Exhibit B
Themis Data Protection Addendum
To the extent that Themis Processes any Subscriber Personal Data (each as defined below) and (i) the Subscriber Personal Data relates to individuals located in the EEA; or (ii) Subscriber is established in the EEA or UK, the provisions of this Data Processing Addendum (“DPA”) shall apply to the processing of such Subscriber Personal Data. In the event of any conflict between the remainder of the Agreement and the DPA, the DPA will prevail.
1. Definitions
1.1. The following capitalised terms used in this DPA shall be defined as follows:
(a) “Controller” has the meaning given in the GDPR.
(b) “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR“) or the UK General Data Protection Regulation (“UK GDPR”), tailored by the Data Protection Act 2018, any applicable national implementing legislation in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Subscriber Personal Data.
(c) “Data Subject” has the meaning given in the GDPR.
(d) “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
(e) “Processing” has the meaning given in the GDPR, and “Process” will be interpreted accordingly.
(f) “Processor” has the meaning given in the GDPR.
(g) “Security Incident” means any confirmed accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Subscriber Personal Data.
(h) “Standard Contractual Clauses” means the Standard Contractual Clauses (processors) approved by European Commission Decision (EU) 2021/914 of 4 June 2021 or any subsequent version thereof released by the European Commission (which will automatically apply).
The Standard Contractual Clauses are applicable to the extent they reference Module Two (Controller-to-Processor).
When (i) the Subscriber Personal Data relates to individuals located in the UK; or (ii) Subscriber is established in the UK, the parties agree to the Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section18 of those Mandatory Clauses.
(i) “Subprocessor” means any Processor engaged by Themis who agrees to receive from Themis Subscriber Personal Data.
(j) “Subscriber Personal Data” means the “personal data” (as defined in the GDPR) described in the Annex and any other personal data contained in the Content or that Themis processes on Subscriber’s behalf in connection with the provision of the Service.
(k) “Supervisory Authority” has the meaning given in the GDPR.
(l) “United Kingdom” or “UK” means the country of the United Kingdom.
2. Data Processing
2.1. The Parties acknowledge and agree that for the purpose of the Data Protection Laws, the Subscriber is the Controller and Themis is the Processor.
2.2 Instructions for Data Processing. Themis will only Process Subscriber Personal Data in accordance with Subscriber’s written instructions. The parties acknowledge and agree that the Agreement (subject to any changes to the Service agreed between the parties) and this DPA shall be Subscriber’s complete and final instructions to Themis in relation to the processing of Subscriber Personal Data.
2.3. Processing outside the scope of this DPA or the Agreement will require prior written agreement between Subscriber and Themis on additional instructions for Processing.
2.4. Required consents. Where required by applicable Data Protection Laws, Subscriber will ensure that it has obtained/will obtain all necessary consents and complies with all applicable requirements under Data Protection Laws for the Processing of Subscriber Personal Data by Themis in accordance with the Agreement.
3. Transfer of Personal Data
3.1. Authorised Subprocessors. Subscriber agrees that Themis may use Subprocessors listed to Process Subscriber Personal Data. The current list of Subprocessors may be accessed here: Exhibit C.
3.2. As per Clause 9(a), Module 2, OPTION 2 of the Standard Contractual Clauses, Subscriber agrees that Themis may use subcontractors to fulfil its contractual obligations under the Agreement. Themis shall notify Subscriber from time to time of the identity of any Subprocessors engaged. If Subscriber (acting reasonably) objects to a new Subprocessor on grounds related to the protection of Subscriber Personal Data only, then without prejudice to any right to terminate the Agreement, Subscriber may request that Themis move the Subscriber Personal Data to another Subprocessor and Themis shall, within a reasonable time following receipt of such request, use reasonable endeavours to ensure that the original Subprocessor does not Process any of the Subscriber Personal Data. If it is not reasonably possible to use another Subprocessor, and Subscriber continues to object for a legitimate reason, either party may terminate the Agreement on thirty (30) days written notice. If Subscriber does not object within thirty (30) days of receipt of the notice, Subscriber is deemed to have accepted the new Subprocessor.
3.3. Save as set out in clauses 3.1 and 3.2, Themis shall not permit, allow or otherwise facilitate Subprocessors to Process Subscriber Personal Data without Subscriber’s prior written consent and unless Themis:
(a) enters into a written agreement with the Subprocessor which imposes equivalent obligations on the Subprocessor with regard to their Processing of Subscriber Personal Data, as are imposed on Themis under this DPA; and
(b) shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to Subscriber for the acts and omissions of any Subprocessor as if they were Themis’s acts and omissions.
3.4. International Transfers of Subscriber Personal Data. Themis commits to Processing Subscriber Personal Data within the EEA. To the extent that the Processing of Subscriber Personal Data by Themis involves the export of such Subscriber Personal Data to a third party in a country or territory outside the EEA, such export shall be:
(a) to a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects as determined by the European Commission;
(b) to a third party that is a member of a compliance scheme recognised as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission; or
(c) governed by the Standard Contractual Clauses between the Subscriber as exporter and such third party as importer. For this purpose, the Subscriber appoints Themis as its agent with the authority to complete and enter into the Standard Contractual Clauses as agent for the Subscriber on its behalf.
4. Data Security, Audits, and Security Notifications
4.1 Themis Security Obligations. Themis will implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, including as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 Upon Subscriber’s reasonable request, Themis will make available all information reasonably necessary to demonstrate compliance with this DPA.
4.3 Security Incident Notification. If Themis becomes aware of a Security Incident, Themis will (a) notify Subscriber of the Security Incident within 72 hours, (b) investigate the Security Incident and provide Subscriber (and any law enforcement or regulatory official) with reasonable assistance as required to investigate the Security Incident.
4.4 Themis Employees and Personnel. Themis will treat the Subscriber Personal Data as confidential, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Subscriber Personal Data.
4.5 Audits. Themis will, upon Subscriber’s reasonable request and at Subscriber’s expense, allow for and contribute to audits, including inspections, conducted by Subscriber (or a third party auditor on Subscriber’s behalf and mandated by Subscriber) provided (i) such audits or inspections are not conducted more than once per year (unless requested by a Supervisory Authority); (ii) are conducted only during business hours; (iii) are conducted in a manner that causes minimal disruption to Themis’s operations and business; and (iv) Following completion of the audit, upon request, Subscriber will promptly provide Themis with a complete copy of the results of that audit.
5. Access Requests and Data Subject Rights
5.1 Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Themis will use reasonable endeavours to assist Subscriber by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Subscriber’s obligation to respond to requests for exercising Data Subject rights laid down in the Data Protection Laws.
6. Data Protection Impact Assessment and Prior Consultation
6.1 To the extent required under applicable Data Protection Laws, Themis will provide Subscriber with reasonably requested information regarding its Service to enable Subscriber to carry out data protection impact assessments or prior consultations with any Supervisory Authority, in each case solely in relation to Processing of Subscriber Personal Data and taking into account the nature of the Processing and information available to Themis.
7. Termination
7.1 Deletion or return of data. Subject to 7.2 below, Themis will, at Subscriber’s election and within 90 (ninety) days of the date of termination of the Agreement:
(a) make available for retrieval all Subscriber Personal Data Processed by Themis (and delete all other copies of Subscriber Personal Data Processed by Themis following such retrieval); or
(b) delete the Subscriber Personal Data Processed by us.
7.2 Themis and its Subprocessors may retain Subscriber Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Themis ensures the confidentiality of all such Subscriber Personal Data and shall ensure that such Subscriber Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
8. Governing law
8.1 This DPA shall be governed by, and construed in accordance with the laws of Ireland. Each of the parties irrevocably submits for all purposes (including any non-contractual disputes or claims) to the non-exclusive jurisdiction of the courts in Ireland. For Standard Contractual Clauses Clause 17 OPTION 1 and Clause 18, the parties agree to the laws and courts of Ireland.
Annex
Details of the Processing of Subscriber Personal Data
This Annex includes certain details of the processing of Subscriber Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Subscriber Personal Data
The subject matter and duration of the Processing of the Subscriber Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Subscriber Personal Data
The Subscriber Personal Data will be subject to the following basic processing activities: transmitting, collecting, storing and analysing data in order to provide the Service to the Subscriber, and any other activities related to the provision of the Service or specified in the Agreement.
The types of Subscriber Personal Data to be processed
The Subscriber Personal Data concern the following categories of data: names; email addresses; personal and professional information; and any other personal data provided by the Subscriber in connection with its use of the Service.
The categories of data subject to whom the Subscriber Personal Data relates
Any categories of individuals whose data the Subscriber extracts, transfers, and/or loads onto the Service, which may include but is not limited to:
- Registered Clients; and
- Past, present and prospective clients, business relationship contacts, and outside counsel contacts of the Subscriber.
The obligations and rights of the Subscriber
The obligations and rights of the Subscriber are as set out in this DPA.