DATA PROTECTION SCHEDULE
The following terms shall apply to Epiq eDiscovery Solutions, Inc and its affiliated companies (collectively "Epiq") and the Client identified in the Epiq Legal Solutions Master Services Agreement signed by Epiq and the Client.
Unless otherwise expressly stated herein, the defined terms set out in the Epiq Legal Solutions Master Services Agreement shall apply to this Schedule.
The following defined terms shall apply to this Data Protection Schedule:
"Client Data" shall mean the copy of the Original Data delivered to Epiq for use in providing the Services.
"Data Controller" means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.
"Data Processor", in relation to personal data, means any person (other than an employee of the Data Controller) who Processes the data on behalf of the Data Controller.
"Data Protection Laws" means (i) the European Data Protection Laws; (ii) the UK Data Protection Laws; (iii) CCPA; (iii) to the extent applicable, all other laws and regulations and sector recommendations containing rules for the protection of individuals with regard to the processing of personal data in any other country, including without limitation security requirements for, and the free movement of, personal data; and (iv) any laws, regulations, and rules promulgated under part (i), (ii), or (iii) above.
"Data Subject Consent" shall mean, as required under applicable law, a written authorization from each necessary person, whether an individual or entity, that approves Epiq’s collection or use of all data or information under their control, solely to the extent necessary for Epiq to provide the Services.
"European Data Protection Laws" means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”) and laws implementing or supplementing the GDPR, together with the Directive on Privacy and Electronic Communications 2002/58 and other data protection or privacy legislation in force from time to time in the EEA;
"Original Data" shall mean the original version of all data and materials of Client.
"Processed" and "Processes" each, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including the: (a) organization, adaptation or alteration of the information or data; (b) retrieval, consultation or use of the information or data; (c) disclosure of the information or data by transmission, dissemination or otherwise making it available; or (d) alignment, combination, blocking, erasure or destruction of the information or data.
"SCCs" means:
- the standard contractual clauses (processors) for the transfer of personal data to processors established in third party countries which do not provide an adequate level of protection as set out in Commission Decision 2010/87/EC as the same are revised, updated or replaced from time to time by the European Commission;
- in relation to the UK, relevant standard contractual clauses specified in either:
  - regulations pursuant to Article 46(2)(c) UK GDPR; or
  - documents issued (and not withdrawn) pursuant to Article 46(2)(d) UK GDPR; or
- where required from time to time by a Supervisory Authority for use with respect to any transfer, any other set of contractual clauses or other similar mechanism approved by such supervisory authority or by Data Protection Laws for use in respect of the transfer, as updated, replaced or superseded from time to time by each Supervisory Authority or Data Protection Laws.
"Supervisory Authority" means:
- an independent public authority which is established by a member state pursuant to Article 51 GDPR/UK GDPR; and
- any similar regulatory authority responsible for the enforcement of Data Protection Legislation.
"UK Data Protection Laws" means the UK GDPR, together with the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended), the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom;
"UK GDPR" means the GDPR as transposed into the United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and subsequently amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
Except as expressly stated herein, "Controller", "Processor", "Personal Data", "Data Subject", "Personal Data Breach" and "Processing" shall have the same meanings as in the Data Protection Legislation and "Processed" and "Process" shall be construed in accordance with the definition of "Processing".
- The parties agree that Epiq is a Data Processor processing personal data on behalf of the Client (as Data Controller).
- To the extent that the Services involve the processing of any personal data, Epiq shall at all times process personal data in accordance with the Data Protection Laws and comply with all obligations applicable to processors under such laws and shall:
  - not process Client personal data other than on Client’s documented instructions, including with regard to transfers of personal data to a third country or an international organization, unless processing is required by applicable laws to which Epiq is subject, in which case Epiq shall inform Client of that legal requirement before such processing, unless that law prohibits such information on important grounds of public interest;
  - maintain a record of its processing activities conducted for and on behalf of Client. Such record shall contain:
    - the name and contact details of Epiq and the name and contact details of Client;
    - the categories of processing carried out on behalf of Client;
    - where applicable, details of transfers of Client personal data to a third country, including the identification of that third country or international organization and a record of the safeguards that Epiq has put in place to ensure that the transfer will be in accordance with Data Protection Laws;
    - details of the technical, organizational and security measures Epiq has put in place to ensure the security of Client personal data.
  - where requested by Client, Epiq shall make available the record of processing at (c) above to Client within forty-eight (48) hours of receiving such request;
  - process such personal data only as is reasonable in connection with the Services;
  - implement and maintain appropriate technical and organizational measures against unauthorized or unlawful processing of such personal data, including the engagement of reliable staff and the implementation of appropriate security measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR/UK GDPR or similar provisions under any other Data Protection Law;
  - reasonably promptly following receipt, pass on to Client any requests for details regarding, or requests for access to, any personal data, and shall not answer such requests in its own right;
  - where Epiq receives any data subject access request, reasonably promptly following a written request from Client, provide reasonable assistance to Client to allow Client to respond to the relevant request, in each case solely in relation to the processing of Client personal data by Epiq and taking into account the nature of the processing and the information available to Epiq;
  - take reasonable steps to ensure the reliability of any of its staff and/or Agents and/or contractors who will have access to the personal data, ensuring that any such staff and/or Agents and/or contractors are contractually obliged to maintain the confidentiality of the personal data;
  - inform Client without undue delay if it becomes aware of any accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure of or access to the personal data, and provide Client with all reasonable assistance in investigating and mitigating the impact of any such data breach. Epiq shall also provide all reasonable assistance to Client in relation to its or their obligations to provide adequate notifications to the relevant data protection authorities and affected data subjects;
  - no more than once annually, upon no less than thirty (30) days’ prior written notice to Epiq and during normal business hours, allow a representative of Client access to any relevant premises owned or controlled by Epiq where the Services are being provided, to inspect the measures, programs and procedures adopted in performance of and in compliance with this Agreement. Epiq shall also make available to Client, at Client’s reasonable request, all information necessary to demonstrate compliance with this Agreement;
  - upon the termination of the Agreement for whatever reason, at Client’s instruction and expense, return all personal data and all copies of the personal data to Client forthwith, transfer the personal data to a third party designated by Client, retain the personal data for a fee, or in the event Client does not provide any instruction hereunder, destroy all copies of the same as set forth in Section 4 (Effects of Termination; Continuation of Services) and certify to Client that it has done so, unless Epiq is prevented by its national law, internal policies or local regulator from destroying or returning all or part of such data, in which event the data will be kept confidential and will not be actively processed for any purpose; and
  - not subcontract any processing of the personal data or otherwise disclose the personal data to any third party except as expressly permitted by this Agreement or otherwise permitted by Client in writing.
- Epiq will only collect, use, retain, or disclose personal information for the Services for which Client provides or permits personal information access. Epiq will not collect, use, retain, disclose, sell, share or otherwise make personal information available for Epiq’s own commercial purposes in a way that does not comply with the CCPA or Data Protection Laws. If a law requires Epiq to disclose personal information for a purpose unrelated to the contracted Services, Epiq must first inform the Client of the legal requirement and give the Client an opportunity to object to or challenge the requirement, unless the law prohibits such notice. Epiq will not combine any personal information in Client Data with any personal information that Epiq receives from or on behalf of any person or entity other than Client or its employees (or a third party acting on behalf of Client or its employees), or that Epiq collects from its own interactions with data subjects. Epiq will comply with applicable Data Protection Laws and will provide the same level of protection to personal information as is required under applicable Data Protection Laws. Epiq will notify Client immediately if Epiq determines that it can no longer meet its obligations to comply with applicable Data Protection Laws. Epiq acknowledges that Client has the right to take reasonable and appropriate steps to help ensure that Epiq Processes personal information in a manner consistent with applicable Data Protection Laws, including without limitation, the right, upon notice, to stop and remediate any unauthorized Processing.
- Client shall ensure that it acts in complete compliance with the applicable Data Protection Laws in respect of all personal data, and represents and warrants to Epiq that, in respect of any and all personal data that it transfers, or otherwise makes available, to Epiq, (a) it is lawfully able to transfer or make such personal data available, and (b) it has any and all necessary consents from the relevant data subjects including Data Subject Consent.
- Client represents and warrants that (a) the provision of Client Data to Service Provider and the processing of the Client Data by the Service Provider in accordance with the terms of this Agreement will not cause Service Provider to be in breach of any Data Protection Laws applicable to the Client Data; (b) it will accumulate and collect all Client Data in compliance with all relevant Data Protection Laws; and (c) it will secure Data Subject Consents for Service Provider to collect any data, if relevant, and to use it along with all other Client Data, associated hardware and software, in providing the Services. The parties agree that where Client Data may be processed outside of the EEA and United States, the relevant parties may enter into the SCCs in respect of any such transfer from Client to a contracted processor (or onward transfer). The SCCs come into effect on the later of (i) the data exporter becoming a party to them; (ii) the data importer becoming a party to them; and (iii) commencement of the relevant transfer to which the SCCs relate. If, at any time, a Supervisory Authority or a court with competent jurisdiction over a party mandates that transfers from controllers in the EEA or the UK to processors established outside the EEA or the UK must be subject to additional safeguards (including but not limited to technical and organizational measures), the parties shall work together in good faith to implement such safeguards and ensure that any transfer of Client personal data is conducted with the benefit of such additional safeguards.