Data Processing Addendum
Last Updated: August 12, 2022
This Data Processing Addendum (“DPA”) is incorporated into the Terms between You (also, “Customer”) and NICE and reflects the parties’ agreement with regard to the processing of Data (as these terms are defined below).
You agree to this DPA by clicking on "ACCEPT" to the Terms when you create or otherwise register for your account, and you are confirming your acceptance each time you use ElevateAI thereafter. By clicking “ACCEPT” to the Terms when you access Elevate AI for the first time, you affirm that you are authorized by your organization, such as your business or employer, to bind such organization to the DPA.
This DPA consists of the main body of the DPA and Appendices I-III.
DATA PROCESSING TERMS
"controller", "processor", "data subject", "personal data" and "processing" (and "process") shall have the meanings given in EU/UK Data Protection Law.
“Affiliate” means an entity which is controlling, controlled by or under common control with a party. For purposes of this definition, "control" means possessing, directly or indirectly, the power to direct or cause the direction of the management, policies or operations of an entity, whether through ownership of voting securities, by contract or otherwise.
"Applicable Data Protection Law" means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, EU/UK Data Protection Law.
"Customer" means the party which entered into the Terms, or an Affiliate thereof, and signatory to this DPA.
"Data" has the meaning given to it in Clause 2.1.
"DPA" means this Data Processing Addendum.
"EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.
"NICE" means NICE Systems, Inc.
"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to an adequacy determination based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
"Security Incident" has the meaning given to it in Clause 2.8.
“Self-Service Tools” means functionality which may be made available by NICE in the software licensed or made available to Customer which permits Customer to comply with controller obligations under Applicable Data Protection Law relevant to Customer’s use of the Services.
"Services" means the services provided by NICE to Customer under or in connection with the Terms.
"Agreement" has the meaning ascribed to it in the NICE ElevateAI Terms of Use.
Standard Contractual Clauses" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs").
“TOMs” means the security provisions set out in the Agreement, and as applicable the technical and organizations measures set out as an appendix to this DPA, in each case as relates to the applicable Services detailed therein if so limited.
Customer (the controller) appoints NICE as a processor to process the personal data that is the subject of the Agreement and as further described in Appendix I (the "Data").
Customer shall not disclose (and shall not permit any data subject to disclose) any sensitive data (special categories) of Data or Data that imposes specific data security or data protection obligations on NICE in addition to or different from those specified in this DPA or the Agreement to NICE for processing except where and to the extent expressly disclosed in Appendix I.
The term of this DPA, including its Appendices, shall continue until all processing of Customer’s personal data by NICE ceases.
NICE shall process the Data as a processor as necessary to perform its obligations under the Agreement, including for the purposes described in Appendix I to this DPA and strictly in accordance with the documented instructions of Customer (the "Permitted Purpose"), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. In no event shall NICE process the Data for its own purposes or those of any third party. Each party is solely responsible for compliance with its respective obligations under Applicable Data Protection Law. The Customer shall comply with all necessary transparency and lawful requirements under Applicable Data Protection Law in order to disclose the Data to NICE for the Permitted Purposes. NICE shall immediately inform Customer if it becomes aware that Customer's processing instructions infringe Applicable Data Protection Law (but without obligation to actively monitor Customer's compliance with Applicable Data Protection Law). If a change in Applicable Data Protection Law prevents NICE from processing the Data as intended by the Agreement, Customer will immediately stop transmission of the Data to NICE and the parties will negotiate in good faith changes to the Agreement which may include but are not limited to additional services or solutions, if and when made available by NICE. Notwithstanding anything to the contrary, data localization laws in Applicable Data Protection Law shall not require NICE to change the storage location of any data centres agreed in, or permitted by, the Agreement; provided that NICE will negotiate in good faith commercially-reasonable changes to the storage location.
The parties agree that when the transfer of Data from Customer to NICE is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows
(a) in relation to data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
i. Module Two will apply;
ii. in Clause 7, the optional docking clause will apply;
iii. in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 2.10 of this DPA;
iv. in Clause 11, the optional language will not apply;
v. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
vi. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
vii. Annex I of the EU SCCs shall be deemed completed with the information set out in Appendix I to this DPA; and
viii. Annex II of the EU SCCs shall be deemed completed with the TOMs.
(b) in relation to data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
i. for so long as it is lawfully permitted to rely on standard contractual clauses for the transfer of personal data to processors set out in the European Commission’s Decision 2010/87/EU of 5 February 2010 (“Prior C2P SCCs”) for transfers of personal data from the United Kingdom, the Prior C2P SCCs shall apply between NICE and the Customer on the following basis:
(A) Appendix 1 of the UK SCCs shall be deemed completed with the information set out under the relevant headings Appendix I to this DPA; and
(B) Appendix 2 of the UK SCCs shall be deemed completed with the information set out in the TOMs; and
(C) the optional illustrative indemnification clause will not apply.
ii. where sub-clause (b)(i) of this Clause above does not apply, but NICE and the Customer are lawfully permitted to rely on the EU SCCs for transfers of personal data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:
(A) the EU SCCs, completed as set out above in clause (a) of this Clause shall also apply to transfers of such Data, subject to sub-clause (B) below;
(B) the UK Addendum shall be deemed executed between the transferring Customer and NICE, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Data.
(iii) If neither sub-clause (b)(i) or sub-clause (b)(ii) of this Clause applies, then NICE and the Customer shall cooperate in good faith to implement appropriate safeguards for transfers of such Data as required or permitted by the UK GDPR without undue delay.
(c) in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
NICE shall not participate in (nor permit any subprocessor to participate in) any other Restricted Transfers of Data (whether as an exporter or an importer of the Data) unless the Restricted Transfer is made in full compliance with Applicable Data Protection Law. Subject to the provisions in Clause 2.9 (Subprocessing), where a Restricted Transfer is protected by the UK GDPR the Customer authorises NICE to enter into UK SCCs on its behalf.
NICE shall ensure that any person that it authorises to process the Data (including NICE's staff, agents and subprocessors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. NICE shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.
NICE shall implement and maintain appropriate technical and organisational measures as set out in the TOMs to protect the Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a "Security Incident").
The technical and organizational measures are subject to technological progress and advancements. As such, NICE may implement alternative, adequate measures which meet or exceed the security level of the measures described in the TOMs.
Customer consents to NICE engaging NICE Affiliates and third party subprocessors to process the Data for the Permitted Purpose provided that: (i) NICE maintains an up-to-date list of its subprocessors that may process personal data; (ii) NICE imposes data protection terms on any subprocessor it appoints that protect the Data, in substance, to the same standard provided for by this DPA; and (iii) NICE remains liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor. Lists of NICE subprocessors are available upon request via Customer’s normal contacts for the applicable Services or may be published in the documentation portal for the applicable Service, and NICE shall update them with details of any change in subprocessors at least 10 days' prior to any such change. Customer may object to NICE's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, NICE will either not appoint or replace the subprocessor or, if this is not possible, Customer may elect to suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).
Taking into account the nature of the processing and to the extent a response to a request cannot be achieved using the Service's Self-Service Tools available to the Customer, NICE will provide commercially reasonable assistance to the Customer (at Customer's expense) to: (i) fulfil a Customer's obligation to respond to data subjects' requests under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) in relation to any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. If any such request, correspondence, enquiry or complaint is made directly to NICE, NICE shall promptly inform Customer providing full details of the same.
NICE shall, which may be subject to reimbursement of NICE's then-current hourly fees, provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment in accordance with Applicable Data Protection Law.
Upon termination or expiry of the Agreement, NICE shall destroy all Data (including all copies of the Data) in its possession or control, except as otherwise stated in the Agreement. This requirement shall not apply to the extent that NICE is required by any applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, in which event NICE shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.
Documentation materials that serve as evidence that Data was processed in a proper manner consistent with the stipulations of this DPA may be stored by NICE after termination of this DPA in accordance with the applicable retention periods.
(a) Customer may audit NICE’s compliance of its obligations under this DPA, at its own expenses by itself or by a certified auditor. Customer shall provide at least 60 days, prior written notice of its intention of doing so and NICE shall make available all information reasonably necessary to demonstrate such compliance, and shall allow for and contribute to audits, including inspections, by Customer. Such audits shall be conducted during regular business hours and Customer shall ensure that it does not disrupt the regular operations of NICE. Customer will not exercise its audit rights more than once in any twelve month period (in aggregate with any information rights in the Agreement), except (i) if and when required by instruction of a competent data protection authority; (or) if Customer believes a further audit is necessary due to a Security Incident suffered by NICE. For any audit or right of access exercised under this section, the SCCs or any similar right granted by law, NICE will not be required to provide information, evidence or access of any kind that includes other customers’ information, and to preserve the rights, confidentiality, security, and data integrity of other customers.
(b) Alternatively at NICE's discretion and if available for the applicable Service, NICE may satisfy its obligations under this Clause (Audit) (and any similar obligations under the Standard Contractual Clauses) by presenting a summary copy of its SOC 2 Type II, PCI-DSS, ISO 27001, SOC 2+HITRUST, FedRAMP or IRAP audit or certification report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Agreement.
(c) Customer shall be responsible for all costs and fees, including all reasonable costs and fees for any and all time NICE expends for any such audit.
2.16. Governing law:
This DPA shall be governed by the laws of same jurisdiction as agreed in the Terms.
Data Processing Description
This Appendix I forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.
Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. | Name: | As Listed on Your account |
|---|---|---|
| Address: | As Listed on Your account |
| Contact person’s name, position and contact details: | As Listed on Your account |
| Activities relevant to the data transferred under this DPA: | The Services |
| Role (controller/processor): | Controller |
Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]
1. | Name: | NICE Systems, Inc. |
|---|---|---|
| Address: | 221 River St., 10th Floor, Hoboken, NJ 07030 |
| Contact person’s name, position and contact details: | For general matters: NICE’s Data Protection Office at [email protected] For security matters: NICE’s Information Security Office at [email protected] |
| Activities relevant to the data transferred under this DPA: | The Services |
| Role (controller/processor): | Processor |
Categories of data subjects whose personal data is transferred: | End users of Customer’s services |
|---|---|
Categories of personal data transferred: | Personal categories of data may include: Personal contact information such as name, home address, home telephone or mobile number, fax number, email address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualification, identification numbers, and business contact details; financial details; goods and services provided; unique IDs collected from mobile devices, network carriers or data providers; IP addresses and online behavior and interest data. |
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: | N/A |
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): | One-off |
Nature of the processing: | As required to perform the Services, and may include but is not limited to organisation, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction. |
Purpose(s) of the data transfer and further processing: | For processing in Processor software solutions, support and maintenance, and development, in each case as permitted in the Agreement. |
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: | As detailed in the Agreement. |
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: | As permitted by the Agreement. In particular, transfers to hosting subprocessors may be required for storage and remote data processing, and shall be for a nature and duration as permitted by the Agreement. |
| |
|---|---|
Identify the competent supervisory authority/ies in accordance (e.g. in accordance with Clause 13 of the EU SCCs) | Ireland Data Protection Commission |