This webpage sets out Aura Vision's and its clients' data processing obligations in addition to the Data Protection Legislation ("DPA").
"Controller, Processor, Data Subject, Personal Data, personal data breach, Processing and appropriate technical and organisational measures" shall each have the meaning given to it in the Data Protection Legislation.
“Data Protection Legislation” means all applicable privacy and data protection laws, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the Data Protection Act 2018, and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
“Data Subject Request” means a request from a Data Subject to access, correct, amend, transfer, or delete that Data Subject's Personal Data consistent with their rights under the Data Protection Legislation.
"Data Transfer Provisions" means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR, adopted by the European Commission under Commission Decision (EU) 2021/914 2021 ("EU SCCs") and the UK International Transfer Addendum to the EU SCCs ("UK Addendum").
1. Interpretation
1.1 Capitalised terms used in this DPA and not otherwise defined in the Agreement shall have the meaning given to them in the Data Protection Legislation.
1.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA shall prevail. In the event of any conflict or inconsistency between this DPA and the Data Transfer Provisions, the Data Transfer Provisions shall prevail.
2. Data Processing Obligations
2.1 The Parties acknowledge and agree that for the purposes of the Data Protection Legislation, the Client is the Data Controller and Aura Vision is the Data Processor of the Personal Data.
3. The Supplier’s processing obligations
3.1 To the extent that Aura Vision processes any Personal Data on behalf of the Client in connection with the Services, Aura Vision shall:
3.1.1 only Process such Personal Data in accordance with the purposes set out in this DPA and notify the Client immediately if in its opinion the Client’s instructions infringe applicable law;
3.1.2 maintain a record of its Processing activities under this DPA in accordance with and to the extent required by Article 30(2) GDPR, and Aura Vision shall at any time upon request, deliver up to the Client details of such Processing activities;
3.1.3 ensure that access to any such Personal Data is restricted to those of its personnel who need to have access in order to perform the Services and who are subject to confidentiality obligations in respect of the Personal Data;
3.1.4 notify the Client without undue delay if it suffers a Personal Data Breach, if it receives any Data Subject Request relating to the Personal Data, and shall: (a) not respond to the Data Subject Request without the Client’s prior written consent and in accordance with the Client’s instructions; and (b) shall provide such assistance as the Client may reasonably require in respect of such Personal Data in order for the Client to comply and respond to the Data Subject Request in accordance with the Data Protection Legislation;
3.1.5 provide reasonable assistance to the Client in inputting into and carrying out data protection impact assessments and, to the extent required under the Data Protection Legislation, prior notification under Article 36 of GDPR; and
3.1.6 ensure that it has implemented appropriate organisational and technical measures in order to comply with its obligations under this paragraph 3.
3.2 To the extent legally permitted, the Client shall be responsible for any costs arising from Aura Vision's provision of assistance beyond the existing functionality of the Services.
3.3 The Supplier is permitted to engage a sub-processor to Process any of the Personal Data on the Client's behalf in connection with the Services. The Client pre-approves Aura Vision's use of third party processors for the purposes of fulfilling its obligations. Aura Vision shall:
3.3.1 inform the Client prior to the appointment or removal of any such sub-processor, thereby giving the Client an opportunity to object to the appointment or removal. If the Client objects on reasonable grounds, Aura Vision shall either: (i) alter its plans to use the sub-processor with respect to Personal Data, or (ii) take corrective steps to remove the Client's objections. If none of the above options are reasonably available or the issue is not resolved within 30 days of the objection, either party may terminate this Agreement;
3.3.2 ensure that such sub-processor is subject to a written agreement which imposes on it binding contractual obligations which are equivalent to the terms imposed on Aura Vision under this DPA; and
3.3.3 ensure that the sub-processor’s Processing of such Personal Data terminates upon termination of Aura Vision's right to Process the data, provided that the Supplier shall be liable for the acts and omissions of such Sub-processors in relation to the Processing of such Personal Data.
3.4 The Client acknowledges that Aura Vision and its sub-processors may Process Personal Data outside of the European Economic Area ("EEA") or UK in non-adequate countries. The Supplier will abide by the requirements of the Data Protection Legislation regarding the transfer and Processing of Personal Data from the EEA or UK. Aura Vision will ensure that transfers of Personal Data to a third country or an international organisation that does not ensure an adequate level of protection are subject to appropriate safeguards as described in Article 46 of the GDPR or UK GDPR such as the Data Transfer Provisions.
3.5 If any Personal Data transfer between Aura Vision and the Client requires execution of the Data Transfer Provisions to comply with the Data Protection Legislation the parties shall comply with the Annexes to this DPA. As applicable, execution of the Agreement includes execution of the Data Transfer Provisions.
3.6 In the event any replacement Data Transfer Provisions include a transition period for implementation, Aura Vision shall notify the Client of the date on which such Data Transfer Provisions shall become effective which in any event shall be prior to the expiration of such transition period.
3.7 Upon termination or expiry of this Agreement, Aura Vision shall cease all Processing of any Personal Data Processed on the Client's behalf under this Agreement and shall, at Client's option, return or destroy and delete all such Personal Data.
3.8 In order to demonstrate Aura Vision's compliance with the Data Protection Legislation and the terms of this DPA, Aura Vision shall:
3.8.1 provide the Client with such information as the Client reasonably requests from time to time to enable the Client to satisfy itself that Aura Vision is complying with its obligations under this DPA and the Data Protection Legislation; and
3.8.2 allow the Client, at the Client's sole cost and expense, access (on reasonable notice and no more than once a year) to its premises where Personal Data is Processed under this Agreement to allow the Client to audit its compliance with this DPA and the Data Protection Legislation and shall provide reasonable co-operation as requested by the Client in the performance of such audit. The parties shall agree in advance on the reasonable start date, duration and security and confidentiality controls applicable to such audit.
4. Obligations of the Client
4.1 Client shall:
4.1.1 have at all times during the term of this DPA appropriate technical and organisational measures to ensure a level of security appropriate to the risk to protect any Personal Data;
4.1.2 provide clear and comprehensible written instructions to Aura Vision for the processing of Personal Data to be carried out under this DPA; and
4.1.3 ensure that it has all the necessary licences, permissions, consents and notices in place to enable lawful transfer of Personal Data to Aura Vision for the duration and purposes of this DPA.
Annex 1 EU TO THIRD COUNTRY TRANSFERS
1. INCORPORATION OF THE EU SCCS
1.1 To the extent the transfer is made pursuant to the GDPR, this Annex 1 and the following terms shall apply: Module 2 of the EU SCCs, and no other optional clauses unless explicitly specified, are incorporated into this Annex 1 as if they had been set out in full in the case where the exporter is a Controller, the importer is a Processor and the transfer requires such additional protection;
2. CLARIFICATIONS TO THE EU SCCS
2.1 Deletion of data. For the purposes of clause 8.5 of the EU SCCs (Duration of processing and erasure or return of data), the parties agree as follows: At the end of the provision of the processing services the importer shall delete all Personal Data and shall certify to the exporter that it has done so, if requested to provide such certification by the exporter in writing.
2.2 Auditing. The parties acknowledge that the importer complies with its obligations under clause 8.9 of the EU SCCs (Documentation and compliance) by exercising its contractual audit rights it has agreed with its sub-processors.
2.3 Sub-Processors. For the purposes of clause 9 of the EU SCCs (Use of sub-processors), the parties agree that the process for appointing sub-processors set out in paragraph 3.3 of Exhibit C applies.
2.4 International Transfer Assessments. For the purposes of clause 14(c) of the EU SCCs (Local laws and practices affecting compliance with the Clauses) the exporter has been provided with a transfer impact assessment by the importer which the exporter accepts as sufficient to fulfil the importer's obligations pursuant to clause 14(c) and 14(a). The exporter acknowledges that it has been provided with the security measures applied to the Personal Data and approves such measures as being in compliance with the EU SCCs.
2.5 Best Efforts Obligations. For the purposes of clauses 14(c), 15.1(b) and 15.2 of the EU SCCs (Local laws and practices affecting compliance with the clauses) the parties agree that "best efforts" and the obligations of the importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.
2.6 Competent Supervisory Authority. For the purposes of clause 13 of the EU SCCs, the competent Supervisory Authority shall be:
2.6.1 if the exporter is established in an EU Member State: The Irish Data Protection Commissioner;
2.6.2 where the exporter is not established in an EU Member State and has appointed a representative pursuant to Article 27(1) GDPR, it shall notify the importer of this and the EU Member State in which the exporter's representative is appointed shall be the competent Supervisory Authority; and
2.6.3 where the exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) GDPR but has not appointed a representative pursuant to Article 27(1) GDPR: the exporter shall notify the importer of its chosen competent supervisory authority, which must be the Supervisory Authority of an EU Member State in which the Data Subjects whose personal data is transferred under the EU SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.
2.7 Governing Law & Jurisdiction. For the purposes of clauses 17 and 18 of the EU SCCs, the parties agree that the governing law shall be where the exporter is established. If those laws do not allow for third party rights, the law of Ireland shall apply.
3. APPENDICES AND ANNEXURES TO THE EU SCCS
3.1 The processing details required by the EU SCCs are set out in paragraph 4:
3.1.1 the details required at Annex 1.A of the EU SCCs are set out at paragraphs 4.1 – 4.2;
3.1.2 the details required at Annex 1.B of the EU SCCs are set out at paragraphs 4.3 – 4.10;
3.1.3 the details required at Annex 1.C of the EU SCCs are set out at paragraph 4.11; and
3.1.4 the details required at Annex 2 of the EU SCCs are set out at paragraph 4.12.
4. PROCESSING PARTICULARS FOR THE EU SCCS
The Parties
4.1 Exporter (Controller): Client
4.2 Importer (Processor): Aura Vision
Description Of Data Processing
4.3 Categories of data subjects: Staff and customers of the Controller visiting the Location.
4.4 Categories of personal data transferred: Images captured by the Cameras.
4.5 Sensitive data transferred: None.
4.6 Frequency of the transfer: Continuous.
4.7 Nature of the processing: Storage and anonymisation for analytics.
4.8 Purpose of the processing: The performance of the Services by Aura Vision and its sub-processors under the Agreement.
4.9 Duration of the processing: For the Term of the Agreement.
4.10 Sub-Processor Transfers: As set out at paragraph 3.3 of Exhibit C.
4.11 Competent Supervisory Authority: As set out at paragraph 2.6.
Annex UK ADDENDUM
1. Parties
As set out in Annex 1.
2. Selected SCCs, Modules and Clauses
Module 2 of the EU SCCs and no other optional clauses unless explicitly specified, and as amended by the clarifications in Annex 1, paragraph 2.
3. Appendix Information
The processing details required by the UK Addendum are as set out in Annex 1, paragraph 4.
4.1.3 Termination of the UK Addendum
In the event the template UK Addendum issued by the Information Commissioner's Office ("ICO") and laid before Parliament in accordance with s119A of the DPA 2018 on 2 February 2022, as it is revised under Section 18 is amended, either party may terminate this Annex 2 on written notice to the other in accordance with Table 4 and paragraph 19 of the UK Addendum and replace it with a mutually acceptable alternative.