EU Data Processing Addendum
If Namely, or any of its subcontractors, Processes any Personal Data governed by EU Data Protection Laws that has been provided or made available by or on behalf of Client to Namely or uploaded by Client to the Platform in connection with using the services (“EU Personal Data”), the following terms shall apply to such EU Personal Data. In the event of a conflict between this EU Data Processing Addendum and the Terms, this EU Data Processing Addendum shall control with respect to EU Personal Data.
- “EU Data Protection Laws” means (i) the national laws from EU Member States implementing the Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the Processing of EU Personal Data and on the free movement of such data (the “Directive”), (ii) from May 25, 2018, the General Data Protection Regulation (EU 2016/679) and the national laws from EU Member States and the United Kingdom supplementing or replacing the General Data Protection Regulation (EU 2016/679) (together the “GDPR”) and (iii) any applicable data protection legislation that amends, re-enacts, replaces or supplements the GDPR and which arises from the withdrawal of the United Kingdom from the European Union.
- “Personal Data”, “Process”, “Controller”, “Processor”, “Data Subject”, and “Supervisory Authority” shall have the same meaning as defined by the GDPR and interpreted by the EU Data Protection Laws.
- “EEA” means the European Economic Area and includes the European Union member states, Iceland, Liechtenstein, and Norway.
2. Processing of EU Personal Data.
- Client acknowledges that it may be necessary for Client to provide access to, or transfer, EU Personal Data to Namely in the United States in order for the EU Personal Data to be included in the Platform and for the Client to receive the services. To the extent that Namely shall Process any EU Personal Data, the parties agree that (i) Namely shall be the Data Processor and the Client the Data Controller and (ii) the parties will enter into appropriate Controller-to-Processor Standard Contractual Clauses approved by the European Commission.
- Namely shall provide such assistance as Client requires in relation to EU Personal Data in order for Client to (a) respond to requests relating to Namely’s Processing of EU Personal Data from Data Subjects and (b) prepare any necessary data protection impact assessments and undertake any necessary data protection consultations that are required pursuant to EU Data Protection Laws.
- Namely shall make available, upon Client’s written request and at Client’s expense, information necessary to demonstrate compliance with this EU Data Processing Addendum. If EU Data Protection Laws require Namely to provide Client with access to Namely’s facilities or information, then Namely shall permit Client to audit Namely’s compliance with the data security and data protection obligations under this EU Data Processing Addendum. Client may request such audit no more than once in each twelve (12) month period and such audit shall be conducted during regular business hours. In order to request an audit of Namely’s facilities and information, Client shall (a) notify Namely in writing thirty (30) days in advance, detailing the dates and duration of the audit and the identity and the qualifications of the auditor, (b) agree in writing with Namely on the scope of the audit and the security and confidentiality controls required for access to the information, facilities or processes in scope of such audit and (c) cause such auditor to sign a non-disclosure agreement with Namely that is satisfactory to Namely. Namely may object to any external auditor if, in Namely’s reasonable opinion, the auditor is not qualified, does not have an appropriate security clearance, is a competitor to Namely, or is not independent. If Namely objects to the identity or qualifications of any proposed auditor, Namely shall provide reasons for such objection and Client will be required to propose another auditor. All information provided or made available to Client or its auditor pursuant to such audit shall be considered Namely’s Confidential Information.
- Namely shall promptly provide all assistance and information which is requested by any Supervisory Authority regarding EU Personal Data. Namely shall immediately notify Client of any request regarding EU Personal Data that it receives from any Supervisory Authority for assistance or information, unless prohibited by applicable law.
- Namely shall maintain and provide to Client upon request, records of all Processing activities related to EU Personal Data carried out on behalf of Client, including the different types of Processing being carried out and of any sub-Processors, any transfers of EU Personal Data outside of the EEA or UK, including the identification of the relevant country or international organization and any documentation required to demonstrate suitable safeguards.
- Namely shall not engage any third party, including without limitation, an affiliate of Namely to carry out Processing of EU Personal Data in connection with its obligations under the Agreement (“Sub-Processor”) without Client’s consent. The Client hereby consents to each Namely affiliate and the third parties identified at https://www.namely.com/eu-data-partners/ (“Notice URL”), as well as any additions or replacements included in the Notice URL from time to time, provided that Namely will afford the Client the ability to object to such addition or replacement within thirty (30) days of such addition or replacement. Namely shall provide Client the ability to subscribe to any changes to the information provided via the Notice URL. In the event that Client does object to such addition or replacement, Namely shall have the right to either (i) accept the objection and ensure such Sub-Processor does not Process any EU Personal Data of Client or (ii) terminate the Subscription module(s) for which such Sub-Processor will process EU Personal Data as part of its services to Namely. Namely shall enter into a written agreement with the Sub-Processor and each Sub-Processor and sub-contractor to such Sub-Processor shall provide sufficient guarantees to implement appropriate technical and organizational measures to comply with its applicable obligations under EU Data Protection Laws when processing EU Personal Data. Namely shall be liable for such obligations of its Sub-Processors to the extent required under EU Data Protection Laws.
- Upon the expiration or termination of the Agreement, Namely shall procure that each Sub-Processor shall destroy all copies of EU Personal Data, except to the extent that such EU Personal Data is required to be kept pursuant to applicable law.
3. Notice of Non-Compliance.
- In the event that Namely can no longer meet its obligations under section 2 above, Namely shall (i) promptly notify Client in writing and work with Client to take all reasonable steps to stop and remediate, to the extent possible, any Processing until such Processing meets the requirements of section 2 above; and (ii) promptly stop, and cause all Sub-Processors to promptly stop, Processing EU Personal Data, if in Client’s sole discretion, Client determines that Namely cannot correct any non-compliance with section 2 above within a reasonable time.
Client may consider Namely’s inability to meet its obligations under section 2 above a material breach in accordance with the Terms.