1.1. For the purposes of this DPA:
(a) "Affiliate" means an entity that directly or indirectly controls, is controlled by or is under common control with an entity.
(b) "Agreement" means the main written or electronic agreement between Customer and RingCentral for the provision of any of the services set out at Annex B to Customer (each a "Service" and collectively the "Services").
(c) "Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including, where applicable, EU and California Data Protection Laws.
(d) "EEA" means the European Economic Area, including the United Kingdom.
(e) "EU Data Protection Laws" means the applicable European data protection legislation, including, but not limited to, EU Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (also known as the General Data Protection Regulation) (the “GDPR”), and any and all applicable national data protection laws, rules and regulations in the United Kingdom, including the Data Protection Act 2018, and the EEA, which may be adopted from time to time including the French Law No 78-17 of 6 January 1978 on information technology, data files and civil liberties as last amended by the Ordonnance n° 2018-1125 of 12 December 2018.
(f) “California Data Protection Laws” means all applicable privacy and data security-related legislation and regulations adopted by the State of California, including, but not limited to, the California Consumer Privacy Act ("CCPA") (when in force) and any implementing regulations promulgated thereunder.
(g) "Controller" shall mean the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
(h) "Processor" shall mean an entity which processes Personal Data on behalf of the Controller.
(i) "Personal Data" means any information relating to an identified or identifiable natural person or household consisting of natural persons.
(j) “Sale” has the meaning set out in the CCPA, as and where the CCPA applies. Disclosure of Personal Data to a Sub-processor pursuant to the terms of this DPA is expressly excluded from the definition of Sale.
(k) "Privacy Shield Framework" means the EU-US and Swiss-US Privacy Shield self-certification programs operated and administered by the U.S. Department of Commerce.
(l) "Privacy Shield Principles" means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C/2016/4176 of July 12, 2016 (as amended, superseded or replaced, as the case may be).
(m) "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data.
(n) "Usage Data" means any data resulting from the Customer's use or operation of the Services, including, without limitation, traffic data, call detail records, metadata, log data, billing information, emails, customer authentication and audit logs, any data related to professional services, access logs, system logs, server logs.
2. Applicability of DPA
2.1 Applicability of DPA. This DPA will apply to the extent that RingCentral processes Personal Data on behalf of a Customer or Customer Affiliate as a Processor.
2.2 Usage Data. Notwithstanding anything to the contrary contained in this DPA, RingCentral is a Controller of Usage Data. To the extent that such Usage Data is collected or generated by RingCentral, such data may be used by RingCentral for purposes including regulatory compliance, network security, fraud detection and prevention, billing, internal analytics and other lawful purposes, but shall not be subject to Sale. For the avoidance of doubt, with the exception of this Section 2, this DPA will not apply to Usage Data.
3. Roles and Responsibilities
3.1 Parties' Roles. As between the parties and for the purposes of this DPA, Customer shall be the Controller of the Personal Data that is processed by RingCentral under the Agreement as described in Annex A and RingCentral shall process the Personal Data as a Processor on Customer's behalf.
3.2 Obligations of the Customer. Customer undertakes to:
(a) Ensure that it may lawfully disclose the Personal Data to RingCentral for the purposes set out in the Agreement;
(b) Comply with Applicable Data Protection Laws in its use of the Services, and its own collection and processing of Personal Data (for the avoidance of doubt, Customer's instructions to RingCentral shall comply with Applicable Data Protection Laws and Customer shall have sole responsibility for the accuracy, quality and legality of the Personal Data and the means by which Customer acquired Personal Data); and
(c) Ensure that no special categories of data or sensitive data (as defined in the GDPR or Applicable Data Protection Laws), nor any Personal Data concerning children or minors is stored within the Services.
3.3 Purpose Limitation.
(b) Any additional processing required by Customer outside of the scope of the Agreement will require prior written agreement between the parties, including an agreement on any additional fees that Customer may be required to pay.
(c) For the avoidance of doubt, RingCentral shall not engage in the Sale of the Personal Data.
3.4 Confidentiality of Processing. RingCentral shall ensure that any person that it authorizes to process the Personal Data shall be subject to a duty of confidentiality (either a contractual or a statutory duty).
3.5 Security. RingCentral will maintain appropriate technical and organizational security measures to safeguard the security of Personal Data. RingCentral will maintain an information security and risk management programme based on commercial best practices to preserve the confidentiality, integrity and accessibility of Personal Data with administrative, technical and physical measures conforming to generally recognized industry standards and practices. RingCentral shall implement appropriate technical and organisational measures designed to protect the Personal Data from a Security Incident.
3.6 Security Incidents. Upon becoming aware of a Security Incident, RingCentral shall notify Customer without undue delay at the contact information that Customer has provided in the Administrative Portal and shall provide such timely information as Customer may reasonably require, including to enable Customer to fulfil any data breach reporting obligations under Applicable Data Protection Laws.
3.7 Provision of Security Reports. RingCentral shall provide, upon Customer's request, copies of any relevant summaries of external security certifications or security audit reports necessary to verify RingCentral's compliance with this DPA.
3.8 Deletion or Return of Data. Upon termination or expiry of the Agreement, and upon written request, RingCentral shall, at Customer's election, either delete or return to Customer the Personal Data (including copies) in RingCentral's possession, save to the extent that RingCentral is required by applicable law to retain some or all of the Personal Data.
4. GDPR Obligations
4.1 Applicability of Section. This Section 4 shall apply to the processing of Personal Data that is subject to the protection of the GDPR or the CCPA.
4.2 Sub-processors. Customer agrees that RingCentral may engage RingCentral Affiliates and third party sub-processors (collectively, "Sub-processors
") to process the Personal Data on RingCentral's behalf. RingCentral shall impose on such Sub-processors data protection terms that protect the Personal Data to an equivalent standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-processor. The Sub-processors engaged by RingCentral in respect of each of the Services at the time of the Agreement are noted on the RingCentral Sub-processor List available at https://netstorage.ringcentral.com/documents/RingCentral_Subprocessor_List.pdf
4.3 Changes to Sub-processors. RingCentral may, by giving reasonable notice to the Customer, add or make changes to the Sub-processors. If the Customer objects to the appointment of an additional Sub-processor within 30 calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, then the parties will discuss such concerns in with a view to achieving resolution. If such resolution cannot be reached, then RingCentral will either not appoint the Sub-processor or, if this is not possible, Customer will be entitled to suspend or terminate the affected RingCentral Service in accordance with the termination provisions of the Agreement. Notwithstanding the foregoing, in the event of an unforeseeable force majeure (such as a Sub-processor failure) that can provoke a degradation or interruption of the Service, RingCentral reserves the right to immediately change the failing Sub-processor in order to maintain or restore the standard conditions of Service. In this situation, the notification of Sub-processor change may be exceptionally sent after the change.
4.4 Cooperation and Data Subjects' Rights. Some of the RingCentral Services may provide direct technical means to enable Customer to fulfil its duties to respond to requests from data subjects under Applicable Data Protection Laws. For the avoidance of doubt, it is the Customer’s responsibility to respond to any data subject request. If Customer is unable to address the data subject's request through such technical means, or where such functionality is not available, RingCentral shall, taking into account the nature of the processing, provide reasonable assistance to Customer insofar as this is possible, to enable Customer to respond to such data subject requests. In the event that such request is made directly to RingCentral, RingCentral shall promptly inform the data subject to contact the Customer of the same. It is Customer’s sole responsibility to ensure that any account Administrator identified for Customer’s RingCentral account to manage and carry out data subject requests has appropriate authority to do so.
4.5 Data Protection Impact Assessments. RingCentral shall, to the extent required by EU Data Protection Laws, and upon Customer's request and at Customer’s expense, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under EU Data Protection Laws in relation to the scope of the Services to be provided by RingCentral pursuant to the Agreement.
4.6 International Transfers. RingCentral may transfer and process Personal Data anywhere in the world where RingCentral, its Affiliates or its Sub-processors maintain data processing operations. To the extent that RingCentral processes (or causes to be processed) any Personal Data originating from the EEA in a country that has not been recognized by the European Commission as providing an adequate level of protection for Personal Data, RingCentral shall put in place such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Laws, which may include reliance on RingCentral, Inc.'s self-certification to the Privacy Shield Framework and its compliance with the Privacy Shield Principles, the execution of standard contractual clauses approved by the European Commission, or the putting in place of any other valid transfer mechanism under EU Data Protection Laws.
(a) While it is the parties' intention ordinarily to rely on the provision of the security reports at Section 3.7 above to verify RingCentral's compliance with this DPA, RingCentral shall permit the Customer (or its appointed third-party auditors) to carry out an audit of RingCentral's processing of Personal Data under the Agreement following a Security Incident suffered by RingCentral, or upon the instruction of a data protection authority. Customer must give RingCentral thirty (30) days prior notice of such intention to audit and such conduct will be at Customer’s own costs. Any such audit shall be subject to RingCentral's security and confidentiality terms and guidelines.
(b) Customer shall use its reasonable endeavours to ensure that the conduct of each audit does not unreasonably disrupt RingCentral's operations or delay the provision of the Services. RingCentral shall provide Customer (and its auditors and other advisers) with all reasonable cooperation, access and assistance in relation to each audit. The audit shall be conducted at RingCentral’s place of business during normal business hours and shall last no longer than two business days.
(c) For the avoidance of doubt, RingCentral is not obligated to disclose to the Customer any documents or other material relating to RingCentral’s profitability, legally privileged documents or information, or documents that is commercially confidential or RingCentral is bound to maintain as confidential by written obligation to a third party or under applicable law or regulation. Audit results, including information and documentation disclosed or made available to Customer in the course of any such audit, will be deemed RingCentral’s Confidential Information.
5.1 Except as amended by this DPA, the Agreement will remain in full force and effect.
5.2 If there is a conflict between the Agreement and this DPA, the terms of this DPA will control.
5.3 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.