Cloudera Partner Data Processing Addendum
This Partner Data Processing Addendum (“DPA”) forms part of and is incorporated into the Cloudera Partner Network Terms, Partnership Terms and Conditions, or similar contract, agreement, or legal document (“Agreement”) between Cloudera, Inc. and any Cloudera affiliates, and the Partner and any Partner affiliates. Cloudera and Partner are each a “Party” and, together, “the Parties.” This Partner DPA forms a legally binding contract between Cloudera and Partner and applies to the extent that the Parties Process Personal Data pursuant to the Agreement. This Partner DPA shall prevail over any prior partner data processing addendum or similar agreement entered into by the Parties.
- Cloudera and Partner intend and agree to process Personal Data, as separate and independent Controllers, subject to the terms and conditions of this DPA, for their own respective purposes.
- Cloudera and Partner have entered into this DPA to set out the framework for the Processing of Personal Data by the Parties, including the sharing of such data, each acting in the capacity as a Controller, and to define the procedures, obligations, responsibilities, liabilities, and rights of the Parties.
In relation to the Processing of Personal Data, the following terms, and their cognate words, shall have the same meaning as set forth and defined in and by Applicable Data Protection Law:
“Business”; “Collect”; “Consent”; “Consumer”; “Controller”; “Data Subject”; “Personal Data”; “Personal Data Breach”; “Personal Information”; “Process(es)” or “Processing”; “Processor”; “Recipient”; “Sell”; “Sensitive Personal Data”; “Service Provider”; “Special categories of Personal Data”; and “Third party”.
The following terms shall have the meanings set forth below and cognate terms shall be construed in accordance with these definitions and Applicable Data Protection Law:
“Applicable Law” means any law, rule, or regulation to which a Party is subject.
“Applicable Data Protection Law” means all data protection and privacy laws, rules, and regulations applicable to the Processing and protection of Personal Data under this DPA, including, among others, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), the United Kingdom Data Protection Act 2018, the Switzerland Federal Act on Data Protection, the California Consumer Privacy Act of 2018, Canada’s Personal Information Protection and Electronic Documents Act, the Australia Privacy Act 1988, and Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais), as well as any sectoral privacy-related laws and data breach notification laws.
“Data Protection Authority” means the relevant or competent government or public authority in charge of regulating the Processing of Personal Data and enforcing Applicable Data Protection Law.
“Restricted Data Transfer” means any transfer of Personal Data from the European Union (EU), the European Economic Area (EEA), Switzerland, or the United Kingdom (UK) to a third country outside of any of those regions, countries, or jurisdictions that does not ensure an adequate level of data protection (i.e., does not have an “adequacy decision”) according to the respective governmental authority, including any Data Protection Authority, in the EU, the EEA, Switzerland, or the UK. A Restricted Data Transfer includes any transfer or onward transfer of Personal Data subject to the Applicable Data Protection Law in the EU, the EEA, Switzerland, or the UK to a third country that does not ensure an adequate level of data protection.
“EU Standard Contractual Clauses (SCCs)” means Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, which constitute appropriate safeguards for transferring Personal Data to a third country.
2. DPA Purpose, Scope, and Description of Processing
2.1. Parties as Independent Controllers
Each Party shall act as an independent Controller with respect to the Processing of Personal Data under or pursuant to the Agreement.
2.2. Purpose and Scope of the DPA
This DPA’s purpose is to ensure that the Processing of Personal Data by each Party, including, among other things, any transfer, sharing, transmission, or dissemination of Personal Data between the Parties, for the purposes set forth in section 2.3 of this DPA, complies with Applicable Data Protection Law. This DPA shall govern such Processing.
2.3. Description of the Processing
Exhibit II of this DPA specifies the details of the Processing. Each Party may propose reasonable amendments to Exhibit II by providing written notice to the other Party. The Parties may make reasonable amendments to Exhibit II as the Parties reasonably consider necessary to meet requirements of Applicable Data Protection Law or explicit guidance or a direct mandate issued by a Data Protection Authority.
3. Controller Obligations
3.1. General Obligations
3.1.1. The Parties shall each Process Personal Data in compliance with Applicable Data Protection Law and according to this DPA, unless required to do so otherwise by Applicable Law to which each or either Party is subject.
3.1.2. Neither Party shall knowingly perform its respective obligations in a manner that causes the other Party to breach any of its own respective obligations under Applicable Data Protection Law and/or this DPA.
3.1.3. Each Party shall implement and maintain appropriate technical and organizational measures to ensure that the Processing of Personal Data complies with Applicable Data Protection Law, considering the nature, scope, context, and purposes of Processing, as well as the risks to Data Subjects’ fundamental rights and freedoms.
3.1.4. Each Party shall at all times remain responsible for the acts and omissions of each Party’s respective personnel and vendors, suppliers, contractors, and agents in respect of the Personal Data.
3.2. Purpose Limitation
Each Party shall Process the Personal Data only for the specific purposes set out in Exhibit II. A Party may only Process the Personal Data for another purpose:
3.2.1. where it has obtained the Data Subject’s prior consent;
3.2.2. where necessary to establish, exercise, or defend legal claims in the context of specific administrative, regulatory, or judicial proceedings;
3.2.3. where necessary to protect the vital interests of the Data Subject or another person; or
3.2.4. where otherwise permitted by Applicable Data Protection Law.
To enable Data Subjects to effectively exercise their rights under Applicable Data Protection Law, each Party shall inform the Data Subjects, either directly or through the other Party, at a minimum:
3.3.1. of the Party’s identity and contact details;
3.3.2. of the categories of Personal Data Processed; and
3.3.3. where the Party intends to make an onward transfer of the Personal Data to any third party/ies, of the recipient(s) or categories of recipients, the purpose(s) of such onward transfer(s), and the ground(s) of such transfer(s).
The foregoing shall not apply where the Data Subject already has the above information, including when such information has already been provided by the Party, or providing the information proves impossible or would involve a disproportionate effort for that Party. In the latter case, the Party shall, to the extent possible, make the information publicly available (such as through a privacy notice or statement).
3.4. Data Accuracy and Data Minimization
3.4.1. Each Party shall ensure that the Personal Data is accurate and, where necessary, kept up to date. Having regard to the purpose(s) of Processing, each Party shall take every reasonable step to ensure that Personal Data that is inaccurate or incomplete is erased or rectified or made complete without delay.
3.4.2. If one of the Parties becomes aware that the Personal Data it has collected, transferred, shared, transmitted, or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.
3.4.3. Each Party shall ensure that the Personal Data is adequate, relevant, and limited to what is necessary in relation to the purpose(s) of the Processing.
3.5. Processing under the authority of the Controller
3.5.1. Each Party shall ensure that any person acting under its authority, including, among others, employees, personnel, staff, and/or Processors, Processes the Personal Data only on the Party’s instructions.
3.5.2. Each Party shall grant access to the Personal Data undergoing Processing to members of its personnel or staff only to the extent strictly necessary for fulfilling the terms of this DPA and purposes set forth herein.
3.5.3. Each Party shall ensure that persons authorized to access, use, or otherwise Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory or professional obligation of confidentiality.
3.6. Duration of Processing
Processing shall only take place for the duration specified in Exhibit II.
3.7. Direct Marketing
To the extent that a Party intends to Process the Personal Data for direct marketing, that Party shall do the following:
3.7.1. ensure that the appropriate level of any necessary consents have been obtained from the relevant Data Subjects or otherwise establish a lawful basis to allow the Personal Data to be used for direct marketing in compliance with Applicable Data Protection Law;
3.7.2. implement effective procedures and communications to allow a Data Subject to exercise the right to opt out from or object to direct marketing; and
3.7.3. implement effective procedures to enable the Party to notify relevant third parties of any Data Subject’s choice to opt-out of or object to such marketing.
4. Technical and Organizational Measures
4.1. Security Measures
Each Party shall implement technical and organizational measures to ensure the security, confidentiality, integrity, and availability of the Personal Data, including protecting such data against a Personal Data Breach. In assessing the appropriate level of security, each Party shall take account of the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks of varying likelihood and severity for Data Subjects’ rights and freedoms.
Each Party shall keep accurate records of the technical and organizational security measures which each Party has implemented and maintains, and each Party shall make such records available to the Data Protection Authority upon request.
5. Data Retention and Deletion
Each Party shall retain the Personal Data for no longer than is necessary to carry out the purpose(s) of Processing set forth in this DPA and do so in accordance with Applicable Data Protection Law. Each Party shall implement appropriate technical or organizational measures to ensure compliance with this obligation, including appropriate data retention policies and procedures, and mechanisms to securely delete, erase, destroy, dispose of, or anonymize the Personal Data.
Each Party may continue to retain the Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and/or industry, any documented backup policies and procedures, and/or as otherwise permitted by Applicable Data Protection Law. During this retention period, the Party shall continue to treat the Personal Data in accordance with Applicable Data Protection Law and shall not Process such data for purposes other than those set forth in this DPA.
6. International Personal Data Transfers
6.1. International Personal Data Transfers
For any Data Sharing that involves the Restricted Data Transfer(s) by one Party to the other Party, the Parties shall ensure compliance with Applicable Data Protection Law by using a lawful transfer mechanism under the law, such as EU SCCs, provided that the conditions for the use of the lawful transfer mechanism are met and that any required modifications to such mechanism are made.
6.2. Onward Transfer
The Parties shall not make the onward transfer(s) of the Personal Data that was part of the Restricted Data Transfer, including the onward transfer to a third party (such as to an affiliate or a Processor), unless the onward transfer complies with the conditions for lawful data transfers under Applicable Data Protection Law. A Party may ensure that the onward transfer complies with Applicable Data Protection by using a lawful transfer mechanism, such as EU SCCs, provided that the conditions for the use of the lawful transfer mechanism are met and that any required modifications to such mechanism are made.
7. Data Subjects
7.1.1. Each Party shall inform Data Subjects in a transparent and easily accessible format, through individual notice or on their websites, of a contact point authorized to handle complaints, inquiries, and privacy rights requests.
7.1.2. In case of a dispute between a Data Subject and one of the Parties as regards compliance with Applicable Data Protection Law, that Party shall use its best efforts to resolve the issue amicably in a timely fashion.
7.1.3. Each Party, where relevant with the assistance of the other Party, shall, without undue delay, deal with any inquiries and requests it receives from Data Subjects relating to the Processing of their Personal Data and the exercise of their rights under Applicable Data Protection Law. Each Party shall take appropriate measures to facilitate such inquiries, requests, and the exercise of Data Subjects’ rights. Any information provided to the Data Subjects shall be in an intelligible and easily accessible form, using clear and plain language.
7.1.4. Each Party shall, upon the Data Subject’s request, fulfill the rights request free of charge, unless otherwise permitted under Applicable Data Protection Law.
7.1.5. Where a Party Processes the Data Subject’s Personal Data for direct marketing purposes, the Party shall cease Processing for such purposes if the Data Subject objects to or opts out of such marketing.
7.1.6. A Party may refuse a Data Subject’s request if Applicable Data Protection Law allows such refusal. In this case, the Party shall inform the Data Subject of the reasons for the refusal and, if applicable, of the Data Subject’s right to contest the refusal and/or lodge a complaint with the Data Protection Authority and/or seek judicial redress.
7.2. Mutual Assistance
The Parties agree that the responsibility for complying with a Data Subject’s rights request belongs to the Party receiving such a request in respect of the Personal Data held by that Party.
However, the Parties shall provide each other reasonable assistance, as is necessary, to enable each Party to comply with their obligations to respond to Data Subjects’ requests to exercise their rights and to respond to any other queries or complaints from Data Subjects. The Parties shall, as is necessary, keep each other informed about such disputes and, where appropriate, reasonably cooperate in resolving them.
8.1. General Documentation and Compliance
8.1.1. Each Party shall be able to demonstrate compliance with its respective obligations under this DPA and Applicable Data Protection Law. In particular, each Party shall keep appropriate documentation of the Processing activities carried out under its responsibility pursuant to this DPA.
8.1.2. Each Party shall deal promptly and adequately with reasonable inquiries from the other Party about the Processing under this DPA.
8.1.3. The Parties shall make documentation about the Processing under this DPA and required under Applicable Data Protection Law available to the Data Protection Authority on request.
8.1.4. The Parties agree to submit themselves to the jurisdiction of and cooperate with the Data Protection Authority in any procedures aimed at ensuring compliance with this DPA. In particular, the Parties agree to respond to inquiries, submit to audits and comply with the measures adopted or mandated by the Data Protection Authority, including remedial and compensatory measures. Where applicable and necessary, the Parties shall provide such authority with written confirmation that the necessary actions have been taken.
8.2. Compliance Assistance
8.2.1. In the event of a dispute or claim brought by a Data Subject or the Data Protection Authority concerning the Processing of Personal Data against either or both Parties, the Parties will inform each other about any such disputes or claims and cooperate with a view to settling them amicably in a timely fashion.
8.2.2. In respect of breaches relating to this DPA, each Party shall abide by a decision of a competent, independent court of the other Party’s country of establishment or of any binding decision of the Data Protection Authority.
8.2.3. Taking into account the nature of the Processing, each Party shall provide each other with reasonable assistance to the other Party in ensuring compliance with the following obligations, if applicable:
184.108.40.206. To carry out an assessment of the impact of the envisaged Processing on the protection of Personal Data (i.e., a ‘privacy impact assessment,’ and/or a ‘data protection impact assessment’) where a type of Processing is likely to result in a high risk to the rights and freedoms of Data Subjects; and
220.127.116.11. To consult the Data Protection Authority prior to engaging in a type of Processing where such impact assessment indicates that the Processing would likely result in a high risk in the absence of measures taken by each Party to mitigate the risk.
9. Personal Data Breach
In the event a Party experiences a Personal Data Breach concerning the Personal Data subject to Processing under this DPA, that Party shall take appropriate measures to address the Personal Data Breach, including adopting measures to mitigate the breach’s possible adverse effects.
9.2. Data breach notification
9.2.1. In case of a Personal Data Breach that is likely to result in a risk to the rights and freedoms of Data Subjects or that otherwise requires notification under Applicable Data Protection Law, the Party that has experienced the breach shall, without undue delay, notify both the other Party and the Data Protection Authority. The notification shall contain, at a minimum, the following information:
18.104.22.168. A description of the nature of the breach (including, where possible or appropriate, the categories and approximate number of Data Subjects and records concerned);
22.214.171.124. The details of a contact point where or from whom the other Party can obtain more information about the breach;
126.96.36.199. The breach’s likely consequences;
188.8.131.52. The measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
To the extent that the Party is unable to provide all the information at the same time, it may do so in phases without undue further delay.
9.2.2. In case of a Personal Data Breach that is likely to result in a high risk to the rights and freedoms of affected Data Subjects, the Party shall, in addition to complying with 9.2.1., notify, without undue delay, the affected Data Subjects of the Personal Data Breach and the relevant information referred to in 184.108.40.206. through 220.127.116.11., unless the Party has implemented measures to significantly reduce the risk to the rights or freedoms of said Data Subjects, or notification would involve disproportionate efforts. However, the Party must provide such notification if otherwise required by Applicable Data Protection Law.
9.2.3. The Party that has experienced the Personal Data Breach shall document all relevant facts relating to the breach, including its effects and any remedial action taken, and keep a record thereof.
9.3. Data breach assistance
Where necessary and appropriate, the Parties shall provide reasonable assistance to each other to facilitate the handling of a Personal Data Breach in a timely manner and to comply with their respective obligations under Applicable Data Protection Law, including taking steps to assist each other in the investigation, mitigation, remediation, and notification(s) of the breach.
10. Government or Law Enforcement Request for Cloudera Personal Data
If a Party receives a legally binding request, demand, or other order from a government (including judicial) or law enforcement authority for the disclosure of Personal Data, the Party shall not disclose such data requested until required to do so under the applicable procedural rules and shall provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. The Party shall attempt to redirect the request to the Data Subject(s) or to notify the Data Subject(s) of the request to the extent permitted by applicable law. The Party agrees to preserve and document the information related to the request.
11. Non-Compliance, Termination, and Liability
Each Party shall inform the other Party if it is unable to comply with this DPA, for whatever reason.
If a Party is in violation of its obligations under this DPA or unable to comply with the DPA, the other Party may suspend the Processing under this DPA until that Party complies with the DPA or the DPA is terminated.
A Party shall be entitled to terminate this DPA if:
11.3.1. The Party has suspended the Processing pursuant to 11.2. and if the other Party does not restore compliance with this DPA within a reasonable time and no later than thirty (30) days following suspension;
11.3.2. The other Party is in substantial or persistent breach of this DPA based on documented evidence; or
11.3.3. The other Party fails to comply with a binding decision of an independent competent court or a Data Protection Authority regarding its obligations pursuant to this DPA.
11.4.1. Each Party shall be liable to the other Party for any damages it causes the other Party by any violation of this DPA. Each Party’s (and each of its affiliate’s) liability, taken together in the aggregate, arising out of or related to this DPA, including without limitation under the EU SCCs, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability under the Agreement, and any reference in such section(s) to the liability of a Party means the aggregate liability of that Party and all of its affiliates under the Agreement, this DPA, and the EU SCCs together.
11.4.2. Each Party shall be liable to a Data Subject if it violates the Data Subject’s rights in relation to this DPA and/or under Applicable Data Protection Law. The Data Subject shall be entitled to receive compensation, for any material or non-material damages, from the Party that causes(ed) the Data Subject by breaching the Data Subject’s rights under this DPA and/or Applicable Data Protection Law.
11.4.3. Where more than one Party is responsible for any damage caused to the Data Subject as a result of a violation of Applicable Data Protection Law in relation to this DPA, all responsible Parties shall be jointly and severally liable and the Data Subject is entitled to bring an action in a competent, independent court against any Party.
18.104.22.168. The Parties agree that if one Party is held liable under paragraph 11.4.3., it shall be entitled to claim back from the other Party that part of the compensation corresponding to its responsibility for the damage.
11.4.4. The liable Party or Party in breach may not invoke the conduct of a Processor or sub-processor to avoid its own liability.
A Party that is in breach of its obligations under this DPA shall indemnify the other Party against any claims by a third party or Data Protection Authority that arise as a result of the breaching Party.
12. General Terms
12.1.1. Each Party may propose in a written notice, from time to time, amendments to this DPA, a Party reasonably considers to be necessary to address Applicable Data Protection Law or guidance or requirements issued by a Data Protection Authority.
12.1.2. Upon receipt of such notice, each Party shall agree to cooperate and negotiate in good faith with a view to agreeing to and implementing the proposed amendments or alternatives, if appropriate, as soon as is reasonably practicable. The Parties shall not unreasonably withhold or delay agreement to any consequential variations to this DPA that places a Party at risk of infringing Applicable Data Protection Law.
12.1.3. Any variation of this DPA shall only be effective if it is in writing and signed by the authorized representatives of each Party.
12.2. No Waivers
No failure or delay by a Party to exercise any right or remedy provided under this DPA or by Applicable Law or Applicable Data Protection Law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.
In the event of any conflict or contradiction with respect to Processing of Personal Data between this DPA and related agreements, including the Agreement, this DPA shall prevail, except where explicitly agreed otherwise in writing and signed on behalf of by both Parties.
In the event of any conflict or inconsistency between this DPA and the EU SCCs, if applicable, the EU SCCs shall prevail.
This DPA does not and will not establish any joint venture between any of the Parties, constitute any Party the agent of another Party, or authorize any Party to make or enter into any commitments for or on behalf of any other Party.
Should an independent, competent court within a country, jurisdiction, or territory in which the Parties are subject to Applicable Data Protection Law deem any provision of this DPA to be invalid or unenforceable, then the remainder of the DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible; or (b), if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
This DPA shall take effect on the date the Parties execute or enter into the Agreement and shall remain in effect for the term of the Agreement, or until terminated by a Party on ninety (90) days’ written notice to the other Party.
14. Governing Law and Jurisdiction
14.1. Governing Law
The laws of the country or territory stipulated in the Agreement shall govern this DPA and all non-contractual or other obligations arising out of or in connection with it.
14.2. Forum and Jurisdiction
The Parties shall submit to the jurisdiction stipulated in the Agreement with respect to any disputes or claims arising out of or in connection with this DPA, including disputes regarding its existence, validity, or termination or the consequences of its nullity.
Exhibit I - List of Parties to this DPA
Address: 5470 Great America Pkwy, Santa Clara, CA 95054 USA
Partner: the Party signing, entering into, or executing the Agreement
Address: the Party’s principal place of business or headquarters
Exhibit II - Description of the Data Processing
Categories of Data Subjects
- Employees, Personnel, and/or Staff
- Customers, Clients, and/or End Customers
- Vendors, Suppliers, and/or Third-party Service Providers
- Prospective Customers and/or Clients (prospects)
- Event or Webinar Audience Members, Attendees, Registrants, and/or Participants
Categories of Personal Data
The categories of Personal Data may include Account Data and:
- Name: First name and last name
- Business contact information: email, telephone or mobile number, office/mailing/billing address/location
- Professional information: Employer (company) name; Job title, role, or position
- Other Identifiers: System username/user ID; IP address
Nature and Purpose(s) for which the Personal Data are Processed
- To process personal data for purposes of the partner relationship, which involves, among other things, account creation, administration, and management; business activities necessary to operate the partnership program; the collection, recording, managing, organizing, storage, sharing, transmission, disclosure, transfer, and exchange of the data for advertising, promotional, marketing, and/or sales related activities; contract or customer relationship management; internal auditing, research, and development; and activities related to product and service quality, enhancement, and improvement.
Frequency of the Processing
- As determined by the Parties in accordance with the Agreement
Duration of Processing
- The duration of the Data Processing is stipulated in provision 13 of this DPA.
Data Retention Period
- The data retention period is set forth in provision 5 of this DPA.
Cloudera affiliates and Sub-Processors
The Cloudera affiliates and Sub-Processors engaged or involved in the Processing of Personal Data depend on the terms and conditions of the Agreement, any other contractual arrangements made between the Parties, and the geographical location of the Processing. Refer to Cloudera's Authorized Sub-processors and Affiliates for more information.
Exhibit III - Technical & Organizational Measures
In accordance with subsection 4.1 of this DPA, the Parties each agree to implement and maintain technical and organizational measures (“TOMs”) that ensure the security, confidentiality, integrity, and availability of the Personal Data, including protecting such data against a Personal Data Breach. In doing so, the Parties agree to implement and maintain commercially reasonable and accepted industry standards and practices, e.g., ISO 27001 standards, for the protection of personal data. For more information on Cloudera’s TOMs, refer to Cloudera’s Trust Center.
Exhibit IV - EU Standard Contractual Clauses
By entering into this DPA, the Parties are hereby executing the European Commission Standard Contractual Clauses (“EU SCCs”) as a legally binding contract. The Parties agree to the EU SCCs for MODULE ONE: Transfer controller to controller, as follows:
- Depending on the circumstances, (a) Cloudera may be the data exporter and Partner may be the data importer or (b) Cloudera may be the data importer and Partner may be the data exporter.
- The optional Clause 7 [Docking Clause] shall NOT apply.
- For Clause 8.5(b), the technical and organisational measures are set out in Exhibit III of this DPA.
- The optional provision in Clause 11(a) [Redress] shall NOT apply.
- For Clause 17 [Governing Law], the laws of the Republic of Ireland shall govern the EU SCCs.
- For Clause 18(b), [Choice of forum and jurisdiction], the courts of the Republic of Ireland shall resolve any disputes arising from these SCCs.
- Annex I.A [List of Parties] is set forth in Exhibit I of this DPA.
- Annex I.B [Description of Transfer] is set forth in Exhibit II of this DPA.
- For Annex I.C, the Competent Supervisory Authority is the Data Protection Commission of the Republic of Ireland in accordance with Clause 13.
- Annex II [Technical and Organisational Measures] is set forth in Exhibit III of this DPA.
- Annex III [List of Sub-Processors]: Not Applicable
Exhibit V - UK International Data Transfer Addendum
With respect to any transfer of Personal Data outside of the United Kingdom (“UK”) or of Personal Data subject to UK data protection legislation to a third country (without an adequacy decision or its equivalent), the Parties agree that the UK International Data Transfer Addendum (“IDTA”) to the EU Commission Standard Contractual Clauses (“EU SCCs”) (Version B1.0) issued by the UK Information Commissioner for Parties making Restricted Transfers (as may be amended, updated, or superseded from time to time) shall apply to the EU SCCs in Exhibit IV of this DPA as follows:
- Table 1: Parties
- The Start Date is the date of the execution of this DPA by the Parties.
- The Parties are set forth in Annex I.A of the EU SCCs to which this IDTA is appended.
- Table 2: Selected SCCs, Modules and Selected Clauses
- Addendum EU SCCs:
- The version of the Approved EU SCCs to which this IDTA is appended, including the Appendix Information, applies.
- Addendum EU SCCs:
- Table 3: Appendix Information
- Annex 1A: List of Parties:
- The Parties are set forth in Annex I.A of the EU SCCs to which this IDTA is appended.
- Annex 1B: Description of Transfer:
- The Description of the Transfer is set forth in Annex I.B of the EU SCCs to which this IDTA is appended.
- Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data:
- The technical and organisational measures are set forth in Annex II of the EU SCCs to which this IDTA is appended.
- Annex III: List of Sub processors:
- Not Applicable
- Annex 1A: List of Parties:
- Table 4: Ending this Addendum when the Approved Addendum Changes:
- Cloudera, whether acting as the Exporter or Importer, may end this IDTA as set out in Section 19 of the IDTA.
- Part 2 of IDTA is incorporated herein by reference. However, the Alternative Part 2 Mandatory Clauses will not apply.
By entering into this DPA and the EU SCCs in Exhibit IV, the Parties are hereby entering into the UK IDTA as a legally binding contract.
Exhibit VI - Switzerland Data Transfers
With respect to any transfer of Personal Data outside of Switzerland or of Personal Data governed by the Switzerland Federal Act on Data Protection (“FADP”) and, when applicable, the revised FADP (“revFADP”), to a third country (without an adequacy decision or its equivalent), the Parties agree that the EU Standard Contractual Clauses (“EU SCCs”) in Exhibit IV of this DPA shall apply, subject to the following terms and conditions:
- References: To the extent applicable, the terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the EU SCCs shall be interpreted to include the Federal Act on Data Protection of 19 June 1992 (the “FADP,” and as revised as of 25 September 2020, the “revFADP”) insofar as the data transfers are subject to the FADP or revFADP.
- Clause 13: Insofar as the transfer of Personal Data is governed by the FADP, the competent supervisory authority with parallel supervision (in accordance with Annex I.C of the EU SCCs) is the Federal Data Protection and Information Commissioner of Switzerland. Insofar as the transfer is governed by the GDPR, the criteria of Clause 13(a) for the selection of the competent authority must be observed.
- Clause 17: The EU SCCs shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights.
- Clause 18(b): Any dispute arising from the EU SCCs shall be resolved by the courts of an EU Member State.
- Clause 18(c): The term “Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
- revFADP: The EU SCCs shall protect the data of legal entities until the entry into force of the revised Switzerland FADP.