Qualtrics Contractor Agreement on the Commissioned Processing of Personal Data
(hereinafter referred to as the “CDPA”)
This CDPA is entered into by and between you, on behalf of you and your Contractor Affiliates (“Contractor”) and Qualtrics, LLC a Delaware limited liability company with its place of business at 333 W. River Park Drive, Provo, Utah 84604 (USA) on behalf of itself and the Qualtrics Affiliates (collectively referred to in this CDPA as “Qualtrics”; together with Contractor, the “Parties” and each a “Party”); it is effective as of the date both Parties have agreed to it in writing and may be updated from time to time.
WHEREAS Contractor will provide Services to Qualtrics which include the possibility of Contractor processing Personal Data controlled by Qualtrics and/or Qualtrics Customers and Partners; AND
WHEREAS the Parties agree that the processing of Personal Data by Contractor and Subprocessors in connection with any Services must always be undertaken in accordance with Data Protection Law, including – where required pursuant to Data Protection Law – that a transfer of Personal Data to certain countries may only take place if an adequate level of protection is ensured.
Refer to this CDPA regularly to ensure compliance. Please read this CDPA carefully before signing a Master Services Agreement which references and incorporates this CDPA. This CDPA takes effect when referenced in a Master Services Agreement executed by and between Qualtrics and Contractor. Qualtrics may modify this Agreement at any time by posting a revised version on this website www.qualtrics.com/cdpa/ or otherwise providing notice to Contractor. By continuing to provide the Services or Deliverables after the effective date of any modifications to this Agreement, Contractor agrees to be bound by the modified terms. Last revised: July 20, 2023.
****************
- Application of this CDPA; Governance
- Application and Interpretation. This CDPA and the attached Exhibits set out Contractor’s obligations when processing Personal Data on behalf of Qualtrics or another Controller in connection with a Service. The Services Agreement sets out the details of the processing of Personal Data for each relevant Service and is hereby incorporated by reference. Capitalized terms have the meanings assigned in Section 7 (Definitions).
- Points of Contact. Contractor (for the Subprocessors) and Qualtrics (for the Controllers) act as central points of contact. To the extent permitted under Data Protection Law and subject to deviating Instructions by Controllers, all communication in connection with this CDPA and the processing of Personal Data under it shall be channeled through Qualtrics and Contractor respectively. Between Qualtrics and Contractor, Contractor shall inform its Subprocessors appropriately where required, and Qualtrics shall inform the other Controllers appropriately where required. This Section 1.2 shall not, however, limit any rights of Controllers under this CDPA, Standard Contractual Clauses or Data Protection Law.
- Qualtrics Affiliates. Qualtrics, LLC enters into this CDPA also on behalf of itself and the Qualtrics Affiliates and this CDPA shall apply correspondingly between Qualtrics Affiliates and Contractor when Contractor provides any Services to or for the benefit of Qualtrics Affiliates.
- Contractor Obligations
- Contractor’s Purpose of Processing; Restrictions on Use. Contractor shall process the Personal Data only on documented Instructions from Qualtrics and other Controllers as forwarded by Qualtrics to Contractor (including with regard to transfers of Personal Data to a Third Country or an international organization) unless required to do so by Union or Member State law to which Contractor is subject. Where so required by law, Contractor shall inform Qualtrics of such legal requirement before processing, unless prohibited by law from doing so on important grounds of public interest. For the avoidance of doubt, Contractor is prohibited from retaining, using or disclosing Personal Data for purposes other than the commissioned processing of Personal Data hereunder and from selling Personal Data for any reason. Contractor shall not use Personal Data for its own purposes, including but not limited to creating analyses or extracts.
- Controller Instructions; Instructions via Cloud Services. Where Qualtrics requests any correction, erasure, blocking or return of Personal Data, which is subject to this CDPA, Contractor will promptly fulfill such request. To the extent that Contractor provides a Cloud Service, a Controller may give Instructions also by using the functionalities available to the Controller within those Cloud Services. Instructions come from Qualtrics, except where Section 2.11 applies, in which case the other Controller’s Instructions must prevail in case of conflict.
- Restricted Access to Personal Data. Contractor shall require Personal Data to be kept strictly confidential (such confidentiality obligations must survive the employment relationship between Contractor and its employees) and disclosed only on a need-to-know basis to personnel who are authorized to have access to Personal Data and who are regularly trained in applicable data security and data privacy measures.
- Technical and Organizational Measures; Security. Contractor shall implement and apply the technical and organizational measures as posted at https://www.qualtrics.com/supplier-toms/ (“TOMs”) whenever processing Personal Data hereunder. Contractor will conduct an internal audit at least once per year to verify its compliance with the TOMs. Contractor may use internal or external resources for such internal reviews. Qualtrics may request an affirmation in regular intervals beginning with the signing of this CDPA, in the form of a Qualtrics Data Protection/Information Security Questionnaire or otherwise, that Contractor complies with such measures.
- Return (or Destruction) of Personal Data. Any Personal Data stored by Contractor or Subprocessors shall be promptly returned to Qualtrics upon the earliest of the following events: (i) upon Qualtrics’s request; or (ii) upon completion of all tasks for which the respective Personal Data was transferred to Contractor; or (iii) upon termination of this CDPA; or (iv) upon expiry or termination of the Service Agreement. Alternatively, where such data cannot be returned, or if Qualtrics so elects, Contractor shall destroy – and certify to Qualtrics in writing that it has destroyed – all such Personal Data within a time period considered reasonable under Data Protection Law (in any case not to exceed three months), unless a retention of the Personal Data is required by applicable law and permitted under Data Protection Law.
- Assistance on Inquiries from Data Subjects and Authorities. For the avoidance of doubt, this Section 2.6 is without prejudice to the Parties’, authorities’ and Data Subjects’ rights and obligations under the Standard Contractual Clauses. If Qualtrics receives inquiries and requests from Data Subjects (in particular data subject rights requests according to Data Protection Law), other Controllers, supervisory authorities, law enforcement authorities or other competent authorities and courts, Contractor shall assist Qualtrics in providing information regarding Contractor’s or Subprocessor’s processing of Personal Data, in particular where Qualtrics cannot easily produce this information without Contractor’s assistance. In the event that a Data Subject contacts Contractor or a Subprocessor to exercise its Data Subject rights directly with regard to Personal Data processed within the context of the Service, Contractor shall relay the request to Qualtrics promptly to privacy@qualtrics.com or other location as designated by Qualtrics in writing. Contractor shall not disclose any information to the requesting Data Subject in the absence of an express instruction from Qualtrics or the Controller unless it is required to do so under applicable law. In case there is a dispute with a Data Subject in relation to the processing, the Parties will use their best efforts to timely inform each other (information to Qualtrics to be directed to privacy@qualtrics.com) about such a dispute and to cooperate in order to amicably resolve it.
- In the event that an authority or a court files a request to, or otherwise contacts, Contractor or Subprocessors regarding the processing of Personal Data within the context of the Service (in particular a request for the disclosure of any Personal Data), Contractor shall inform Qualtrics without undue delay to privacy@qualtrics.com, unless prohibited from doing so by applicable law or competent court order. Qualtrics and Contractor shall discuss in good faith and agree on a response to the request that allows the Controller to assert any relevant objections, exclusions, exemptions, or protective measures. Contractor or Subprocessor shall not disclose any Personal Data without Qualtrics’s prior written consent unless (i) Contractor is required to do so under applicable law, (ii) Contractor has exercised all legal remedies to avoid fulfilling the request (without Qualtrics’s consent), and (iii) the fulfillment of the request is permissible under Data Protection Law. Where applicable given the nature of the Service, Contractor must ensure that Controllers can enable Data Subjects to access their Personal Data at any time during the Service, and that Controllers may be able to export and retrieve Personal Data it controls in a standard format upon request of a concerned Data Subject.
- Assistance on Data Protection Impact Assessments. If Qualtrics is required to perform a data protection impact assessment (or a similar assessment pursuant to Data Protection Law) or to have a prior consultation with a competent regulator, Contractor shall, at Qualtrics’s request, promptly provide all required information and documents available to it and its Subprocessors relating to the processing of Personal Data in the context of the Service.
- Documentation. Contractor shall maintain comprehensive documentation about the processing of Personal Data in line with Data Protection Law with respect to its area of responsibility and shall provide such documentation to Qualtrics upon request. The documentation shall enable Qualtrics to verify Contractor’s compliance with Data Protection Law, including the use of Subprocessors in accordance with Data Protection Law. Contractor shall further provide to Qualtrics all information with respect to the Service that concerns (i) Contractor, (ii) the Subprocessors, (iii) the processing of Personal Data, to the extent it is necessary for Qualtrics to maintain its register of processing activities according to Data Protection Law and (iv) furthermore notwithstanding Sections 3.2 et seq. in relation to audits, Contractor shall promptly and adequately deal with any enquiries from Qualtrics that relate to the processing of Personal Data under this CDPA.
- Provision of Information on Data Processing. Notwithstanding anything in the Service Agreement to the contrary, Contractor must on request provide to Qualtrics the agreements with its Subprocessors (including, where applicable the Standard Contractual Clauses) to the extent that they contain information relevant to the processing of Personal Data on behalf of the Controller. Additionally, Qualtrics may disclose to any other Controller or competent data protection authority: (i) this CDPA, (ii) any parts of the Service Agreement relevant to the processing of Personal Data on behalf of Controller, (iii) information, including subprocessing agreements, provided by Contractor and Contractor’s Subprocessors to the extent directly related to the processing of Personal Data on behalf of the Controller, and (iv) Contractor’s and Contractor’s Subprocessors’ audit reports, (v) reports on Personal Data Breaches and other data protection violations and (vi) any of Qualtrics’s own findings with respect to Contractor’s and Contractor’s Subprocessors’ processing of Personal Data on behalf of the Controller. Any disclosures to another Controller shall be subject to reasonable protections for confidential information.
- Contractor agrees that where Personal Data is controlled by a Controller different from Qualtrics (e.g. Qualtrics Customer or Partner), and to the extent that such other Controller’s Personal Data is processed, such other Controller shall benefit from the same rights as Qualtrics under this CDPA, except for Section 1.2 (Points of Contact).
- Personal Data Breach Reporting; Compliance; Audits
- Personal Data Breach Reporting. In the event that Contractor becomes aware of (i) any Personal Data Breach (by itself or a Subprocessor), (ii) any inability to perform under this CDPA or (iii) any failure by a Subprocessor to fulfill its processing related obligations under its contracts with Contractor, Contractor must report the same to Qualtrics without undue delay and if possible within 24 hours. Personal Data Breaches must be reported to notice@qualtrics.com, with a physical copy of such written notice delivered to Qualtrics, Attn: Legal, 333 W River Park Dr, Provo UT 84604, USA. The reporting of a Personal Data Breach shall contain all information (as set out in Clause 8.6 c) of Modules 2 and 3 of the New Standard Contractual Clauses) which is available to Contractor or Subprocessors and which may be required to enable the Controller to assess the situation and comply with its reporting obligations towards authorities and/or Data Subjects.
- Standard Audit. Notwithstanding any rights of Controller under Module 3 of the New Standard Contractual Clauses, Contractor agrees that Qualtrics may request, and Contractor will provide, evidence of Contractor’s compliance with the terms of this CDPA, including the TOMs and any other information that is required in order that Qualtrics may use Contractor as its (Sub-)Processor under applicable Data Protection Laws (such as information required by Qualtrics to fulfil its transparency obligations regarding international processing) in the form of a questionnaire or a request for current relevant certifications both prior to commencement of Personal Data processing and at any time later during the term of this CDPA. The Parties will use reasonable efforts to leverage current certifications or other audit reports to avoid or minimize repetitive standard audits. Additionally, Qualtrics or its independent third-party auditor reasonably acceptable to Contractor may conduct an audit to confirm Contractor’s compliance with the terms of this CDPA where:
- Contractor has not provided sufficient evidence of its compliance by responding to Qualtrics’s requests for information; or
- an audit is formally requested by a competent data protection authority; or
- Qualtrics has indications of noncompliance i.e. to the extent that a Personal Data Breach has occurred, or Contractor is not able to perform its obligations under this CDPA; or
- mandatory Data Protection Law provides Qualtrics with a direct audit right, provided that Qualtrics shall only audit Contractor once in any twelve-month period unless mandatory Data Protection Law requires more frequent audits.
- All audits will be subject to the following restrictions: (i) audits will be conducted upon reasonable notice (no fewer than thirty (30) calendar days unless shorter notice is required by a competent data protection authority or Data Protection Law), during regular business hours and without interrupting Contractor’s business operations; and (ii) the confidentiality terms of the Service Agreement with Contractor shall apply to Contractor’s confidential information accessed by Qualtrics or third-party auditors; provided that Qualtrics may disclose such information pursuant to Section 2.10 (Provision of Information on Data Processing).
- Exceptional Audit. Notwithstanding the foregoing, Qualtrics may conduct additional audits on shortened notice (no fewer than five (5) business days) either (i) where a Personal Data Breach has occurred, provided that the Parties will mutually agree on a timing that does not disrupt ongoing breach response or (ii) where Qualtrics has reasonable grounds to suspect that Contractor is not in compliance with its obligations under this CDPA.
- Cost of Audit. Each Party shall bear its own costs of any audit unless such audit reveals a breach by Contractor or Subprocessor of this CDPA in which case Contractor must reimburse Qualtrics (or Controller) for all reasonable fees and expenses charged by any external auditor or incurred in the course of an audit. If an audit determines that Contractor (or a Subprocessor) has breached its obligations under the CDPA, Contractor (or a Subprocessor) will promptly remedy the breach at its own cost.
- Contractor’s Subprocessors
- Permission for Subprocessing. Unless otherwise agreed (e.g. in the Service Agreement), Contractor is permitted to use Subprocessors in processing the Personal Data, subject to compliance with Subprocessor requirements in this CDPA. Subprocessors may be located outside the country in which the relevant Controllers are located where permitted under Data Protection Law. An approved Subprocessor is either listed in the relevant Service Agreement and/or has been added in line with Section 4.3.
- Subprocessor Engagement. Contractor warrants to evaluate the security, privacy and confidentiality practices of a Subprocessor prior to selection and on a regular basis to establish that it is capable of providing the level of protection of Personal Data required by this CDPA, and Contractor shall impose on its Subprocessors at least the same protections for Personal Data required by this CDPA, including in particular the TOMs as set out at https://www.qualtrics.com/supplier-toms/ (for the avoidance of doubt, content-wise but not verbatim). The foregoing obligations apply to all Sections of this CDPA, irrespective of whether or not the application to Subprocessors is expressly mentioned. Notwithstanding, Contractor remains at all times responsible for its Subprocessors’ compliance with the relevant subprocessing agreements and Data Protection Law; specifically, Contractor shall allow for Controllers to audit Subprocessors and ensure Controllers may receive relevant subprocessing agreements.
- Subprocessor Changes and Replacement. Where the Contractor intends to replace a Subprocessor from the Agreed List in the relevant Service Agreement or to introduce a new Subprocessor, Contractor must notify Qualtrics prior to the intended use of such Subprocessor within (i) forty-five (45) calendar days in case Qualtrics is the Controller or (ii) ninety (90) calendar days in case Qualtrics is not the Controller. Qualtrics may object to the use of a new Subprocessor on reasonable grounds, including insufficient reliability in Qualtrics’s reasonable discretion or status as a competitor of Qualtrics. If Qualtrics objects to the use within ninety (90) calendar days after being notified (or forty-five (45) days in case Qualtrics is the Controller), Contractor must ensure that the Subprocessor is not used for the provision of the Services.
- List of Subprocessors. Contractor shall list all relevant information on Subprocessors in the relevant Service Agreement and notify Qualtrics prior to their engagement in line with this Section 4. Further, Contractor will make use of a technical solution for the agreed list if and when Qualtrics offers such solution to Contractors.
- International Processing
- Qualtrics and Contractor agree that the Standard Contractual Clauses govern the transfer of Personal Data to a Third Country, as specified in this Section 5. Exhibit 1 identifies the data exporter, the data importer, Data Subjects, categories of data, special categories of data and processing operations for a given Service. A description of the TOMs implemented by Contractor as the data importer in accordance with the Standard Contractual Clauses is detailed at https://www.qualtrics.com/supplier-toms/.
- Interim applicability of the Standard Contractual Clauses (2010). Contractor acknowledges that some Qualtrics Customers and Partners have not (yet) adopted the New Standard Contractual Clauses because either (i) they have closed agreements prior to September 27, 2021 which have not (automatically) been updated or (ii) they are data exporters located in countries which still rely on the use of the Standard Contractual Clauses (2010). In order to enable Qualtrics to comply with its contractual obligations, Qualtrics and Contractor agree on the following provisions:
- Contractor and Qualtrics enter into and comply with the Standard Contractual Clauses (2010) in addition to the New Standard Contractual Clauses until the later of December 27, 2022 in case of Section 5.2 (i) or as long as the relevant non-EEA Data Protection Law relies on the use of the Standard Contractual Clauses (2010) in case of Section 5.2 (ii);
- Annex I and Annex II of the New Standard Contractual Clauses shall also constitute Appendix 1 and Appendix 2 of the Standard Contractual Clauses (2010);
- Contractor agrees that Qualtrics Customers and Partners may join (i.e. become data exporters) to the Standard Contractual Clauses (2010) as an independent owner of rights and obligations;
- Any onwards transfer needs to occur in line with Clause 11 of the Standard Contractual Clauses (2010); and
- the Standard Contractual Clauses (2010) shall be governed by the law of the country in which the relevant Controller is established.
- Applicability of New Standard Contractual Clauses. The following shall apply with effect from September 27, 2021 and shall solely apply in respect of New SCC Relevant Transfers:
- Where Contractor is not located in a Third Country, Contractor as the data exporter enters into Module 3 of the New Standard Contractual Clauses with each Subprocessor as the data importer. Further, Contractor will oblige its Subprocessors to include Module 3 of the New Standard Contractual Clauses in any Subprocessor agreement in case the Subprocessor or further Subprocessors are acting as the data exporters.
- Where Qualtrics is not located in a Third Country, otherwise subject to the GDPR or in a country that requires the New Standard Contractual Clauses as a means to allow for international Personal Data transfers, Qualtrics hereby enters into the New Standard Contractual Clauses with Contractor as the data importer and Qualtrics as the data exporter and which shall apply to such New SCC Relevant Transfers as follows:
- Module 2 (Controller to Processor) shall apply where Qualtrics is a Controller; and
- Module 3 (Processor to Processor) shall apply where Qualtrics is a Processor. Where Qualtrics acts as Processor under Module 3 (Processor to Processor) of the New Standard Contractual Clauses, Contractor acknowledges that Qualtrics acts as Processor under the instructions of its Controller(s).
- With respect to a New SCC Relevant Transfer, on request from a Data Subject to Qualtrics, Qualtrics may make a copy of Module 2 or 3 of the New Standard Contractual Clauses entered into between Qualtrics and Contractor (including the relevant Schedules), available to Data Subjects.
- Onward transfers and third party beneficiary rights under the New Standard Contractual Clauses:
- Any onward transfers must follow the rules set forth in the Module of the New Standard Contractual Clauses applicable to the data importer and establish a third-party beneficiary clause in line with Clause 9 (e) of the New Standard Contractual Clauses with all relevant Subprocessors in the processing chain.
- Where a Qualtrics Affiliate is located in a Third Country and acting as a data importer under Module 2 or Module 3 of the New Standard Contractual Clauses and Contractor is acting as Qualtrics’s sub-processor under the applicable Module(s), the respective data exporter shall have the following third party beneficiary right: in the event that Qualtrics has factually disappeared, ceased to exist in law or has become insolvent (in all cases without a successor entity that has assumed the legal obligations of Qualtrics by contract or by operation of law), the respective data exporter shall have the right to terminate the affected Service solely to the extent that the data exporter’s Personal Data is processed. In such event, the respective data exporter also instructs Contractor to return or erase the Personal Data within a time period considered reasonable under Data Protection Law (in any case not to exceed three months in case of an erasure), unless a retention of the Personal Data is required by applicable law and permitted under Data Protection Law.
- Applicability of EU Standard Contractual Clauses where applicable Data Protection Law requires a variation to the EU Standard Contractual Clauses.
- Where applicable Data Protection Law requires a variation to the New Standard Contractual Clauses, then the New Standard Contractual Clauses are interpreted as follows:
- In relation to the Swiss Data Protection Act (“FDPA”):
- the references to a “Member State” in the New Standard Contractual Clauses will be deemed to include Switzerland;
- references to the law of the European Union or of a Member State in the New Standard Contractual Clauses shall be deemed to be a reference to the FDPA;
- the Swiss Federal Data Protection and Information Commissioner will be the sole or, where both the FDPA and the GDPR apply to such transfer, one of the competent data protection authorities, under the New Standard Contractual Clauses;
- the terms used in the New Standard Contractual Clauses that are defined in the FDPA will be construed to have the meaning of the FDPA; and
- where the FDPA protects legal entities as data subjects, the New Standard Contractual Clauses will apply to data relating to identified or identifiable legal entities.
- In relation to the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), from 21 September 2022, the New Standard Contractual Clauses shall be interpreted and construed in accordance with the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of UK GDPR on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses, and attached at Exhibit 2 (the “Approved Addendum”). Annexes I and II of Exhibit 1 set out the information for Part 1, Tables of the Approved Addendum.
- Relation of the Standard Contractual Clauses to the CDPA. Nothing in the CDPA shall be construed to prevail over any conflicting clause of the Standard Contractual Clauses. For the avoidance of doubt, where this CDPA further specifies audit and Subprocessor rules in Sections 3 and 4, such specifications also apply in relation to the Standard Contractual Clauses.
- Interpretation. If any provision in this CDPA is ineffective or void, this shall not affect the remaining provisions. The Parties hereto shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. The Parties shall similarly add a necessary appropriate provision where such a provision is missing.
- CDPA Modifications. This CDPA, excluding the attached Standard Contractual Clauses, may be modified by a written agreement of both Parties. The same applies to a change of this written form requirement. This written form requirement can also be met by exchange of documents with an electronically transmitted signature (facsimile transmission, e-mail transmission with scanned signatures, or other electronically permissible form of contract conclusion provided by or on behalf of Qualtrics, such as DocuSign).
- Order of Precedence. This CDPA prevails over any additional, conflicting, or inconsistent terms and conditions appearing on any document submitted by either Party regarding the subject of this CDPA. No other agreement may limit or extend the rights, obligations and/or liability of either Party under this CDPA and under statutory law unless expressly agreed in this CDPA or an amendment to this CDPA. Any existing data protection or processing agreement between Qualtrics and Contractor (if any) is terminated and replaced with this CDPA.
- Assignments. Notwithstanding anything to the contrary, Contractor shall not assign this CDPA or any parts of it to any third party without the express written consent of Qualtrics, LLC. Qualtrics, LLC shall not assign this CDPA or any part of it to any third party without Contractor’s written consent, except nothing will prevent Qualtrics, LLC from assignment to a Qualtrics Affiliate or to a Qualtrics successor in interest. This CDPA shall inure to the benefit of and shall be binding upon Contractor and Qualtrics, LLC and their respective permitted successors and assigns. Where Qualtrics Affiliates cease to be part of the Qualtrics group, Contractor agrees to enter into a separate data processing agreement with such former Qualtrics Affiliates which mirrors the terms of this CDPA within 3 months. At the latest 3 months after such cessation date, unless otherwise agreed in writing, this CDPA shall automatically terminate with respect to such former Qualtrics Affiliate.
- Termination. In addition to the termination rights set out in Clause 16 of the New Standard Contractual Clauses, this CDPA may be terminated by either Party, if no contractual relationship between the Parties exists any longer where the processing of Personal Data is in scope.
- Governing Law and Venue. This CDPA shall be governed by Utah law and the venue for any disputes related to this CDPA shall be Salt Lake City, Utah.
- “CDPA” means this global Qualtrics Contractor Agreement on the Commissioned Processing of Personal Data.
- “Contractor Affiliate” means any current and future entity that is directly or indirectly, in Control of, Controlled by, or under common Control with the Contractor. Control means (i) the ownership, directly or indirectly, of more than fifty percent (50%) of the voting equity interest in an entity, and (ii) the ability, directly or indirectly, to direct or cause the direction of the management and policies of that entity, whether through ownership of voting securities, by contract, or otherwise.
- “Controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data which is processed by Contractor and/or Subprocessor in connection with the Services. Controllers may include Qualtrics, Qualtrics Affiliates, and/or Qualtrics Customers and Partners who, as the case may be, determine alone or jointly the purposes and means of the processing of Personal Data in connection with the Services. For the purposes of this CDPA, where Qualtrics and/or Qualtrics Affiliates act as Processors for other Controllers, they shall, in relation to Contractor, be granted all rights under this CDPA and Data Protection Law towards Contractor and Subprocessors as if they were Controllers (in addition to the Controllers determined in accordance with sentence 1 of this definition).
- “Cloud Service” means a Service which consists of hosting and/or operating or otherwise managing a hosted software, platform or infrastructure.
- “Data Protection Law” means the applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data in connection with the Services (and includes, as far as it concerns the obligations of Contractor and Subprocessors regarding the processing of Personal Data for Qualtrics and other Controllers under this CDPA, the GDPR as a minimum standard, irrespective of whether the Personal Data is subject to GDPR or not).
- “Data Subject” means any individual or other person who is protected by Data Protection Law and whose data is processed by Contractor or Subprocessor in connection with the Services.
- “EEA” means the European Economic Area, namely the European Union Member States along with Iceland, Liechtenstein and Norway.
- “GDPR” means the European Union’s General Data Protection Regulation 2016/679 as amended from time to time.
- “Instructions” means any instructions given by the Controller with respect to the lawful processing of Personal Data in accordance with Data Protection Law. Instructions may include, without limitation, the correction, erasure and/or the blocking of Personal Data in the legal responsibility of the respective Controller.
- “New SCC Relevant Transfer” means a transfer (or an onward transfer) to a Third Country of Personal Data that is either subject to GDPR or to applicable Data Protection Law and where any required adequacy means under GDPR or applicable Data Protection Law can be met by entering into the New Standard Contractual Clauses.
- “New Standard Contractual Clauses” means the unchanged standard contractual clauses, published by the European Commission, reference 2021/914 https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en or any subsequent final version thereof (which will automatically apply). To avoid doubt Modules 2 and 3 shall apply as set out in Section 5.
- “Personal Data” means any information relating to a Data Subject which is protected under Data Protection Law, and in particular includes any information relating to an identified or identifiable natural or legal person; an identifiable person includes any person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity that is processed in relation to the Service.
- “Personal Data Breach” means an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or unauthorized access to Personal Data.
- “Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, be it directly as processor of a Controller or indirectly as Subprocessor of a Processor which processes Personal Data on behalf of the Controller.
- “Qualtrics Affiliates” means any of Qualtrics International Inc’s current and future affiliates and subsidiaries, meaning a corporation or other entity of which Qualtrics International Inc. owns, either directly or indirectly, more than fifty percent (50%) of the stock or other equity interests.
- “Qualtrics Customers and Partners” means (i) Qualtrics Affiliates, (ii) Qualtrics resellers, (iii) direct and indirect customers of Qualtrics, LLC, Qualtrics Affiliates and of Qualtrics resellers, and/or (iv) any other commercial end users of Qualtrics products.
- “Service” means any work or service which Contractor provides to Qualtrics and/or Qualtrics Customers and Partners under a Service Agreement which may or may not expressly incorporate the terms of this CDPA by reference.
- “Service Agreement” means any contract, purchase order or other agreement for the provision of the Service between Contractor and Qualtrics, LLC or a Qualtrics Affiliate.
- “Standard Contractual Clauses” means the Standard Contractual Clauses (2010) and the New Standard Contractual Clauses.
- “Standard Contractual Clauses (2010)” means the Standard Contractual Clauses (processors) published by the European Commission, reference 2010/87/EU (Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (Text with EEA relevance)).
- “Subprocessor” or “sub-processor” means any third party (including Contractor Affiliates notwithstanding they are a party to this CDPA) that are directly or indirectly engaged by Contractor in connection with the Service and that process Personal Data in accordance with the terms of this CDPA.
- “Third Country” means any country, organization or territory outside the EEA and not acknowledged by the European Union under Article 45 of GDPR as a safe country with an adequate level of data protection.
- “TOMs” has the meaning defined in Section 2.4 (Technical and Organizational Measures; Security).
- Any terms not defined in this CDPA but defined in the GDPR or the Standard Contractual Clauses shall have the meaning assigned to them in the GDPR or the Standard Contractual Clauses. The term “processing” in particular includes any kind of disclosure of Personal Data, including the enablement of potential onsite and remote access irrespective of whether the access to Personal Data is actually exercised.
- For the avoidance of doubt, any reference to days shall mean calendar days.
Exhibit 1
New Standard Contractual Clauses
Clause 7 – Optional
Docking Clause
[The parties agree to not include this optional Clause]
Clause 9 a
Use of sub-processors
MODULE TWO: Transfer controller to processor
(a) GENERAL WRITTEN AUTHORISATION The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 90 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
MODULE THREE: Transfer processor to processor
(b) GENERAL WRITTEN AUTHORISATION The data importer has the controller’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the controller in writing of any intended changes to that list through the addition or replacement of sub-processors at least 90 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the controller with the information necessary to enable the controller to exercise its right to object. The data importer shall inform the data exporter of the engagement of the sub-processor(s).
Clause 11
Redress
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
Clause 17
Governing law
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
Clause 18
Choice of forum and jurisdiction
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.
(b) The Parties agree that those shall be the courts of Ireland.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Data exporter(s): Qualtrics, LLC, and its affiliates, which provides an experience management solution – the Experience Management Platform™. The Qualtrics data protection officer can be reached at privacy@qualtrics.com.
Data importer(s): Contractor, which provides Services as described in the applicable Service Agreement.
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Categories of data subjects whose personal data is transferred
The data exporter may submit personal data to data importer and its affiliates, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:
- prospective customers, customers, resellers, referrers, business partners, and vendors of the data exporter (who are natural persons);
- employees or contact persons of the data exporter’s prospective customers, customers, resellers, referrers, subcontractors, business partners, and vendors (who are natural persons);
- employees, agents, advisors, and freelancers of the data exporter (who are natural persons); and/or
- natural persons authorized by the data exporter to use the services provided by data importer to the data exporter.
Categories of personal data transferred
The data exporter may submit personal data to the data importer and its affiliates, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, the following categories of personal data:
- names, titles, position, employer, contact information (email, phone, fax, physical address etc.), identification data, professional life data, personal life data, connection data, or localization data (including IP addresses).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The data exporter may submit special categories of data to the data importer and its Affiliates, the extent of which is determined and controlled by the data exporter in its sole discretion. Such special categories of data include, but may not be limited to, Personal Data with information revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning an individual’s health or sex life.
Contractor will implement the following additional technical and organizational measures for Special Categories of Data or Sensitive Data:
- Limiting access to staff that has completed specialized training;
- Encryption of data at rest; and/or
- System access logging and general data access logging.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Unless otherwise described in the Service Agreement:
- Continuous transfer
Nature of the processing
Processing necessary to provide the Services as set forth in the Service Agreement between Qualtrics and Contractor.
Purpose(s) of the data transfer and further processing
Purpose of the data transfer is providing the Services in accordance with the Service Agreement concluded between Qualtrics and Contractor. In order to provide these Services, it becomes necessary to transfer personal data.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Defined in Section 2.5 of the CDPA (Return or Destruction of Personal Data).
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Same as set forth above.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority/ies in accordance with Clause 13 is:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached): https://www.qualtrics.com/supplier-toms/
ANNEX III
LIST OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
The agreed list of sub-processors, if any have been agreed upon, is contained in the relevant Service Agreement.
Exhibit 2
UK Addendum, International Data Transfer Addendum to the EU Standard Contractual Clauses: Tables
TABLE 1: PARTIES
Addendum Effective Date / Start date: 21st September 2022 or the Effective Date of Agreement, whichever is later
The Parties:
Exporter (who sends the Restricted Transfer): Qualtrics, LLC, and its affiliates – see details in Annex I of Exhibit 1 to this CDPA. Qualtrics’ Data Protection Officer or other legal representative shall be the key contact. Qualtrics shall make these details available upon Contractor’s request.
Importer (who receives the Restricted Transfer): Contractor – see details in Annex I of Exhibit 1 to this CDPA. Contractor’s Data Protection Officer or other legal representative shall be the key contact. Contractor shall make these details available upon Qualtrics’ request.
TABLE 2: SELECTED SCCS, MODULES AND SELECTED CLAUSES
Addendum EU SCCs: The version of the Approved EU SCCs, which this Addendum is appended to, detailed below, including the Appendix Information:
- Date: Effective Date of the CDPA
- Reference: the EU Standard Contractual Clauses referenced in the CDPA
TABLE 3: APPENDIX INFORMATION
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
- Annex IA: List of Parties: See Annex I of Exhibit 1 to this CDPA
- Annex IB: Description of Transfer: See Annex I of Exhibit 1 to this CDPA
- Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: See Annex II of Exhibit 1 to this CDPA
TABLE 4: ENDING THIS ADDENDUM WHEN THE APPROVED ADDENDUM CHANGES
Which Parties may end this Addendum as set out in Section 19:
- Exporter