (Details of Processing) of this DPA.

The purpose of the processing is described in Appendix 1 (Details of Processing) of this DPA.

The period for which the Personal Data will be retained is described in Appendix 1 (Details of Processing) of this DPA.

For transfers to sub-processors, the subject matter, nature, and duration of the processing is set forth at https://salesscreen.com/gdpr.

(viii) in Annex I, Part C of the 2021 Standard Contractual Clauses: The Norwegian Data Protection Authority (Datatilsynet) will be the competent supervisory authority.

(ix) Schedule 2 (Technical and Organizational Security Measures) of this DPA serves as Annex II of the Standard Contractual Clauses.

SCHEDULE 3

JURISDICTION SPECIFIC TERMS

1. Australia:

1.1 The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).

1.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

1.3 The definition of “Sensitive Information” includes “Sensitive Information” as defined under Applicable Data Protection Law.

2. Brazil:

2.1 The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).

2.2 The definition of “Security Breach” includes a security incident that may result in any relevant risk or damage to data subjects.

2.3 The definition of “processor” includes “operator” as defined under Applicable Data Protection Law.

3. California:

3.1 The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).

3.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

3.3 The definition of “Data Subject” includes “Consumer” as defined under Applicable Data Protection Law. Any data subject rights, as described in Section 8 (Fulfilling the rights of the data subjects) of this DPA, apply to Consumer rights. In regards to data subject requests, SalesScreen can only verify a request from the Data Controller and not from the Data Controller’s end user or any third party.

3.4 The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.

3.5 The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.

3.6 SalesScreen will process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Services Agreement, which constitutes a business purpose. SalesScreen agrees not to (a) sell (as defined by the CCPA) the Data Controller’s Personal Data or the Data Controller end users’ Personal Data; (b) retain, use, or disclose the Data Controller’s Personal Data for any commercial purpose (as defined by the CCPA) other than providing the Services; or (c) retain, use, or disclose the Data Controller’s Personal Data outside of the scope of the Services Agreement. SalesScreen understands its obligations under Applicable Data Protection Law and will comply with them.

3.7 SalesScreen certifies that its sub-processors, as described in Section 4 (Sub-processors) of this DPA, are Service Providers under Applicable Data Protection Law, with whom SalesScreen has entered into a written contract that includes terms substantially similar to this DPA. SalesScreen conducts appropriate due diligence on its sub-processors.

3.8 SalesScreen will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it processes as set forth in Section 6 (Security) of this DPA.

4. Canada:

4.1 The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).

4.2 SalesScreen’s sub-processors, as described in Section 4 (Sub-processors) of this DPA, are third parties under Applicable Data Protection Law, with whom SalesScreen has entered into a written contract that includes terms substantially similar to this DPA. SalesScreen has conducted appropriate due diligence on its sub-processors.

4.3 SalesScreen will implement technical and organizational measures as set forth in Section 6 (Security) of this DPA.

5. European Economic Area (EEA):

5.1 The definition of “Applicable Data Protection Law” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).

5.2 When SalesScreen engages a sub-processor under Section 6 (Sub-processors) of this DPA, it will:

(a) require any appointed sub-processor to protect the Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and

(b) require any appointed sub-processor to (i) agree in writing to only process Personal Data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process Personal Data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.

5.3 Notwithstanding anything to the contrary in this DPA or in the Services Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.

6. Israel:

6.1 The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).

6.2 The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.

6.3 The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.

6.4 SalesScreen will require that any personnel authorized to process Personal Data comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with SalesScreen in accordance with Section 3 (The Data Processor’s duties) of this DPA.

6.5 SalesScreen must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 6 (Security) of this DPA and complying with the terms of the Services Agreement.

6.6 SalesScreen must ensure that the Personal Data will not be transferred to a sub-processor unless such sub-processor has executed an agreement with SalesScreen pursuant to Section 4 (Sub-processors) of this DPA.

7. Japan:

7.1 The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).

7.2 The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.

7.3 The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, SalesScreen is responsible for the handling of Personal Data in its possession.

7.4 The definition of “processor” includes a business operator entrusted by the Business Operator with the handling of Personal Data in whole or in part (also a “trustee”), as described under Applicable Data Protection Law. As a trustee, SalesScreen will ensure that the use of the entrusted Personal Data is securely controlled.

8. Mexico:

8.1 The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).

8.2 When acting as a processor, SalesScreen will:

(a) treat Personal Data in accordance with the Data Controller’s instructions set forth in Section 2 (The processing of personal data) of this DPA;

(b) process Personal Data only to the extent necessary to provide the Services;

(d) keep confidentiality regarding the Personal Data processed in accordance with the Services Agreement;

(e) delete all Personal Data in accordance with the Services Agreement; and

(f) only transfer Personal Data to sub-processors in accordance with Section 4 (Sub-processors) of this DPA.

9. Singapore:

9.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).

9.2 SalesScreen will process Personal Data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 6 (Security) of this DPA and complying with the terms of the Services Agreement.

10. Switzerland:

10.1 The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection.

10.2 When SalesScreen engages a sub-processor under Section 4 (Sub-processors) of this DPA, it will:

(a) require any appointed sub-processor to protect the Personal Data to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of theGDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and

11. United Kingdom (UK):

11.1 References in this DPA to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).

11.2 When SalesScreen engages a sub-processor under Section 4 (Sub-processors) of this DPA, it will:

(b) require any appointed sub-processor to (i) agree in writing to only process Personal Data in a country that the United Kingdom has declared to have an “adequate” level of protection or (ii) only process Personal Data on terms equivalent to the Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.

11.3 Notwithstanding anything to the contrary in this DPA or in the Services Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.