DATA PROCESSING ADDENDUM (FOR EEA/UK USERS)

Pursuant to the RevComm T&Cs of Use entered into between RevComm Inc. (“RevComm”) and Customer made available at https://www.revcomm.co.jp/terms-english/ (together with other referenced policies and addenda in the RevComm T&Cs of Use, the “Agreement”), the Parties hereby adopt this Data Processing Addendum (For EEA/UK Users) (“DPA”) for so long as RevComm processes Personal Data on behalf of Customer located in the EEA and the UK. This DPA prevails over any conflicting terms of the Agreement.

 

　BY EXECUTING AN ORDER FORM OR ACCEPTING AN ONLINE ORDER CONFIRMATION OR OTHERWISE ACCESSING OR USING THE SERVICES, CUSTOMER AGREES THAT CUSTOMER HAS READ, UNDERSTOOD AND AGREES TO BE BOUND BY THIS DPA. IF CUSTOMER DOES NOT AGREE TO THIS TOS, THEN CUSTOMER MAY NOT USE THESERVICES.

 

　Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement.

 

1. DEFINITIONS. For the purposes of this DPA
   1. “EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
   2. “UK GDPR” means the EU GDPR as amended and incorporated into UK law under the European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.
   3. “GDPR” means, as applicable: (a) the EU GDPR; or (b) the UK GDPR.
   4. “Controller”, “Data Subject”, “Personal Data”, “Processing” (and any derivatives thereof), “Processor”, “Personal Data Breach” have the meaning given to them in the GDPR.

   “EU Standard Contractual Clauses” means the standard contractual clauses for international transfers annexed to the European Commission’s implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 published on 4 June 2021 (available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN), as completed by Clause 4.1(a) of this Agreement.

   5. “UK Addendum” means the International Data Transfer Addendum(s) to the EU Commission Standard Contractual Clauses issued by the Information Commissioner’s Office with effect from 22 March 2022 (available at : https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as completed by Clause 4.1(b) of this Agreement.
   6. “Standard Contractual Clauses” means the EU Standard Contractual Clauses and the UK Addendum, as the context requires.
   7. “Regulatory Authority” means any governmental, statutory or regulatory body and other competent authority in any jurisdiction (or persons or entities appointed by or on the direction of such authority or body).
   8. “Relevant Data Transfer(s)” means the transfer(s) of Personal Data described in Schedule to this DPA, together with all other applicable transfers of Personal Data between the Parties.

 

2. Scope, Roles, and Termination.
   1. Applicability – This DPA applies only to RevComm’s Processing of Personal Data for the nature, purposes, and duration set forth in Appendix.
   2. Roles of the Parties – For the purposes of the Agreement and this DPA, Customer is the Party responsible for determining the purposes and means of Processing Personal Data as the Controller and appoints RevComm as a Processor to Process Personal Data on behalf of Customer for the limited and specific purposes set forth in Appendix.
   3. Conflicts between agreements – The Parties acknowledge that as a matter of law the Standard Contractual Clauses shall prevail over any contradictory provisions in any agreement(s) between the Parties.
   4. Severability – Notwithstanding Clause 2.3 above, where Standard Contractual Clauses conflict with the provisions of any agreement(s) the Parties agree that the positions in the Standard Contractual Clauses shall prevail only to the extent required by law in relation to the applicable data transfers and shall not replace previously agreed upon positions regarding the provision of goods/services more generally.

 

3. Compliance.
   1. Compliance with Obligations – RevComm, its officers, directors, employees, agents, subcontractors, and sub-processors (a) shall comply with the obligations of the GDPR, (b) shall provide the level of privacy protection required by the GDPR, and (c) shall provide Customer with all reasonably-requested assistance to enable Customer to fulfil its own obligations under the GDPR. Upon the reasonable request of Customer, RevComm shall make available to Customer reasonably necessary information in RevComm’s possession necessary to demonstrate RevComm’s compliance with this subsection.
   2. Compliance Assurance– Customer has the right to take reasonable and appropriate steps to ensure that RevComm uses Personal Data consistent with Customer’s obligations under the GDPR.
   3. Compliance Monitoring – Customer has the right to monitor RevComm’s compliance with this DPA through measures, including, but not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other annual technical and operational testing at least once every twelve (12) months.
   4. Compliance Remediation – RevComm shall notify Customer no later than five business days after determining that it can no longer meet its obligations under the GDPR. Upon receiving notice from RevComm in accordance with this subsection, Customer may direct RevComm to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
   5. Security – RevComm shall implement and maintain no less than commercially reasonable security procedures and practices described in Appendix of this DPA, appropriate to the nature of the information, to protect Personal Data from unauthorized access, destruction, use, modification, or disclosure.

 

4. Restrictions on Processing.
   1. Limitations on Processing – RevComm will Process Personal Data solely as documented instructions unless required to do so by the applicable laws. In this case, RevComm shall inform Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. The Agreement and this DPA shall constitute a part of Customer’s instructions for the RevComm to process Personal Data.
   2. Confidentiality – RevComm shall ensure that its officers, directors, employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to Personal Data.
   3. Sub-processors – RevComm may subcontract or sub-process; provided that RevComm shall ensure that its subcontractors or sub-processors who Process Personal Data on RevComm’s behalf agree in writing to the same or equivalent restrictions and requirements that apply to RevComm in this DPA and the Agreement with respect to Personal Data, as well as to comply with the GDPR.

 

5. Sub-processors.
   1. Customer hereby authorizes the Processor to appoint the entities listed in the Annex III of the Appendix of this DPA as sub-processors.
   2. RevComm shall make available in writing to the controller any intended changes of that list above through the addition or replacement of sub-processors at least two (2) weeks in advance. RevComm shall provide Customer with the information necessary to enable Customer to exercise the right to object.
   3. RevComm engages a sub-processor for carrying out the processing of Personal Data on behalf of Customer, it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on RevComm in accordance with this DPA. RevComm shall ensure that the Sub-processor complies with the obligations to which the RevComm is subject pursuant to this DPA and to the GDPR.
   4. RevComm shall remain fully responsible to Customer for the performance of Sub-processor’s obligations in accordance with its contract with RevComm. RevComm shall notify Customer of any failure by the Sub-processor to fulfil its contractual obligations.

 

6. Data Subject Rights.
   1. RevComm shall provide commercially reasonable assistance to Customer for the fulfilment of Customer’s obligations to respond to Data Subject’s rights requests under the GDPR regarding Personal Data.
   2. Customer shall inform RevComm of any Consumer request made pursuant to the GDPR that RevComm must comply with. Customer shall provide RevComm with the information necessary for RevComm to comply with such request.

 

7. Data Transfer.
   1. The Standard Contractual Clauses shall apply as follows:
      1. Where a Relevant Data Transfer involves data transfer out of the European Union, the EU Standard Contractual Clauses shall be incorporated into this Agreement and apply to such transfer(s) as set out below:
         1. Module Two applies where Customer is a Controller and the RevComm is a Processor;
         2. in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause applies;
         3. in Clause 9(a) of the EU Standard Contractual Clauses, Option 2 applies, and the time period for prior notice of sub-processor changes is one (1) month;
         4. in Clause 11(a) of the EU Standard Contractual Clauses, the optional language does not apply;
         5. in Clause 17 of the EU Standard Contractual Clauses, Option 2 applies with the governing law being that of Ireland;
         6. in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts in Ireland; and
         7. Annexes I to III of the EU Standard Contractual Clauses are completed with the information in the Appendix of this DPA (as applicable).
      2. Where a Relevant Data Transfer involves a data transfer out of the United Kingdom, the UK Addendum shall be incorporated into this Agreement and apply to such transfer(s) as set out below:
         1. Tables 1 to 3 (Module Two) of the UK Addendum are completed with the Information in Clause 4.1(a) and the Appendix of this DPA (as applicable); and
         2. Table 4 of the UK Addendum is completed by selecting “neither party.”
   2. If more than one Relevant Data Transfer is covered by this Agreement then the word “Appendix”, where it appears in the Standard Contractual Clauses, shall be deemed to refer to the Appendix or part of the Appendix relating to the Relevant Data Transfer in question.
   3. Where data transfers are coming out the Channel Islands / Isle of Man, the EU Standard Contractual Clauses shall be deemed to include any additional or amended terms mandated by the local Government authority or Regulatory Authority.

 

8. Personal Data Breach.
   1. RevComm shall notify Customer without undue delay upon the RevComm becoming aware of a Personal Data Breach affecting the Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects or a Regulatory Authority of the Data Breach under the GDPR.
   2. RevComm shall fully cooperate with the Customer and take reasonable commercial steps as are directed by the Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

 

9. Data Protection Impact Assessment.
   1. RevComm shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervising authorities or other competent data privacy authorities, which Vender reasonably considers to be required by the GDPR, in each case solely in relation to processing of Customer Personal Data by and taking into account the nature of the processing and information available to RevComm.

 

10. Deletion or return of Personal Data.
    1. RevComm shall delete and procure the deletion of all copies of the Personal Data in accordance with Customer’s instruction after the date of termination or cessation of any agreement involving the processing of Personal Data.
    2. RevComm shall provide written certification to Customer that it has fully complied with this, Section 9, when Customer requires it.

 

11. Changes to GDPR.
    1. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to applicable statutes, regulations or other laws pertaining to privacy and information security, including, where applicable, the GDPR.

 

Appendix– Transfer and Processing Details

ANNEX I

A.   LIST OF PARTIES	Data exporter(s): Customer Role (controller/processor): Controller Activities relevant to the data transferred under these Clauses: The use of the services provided by RevComm Data exporter(s): RevComm Role (controller/processor): Processor Role (controller/processor): Controller Activities relevant to the data transferred under these Clauses: The provision of the services provided by RevComm
B.   DESCRIPTION OF TRANSFER / PROCESSING	Categories of data subjects whose personal data are transferred/processed is as follows:  The attendees of the Customer’s conferences, as described in the Privacy Policy Categories of personal data transferred/processed are as follows:  The contents of digital conferences, as described in the Privacy Policy, including the conferences’: Audio, video, images, and text-based communications; and Information that directly identifies conference or communication participants, such as names, titles, and contact information. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. The following special categories of personal data will be transferred/processed:  N/A The frequency of the transfer is as follows:  Continuous for duration of the Agreement between the Parties for the provision of services. Nature of the processing The Personal Data will be processed, as described in the Agreement and the Privacy Policy. Purpose(s) of the data transfer and further processing The Personal Data will be processed for the provision of the services as described in the Agreement and the Privacy Policy, in particular to: Analyze telephone sales and customer service calls; Analyze and transfer contents of digital conferences; Facilitate digital conferences between users and third party participants; and Store Personal Data from digital conferences, calls, emails, webinars and other audio, video, image or text-based communications. The period for which the personal data will be retained or, if that is not possible, the criteria used to determine that period For as long as necessary considering the purpose of the Processing and in compliance with applicable laws, including the GDPR.  For transfers to (sub-) processors, also must specify subject matter, nature and duration of the processing Same as above
C.   COMPETENT SUPERVISORY AUTHORITY	Identify the competent supervisory authority/(ies) in accordance with Clause 13 The competent supervisory authority of the Data Exporter, details of which are available on request

 

ANNEX II

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

(1) Formulation of the Basic Policy and Policies for the Processing of Personal Data

To ensure the proper processing of Personal Data, RevComm has created the Privacy Policy (For EEA and UK Users) and this DPA in order to comply with laws and regulations pertaining to the protection of Personal Data, contact point for inquires and complaint processing and the like.
In addition, RevComm has created internal rules for the processing of Personal Data, including processing methods and responsible persons/persons in charge and their duties, etc., at each stage of acquisition, utilization, retention, provision, and deletion/disposal, etc.

 

(2) Organizational Security Controls

RevComm has appointed a manager to process Personal Data and identified RevComm’s employees engaged in the processing of Personal Data and the scope of Personal Data processed by such employees. RevComm has also developed a reporting system in the event that a violation of the GDPR or a breach of RevComm’s internal rules is discovered.
RevComm regularly conducts audits of its processing of Personal Data and periodically requests audits by other departments and outside auditors.

 

(3) Human Security Controls

RevComm provides employees with regular training with respect to the processing of Personal Data. It also sets forth the confidentiality of Personal Data in the Rules of Employment, etc.

 

(4) Physical Security Controls

RevComm monitors the entry and exit of employees, restricts equipment, etc. brought into areas where Personal Data is processed, and prevents unauthorized persons from browsing Personal Data. RevComm takes actions to prevent the theft or loss, etc. of equipment holding Personal Data, electronic media and documents, etc. and implements measures to avoid Personal Data from being easily found when carrying such equipment or electronic media, etc., including moving within an office.

 

(5) Technical Security Controls

RevComm limits access to Personal Data to specific employees and has introduced a mechanism to protect its information system from external unauthorized access or illicit software.

 

ANNEX III
LIST OF SUB-PROCESSORS