Data Processing Terms
In the course of providing Mine’s platform (“Service”) to Customer pursuant to the Agreement, Mine may Process Customer Personal Data on behalf of Customer. The parties agree to comply with the following provisions with respect to Customer Personal Data Processed by Mine as part of the Services.
1. DEFINITIONS
- 1.1. “Affiliate” means a corporation which directly controls or is controlled by or is under common control with Customer. As used in this section, control means direct ownership of fifty percent (50%) or more of the shares of stock entitled to vote for the election of directors.
- 1.2. “Data Controller”, “Business”, “Data Processor”, and “Service Provider” will have the same meaning as under applicable Privacy Laws and Regulations.
- 1.3. “Customer Personal Data” means Personal Data that Mine Processes on behalf of Customer as part of the provision of Services.
- 1.4. “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Data Subject includes Consumer as such term is defined under the CCPA.
- 1.5. “Personal Data” means any information relating to a Data Subject. Personal Data includes Personal Information as such term is defined under the CCPA.
- 1.6. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- 1.7. “Personnel” means persons authorized by Mine to Process Customer Personal Data.
- 1.8. “Privacy Laws and Regulations” means: (A) Regulation (EU) 2016/679 (“GDPR”); (B) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the “UK GDPR”); and, (C) the California Consumer Privacy Act of 2018 Cal. Civil Code § 1798.100 et seq. and any successor thereof (“CCPA”).
- 1.9. “Third Country” means a country outside the European Economic Area (“EEA”), the UK or Switzerland, which was not acknowledged by the EU Commission, a UK Secretary of State or the FDPIC (as applicable) as providing an adequate level of protection in accordance with Article 45(3) of the GDPR, Article 45 of the UK GDPR or the equivalent.
2. DATA PROCESSING
- 2.1. Scope and Roles. This DPA applies when Customer Personal Data is Processed by Mine as part of Mine’s provision of the Service. In this context, for the purposes of the GDPR, Customer is the Data Controller and Mine is the Data Processor and for the purposes of the CCPA, Customer is a Business and Mine is the Service Provider.
- 2.2. Subject Matter, Duration, Nature and Purpose of Processing. Mine Processes Customer Personal Data as part of providing Customer with the Service, pursuant to the specifications and for the duration under the terms of the Agreement.
- 2.3. Instructions for Mine’s Processing of Customer Personal Data. Mine will Process Customer Personal Data on behalf of and in accordance with Customer’s instructions. Customer instructs Mine to Process Customer Personal Data for the following purposes:
- 2.3.1. Processing in accordance with the Agreement and applicable order forms, including, without limitation, to provide, operate, control, supervise, and safeguard the Services – all integral parts of the provision of Services to Customer; and,
- 2.3.2. Processing to comply with other reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement and comply with applicable Privacy Laws and Regulations. Processing outside the scope of this DPA (if any) will require prior written agreement between Mine and Customer on additional instructions for Processing, including agreement on any additional fees Customer will pay to Mine for carrying out such instructions. Customer undertakes to provide Mine with lawful instructions only.
- 2.4. As required under the GDPR, Mine will inform Customer immediately if, in Mine’s opinion, an instruction infringes any provision under the GDPR, and will be under no obligation to follow such instruction until the matter is resolved in good faith between the parties.
- 2.5. Mine will not (1) Sell Customer Personal Data, or (2) retain, use or disclose Customer Personal Data (A) for any purpose other than for the specific purpose of performing the Service, or (B) outside of the direct business relationship between Customer and Mine, except as permitted under applicable Privacy Laws and Regulations. Mine acknowledges and will comply with the restrictions set forth in this Section 2.5.
- 2.6. Customer undertakes to provide all necessary notices to Data Subjects and receive all necessary permissions and consents, or otherwise secure the required lawful ground of Processing, as necessary for Mine to Process Customer Personal Data on Customer’s behalf under the terms of the Agreement and this DPA, pursuant to applicable Privacy Laws and Regulations. Customer undertakes to advise its customers of Mine’s data Processing activities on behalf of Customer (namely that the exercise of Data Subjects’ rights is Processed and managed by Mine).
- 2.7. To the extent required under applicable Privacy Laws and Regulations, Customer will appropriately document Data Subjects’ notices and consents, or necessary assessment with other applicable lawful grounds of Processing.
- 2.8. CCPA specific provisions. To the extent that the CCPA applies to the processing of Customer Personal Data by Mine, the following provisions apply to such processing:
- 2.8.1. Customer and Mine acknowledge that: (A) Customer Personal Data is disclosed to Mine only for the limited Business Purpose of providing Customer with the Platform and Services (the “Purpose”); and, (B) Customer is not Selling Customer Personal Data to Mine.
- 2.8.2. Customer will notify Mine of any valid request received from an Individual pursuant to CCPA that Mine must comply with and will provide all information necessary for Mine to comply with such request.
- 2.8.3. Mine will: (A) comply with all provisions under CCPA applicable to Mine, including with respect to providing the same level of protection to privacy as required under CCPA; and, (B) notify Customer no later than within five (5) business days after determining that Mine can no longer meet its obligations under CCPA.
- 2.8.4. Mine will not: (A) Sell Customer Personal Data; (B) Share (within the meaning thereof under the CCPA) Customer Personal Data other than with Mine’s Other Processors in accordance with the provisions of the DPA; (C) unless otherwise permitted under CCPA, retain, use, or disclose Customer Personal Data: (i) for any purposes other than those specified under the DPA; (ii) for any commercial purpose other than the Purpose, including in providing services to other customers of Mine; or, (iii) outside the direct business relationship between Customer and Mine.
- 2.8.5. Customer may: (A) take reasonable and appropriate steps to ensure that Mine uses Customer Personal Data in a manner consistent with Customer’s obligations under CCPA; (B) upon notice, take reasonable and appropriate steps to stop and remediate Mine’s unauthorized use of Customer Personal Data.
3. ASSISTANCE
- 3.1. Taking into account the nature of the Processing, Mine will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising Data Subjects’ rights, as required under applicable Privacy Laws and Regulations.
- 3.2. Mine will further assist Customer in ensuring compliance with Customer’s obligations in connection with the security of Processing, notification of a Personal Data Breach related to Customer Personal Data to supervisory authorities and affected Data Subjects, Customer’s data protection impact assessments and Customer’s prior consultation with supervisory authorities, in relation to Mine’s Processing of Customer Personal Data under this DPA. Except for negligible costs, Customer will reimburse Mine with costs and expenses incurred by Mine in connection with the provision of assistance to Customer under this DPA.
4. PERSONNEL
- 4.1. Limitation of Access. Mine will ensure that Mine’s access to Customer Personal Data is limited to those Personnel who require such access to perform the Agreement.
- 4.2. Confidentiality. Mine will impose appropriate contractual obligations upon its Personnel engaged in the Processing of Customer Personal Data, including relevant obligations regarding confidentiality, data protection, and data security. Mine will ensure that its Personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of Customer Personal Data, have received appropriate training in their responsibilities, and have executed written confidentiality agreements. Mine will ensure that such confidentiality agreements survive the termination of the employment or engagement of its Personnel.
5. OTHER PROCESSORS
- 5.1. Mine may engage third-party service providers to Process Customer Personal Data on behalf of Customer (“Other Processors”). Customer hereby provides Mine with a general authorization to engage the Other Processors listed on Mine’s website (the “Other Processors List”). All Other Processors have entered into written agreements with Mine that bind them by substantially the same material obligations under this DPA.
- 5.2. Mine may engage with a new Other Processor (“New Processor”) to Process Customer Personal Data on Customer’s behalf. Customer may subscribe to receive notifications of any New Processor additions via the mechanism described on the Other Processors List.
- 5.3. Customer may object to the Processing of Customer Personal Data by the New Processor, for reasonable and explained grounds, within five (5) business days following Mine’s written notice to Customer of the intended engagement with the New Processor. If Customer timely sends Mine a written objection notice, the parties will make a good-faith effort to resolve Customer’s objection. In the absence of a resolution, Mine will make commercially reasonable efforts to provide Customer with the same level of Service, without using the New Processor to Process Customer Personal Data.
- 5.4. Where an Other Processor fails to fulfill its data protection obligations in connection with the Processing of Customer Personal Data under this DPA, Mine will remain fully liable to Customer for the performance of that Other Processor’s obligations.
6. ONWARD AND TRANS-BORDER DATA TRANSFER
- Transfers of Customer Personal Data by Mine, or by Mine’s New Processors or Mine’s Other Processors, to a Third Country are subject to the data transfer requirements under ANNEX C.
7. INFORMATION SECURITY
- Mine will maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Customer Personal Data, and will regularly monitor compliance with such safeguards. Mine will not materially decrease the overall security of the Service during the term of the Agreement. Further information about Mine’s technical and organizational measures is detailed here under ANNEX B.
8. PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION
- 8.1. Mine will maintain security incident management policies and procedures and will notify Customer without undue delay (and no more than 24 hours) after becoming aware of a Personal Data Breach related to Customer Personal Data which Mine, or any of Mine’s Other Processors, Process. Mine’s notice will at least:
- 8.1.1. describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned;
- 8.1.2. communicate the name and contact details of Mine’s data protection team, which will be available to provide any additional available information about the Personal Data Breach;
- 8.1.3. describe the likely consequences of the Personal Data Breach with respect to Customer Personal Data; and,
- 8.1.4. describe the measures taken or proposed to be taken by Mine to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
- 8.2. Mine will work diligently, pursuant to its incident management policies and procedures to promptly identify and remediate the cause of the Personal Data Breach and will inform Customer accordingly.
9. AUDIT AND DEMONSTRATION OF COMPLIANCE
- 9.1. Mine will make available to Customer all information necessary for Customer to demonstrate compliance with the obligations laid down under Article 28 to the GDPR in relation to the Processing of Customer Personal Data under this DPA by Mine and its Other Processors.
- 9.2. To the extent required under applicable Privacy Laws and Regulations, Mine will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in relation to Mine’s obligations under this DPA. Mine may satisfy the audit obligation under this section by providing Customer with attestations, certifications and summaries of audit reports conducted by accredited third party auditors. Audits by Customer are subject to the following terms: (A) the audit will be pre-scheduled in writing with Mine, at least forty-five (45) days in advance and will be performed not more than once a year (except for an audit following a Personal Data Breach); (B) the auditor will execute a non-disclosure and non-competition undertaking toward Mine; (C) the auditor will not have access to non-Customer data; (D) Customer will make sure that the audit will not interfere with or damage Mine’s business activities and information and network systems; (E) Customer will bear all costs and assume responsibility and liability for the audit; (F) the auditor will first deliver a draft report to Mine and allow Mine reasonable time, and no less than ten (10) business days, to review and respond to the auditor’s findings, before submitting the report to the Customer; (G) Customer will receive only the auditor’s report, without any Mine ‘raw data’ materials, will keep the audit results in strict confidentiality and will use them solely for the specific purposes of the audit under this section; and (H) as soon as the purpose of the audit is completed, Customer will permanently dispose of the audit report.
10. DELETION OF PERSONAL DATA
- 10.1. Data Deletion. Within reasonable time but no later than 30 days following the end of the provision of the Service, Mine will return Customer Personal Data to Customer or delete such data.
- 10.2. Data Retention. Notwithstanding, Customer acknowledges and agrees that Mine may retain copies of Customer Personal Data as necessary in connection with its routine backup and archiving procedures and to ensure compliance with its legal obligations and its continuing obligations under applicable law, including to retain data pursuant to legal requirements and to use such data to protect Mine, its affiliates, agents, and any person on their behalf in court and administrative proceedings.
11. DISCLOSURE TO COMPETENT AUTHORITIES
- 11.1. Mine may disclose Customer Personal Data (A) if required by a subpoena or other judicial or administrative order, or if otherwise required by law; or (B) if Mine deems the disclosure necessary to protect the safety and rights of any person, or the general public; provided however that to the extent permitted under applicable law, Mine will notify Customer in advance before making such a disclosure.
12. ANONYMIZED AND AGGREGATED DATA
- 12.1. Mine may Process data based on extracts of Customer Personal Data on an aggregated and non-identifiable form, for Mine’s legitimate business purposes, including for testing, development, controls, and operations of the Service, and may share and retain such data at Mine’s discretion.
13. DISPUTE RESOLUTION
- 13.1. Any dispute related to this DPA will be subject to the section “Dispute Resolution” of the Agreement.
14. LIMITATION OF LIABILITY
- 14.1. Each party’s liability arising out of or related to this DPA (whether in contract, tort, or under any other theory of liability) is subject to the section ‘Limited Liability’ of the Agreement, and any reference in such section to the liability of a party means that party and its Affiliates in the aggregate.
15. TERM
- 15.1. This DPA will commence on the effective date of the Agreement and will continue until the Agreement expires or is terminated.
16. COMPLIANCE
- 16.1. Mine is responsible for ensuring that all relevant Personnel of Mine adhere to this DPA.
Mine's compliance team can be reached at: privacy@saymine.com
17. MISCELLANEOUS
- 17.1. Invalidation of one or more of the provisions under this DPA will not affect the remaining provisions. Invalid provisions will be replaced to the extent possible by those valid provisions which achieve essentially the same objectives.
ANNEX A
- DETAILS OF THE PERSONAL DATA PROCESSING -
(Also Serves As Annex I To The EU SCCs)
A. LIST OF PARTIES
Data exporter
Name, address and contact details: Customer, whose name, address, and contact details are as detailed in the applicable order form.
Activities relevant to the data transferred under these Clauses: Provision of the Services under the Agreement.
Signature and date: The data exporter’s signature on the DPA or agreement between the parties applies herein.
Role (controller/processor): Controller.
Data importer
Name: Mine Technologies Ltd.
Address: Alon 1 Tower, 94 Yigal Alon St, Tel Aviv-Yafo, 6789139, Israel
Contact person’s name, position and contact details: As detailed under the applicable order form.
Activities relevant to the data transferred under these Clauses: Provision of services under the agreement.
Signature and date: The data importer’s signature on the DPA or agreement between the parties, applies herein.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
- Customer’s end-users.
- Customer’s employees.
- Customer’s customers.
Categories of personal data transferred
Customer may submit Personal Data to the Platform or otherwise provide Personal Data to Mine as part of the provision of Services, the extent of which is determined and controlled solely by Customer. Such Personal Data may include, without limitation, Contact Information (name, age, gender, address, telephone number, email address etc.) related to the above mentioned categories of data subjects.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Customer may submit special categories of Personal Data to the Services, or otherwise provide Mine with special categories of Personal Data as part of the provision of Services, the extent of which is determined and controlled solely by Customer. The applicable security measures are detailed under ANNEX B to the DPA.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
Continuous.
Nature of the processing
Provision of the services under the agreement between the parties.
Purpose(s) of the data transfer and further processing
Provision of the services under the agreement between the parties.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Duration of the agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Hosting and ancillary services for the duration of the agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
Where the data exporter is established in an EU Member State - the supervisory authority of such EU Member State shall act as competent supervisory authority
Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) - the supervisory authority of the Member State in which the representative is established shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State but falls within the territorial scope of the GDPR in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) - the supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses are located shall act as competent supervisory authority.
ANNEX B
- TECHNICAL AND ORGANIZATIONAL MEASURES -
(Also Serves as Annex II To The EU SCCs)
MINE TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Measures of pseudonymization and encryption of personal data
- Raw data is encrypted at rest and in transit in accordance with industry standards (and at least AES256 CTR).
- Mine will set adequate procedures for using cloud-based storage services in a multi-tenant environment which will include encryption and adequate access criteria.
- Mine will implement a procedure for Customer Data backups which sets, inter alia, backup method and frequency, appropriate encryption measures according to the level of sensitivity of the Customer Data and the location of the backup storage.
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of Processing systems and services
Mine will use measures to guarantee the integrity of Customer Data in backups, and to maintain the possibility to restore Customer Data in the event of data loss or destruction. Without limiting the above, to the extent that Mine uses backup media, Mine will store such media in a fireproof and waterproof safe environment which is located outside of the facility that contains Customer Data.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Mine will securely backup Customer Data that Mine possesses.
- Mine will implement a procedure for Customer Data backups which sets, inter alia, backup method and frequency, appropriate encryption measures according to the level of sensitivity of the Customer Data and the location of the backup storage. Mine will follow this procedure throughout the term of the agreement. Mine will use measures to guarantee the integrity of Customer Data in backups, and to maintain the possibility to restore Customer Data in the event of data loss or destruction. Without limiting the above, to the extent that Mine uses backup media, Mine will store such media in a fireproof and waterproof safe environment which is located outside of the facility that contains Customer Data.
- Mine will conduct ongoing technical Disaster Recovery sessions to review its related technical operations and to conduct 'fire drills' to test it in real time.
- Mine’s disaster recovery and business continuity processes will be approved by Mine’s management, audited by a non-dependent third party on an annual basis and will be practiced on an ongoing basis.
- Mine’s information security officer will ensure the backup of the following data, on a weekly basis, in a manner which guarantees the possibility to perform data restoration at any given time:
  - Entries and departures from Mine’s offices and other sites that store the following Customer Data: infrastructure and hardware systems, communication, and information security components.
  - Administration of access to the Customer Data.
  - Identification and validation of access to the Customer Data.
  - Control and documentation of access to Mine’s systems which store or process Customer Data, including the user’s identification, time and date of the access attempt, the system components to which access was attempted, and whether access was granted or denied.
  - Security breaches (any event which raises concerns as to the integrity of data, or use of data without or in excess of access permission).
  - Security of communications (implementing adequate means to protect from unauthorized access and from exploits and malware).
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the Processing
Mine will monitor its systems and networks for security related events and will conduct periodic security assessments and penetration tests by a credible external security adviser, in order to detect data security related risks. Mine will discuss the results of the assessment and test and further review the need to update information security processes. Mine will remediate any detected vulnerabilities.
Measures for user identification and authorization
- Access to applications, specifically when entering, changing and deleting data is logged.
- Access to Customer Data is made via a strong identification mechanism which includes at least two identification means (2FA), based on “something you know” and “something you have”.
- Identification means provided to employees or other authorized persons are not shared with any other employee or other authorized person, not even at a later stage. Mine keeps records of all identifications allocated to authorized personnel and operates identification verification measures prior to granting access to Customer Data.
- Non-active user’s access is blocked following six months of inactivity, other than with respect to users created for support and maintenance purposes.
- Access to Customer Data is blocked for users of personnel no longer involved in the provision of services to Customer.
- Mine enforces a policy which reduces the risk of a breach of password confidentiality. Passwords are stored in encrypted form, in a manner that keeps them illegible.
- Mine maintains an internal procedure for allocating, distributing, and storing passwords. Passwords are periodically reset. Passwords must include at least 8 characters, and any string which can be easily related to a Mine employee (e.g. the employee’s name, last name, family members’ names, birthdays etc.) is prohibited. Access is automatically blocked after three consecutive failed access attempts. Records of the last five passwords of every authorized user are retained.
Measures for the protection of data during transmission
Data transfer between Customer and Mine, if required, will be made in accordance with the acceptable standards, including through VPN, encryption, point-to-point communication or other secure and encrypted means such as TLS 1.2 or higher.
Measures for the protection of data during storage
- Customer Data and backup data are encrypted at rest according to NIST best practices (at least AES256 CTR).
- Data Systems’ storage devices are marked, labelled and placed in a surrounding accessible solely to Mine’s authorized personnel on a need-to-know basis.
- Mine maintains adequate procedures for using cloud-based storage services in a multi-tenant environment which will include encryption and adequate access criteria.
- When Customer Data is stored by third party service providers, Mine ensures that its subcontractors providing Mine with storage services are carefully vetted with regard to data security, comply with EU data protection regulations, and are certified with known information security standards, such as ISO27001 or SOC2 Type II.
- Mine implements a system for documenting media devices received from third parties or submitted by Mine to third parties. Such documentation includes the type of media, date & time of the receipt/submission of media, identity of the recipient and sender, the media’s serial number and description of the media’s content.
- Access to backup data is restricted.
Measures for ensuring physical security of locations at which personal data are processed
- Mine documents and controls access to facilities containing Customer Data that are under Mine’s control.
- Mine documents all computer and network equipment transfer into and out of Mine’s facility, or on any other entity’s facilities on Mine’s behalf, which contains Customer Data.
- Servers and any equipment used for storage, processing and access to Mine’s services or applications are protected by adequate means for entry control in a manner that ensures that only authorized employees have access thereto.
Measures for ensuring events logging
- All access to applications is logged, specifically when entering, changing, and deleting data.
- Audit logs cannot be accessed or tampered with by unauthorized personnel.
- Mine has the ability to send authentication and authorization logs to, or have them fetched by, Customer’s SIEM system.
- Mine has intrusion detection solutions and the ability to generate the relevant security alerts upon detection.
- Mine implements a procedure for responding, managing, and reporting security incidents which are related or may be related to Customer Data. Mine will keep a record of any security incident that Mine becomes aware of, which will include the date of the event, the identity of the reporter, the identity of persons reported to and consequences of the event.
- Mine implements a procedure for the restoration of lost or corrupted Customer Data due to security breach.
- Mine will hold periodic discussions regarding security incidents and review the necessity to update relevant procedures.
Measures for ensuring system configuration, including default configuration
- Testing and development environments are separated and isolated from the production environment.
- Changes are pre-approved by authorized personnel and traced accordingly.
Measures for internal IT and IT security governance and management
ISO27001 and SOC2 Type II certifications.
Measures for certification/assurance of processes and products
- New staff across the company are trained in Secure Software Development Lifecycle (SSDLC) practices.
- New product initiatives are reviewed by the security team according to SPbD (Security and Privacy by Design) concepts at the design phase.
- System code is tested against known vulnerabilities (e.g., OWASP top 10).
- Existing core systems and infrastructure are tested for security vulnerabilities periodically. In some cases, testing is conducted by automatic scanners as well as manually by external independent parties.
Measures for ensuring data minimization
- Collection is limited only to required data to fulfill the specific purpose of the Agreement.
- Data minimization is assured during our SDLC process.
Measures for ensuring limited data retention
Customer Data is retained for the duration of the contract. Following termination, Customer Data is deleted or de-identified in accordance with the terms of the Agreement and the DPA.
Measures for ensuring accountability
- Mine has in place internal policies containing formal instructions for data processing procedures.
- Mine carefully vets its relevant contractors with regard to data security.
- Mine’s personnel are vetted prior to engagement and trained periodically to maintain awareness of data protection and security requirements.
Measures for allowing data portability and ensuring erasure
Data can be exported from the system by Customer’s authorized users.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the Controller and, for transfers from a processor to a sub-processor, to the data exporter.
Measures that Mine has in place to assist the Customer in fulfilling its obligations to respond to Data Subject’s requests
Responding to DSARs is under Customer’s control through the platform.
ANNEX C
CROSS-BORDER PERSONAL DATA TRANSFER
1. DEFINITIONS
Capitalized terms not defined herein will have the meaning set forth in the DPA or under Privacy Laws and Regulations.
- 1.1. “EU SCCs” means the Standard Contractual Clauses pursuant to EU Commission Decision C(2021)3972.
- 1.2. “FADP” means the Swiss Federal Act on Data Protection of 19 June 1992 (Status as of 1 March 2019) as replaced by its amendment of September 25, 2020 (effective as of September 1, 2023).
- 1.3. “IDTA” means the International Data Transfer Agreement, issued by the ICO in accordance with section 119A of the Data Protection Act 2018, or any other applicable standard contractual clauses issued, approved, or otherwise recognized by the ICO.
- 1.4. “Swiss SCCs” means the applicable standard contractual clauses issued, approved, or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).
- 1.5. “Third Country” means a country outside the European Economic Area (“EEA”), the UK or Switzerland, which was not acknowledged by the EU Commission, a UK Secretary of State or the FDPIC (as applicable) as providing an adequate level of protection in accordance with Article 45(3) of the GDPR, Article 45 of the UK GDPR or the equivalent.
- 1.6. A “Transfer” means a transfer by Mine, Mine’s New Processors or Mine’s Other Processors of: (1) GDPR-governed Customer Personal Data transferred outside the EEA (“EEA Transferred Data”); (2) UK-GDPR governed Customer Personal Data transferred outside the UK (“UK Transferred Data”); and, (3) FADP-governed Customer Personal Data transferred outside of Switzerland (“Swiss Transferred Data”, and with EEA and UK Transferred Data: “Transferred Data”).
- 1.7. “UK Addendum” means the UK addendum published by the Information Commissioner's Office (“ICO”) in accordance with section 119A(1) of the Data Protection Act 2018, incorporating the EU SCCs.
2. EEA Transfers
Transfers of EEA Transferred Data to a Third Country will be made under the EU SCCs, giving effect to Module 2 or 3, as applicable, which are incorporated by reference into this DPA, as follows:
- 2.1. In Clause 7, the optional docking clause will apply.
- 2.2. If applicable, in Clause 9, Option 2 will apply, and the time period for prior notice of sub-processor changes will be as set out in Section 5 of this DPA.
- 2.3. In Clause 11, the optional language will not apply.
- 2.4. In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law.
- 2.5. In Clause 18(b), disputes will be resolved before the courts of Ireland.
- 2.6. Annexes (I)-(II) to the EU SCCs will be completed with the relevant details in ANNEXES A-B to this DPA.
3. UK Transfers
Transfers of UK Transferred Data to a Third Country will be made:
- 3.1. In accordance with the EU SCCs as detailed in section 2 above, as amended by the UK Addendum, which is incorporated by reference into this DPA, with the necessary changes made as detailed in sections 12-15 of the UK Addendum; or,
- 3.2. if the EU SCCs as implemented above cannot be used to lawfully Transfer UK Transferred Data, the IDTA will instead be incorporated by reference, will form an integral part of this DPA, and will apply to UK Transferred Data. In such case, the relevant Annexes of the IDTA will be populated using the information contained in ANNEXES A-B.
4. Swiss Transfers
Transfers of Swiss Transferred Data to a Third Country will be made:
- 4.1. In accordance with the EU SCCs as detailed in section 2 above, as recognized by the FDPIC on August 27, 2021, with the following modifications: (A) references to ‘EU’, ‘Union’, ‘Member State’ and ‘Member State law’ will be interpreted as references to ‘Switzerland’ and ‘Swiss law’, as applicable; and, (B) references to ‘Competent supervisory authority’ and ‘Competent courts’ will be interpreted as references to the FDPIC and the competent courts in Switzerland; or,
- 4.2. if the EU SCCs as implemented above cannot be used to lawfully Transfer Swiss Transferred Data in compliance with the FADP, the Swiss SCCs will instead be incorporated by reference, will form an integral part of this DPA, and will apply to Swiss Transferred Data. In such case, the relevant Annexes of the Swiss SCCs will be populated using the information contained in ANNEXES A-B.
5. Supplemental Measures
In accordance with Article 46 of the GDPR, the EU SCCs and guidelines published by the European Data Protection Board (EDPB), and without prejudice to any provisions of the DPA or this Annex, Mine undertakes to implement the following organizational and technical safeguards, in addition to the safeguards mandated by the EU SCCs, to ensure the required adequate level of protection of Transferred Data:
- 5.1. Technical and Organizational Measures. Mine will implement and maintain the technical and organizational measures specified in ANNEX B, which is attached and incorporated by reference into this DPA, for the purpose of protecting Customer Personal Data against any processing for national security or other government purposes that goes beyond what is necessary and proportionate in a democratic society, considering the type of processing activities under the Agreement and the relevant circumstances.
- 5.2. Contractual Measures. For the purposes of safeguarding Transferred Data when any Third Country’s government or regulatory authority requests access to such data (“Request”), and unless required by a valid court order, or where Mine would otherwise face criminal charges for failing to comply with orders or demands to disclose or otherwise provide access to EEA Transferred Data, or where the access is requested in the event of an imminent threat to life, Mine will:
- 5.2.1. not purposefully create back doors or similar programming that could be used to access EEA Transferred Data;
- 5.2.2. not provide the source code or encryption keys to any government agency for the purpose of accessing EEA Transferred Data;
- 5.2.3. upon Customer’s written request, provide reasonably available information about requests for access to Customer Personal Data by government agencies that Mine has received in the 6 months preceding Customer’s request; and,
- 5.2.4. notify Customer upon receiving a request by a government agency to access Customer Personal Data, to enable Customer to take necessary actions, communicate directly with the relevant authority and respond to the request. If Mine is prohibited by law from notifying Customer of such a request, Mine will make reasonable efforts to challenge such prohibition through judicial action or other means at Customer’s expense and, to the extent possible, will provide only the minimum amount of information necessary.
6. Future Adequacy
As applicable, if: (A) the Adequacy Recognition is invalidated or otherwise terminated by the EU Commission or a UK Secretary of State; (B) the EU SCCs are invalidated or are no longer in effect; or (C) any other Transfer safeguard used for the Transfer of Transferred Data is no longer in effect for any reason, then Mine will take such alternative lawful measures, as may be available and applicable, to continue facilitating the lawful Transfer of Transferred Data by Mine, Mine’s Other Processors, Mine’s New Processors, or equivalents thereof.