DATA PROTECTION APPENDIX
English v0.1, Published 07/2021
This Data Processing Appendix (DPA) and its applicable DPA Exhibits apply to the Processing of Personal Data by ForFarming on behalf of Client (Client Personal Data) subject to the General Data Protection Regulation 2016/679 (GDPR) and European Economic Area data protection law (together ‘Data Protection Laws’) in order to provide services (Services) pursuant to the Agreement between Client and ForFarming. DPA Exhibits for each Service will be provided in the applicable Transaction Document (TD). This DPA is incorporated into the Agreement. Capitalized terms used and not defined herein have the meanings given them in the applicable Data Protection Laws and ForFarming Data Security and Privacy Principles document (DSP). In the event of conflict, the DPA Exhibit prevails over the DPA which prevails over the rest of the Agreement.
a. Client is: (a) a Controller of Client Personal Data; or (b) acting as Processor on behalf of other Controllers and has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Client Personal Data by ForFarming as Client’s subprocessor as set out in this DPA. Client appoints ForFarming as Processor to Process Client Personal Data. If there are other Controllers, Client will identify and inform ForFarming of any such other Controllers prior to providing their Personal Data, in accordance with the DPA Exhibit.
b. A list of categories of Data Subjects, types of Client Personal Data, Special Categories of Personal Data and the processing activities is set out in the applicable DPA Exhibit for a Service. The duration of the Processing corresponds to the duration of the Service, unless otherwise stated in the DPA Exhibit. The purpose and subject matter of the Processing is the provision of the Service as described in the Agreement.
c. ForFarming will Process Client Personal Data according to Client’s documented instructions. The scope of Client’s instructions for the Processing of Client Personal Data is defined by the Agreement, and, if applicable, Client’s and its authorized users’ use and configuration of the features of the Service. Client may provide further legally required instructions regarding the Processing of Client Personal Data (Additional Instructions) as described in Section 9-b. If ForFarming notifies Client that an Additional Instruction is not feasible, the parties shall work together to find an alternative. If ForFarming notifies the Client that neither the Additional Instruction nor an alternative is feasible, Client may terminate the affected Service, in accordance with any applicable terms of the Agreement. If ForFarming believes an instruction violates the Data Protection Laws, ForFarming will immediately inform Client, and may suspend the performance of such instruction until Client has modified or confirmed its lawfulness in documented form.
d. Client shall serve as a single point of contact for ForFarming. As other Controllers may have certain direct rights against ForFarming, Client undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the other Controllers. ForFarming shall be discharged of its obligation to inform or notify another Controller when ForFarming has provided such information or notice to Client. Similarly, ForFarming will serve as a single point of contact for Client with respect to its obligations as a Processor under this DPA.
e. ForFarming will comply with all Data Protection Laws in respect of the Services applicable to ForFarming as Processor. ForFarming is not responsible for determining the requirements of laws or regulations applicable to Client’s business, or that a Service meets the requirements of any such applicable laws or regulations. As between the parties, Client is responsible for the lawfulness of the Processing of the Client Personal Data. Client will not use the Services in a manner that would violate applicable Data Protection Laws.
2. Technical and Organizational Measures
a. Client and ForFarming agree that ForFarming will implement and maintain the technical and organizational measures set forth in the applicable DPA Exhibit (TOMs) which ensure a level of security appropriate to the risk for ForFarming’s scope of responsibility. TOMs are subject to technical progress and further development. Accordingly, ForFarming reserves the right to modify the TOMs provided that the functionality and security of the ForFarming Services are not degraded.
3. Data Subject Rights and Requests
a. ForFarming will inform Client of requests from Data Subjects exercising their Data Subject rights (including but not limited to rectification, deletion and blocking of data) addressed directly to ForFarming regarding Client Personal Data. Client shall be responsible for handling such requests from Data Subjects. ForFarming will reasonably assist Client in handling such Data Subject requests in accordance with Section 9-b.
b. If a Data Subject brings a claim directly against ForFarming for a violation of their Data Subject rights, Client will reimburse ForFarming for any cost, charge, damages, expenses or loss arising from such a claim, to the extent that ForFarming has notified Client about the claim and given Client the opportunity to cooperate with ForFarming in the defense and settlement of the claim. Subject to the terms of the Agreement, Client may claim from ForFarming damages resulting from Data Subject claims for a violation of their Data Subject rights caused by ForFarming’s breach of its obligations under this DPA and the respective DPA Exhibit.
4. Third Party Requests and Confidentiality
a. ForFarming will not disclose Client Personal Data to any third party, unless authorized by the Client or required by law. If a government or Supervisory Authority demands access to Client Personal Data, ForFarming will notify Client prior to disclosure, unless such notification is prohibited by law.
b. ForFarming requires all of its personnel authorized to Process Client Personal Data to commit themselves to confidentiality and not Process such Client Personal Data for any other purposes, except on instructions from Client or unless required by applicable law.
5. Return or Deletion of Client Personal Data
a. Upon termination or expiration of the Agreement ForFarming will either delete or return Client Personal Data in its possession as set out in the respective DPA Exhibit, unless otherwise required by applicable law.
a. Client authorizes the engagement of other Processors to Process Client Personal Data (Subprocessors) in order to ensure the performance and development of ForFarming Services. Subprocessors only have access to Content to the extent necessary for the performance of their respective duties on behalf of ForFarming. A list of the current Subprocessors is set out in the respective DPA Exhibit.
b. ForFarming will notify Client in advance of any addition or replacement of the Subprocessors as set out in the respective DPA Exhibit. Within 30 days after ForFarming’s notification of the intended change, Client can object to the addition of a Subprocessor on the basis that such addition would cause Client to violate applicable legal requirements. Client’s objection shall be in writing and include Client’s specific reasons for its objection and options to mitigate, if any. If Client does not object within such period, the respective Subprocessor may be commissioned to Process Client Personal Data. ForFarming shall impose substantially similar but no less protective data protection obligations as set out in this DPA on any approved Subprocessor prior to the Subprocessor initiating any Processing of Client Personal Data.
c. If Client legitimately objects to the addition of a Subprocessor and ForFarming cannot reasonably accommodate Client’s objection, ForFarming will notify Client. Client may terminate the affected Services as set out in the Agreement, otherwise the parties shall cooperate to find a feasible solution in accordance with the dispute resolution process.
7. Transborder Data Processing
a. In the case of a transfer of Client Personal Data to a country not providing an adequate level of protection pursuant to the Data Protection Laws (Non-Adequate Country), the parties shall cooperate to ensure compliance with the applicable Data Protection Laws as set out in the following Sections. If Client believes the measures set out below are not sufficient to satisfy the legal requirements, Client shall notify ForFarming and the parties shall work together to find an alternative.
b. By entering into the Agreement, Client is entering into EU Standard Contractual Clauses as set out in the applicable DPA Exhibit (EU SCC) with: (i) ForFarming, if located in a Non-Adequate Country and (ii) each Subprocessor listed in the respective DPA Exhibit that is a ForFarming affiliate located in a Non-Adequate Country, as follows:
i. if Client is a Controller of all or part of the Client Personal Data, Client is entering into the EU SCC in respect to such Client Personal Data; and
ii. if Client is acting as Processor on behalf of other Controllers of all or part of the Client Personal Data, then Client is entering into the EU SCC:
• as back-to-back EU SCC in accordance with Clause 11 of the EU Standard Contractual Clauses (Back-to-Back SCC), provided that Client has entered into separate EU Standard Contractual Clauses with the Controllers; or
• on behalf of the other Controller(s).
Client agrees in advance that any new ForFarming Data Importer engaged by ForFarming in accordance with Section 6 shall become an additional data importer under the EU SCC and/or Back-to-Back SCC.
c. If a Subprocessor located in a Non-Adequate Country is not a ForFarming Data Importer (Third Party Data Importer) and EU SCC are entered into in accordance with Section 8.2, then ForFarming or a ForFarming Data Importer shall enter into Back-to-Back SCC with such a Third Party Data Importer. Otherwise, Client on its own behalf and/or, if required, on behalf of other Controllers shall enter into separate EU Standard Contractual Clauses or Back-to-Back SCC as provided by ForFarming.
d. If Client is unable to agree to the EU SCC or Back-to-Back SCC on behalf of another Controller, as set out in Sections 8.2 and 8.3, Client will procure the agreement of such other Controller to enter into those agreements directly. Additionally, Client agrees and, if applicable, procures the agreement of other Controllers that the EU SCC or the Back-to-Back SCC, including any claims arising from them, are subject to the terms set forth in the Agreement, including the exclusions and limitations of liability. In case of conflict, the EU SCC and Back-to-Back SCC shall prevail.
8. Personal Data Breach
a. ForFarming will notify Client without undue delay after becoming aware of a Personal Data Breach with respect to the Services. ForFarming will promptly investigate the Personal Data Breach if it occurred on ForFarming infrastructure or in another area ForFarming is responsible for and will assist Client as set out in Section 9.
a. ForFarming will assist Client by technical and organizational measures for the fulfillment of Client’s obligation to comply with the rights of Data Subjects and in ensuring compliance with Client’s obligations relating to the security of Processing, the notification and communication of a Personal Data Breach and the Data Protection Impact Assessment, including prior consultation with the responsible Supervisory Authority, if required, taking into account the nature of the processing and the information available to ForFarming.
b. Client will make a written request for any assistance referred to in this DPA. ForFarming may charge Client no more than a reasonable charge to perform such assistance or an Additional Instruction, such charges to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable change control provision of the Agreement. If Client does not agree to the quote, the parties agree to reasonably cooperate to find a feasible solution in accordance with the dispute resolution process.