Annex 1

Data Sharing, Data Transfers and Shared Data

1 Data Sharing

1.1 Both parties acknowledge that each party will solely determine the legal basis and conditions for which it processes the personal data shared under this Agreement (the “Shared Data”) as set out in their respective Privacy Statement or other notice required under Applicable Data Protection Laws as amended from time to time.

1.2 ComponentSource’s Privacy Statement can be found here.

1.3 Each party and its staff, workers, agents or consultants (“Personnel”) will comply with its respective obligations under Applicable Data Protection Laws in relation to its processing of the Shared Data and will process the Shared Data in accordance with its respective Privacy Statement.

1.4 You will ensure that you have a legal basis for processing Shared Data that complies with Applicable Data Protection Laws, and that you do not supply any Shared Data to ComponentSource relating to a data subject to whom a copy of the Privacy Statement has not been provided at the time the Shared Data was collected.

1.5 Each party will:

1.5.1 promptly provide such information, assistance and/or access as the other party may reasonably require in responding to any request from a data subject and in ensuring compliance with its obligations under the Applicable Data Protection Laws with respect to security, breach notifications, audit, impact assessments and consultations with supervisory authorities and/or regulators;

1.5.2 ensure that the Shared Data is accurate and complete;

1.5.3 within two (2) business days notify the other party in writing: (i) if it has not fulfilled any of its obligations under clause 1 of this Annex; (ii) if it discovers that any of the Shared Data is inaccurate or incomplete; (iii) with details of any data subject request as a result of exercising any of its rights under Applicable Data Protection Laws. In no event will you respond directly to any such request or correspondence without ComponentSource’s prior written consent unless required by Applicable Data Protection Laws or where it is unrelated to ComponentSource’s processing activities; and (iv) of any suspected, potential, actual or threatened personal data breach involving any Shared Data it, or a third party on its behalf, processes; and

1.5.4 indemnify the other party against all liabilities arising out of or in connection with any breach of this Schedule including all amounts paid or payable by the indemnified party to a third party (including its Personnel) which would not have been paid or payable if the breach of this Schedule had not occurred. For the avoidance of doubt, the parties agree that any limitation or exclusion of liability set out in this Agreement will not apply to their indemnification or reimbursement obligations under this Schedule.

1.6 You will:

1.6.1 promptly enter into with ComponentSource at its written request, any further agreement, and/or appropriate safeguard required under Applicable Data Protection Laws for the international transfer of the Shared Data, such as the standard contractual clauses in the form issued by the European Commission or other competent body under Applicable Data Protection Laws;

1.6.2 ensure that, for any Shared Data you receive from data subjects in jurisdictions different from your own, appropriate international transfer safeguards are put in place in accordance with Applicable Data Protection Laws.

2 INTERNATIONAL DATA TRANSFERS

EEA to Non-EEA Transfers

2.1 Where Shared Data which originated in the EEA is transferred to a territory outside of the EEA (including in the UK) that has not been designated as an Adequate Territory, then the relevant module of the EU SCCs will be deemed to apply to such transfer in accordance with the requirements set out in this clause 2 and in addition to the terms of this Agreement as follows:

2.1.1 each party will be deemed to have entered into Module 1 of the EU SCCs in its own name and on its own behalf in relation to the Shared Data disclosed;

2.1.2 the provisions of Schedule 1 (Permitted Purposes) will be deemed to be set out in Annex I to Module 1 of the EU SCCs;

2.1.3 the provisions of Schedule 2 (Security Measures) will be deemed to be set out in Annex II to Module 1 of the Model Clauses;

2.1.4 Clause 7 (docking clause) will be unselected;

2.1.5 the optional element of Clause 11(a) (redress) will be unselected.

2.1.6 the following optional Clause 13(a) (supervision) will be selected:

2.1.6.1 Ireland as the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, will act as competent supervisory authority.

2.1.7 option [1] of Clause 17 (Governing law) shall be selected and the following governing law will apply:

2.1.7.1 These Clauses will be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this will be the law of Ireland.

2.1.8 The following forum and jurisdiction will be selected at Clause 18(b) (Choice of forum and jurisdiction):

2.1.8.1 The Parties agree that those will be the courts of Ireland (specify Member State).

2.1.9 The Data Importer will not disclose Personal Data to a third party located outside the EEA in the same country as the Data Importer or in another third country (an “Onward Transfer”) unless the third party is or agrees to be bound by the EU SCCs, under the appropriate module. Otherwise, an Onward Transfer by the Data Importer may only take place if the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of the EU GDPR with respect to the Processing;

2.1.10 Where there is any omission or conflict between this Agreement and the applicable module of the EU SCCs, the provisions of the applicable module will prevail.

UK to Non-EEA Transfers

2.2 Where Shared Data which originated in the UK is transferred to a territory outside of the UK that has not been designated as an Adequate Territory, then the EU SCCs as clarified in clause 2 above and the UK's international data transfer addendum to the EU SCCs (UK SCC Addendum) will be deemed to apply to the transfer in addition to the terms of this Agreement and in addition as follows:

2.2.1 each party will be deemed to have entered into the EU SCCs and the UK SCC Addendum in its own name and on its own behalf in relation to Shared Data disclosed;

2.2.2 The description of transfer and the technical and organizational measures are as set out in Schedule 1 and Schedule 2 to this Annex;

2.2.3 the provisions of Schedule 2 (Security Measures) will be deemed to be set out in Appendix 2 to the Old Model Clauses; and

2.2.4 if there is any conflict between this Agreement and the EU SCCs and UK SCC Addendum, the latter will prevail.

Non-EEA to Non-EEA Transfers

2.3 Where a Data Importer Processes Shared Data that originated in a non-EEA territory (the “Exporting Territory”) and the Processing takes place in a territory which is different from the Exporting Territory (the “Importing Territory”), then the Data Importer will Process the Shared Data to a standard consistent with the Applicable Privacy Law(s) of the Exporting Territory. In particular the Data Exporter will inform the Data Importer about any standards that may be required of it by the Applicable Privacy Law(s) and will cooperate fully with the Data Importer to ensure that its Processing of the Shared Data is consistent with those standards.

2.4 In any event, if any Applicable Privacy Law(s) conflict with the provisions of this Agreement, then to the extent of a conflict:

2.4.1 where the standard of data protection required by Applicable Privacy Law(s) exceeds the standard required by this Agreement, the Data Importer will Process the Shared Data to a standard consistent with Applicable Privacy Law(s); and

2.4.2 where the standard of data protection required by this Agreement exceeds the standard required by Applicable Privacy Law(s), the Data Importer will Process the Shared Data to a standard consistent with this Agreement.

Schedule 1

Permitted Purpose is as defined above.

Processing - Shared Data

Data subjects

The Personal Data transferred concern the following categories of past, present and prospective Data Subjects:

  • Employees
  • End users
  • Publishers
  • Resellers

Categories of data

The Personal Data transferred concern the following categories of data:

  • Personal details: Name and contact details
  • Payment details: Payment method and details; and payment history and correspondence.
  • Profile information: Account information collected from or about the Data Subject in connection with the services
  • Device data: IP addresses, cookie data, device identifiers and similar device-related information.
  • Usage and analytics information: Statistical and analytical data collated from customer usage of the service.
  • Survey data: Demographic information and feedback voluntarily submitted by the Data Subject in surveys (including race/ethnic origin data).
  • Correspondence data: Correspondence and other communications (including lawfully-recorded telephone communications data) with the Data Subject for the purpose of providing customer support.
  • Marketing preferences: newsletter subscriptions and other preferences in connection with marketing or advertising.
  • Other categories of Personal Data that Data Exporter(s) are authorised to transfer to Data Importer(s).

Recipients

The Personal Data transferred may be disclosed only to the following recipients or categories of recipients:

  • Companies in the same group as Data Importer: As necessary for the purposes described in, and subject to the protections set out in, these clauses.
  • Data Importer staff: Duly authorised sales, marketing, customer support, IT and other employees, managers, and directors of the Data Importer will have access to the Personal Data on a need-to-know basis for the fulfilment of their roles and strictly for the purposes described above.
  • Third-party service providers: Accountants, auditors, lawyers, and other outside professional advisors; call centre service providers; IT systems, support and hosting service providers; credit card transaction processors; advertising, marketing and market research and analysis service providers; banks and financial institutions; document and records management providers; and similar third-party vendors and outsourced service providers assisting the Data Importer in carrying out business activities.
  • Public bodies and law enforcement authorities: Duly authorised staff at public bodies and law enforcement authorities who make enquiries of or require reporting of information from the Data Importer in accordance with applicable law.

Schedule 2

Security Measures

Technical and Organizational Security Measures

ComponentSource employs a variety of security measures and procedures to protect personal data, including but not limited to:

  1. Designated employees responsible for the implementation of ComponentSource security procedures.
  2. Maintenance of data protection, retention and security policies which are reviewed on a regular basis and at least once annually.
  3. Data and network security controls which include restricted access and deployment of commercial industry-standard encryption technologies.
  4. Password controls to ensure strong and unique passwords are used and updated regularly.
  5. Access controls which restrict electronic access to personal data and system functionality based on job responsibilities and management level, and which include revocation of access to employees who leave the company.
  6. Multi-factor authentication and use of a virtual private network for any remote access to systems or Personal Data.
  7. Use of firewalls and security software to detect, filter and defeat attacks, and deployment of encryption software in relation to transmission of personal data.
  8. Event logging and related monitoring procedures to proactively record system activity and user access for purposes of both investigatory and routine review.
  9. Physical and environmental security of server room and other areas containing personal data to prevent unauthorised access and to protect personal data from hazards such as fire or water damage.
  10. Operational practices and controls for the configuration, monitoring and maintenance of technology and information systems to industry standards, including the secure disposal of systems and media that render all personal data indecipherable or irrecoverable prior to final release from ComponentSource possession.
  11. Network security controls including enterprise firewalls and intrusion detection systems in order to protect systems from intrusion and limit the scope of any successful attack.
  12. Regular vulnerability assessment, patch management and other monitoring procedures to aid the detection and defeat or mitigation of identified security threats, viruses and other malicious code.
  13. Business continuity procedures designed to maintain service deliveries and security of personal data in the event of emergency or disaster situations.

Additional useful information (storage limits and other relevant information)

Personal Data will not be held for longer than is necessary for the purposes described above or to the extent this is required by applicable legal requirements. In any event, Personal Data will never be retained for longer than is allowed by applicable law.

Contact points for all data related enquiries or requests:
dpm@componentsource.com OR if urgent
ComponentSource at: (770) 250 6105 or +1 (770) 250 6105 or +44 (118) 982 2108

CSWWLIC 11/2023