SUPPLIER DATA PROCESSING ADDENDUM
This Supplier Data Processing Addendum (“DPA”) forms a part of the parties’ purchasing agreement (“Agreement”) by and between Scout Motors Inc. (“Scout” or “Controller”) and Seller as defined in the Agreement (“Processor”). Each party to this DPA may be individually referred to as “Party” or collectively as the “Parties.”
Processor certifies that it understands and agrees to comply with the terms of this DPA. In the event of any conflict between this DPA and the Agreement, the terms of this DPA control.
1. CERTAIN DEFINITIONS
“Approved Subprocessor” means a service provider who has a need to know or access Personal Data to enable Processor to perform its obligations under this DPA, and who is either: (1) pre-approved by Controller; or (2) subsequently authorized by Scout as set forth in Section 7.
“Privacy and Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States applicable to the Processing of Personal Data under the Agreement, including but not limited to the General Data Protection Regulation, 2016/679 (the “GDPR”), the UK General Data Protection Regulation, General Data Protection Regulation, 2016/679 (“Retained EU Law”) as also defined in Section 3(10) DPA 2018, and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CPRA”) and any related regulations or guidance (collectively the “CCPA”).
“Data Subject” means an identified or identifiable natural person, who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data” means any information relating to an identified or identifiable natural person that is Processed by Processor on behalf of Controller and any information defined as “Personal Data”, “Personal Information”, “Personally Identifiable Information”, or the like under Privacy and Data Protection Laws and includes the meaning set forth in the CCPA. The term Personal Data also includes “Sensitive Personal Information” as defined in the CCPA.
“Personal Data Breach” means a suspected or actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Process(ing/ed)” means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“EEA Standard Contractual Clauses” means the applicable Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and any subsequent adopted versions.
“UK Standard Contractual Clauses” means the applicable Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to UK General Data Protection Regulation, General Data Protection Regulation, 2016/679 (Retained EU Law) as also defined in Section 3(10) DPA 2018 (the “UK GDPR”), and any subsequent adopted versions.
“Supervisory Authorities” means an independent public authority that is established by an EU Member State pursuant to the GDPR or its equivalent in the United Kingdom.
Capitalized terms used but not defined in this DPA will have the meaning set forth in the Agreement.
2. PROCESSING OF PERSONAL DATA.
Role of the Parties. The Parties acknowledge and agree that Scout is the Controller under the Agreement and that the Controller determines the purposes and means of the Processing of Personal Data and that Processor is the Processor under the Agreement and that the Processor Processes Personal Data on behalf of Controller. Communications between the Parties related to this DPA shall be conducted primarily by the individuals set forth in the Agreement.
Processing Instructions. Controller shall determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by Processor. A description of the Processing authorized under this DPA is set forth on Attachment A, Schedule 1. Processor shall only Process the Personal Data on behalf of Controller strictly in accordance with Controller’s instructions and only as instructed in writing by Controller for the purposes authorized by Controller in accordance with this DPA.
Controller Obligations. Controller represents that it has the right to lawfully provide the Personal Data to Processor for the Processing to be performed in relation to the Services and shall comply with all applicable Privacy and Data Protection Laws.
Processor’s Obligations. Without limiting the foregoing, Processor shall:
Comply with all applicable Privacy and Data Protection Laws;
Treat all Personal Data as confidential information and will not disclose such Personal Data without Controller’s prior written consent except to those personnel who need to know the confidential information in order to carry out the Services. Processor agrees to take all necessary steps to ensure such personnel are obliged to keep such Personal Data confidential through contractual obligations or statutorily. Where it is required by a court to disclose Personal Data, or there is a statutory obligation to do so, Processor may disclose Personal Data only to the minimum extent necessary to comply with such court order or statutory obligation provided that the Processor gives the Controller prompt written notice of such order or obligation prior to disclosure to the extent permitted by applicable law;
Not engage another processor to Process Personal Data without Controller's prior written approval;
Make available to Controller all information necessary to demonstrate its compliance with all Privacy and Data Protection Laws and obligations;
Immediately notify Controller if, in Processor's opinion, an instruction infringes upon a Privacy and Data Protection Law;
Take all necessary steps to ensure the reliability of any employee, agent or contractor of any Approved Subprocessor, if approved in accordance with this DPA, who may have access to Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Privacy and Data Protection Law in the context of that individual's duties to the Approved Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality;
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures referred to in Article 32 of the GDPR and in compliance with all other Privacy and Data Protection Laws. Processor shall additionally maintain the confidentiality of the Personal Data using the same degree of care as Processor employs in maintaining in confidence Processor’s own proprietary and confidential information of a like nature, but in no event using less than a reasonable degree of care. Without limiting the generality of the foregoing, Processor has implemented and shall continue to maintain reasonable and effective physical, electronic, procedural, administrative and technical controls and safeguards (the “Safeguards”) similar to the ones found in the NIST CSF, ISO/IEC 27001, or other recognized standards or cyber security frameworks, which are designed to meet the following objectives:
to protect the security and confidentiality of the Personal Data;
to protect against anticipated threats or hazards to the security or integrity of the Personal Data; and
to protect against unauthorized access to, use of or disclosure of the Personal Data. Specifically, Processor shall encrypt, anonymize, and/or redact the Personal Data where possible. Processor shall ensure that all Safeguards are regularly reviewed and revised to address evolving threats and vulnerabilities while Processor has responsibility for the Personal Data under the terms of this Agreement, and additionally assist the Controller in ensuring compliance with the data security requirements in Articles 32 to 36 of the GDPR considering the nature of the Processing and the information available to the Processor; and
Not re-identify, reverse engineer or attempt to re-identify, any Personal Data, or any parts of it, to the extent that the Personal Data has been deidentified, anonymized or pseudonymized.
3. PERSONAL DATA BREACH
Policies/Procedures and Notification. Processor shall maintain security incident management policies and procedures, and shall notify Controller without undue delay (in any event, within 24 hours) upon Processor becoming aware of a Personal Data Breach affecting the Personal Data, providing Controller with sufficient information as Controller reasonably requires and to allow Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Privacy and Data Protection Laws, including but not limited to:
the nature of the Personal Data Breach, including the categories and approximate numbers of Data Subjects and approximate number of personal data records concerned;
the status of any investigations into such Personal Data Breach;
the likely consequences of the Personal Data Breach;
any measures to be taken to address the Personal Data Breach; and
the name and contact details of the data protection officer or other contact point where more information can be obtained. Processor further agrees to provide full cooperation and assistance in identifying the cause of such Personal Data Breach and shall take necessary action to remediate the cause. Processor shall additionally provide Controller full and prompt cooperation and assistance in relation to any notifications that Controller is required to make as a result of the Personal Data Breach.
4. RIGHTS OF DATA SUBJECTS
Data Subject Request. Processor shall promptly notify Controller if Processor receives any request from a Data Subject to exercise the following Data Subject rights in relation to Personal Data: access, to know, delete, opt-out of sale or sharing, rectification, restriction of Processing, erasure, data portability, objection to the Processing, or not to be subject to automated individual decision making, or any consumer request allowable under Privacy and Data Protection Law (each, a “Data Subject Request”). Processor shall not respond to a Data Subject Request without the Controller’s prior written approval.
Assistance. Processor shall provide best efforts supporting Controller’s obligations in connection with a Data Subject Request within the relevant timescales set out by Privacy and Data Protection Laws and in accordance with Controller’s instructions. Processor shall further assist Controller by implementing appropriate technical and organizational measures for the fulfillment of Controller’s obligations to respond to a Data Subject Request.
5. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Assistance from Processor. Processor shall provide reasonable assistance to Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Controller considers to be required by Articles 35 or 36 of the GDPR or equivalent provisions of any other Privacy and Data Protection Law, in each case in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Processor or Approved Subprocessors, if any.
6. INTERNATIONAL DATA TRANSFERS
Consent and Compliance. Processor shall Process Personal Data involving European Economic Area, Switzerland or UK residents outside those jurisdictions, as the case may be, only as permitted under the GDPR, UK GDPR or other Privacy and Data Protection Laws, including but not limited to:
where it is determined by the European Union that the destination of the transfer is deemed to have an adequate level of protection under Article 45 of the GDPR; or
where such transfers are governed by a valid mechanism for the lawful transfer of Personal Data recognized under the GDPR and other Privacy and Data Protection Laws, such as by entering into the appropriate versions of the EEA Standard Contractual Clauses or UK Standard Contractual Clauses.
7. SUBPROCESSORS
Authorization. Processor agrees that it will not subcontract any of its Processing activities in connection with this DPA unless:
it has obtained Scout’s written consent; and
any such Approved Subprocessor is subject to a written agreement to adhere to the same obligations that are imposed on Processor in this DPA. Should Scout provide a written authorization for Processor to engage Approved Subprocessors to process Scout Personal Data, any such authorization is conditioned upon Processor providing Scout an up-to-date list of all Approved Subprocessors prior to allowing any Approved Subprocessor to process Personal Data that includes:
Approved Subprocessor’s name, address, and contact information;
type(s) of service provided by the Approved Subprocessor; and
categories of Personal Data to be disclosed by Processor to Approved Subprocessor. Processor acknowledges that it shall remain fully liable to Controller for the performance of the Approved Subprocessor's obligations. If Processor engages an Approved Subprocessor to provide Services not authorized by Scout, Processor will be deemed to be the Controller for purposes of such Processing.
Additional Subprocessors. If Processor desires to engage additional subprocessors, it shall give Scout written notice and request Scout’s approval via email to security@scoutmotors.com to Scout’s designated contact at least one (1) month prior to allowing such subprocessor to Process Personal Data. If Scout does not approve the new subprocessor, Scout may terminate any Service or portions thereof without penalty or termination fees by providing written notice of such termination.
8. INDEMNIFICATION
Processor Indemnification. Processor agrees to indemnify, defend, and hold harmless Controller against all claims, actions, third party claims, losses, costs, damages and expenses including reasonable attorney fees incurred by Controller and arising directly or indirectly out of or in connection with a Personal Data Breach, breach of this DPA and/or violation of a Privacy and Data Protection Law by Processor.
9. RECORD-KEEPING
Record-Keeping. Processor shall maintain written records of all categories of its performance and Processing activities carried out pursuant to this DPA, including any applicable records the Parties are required to maintain under Privacy and Data Protection Laws. Processor shall make these records available to the Controller upon the Controller's request.
10. AUDIT RIGHTS
Records Availability. On the request of Controller, Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and Privacy and Data Protection Laws.
Audit. Processor agrees to allow for and contribute to audits, including any inspections, by Controller or an auditor mandated by Controller in relation to adherence to this DPA and the Processing of Controller Personal Data by Processor or Approved Subprocessors, if any. Controller may contact Processor to schedule an audit of Processor’s Processing activities covered by this DPA and Processor’s compliance with this DPA, including the security requirements set forth in Section 2.d.vii of this DPA. This audit may be conducted by Controller itself or through a third-party auditor selected by Controller at the relevant facilities of Processor or its affiliates. Controller shall provide at least one week’s advance written notice and the audit shall be conducted during normal business hours. If Processor obtains and maintains privacy and security certifications through an internationally recognized organization (e.g., ISO/IEC 27001 and ISO/IEC 27002; ISO 27701 (PIMS); ISO/IEC 27032; UK NIS Regulations 2018; NIST (CSF); etc.) or a report from an internationally recognized external auditor, a copy of such certification or report may be acceptable to Scout to demonstrate annual data privacy or cybersecurity compliance.
11. CCPA SPECIFIC REQUIREMENTS
Parties’ Relationship. In connection with the Agreement, Scout will be sharing Personal Data for “Business Purposes” as defined in the CCPA, more specifically set out in Attachment A (collectively “Contracted Business Purposes”). As between the Parties, Scout is the “Business” and Processor is the “Service Provider”, in each case as those terms are defined in the CCPA.
Processor’s Obligations.
As a “Service Provider” under the CCPA, Processor will only collect, use, retain, or disclose Personal Data for the Contracted Business Purposes for which Scout provides or permits Personal Data access as additionally set out in Attachment A, Schedule 1.
Processor will not collect, use, retain, share, disclose, or otherwise make Personal Data available for Processor’s own commercial purposes or in any way that does not comply with the CCPA. This includes combining the Personal Data that Processor receives from Scout with Personal Data Processor receives from or on behalf of another person or persons or that Processor collects from its own interaction with any third parties. Processor will refrain from taking any action that would cause any transfers of Personal Data to or from Scout to qualify as “selling” or “sharing” as those terms are defined in the CCPA. If a law requires the Processor to disclose Personal Data for a purpose unrelated to the Contracted Business Purpose, the Processor must first inform Scout of the legal requirement and give Scout an opportunity to object or challenge the requirement.
Processor will limit Personal Data collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose and agrees to keep all Personal Data strictly confidential.
Any subcontractor used must qualify as a Service Provider under the CCPA, and Processor cannot make any disclosures to the subcontractor or any other third party that the CCPA or Privacy and Data Protection Laws would treat as a “sale.”
Scout shall have the right to take reasonable and appropriate steps to help ensure that Processor uses the Personal Data transferred in a manner consistent with Scout’s obligations under Privacy and Data Protection Laws. Processor additionally grants Scout the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Processor.
Warranties and Certification. Processor will comply with all applicable requirements of the CCPA (including providing CPRA-level data privacy protection at minimum in all jurisdictions) when collecting, using, retaining, or disclosing Personal Data.
Processor certifies to Controller that it understands this DPA's and the CCPA's restrictions and prohibitions on selling or sharing Personal Data and retaining, using, or disclosing Personal Data outside of the Parties' direct business relationship, and it will comply with them.
Processor represents and warrants to Controller that it has no reason to believe any CCPA requirements or restrictions prevent it from providing any of the Contracted Business Purposes or otherwise performing under this DPA or the Parties’ Agreement. Processor must promptly notify Scout of any changes to the CCPA’s requirements that may adversely affect its performance under this DPA or the Parties’ Agreement.
Processor represents and warrants to Controller that it is receiving Personal Data only because it is necessary for the Processor to perform the Contracted Business Purposes.
12. DELETION/RETURN OF PERSONAL DATA
Return or Deletion of Personal Data. Processor shall promptly (in any event, within 10 business days of the date of cessation of any actions involving the Processing of Personal Data (the “Cessation Date”)), either:
delete and procure the deletion of all copies of Personal Data; or
return any copies of Personal Data to Controller if so requested by Controller prior to the Cessation Date. Further, Processor shall return Personal Data to Controller or delete it at any time upon Controller’s written request.
Return or Destroy Personal Data. In the case of Personal Data contained in physical forms or in forms that cannot be deleted, Processor shall promptly (in any event, within 10 business days of the Cessation Date) return or destroy, and procure the return or destruction of, all copies of such Personal Data.
Applicable Law. In the event applicable law prevents the destruction or return of certain Personal Data received by Processor, the Processor warrants that it will guarantee the confidentiality of such Personal Data and will not actively Process the Personal Data, and will guarantee the return or the destruction of Personal Data as requested by Controller when the legal obligation to not return or destroy the Personal Data is no longer in effect. To the extent permitted by law, Processor shall notify Controller of any such retention obligation in writing and provide the retention schedules for all records retained by Processor.
Written Certification. Processor shall provide written certification to Controller that it has fully complied with this Section within 10 business days of the Cessation Date.
13. EFFECTIVE DATE AND TERMINATION
Effective Date. This DPA enters into force on the date on which the later of the Parties executes the Agreement.
Termination of the Agreement. Termination or expiration of the Agreement will result in the termination of this DPA. However, Processor remains subject to the obligations set forth in this DPA and Privacy and Data Protection Laws to the extent that Processor continues to Process Personal Data on behalf of Controller.
14. MISCELLANEOUS
Costs. Each Party will perform its obligations under this DPA at its cost.
Entire Agreement. This DPA constitutes the entire agreement and understanding among the Parties with respect to the subject matter hereof.
Information Rights. Scout retains all right, title and interest in and to the Personal Data it provides or makes available to Processor. Processor does not acquire any intellectual property or licensing rights to the Personal Data.
Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the laws of the State of Delaware without regard to its conflict of laws or choice of law provisions. The courts of the State of Delaware or the United States District Court for the District of Delaware shall have the sole and exclusive jurisdiction over any lawsuit or judicial proceeding relating to or arising from this DPA. Either of these courts shall have proper venue for any such lawsuit or judicial proceeding, and the Parties hereby irrevocably waive any objection to venue, personal jurisdiction, or their convenience as a forum.
Supremacy. This DPA supersedes and replaces all prior and contemporaneous proposals, statements, sales materials or presentations and agreements, oral and written, with regard to the subject matter of this DPA, including any prior data processing agreements entered into between Processor and Controller. If there is any conflict between this DPA and any agreement, including the Agreement, the terms of this DPA shall control.
Separability. In case any provision or phrase in this DPA shall be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions or phrases shall not in any way be affected or impaired thereby.
Attachment A
SCHEDULE 1
DESCRIPTION OF THE PROCESSING
Subject-Matter
The subject matter consists of the Personal Data processed by Processor pursuant to this DPA.
Duration
The duration of the Personal Data Processing under this DPA is the period during which the Agreement is in place and the Processing is necessary for the Contracted Business Purposes as set forth in this DPA.
Nature, Extent, Type and Business Purpose of the Processing
Processor will process Personal Data only as necessary for the performance of the Agreement and Contracted Business Purposes as set forth in this DPA.
Data Subjects
Scout’s employees, customers, and partners.
Categories of Data
Processor shall process the categories of Personal Data as necessary to perform the Contracted Business Purposes, including the categories of Personal Data specified in the Agreement, applicable statement of work or purchase order and may include the names, email addresses and other contact details of data subjects.
Types of Data
The Personal Data relating to Scout’s employees and customers and as otherwise described in this DPA, Agreement, applicable statement of work or purchase order.
Special Categories of Data
Special Categories of Data are not being processed under the Agreement.
Retention Period
The Retention Period for the Personal Data shall be as set forth in Section 12 of the DPA.
Location of Data Centers used by Processor
Processor shall only process the Personal Data in locations specified and agreed to by Scout in the Agreement, applicable statement of work or purchase order.