.:Realstaff:.Legal

DATA PROCESSING AGREEMENT (CUSTOMER)

DATA PROCESSING AGREEMENT

This Data Processing Agreement (the “DPA”) amends and forms part of the Terms of Use, pursuant to which Customer has obtained the right to use one or more Services.

1. DEFINITIONS

Capitalized terms used but not defined below or in Attachment 1 to this DPA will have the meanings set forth in the Terms of Use.

2. DATA PROCESSING AND PROTECTION

2.1. Limitations on Use.

Realstaff will Process Personal data and personal data of your employees, which you provide us (Cumulative Data) only:

(a) in a manner consistent with documented instructions from Customer, which will include Processing
- (i) to provide the Services,
- (ii) as authorized or permitted under the Agreement, including as specified in Attachment 2 to this DPA, and
- (iii) consistent with other reasonable instructions of Customer; and
(b) as required by applicable law, provided that Realstaff will inform Customer (unless prohibited by such applicable law) of the applicable legal requirement before Processing pursuant to such applicable law.

2.2. Customer Obligations.

Customer will not instruct Realstaff to perform any Processing of Personal data and personal data of your employees, which you provide us (Cumulative Data) that violates any Data Protection Law. Customer represents and warrants that any Processing of Personal data and personal data of your employees, which you provide us (Cumulative Data) by Realstaff performed in accordance with the Agreement does not and will not violate any Data Protection Law. Realstaff may suspend Processing based upon any Customer instructions that Realstaff reasonably suspects violate Data Protection Law. Customer will be solely liable for the legality of Processing, and, subject to the cooperation of Realstaff as specified in this DPA, safeguarding the rights of Data Subjects. Customer will promptly notify Realstaff about any faults or irregularities in the Processing by Realstaff discovered by Customer.

2.3. Confidentiality.

Realstaff will ensure that persons or outsourcing agency authorized by Realstaff to Process any Personal data and personal data of your employees, which you provide us (Cumulative Data) are subject to appropriate confidentiality obligations.

2.4. Security.

Realstaff will protect Personal data and personal data of your employees, which you provide us (Cumulative Data) in accordance with requirements under Data Protection Law, including by implementing appropriate technical and organizational measures designed to protect Personal data and personal data of your employees, which you provide us (Cumulative Data) against Personal data and personal data of your employees, which you provide us (Cumulative Data) Breach that will meet or exceed the requirements specified in Realstaff’sstatutory notices.

2.5. Return or Disposal.

At the choice of Customer, Realstaff will delete or return (or will enable Customer via the Services to delete or retrieve) all Personal data and personal data of your employees, which you provide us (Cumulative Data) after the end of the provision of Services (unless applicable law requires the storage of such Personal data and personal data of your employees, which you provide us (Cumulative Data), by Realstaff).

3. DATA PROCESSING ASSISTANCE

3.1. Data Subject’s Rights Assistance.

Taking into account the nature of the Processing of Personal data and personal data of your employees, which you provide us (Cumulative Data), by Realstaff under the Agreement, Realstaff will provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as possible and as necessary, for the fulfillment of Customer’s obligations to respond to requests for exercising Data Subject's rights under Chapter III of the GDPR with respect to Personal data and personal data of your employees, which you provide us (Cumulative Data) solely to the extent Customer does not have the ability to address such Data Subject request without such assistance.

3.2. Security Assistance.

To assist Customer in its efforts to ensure compliance with the security requirements under Article 32 of the GDPR, Realstaff has made available to Customer its Data Security Addendum per section 2.4 above.

3.3. Data Protection Impact Assessment Assistance.

Taking into account the nature of Realstaff’s Processing of Personal data and personal data of your employees, which you provide us (Cumulative Data) and the information available to Realstaff, Realstaff will provide reasonable assistance to Customer as required for Customer to comply with its obligations under Articles 35 and 36 of the GDPR in connection with Realstaff’s Processing of Personal data and personal data of your employees, which you provide us (Cumulative Data), under the Agreement.

3.4. Personal data and personal data of your employees, which you provide us (Cumulative Data) Breach Notice and Assistance.

Realstaff will notify Customer without undue delay after becoming aware of a Personal data and personal data of your employees, which you provide us (Cumulative Data) Breach. Taking into account the nature of Processing and the information available to Realstaff, Realstaff will provide reasonable assistance to Customer as may be necessary for Customer to satisfy any notification obligations required under Articles 33 or 34 of the GDPR related to any Personal data and personal data of your employees, which you provide us (Cumulative Data) Breach.

4. AUDITS.

Realstaff will allow for and contribute to audits, including inspections and as required or permitted under the Standard Contractual Clauses, conducted by Customer or another auditor mandated by Customer that is reasonably acceptable to Realstaff in accordance with the terms of this Section 4. Any such audit must occur during Realstaff’s normal business hours and will be permitted only to the extent required for Customer to assess Realstaff’s compliance with this DPA. In connection with any such audit, Customer will ensure that the auditor will:

(a) review any information on Realstaff’s premises;
(b) observe reasonable on-site access and other restrictions reasonably imposed by Realstaff;
(c) comply with Realstaff’s on-site policies and procedures, and
(d) not unreasonably interfere with Realstaff’s business activities. Realstaff reserves the right to restrict or suspend any audit in the event of any breach of the conditions specified in this Section 4. Customer’s auditor will not be entitled to access information subject to third-party confidentiality obligations. Customer will provide written communication of any audit findings to Realstaff, and the results of the audit will be the confidential information of Realstaff. Customer will provide no less than forty-five (45) days' advance notice of its request for any such audit, and will cooperate in good faith with Realstaff to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party).

5. SUBPROCESSORS.

Customer authorizes Realstaff to use Realstaff’s Affiliates and third-party subcontractors to Process Personal data and personal data of your employees, which you provide us (Cumulative Data), in connection with the provision of Services to Customer (“Subprocessor”). Realstaff will provide Customer with notice of any intended changes concerning the addition or replacement of its Subprocessors, and provide Customer with the opportunity to object to such changes. If Customer objects to any Subprocessor, Realstaff may terminate the Agreement immediately upon notice to Customer without liability. Realstaff will impose data protection obligations upon any Subprocessor that are no less protective than those included in this DPA

6. DATA TRANSFERS.

Personal data and personal data of your employees, which you provide us (Cumulative Data), may be transferred to, and stored and processed in any country in which Realstaff or its Subprocessors maintain facilities. The following terms apply to any transfer of Personal data and personal data of your employees, which you provide us (Cumulative Data) outside of the European Economic Area or Switzerland (“Covered Data”):

6.1. Privacy Shield.

Realstaff Data Services and its Indian Subsidiaries (collectively, “Realstaff India”) have awareness about the INDIA Privacy Shield Framework Principles established by the Ministry of Commerce, Government of India.For Covered Data transferred from the European Economic Area to Realstaff India, Realstaff India will provide at least the same level of privacy protection as is required by the INDIA Privacy Shield Framework Principles. Realstaff will notify Customer if Realstaff India determines it can no longer meet its obligations under this Section 6.1. Realstaff India will take reasonable and appropriate steps to stop and remediate, and will cooperate with Customer’s reasonable requests regarding; any unauthorized processing of such Covered Data by Realstaff. Realstaff India may provide a summary or a representative copy of the relevant privacy provisions of this DPA to the Ministry of Commerce, Government of India, upon request.

6.2. Other Data Transfers.

For Covered Data transferred outside of the European Economic Area or Switzerland, other than pursuant to Section 6.1, to a country that has not received a binding adequacy decision in accordance with applicable Data Protection Law of the European Economic Area or Switzerland, as applicable, (collectively, an “Other Country”): Realstaff will conduct such transfer: (a) pursuant to the Standard Contractual Clauses; or (b) any other data transfer mechanism permitted under Data Protection Law, such as binding corporate rules.

6.3. Third-Party Subprocessors.

If Realstaff transfers Covered Data to a third-party Subprocessor in any Other Country, Realstaff shall enter into the Standard Contractual Clauses with such third-party Subprocessor, with such Subprocessor being deemed the “data importer” and with Customer being deemed the “data exporter”. Notwithstanding anything to the contrary in the Terms of Use, Customer hereby authorizes Realstaff to act as Customer’s agent solely for the purpose of entering into the Standard Contractual Clauses with any third-party Subprocessor on Customer’s behalf for the above-mentioned purpose. In connection with any such agreement, Customer will remain solely liable for all acts and omissions of the “data exporter” under such agreement, and shall defend, indemnify and holdRealstaff harmless for any third-party claims to the extent arising from or related to the performance of obligations by the “data exporter” under such agreement.

7. MISCELLANEOUS

7.1. Customer Affiliates.

To the extent Realstaff processes Personal data and personal data of your employees, which you provide us (Cumulative Data), on behalf of Customer’s Affiliates, Customer enters into this DPA on behalf of itself and as agent for its Affiliates, and references to Customer under this DPA shall include Customer and its Affiliates, provided however that the Customer is the sole entity which may enforce this DPA on its own behalf and on behalf of its Affiliates.

7.2. Realstaff Group.

Each entity within the Realstaff Group contracts on a several basis and shall not be liable for the performance (or failure in performance) of any other entity within the Realstaff Group, provided, however, that Realstaff will remain liable for any breach of this DPA by any of its Affiliates as if such breach were by Realstaff.

7.3. General.

The terms of this DPA will control to the extent there is any conflict between terms of this DPA and the Terms of Use. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. Except as specifically amended and modified by this DPA, the terms and provisions of the Terms of Use remain unchanged and in full force and effect. Without limiting the foregoing, the governing law clause and forum selection clause of the Terms of Use will apply to any disputes arising out this DPA. This DPA and the Standard Contractual Clauses will automatically terminate upon the termination or expiration of the Terms of Use except as otherwise stated therein.

Attachment 1: Definitions

For purposes of this DPA, the following terms will have the meaning ascribed below:

“Affiliate” means, as to any entity, any other entity that, directly or indirectly, Controls, is controlled by or is under common Control with such entity. “Control” for the purposes of this clause will mean with respect to any person or entity, the right to exercise or cause the exercise of at least fifty per cent (50%) or more of the voting rights in such person or entity.

“Agreement” means the this DPA and Terms of Use.

“Business Contact Data” means information relating to any individual that uses the Services on behalf of Customer, which may include name, email address and other contact information.

“Data Protection Law” means any and all data protection laws and regulations that apply to the Processing of Personal data and personal data of your employees, which you provide us (Cumulative Data) by Realstaff under the Agreement.

“Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Realstaff” means only the applicable entity within the Realstaff Data Services that entered into this DPA and Terms of Use with Customer.

“Realstaff Group” means, collectively, Realstaff Data Services and its Subsidiaries.

“Terms of Use” means that certain agreement between the parties pursuant to which Customer obtains the right to use the Services, as may be amended by Realstaff from time to time, including any terms incorporated by reference therein, any enrollment forms for Services completed by Customer and any Services exhibits executed by Customer in connection therewith.

“Personal Data” means any data that Realstaff Processes via the Services on behalf of Customer that relates to a Data Subject. Personal data and personal data of your employees, which you provide us (Cumulative Data) does include Business Contact Data.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal data and personal data of your employees, which you provide us (Cumulative Data).

“Process” or “Processing” means any operation or set of operations which is performed on personal data and personal data of your employees, which you provide us (Cumulative Data) or on sets of personal data and personal data of your employees, which you provide us (Cumulative Data), whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Services” means any of the following services provided by Realstaff pursuant to the Terms of Use: (a) Realstaff-branded product offerings made available via the Internet from equipment owned or operated by or for Realstaff, (b) consulting or training services provided by Realstaff either remotely via the Internet or in person, and (c) any support services provided by Realstaff, including access to Realstaff’s help desk.

“Standard Contractual Clauses” means the standard contractual clauses annexed to the EU Commission Decision 2010/87/EU of 5 February 2010 for the transfer of personal data to processors established in third countries, attached as Attachment 3 to this DPA.

“Subsidiary” means a subsidiary of Realstaff Data Services or Realstaff subsidiary as applicable, that is included the Subprocessors of Realstaff.

Attachment 2 - Scope of Processing

Subject-Matter and Duration of Processing

Realstaff Processes Personal data and personal data of your employees, which you provide us (Cumulative Data), for the subject matter specified under the Terms of Use. In particular, the subject matter is determined by the Service(s) to which Customer subscribes and the data which Customer uploads to the Service.

Nature and Purpose of Processing

The nature and purpose of Processing is determined by the Service(s) to which Customer subscribes and the data which Customer uploads to the Service. For instance:

1. Data Integration Cloud Services Process data uploaded to the Service, including Personal data and personal data of your employees, which you provide us (Cumulative Data) if uploaded, to connect, transform, and integrate data, applications, and processes across on-premise and cloud systems.
2. Data Management, Quality, and Governance Cloud Services Process data uploaded to the Service, including Personal data and personal data of your employees, which you provide us (Cumulative Data) if uploaded, to help Customer understand and enrich data, to help ensure that data are relevant and trustworthy, and to help optimize compliance and business value from data.
3. Infrastructure Hosting Services Process data uploaded to the Service, including Personal data and personal data of your employees, which you provide us (Cumulative Data) if uploaded, in accordance with the function performed by the Realstaff software product that Realstaff is hosting for Customer.
4. Data-as-a-Service Address Content and Web Services (including Address Verification, Email Verification, Global Phone Number Validation, and SMS Alerts and Notifications) Process data uploaded to the Service, including Personal data and personal data of your employees, which you provide us (Cumulative Data), if uploaded, to help verify and enrich contact data.

Types of Personal data

Other than in connection with Data-as-a-Service Address Content and Web Services, Customer controls the types of Personal data and personal data of your employees, which you provide us (Cumulative Data), processed via the Services. Data-as-a-Service Address Content and Web Services may Process postal addresses, email addresses, and/or telephone numbers, in accordance with the specific Service to which Customer subscribes.

Categories of Data Subjects

Customer controls the categories of Data Subjects to which the Personal data and personal data of your employees, which you provide us (Cumulative Data) relates. For instance, Customer may Process via the Services Personal data and personal data of your employees, which you provide us (Cumulative Data) that relates to its current or prospective customers, employees or business partners.

Attachment 3 - Standard Contractual Clauses

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Customer (as defined in the DPA)
(the “data exporter”)
And
Realstaff (as defined in the DPA)
(the “data importer”)
each a “party”; together “parties’,

HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data and personal data of your employees, which you provide us (Cumulative Data) specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a)‘personal data and personal data of your employees, which you provide us (Cumulative Data)’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and personal data of your employees, which you provide us (Cumulative Data) and on the free movement of such data;

(b)‘the data exporter’ means the controller who transfers the personal data and personal data of your employees, which you provide us (Cumulative Data);

(c)‘the data importer’ means the processor who agrees to receive from the data exporter personal data and personal data of your employees, which you provide us (Cumulative Data) intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d)‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data and personal data of your employees, which you provide us (Cumulative Data) exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e)‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data and personal data of your employees, which you provide us (Cumulative Data), applicable to a data controller in the State in which the data exporter is established, namely as specified in the Terms of Use.

(f)‘technical and organizational security measures’ means those measures aimed at protecting personal data and personal data of your employees, which you provide us (Cumulative Data), against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data and personal data of your employees, which you provide us (Cumulative Data), where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1.The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2.The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3.The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4.The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data and personal data of your employees, which you provide us (Cumulative Data) has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the State where the data exporter is established) and does not violate the relevant provisions of that State/Country;
(b) that the processing, including the transfer itself, of the personal data and personal data of your employees, which you provide us (Cumulative Data) has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the State where the data exporter is established) and does not violate the relevant provisions of that State/Country;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data and personal data of your employees, which you provide us (Cumulative Data), against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) ) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and personal data of your employees, which you provide us (Cumulative Data) and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data and personal data of your employees, which you provide us (Cumulative Data), only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data and personal data of your employees, which you provide us (Cumulative Data) transferred;
(d) that it will promptly notify the data exporter about:
- (i) any legally binding request for disclosure of the personal data and personal data of your employees, which you provide us (Cumulative Data), by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
- (ii) any accidental or unauthorized access; and
- (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data and personal data of your employees, which you provide us (Cumulative Data), subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) ) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations, referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
- (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
- (b) to refer the dispute to the courts in the State in which the data importer is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law of the State in which the data importer is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

1. . The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the State in which the data importer is established, namely as specified in the Terms of Use.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data and personal data of your employees, which you provide us (Cumulative Data), transferred and the copies thereof to the data exporter or shall destroy all the personal data and personal data of your employees, which you provide us (Cumulative Data), and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data and personal data of your employees, which you provide us (Cumulative Data), transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data and personal data of your employees, which you provide us (Cumulative Data), transferred and will not actively process the personal data and personal data of your employees, which you provide us (Cumulative Data), transferred anymore.
2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

_________________________________ (“Customer”)

Name: _______________________________

Authorized Signature: ___________________________

On behalf of the data importer:

Name: Realstaff Data Services (on behalf of itself and as an agent on behalf of its Subsidiaries, as defined in the DPA)

Authorized Signature: ___________________________

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties

The States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

Customer as identified in the Data Processing Agreement entered into between Realstaff and the Customer, to which these Clauses are attached (“DPA”).

Data importer

Realstaffas identified in the DPA.

Data subjects

Data subjects are defined in Attachment 2 of the DPA.

Categories of data

Categories of data are defined in Attachment 2 of the DPA.

Special categories of data (if appropriate)

Categories of data are defined in Attachment 2 of the DPA.

Processing operations

Other processing operations are defined in Attachment 2 of the DPA.

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

See Section 2.4 of the DPA