DPL

Change information:


The Polar Security Data Processing Addendum at https://www.polar.security/legal/dpa (DPA) applies to the Processing of Personal Data by Polar Security on behalf of Customer under the Agreement in order to provide and improve the Polar Security Services and other Polar Security services that utilize the same underlying technology or tools, and as otherwise set out in the Agreement, if and to the extent i) the European General Data Protection Regulation (EU/2016/679) (GDPR); or ii) any other data protection laws identified below apply.

The Appendix on Additional Safeguards to EU Standard Contractual Clauses, reproduced below, supplements and is made part of the EU SCCs and UK SCCs set out in Schedule 1 of the DPA.

The DPA prevails over any conflicting term of the Agreement.


European Economic Area:

European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Art. 28 of the GDPR.

United Kingdom:

The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), and the UK Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended, superseded or replaced.

For the purpose of Section 8 of the DPA, the EU SCC and United Kingdom’s International Data Transfer Addendum to the European Commission’s standard contractual clauses for international transfers (together, the UK SCC) will be implemented for transfers to Non-Adequate Countries subject to the UK General Data Protection Regulation. By entering into the Agreement, the Parties therefore agree that reference to the EU SCC in Section 8 of the DPA shall also include the UK SCC.

Switzerland:

The Swiss Federal Act on Data Protection of 19 June 1992 (“FADP”), as amended, superseded or replaced.

For the purpose of Section 8 of the DPA and the Transborder Data Processing provisions of Schedule 1 of the DPA, the EU SCC will be implemented for transfers to Non-Adequate Countries subject to the FADP, as amended and adapted as follows:


  (i)  the Swiss Federal Data Protection and Information Commissioner (FDPIC) is the competent supervisory authority in accordance with Clause 13 and Annex I.C of the EU SCC; and
  (ii)  the governing law in accordance with Clause 17 of the EU SCC shall be Swiss law in case the data transfer is exclusively subject to the FADP; and
  (iii)  the term "member state" must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18 of the EU SCC; and
  (iv)  references to the GDPR in the EU SCC shall also include references to the equivalent provisions of the FADP (as amended or replaced).


Serbia:

Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti; Official Gazette of the Republic of Serbia, no 87/2018).

In the case of a transfer of Customer Personal Data to a Non-Adequate Country, by entering into the Agreement, the Customer is entering into the Serbian Standard Contractual Clauses (Serbian SCC) as adopted by the "Serbian Commissioner for Information of Public Importance and Personal Data Protection", published at https://www.poverenik.rs/images/stories/dokumentacija-nova/podzakonski-akti/Klauzulelat.docx to provide an adequate level of protection. References to the EU Standard Contractual Clauses (EU SCC) in Section 8 of the DPA and in Schedule 1 of the DPA shall mean the Serbian SCC.

Information required to complete Appendices 1 to 8 of the Serbian SCC for the purpose of governing the transfer of Personal Data to a Non-Adequate Country can be found in the DPA and Schedule 1 of the DPA.

Upon request, Polar Security will provide a copy of the Serbian SCCs in the Serbian language signed by the Polar Security Data Importers and a courtesy translation in English. Please submit requests to ChiefPrivacyOffice@ca.ibm.com.

Brazil:

Brazil's General Data Protection Law, Lei Geral de Proteção de Dados (LGPD), upon entering into force. For the sake of clarity, Polar Security's obligations to a Customer under the DPA are only those express obligations imposed by the LGPD on a "Data Processor (operador)" for the benefit of a "Data Controller (controlador)" (including new Section 1.6 below), as "Data Controller (controlador)" and "Data Processor (operador)" are defined by the LGPD:

1.6 Each party is responsible for fulfilling its respective obligations set out in the LGPD, and Customer will only issue Processing instructions, as set forth in Section 1.3 of this DPA, that enable Polar Security to fulfil its LGPD obligations.

For the purpose of Section 8, the EU SCC will be used for transfers to Non-Adequate Countries as per the GDPR.

State of California, United States:

The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA) and its implementing regulations upon entering into force (referred to together below as the CCPA). Polar Security's obligations to Customer under the DPA are those that the CCPA requires that a "Business" have in place with a "Service Provider" (including amended Section 1.3 and new Sections 1.6 - 1.7), as "Service Provider" and "Business" are defined by the CCPA:


1.3 The following wording is added to the end of Section 1.3 of the DPA: Polar Security will notify Customer if Polar Security determines that it can no longer meet its obligations under the CCPA. In the event of unauthorized use of Customer Personal Information, Customer has the right, on notice, to take reasonable and appropriate steps to stop and remediate such unauthorized use of Customer Personal Information.


1.6 Polar Security will not further combine Customer Personal Information, or use, retain or disclose Customer Personal Information outside of the direct business relationship between Polar Security and Customer, or for any purpose other than to perform the Services and the business purpose(s) specified in the Agreement (including Schedule 1 of the DPA), or as otherwise permitted by the CCPA. Polar Security will not sell or Share Customer Personal Information.


1.7 Unless expressly permitted in a TD, Polar Security commits not to re-identify any Customer deidentified data Polar Security processes on behalf of Customer (Customer Deidentified Data), and to take reasonable measures that are available to Polar Security to avoid Customer Deidentified Data being associated with a Consumer or Household, in compliance with its obligations under CCPA. If Polar Security is instructed by Customer in a TD to re-identify Customer Deidentified Data, Polar Security will treat Customer Deidentified Data as Customer Personal Information subject to the terms of this DPA.


The terms used in the applicable provisions of the DPA shall be replaced as follows: "Personal Data" shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; "Data Subject" shall mean "Consumer"; “Special Categories of Personal Data” shall mean “Sensitive Personal Information”; “Deidentified Data” shall mean data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable Consumer, or a device linked to such person; and “business purpose”, “Household”, and “Share” shall have the meaning given to them by the CCPA.

China:

The People’s Republic of China Personal Information Protection Law (PIPL) upon entering into force. For the sake of clarity, Polar Security's obligations to Customer under the DPA are those that the PIPL requires that Polar Security as "Entrusted Person" have in place with a "Personal Information Handler", as "Entrusted Person" and "Personal Information Handler" are referenced in the PIPL.

Singapore:

The Personal Data Protection Act 2012 (No. 26 of 2012), as amended from time to time, and its accompanying regulations. For the sake of clarity, Polar Security's obligations to Customer under the DPA are only those express obligations imposed by the PDPA on a "Data Processor (data intermediary)" when processing personal data on behalf of a "Data Controller (organisation)" pursuant to a contract, as "organisation" and "data intermediary" are defined by the PDPA.

In case of a transfer of Customer Personal Data outside of Singapore, the DPA applies excluding Section 8.


South Africa:

The Protection of Personal Information Act (POPIA) upon entry into force. For the sake of clarity, Polar Security's obligations to Customer under the DPA are those that POPIA requires that Polar Security as "Operator" have in place with a "Responsible Party", as "Responsible Party" and "Operator" are referenced in POPIA.


In case of a transfer of Customer Personal Data outside of South Africa, the DPA applies excluding Section 8.


Thailand:

The Personal Data Protection Act B.E. 2562 (2019) (PDPA) upon entry into force.

In case of a transfer of Customer Personal Data outside of Thailand, the DPA applies excluding Section 8.


States of Virginia, Colorado and Connecticut (as applicable), United States:  

The Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (COPA), and the Connecticut Data Privacy Act (CTDPA), upon entering into force. For the sake of clarity, Polar Security's obligations to Customer under the DPA are only those express obligations imposed by the VCDPA, COPA and CTDPA (as applicable) on a "Processor" when processing Customer Personal Data on behalf of a "Controller" (including new Section 1.6 below), as "Processor" and "Controller" are defined by the VCDPA, COPA and CTDPA (as applicable):

1.6 Unless expressly permitted in a TD, Polar Security commits not to re-identify any Customer De-identified Data Polar Security processes on behalf of Customer (Customer De-identified Data), and to take reasonable measures that are available to Polar Security to avoid Customer De-identified Data being associated with a natural person, in compliance with its obligations under VCDPA, COPA and CTDPA (as applicable). If Polar Security is instructed by Customer in a TD to re-identify Customer De-identified Data, Polar Security will treat Customer De-identified Data as Customer Personal Data subject to the terms of this DPA. 

The terms used in the applicable provisions of the DPA shall be replaced as follows: "subprocessor" shall mean "subcontractor"; "Data Subject" shall mean "Consumer"; "Special Categories of Personal Data" shall mean "Sensitive data"; "Data Protection Impact Assessment" shall mean "data protection assessment"; and “De-identified Data” shall mean “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or a device linked to such person in accordance with VCDPA, COPA and CTDPA (as applicable).”


Japan:

The Japanese Act on the Protection of Personal Information no. 57 of 2003 (APPI), as amended and its accompanying regulations.


For the sake of clarity, Polar Security's obligations to Customer under the DPA shall be those that the APPI requires Customer to have in place as “Business Operator”, to entrust the processing of Customer Personal Data to Polar Security as “entrusted Business Operator”, as such terms are used in the APPI.

In case of a transfer of Customer Personal Data from Japan to an overseas country for purposes of the APPI, the DPA applies and Section 8 "Transborder Data Processing" is replaced as follows:

8. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the Customer Personal Data by Polar Security prevent them from implementing their obligations under the DPA and Schedule 1 of the DPA.

The parties agree to notify each other if, after having agreed to this DPA and for the duration of the contract, a party has reason to believe that either party cannot comply with its obligations under the DPA. In that case, the parties will cooperate in good faith to identify appropriate measures to be adopted to address the situation. If no appropriate measures can be implemented, the parties will evaluate together whether to suspend the transfer of Customer Personal Data.

Customer acknowledges that Polar Security’s service is not designed to handle Specific Personal Information as defined and subject to the Japanese My Number Act (i.e., the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No.27 of 2013), as may be amended), unless otherwise agreed between Polar Security and Customer in the Agreement.


Appendix on Additional Safeguards to EU Standard Contractual Clauses (EU SCCs)

1.     In accordance with the July 16, 2020 decision of the Court of Justice of the European Union (CJEU) in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems, and without prejudice to any provisions of the DPA, Polar Security will undertake additional safeguards to secure Personal Data transferred on the basis of European Union (EU) Standard Contractual Clauses (SCCs) to those countries whose laws are likely to have a substantial adverse effect on the level of data protection offered by the EU SCCs and required under EU and UK data protection law.

2.     Polar Security will implement and maintain the technical and organizational measures specified in Schedule 1 of the DPA, such as encryption, access controls, or similar technologies, as applicable and agreed with the Customer, to protect Customer Personal Data against any processing for national security or other government purposes that is determined to be massive, disproportionate, or indiscriminate in a manner that goes beyond what is necessary in a democratic society, considering the type of processing activities and Polar Security’s scope of responsibility.

3.     For the purposes of safeguarding Customer Personal Data when any government or regulatory authority requests access to such data, Polar Security has implemented and shall continue to comply with the provisions of the following documents which remain accurate and valid: "Letter to Our Customers About Government Access to Data" and available to Customers since its publication on March 14, 2014 ("Data Access Letter"); and "Law Enforcement Requests Transparency Report" ("Transparency Report").

4.     In the event of any such request for access to Customer Personal Data by a government or regulatory authority:

a.     in accordance with the Data Access Letter and Transparency Report, Polar Security will notify Customer of such request to enable the Customer to take all necessary actions to communicate directly with the relevant authority and respond to such request. If Polar Security is prohibited by law from notifying the Customer of such request, it will make best reasonable efforts to challenge such prohibition and commits to providing the minimum amount of information permissible when responding, based on a reasonable interpretation of the order; and

b.     if, regardless of all such efforts, Polar Security is prohibited by law from notifying the Customer, then upon request of the Customer and in accordance with applicable law, Polar Security will provide to such Customer general information relating to any such requests received from a government or regulatory authority during the preceding 12-month period.