EX-4.a.3

EX-4.A.3 3 d709976dex4a3.htm EX-4.A.3 EX-4.a.3

EXHIBIT 4.a.3

THE SYMBOL “[*]” INDICATES MATERIAL WHERE CERTAIN IDENTIFIED INFORMATION

HAS BEEN EXCLUDED FROM THE EXHIBIT BECAUSE IT IS BOTH (i) NOT MATERIAL AND

(ii) WOULD LIKELY CAUSE COMPETITIVE HARM TO THE COMPANY IF PUBLICLY

DISCLOSED.

Amendment 1

No. 53258.C

between

AT&T Services, Inc.

and

Amdocs Development Limited

Amendment 53258.A.001

AMENDMENT NO.1

AGREEMENT NO. 53258.C

After all Parties have signed, this Amendment is made effective as of the last date signed by a Party (“Effective Date”) and is between Amdocs Development Limited, a Cyprus corporation (“Supplier” or “Amdocs”), as successor-in-interest to Amdocs, Inc.,(hereinafter referred to as “Supplier”), and AT&T Services, Inc., a Delaware corporation (hereinafter referred to as “AT&T”), each of which may be referred to in the singular as a “Party” or in the plural as the “Parties.”

WITNESSETH

WHEREAS, Supplier and AT&T entered into Agreement No.53258.C on February 28, 2017 (the “Agreement”); and

WHEREAS, Supplier and AT&T desire to amend the Agreement as hereinafter set forth.

NOW, THEREFORE, in consideration of the premises and the covenants hereinafter contained, the Parties hereto agree as follows:

1.	Section 3.5 Compliance with Laws is modified by renumbering subsection e. as subsection f. and by adding the following as subsection e:

e. General Data Protection Regulation (GDPR)

Supplier shall comply with the requirements set forth in Appendix K – EU Data Privacy and GDPR Data Processing Obligations attached hereto.

2.	A new Appendix K – EU Data Privacy and GDPR Data Processing Obligations, a copy of which is attached hereto, is made a part of the Agreement by this reference.

The terms and conditions of the Agreement in all other respects remain unmodified and in full force and effect.

Proprietary and Confidential

This Amendment and information contained therein is not for use or disclosure outside of AT&T Services, Inc., its Affiliates, and third-party representatives, and Amdocs, Inc. except under written agreement by the contracting parties.

Amendment 53258.A.001

Original signatures transmitted and received via facsimile or other electronic transmission of a scanned document, (e.g., .pdf or similar format) are true and valid signatures for all purposes hereunder and shall bind the Parties to the same extent as that of an original signature. This Amendment may be executed in multiple counterparts, each of which shall be deemed to constitute an original but all of which together shall constitute only one document.

IN WITNESS WHEREOF, the Parties have caused this Amendment to the Agreement to be executed, as of the Effective Date.


Amdocs Development Limited				AT&T Services, Inc.

By:				By:

Printed Name: _________________________				Printed Name: Donna McCluskey

Title: ________________________________				Title: Sr. Sourcing Manager

Date:				Date:

Proprietary and Confidential

Amendment 53258.A.001

APPENDIX K

EU DATA PRIVACY AND GDPR DATA PROCESSING OBLIGATIONS

The provisions in this Appendix shall be applicable to the Processing of Personal Data that is subject to Data Privacy Laws. To the extent that there is a conflict between the terms and conditions elsewhere in this Agreement and those in this Appendix, the latter shall control to the extent of such conflict.

1.	Definitions

The following definitions shall apply to this Appendix:

Data Controller: a natural or legal person who is considered to be a “controller” in relation to the Personal Data under the GDPR.

Data Processor: a natural or legal person who is considered to be a “processor” of the Data Controller under the GDPR.

Data Privacy Laws: applicable laws or regulations of the European Union (including those applicable in the European Economic Area) and member states of the European Economic Area in relation to Personal Data.

Data Subject: has the meaning ascribed to “data subject” under the GDPR.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data: any information that is considered under the GDPR to be “personal data” that Supplier Processes under this Agreement.

Personal Data Breach: has the meaning ascribed to “personal data breach” under the GDPR, to the extent that such breach occurs with respect to Personal Data.

Process and Processing: have the meaning ascribed to “process” or “processing” under the GDPR.

Restricted Jurisdiction: a country outside the European Union or, if applicable, a specific territory or sector within such a country, or an international organization, in each case, which the European Commission has not decided ensures an adequate level of data protection.

Sub-Data Processor: a natural or legal person who is engaged (directly or indirectly) by the Data Processor to carry out specific Processing activities on behalf of the Data Controller.

Supervisory Authority: any governmental authority, agency or regulator in relation to Personal Data, including “supervisory authorities” as understood under Data Privacy Laws.

2.	Supplier as Data Processor or Sub-Data Processor

This Section 2 applies to the extent that in relation to particular Personal Data:

•

AT&T is a Data Controller and Supplier is its Data Processor; or

•

AT&T is a Data Processor and Supplier is its Sub-Data Processor.

Proprietary and Confidential

Amendment 53258.A.001

2.1	Supplier Obligations

Without limiting its obligations under Section 2, Supplier shall:

(a)

Process such Personal Data only in accordance with the instructions that are set forth in this Agreement and Exhibit 1 to this Appendix or are otherwise agreed to by the Parties in writing including as to the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects;

(b)

ensure that Supplier’s employees, agents and contractors who Process such Personal Data are subject to written obligations of confidentiality;

(c)

implement the technical and organizational security measures that are set forth in this Agreement and Exhibit 1 to this Appendix to ensure a level of security appropriate to the risk, taking into account: (i) the state of the art, costs of implementation, nature, scope, context and purposes of the Processing; and (ii) the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such Personal Data that is Processed with respect to all Processing of Personal Data;

(d)

not have such Personal Data Processed by another natural or legal person except to the extent that Supplier has:

•

received the prior specific or general written authorization of AT&T for such Processing;

•

imposed on such other natural or legal person data protection obligations that are the same in all material respects as those set forth in this Appendix, to the extent required pursuant to Data Privacy Laws;

•

with respect to Sub-Data Processors for which Supplier has received general written authorization, informed AT&T in writing of any changes concerning the addition or replacement of such Sub-Data Processors and obtained AT&T’s written consent prior to allowing Processing by such Sub-Data Processor;

(e)

notify AT&T in writing through its business contact of any communications or requests in relation to Personal Data received from Data Subjects, Supervisory Authorities or other third parties without undue delay following receipt of such communications or requests. Supplier shall provide such notices via e-mail to its business contact with a copy to privacypolicy@att.com with the subject line stating “URGENT—Personal Data Related.”

(f)

taking into account the nature of Supplier’s Processing activities, assist AT&T at AT&T’s reasonable request to enable the (i) Data Controller to fulfill its obligations to respond to requests by Data Subjects in relation to their rights under Data Privacy Laws, and (ii) Data Controller (and if different, AT&T) to fulfill its obligations to respond to requests by Supervisory Authorities and other third parties;

Proprietary and Confidential

Amendment 53258.A.001

(g)

taking into account the nature of Supplier’s Processing of such Personal Data and information available to Supplier:

•

notify AT&T by calling AT&T Asset Protection (at 800-807-4205 within the U.S. or +1 908-658-0380 outside the U.S.) of any Personal Data Breach without undue delay after becoming aware of such breach; and

•

without undue delay provide reasonable assistance to AT&T in relation to any obligations of the Data Controller (including under Data Privacy Laws) in relation to:

•

a Personal Data Breach; and

•

the performance of data protection impact assessments by the Data Controller.

To the extent that the assistance required of Supplier under subsections (f) and (g) above may require Supplier to incur substantial costs, Supplier will notify AT&T in advance of incurring such costs and the Parties will negotiate in good faith the fees, if any, to be paid to Supplier for such assistance.

(h)

securely delete all such Personal Data, including all existing copies (or, to the extent AT&T reasonably requests, securely return the Personal Data and copies to AT&T in a commonly used data format (to be agreed by the Parties acting reasonably), when no longer needed for the purposes for which it was collected, which shall be within 30 days of the end of the term of this Agreement at the latest unless otherwise reasonably requested by AT&T, provided, however, that no such deletion will be required to the extent that (a) applicable law requires storage of such data beyond such period; or (b) AT&T instructs Supplier in writing to retain such data beyond such period; and

(i)

at AT&T’s request, make available to AT&T all information necessary to demonstrate compliance with Supplier’s obligations under this Appendix concerning the Supplier’s data security and privacy procedures relating to the processing of Personal Data for the purpose of demonstrating compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller in accordance with Section 3.31 of this Agreement, provided that Supplier shall notify AT&T in writing if it believes in good faith that the exercise of rights under this Section 3.1(i) would infringe Data Privacy Laws. Supplier agrees that AT&T has the right under the GDPR to disclose some or all of the information contained in, or obtained in connection with, this Appendix to:

•

Data Controllers, Supervisory Authorities, Data Subjects; and

•

other third parties to the extent required under Data Privacy Laws; and

Proprietary and Confidential

Amendment 53258.A.001

(j)

provide and keep current its processing-related information, Data Protection Officer information, and point of contact information in a medium and form acceptable to AT&T.

2.2

Cross-Border Transfers to Restricted Jurisdictions. With respect to Personal Data originating in a country identified in Table 1, below, and processed by Supplier in a Restricted Jurisdiction, Supplier shall process (including making any transfers of) such data in accordance with (i) the terms and conditions set out in this Appendix, (ii) Appendix L, Standard Contractual Clauses and (iii) Data Privacy Laws.

TABLE 1


AUSTRIA	FINLAND	LATVIA	PORTUGAL
BELGIUM	FRANCE	LIECHTENSTEIN	ROMANIA
BULGARIA	GERMANY	LITHUANIA	SLOVAKIA
CROATIA	GREECE	LUXEMBOURG	SLOVENIA
CYPRUS	HUNGARY	MALTA	SPAIN
CZECH REPUBLIC	ICELAND	NETHERLANDS	SWEDEN
DENMARK	IRELAND	NORWAY	SWITZERLAND
ESTONIA	ITALY	POLAND	UNITED KINGDOM

2.3	Permitted Sub-Data Processors

AT&T acknowledges that it has authorized Supplier to engage the natural or legal persons identified by Supplier as of the date of this Appendix in Exhibit 2 to this Appendix to process Personal Data on behalf of the Data Controller. In respect of any permitted Sub-Data Processors, AT&T hereby authorizes Supplier to enter into the Standard Contractual Clauses for and on behalf of AT&T to the extent necessary to secure compliance with the Data Privacy Laws.

Proprietary and Confidential

Amendment 53258.A.001

EXHIBIT 1

DESCRIPTION OF PROCESSING OF PERSONAL DATA

The below describes the Processing of Personal Data under this Agreement.

Additional details with breakdown of applications currently identified as impacted by European data is provided in Attachment 1 – Impact By Application. The Parties will maintain the details of Attachment 1 – Impact By Application and the list of Subcontractors for Exhibit 2 without the need to amend this Agreement to include the updates.

Subject Matter

Supplier Processes Personal Data in relation to provision of the Services under this Agreement.

Nature of Processing

Personal Data will be subject to the following Processing operations: [Note: Insert “Y” to indicate those that apply and “N” to indicate those that don’t]

[Y]	Provisioning, testing, delivering, monitoring, maintaining, managing and de-provisioning/winding down the Services

[Y]	Managing network devices

[N]	Monitoring and analyzing network utilization/network management information

[Y]	Identifying and resolving service performance issues

[Y]	Creating, storing, utilizing, and delivering reports and related data

[Y]	Enabling access to AT&T facilities and systems

[Y]	Transmitting and storing electronic communications

[Y]	Creating, storing and delivering bills; and receiving, storing, investigating and responding to billing inquiries

[N]	Storing, utilizing, and maintaining contract documents and related materials

[Y]	Storing, utilizing, and maintaining other documents and records containing Personal Data

Proprietary and Confidential

Amendment 53258.A.001

[Y]	Communicating with AT&T employees/representatives, AT&T’s customer’s employees/representatives, other suppliers’ (other than Supplier’s) employees/representatives and/or the employees/representatives of such suppliers’ subcontractors of any tier regarding the Services

[Y]	Performing other functions in support of the Services (please specify): Please see Exhibit Attachment 1 – Impact by Application.

[Y]	Transferring Personal Data to Restricted Jurisdictions in connection with any processing operation

Purpose of Processing

Supplier Processes Personal Data to provide the Services, perform its obligations and exercise its rights under this Agreement, and comply with its legal obligations

Categories of Personal Data

The Personal Data processed for AT&T concerns the following categories of Personal Data: [ Note: Insert “Y” to indicate those that apply and “N” to indicate those that don’t]

[Y]	Business contact data

[Y]	Electronic communications metadata

[Y]	Device identification data

[Y]	Geolocation data

[Y]	Authentication credentials

[Y]	Recorded content of electronic communications

[Y]	Application content (e.g., managing content in a database)

[Y]	Payment card and similar payment data/other financial data

[Y]	Government issued identification numbers

[Y]	Personal (e.g., date of birth, family-related, education-related, personal history-related)

[Y]	Other (please specify): AT&T Webphone data stored in Datalake

Proprietary and Confidential

Amendment 53258.A.001

Categories of Sensitive Personal Data (if applicable)

The Personal Data processed for AT&T concerns the following special categories of Personal Data [Note: Insert “Y” to indicate those that apply and “N” to indicate those that don’t]

[N]	Racial or ethnic origin

[N]	Political affiliation

[N]	Religious beliefs

[N]	Sexual orientation

[N]	Trade union membership

[N]	Genetic data

[Y]	Biometric data

[N]	Health Data

Categories of Data Subjects

The Personal Data processed by Supplier concern the following categories of Data Subjects: [ Note: Insert “Y” to indicate those that apply and “N” to indicate those that don’t]

[Y]	Employees/representatives of AT&T and/or its affiliates (i.e., the AT&T group of companies)

[Y]	Employees/representatives of AT&T’s customers and/or their affiliates

[N]	Employees/representatives of AT&T’s suppliers (other than Supplier) and/or their subcontractors of any tier

[Y]	Other (please specify): AT&T Webphone data stored in Datalake

Duration of Processing

Until the Personal Data is no longer needed for the purposes for which it was collected, which shall be at the end of the term of this Agreement at the latest unless otherwise requested by AT&T.

Location of Processing

Approved locations under Appendix C – Offshore Locations of the Agreement and/or locations listed in an Order for Services with respect to which the GDPR would be applicable.

Proprietary and Confidential

Amendment 53258.A.001

Details of Supplier Data Protection Officer(s) and point(s) of contact for all notices (if different than Supplier Data Protection Officer(s))*


NAME		Yaron Moore

TITLE		Commercial Contract Partner

LOCATION		Timberlake, MO

EMAIL		Yaron.moore@amdocs.com

TELEPHONE 1		314-212-7225

TELEPHONE 2		303-210-7354

*	Supplier shall keep current its contact information for its Data Protection Officer(s) and other point(s) of contact listed above, without the need to amend this Agreement, by informing Supplier’s AT&T business contact of all changes in a medium and form acceptable to AT&T.

Proprietary and Confidential

Amendment 53258.A.001

EXHIBIT 2

SUBCONTRACTORS AUTHORIZED BY AT&T TO PROCESS PERSONAL DATA*


COMPANY NAME & REGISTERED ADDRESS	POINT OF CONTACT NAME & TITLE	POINT OF CONTACT PHONE & EMAIL
*[]**	*[][]*	*[][]*
*[]**	*[] []*	*[][]*

*	Supplier shall keep current its subcontractor contact information listed above, without the need to amend this Agreement, by informing Supplier’s AT&T business contact of all changes in a medium and form acceptable to AT&T.

Proprietary and Confidential

Amendment 53258.A.001

Appendix L

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organisation:

Address:

Tel.: ; fax: ; e-mail:

Other information needed to identify the organisation

……………………………………………………………

(the data exporter)

And

Name of the data importing organisation:

Address:

Tel.: ; fax: ; e-mail:

Other information needed to identify the organisation:

(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Proprietary and Confidential

Amendment 53258.A.001

Clause 1

Definitions

For the purposes of the Clauses:

(a)

‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data¹;

(b)	‘the data exporter’ means the controller who transfers the personal data;

(c)

‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

(d)

‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e)

‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

(f)

‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

¹	Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.

Proprietary and Confidential

Amendment 53258.A.001

Clause 3

Third-party beneficiary clause

1.	The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4.	The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a)

that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b)	that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c)	that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

Proprietary and Confidential

Amendment 53258.A.001

(d)

that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e)	that it will ensure compliance with the security measures;

(f)	that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;

(g)	to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h)

to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i)	that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j)	that it will ensure compliance with Clause 4(a) to (i).

Proprietary and Confidential

Amendment 53258.A.001

Clause 5

Obligations of the data importer²

The data importer agrees and warrants:

(a)

to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b)

that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c)	that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d)	that it will promptly notify the data exporter about:

(i)

any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii)

any accidental or unauthorised access, and

(iii)

any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e)	to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f)

at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g)

to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h)	that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i)	that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j)	to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

Proprietary and Confidential

Amendment 53258.A.001

Clause 6

Liability

1.	The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1.	The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a)

to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b)

to refer the dispute to the courts in the Member State in which the data exporter is established.

Proprietary and Confidential

Amendment 53258.A.001

2.	The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1.	The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2.	The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established, namely

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Proprietary and Confidential

Amendment 53258.A.001

Clause 11

Subprocessing

The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses³. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3.	The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established, namely

4.	The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

³	This requirement may be satisfied by the subprocessor co-signing the contract entered into between the data exporter and the data importer under this Decision.

Proprietary and Confidential

Amendment 53258.A.001

2.	The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Name (written out in full):

Position:

Address:

Other information necessary in order for the contract to be binding (if any):

Signature

(stamp of organisation)

On behalf of the data importer:

Name (written out in full):

Position:

Address:

Other information necessary in order for the contract to be binding (if any):

Signature

(stamp of organisation)

Proprietary and Confidential

Amendment 53258.A.001

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Categories of data

The personal data transferred concern the following categories of data (please specify):

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

DATA EXPORTER

Name:

Authorised Signature

DATA IMPORTER

Name:

Authorised Signature

Proprietary and Confidential

Amendment 53258.A.001

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

ILLUSTRATIVE INDEMNIFICATION CLAUSE (OPTIONAL)

Liability

The parties agree that if one party is held liable for a violation of the clauses committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses or loss it has incurred.

Indemnification is contingent upon:

(a)	the data exporter promptly notifying the data importer of a claim; and

(b)	the data importer being given the possibility to cooperate with the data exporter in the defence and settlement of the claim⁴.

⁴	Paragraph on liabilities is optional.

Proprietary and Confidential