A-dec Dental Equipment
Contact Sales

Data Processing Agreement

Effective Date: January 7, 2022

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Independent Dealer Agreement or any other agreement (“Agreement”) between A-dec, Inc. (“A-dec”) and the authorized dealer (“Dealer”) named in such Agreement to reflect the understanding of the parties regarding the Processing of Personal Data (as those terms are defined below). This DPA will apply to all Processing of Personal Data by Dealer while providing the services described and/or defined in the Agreement (“Services”).

1. Definitions

Applicable Laws” means all statutes, laws, rules, regulations, ordinances, and the like of any federal, international, city, state, provincial, or local government or governmental agency applicable to the Services.
Data Protection Laws” means Applicable Laws relating to privacy, security, or protection of Personal Data (including but not limited to the EU General Data Protection Regulation (Regulation 2016/679), the GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Addendums etc.) (EU Exit) Regulations 2019 (SI 2019/419) (“UK GDPR”), the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances (“Swiss DPA”) the California Consumer Protection Act, and the amending California Privacy Rights Act) and any subsequent supplements, amendments, or replacements to the same. 
Personal Data” means any Personal Data Processed by Dealer in connection with the Services, including Personal Data provided by or made available by A-dec to Dealer or collected by Dealer on behalf of A-dec. 
A-dec Systems” means any hardware, software, networks, or other information technology resources owned or operated by, or on behalf of, A-dec.
Data Breach” means any unauthorized interference with the availability of, or any unauthorized, unlawful or accidental loss, misuse, destruction, alteration, acquisition of, access to, disclosure of, or damage to the Personal Data, or any other unauthorized Processing of Personal Data or unauthorized access to A-dec Systems.
Data Subject” means an identified or identifiable natural person about whom Personal Data is Processed under this Agreement or as otherwise defined (including under similar terms such as “consumer”) under Data Protection Laws.
Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household or with a particular individual’s or household’s device; or any inferences drawn therefrom. Personal Data includes, but is not limited to, name, alias, postal address, social security number, identification number, biometric identifiers, credit/debit card information, driver’s license number (or other unique government identifier, such as passport or military ID), phone number, physical address, email address, details of orders and fulfilments, location data, employment or educational information, online identifiers such as internet protocol addresses, cookie or other unique identifiers, criminal background check, work authorization, or to one or more factors specific to the physical, physiological, genetic, mental, economic, financial, cultural, sexual orientation, union status, or social identity of the individual, or as otherwise defined (including under similar terms such as personal information, personal data, personal health information, personally identifiable information, and sensitive personal information) under Data Protection Laws.
Process,” Processed,” or “Processing” means the collection, receipt, recording, organization, structuring, alteration, use, transmission, access, sharing, provision, disclosure, distribution, copying, transfer, storage, management, retention, deletion, combination, restriction, summarizing, aggregation, correlation, inferring, derivation, analysis, adaptation, retrieval, consultation, destruction, disposal, or other handling or control of Personal Data.
Sell” or “Selling” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Data to another business or a third party for monetary or other valuable consideration.  
Share” or “Sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party, whether or not for monetary or other valuable consideration.
Standard Contractual Clauses” or “SCCs” or “Clauses” means the standard contractual clauses for international transfers published by the European Commission on June 4, 2021, governing the transfer of European Area Personal Data to Third Countries as adopted by the European Commission, the UK Information Commissioner (“UK ICO”) (as they may apply for UK to Third Country transfers), the  Swiss Federal Data Protection and Information Commissioner (“Swiss FDPIC”) relating to data transfers to Third Countries or any similar such clauses by a data protection regulator relating to data transfers to Third Countries, including without limitation any successor clauses thereto.
Third Country” or “Third Countries” means countries that, where required by Data Protection Laws, have not received an adequacy decision from an applicable authority relating to data transfers, such as regulators from the European Commission, UK ICO, or the Swiss FDPIC.
The terms “Controller,” “Sub-processor,” “Processor,” “Business,” and “Service Provider” will have the meanings given to them under Data Protection Laws.

2. Ownership/Licenses

For purposes of this DPA, as between A-dec and Dealer, A-dec retains all right, title, and interest in and to Personal Data. A-dec grants to Dealer a limited, revocable, non-exclusive, non-transferable (except as permitted under the Agreement) right and license to use and otherwise Process Personal Data and to sublicense to approved Sub-processors and/or Service Providers, as applicable, solely as necessary to perform the Services under the Agreement and subject to restrictions and obligations in this DPA and Data Protection Laws.

3. Roles and Responsibilities

3.1 Roles of Parties. The parties acknowledge and agree that with respect to Processing of Personal Data, Dealer is, as applicable, a Processor and/or a Service Provider and A-dec is, as applicable, a Controller and/or a Business.
3.2 Details of Processing. Dealer will provide to A-dec in writing appropriate and accurate information regarding its Processing of Personal Data Processed in connection with the Services including information about the categories of Personal Data, how such data is collected and Processed, and the purposes for which such data is used, in a manner appropriate to allow A-dec to meet its record keeping and notice and consent obligations under Data Protection Laws, including information as set forth in Annex A (Details of Processing).
3.3 Instructions. Dealer will use, retain, disclose or otherwise Process Personal Data only on behalf of A-Dec and for the specific business purpose of providing the Services and in accordance with A-dec’s written instructions, including as described in the Agreement. Dealer will inform A-dec if, Dealer determines that it is no longer able to meet its obligations under Data Protection Laws or where any of its instructions infringe any Data Protection Laws. A-dec reserves the right to take reasonable and appropriate steps to discontinue and remediate unauthorized use of Personal Data.  
3.4 Limitation on Use. (a) Dealer will have rights to use, retain, and/or disclose Personal Data solely (i) to the extent necessary or appropriate to (A) perform its obligations under the Agreement; (B) create and disclose aggregate statistics about Personal Data and the Service in a manner that prevents individual identification of A-dec or the individual Data Subjects of Personal Data; and/or (C) protect the Service from a threat to the Service, Personal Data, A-dec Systems, and/or Dealer systems; or (ii) if required by Applicable Laws or imposed by judicial or administrative process or any governmental or court order (collectively, “Order”), provided that prior notice first be given to A-dec, unless such notice is prohibited by Applicable Laws or Order; or (iii) as otherwise expressly authorized by A-dec in writing; (b) Dealer will not otherwise Sell or Share Personal Data, including but not limited to for purposes of cross-contextual behavioral advertising; (c) Dealer will not combine Personal Data with Personal Data Dealer may receive from other sources and customers, including Personal Data collected from Dealer’s independent interaction with the Data Subjects (this restriction does not include combining Personal Data solely in the context of the business purpose of providing the Services); and (d) Dealer will not engage in Processing of Personal Data, or any other activities, in connection with this Agreement in a way that may cause A-dec to breach any of its obligations regarding Personal Data under Data Protection Laws or obligations to other A-dec customers.
3.5 Certification. Dealer certifies that it understands these obligations and restrictions under this Section 3 and will comply with them.
3.6 Personnel Training and Confidentiality. Dealer will ensure that all Dealer employees, agents, officers, consultants, Processors, Sub-processors, Service Providers, and any third party authorized to Process Personal Data are (a) properly trained regarding obligations under this DPA and Data Protection Laws; and (b) subject to written confidentiality agreements that provide substantially the same level of protection for Personal Data as provided in this DPA and the Agreement and as required by Data Protection Laws.

4. Security 

4.1 Data Security Obligations. Dealer will implement and maintain commercially reasonable organizational, administrative, technical, and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Personal Data and the nature of its activities under the Agreement, to protect the security, confidentiality, and integrity of the Personal Data in Dealer’s control, including such safeguards designed to (a) protect the security of systems upon which Personal Data is Processed; and (b) prevent any Data Breach. To the extent required by Data Protection Laws, any such measures will include procedures and practices further described in an appendix to the Agreement. Dealer’s personnel will not process Personal Data without authorization.
4.2 Data Breach. (a) In addition to, and without limiting, any other right or remedy available to A-dec under this Agreement or at law or equity, in the event of any actual or potential Data Breach, Dealer will immediately take reasonable and appropriate steps to: (i) notify A-dec of such Data Breach after Dealer discovers or learns of such Data Breach; (ii) furnish to A-dec full details of the Data Breach; (iii) take appropriate steps without unreasonable delay to investigate, mitigate, and remedy the Data Breach and prevent further Data Breaches, including, if deemed appropriate by A-dec, hiring qualified forensics investigators, approved and under contract of confidentiality with A-dec, to assist with the same; (iv) assist A-dec in its investigation, mitigation, and remedying of the Data Breach; (v) assist A-dec in preparing and providing notices to individuals affected by the Data Breach, and any others as deemed appropriate by A-dec, to inform such persons of the facts and circumstance of the incident which may include, naming Dealer in connection with Data Breach; (vi) cooperate with A-dec in any litigation or regulatory action related to the Data Breach; and (vii) cooperate with A-dec in any other reasonable action, step, or proceeding as may be deemed necessary by A-dec in connection with the Data Breach and any dispute, inquiry or claim concerning the Data Breach. Dealer agrees to completely remedy any Data Breach no later than within 30 days of discovery of a Data Breach and provide full details of steps Dealer will take to prevent such a Data Breach from reoccurring. Dealer agrees to take the foregoing responsive measures, including cost of notice and, if applicable, costs of credit monitoring and repair services at its sole cost and expense if Dealer’s actions or omissions cause or contribute to the Data Breach.  Dealer's failure to remedy any Data Breach in a timely manner will be a material breach of the Agreement. (b) Unless prohibited by Applicable Laws or Order, Dealer will immediately notify A-dec of any third-party legal process relating to any Data Breach, including, but not limited to, any legal process initiated by any governmental entity. (c) Dealer’s cooperation or obligation to report or respond to Data Breaches under this DPA will not be deemed an acknowledgment by Dealer of any fault or liability of Dealer with respect to a Data Breach.
4.3 Security Audit. Dealer will ensure that the systems that process, handle, and/or store A-dec Personal Data are audited annually against commercially accepted industry-recognized standards. Upon request from A-dec, the summary report of any security audit will be provided to A-dec following the completion of such audit. Dealer will promptly correct each material vulnerability discovered and will certify the same in writing to A-dec upon written request.

5. Sub-processors and Service Providers

5.1 Sub-processors. To the extent required by Data Protection Laws, Dealer may provide access to or transfer Personal Data to a third party (including any affiliates, group companies, or subcontractors) only with the express, prior, written consent of A-dec. Dealer will maintain a list of its current Sub-processors. A-dec consents to access and/or transfer to only those Sub-processors approved by A-dec in writing. When requested by A-dec, Dealer will make available to A-dec an up-to-date list of current Sub-processors.
5.2 Sub-processors and Service Providers. Dealer will enter into written agreements with Sub-processors and/or Service Providers. Those agreements will contain obligations that are no less protective of Personal Data than the obligations placed on Dealer under this DPA. Where a Sub-processor and/or Service Provider appointed by Dealer to Process Personal Data in performance of the Services fails to fulfill its obligations under any sub-processing agreement or Data Protection Laws, Dealer will remain fully liable to A-dec for the fulfilment of Dealer’s obligations under this DPA and the Agreement.

6. Compliance Assistance

6.1 General. Dealer certifies that it understands the obligations and restrictions under this DPA and will comply with, and assist A-dec in complying with, obligations (e.g., Data Protection Impact Assessments, if applicable) regarding Personal Data under this DPA, the Data Protection Laws, and applicable and accepted industry standards, including any applicable self-regulatory programs. Upon request by A-dec, Dealer will provide reasonable assistance and information to A-dec regarding Dealer’s Processing of Personal Data. 
6.2 Inquiries and Consultations. Dealer will assist A-dec in complying with A-dec’s obligations relating to investigation or inquiries from government entities or regulators and any consultations with any supervisory or regulatory authority.
6.3 Audits and Assessments. Upon request by A-dec, in addition to the security audits described in Section 4.3, Dealer will procure and make available to A-dec audit and assessment reports conducted by a qualified independent third party approved by A-dec to confirm Dealer’s compliance with its obligations under this DPA. If the audit reveals any vulnerability or inadequacy, Dealer will correct any such vulnerability or inadequacy at its sole cost and expense and will certify the same in writing to A-dec. Dealer will use best efforts to correct or mitigate all vulnerabilities and inadequacies without unreasonable delay.
6.4 Complaints. Dealer will promptly notify A-dec if it receives or learns of: (a) any complaint, inquiry, investigation, request, or any other communication relating an actual or alleged violation of privacy or data security relating to the Service, Personal Data, or A-dec Systems and (b) any request from a government entity or regulator provided such notice to A-dec is not prohibited by law or court order. Dealer will provide A-dec with full co-operation and assistance in relation to any such communication or request including by providing A-dec with full details of any such communication or request, investigation of any actual or alleged violation, and information needed to further investigate any actual or alleged violation and respond to such communications or request. Dealer will comply with any instructions given by A-dec regarding responding to such communications.
6.5 Data Subject Rights. Dealer will immediately notify A-dec in writing, and in any case without undue delay, if Dealer receives (i) any requests from a Data Subject, including individual opt-out requests, requests for access and/or deletion, and all similar individual rights requests; or (ii) any complaint or inquiry relating to the Processing of Personal Data, including allegations that the Processing infringes on any individual's or third party's rights. Dealer will not respond to any such request or complaint unless expressly authorized to do so by A-dec in writing or required to respond under Data Protection Laws. Dealer will comply with any instructions given by A-dec regarding responding to such requests, complaints, or inquiries.

7. Location of Processing

To the extent required by Data Protections Laws, Dealer may Process Personal Data in the locations listed in Annex A, provided Dealer cooperates with A-dec to comply with applicable data transfer restrictions and obligations required by Data Protection Laws. Dealer will not Process such Personal Data outside of the locations listed in Annex A without A-dec’s knowledge and written authorization.

8. Transfers to Third Countries

8.1 European Area Personal Data Transfers. Transfers of European Area Personal Data (except UK Personal Data) by A-dec to Dealer or Dealer to A-dec in Third Countries are subject to the Standard Contractual Clauses (Module Two (Controller to Processor) and Module Three (Processor to Processor)) attached to this DPA as Annex B.  In the event Dealer is a European Area Processor transferring Personal Data to A-dec, and where A-dec is a Controller of such Personal Data, Module 4 (Processor to Controller) will apply. The information required for the purposes of the SCCs is provided in Annex A (Details of Processing) to this DPA.
8.2 UK and Swiss Personal Data Transfers. Where the Personal Data is subject to the UK GDPR or the Swiss DPA, the SCCs above will be read to be modified as described in Annex A. The information required for the purposes of UK data transfers is provided in Annex A (Details of Processing).
8.3 Onward Transfers. In connection with the provision of the Services, Dealer may receive from or transfer and Process Personal Data to Third Countries provided that its Sub-processors take measures to adequately protect such data consistent with applicable Data Protection Laws. Such measures may include to the extent available and applicable under such laws: (a) Adequacy. Processing in a country, a territory, or one or more specified sectors that are considered under applicable Data Protection Laws as providing an adequate level of data protection; (b) SCCs. The parties’ agreement to enter in to and comply with the Standard Contractual Clauses in Annex B and any successors or amendments to such clauses or such other applicable contractual terms adopted and approved under Data Protection Laws; (c) BCRs. Processing in compliance with Binding Corporate Rule in accordance with Data Protection Laws; or (d) Other Approved Transfer Mechanisms. Implementing any other data transfer mechanisms or certifications approved under Data Protection Laws, including, as applicable, any approved successor or replacement to the EU–US Privacy Shield framework, the Swiss–US Privacy Shield framework.
8.4 To the extent that any substitute or additional appropriate safeguards or mechanisms under any Data Protection Laws are required to transfer data to a Third Country the parties agree to implement the same as soon as practicable and document such requirements for implementation in an attachment to this DPA.

9. Retention, Deletion, and Return

Upon expiration or termination of the Agreement for any reason or within seven days after A-dec’s request, Dealer will (a) destroy all Personal Data under Dealer’s control or provide A-dec with the ability to delete such Personal Data directly through tools or functionality made available by Dealer. Notwithstanding the foregoing, Dealer may retain, subject to the terms of this DPA, Personal Data that (i) Dealer is required to retain by Applicable Laws, or (ii) are automatically retained as part of a computer back-up, recovery, or similar archival or disaster recovery system; provided that such copies are overwritten within a reasonable period of time (e.g., within 90 days) and not intentionally accessed except where required or requested by Applicable Laws or Order; and/or (b) provide a copy of all Personal Data in Dealer’s control to A-dec. Upon written verification from A-dec of A-dec’s receipt of such Personal Data, or absent such request, Dealer will promptly destroy such data in a reasonably secure manner. Upon A-dec’s request, an officer of Dealer will certify in writing that no Personal Data has been retained, except as provided under this Section 9.

10. Limitation of Liability and Indemnification

Liability and indemnification arising out of or in connection with this DPA will be subject to the exclusions, limitations, and obligations set forth in the Agreement.

11. General Terms

11.1 Term. This DPA will remain in effect for as long as Dealer Processes Personal Data.
11.2 Prior Agreements. This DPA will replace any existing data processing agreement or similar document that the parties may have previously entered into.
11.3 Notices. All notices under this DPA will be in writing and delivered as set forth in the Agreement.
11.4 Governing Law and Venue. Governing law and venue are set forth in the Agreement.
11.5 Survival. The provisions of this DPA that, by their terms, require performance after the termination or expiration of this DPA or have application to events that may occur after the termination or expiration of this DPA, will survive the termination or expiration of this DPA, including but not limited to Sections 2, 3, 4, 5, 6, 10, and 11.
11.6 Severance. If any provision in this DPA is found or held to be invalid or unenforceable under Applicable Laws, then the meaning of such provision will be construed, to the extent feasible, so as to render the provision enforceable, and if no feasible interpretation would save such provision, it will be severed from the remainder of this DPA, which will remain in full force and effect. In such event, the parties will negotiate, in good faith, a substitute, valid, and enforceable provision which most nearly effects the intent of the parties in entering into this DPA.
11.7 Enforcement. No one other than a party to this DPA or its successors and permitted assignees will have any right to enforce its terms.
11.8 Order of Precedence. Should there be a conflict between this DPA and the Agreement, this DPA will govern. Should there be a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will govern.
11.9 Updates. A-dec may modify this DPA at any time. If material changes are made to this DPA, A-dec will notify Dealer here, by e-mail, or by means of a notice on the A-dec home page prior to the change becoming effective.

Annex A – Details of Processing

1. Data Exporter

Company Name Address Contact name, position, and contact information Role
A-dec, Inc. 2601 Crestview Drive
Newberg, Oregon 97132 USA
Privacy Office
privacy@a-dec.com
Controller

2. Data Importer

Company Name Address Contact name, position, and contact information Role
See applicable Agreement Processor

3. Activities
The activities relevant to the Personal Data transferred are more fully described in the Agreement.

4. Processing Information

Data Subjects
Employees, customers (e.g., dentist offices, employees of dentist offices, etc.), potential customers, and as may be set forth in the Agreement
Personal Data Categories Name, business email address, business address, business fax number, business phone number, and as may be set forth in the Agreement
Sensitive Personal Data None
Frequency of Transfer Continuous
Nature and Purpose To facilitate the Services, as set forth in the Agreement
Duration As set forth in the Agreement
Sub-processor Transfers As set forth in the Agreement

5. Standard Contractual Clauses Information

SCC Clause GDPR Swiss DPA UK GDPR
Clause 7 – Docking Clause An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer by, by completing the Appendix to the Clauses and signing Annex I.A. to the Clauses.
Clause 9(a) – Use of Sub-processors GENERAL WRITTEN AUTHORISATION: The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
Clause 17 – Governing Law Module Two:
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Module Four:
These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Switzerland. These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of England and Wales.
Clause 18 – Choice of Forum and Jurisdiction Module Two:
Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State. The Parties agree that those shall be the courts of Ireland.

Module Four:
Any dispute arising from these Clauses shall be resolved by the courts of Ireland.
The Parties agree that those will be the competent courts of Switzerland. The Parties agree that those will be the courts of England and Wales.
Annex I.A. – List of Parties This information can be found in Sections 1, 2, and 3 above.
Annex I.B. – Description of Transfer This information can be found in Section 4 above. To the extent applicable, the descriptions of safeguards applied to the special categories of Personal Data can be found in the applicable appendix to the Agreement.
Clause 13 and Annex I.C. – Competent Supervisory Authority Irish Data Protection Commission FDPIC UK ICO
Annex II – Technical and Organizational Measures The description of technical and organization measures designed to ensure the security of Personal Data are more fully described in the applicable appendix of the Agreement.
Annex II – Technical and Organizational Measures – Sub-processors The description of technical and organization measures designed to ensure the security of Personal Data are more fully described in the applicable appendix of the Agreement.
Annex III – List of Sub-processors Intentionally omitted as not applicable based on the general authorization of sub-processors under Clause 9(a).
  1. Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.
  2. This requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone, in line with recital 26 of Regulation (EU) 2016/679, and that this process is irreversible.
  3. The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.
  4. The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.
  5. See Article 28(4) of Regulation (EU) 2016/679 and, where the controller is an EU institution or body, Article 29(4) of Regulation (EU) 2018/1725.
  6. The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purposes of these Clauses.
  7. This includes whether the transfer and further processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.
  8. This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
  9. This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.
  10. That period may be extended by a maximum of two more months, to the extent necessary taking into account the complexity and number of requests. The data importer shall duly and promptly inform the data subject of any such extension.
  11. As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.