LogicGate Transfer Mechanisms

The below Transfer Mechanisms and U.S. State Specific Contract Clauses are made available by LogicGate under the written agreement or electronic terms of service or subscription agreement between LogicGate and Customer that expressly references this site, including the UK Addendum (the “Agreement”), and, where applicable, are incorporated into the Agreement by reference. All capitalized terms not defined herein shall have the meanings set forth in the Agreement.

In the event of any conflict between these Transfer Mechanisms and the LogicGate Master Services Agreement (“MSA”) or Data Processing Addendum (“DPA”), the DPA shall prevail with respect to data protection matters, and the MSA shall prevail with respect to all other matters, except as expressly required by applicable Data Protection Laws.

Definitions

• “CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act.
• “Data Privacy Framework” means (as applicable) the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework self-certification programs operated by the U.S. Department of Commerce, and their respective successors.
• “Data Privacy Framework Principles” means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as may be amended, superseded, or replaced from time to time.
• “DPA” means the Data Processing Addendum incorporated into the Agreement and made available at https://www.logicgate.com/data-processing-addendum.
• “European Transfer” means a transfer (directly from Customer to LogicGate or via onward transfer by LogicGate) of Customer Personal Data that is subject to EU & UK Data Protection Laws or Data Protection Laws of Switzerland to a country outside the European Economic Area, the United Kingdom, and Switzerland.
• “Standard Contractual Clauses” means the standard contractual clauses approved pursuant to Commission Decision (EU) 2021/91 of 4 June 2021 located at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en&uri=CELEX:32021D0914.
• “UK Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018 located at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf.

1. European Transfers

If the Data Privacy Framework applies to the European Transfer, LogicGate shall ensure that it provides at least the same level of protection to such Customer Personal Data as is required by the Data Privacy Framework Principles.

If Data Protection Laws applicable to the European Transfer require the European Transfer to be subject to appropriate safeguards, the Parties agree to the application of the Standard Contractual Clauses and UK Addendum (as applicable) to such European Transfer, and the respective European Transfer shall be governed by such terms as further described below.

EEA Transfers

In the case of data transfers from the EEA, the parties deem Module 1 of the Standard Contractual Clauses (Controller to Controller), Module 2 of the Standard Contractual Clauses (Controller to Processor) and/or Module 3 of the Standard Contractual Clauses (Processor to Processor) (as applicable pursuant to Section 3.1 of the DPA) to be entered into, incorporated into the Agreement by this reference and completed as follows:

• Clause 7: The optional docking clause will not apply.
• Clause 9: Option 2 will apply and the written notice period for changes related to sub-processors will be as set forth in Section 4.3 of the DPA.
• Clause 11: The optional language will not apply.
• Clause 14: The parties agree to complete and document a transfer impact assessment. The importer agrees to provide the relevant information necessary to conduct such an assessment including but not limited to, the location of the data processing, the utilized transfer tool(s) and their effectiveness, and, where applicable, the supplementary measures required to be implemented under Data Protection Laws.
• Option 1 of Clause 17: Standard Contractual Clauses will be governed by Dutch law.
• Clause 18.b: disputes will be resolved by the Courts of the Netherlands.

Part A (List of Parties) of Annex I of the EU Commission’s Standard Contractual Clauses is completed as follows:

• Data Exporter(s): Customer.
  • Contact data: The email address and other contact details as set forth in the applicable Order Form.
  • Activities relevant to the data transferred under the Standard Contractual Clauses: The activities set forth in Section 3.5 of the DPA.
  • Signature and date: Effective date of the Agreement.
  • Role (controller/processor): The role set forth in Section 3.1 of the DPA.

• Data importer: LogicGate.
  • Contact data: The email address and other contact details as set forth in Section 13.7 of the MSA.
  • Activities relevant to the data transferred under the Standard Contractual Clauses: The activities set forth in Section 3.5 of the DPA.
  • Signature and date: Effective date of the Agreement.
  • Role (controller/processor): The role set forth in Section 3.1 of the DPA.

Part B (Description of Transfer) of Annex I of the Standard Contractual Clauses is completed as follows: Section 3.5 of the DPA will serve as Part B (Description of Transfer) of Annex I of the Standard Contractual Clauses.

Part C (Competent Supervisory Authority) of Annex I of the Standard Contractual Clauses is completed as follows:

• If the exporter is established in an EU Member State: the applicable EU Member State in which the exporter is established.
• If the exporter is not established in an EU Member State but falls within the territorial scope of the GDPR and has appointed a representative pursuant to the GDPR: the supervisory authority of the Member State in which the representative is established. 
• If the exporter is not established in an EU Member State but falls within the territorial scope of the GDPR and has not appointed a representative pursuant to the GDPR: the supervisory authority of the EU Member State in which the majority of Data Subjects whose Personal Data are transferred under the Standard Contractual Clauses are located.

Annex II (Technical and Organisational Measures including Technical and Organisational Measures to Ensure the Security of the Data) of the Standard Contractual Clauses is completed as follows: Section 5.1 of the DPA will serve as Annex II of the Standard Contractual Clauses.

Swiss transfers

In the case of data transfers from Switzerland, the Parties agree to the application of the Standard Contractual Clauses incorporated into the Agreement by this reference, which was formally recognized by the Federal Data Protection and Information Commissioner of Switzerland and completed where applicable as set out in Section 1.A (EEA transfers) above with the following amendments: (i) references made to the General Data Protection Regulation in the Standard Contractual Clauses shall include the reference to the similar provisions of Switzerland’s Federal Act on Data Protection (as amended or replaced), (ii) the Federal Data Protection and Information Commissioner shall be the exclusive competent supervisory authority according to Clause 13 and Part C of Annex I of the Standard Contractual Clauses, (iii) in accordance with Clause 17, the Standard Contractual Clauses will be governed by Swiss law if the data transfer is exclusively subject to Switzerland’s Federal Act on Data Protection (as amended or replaced), and (iv) the term ‘member state’ included in the Standard Contractual Clauses should not be interpreted in a way that would preclude data subjects in Switzerland to enforce their rights at their place of habitual residence.

UK transfers

In the case of data transfers from the UK, the parties agree to the application of the UK Addendum incorporated into the Agreement by this reference and completed as follows.

• Table 1/Parties: The details of parties are as set forth in Section 1.A (EEA Transfers) above.
• Table 2/Selected SCCs, modules, and Selected Clauses: The details about Standard Contractual Clauses and selected clauses are as set forth in Section 1.A (EEA Transfers) above.
• Table 3/Appendix Information:
  • List of Parties: The details about parties are as set forth in Section 1.A (EEA Transfers) above.
  • Description of Transfer: The description of the transfer is as set forth in Section 3.5 of the DPA.
  • Technical and organisational measures including technical and organisational measures to ensure the security of the data: Security measures are as set forth in Section 5.1 of the DPA.
  • List of Sub processors: Authorizations related to transfers to sub-processors are as set forth in Section 3.5 of the DPA.
• Table 4: Ending this Addendum when the Approved Addendum Changes: Both the importer and exporter may end the UK Addendum as set forth in the UK Addendum.

If the Data Privacy Framework or Standard Contractual Clauses apply and LogicGate makes a determination that (i) it can no longer comply with its obligations under the Data Privacy Framework, Standard Contractual Clauses or UK Addendum, respectively, and (ii) use of another Transfer Mechanisms is not possible, LogicGate shall promptly notify Customer and work with Customer to take reasonable and appropriate steps to remediate such non-compliance.

2. U.S. State-Specific Contract Clauses Prescribed by Data Protection Laws

California: If Customer uploads Customer Personal Data to the Service, which includes personal information governed by the CCPA, then the below clauses shall additionally apply in relation to LogicGate’s role as a ‘Service Provider’ for such Customer Personal Data. Terms used below that are defined by the CCPA shall have the definition in the CCPA.

1. LogicGate shall not sell or share Customer Personal Data.
2. LogicGate shall not combine Customer Personal Data with Personal Information obtained from, or on behalf of, sources other than Customer, except as expressly permitted under the CCPA. However, Customer’s use of the Service to combine Customer Personal Data with Personal Information which it receives from or on behalf of another person or persons shall be deemed combining by Customer, and not LogicGate.
3. LogicGate shall process the Customer Personal Data on behalf of Customer only to provide the LogicGate Offerings and acknowledges that Customer is disclosing the Customer Personal Data to  LogicGate only for the limited and specified business purpose(s) set forth within the Agreement. For the avoidance of doubt, the specific business purposes include; the Service and Technical Services (both as defined in the Agreement), as well as any support and other ancillary services (including, without limitation, services to prevent or address service or technical problems) provided pursuant to the Agreement.
4. LogicGate shall not retain, use, or disclose the Customer Personal Data (i) for any purposes (including commercial purposes) other than those business purposes specified in the Agreement and as described in section 3 above, or (ii) outside the direct business relationship between LogicGate and Customer, unless, in each case, expressly permitted by the CCPA and its regulations.
5. LogicGate shall comply with all applicable sections of the CCPA and its regulations, including, with respect to Customer Personal Data, providing the same level of privacy protection as required of businesses by the CCPA and its regulations.
6. LogicGate’s commitments related to security and safeguards for Customer Personal Data, audits, use of its own service providers, and LogicGate’s cooperation in connection with data subject requests are all as set forth in the Agreement.
7. LogicGate shall notify Customer no later than five business days after LogicGate makes a determination that it can no longer meet its obligations under the CCPA and its regulations. Upon such notice from LogicGate, Customer may direct LogicGate to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data by deleting all or the relevant portion of Customer Personal Data from the Service or by such other means as agreed between the parties.