DREMIO DATA PROTECTION ADDENDUM – CONTROLLER - CONTROLLER

1. SCOPE

  1. This Data Processing Agreement ("DPA") forms an integral part of the agreement signed between the Dremio Corporation entity which is a party to the principal agreement ("Company" and "Agreement" respectively) and its counterparty ("Partner", each "Party", together "Parties").
  2. If Partner Processes Personal Data, or if Partner has access to Personal Data in the course of the Agreement, Partner shall comply with the terms and conditions of this Data Protection Addendum.
  3. Each Party acknowledges that they shall qualify as a separate and independent Data Controller. For the removal of doubt, the Parties will not be defined as and will not act as "joint controllers" in accordance with Article 26 of the GDPR (as defined below). Each Party is individually responsible to comply with its respective obligations that apply to it in its capacity as a controller under any applicable Data Protection Laws (as defined below).

2. DEFINITIONS

All capitalized terms not defined in this Data Protection Addendum have the meanings set forth in the Agreement.

  1. "Agreement" means the agreement between Company and Partner which involves Partner having access to or otherwise Processing Personal Data;
  2. "Approved Jurisdiction" means a member state of the EEA, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission currently found here: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm.
  3. "Breach Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
  4. "Data Protection Laws" means any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or federal or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR").
  5. "EEA" means those countries that are members of the European Economic Area.
  6. "Partner" refers to the legal entity, regardless of the form of organization, identified in the Agreement.
  7. "Personal Data" or "personal data" means any information that is about, or can be related to, an identifiable individual. It includes any information that can be linked to an individual or used to directly or indirectly identify an individual, natural person. Personal Data shall be considered Confidential Information regardless of the source.
  8. "Process" or "process" means any operation or set of operations that is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. "Processes" or "processes" and "Processing" or "processing" shall be construed accordingly.

3. DATA PROTECTION AND PRIVACY

  1. Each Party shall:
    1. Only Process the Personal Data in accordance with the requirements of this DPA and Data Protection Laws as applicable to Data Controllers.
    2. Without derogating from the foregoing, be responsible to provide data subjects with any information required under the Data Protection Laws, and to allow data subjects to exercise their rights under the Data Protection Laws, and shall provide Company with reasonable cooperation and assistance to fulfill the foregoing.
    3. In accordance with the Data Protection Laws, implement and maintain commercially reasonable and appropriate physical, technical and organizational security measures to protect Personal Data against accidental or unlawful destruction; accidental loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed, and all other unlawful forms of Processing.
    4. Comply with any notification obligations of personal data breach to the supervisory authority and communication obligations to data subjects, as required under Data Protection Laws;
    5. Provide to the other party to this Data Protection Addendum the contact information of its data protection officer, or other individual that that Party has designated to handle all privacy-related inquiries.
  2. The Party who initially obtains the Personal Data from a data subject shall be responsible for obtaining any consents that may be required from the data subject (in each case to the extent necessary to comply with Data Protection Laws) and for the provision of information to the data subject prior to the collection of the Personal Data (e.g. "Privacy Notice" or "Privacy Policy"), as necessary to comply with Data Protection Laws. The foregoing shall not derogate from the other Party's responsibilities under the Data Protection Laws (such as the requirement to provide information to the data subject when the Personal Data in connection with the processing of Personal Data).

4. THE TRANSFER OF PERSONAL DATA

  1. The Parties shall not Process Personal Data from the EEA in a territory outside of the EEA, unless one (or more) of the following applies:
    1. The Transfer is done to an Approved Jurisdiction;
    2. The Transfer is done in accordance with any of the exceptions listed in the Data Protection Laws.
  2. A Party that transfers Personal Data outside of the EEA will assume complete and sole liability for such transfer and will ensure that an applicable exception applies.

5. GENERAL

  1. If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this Data Protection Addendum, and Partner will promptly begin complying with such Data Protection Laws.
  2. Any ambiguity in this Data Protection Addendum shall be resolved to permit Company to comply with all Data Protection Laws. In the event and to the extent that the Data Protection Laws impose stricter obligations on the Partner than under this Data Protection Addendum, the Data Protection Laws shall prevail.
  3. Partner agrees that, in the event of a breach of this Data Protection Addendum, neither Company nor any relevant Company's customer will have an adequate remedy in damages and therefore either Company or an affected customer shall be entitled to seek injunctive or equitable relief to immediately cease or prevent the use or disclosure of Personal Data not contemplated by the Agreement and to enforce the terms of this Data Protection Addendum or ensure compliance with all Data Protection Laws.