Data Protection Requirements

These Data Protection Requirements (“DPR”) form part of the Agreement between Forcepoint and Contractor for the Contractor’s provision of services to Forcepoint (“Services”). This DPR reflects the parties’ agreement that Contractor will only access, use, Transfer and Process Forcepoint Data (as defined below) in compliance with applicable laws and Forcepoint’s Privacy Policy, which is incorporated into this DPR by reference.

1. Definitions

    1.1 “Agreement” means the agreement between Forcepoint and Contractor for the provision of Services by Contractor.

    1.2 “CCPA” means the California Consumer Privacy Act of 2018.

    1.3 “Contractor” means the company, affiliate, or other legal entity that is providing Services to Forcepoint pursuant to the Agreement. Contractor may also be referred to as “Vendor”, “Supplier” or “Seller” as identified in the Agreement or purchase order issued by Forcepoint. They may also be referred to as “Processor” for purposes of this DPR.

    1.4 “Data Subject” means the natural person to whom the Personal Data relates.

    1.5 "EU Data Protection Law" means the EU laws regarding the Processing of Personal Data, including, without limitation, the General Data Protection Regulation 2016/679 (“GDPR”), and any subsequent or replacing European legislation.

    1.6 “Forcepoint” means, as the context requires: (i) Forcepoint LLC, a Delaware limited liability company with its principal place of business at 10900-A Stonelake Blvd., 3rd Floor, Austin, Texas 78759, USA; or (ii) Forcepoint International Technology Limited, with a principal place of business at 85 South Mall, Cork, T12 A3XN, Ireland; (iii) Forcepoint Federal LLC, with a principal place of business at 12950 Worldgate Drive, Suite 600, Herndon, VA 20170; or (iv) a corporation or entity controlling, controlled by or under the common control of those entities included under (i), (ii), or (iii).

    1.7 "Forcepoint Data" means any data and/or information of Forcepoint submitted by Forcepoint or accessed by Contractor during or as a result of the provisioning of the Services, including Forcepoint Personal Data as defined below.

    1.8 “Personal Data”, sometimes referred to as “Personally Identifiable Information” or “PII”, means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

    1.9 “Privacy Shield Principles and Supplementary Principles” means the Privacy Shield principles, details of which are available at www.privacyshield.gov.

    1.10 “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

    1.11 “Process/Processing” means any operation or set of operations performed upon data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

    1.12 “Sell” means to sell, lease, rent, or share for anything of value.

    1.13 “Standard Contractual Clauses” / “SCC” means the standard contractual clauses set forth in the EU Commission’s Implementing Decision 2021/914 of 4 June 2021 and any official amendments thereto.

    1.14 “Subprocessor/Subcontractor” means a natural or legal person, public authority, agency or other body which processes Forcepoint Data.

    1.15 “Transfer” for purposes of this DPR means the movement of data, by any means and regardless of media, from one place to another or the accessing of electronic data from any system or location other than the system or location where the data is stored.

    1.16 “UK International Data Transfer Addendum” means the International Data Transfer Addendum to the Standard Contractual Clauses attached to this DPR as Exhibit 2.

    1.17 “UK GDPR” means GDPR, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

 

2. Processing of Forcepoint Data

Contractor will ensure that it will (i) Process Forcepoint Data only in accordance with applicable laws, including without limitation EU Data Protection Laws, such as Article 28 of the GDPR, UK GDPR, and CCPA; (ii) maintain records of its Processing activities in relation to Forcepoint Data; (iii) act in accordance with the terms of the Agreement, including this DPR, or other instructions Forcepoint may provide; (iv) not Sell any Forcepoint Data; (v) only Process Forcepoint Data for the purposes of performing Contractor’s obligations and providing the agreed Services under the Agreement; (vi) verify the legal basis of any government authority data requests and reject those Contractor has reason to believe are not valid; and (vii) promptly notify Forcepoint of any legally binding request for disclosure of the Forcepoint Data by a law enforcement authority (where Forcepoint or a Forcepoint customer is identified by name by the law enforcement authority and/or the response provided by Contractor will result in identifying Forcepoint or the Forcepoint customer by name to the law enforcement authority) unless otherwise prohibited from doing so by law. For the avoidance of doubt, nothing in this document or the agreement between Forcepoint and the Contractor, should be construed as authorization for the Contractor to use data received from Forcepoint for any purpose other than performance of Contractor’s agreement with Forcepoint.

 

3. Transfers of Personal Data

    3.1 Contractor will not Process or Transfer Personal Data provided by Forcepoint outside the European Economic Area (“EEA”) or Switzerland without (i) providing reasonable prior written notice to Forcepoint, (ii) having Forcepoint’s approval, and (iii) taking all measures necessary to ensure that such Personal Data will be subject to an adequate level of protection in accordance with the requirements of applicable data protection laws, including EU Data Protection Law.

    3.2 With respect to Personal Data that the Contractor or its Subcontractors Process in and/or Transfer from the EEA or Switzerland to the United States of America, Contractor will ensure it and its Subcontractors adhere to the Privacy Shield Framework Principles and Supplementary Principles. The Contractor and/or its Subcontractors will comply with: (i) the Standard Contractual Clauses when transferring Personal Data to a third country that has not received an adequacy decision from the European Union in accordance with GDPR, with Annexes I-III (attached as Exhibit 1 for reference) of the Standard Contractual Clauses to be provided to Forcepoint by Contractor in the case such a transfer is necessary; and (ii) the UK International Data Transfer Addendum when conducting a Restricted Transfer of Customer Personal Data that is subject to the UK GDPR to a third country that has not received an adequacy decision from the UK in accordance with the UK GDPR. Contractor may be required by Forcepoint to execute other data protection and security terms as necessary to comply with applicable law.

    3.3 The Data Exporter will be Forcepoint and the Data Importer will be Contractor.

    3.4 For the purposes of the SCCs:

  • Module Two or Module Three will apply (as applicable);
  • In Clause 7, the optional docking clause will not apply;
  • In Clause 9, Option 1 will apply, and Contractor will submit a request for approval of the sub-processor to Forcepoint at least 30 days prior to engaging the sub-processor;
  • In Clause 11, the optional language will apply;
  • In Clause 17, Option 1 will apply, and the SCCs will be governed by Irish law;
  • In Clause 18(b), disputes will be resolved before the courts of Ireland.

 

4. Security Measures

Contractor will ensure that it has in place, and undertake to maintain throughout the time it possesses or accesses Forcepoint Data, (i) appropriate technical and organizational measures against the accidental, unauthorized or unlawful Processing, destruction, loss, damage or disclosure of the Forcepoint Data; (ii) adequate security programs and procedures to ensure that unauthorized persons do not have access to such Forcepoint Data or to any equipment used to Process such Forcepoint Data; and (iii) that such technical and organizational security measures will (at a minimum) include the following measures:

  1. encrypt all portable devices and media that hold Forcepoint Data using encryption standards in accordance with applicable laws, regulations and guidelines;
  2. take all reasonable care with the handling of communications (including post, fax and email) to ensure the protection of Forcepoint Data;
  3. securely dispose of all paper waste and all redundant computer and other related assets used for Processing Forcepoint Data in accordance with NIST 800-88;
  4. ensure information security controls are in place, adequate and aligned to ISO 27001 and/or NIST 800-83;
  5. ensure the ongoing confidentiality, integrity, availability and resilience of Contractor processing systems and services;
  6. ensure the ability to restore the availability and access to Forcepoint Data in a timely manner in the event of a physical or technical incident;
  7. ensure Contractor has a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

 

5. Training and confidentiality obligations of Employees and subcontractors

Contractor will ensure that Contractor employees, agents, subcontractors and other personnel who deal with Forcepoint Data (i) receive appropriate training to ensure that Forcepoint Data is handled securely and in accordance with the terms of this DPR; and (ii) are bound by industry standard obligations of confidentiality as regards all such Forcepoint Data, provided that in no case shall such terms be less onerous than those contained in the Agreement and/or this DPR.

 

6. Data Breach Notification

In the event of any accidental, unauthorized or unlawful Processing, access, destruction, loss, damage or disclosure of Forcepoint Data (“Data Breach”), Contractor will (i) comply with applicable laws, (ii) immediately notify Forcepoint of its discovery of a Data Breach, and, where feasible not later than twenty-four (24) hours of Data Breach discovery; (iv) immediately take reasonable and appropriate steps to remediate such Data Breach, and (v) comply in a timely manner with all reasonable Forcepoint requests regarding the remediation and investigation of the Data Breach.

The Contractor’s Data Breach notification will include such information as the nature of the breach, categories of Forcepoint Data impacted by the Data Breach, the number of impacted data subjects, the types of records concerned, the likely consequences, and proposed or taken measures.

Contractor shall promptly reimburse Forcepoint for all costs incurred by Forcepoint in responding to and mitigating the Data Breach.

 

7. Subcontracting

Contractor will not subcontract the Processing of Forcepoint Data unless (i) Contractor provides reasonable prior notice to Forcepoint, (ii) Forcepoint does not object (acting reasonably) to such subcontracting; and (iii) Contractor has in place a signed contract with such subcontractor setting out terms for the Processing of such Personal Data that are no less onerous than those the Contractor is required to satisfy under the terms of the Agreement, this DPR, and Forcepoint’s written instructions. Contractor will remain liable to Forcepoint for the actions and omissions of Contractor subcontractors. Upon request by Forcepoint, Contractor will provide a list of subcontractors who Process Forcepoint Data as well as a copy of the relevant extracts of the contract between Contractor and the subcontractor relating to such Processing. If Forcepoint has a reasonable basis to object to Contractor’s use of a subcontractor, then Forcepoint may terminate the Agreement by providing written notice to the Contractor.

 

8. Enquiries and Requests

Contractor will immediately inform Forcepoint if it receives any enquiry, complaint or claim from any court, governmental official, third parties or individuals, including but not limited to, any Data Subjects or Supervisory Authorities as defined under GDPR. In relation to such requests received by Contractor or Sub-processor, or any such request received directly by Forcepoint, Contractor and Sub-processor will provide Forcepoint timely support and cooperation in responding to any such request. Should Forcepoint, on the basis of applicable law, be obliged to provide access or information to a Data Subject about the Processing of Personal Data relating to him or her, Contractor will, without levying a fee, promptly assist Forcepoint in providing such access or information.

 

9. Auditing

Contractor will, upon reasonable written notice of Forcepoint and during regular business hours, submit Contractor facilities, data files and documentation related to the Processing of the Forcepoint Data (and/or those of Contractor agents, affiliates and Sub-processors) to review and/or audit by Forcepoint (or any independent or impartial inspection, agents or auditors bound by a duty of confidentiality, selected by Forcepoint and not reasonably objected to by Contractor) to ascertain compliance with the obligations in this DPR, the Agreement, and applicable laws which govern the Processing of such Forcepoint Data. If Forcepoint, in its sole discretion, believes that Contractor (or Contractor agents, affiliates or subcontractors) are in breach of any of the obligations under this DPR, the Agreement, or applicable laws which govern the Forcepoint Data, the requirement for Forcepoint to give reasonable notice under this Section shall not apply.

 

10. Termination and Return of Forcepoint Data upon Termination or Expiration

    10.1 In addition to the termination rights included in the Agreement, Forcepoint will be entitled to terminate the Agreement in the event of non-compliance by Contractor with this DPR. Upon termination, Contractor (and its agents, affiliates or subcontractors) will immediately cease all Processing of Forcepoint Data; and upon request by Forcepoint, either (i) return (in a format accessible by Forcepoint) all such Forcepoint Data; or (ii) destroy or otherwise render inaccessible all Forcepoint Data (except as prohibited by law) and provide confirmation in writing of such destruction.

    10.2 If the Contractor or its Subcontractors establish, to Forcepoint’s satisfaction, that they have a lawful basis to retain Forcepoint Data, Contractor warrants that it will (i) ensure the confidentiality of the Forcepoint Data in accordance with the Agreement, this DPR, and Forcepoint’s instructions, (ii) not use the Forcepoint Data post termination for any reason other than to comply with applicable law, and (iii) destroy or return the Forcepoint Data once they no longer have a lawful requirement to retain it. This provision survives the termination of relevant Agreements and applies for the time the Contractor continues to possess the Personal Data.

 


 

 

APPENDIX

 

EXPLANATORY NOTE:

It must be possible to clearly distinguish the information applicable to each transfer or category of transfers and, in this regard, to determine the respective role(s) of the Parties as data exporter(s) and/or data importer(s). This does not necessarily require completing and signing separate appendices for each transfer/category of transfers and/or contractual relationship, where this transparency can be achieved through one appendix. However, where necessary to ensure sufficient clarity, separate appendices should be used.

 


 

 

Exhibit 1
SCC Annexes I-III

ANNEX I

 

A. LIST OF PARTIES

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

1. Name: Forcepoint as defined in the DPR or an affiliate of Forcepoint

Address: As provided in the relevant Agreement

Contact person’s name, position and contact details:

Forcepoint,
Attn: Data Protection Officer,
10900-A Stonelake Blvd., Quarry Oaks 1, Suite 350
Austin, TX 78759
Email: privacy@forcepoint.com

Activities relevant to the data transferred under these Clauses: Activities as expressly authorized in the Agreement

Signature and date:

Role (controller/processor):

2.

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

1. Name: Contractor as defined in the DPR

Address: As provided in the relevant Agreement

Contact person’s name, position and contact details:

Activities relevant to the data transferred under these Clauses: Activities as expressly authorized in the Agreement

Signature and date:

Role (controller/processor):

2.

B. DESCRIPTION OF TRANSFER

MODULE TWO: Transfer controller to processor

MODULE THREE: Transfer processor to processor

Categories of data subjects whose personal data is transferred

Categories of personal data transferred

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

N/A

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Nature of the processing

Purpose(s) of the data transfer and further processing

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor

Identify the competent supervisory authority/ies in accordance with Clause 13
Ireland

 


 

 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor

The Contractor/Data Importer will be expected to implement technical and organisational security measures that include, but are not limited to:

  1. encrypt all portable devices and media that hold Personal Data provided to Contractor by Forcepoint using encryption standards in accordance with applicable laws, regulations and guidelines;
  2. take all reasonable care with the handling of communications (including post, fax and email) to ensure the protection of Personal Data provided to Contractor by Forcepoint;
  3. securely dispose of all paper waste and all redundant computer and other related assets used for Processing Personal Data provided to Contractor by Forcepoint in accordance with NIST 800-88, and its successor or replacement;
  4. ensure information security controls are in place, adequate and aligned to ISO 27001 and/or NIST 800-83 and their successors or replacement;
  5. ensure the ongoing confidentiality, integrity, availability and resilience of Contractor’s/Data Importer’s processing systems and services;
  6. ensure it has the ability to restore the availability and access to Personal Data provided by Forcepoint in a timely manner in the event of a physical or technical incident;
  7. ensure it has a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

 

ANNEX III
LIST OF SUB-PROCESSORS

 

MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor

EXPLANATORY NOTE:

This Annex must be completed for Modules Two and Three, in case of the specific authorisation of sub-processors (Clause 9(a), Option 1).

The controller has authorised the use of the following sub-processors:

1. Name:

Address:

Contact person’s name, position and contact details:

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

2.


 

 

Exhibit 2
International Data Transfer Addendum to the Standard Contractual Clauses

ANNEX I

This UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK International Data Transfer Addendum”) has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.

Part 1: Tables

Table 1: Parties

Start date

The Effective Date as stated in the applicable Forcepoint Customer Agreement

The Parties

Exporter (who sends the Restricted Transfer)

Importer (who receives the Restricted Transfer)

Parties’ details

Full legal name: Forcepoint (as defined in the DPR)
Main address (if a company registered address): As provided in the applicable services Agreement
Official registration number (if any) (company number or similar identifier):

Full legal name: Contractor (as defined in the DPR)
Main address (if a company registered address): As provided in the applicable services Agreement
Official registration number (if any) (company number or similar identifier):

Key Contact

Job Title: DPO
Contact details including email: privacy@forcepoint.com

Job Title:
Contact details including email:

Signature (if required for the purposes of Section 2)

 

 

Table 2: Selected SCCs, Modules and Selected Clauses

 

Addendum EU SCCs

The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date: As of the Effective Date of the applicable services Agreement
Reference (if any): The Standard Contractual Clauses as referenced and agreed to in the DPR to which this UK International Data Transfer Addendum is attached as Exhibit 2.

 

Table 3: Appendix Information

 

“Appendix Information” means the information which must be provided for the selected modules as set out in the Annexes of the Standard Contractual Clauses (other than the Parties), and which for this Addendum is set out in:

Annex IA: List of Parties: As included in Exhibit 1, Annex I.A. to the DPR.

Annex IB: Description of Transfer: As included in Exhibit 1, Annex I.B. to the DPR.

Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As included in Exhibit 1, Annex II to the DPR

Annex III: List of Sub processors (Modules 2 and 3 only): As described in Exhibit 1, Annex III of the DPR

 

Table 4: Ending this Addendum when the Approved Addendum Changes

 

Ending this Addendum when the Approved Addendum changes

Which Parties may end this UK International Data Transfer Addendum as set out in Section 19:
.... Importer
.... Exporter
.... neither Party

 

Part 2: Mandatory Clauses

 

Mandatory Clauses of this UK International Data Transfer Addendum, being the template Addendum B.1.0 issued by the U.K. Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.


1 Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.

2 This requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone, in line with recital 26 of Regulation (EU) 2016/679, and that this process is irreversible.

3 The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

4 The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.

5 See Article 28(4) of Regulation (EU) 2016/679 and, where the controller is an EU institution or body, Article 29(4) of Regulation (EU) 2018/1725.

6 The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purposes of these Clauses.

7 This includes whether the transfer and further processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.

8 This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.

9 This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.

10 That period may be extended by a maximum of two more months, to the extent necessary taking into account the complexity and number of requests. The data importer shall duly and promptly inform the data subject of any such extension.

11 The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards.

12 As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.