The Atmospheric G2 (“AG2”) Data Processing Addendum (DPA) applies to the Processing of Personal Data by AG2 on behalf of Client under the Agreement in order to provide and improve the AG2 Services that utilize the same underlying technology or tools, and as otherwise set out in the Agreement, if and to the extent i) the European General Data Protection Regulation (EU/2016/679) (GDPR); or ii) any other data protection laws identified below apply.
The Appendix on Additional Safeguards to EU Standard Contractual Clauses, reported below, supplements and is made part of the EU SCCs, set out in the DPA Exhibit, as applicable.
The DPA prevails over any conflicting term of the Agreement.
European Economic Area:
European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Art. 28 of the GDPR.
United Kingdom:
The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), and the UK Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended, superseded or replaced.
Serbia:
Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti; Official Gazette of the Republic of Serbia, no 87/2018).
In the case of a transfer of Client Personal Data to a Non-Adequate Country, by entering into the Agreement, the Client is entering to the Serbian Standard Contractual Clauses (Serbian SCC) as adopted by the “Serbian Commissioner for Information of Public Importance and Personal Data Protection”, published at https://www.poverenik.rs/images/stories/dokumentacija-nova/podzakonski-akti/Klauzulelat.docx to provide an adequate level of protection. References to the EU Standard Contractual Clauses (EU SCC) in Section 8 of the DPA and in the DPA Exhibit shall mean the Serbian SCC.
Information required to complete Appendices 1 to 8 of the Serbian SCC for the purpose of governing the transfer of Personal Data to a Non-Adequate Country can be found in the DPA and DPA Exhibit.
Upon request, AG2 will provide a copy of the Serbian SCCs in the Serbian language signed by the AG2 Data Importers and a courtesy translation in English. Please submit requests to admin@atmosphericg2.com.
Brazil:
The Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados (LGPD), upon entering into force. For the sake of clarity, AG2’s obligations to a Client under the DPA are only those express obligations imposed by LGPD on a “Data Processor (operador)” for the benefit of a “Data Controller (Controlador)” (including new Section 1.6 below), as “Data Controller (controlador)” and “Data Processor (operador)” are defined by the LGPD:
1.6 Each party is responsible to fulfil its respective obligations set out in the LGPD, and Client will only issue Processing instructions, as set forth in Section 1.3 of this DPA, that enable AG2 to fulfill its LGPD obligations.
For the purpose of Section 8, the EU SCC will be used for transfers to non-adequate countries as per GDPR.
Appendix on Additional Safeguards to EU Standard Contractual Clauses (EU SCCs)
- In accordance with the July 16, 2020 decision of the Court of Justice of the European Union (CJEU) in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, and without prejudice to any provisions of the DPA, AG2 will undertake additional safeguards to secure Personal Data transferred on the basis of European Union (EU) Standard Contractual Clauses (SCCs) to those countries whose laws are likely to have a substantial adverse effect on the level of data protection offered by the EU SCCs and required under EU data protection law.
- AG2 will implement and maintain the technical and organizational measures, as specified in the DPA Exhibit, such as encryption, access controls, or similar technologies, as applicable and agreed with the Client, to protect Client Personal Data against any processing for national security or other government purposes that are determined to be massive, disproportionate, or indiscriminate in a manner that goes beyond what is necessary in a democratic society, considering the type of processing activities and the AG2’s scope of responsibility.
- For the purposes of safeguarding Client Personal Data when any government or regulatory authority requests access to such data, AG2 has implemented and shall continue to comply with the provisions of the following documents which remain accurate and valid: “Letter to Our Clients About Government Access to Data” and available to Clients since its publication on March 14, 2014 (“Data Access Letter”); and “Law Enforcement Requests Transparency Report” (“Transparency Report”).
- In the event of any such request for access to Client Personal Data by a government or regulatory authority:
- in accordance with the Data Access Letter and Transparency Report, AG2 will notify Client of such request to enable the Client to take all necessary actions to communicate directly with the relevant authority and respond to such request. If AG2 is prohibited by law to notify the Client of such request, it will make best reasonable efforts to challenge such prohibition and it commits to providing the minimum amount of information permissible when responding, based on a reasonable interpretation of the order; and
- if, regardless of all such efforts, AG2 is prohibited by law to notify the Client, upon request of the Client and in accordance with applicable law, AG2 will provide to such Client general information relative to any such request received from a government or regulatory authority during the preceding 12-month period.