Data Processing Agreement (DPA)

This DPA is between RealVNC Limited incorporated and registered in England and Wales with company number 04446945 whose registered office is at Edinburgh House, St John's Innovation Park, Cowley Rd, Cambridge CB4 0DS ("RealVNC") and the customer identified in the relevant agreement for Services (the "Customer").

Agreed Terms

1.  INTERPRETATION

1.1 The following definitions and rules of interpretation apply in this DPA:

1.1.1 “business”, “consumer”, "controller", "processor", "data subject", "personal data", “personal information”, "processing" ("process"), “service provider” and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law;

1.1.2 "Applicable Data Protection Law" shall mean: all applicable privacy and data protection laws, including the EU General Data Protection Regulation (Regulation 2016/679), the UK GDPR; the Data Protection Act 2018 and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), and the California Consumer Privacy Act of 2018 and its implementing regulations (collectively CCPA), and other United States federal or state privacy, data security, and data breach notification laws and regulations as adopted, further amended, replaced or updated from time to time;

1.1.3 “Data” means Personal Data, Personal Information or any functional equivalent of these terms relevant under any Applicable Data Protection Law which RealVNC is Processing in connection with the provision of the Services, as described in the Schedule to this DPA;

1.1.4 “Services” means the Data Processing RealVNC is to carry out on behalf of the Customer in connection with any end user license agreement in place between the parties;

1.1.5 "Standard Contractual Clauses" means as applicable (a) the standard contractual clauses available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN pursuant to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR ("EU SCCs"); and (b) the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner's Office under S119A(1) of the Data Protection Act available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf effective from 21 March 2022 ("UK Addendum");

1.1.6 “Territory of Adequate Protection” means a country (or sector) within the European Economic Area or UK and/or in respect of which any positive adequacy decision (under Article 45 of the GDPR or UK GDPR) is issued;

1.1.7 "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018;

1.1.8 Clause, Schedule and paragraph headings shall not affect the interpretation of this DPA;

1.1.9 the Schedules form part of this DPA and shall have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedules;

1.1.10 if there is any conflict between the terms of this DPA and the agreement to which it relates the terms of this DPA shall prevail. If there is any conflict between the terms of Schedule 1 and the DPA or agreement to which it relates the terms of Schedule 1 shall prevail; and

1.1.11 any words following the terms including, include, in particular or for example or any similar phrase shall be construed as illustrative and shall not limit the generality of the related general words.

2. Customer’s Responsibilities in relation to the data

2.1 Customer will share Data with RealVNC and hereby appoints RealVNC as a Processor to Process the Data in connection with the provision of the Services (the "Permitted Purpose”).

2.2 Customer:

2.2.1 warrants, represents and undertakes that RealVNC’s use of the Data for the Permitted Purpose will comply with Applicable Data Protection Law;

2.2.2 shall obtain all necessary consents or satisfy another lawful ground for processing; and

2.2.3 shall provide privacy notices to its customers (as required by Applicable Data Protection Law),

such that Customer can share the Data with RealVNC for the Permitted Purpose and that RealVNC can perform the Services in accordance with Applicable Data Protection Law.

2.3.            Customer shall not provide to RealVNC or otherwise cause RealVNC to create, receive, transmit or maintain “protected health information” subject to the U.S. Health Insurance Portability and Accountability Act’s Privacy, Security and Breach Notification  Rules (45 C.F.R. Parts, 160, 164) (“HIPAA Rules”) without previously having entered into a separate business associate agreement with RealVNC that satisfies the requirements of the HIPAA Rules.

3 RealVNC’s Responsibility in relation to the data

3.1 RealVNC shall:

3.1.1 process the Data only for the Permitted Purpose and in accordance with the Customer’s written and lawful instructions as issued from time to time, unless required to do so by law to which RealVNC is subject. In such circumstances, RealVNC shall inform the Customer of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest;

3.1.2 ensure that any person it authorises to process the Data is subject to a statutory or contractual obligation of confidentiality;

3.1.3 implement technical and organisational measures to protect the Data from accidental or unlawful destruction, and loss, alteration, unauthorised disclosure, or unauthorized acquisition or access (a "Security Incident");

3.1.4 if it becomes aware of a confirmed Security Incident, inform Customer without undue delay and provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under Applicable Data Protection Law;

3.1.5 not transfer the Data outside of the European Economic Area ("EEA") or UK unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law;

3.1.6 notify the Customer as soon as reasonably practicable if it receives a request from a Data Subject to exercise their right under the Applicable Data Protection Law in relation to the Data;

3.1.7 provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to:

3.1.7.1 comply with its responsibilities in connection with Applicable Data Protection Law, including but not limited to compliance with relevant security, breach notification, impact assessment and prior consultation obligations;

3.1.7.2 respond to any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law. RealVNC must not disclose the Data to any Data Subject other than at the Customer’s request or instruction, as provided for in this DPA or as required by law; and

3.1.7.3 respond to any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to RealVNC, RealVNC shall promptly inform the Customer, providing full details of the request.

3.2 To the extent Customer is acting as a Business and RealVNC is acting as a Service Provider for purposes of the CCPA, RealVNC shall not retain, use or disclose any Personal Information received from Customer for any commercial or other purpose except for the specific purpose of performing the Services as specified in the DPA unless otherwise permitted by the CCPA. RealVNC will comply with the obligations of a Service Provider under the CCPA, to the extent applicable, including deleting Personal Information at the direction of Customer in response to a verifiable Consumer request.

 

3.3 To the extent Customer is subject to the Massachusetts “Standards for the Protection of Personal Information of Residents of the Commonwealth” (201 CMR 17.00), and Data that RealVNC processes on Customer’s behalf constitutes Personal Information under those regulations, RealVNC will implement appropriate security measures to protect such Personal Information consistent with 201 CMR 17.00.

 

4 Subcontracting

4.1 Customer consents to RealVNC engaging the third party subprocessors listed on RealVNC’s website at https://help.realvnc.com/hc/en-us/articles/360014324617-Sub-processors in connection with the Permitted Purpose, provided that:

4.1.1 RealVNC notifies the Customer with details of any change in such subprocessor at least 14 days prior to any such change, giving the Customer a chance to object to such proposed change, provided such objection is based on reasonable grounds of data protection. Customer acknowledges that to receive such notifications, it must subscribe to receive them on RealVNC’s subprocessor webpage at the link set out in clause 4.1;

4.1.2 RealVNC imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and

4.1.3 RealVNC remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor.

 

5 International transfers

5.1 The provisions of Schedule 1 shall apply to the extent RealVNC provides Services based outside of a Territory of Adequate Protection, and no alternative protection mechanism  is being relied on by the parties.

5.2 If RealVNC uses a subprocessor based outside of a Territory of Adequate Protection, then RealVNC shall enter into module three (processor to processor) or another module of the Standard Contractual Clauses with the relevant subprocessor as appropriate. RealVNC will make the executed Standard Contractual Clauses available to the Customer on request.

5.3 Customer acknowledges that to ensure the relevant Services comply with Applicable Data Protection Law, RealVNC may use the complete range of protection measures available under Applicable Data Protection Law to protect any international transfers of the Data.

6 Deletion / return of Data

Upon termination or expiry of this DPA, RealVNC shall (at Customer's election) destroy or return to Customer all Data in its possession or control.  This requirement shall not apply to the extent that RealVNC is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, which RealVNC shall securely isolate and protect from any further Processing except to the extent required by law until deletion is possible.

7 Audit

Upon 30 days' written notice, the Customer or Customer's auditor may, not more than once per calendar year audit RealVNC's compliance with this DPA. The parties shall agree the scope and duration of the audit before the audit. Any audit shall be at the Customer's cost.

8 Liability

8.1 Nothing in this DPA shall limit any liability which cannot be limited by law.

8.2 Subject to clause 8.1, RealVNC shall not be liable, whether in contract, tort or otherwise, for any indirect, consequential or special losses relating to or in connection with this DPA.

8.3 Subject to clauses 8.1. and 8.2, RealVNC's total liability, whether in contract, tort or otherwise, for any losses or damages relating to or in connection with this DPA shall be £500,000.

9 Complaints

If the Customer receives a complaint, notice or communication which relates directly or indirectly to the Processing of Data by RealVNC or to RealVNC’s compliance with the Applicable Data Protection Law, it shall as soon as reasonably practicable notify RealVNC and shall provide RealVNC with reasonable co-operation and assistance in relation to any such compliant, notice or communication.

10 ASSIGNMENT

This DPA is personal to the parties and neither party shall assign, transfer, mortgage, charge, subcontract, declare a trust of or deal in any other manner with any of its rights and obligations under this DPA without the prior written consent of the other (which is not to be unreasonably withheld or delayed).

11 ENTIRE AGREEMENT

11.1 This DPA constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

11.2 Each party acknowledges that in entering into this DPA it does not rely on, and shall have no remedies in respect of, any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this DPA. Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misstatement based on any statement in this DPA.

12 SEVERANCE

If any provision or part-provision of this DPA is or becomes invalid, illegal or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted. Any modification to or deletion of a provision or part-provision under this clause shall not affect the validity and enforceability of the rest of this DPA.

13 THIRD-PARTY RIGHTS

Except as expressly provided elsewhere in this DPA, a person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this DPA. This does not affect any right or remedy of a third party which exists, or is available, apart from that Act, and the consent of any third party shall not be required to vary this DPA.

14 GOVERNING LAW AND jurisdiction

14.1 Subject to Schedule 1, this DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of England.

14.2 Subject to Schedule 1, each party irrevocably agrees that the courts of England shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA or its subject matter or formation (including non-contractual disputes or claims).

 

 

 

SCHEDULE 1 - STANDARD CONTRACTUAL CLAUSES

The parties agree that the Standard Contractual Clauses are incorporated into this DPA by reference, as if they had been set out in full, and are populated as follows. Unless expressly stated below, any optional clauses contained within the Standard Contractual Clauses shall not apply. The Supplementary Clauses shall apply.

As applicable, the following Modules of the Standard Contractual Clauses shall apply where Personal Data is transferred to a country based outside of a Territory of Adequate Protection, and no alternative protection mechanism is being relied on by the parties:

 

a) CONTROLLER -> PROCESSOR (Module Two of the EU SCCs) if the Customer, acting as a Controller, is making a restricted transfer of Personal Data subject to the GDPR and/or UK GDPR to RealVNC, acting as a Processor; and/or

 

b) PROCESSOR -> CONTROLLER (Module Four of the EU SCCs) if the RealVNC acting as a Processor, makes a restricted transfer of Personal Data subject to the GDPR and/or UK GDPR to the Customer, acting as a Controller.

 

Governing Law and Jurisdiction: For the purposes of Clauses 17 and 18, Section IV of Module Two of the EU SCCs, the parties agree the governing law and jurisdiction shall be Ireland. For the purposes of Clauses 17 and 18, Section IV of Module Four of the EU SCCs and the UK Addendum, the Parties agree that the laws and courts of England and Wales will apply.

 

Sub-Processors: For the purposes of Clause 9, Section II of Module Two of the EU SCCs, the parties agree that option 2: general written authorization shall apply and the data importer shall notify the data exporter of any changes in accordance with clause 4 of the DPA.

Competent Supervisory Authority: In respect of the EU SCCs, the competent supervisory authority shall be determined in accordance with Clause 11, Section II of Module Two of the EU SCCs. In respect of the UK Addendum, the competent supervisory shall be read as Information Commissioner.  

UK Addendum

Start Date

The UK Addendum is effective from 21 March 2022.  

1. Table 1: Parties

Exporter and key contact: As set out in Annex 1 of the Standard Contractual Clauses below.

Importer and key contact: As set out in Annex 1 of the Standard Contractual Clauses below.

 

2. Table 2: Selected SCCs, Modules and Clauses

Module Two of the EU SCCs and/or Module Four of the EU SCCs, as detailed above.

 

3. Table 3: Appendix Information

As set out in Annex 1 and Annex 2 of the of the Standard Contractual Clauses below.

4. Table 4: Ending this Addendum when the Approved Addendum Changes

In the event the Information Commissioner's Office issues a revised Approved Addendum, in accordance with Section ‎18 of the UK Addendum which as a direct result of such changes has a substantial, disproportionate and demonstrable increase in: (a) the data importer's direct costs of performing its obligations under the Addendum; and/or (b) the data importer's risk under the Addendum, the data importer may terminate this UK Addendum on reasonable written notice to the data exporter in accordance with Table 4 and paragraph 19 of the UK Addendum.

Annex 1 to the Standard Contractual Clauses

 

The Parties

14.3 For Module Two of the EU SCCs the exporter is: the Customer whose details are set out in the agreement for Services.

14.4 For Module Two of the EU SCCs the importer is: RealVNC whose details are set out in the agreement for Services.

14.5 For Module Four of the EU SCCs the exporter is: Real VNC whose details are set out in the agreement for Services.

14.6 For Module Four of the EU SCCs the importer is: the Customer

Description of Data Processing

14.7 Categories of data subjects: employees of the customer and employees of clients of the customer.

14.8 Categories of personal data transferred: first name, last name, User Principal Name (UPN) (only if SSO is in use), country, phone number (if provided), email address, computer name (hostname), team name, device name, screenshots taken during the connection (only if enabled), labels, IP address, Mac addresses, product usage data and chat transcripts.

14.9 Sensitive data transferred:

14.10 Frequency of the transfer:

14.11 Nature of the processing: Provide VNC Connect services to customers utilising RealVNC Cloud services (address book synchronisation, cloud brokered connections, RealVNC On-Demand Assist (formerly known as Instant Support). As part of providing the VNC Connect service, RealVNC may need to analyse service log files to assist in problem diagnosis In order to provide insights into customer product usage to inform future development, aggregated queries may be run against product usage data periodically.

14.12 Purpose of the processing: to provide the Services as set out in the DPA.

14.13 Duration of the processing: for the duration of this DPA.

14.14 Sub-Processor Transfers: as set out at https://help.realvnc.com/hc/en-us/articles/360014324617-Sub-processors.

14.15 Technical and Organisational Measures: Restriction of access to buildings, data centres and server rooms as necessary, adequate locks on all doors, monitoring of unauthorised access, written procedures for employees, contractors and visitors covering confidentiality and security of information, restricting access to systems depending on the sensitivity/criticality of such systems, use of password protection where such functionality is available, maintaining records of the access granted to which individuals, ensuring prompt deployment of updates, bug-fixes and security patches for all systems.

Supplementary Clauses

Erasure and deletion: For the purposes of Clause 8.5, Section II of Module Two of the Standard Contractual Clauses the data importer shall delete the Personal Data in accordance with clause 6 of this DPA. For the purposes of Clause 8.1(d), Section II of Module Four of the Standard Contractual Clauses, the data exporter shall delete the Personal Data in accordance with clause 7 of this DPA.  

Audit: The parties acknowledge that the data importer complies with its obligations under Clause 8.9, Section II of Module Two of the Standard Contractual Clauses by complying with clause 7 of this DPA and exercising its contractual audit rights it has agreed with its Sub-Processors.

Transfer impact assessment: The data exporter acknowledges a transfer impact assessment has been made available by the data importer which the data exporter accepts as sufficient to fulfil the data importer’s obligations pursuant to Clause 14(c) and 14(a) of the Standard Contractual Clauses.

For the purposes of Clause 14(c), 15.1(b) and 15.2, Section III of Module Two of the Standard Contractual Clauses, the parties agree that “best efforts” and the obligations of the data importer under clause 15.2 shall mean exercising the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a leading practice engaged in a similar type of undertaking under the same or similar circumstances and shall not include actions that would result in civil or criminal penalty such as contempt of court under the laws of the relevant jurisdiction.