Schedule 1 Data Processing and Transfer Agreement
Main rule – No personal data is included: At the outset, LanguageWire will request its clients not to include any personal data in the material it receives. However, clients may forget that personal data is included in the material, or not be aware that personal data is included in the material. In rare situations, the material itself will consist of extensive amounts of personal data.
Exception – personal data is included: As an example, clients may request translation of CVs, job applications or other HR-related information. In those situations, the material provided by the client will include extensive amounts of personal data.
In those situations, LanguageWire will be regarded as a data processor on behalf of the client. When engaging a Vendor as a translator, the Vendor will be regarded as a subprocessor on behalf of LanguageWire. If the client actively informs LanguageWire that the material contains personal data, LanguageWire will inform the Vendor accordingly. The Vendor may not store any personal data from LanguageWire’s clients locally on the Vendor’s computer, translation memory or similar for more than 90 days after completion of the job. All processing of personal data, including storing of personal data, must be in accordance with applicable Data Protection Legislation, as this term is defined below in Clause 3 of this Schedule 1.
The EU General Data Protection Regulation (GDPR) sets out requirements in terms of how and when personal data is processed. This Schedule 1 (Data Processing and Transfer Agreement) sets out the requirements for the Vendor’s processing of such personal data.
The purpose of these provisions is to protect the Vendor and LanguageWire from infringement of GDPR.
In accordance with Clause 3 of the Vendor Agreement, the Vendor and LanguageWire (hereinafter the “Parties”) have entered into this Data Processing and Transfer Agreement.
During the term of the Vendor Agreement the following terms and conditions will govern the Vendor’s processing of personal data, when such personal data is processed by the Vendor. Requirements and obligations under Data Protection Legislation may exceed the terms of the Vendor Agreement; and to avoid any doubt, the Vendor shall remain responsible for complying with relevant requirements and obligations under Data Protection Legislation beyond the term of the Vendor Agreement, for as long as required under Data Protection Legislation.
The terms "personal data", "process/processing", "controller", "processor", "sub-processor" "data exporter" "data importer", "data subject", "technical and organizational measures", "standard contractual clauses", "EU", "EEA" and "personal data breach" as used in this Data Processing and Transfer Agreement shall be understood in accordance with the Data Protection Legislation.
2. Scope of the Data Processing and Transfer Agreement
During the term of the Vendor Agreement, the Vendor will be processing personal data on behalf of LanguageWire for the purpose of the provision of LanguageWire’s services.
The Vendor agrees not to process any personal data for any other purposes and only in accordance with this Data Processing and Transfer Agreement, unless instructed to do so by LanguageWire in writing.
Depending on the specific assignment, the Vendor will be required to process the following types of personal data under the Data Processing and Transfer Agreement:
- Professional and private contact details such as name, address, phone number and email address;
- Professional and work-related information such as place of work, job title and professional or educational background; and
- Other types of personal data as are specified in relation to the specific assignment
Depending on the specific assignment, the personal data will concern the following categories of data subjects:
- Client’s current and former employees;
- Client’s customers;
- Client’s vendors; and
- Such other categories of data subjects as are specified in relation to the specific assignment.
3. Instructions and security
Clause 3 sets out the overall security requirements that must be in place when a Vendor processes personal data on behalf of LanguageWire.
As a general rule, a Vendor is only entitled to process personal data in accordance with the restrictions and documented instructions provided by LanguageWire. The Vendor must ensure that personal data provided by LanguageWire is appropriately safeguarded in order to prevent its accidental or unlawful destruction, loss or alteration or similar.
If the Vendor represents a translation agency, the Vendor must ensure that its employees have committed themselves to the obligation of confidentiality as set out under the Vendor Agreement.
The Vendor shall only process personal data on behalf of LanguageWire, and only based on the documented instructions of LanguageWire and solely for the purpose listed above in Clause 2. LanguageWire retains a general right to issue instructions as to the nature, scope and method of processing of the personal data, which may be supplemented with individual instructions.
The Vendor shall implement appropriate technical and organizational security measures to protect the personal data against accidental or unlawful destruction, loss or alteration, and against unauthorized disclosure, abuse or other processing in violation of the provisions laid down in Directive 95/46 EC of the European Parliament and of the Council and any applicable laws implementing it and/or any later amendments thereof, including the Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the EU Directive (hereinafter together (referred to as the “Data Protection Legislation”).
The Vendor will ensure that the employees processing personal data on its behalf have committed themselves to the obligation of confidentiality regarding any personal data processed under the Vendor Agreement. The obligation of confidentiality will continue after the termination of the Vendor Agreement.
The Vendor shall maintain documentation of the categories of personal data and the processing thereof. The documentation shall be available to LanguageWire upon written request.
The Vendor shall immediately inform LanguageWire if, in its opinion, an instruction from LanguageWire infringes the Data Protection Legislation.
Upon LanguageWire’s request, the Vendor will complete a security questionnaire submitted by Languagewire to the Vendor.
Upon LanguageWire’s request, the Vendor will provide full cooperation and assistance in relation to any complaint or request made. Furthermore, within no more than two (2) business days the Vendor will provide LanguageWire with detailed information concerning the current location of any personal data being processed or stored by the Vendor or any of its subprocessors.
If the Vendor is not a single translator, the Vendor must appoint a contact person who may be contacted by LanguageWire regarding the obligations under this Data Processing and Transfer Agreement.
Single translators: If the Vendor is a single translator (i.e. not part of an agency or a larger group of translators) that does not use subprocessors (i.e. third parties providing translation services), the following Clause 4 only applies to the Vendor if the Vendor engages a third party to conduct the translations on the Vendor’s behalf.
Subprocessors: For agencies that liaise with third party to complete translation tasks, the following Clause 4 applies. Pursuant to Clause 4 below, the agency is not entitled to transfer personal data to another data processor without the prior written consent of LanguageWire. By digitally signing this Agreement, LanguageWire has granted the Vendor permission to transfer personal data to a third party, imposing the same obligations on the Vendor as set out in Schedule 1. When an agency subcontracts any processing activities to a third party, the agency may only do so by way of a written agreement that imposes the same obligations towards the agency’s subprocessors as set out in this Schedule 1.
This Clause 4 is required under the GDPR and ensures that both the Vendor and LanguageWire comply with the GDPR.
The Vendor shall not subcontract any of its processing operations performed on behalf of LanguageWire to any other data processor (subprocessor) without the prior written consent of LanguageWire.
Where the Vendor subcontracts its obligations, as described above it shall do so only by way of a written agreement with the subprocessor that imposes the same obligations on the subprocessor as are imposed on the Vendor under this Data Processor and Transfer Agreement. Where the subprocessor fails to fulfil its data protection obligations under such written agreement, the Vendor shall remain fully liable to LanguageWire for the performance of the subprocessor’s obligations.
The Vendor may not transfer personal data out of the EU/EEA without the prior written approval of LanguageWire. By digitally signing this Agreement and in addition to the above, LanguageWire consents that personal data may be transferred outside of the EU/EEA, provided that information concerning such transfers is made available to LanguageWire upon request and that the Vendor complies with any requirements established by any data protection authority or any other governmental authorities necessary for the granting of approval by such authorities for the transfer of personal data outside of the EU/EEA, including by adherence to the Commission’s standard contractual clauses as set out by Commission Decision of 5 February 2010 with later amendments, to the extent applicable.
5. Non-EU/EEA Vendors
Subprocessors located inside the EU/EEA: If the Vendor is located within the EU/EEA, the following Clause 5 does not apply.
Subprocessors located outside the EU/EEA: If the Vendor is located outside the EU/EEA, there are certain steps that must be taken before LanguageWire can provide the Vendor with material that includes personal data. To avoid any doubt, no personal data may be transferred outside of the EU/EEA, including to subprocessors to the Vendor, without an appropriate legal basis for such transfer.
In order to transfer personal data outside the EU/EEA, appropriate legal means for such transfer must be in place. In practice, this means that an agreement based on the European Commission’s standard contractual clauses must be entered into between the Vendor as the subprocessor and LanguageWire.
To ensure that this is completed, Clause 5 below grants LanguageWire a right to enter into the European Commission’s standard contractual clauses with the relevant client on behalf of the Vendor as the data processor. LanguageWire will handle all contact with the relevant client on the Vendor’s behalf. The purpose of this Clause 5 is to protect the Vendor and LanguageWire from infringement of the GDPR.
For Vendors located outside the EU/EEA, the Vendor grants LanguageWire a general consent, and hereby issues a power of attorney to LanguageWire accordingly, which authorizes LanguageWire to at any time enter into the Commission’s standard contractual clauses, as set out by Commission Decision of 5 February 2010 with later amendments (the “Standard Contractual Clauses”) with LanguageWire’s clients on the Vendor’s behalf, in order for the Vendor to receive and process personal data on behalf of LanguageWire.
Furthermore, the Vendor acknowledges that LanguageWire may enforce the Commission’s standard contractual clauses directly against the Vendor on behalf of the client, if necessary.
6. Data breach notification
If the Vendor becomes aware of or suspects that any personal data may have been leaked, the Vendor must notify LanguageWire immediately and include the relevant information as set out below. A personal data breach has occurred when a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
The Vendor shall without undue delay, and always within a timeframe allowing LanguageWire to comply with the Data Protection Legislation, notify LanguageWire in writing with copy to firstname.lastname@example.org in the event of any identified or potential breach of personal data processed under the Vendor Agreement. Furthermore, the Vendor shall comply with further instructions on ensuring documentation of (possible) personal data breaches, as well as further instructions from LanguageWire or LanguageWire’s client, as the case may be.
The notification must at least:
- Describe the personal data breach, including the categories and number of data subjects concerned, date and time of the incident, summary of the incident that caused the personal data breach, the categories and number of data records concerned, and the nature and the content of the personal data concerned;
- Describe the circumstances of the personal data breach (e.g. loss, theft, copying);
- Communicate the identity and contact details of the Vendor’s data protection officer or other contact point where more information can be obtained;
- Recommend measures to mitigate the possible adverse effects of the personal data breach;
- Describe the likely consequences and potential risk to the data subject due to the personal data breach;
- Describe the measures proposed or taken by the Vendor and/or the subprocessor, as applicable, to address the personal data breach; and
- Include any other information required in order for LanguageWire to comply with the Data Protection Legislation, including duties of notification and disclosure in relation to public authorities.
7. Return or deletion of personal data
At all times, the Vendor must follow the requirements set out by LanguageWire in terms of return or deletion of personal data.
Following termination of the Vendor Agreement and at LanguageWire’s request, the Vendor shall (a) destroy, or (b) return to LanguageWire (in a mutually agreed, readily accessible and commercially reasonable file format), all personal data that is in its possession or control.
Upon LanguageWire’s request for deletion of personal data, the Vendor will effectively delete the personal data and provide documentation in evidence of the effective deletion of the personal data.
The Vendor is obliged to delete any received personal data within 90 days of it becoming unnecessary for job processing, regardless of a formal request from LanguageWire (usually after completion of the translation).