Data Processing Agreement

This Data Processing Agreement (“Agreement”) forms part of the Contract for Services under the Anita Borg Institute for Women and Technology (“AnitaB.org”) Terms and Conditions (the “Principal Agreement”). This Agreement is an amendment to the Principal Agreement and is effective upon its incorporation into the Principal Agreement, which incorporation may be specified in the Principal Agreement or in an executed amendment to the Principal Agreement. Upon its incorporation into the Principal Agreement, this Agreement will form a part of the Principal Agreement.

The term of this Agreement shall follow the term of the Principal Agreement. Terms not defined herein shall have the meaning as set forth in the Principal Agreement.
WHEREAS

(A) Your company acts as a Controller or Business (the “Data Controller”).

(B) Your company wishes to subcontract certain Services (as defined below), which imply the Processing of Personal Data, to AnitaB.org, acting as a Processor or Service Provider (the “Data Processor”).

(C) The Parties seek to implement a data processing agreement that complies with the requirements of Data Protection Laws.

(D) The Parties wish to lay down their rights and

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

1.1.1. “Binding Corporate Rules” means personal data protection policies which are adhered to by a controller or processor established on the territory of an EU member state for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity;

1.1.2. “Company Personal Data” means any Personal Data or Personal Information that is Collected or Processed by the Data Processor or its Subprocessors on the Data Controller’s behalf to provide the Services pursuant to or in connection with the Principal Agreement;

1.1.3. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other state or country, including the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time (“CCPA”);

1.1.4. “EU Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union, and all other data protection laws of the EEA, the United Kingdom (including the UK GDPR and the UK Data Protection Act 2018, together “UK Data Protection Law”), and Switzerland (including the Swiss Federal Act on Data Protection), each as applicable, and as may be amended or replaced from time to time;

1.1.5. “International Data Transfer” means any transfer of Personal Data from the EEA, UK or Switzerland to an international organization or to a country outside of the EEA, UK or Switzerland, and includes any onward disclosure of Personal Data to another recipient within that country, as well as any onward transfer of Personal Data from the international organization or the country outside of the EEA, UK or Switzerland to another country outside of the EEA, UK or Switzerland;

1.1.6. “Standard Contractual Clauses” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as amended or replaced from time to time;

1.1.7. “UK Addendum” means the addendum to the Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022);

1.1.8. “UK GDPR” means the GDPR as applicable in the UK pursuant to section 3 of the European Union (Withdrawal) Act 2018;

1.1.9. “Subprocessor” means any person appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Data Controller in connection with the Agreement; and

1.1.10. “Services” means all services provided by AnitaB.org. The Services are described more in detail in Schedule 1.

1.2. The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

1.3. The terms “Business”, “Collect”, “Consumer”, “Personal Information”, “Sell” and “Service Provider” shall have the same meaning as in the CCPA, and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1. The Data Processor shall:

2.1.1. Comply with all applicable Data Protection Laws in the Collecting and Processing of Company Personal Data;

2.1.2. Not process Company Personal Data other than on the Data Controller’s documented instructions or as required by applicable laws to which the Data Processor is subject, in which case the Data Processor shall, to the extent permitted by applicable laws, inform the Data Controller of that legal requirement;

2.1.3. Not retain, use or disclose Company Personal Data for any purpose other than performing the Services, except as permitted by applicable law; and

2.1.4. Not Sell Company Personal Data.

2.2. The Data Controller instructs the Data Processor to Collect and Process Company Personal Data to provide the Services and related technical support.

3. Processor Personnel

3.1. The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Data Processor and Subprocessor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual’s duties to the Data Processor and Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. This includes, but is not limited to, the measures listed in Schedule 2.

4.2. In assessing the appropriate level of security, the Data Processor shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Subprocessing

5.1. The Data Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized by the Data Controller. The Data Controller hereby authorizes the Data Processor to engage the Subprocessors listed in Schedule 4.

5.2. Notwithstanding the general authorization to engage Subprocessors as described in Section 5.1, the Data Controller may object to a Subprocessor by sending an email to Privacy@AnitaB.org.

5.3. The Data Processor must obtain sufficient guarantees from all Subprocessors that they will implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws and this Agreement.

5.4. The Data Processor must enter into a written agreement with all Subprocessors which imposes materially the same obligations on the Subprocessors as the obligations imposed on the Data Processor under this Agreement.

6. Data Subject Rights

6.1. During the term of the Agreement, if the Data Processor receives any request from a Data Subject or Consumer in relation to Company Personal Data, the Data Processor will advise the Data Subject or Consumer to submit their request to the Data Controller, and the Data Controller will be responsible for responding to any such request. Taking into account the nature of the Processing, the Data Processor shall assist the Data Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligations, as reasonably understood by the Data Controller, to respond to requests to exercise Data Subject or Consumer rights under the Data Protection Laws.

6.2. The Data Processor shall:

6.2.1. Promptly notify the Data Controller if it receives a request from a Data Subject or Consumer under any Data Protection Law in respect of Company Personal Data; and

6.2.2. Ensure that it does not respond to that request except as specified in 6.1; on the documented instructions of the Data Controller; or as required by applicable laws to which the Data Processor is subject, in which case the Data Processor shall, to the extent permitted by applicable laws, inform the Data Controller of that legal requirement before the Data Processor responds to the request.

7. Personal Data Breach

7.1. The Data Processor shall notify the Data Controller without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing the Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform Data Subjects or Consumers of the Personal Data Breach under the Data Protection Laws.

7.2. The Data Processor shall cooperate with the Data Controller and take such reasonable commercial steps as are directed by the Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7.3. The Data Controller is solely responsible for complying with incident notification laws applicable to the Data Controller and fulfilling any third-party notification obligations related to any Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

8.1. The Data Processor shall, at the Data Controller’s expense, provide reasonable assistance to the Data Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which the Data Controller reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by the Data Processor, and taking into account the nature of the Processing and the information available to the Data Processor.

9. Deletion or return of Company Personal Data

9.1. Subject to this section 9, the Data Processor shall promptly as of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Company Personal Data.

9.2. The Data Processor shall provide written certification to the Data Controller that it has fully complied with section 9.1 upon the written request of the Data Controller.

9.3. The Data Controller may in its absolute discretion by written notice to the Data Processor within thirty (30) days of the Cessation Date require the Data Processor to return a complete copy of all Company Personal Data. The Data Processor shall comply with any such written request as soon as reasonably practicable.

9.4. Operational clarification relevant to the Standard Contractual Clauses: certification of deletion of Personal Data as described in Clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided only upon the Data Controller’s written request.

10. Audit rights

10.1. Subject to this section 10, the Data Processor shall, at the Data Controller’s expense, make available to the Data Controller on request all information reasonably necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Data Controller or an auditor mandated by the Data Controller in relation to the Processing of the Company Personal Data by the Data Processor.

10.2. Information and audit rights of the Data Controller only arise under section 10.1 to the extent that the Agreement does not otherwise give the Data Controller information and audit rights meeting the relevant requirements of Data Protection Laws.

10.3. The Data Processor may object in writing to an auditor appointed by the Data Controller to conduct any audit if the auditor is, in the Data Processor’s reasonable opinion, not suitably qualified or independent, or otherwise manifestly unsuitable. Any such objection by the Data Processor will require the Data Controller to appoint another auditor.

10.4. The Data Controller shall bear any third-party costs in connection with such inspection or audit and reimburse the Data Processor for all costs incurred by the Data Processor and time spent by the Data Processor in connection with any such inspection or audit.

10.5. Operational clarification relevant to the Standard Contractual Clauses: the audits described in Clauses 8.9(c) and 8.9(d) of the Standard Contractual Clauses shall be performed in accordance with this clause 10, subject to any relevant conditions, limitations or restrictions detailed herein.

11. International Data Transfer

11.1. The Data Controller hereby authorizes the Data Processor to perform International Data Transfers of Personal Data subject to the GDPR or Swiss data protection law:

– to any country subject to a valid adequacy decision of the European Commission;

– on the basis of an organization’s Binding Corporate Rules; and

– to any data importer with whom the Data Processor has entered into Standard Contractual Clauses.

11.2. By incorporating this Agreement into the Principal Agreement, the Data Controller and the Data Processor conclude Module 2 (Controller-to-Processor) of the Standard Contractual Clauses, which shall apply to Personal Data subject to the GDPR or Swiss data protection law, and which are hereby incorporated and completed as follows: the “Data Exporter” is the Data Controller; the “Data Importer” is the Data Processor; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 1 is implemented and the time period therein is specified at thirty (30) days; the optional redress clause in Clause 11(a) is struck; Clause 17 option 1 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Ireland; Annex I, II and III to the Standard Contractual Clauses are Schedule 3, 2 and 4 to this agreement respectively.

11.3. The Data Controller hereby authorizes the Data Processor to perform International Data Transfers of Personal Data subject to UK Data Protection Law:

– to any country subject to a valid adequacy decision of the UK government;

– to the extent authorized by the competent UK authority on the basis of an organization’s Binding Corporate Rules; and

– to any data importer with whom the Data Processor has entered into the UK Addendum or other standard contractual clauses approved by the UK Information Commissioner’s Office.

11.4. By incorporating this Agreement into the Principal Agreement, the Data Controller and the Data Processor conclude the UK Addendum in addition to the Standard Contractual Clauses, which applies to Personal Data subject to UK Data Protection Law, and which is hereby incorporated, and Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is the Data Controller and the “Importer” is the Data Processor, their details are set forth in the preamble of this Agreement, and their key contacts and signatures are laid down in the signature page of the Principal Agreement or amendment to the Principal Agreement incorporating this Agreement by reference; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Standard Contractual Clauses referred to in Section 11.2 of this Agreement; (iii) in Table 3, “Annex 1A” and “Annex 1B” to the “Approved EU SCCs” are Schedule 3 to this Agreement, “Annex II” to the “Approved EU SCCs” is Schedule 2 to this Agreement and “Annex III” to the “Approved EU SCCs” is Schedule 4 to this Agreement; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

11.5. All authorizations of International Data Transfers are expressly conditioned upon the Data Processor’s ongoing compliance with the requirements of EU Data Protection Laws and any applicable legal instrument for International Data Transfers. If such compliance is affected by circumstances outside of the Data Processor’s control, including circumstances affecting the validity of an applicable legal instrument, the Data Controller and the Data Processor will work together in good faith to reasonably resolve such non-compliance.

12. General Terms

12.1. Notices. All notices and communications given under this Agreement must be in writing and will be sent by email. The Data Controller shall be notified by email sent to the address related to its use of the Services under the Principal Agreement. The Data Processor shall be notified by email sent to the address: privacy@AnitaB.org.

12.2. Confidentiality. Each Party must keep any information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

(a) disclosure is required by law;

(b) the relevant information is already in the public domain.

13. Governing Law and Jurisdiction

13.1. This Agreement is governed by the law of Ireland.

13.2. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Ireland.


Schedule 1: Data Processing and Security

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The Data Processor will, at a minimum, implement the following types of security measures:

1. Physical access control

Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware), where Company Personal Data are Processed, include:

☐ Establishing security areas, restriction of access paths;

☐ Establishing access authorizations for employees and third parties;

☐ Access control system (ID reader, magnetic card, chip card);

☐ Key management, card-keys procedures;

☐ Door locking (electric door openers etc.); and

☐ Surveillance facilities, video/CCTV monitoring.

2. Virtual access control

Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:

☐ User identification and authentication procedures;

☐ ID/password security procedures;

☐ Monitoring of break-in attempts;

☐ Creation of single sign-on access for users; and

☐ Encryption of archived data media.

3. Data access control

Technical and organizational measures to ensure confidentiality and that persons entitled to use a data processing system gain access only to such Company Personal Data in accordance with their access rights, and that Company Personal Data cannot be read, copied, modified or deleted without authorization, include:

☐ Internal policies and procedures;

☐ Control authorization schemes;

☐ Differentiated access rights (depending on the roles);

☐ Monitoring and logging of accesses;

☐ Disciplinary action against employees who access Company Personal Data without authorization;

☐ Access procedure;

☐ Change procedure;

☐ Deletion procedure; and

☐ Encryption.

4. Disclosure control

Technical and organizational measures to ensure that Company Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Company Personal Data are disclosed, include:

☐ Encryption/Pseudonymization/tunneling;

☐ Logging; and

☐ Transport security.

5. Entry control

Technical and organizational measures to monitor whether Company Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:

☐ Logging and reporting systems; and

☐ Audit trails and documentation.

6. Control of instructions

Technical and organizational measures to ensure that Company Personal Data are Processed solely in accordance with the instructions of the Data Controller include:

☐ Unambiguous wording of the contract;

☐ Formal commissioning (request form); and

☐ Criteria for selecting the Data Processor.

7. Availability control

Technical and organizational measures to ensure the integrity, availability and resilience of the processing systems, and that Company Personal Data are protected against accidental destruction or loss (physical/logical) include:

☐ Backup procedures;

☐ Highly available, fault tolerant Cloud data storage;

☐ Uninterruptible power supply (UPS);

☐ Remote storage;

☐ Anti-virus/firewall systems; and

☐ Disaster recovery plan, in the event of a physical or technical incident.

8. Separation control

Technical and organizational measures to ensure that Company Personal Data collected for different purposes can be Processed separately include:

☐ Separation of databases;

☐ “Internal client” concept / limitation of use;

☐ Segregation of functions (production/testing); and

☐ Procedures for storage, amendment, deletion, transmission of data for different purposes.

9. Testing controls

Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the Processing include:

☐ Periodic review and testing of disaster recovery plan;

☐ Testing and evaluation of software updates before they are installed; and

☐ Authenticated (with elevated rights) vulnerability scanning.

10. IT governance

Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:

☐ Certification/assurance of processes and products;

☐ Processes for data minimization;

☐ Processes for data quality;

☐ Processes for limited data retention;

☐ Processes for ensuring accountability; and

☐ Data subject rights policies.

11. Employee checks and training

☐ Background check of employees at time of hire

☐ Requiring new employees to complete security training and receive annual and targeted training (as needed and appropriate to their role)

☐ Periodic security awareness campaigns to educate personnel

☐ Preventing terminated employees from accessing information systems

12. Incident response and breach notification

☐ Employing an incident response framework to manage and minimize the effects of Personal Data Breaches

☐ Internal incident response team

☐ Investigation team performing a root cause analysis and identifying affected parties

☐ Internal reporting and documenting

☐ Post-incident review

☐ Providing notice to affected customers


The measures in this Schedule apply to all transfers described in this Agreement. The Data Processor will contractually require its Subprocessors to implement materially equivalent security measures.


Schedule 2: Description of the data processing carried out on behalf of the Controller

In addition to the information provided in this Schedule and elsewhere in the Agreement, the Parties wish to document the following information in relation to the Processing of Company Personal Data:

A. LIST OF PARTIES

Data Exporter

  • Name: The Data Controller
  • Address: See the signature page of the Principal Agreement or amendment to the Principal Agreement incorporating this Agreement by reference
  • Contact person’s name, position and contact details: See the signature page of the Principal Agreement or amendment to the Principal Agreement incorporating this Agreement by reference
  • Activities relevant to the data transferred under these Clauses: Sharing Personal Data with the Data Processor for the provision of the Services described in the Agreement
  • Signature and date: See signature page of the Principal Agreement or amendment to the Principal Agreement incorporating this Agreement by reference
  • Role (controller/processor): Controller


Data Importer

  • Name: The Data Processor
  • Address: See the signature page of the Principal Agreement or amendment to the Principal Agreement incorporating this Agreement by reference
  • Contact person’s name, position and contact details: See the signature page of the Principal Agreement or amendment to the Principal Agreement incorporating this Agreement by reference
  • Activities relevant to the data transferred under these Clauses: Providing the Services described in the Agreement
  • Signature and date: See the signature page of the Principal Agreement or amendment to the Principal Agreement incorporating this Agreement by reference
  • Role (controller/processor): Processor on behalf of the Controller


B. DESCRIPTION OF INTERNATIONAL DATA TRANSFER

  • Categories of Data Subjects whose Personal Data is transferred:
    1. Attendees of events hosted by AnitaB.org, its affiliates or communities.
    2. End-users of AnitaB.org products and services.
  • Categories of Personal Data transferred:
    1. Name
    2. Email Address
    3. Country of Residence
    4. Date of Birth
    5. Company Affiliation(s)
    6. Career Level
    7. Information typically included on a resume
    8. Payment Processing information
    9. Gender
    10. Mailing Address
    11. Phone Number
    12. Age
    13. Organization/Company
    14. Professional Title
    15. Professional Affiliation
    16. Education Level
    17. Special Accommodations
    18. Social Media Data (handles, content, etc.)
    19. Biological Sex
    20. Caregiver Status
    21. Sensitive Data (All Optional):
       a. Racial background
       b. Food Allergies
  • While some of the data collected is mandatory to carry out the purpose of the organization and provide products and services to the individual, much of it is optional, including the sensitive data category in its entirety.
  • Additional measures are taken with respect to the sensitive data to ensure its security, including:
  • Access Restrictions: Access to sensitive data is limited to those who “need to know” and never shared with sponsors or third parties unless absolutely necessary to perform the terms of a contract (such as with a catering vendor, whether aggregated and anonymized or otherwise). Additionally, the staff with access to this data has completed training on how to handle data in a way to limit unauthorized disclosures.
  • Data Erasure: Once the sensitive data is no longer needed, it is promptly and completely deleted and erased from all sources.
  • The frequency of the International Data Transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis): On a continuous basis.
  • Nature of the processing: The Personal Data will be Processed and transferred as described in the Principal Agreement and the Agreement.
  • Purpose(s) of the International Data Transfer and further Processing: The Personal Data will be transferred and further Processed for the provision of the Services as described in the Principal Agreement.
  • The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws.
  • For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing: For the subject matter and nature of the Processing, reference is made to the Principal Agreement and this Agreement. The Processing will take place for the duration of the Agreement.


C. COMPETENT SUPERVISORY AUTHORITY

  • The Supervisory Authority is the supervisory authority of Ireland.


Schedule 3: List of subprocessors

The Data Controller authorizes the Data Processor to engage the Subprocessors listed on the following page, as updated from time to time: https://anitab.org/subprocessor-list/