IPONWEB GmbH Data Processing Addendum for Curator

There are two versions of the Grid Data Processing Addendum; the version applicable to You depends on the Effective Date of Your Term Sheet.

Part A – Term Sheet with Effective Date of September 27, 2021 or later.

Part B – Term Sheet with Effective Date prior to September 27, 2021.

Part A – Data Processing Addendum for Term Sheet with Effective Date of September 27, 2021 or later.

This Data Processing Addendum was updated on September 27, 2021 and applies to all Customers with a Term Sheet Effective Date of September 27, 2021 or later.

  1. The terms and conditions in this Data Processing Addendum (“DPA”) are entered into between IPONWEB GmbH on behalf of itself and any Affiliates that are providing Services (as defined below) to Customer (“Grid”); and You (“Customer”), pursuant to the terms of the Agreement (defined below).
  2. This DPA, together with the Agreement, constitutes a legally binding agreement between the parties and governs Your use of the Grid Services and the parties’ processing of any personal data under the Agreement. Customer agrees that this DPA is like any written negotiated agreement signed by Customer and agrees to enter into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of any group companies or affiliates that use the Services. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
  3. Background

3.1. Grid and Customer have entered into a master services agreement, together with one or more connected service orders and/or agreements (collectively the “Agreement”), pursuant to which Grid has agreed to provide the Services.

3.2. The parties wish to define their respective data protection obligations relating to Grid’s provision of Services to Customer.

  4. Definitions

In this DPA, the following terms shall have the following meanings:

(a) “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”), “business”, “service provider” and “special categories of personal data” shall have the meanings given in Applicable Data Protection Laws.

(b) “Applicable Data Protection Laws” shall mean all applicable international, federal, national and state data protection and privacy laws, regulations, and industry self-regulatory rules, codes and guidelines that apply to the processing of personal data as applicable to Grid, including without limitation: (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) and the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national laws made under or pursuant to (i) or (ii) (in each case, as superseded, amended or replaced); (iv) the California Consumer Privacy Act of 2018, California Civil Code §1798.100 et seq. (“CCPA”); (v) the rules, codes and guidelines of the European Interactive Digital Advertising Alliance (“EDAA”); and (vi) the Network Advertising Initiative (“NAI”).

(c) “data subject” as used herein shall also refer to “consumer” as that term is defined under Applicable Data Protection Laws.

(d) “personal data” as used herein shall also refer to “personal information” as that term is defined under Applicable Data Protection Laws.

(e) “Services” has the meaning given to it in the Agreement or if not set forth in the Agreement, means the services provided by Grid to Customer in accordance with and as described in the Agreement.

(f) “Standard Contractual Clauses” means either the Module Two: Transfer controller to processor standard contractual clauses or Module Three: Transfer processor to processor standard contractual clauses (as the case may be) approved by the European Commission or the United Kingdom’s Secretary of State (as applicable), as may be amended or replaced by the European Commission or the United Kingdom’s Secretary of State (as applicable) from time to time. The Standard Contractual Clauses as at the date of this DPA are as set out at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en.

(g) “sub-processor” shall mean a party appointed by a processor or service provider to process personal data on behalf of that processor or service provider.

(h) “Supplementary Measures” means the provisions set out in Appendix 2 to this DPA.

  5. Details of the processing

5.1. The subject-matter of processing of personal data by Grid is the personal data processing required for performance of the Services pursuant to the Agreement. The duration of the processing is for the Term of the Agreement; the nature and purpose of the Processing is to provide the Services under the Agreement; the types of personal data are information unique to internet user(s), used by advertisers to present advertising to those internet user(s); and the categories of data subjects processed under this DPA are the aforementioned internet users. If the Agreement is materially deficient in respect of the subject matter of this Clause 5, the parties may supplement the Agreement with additional information.

  6. Data Protection Obligations

6.1. Relationship of the parties: Customer (as the controller in its own right or as the processor who acts under instruction from third party controller(s)) or another business appoints Grid as a processor (or sub-processor, as the case may be) to process the personal data described in the Agreement (the “Data”) for the purposes described in the Agreement (or as otherwise agreed in writing by the parties) (the “Permitted Purpose”). Each party shall comply with the obligations that apply to it under Applicable Data Protection Laws. If Grid becomes aware that processing for the Permitted Purpose infringes an Applicable Data Protection Law, it shall promptly inform Customer.

6.2. Service provider limitations: Customer is a business and Grid is a service provider as those terms are defined under the Applicable Data Protection Law. Grid shall not: (a) sell personal data; (b) retain, use, or disclose personal data for any purpose other than for the Permitted Purpose; (c) retain, use, or disclose personal data for a commercial purpose other than for the Permitted Purpose; or (d) retain, use, or disclose personal data outside of the direct business relationship between Grid and Customer. Grid certifies that it understands these restrictions and will comply with them.

6.3. Prohibited data: Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data or sensitive data to Grid for processing.

6.4. International transfers: Grid shall not transfer the Data outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Laws. Where Grid processes personal data (i) relating to individuals located in the European Economic Area in a territory outside of the European Economic Area that does not have adequate data protection laws (as determined by the EU Commission); or (ii) relating to individuals located in the United Kingdom in a territory outside of the United Kingdom that does not have adequate data protection laws (as determined by the United Kingdom’s Secretary of State), the Standard Contractual Clauses shall be incorporated by reference into this DPA and shall apply in relation to such Personal Data; the Supplementary Measures herein shall also apply.

For the purposes of the Standard Contractual Clauses:

(a) Customer is the “data exporter” and Grid is the “data importer”;

(b) Where Customer is a data controller, the parties choose Module Two: Transfer controller to processor as being the only applicable terms between the parties and any terms related to and references therein to Module One, Module Three and Module Four shall be deemed deleted. However, where Customer is a data processor, the parties choose Module Three: Transfer processor to processor as being the only applicable terms between the parties and any terms related to and references therein to Module One, Module Two and Module Four shall be deemed deleted;

(c) In Clause 9, irrespective of the chosen Module, the Parties choose Option 2 and agree the time period shall be completed as at least 10 days in advance;

(d) the optional language in Clause 11(a) shall be deemed deleted;

(e) Clause 13(a) shall be amended as applicable depending on where the Customer is established (as identified in the Agreement);

(f) In Clause 17, the Parties choose Option 1 and agree that this shall be the law of Germany;

(g) Clause 18(b) shall be deemed completed with the courts of Berlin, Germany;

(h) Annex I to the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 1 to this DPA; and

(i) Annex II to the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 2 to this DPA.

6.5. Sub-processing: Customer may object to Grid’s appointment or replacement of a sub-processor prior to Grid’s engagement of such sub-processor, provided such objection is based on reasonable grounds relating to data protection. In such event, Grid will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).

6.6. Cooperation and data subjects’ rights: Grid shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data.

6.7. Data Protection Impact Assessment: Grid shall provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Laws.

6.8. Audit: Customer acknowledges that Grid is audited against ISO 27001 standards by independent third party auditors. Upon request, Grid shall supply a summary copy of its audit report(s) to Customer, which shall be subject to the confidentiality provisions of the Agreement. Grid shall also respond to any written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year.

Appendix 1

  1. LIST OF PARTIES

Data exporter: the organisation identified as Customer. Customer’s contact information is specified in the Agreement. Customer’s activities are as described in the Agreement and in relation to these activities Customer is acting as a data controller for the personal data.

 

Data importer: the organisation identified as Grid. Grid’s contact information is specified in the Agreement. Grid’s activities are as described in the Agreement and in relation to these activities Grid is acting as a data processor for the personal data.

  2. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred: The categories of data subjects identified in Clause 5 of the DPA.

Categories of personal data transferred: The data identified in Clause 5 of the DPA.

Sensitive data transferred (if applicable): No special categories of data or sensitive data is transferred.

Frequency of the transfer: On a continuous basis depending on Customer’s use of the Services.

Nature of the processing: The nature of processing identified in Clause 5 of the DPA.

Purpose(s) of the data transfer and further processing: The objective of processing of personal data by the parties is as set out in Clause 5 of the DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The Services have different automated retention/deletion periods for different types of data and settings but in no event is personal data retained longer than is necessary.

Transfers to (sub-) processors: Grid maintains an up-to-date list of its sub-processors at https://www.iponweb.com/policies-legal/iponweb-sub-processors/. The subject matter of processing of personal data by sub-processors is the personal data processing required for performance of the Services pursuant to the Agreement. The nature of the processing is to provide the Services under the Agreement and duration of the processing is for the Term of the Agreement.

 

  3. COMPETENT SUPERVISORY AUTHORITY

In accordance with Clause 13, the competent supervisory authority is determined depending on where the data exporter is established and is identified in the Agreement.

Appendix 2

Description of the technical and organisational measures implemented by the data importer, including technical and organisational measures to ensure security of the data:

In all cases, the data importer uses various security technologies and procedures that help protect personal data from unauthorized access, use, disclosure, alteration or destruction.

For example:

  • Personnel: Only qualified and authorized employees are permitted to access personal data, and they may do so only for permitted business functions.
  • Additional Safeguards: We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your Information. Our security procedures mean that we may request proof of your identity before we disclose personal data to you.
  • Trusted Vendors: We rely only on vendors who ensure an appropriate level of security of your Data. In this context, we use only secure cloud servers, including AWS cloud – a secure, private cloud platform.
    Amazon Web Services (“AWS”) and Google Cloud Platform are Grid sub-processors. AWS and Google Cloud Platform each use various security technologies and procedures to protect personal data and are compliant with third-party assurance frameworks such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, PCI DSS Level 1, and SOC 1, SOC 2, and SOC 3. For more details, please see the security and privacy policies of AWS at aws.amazon.com and of Google Cloud Platform at www.cloud.google.com.

Supplementary Measures:

  1. If Grid receives an order or request to disclose personal data transferred under the Agreement (“Transferred Personal Data”) to a law enforcement, regulatory, judicial or governmental authority (an “Authority”), whether on a binding or voluntary basis, Grid shall:

(a) promptly notify the Customer of such Authority’s data access request;

(b) inform the Authority that it is a Processor of the Personal Data and that the Customer has not authorised Grid to disclose that Personal Data to the Authority;

(c) inform the Authority that any and all requests or demands for relating to the Transferred Personal Data should be notified to or served upon the Customer (as the Controller) in writing; and

(d) not provide the Authority with access to Transferred Personal Data unless and until authorised by the Customer,

save to the extent any such order or request or other legally binding obligation on Grid requires Grid to do otherwise.

  2. In the event Grid is under a legal prohibition or a legal compulsion that prevents it from complying with paragraphs 1(a) to 1(a) in full, Grid shall use reasonable and lawful efforts to challenge such prohibition or compulsion (and the Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request and the reasonable prospects and costs of successfully challenging the prohibition or compulsion).
  3. Paragraphs 1 and 2 shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to the Data, Grid has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Grid shall notify the Customer as soon as practicable following such Authority’s access and provide the Customer with full details of the same, unless and to the extent Grid is legally prohibited from doing so.
  4. Grid shall not knowingly disclose the Transferred Personal Data in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.
  5. Grid shall have in place, maintain and comply with a policy governing personal data access requests from Authorities which at minimum prohibits:

(a) massive, disproportionate or indiscriminate disclosure of personal data relating to data subjects in the European Economic Area or the United Kingdom; and

(b) disclosure of personal data relating to data subjects in the European Economic Area or the United Kingdom to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such personal data.

  6. Grid shall have in place and maintain in accordance with good industry practice measures to protect the Transferred Personal Data from unauthorised interception (including in transit from the Customer to Grid and between different systems and services). This includes having in place and maintaining network protection to deny attackers the ability to intercept Transferred Personal Data and encryption of Transferred Personal Data whilst in transit to deny attackers the ability to read Transferred Personal Data.

Part B – Data Processing Addendum for Term Sheet with Effective Date prior to September 27, 2021.

This Data Processing Addendum was last updated on April 22, 2021 and applies to all Customers with a Term Sheet Effective Date prior to September 27, 2021.

  1. The terms and conditions in this Data Processing Addendum (“DPA”) are entered into between IPONWEB GmbH on behalf of itself and any Affiliates that are providing services to Customer (“Grid”); and You (“Customer”), pursuant to the terms of the Agreement (defined below).
  2. This DPA, together with the Agreement, constitutes a legally binding agreement and governs Your use of the Grid Services. Customer agrees that this DPA is like any written negotiated agreement signed by Customer and agrees to enter into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Law, in the name and on behalf of any group companies or affiliates that use the Services. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
  3. Background

3.1. Grid and Customer have entered into a master services agreement, together with one or more connected service orders and/or agreements (collectively the “Agreement”), pursuant to which Grid has agreed to provide the Services.

3.2. The parties wish to define their respective data protection obligations relating to Grid’s provision of Services to Customer.

  4. Details of the processing.

4.1. The subject-matter of processing of personal data by Grid is the personal data processing required for performance of the Services pursuant to the Agreement. The duration of the processing is for the Term of the Agreement; the nature and purpose of the Processing is to provide the Services under the Agreement; the types of personal data are information unique to internet user(s), used by advertisers to present advertising to those internet user(s); and the categories of data subjects processed under this DPA are the aforementioned internet users. If the Agreement is materially deficient in respect of the subject matter of this Clause 4, the parties may supplement the Agreement with additional information.

  5. Data Protection Obligations

5.1. Definitions: In this Clause, the following terms shall have the following meanings:

(a) “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”), “business”, “service provider” and “special categories of personal data” shall have the meanings given in Applicable Data Protection Law;

(b) “Applicable Data Protection Law” shall mean the EU General Data Protection Regulation (Regulation 2016/679) (the “GDPR”), the GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the “UK GDPR”) and the California Consumer Privacy Act of 2018 California Civil Code § 1798.100 et seq. (“California Consumer Privacy Act” or “CCPA”), together with any other laws applicable to the processing of personal data;

(c) “personal data” as used herein shall also refer to “personal information” as that term is defined under Applicable Data Protection Law;

(d) “data subject” as used herein shall also refer to “consumer” as that term is defined under Applicable Data Protection Law;

(e) “Standard Contractual Clauses” means the standard contractual clauses for Processors approved by the European Commission or the United Kingdom’s Secretary of State (as applicable), as may be amended or replaced by the European Commission or the United Kingdom’s Secretary of State (as applicable) from time to time. The Standard Contractual Clauses as at the date of this DPA are as set out at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087;

(f) “Supplementary Measures” means the provisions set out in Appendix 3 to this DPA; and

(g) “subprocessor” shall mean a party appointed by a processor or service provider to process personal data on behalf of that processor or service provider.

5.2. Relationship of the parties: Customer (as the controller in its own right or as the processor who acts under instruction from third party controller(s)) or another business appoints Grid as a processor (or subprocessor, as the case may be) to process the personal data described in the Agreement (the “Data”) for the purposes described in the Agreement (or as otherwise agreed in writing by the parties) (the “Permitted Purpose”). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. If Grid becomes aware that processing for the Permitted Purpose infringes Applicable Data Protection Law, it shall promptly inform Customer.

5.3. Service provider limitations: Customer is a business and Grid is a service provider as those terms are defined under the Applicable Data Protection Law. Grid shall not: (a) sell personal data; (b) retain, use, or disclose personal data for any purpose other than for the Permitted Purpose; (c) retain, use, or disclose personal data for a commercial purpose other than for the Permitted Purpose; or (d) retain, use, or disclose personal data outside of the direct business relationship between Grid and Customer. Grid certifies that it understands these restrictions and will comply with them.

5.4. Prohibited data: Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to Grid for processing.

5.5. International transfers: Grid shall not transfer the Data outside of the European Economic Area (“EEA”) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Where Grid processes personal data (i) relating to individuals located in the European Economic Area in a territory outside of the European Economic Area that does not have adequate data protection laws (as determined by the EU Commission); or (ii) relating to individuals located in the United Kingdom in a territory outside of the United Kingdom that does not have adequate data protection laws (as determined by the United Kingdom’s Secretary of State), the Standard Contractual Clauses shall be incorporated by reference into this DPA, shall apply in relation to such Personal Data and the Supplementary Measures shall apply. For the purposes of the Standard Contractual Clauses: (a) Customer is the “data exporter” and Grid is the “data importer” for the purposes of the Standard Contractual Clauses; (b) Appendix 1 to the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 1 to this DPA; (c) Appendix 2 to the Standard Contractual Clauses shall be deemed completed with the information set out in Appendix 2 to this DPA; and (d) the optional illustrative indemnification clause in the Standard Contractual Clauses shall be deemed deleted.

5.6. Confidentiality of processing: Grid shall ensure that any person it authorises to process the Data (an “Authorised Person”) shall protect the Data in accordance with Grid’s confidentiality obligations under the Agreement.

5.7. Security: Grid shall implement technical and organisational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident”).

5.8. Subcontracting: Customer consents to Grid engaging third party organisations (“subcontractors”) to process the Data for the Permitted Purpose provided that: (i) Grid maintains an up-to-date list of its subcontractors at www.iponweb.com/subprocessors which it shall update with details of any change in subcontractors at least 10 days prior to any such change; (ii) Grid imposes data protection terms on any subcontractor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) Grid remains liable for any breach of this Clause that is caused by an act, error or omission of its subcontractor. Customer may object to Grid’s appointment or replacement of a subcontractor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Grid will either not appoint or replace the subcontractor or, if this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).

5.9. Cooperation and data subjects’ rights: Grid shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Grid, Grid shall promptly inform Customer providing full details of the same.

5.10. Data Protection Impact Assessment: Grid shall provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.

5.11. Security incidents: If it becomes aware of a confirmed Security Incident, Grid shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Grid shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.

5.12. Deletion or return of Data: Upon termination or expiry of the Agreement, Grid shall (at Customer’s election) destroy or return to Customer all Data in its possession or control. This requirement shall not apply to the extent that Grid is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, in which event Grid shall securely isolate and protect from any further processing except to the extent required by such law until deletion is possible.

5.13. Audit: Customer acknowledges that Grid is audited against ISO 27001 standards by independent third party auditors. Upon request, Grid shall supply a summary copy of its audit report(s) to Customer, which shall be subject to the confidentiality provisions of the Agreement. Grid shall also respond to any written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year.

Appendix 1 – Subject Matter and Details of the Processing

Data subjects: The Personal Data transferred concern the following categories of Data Subjects:

The categories of data subjects identified in Clause 4 of the DPA.

Categories of data: The Personal Data concern the following categories of data:

The data identified in Clause 4 of the DPA.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

No special categories of data

Processing operations:

The objective of processing of personal data by the parties is as set out in Clause 4 of the DPA. 

Appendix 2 – Description of the technical and organisational security measures implemented by the data importer

In all cases, the data importer uses various security technologies and procedures that help protect personal data from unauthorized access, use, disclosure, alteration or destruction.

For example:

  • Personnel: Only qualified and authorized employees are permitted to access personal data, and they may do so only for permitted business functions.
  • Additional Safeguards: We maintain physical, electronic and procedural safeguards in connection with the collection, storage and disclosure of your Information. Our security procedures mean that we may request proof of your identity before we disclose personal data to you.
  • Trusted Vendors: We rely only on vendors who ensure an appropriate level of security of your Data. In this context, we use only secure cloud servers, including AWS cloud – a secure, private cloud platform.
    Amazon Web Services (“AWS”) and Google Cloud Platform are Grid sub-processors. AWS and Google Cloud Platform each use various security technologies and procedures to protect personal data and are compliant with third-party assurance frameworks such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, PCI DSS Level 1, and SOC 1, SOC 2, and SOC 3. For more details, please see the security and privacy policies of AWS at aws.amazon.com and of Google Cloud Platform at www.cloud.google.com.

Appendix 3 – Supplementary Measures

  1. If Grid receives an order or request to disclose Transferred Personal Data to a law enforcement, regulatory, judicial or governmental authority (an “Authority”), whether on a binding or voluntary basis, Grid shall:

(a) promptly notify the Customer of such Authority’s data access request;

(b) inform the Authority that it is a Processor of the Personal Data and that the Customer has not authorised Grid to disclose that Personal Data to the Authority;

(c) inform the Authority that any and all requests or demands for relating to the Transferred Personal Data should be notified to or served upon the Customer (as the Controller) in writing; and

(d) not provide the Authority with access to Transferred Personal Data unless and until authorised by the Customer,

save to the extent any such order or request or other legally binding obligation on Grid requires Grid to do otherwise.

  2. In the event Grid is under a legal prohibition or a legal compulsion that prevents it from complying with paragraphs 1(a) to 1(a) in full, Grid shall use reasonable and lawful efforts to challenge such prohibition or compulsion (and the Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request and the reasonable prospects and costs of successfully challenging the prohibition or compulsion).
  3. Paragraphs 1 and 2 shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to the Data, Grid has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Grid shall notify the Customer as soon as practicable following such Authority’s access and provide the Customer with full details of the same, unless and to the extent Grid is legally prohibited from doing so.
  4. Grid shall not knowingly disclose the Transferred Personal Data in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.
  5. Grid shall have in place, maintain and comply with a policy governing personal data access requests from Authorities which at minimum prohibits:

(a) massive, disproportionate or indiscriminate disclosure of personal data relating to data subjects in the European Economic Area or the United Kingdom; and

(b) disclosure of personal data relating to data subjects in the European Economic Area or the United Kingdom to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such personal data.

  6. Grid shall have in place and maintain in accordance with good industry practice measures to protect the Transferred Personal Data from unauthorised interception (including in transit from the Customer to Grid and between different systems and services). This includes having in place and maintaining network protection to deny attackers the ability to intercept Transferred Personal Data and encryption of Transferred Personal Data whilst in transit to deny attackers the ability to read Transferred Personal Data.