Data Processing Terms

HID Global

THESE DATA PROCESSING TERMS ARE BY AND BETWEEN HID GLOBAL CORPORATION AND ITS AFFILIATED ENTITIES (“HID”) AND COMPANY, AS HEREIN DEFINED. THESE TERMS APPLY ONLY TO THE EXTENT PERSONAL DATA IS PROCESSED BY HID, OR ITS SUB-PROCESSORS, AS NECESSARY TO PROVIDE A SERVICE (“SERVICE”).

These Data Processing Terms shall continue in full force and effect until expiry or termination of the Service. 

1. Definitions

“Affiliate” or “Affiliates” means entities which are controlled by a party, which controls a party or which is under common control with a party, where "control" means the direct or indirect ownership of at least fifty percent (50%) of the shares or interests entitled to vote for the directors thereof or the equivalent, so long as such control exists.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by HID, or a sub-processor, in the performance of the Service.

“CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General. If the CCPA applies to provision of or use of the Service, the parties further agree to be bound by the terms set forth in Exhibit 1, attached hereto.

“Channel Partner” means an entity that HID has authorized as a “reseller” of the Service.

“Controller” has the meaning set forth in the GDPR. Unless otherwise specified, with respect to the Service, End Customer is the Controller of Personal Data.

“Company” means: (i) End Customer if HID provisions the Service directly to the End Customer; or (ii) Channel Partner if Channel Partner provisions the Service to End Customer(s) as a Managed Service Provider.

“Data Privacy Laws” means laws, rules, regulations, governmental requirements, codes as well as international, federal, state, provincial laws applicable to the Personal Data and HID’s provision of the Service.

“Data Processing Specifications” means the Service-specific document located at: https://www.hidglobal.com/legal/saas-data-processing-specs.

“End Customer” means the end customer that purchases the Service, either directly from HID or indirectly from a Channel Partner, for internal use by such party, and not for further resale.

“GDPR” means the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), the European Directives 95/46 and 2002/58/EC (as amended by Directive 2009/136/EC) and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them.

“Hosting Provider” means a third-party hosting provider that manages the cloud infrastructure on which the Service is hosted. The Service may be hosted by a Hosting Provider not controlled by HID. The Hosting Provider is identified in the applicable Data Processing Specifications.

“Managed Service Provider” is a Channel Partner that: (i) resells the Service to End Customers; and (ii) provisions the Service directly to End Customer from a platform managed by Channel Partner either as a stand-alone solution or in conjunction with Channel Partner’s own offerings.

“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Unless otherwise specified herein, the Personal Data processed by HID in its provision of the Service is limited to the Personal Data transmitted by Company or End Customer, or on its behalf, or by end users, directly into the infrastructure where the Service is hosted. The Personal Data types that may be used to perform the Service are those specifically set forth in the applicable Data Processing Specifications.

“Privacy Notice” means the applicable Privacy Notice located at https://www.hidglobal.com/about/privacy.

“Processor” has the meaning set forth in the GDPR. Unless otherwise specified, with respect to the Service, HID is a Processor of Personal Data.

“Rights of Individuals” means the legal rights of individuals to access, rectify, delete, and port Personal Data.

“Service Agreement” means the agreement(s) governing the purchase of the Service directly from HID.

“Standard Contractual Clauses” means: (i) the Standard Contractual Clauses – Controller to Processor located at: https://www.hidglobal.com/legal/standard-contractual-clauses-controller-processor if Company is the End Customer; or (ii) the Standard Contractual Clauses – Processor to Processor located at: https://www.hidglobal.com/legal/standard-contractual-clauses-processor-processor if Company is a Managed Service Provider. For clarity, Standard Contractual Clauses only apply when Controllers in the EU transfer data to Processors (and sub-processors) established outside the EU or European Economic Area (EEA). The applicable Standard Contractual Clauses are incorporated herein by reference.

2. Data Processing Specifications

The Data Processing Specifications describe: (i) the subject matter of the data processing; (ii) the type of Personal Data processed; (iii) the name and location of the party hosting the Personal Data; (iv) where the Service is hosted; (v) sub-processors involved in the processing of the Personal Data, if any; (vi) the purpose of the data processing; and (vii) the period of time the Personal Data is retained. The applicable Data Processing Specifications are hereby incorporated by reference into these Data Processing Terms.

3. Instructions

The parties agree that these Data Processing Terms, the Service Agreement, and the Terms of Service, if applicable, constitute the documented instructions regarding HID’s processing of Personal Data. HID and its sub-processors will process Personal Data only in accordance with such instructions.

4. Data Processing and Disclosure

HID, and its sub-processors, will only access, use, review, share, disclose, distribute, or reference Personal Data as necessary to maintain and perform the Service. Notwithstanding, HID may disclose Personal Data as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If compelled to disclose Personal Data to a governmental body, unless HID is legally prohibited, HID will give Company reasonable notice of the demand. Any change in the processing of Personal Data will be in accordance with applicable Data Privacy Laws.

5. Standard Contractual Clauses and Onward Transfer

5.1 Any transfer of Personal Data resulting from the Service will be subject to the applicable Standard Contractual Clauses. Cross-border transfers, if any, are described in the applicable Data Processing Specifications and/or the Annexes to the applicable Standard Contractual Clauses.

5.2 To the extent that the parties are relying on a specific statutory mechanism or regulatory guidance to authorize cross-border transfers (as required by the Data Privacy Laws) that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid as a result of a change in law, HID shall be entitled to immediately suspend any processing of Personal Data to the extent such processing is in conflict with such change in law.

6. Sub-Processors

6.1 HID has Company’s general authorization for the engagement of sub-processor(s) from an agreed list. HID shall specifically inform Company in writing of any intended changes to that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving Company sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). HID shall provide Company with the information necessary to enable Company to exercise its right to object. Sub-processors, if any, are identified in the applicable Data Processing Specifications.

6.2 HID will restrict sub-processor access to Personal Data to only what is necessary to maintain or provide the Service. HID will prohibit its sub-processors from accessing Personal Data for any other purpose. HID will enter into a written agreement with each sub-processor generally consistent with these Data Processing Terms and applicable Data Privacy Laws.

7. Obligations

7.1 Each party will comply with Data Privacy Laws, rules and regulations applicable to it in the use and performance of the Service. HID will keep appropriate records of processing activities.

7.2 HID will cooperate with governmental and regulatory authorities in the event of an inquiry regarding the Service and compliance with applicable Data Privacy Laws. If HID: (i) determines that HID, or a sub-processor, is unable to comply with the obligations set forth in these Data Processing Terms; or (ii) becomes aware of any circumstance or change in the applicable Data Privacy Laws, that is likely to have a substantial adverse effect on its ability to meet the obligations set forth in these Data Processing Terms, HID will promptly notify the Company and Company will have the right to temporarily suspend the processing of Personal Data until the non-compliance is remedied.

7.3 Company represents and warrants that the Personal Data it provides to HID for processing can be processed lawfully (e.g., lawful collection, compliance with obligation to inform, and compliance with the applicable Data Privacy Law) and for the purpose of providing the Service. Company shall not, by any act or omission, put HID or its sub-processors in breach of any Data Privacy Laws in connection with the processing of Personal Data. Company will ensure that Personal Data is accurate, adequate and complete.

8. Security of Data Processing

With respect to the Personal Data, HID will maintain reasonable security measures and protect Personal Data in a manner legally required or otherwise reasonably appropriate to the nature of the Personal Data, including, as applicable, the measures referred to in Article 32(1) of the GDPR. HID will take appropriate steps to ensure compliance with these Data Processing Terms. HID shall ensure that those processing Personal Data are subject to a duty of confidence. HID imposes appropriate contractual obligations upon its personnel and sub-processors, including relevant obligations regarding confidentiality, data protection and data security. Notwithstanding anything to the contrary in the Service Agreement, HID’s obligations extend only to those systems, networks, network devices, facilities and components over which HID exercises control.

9. Security Breach Notification

9.1 After becoming aware of a Personal Data Breach, HID will (a) notify Company of the Personal Data Breach without undue delay, unless otherwise prohibited by law, and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach. To assist Company in relation to any personal data breach notifications Company is required to make under applicable Data Privacy Laws, HID will include in the notification such information about the Personal Data Breach as HID is reasonably able to disclose to Company, taking into account the nature of the Service, the information available to HID at the time of the notification, and any restrictions on disclosing the information, such as confidentiality.

9.2 Notification of a Personal Data Breach will be delivered to Company’s administrator(s) or, at HID’s discretion, by direct Company communication (e.g., by email, phone call or an in-person meeting). Company acknowledges that it is solely responsible for ensuring that its contact information is current and valid. Company is solely responsible for fulfilling any third-party notification obligations.

9.3 Promptly following HID’s notification to Company of a Personal Data Breach, Company and HID shall coordinate with each other to investigate the Personal Data Breach. HID will lead the investigation, and agrees to reasonably cooperate with Company in the handling of the Personal Data Breach, including, without limitation: (i) assisting with any investigation; (ii) providing Company with physical access to the facilities and operations affected which are under the control of HID; (iii) facilitating interviews with relevant HID employees, contractors, and sub-processors; and (iv) making available the relevant records, logs, files, data reporting and other materials related to Company and required to comply with applicable Data Privacy Laws, regulation, or as otherwise reasonably required by Company.

9.4 Notwithstanding anything to the contrary, an unsuccessful or suspected Personal Data Breach will not be subject to this Section. Unless otherwise contemplated in applicable Data Privacy Laws, an unsuccessful Personal Data Breach is one that results in no unauthorized access to nonredacted and unencrypted Personal Data. HID’s obligation to report or respond to a Personal Data Breach under this Section will not be construed as an acknowledgement by HID of any fault or liability with respect to the Personal Data Breach.

10. Audits

Once per calendar year or following a successful Personal Data Breach, Company may request to audit HID’s security controls with respect to the Service and compliance with applicable Data Privacy Laws and these Data Processing Terms. Such request shall be sent by Company to HID via either the contact notification set forth in the Service Agreement. HID and Company will discuss and agree in advance on: (i) the identity of a suitably qualified and independent third party auditor to carry out the audit; (ii) a reasonable start date for the audit (i.e., at a minimum thirty (30) calendar days from the date of receipt by HID of the request to audit); (iii) scope and duration of the audit; and (iv) the security and confidentiality controls applicable to such audit. HID is not responsible for any costs incurred by Company or any fees charged by the third-party auditor in connection with an audit. Any audit pursuant to this Section shall be subject to the rules and policies of any applicable Hosting Provider or sub-processor. Upon request, HID is available to provide details on such limits, if any. Notwithstanding, this Section does not entitle Company to perform a physical audit of any HID facilities or the facilities of any subcontractor, Hosting Provider and/or sub-processor.

11. Assistance

HID will deal promptly and appropriately with inquiries by Company related to the processing of Personal Data. HID will use commercially reasonable efforts to cooperate with Company where necessary for the performance of Company’s privacy impact assessments. HID will promptly comply with reasonable requests or instructions by Company requiring HID to provide, amend, transfer, or delete Personal Data or to otherwise assist with requests pursuant to the Rights of Individuals under applicable Data Privacy Laws. Should an individual data subject contact HID, HID will use commercially reasonable efforts to forward such request to Company. HID does not respond to individual data subjects directly except where HID or a sub-processor is required by law to respond. HID will cooperate with Company to address and resolve any such complaints, requests or inquiries. Company shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by HID.

12. Personal Data Retention and Destruction

In accordance with applicable Data Privacy Laws, as a general principle HID does not keep Personal Data longer than necessary for the provision of the Service. Unless otherwise agreed in writing by the parties, after the data retention period set forth in the applicable Data Processing Specifications, Personal Data is deleted irretrievably.

13. Support Services

13.1 HID may process basic contact information from select Company representatives when providing support services. The processing of such data for the purpose of providing support is subject to the Privacy Notice.

13.2 With respect to software-as-a-service offerings, HID may access Company’s environment for the purpose of providing support in accordance with the Terms of Service. The processing of data within Company’s environment for the purpose of providing support is subject to these Data Processing Terms.

14. Limitation of Liability

14.1 HID IS ONLY LIABLE FOR A PERSONAL DATA BREACH IF SUCH PERSONAL DATA BREACH WAS CAUSED, IN WHOLE OR IN PART, BY HID’S FAILURE TO ADHERE TO: (I) DATA PRIVACY LAWS APPLICABLE TO HID’S PROVISION OF THE SERVICE; AND/OR (II) THE TERMS OF THESE DATA PROCESSING TERMS.

14.2 EXCEPT FOR GROSS NEGLIGENCE OR WILLFUL MISCONDUCT AND CLAIMS FOR WHICH LIABILITY MAY NOT BE EXCLUDED BY LAW, HID’S AGGREGATE LIABILITY IN CONNECTION WITH ANY CLAIMS ARISING OUT OF OR RELATING TO THESE DATA PROCESSING TERMS (INCLUDING ANY EXHIBITS HERETO) SHALL NOT EXCEED AMOUNTS PAID TO HID FOR THE SERVICE GIVING RISE TO THE CLAIM IN THE TWELVE (12) MONTHS PRIOR TO THE DATE THE CLAIM FIRST AROSE. THIS LIMIT, WHICH INCLUDES COSTS AND FEES ARISING OUT OF ANY SUCH CLAIM, SHALL APPLY TO ANY AND ALL CLAIMS REGARDLESS OF THE LEGAL THEORY ON WHICH THEY ARE BASED. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL HID OR ITS AFFILIATES BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES OF ANY KIND OR TYPE, INCLUDING, BUT NOT LIMITED TO, LOSS OF PROFITS OR REVENUE, LOSS OF DATA, LOSS OF BUSINESS, LOSS OF OPPORTUNITIES, LOSS OF USE OF THE PRODUCT(S) OR SERVICE(S) OR ANY ASSOCIATED PRODUCT(S) OR SERVICE(S), OR COST OF COVER OR COST OF SUBSTITUTE SERVICE WHICH ARISE OUT OF PERFORMANCE, NON-PERFORMANCE OR FAILURE TO PERFORM ANY OBLIGATION CONTAINED WITHIN THESE DATA PROCESSING TERMS, REGARDLESS OF THE LEGAL THEORY ON WHICH THEY ARE BASED, EVEN IF HID HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

15. Changes

HID may update these Data Processing Terms and the Data Processing Specifications over time based on changes and improvements to the Service and to better align the rights and obligations of the parties with applicable Data Privacy Laws. HID will provide Company with notice of any material change to these Data Processing Terms or the Data Processing Specifications prior to the implementation of such change. Subject to Section 6, notice will be: (i) delivered through the Service (if applicable); (ii) posted at the applicable website; or (iii) provided to Company’s administrator(s), as applicable. By continuing to use the Service after such notice, Company agrees to the changes and agrees to be bound by same. If changes are required in the processing of Personal Data in order to comply with applicable Data Privacy Law, Company and HID shall collaborate to evaluate the changes to be made.

16. Governing Law

If there is a Service Agreement in place between HID and Company, governing law and jurisdiction shall be as set forth in the Service Agreement. If there is no Service Agreement in place between HID and End Customer, these Data Processing Terms shall be construed and interpreted in accordance with the laws of the State of Texas. Any action, suit or proceeding relating to these Data Processing Terms may be brought in the appropriate court located in Travis County, Texas and the parties hereby consent to such jurisdiction. The parties hereby irrevocably waive any and all rights to trial by jury in any legal proceedings arising out of or related to these Data Processing Terms or the transactions contemplated hereby. The provisions of the United Nations Convention on Contracts for the International Sale of Goods will not apply to these Data Processing Terms. In the event of a conflict between this Section and any applicable Standard Contractual Clauses, the Standard Contractual Clauses shall govern.

 

Exhibit 1

CCPA Addendum

If the CCPA applies to provision of or use of the Service, the parties further agree to be bound by the terms of this CCPA Addendum in addition to the Data Processing Terms.

Applicability and Treatment of Personal Information.

To the extent HID: (i) receives from Company personal information (as defined in the CCPA) of a consumer (as defined in the CCPA) (hereinafter referred to as “Personal Information”); and (ii) processes (as defined in the CCPA) such Personal Information on behalf of Company to provide the Service, the following additional terms and conditions shall apply. Unless otherwise specified in this Addendum, Personal Information will be treated as Personal Data under the Data Processing Terms. For clarity, with respect to the Service, HID is a “service provider” as defined in the CCPA.

CCPA Compliance.

HID will comply with applicable requirements of the CCPA when using, retaining, or disclosing Personal Information. For the avoidance of doubt, CCPA Compliance shall be interpreted to include compliance with amendments made to the CCPA, including the CPRA.

Retention, Use & Disclosure.

HID will limit use, retention, and disclosure to activities reasonably necessary and proportionate for the business purpose set forth in the Service Agreement and the Terms of Service. HID shall not retain, use or disclose Personal Information for a commercial purpose other than providing the Service. HID shall not use, retain, disclose, or otherwise make Personal Information available outside the direct business relationship between HID and Company, for HID’s own commercial purpose(s) or in a way that does not comply with the CCPA. Notwithstanding, HID may use de-identified data for its own business purpose(s) solely as necessary to perform the Service or otherwise in compliance with the Terms of Service and the Data Processing Terms. Except to the extent permitted under applicable regulations, HID shall not combine Personal Information received from Company with any Personal Information received from other sources.

Assistance.

HID will use commercially reasonable efforts to timely assist Company in complying with a verifiable consumer request.

Subcontractors.

If HID authorizes any subcontractor, HID or third party to process Personal Information, HID acknowledges that such subcontractor, HID or third party is also a “service provider” as defined in the CCPA. If HID authorizes any subcontractor, HID shall notify Company of the engagement, which shall be pursuant to a written contract in which the subcontractor agrees to comply with all privacy and security obligations applicable to HID.

No Sale or Sharing of Personal Information.

HID will not sell or share any Personal Information. For clarity, if Company purchases the Service through a Channel Partner or expresses interest in purchasing HID offerings through a Channel Partner, HID may disclose certain Personal Information constituting business contact information to the Channel Partner. Company agrees that it has intentionally triggered such disclosure and same does not constitute the selling or sharing of Personal Information as contemplated under the CCPA.

Security Safeguards.

HID shall implement reasonable security procedures and practices appropriate to the nature of the information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure.