
Vendor Data Processing Agreement Exhibit

  1. GLOBAL PRIVACY REQUIREMENTS. 

a. General Requirements. For the purposes of this Agreement, the term “personal information” means: (i) any information relating to, describing, or associated with, or that could reasonably be linked, directly or indirectly, to, an identified or identifiable individual or (ii) data that identifies or could be used to identify any individual, including without limitation, an individual’s name, address, telephone number, or email address. Notwithstanding anything to the contrary contained in this Agreement, with respect to any personal information provided, delivered or made available to, or collected, processed or created by, Vendor under or pursuant to this Agreement (“C&W PII Data”), Vendor agrees that:

i. As between C&W and Vendor, C&W owns and retains all rights in and to such C&W PII Data, and Vendor shall not, and shall not permit any third party to, access, use, erase, copy, disclose, transfer, transmit, sell, share for targeted advertising purposes, or otherwise process such C&W PII Data other than as expressly instructed in writing by C&W and as permissible under applicable Data Protection Legislation (as defined below); 

ii. Vendor shall maintain an effective information security program that, at a minimum, meets the requirements set forth in Exhibit A (Information and Physical Security Terms and Conditions) as modified by C&W from time to time, keep such C&W PII Data confidential and take appropriate administrative, organizational, technical and physical measures to secure and protect such C&W PII Data against unauthorized, unlawful or accidental access, disclosure, transfer, destruction, loss or alteration; 

iii. Vendor shall limit access to such C&W PII Data to a need-to-know basis and to those personnel who are subject to express contractual obligations of confidentiality in respect of such C&W PII Data, and shall inform such personnel of the limitations and procedures that apply to access to and use of such C&W PII Data;

iv. Vendor shall not disclose or make C&W PII Data available to contractors, subcontractors or agents (collectively, “Sub-Processors”) without: (i) C&W's specific prior written consent; and (ii) entering into an agreement in writing with the Sub-Processor whereby the Sub-Processor agrees to comply with and treat such C&W PII Data in accordance with this Section; 

v. Vendor shall use and process C&W PII Data in accordance with all Data Protection Legislation (as defined below) applicable to Vendor or to C&W or any C&W Party, including by providing the same level of privacy protection for C&W PII as required of C&W under applicable Data Protection Legislation (as defined below); 

vi. Vendor shall provide C&W reasonable cooperation, assistance and information, and do related things and execute applicable documents as C&W may request, to enable C&W and its affiliates to comply with any Data Protection Legislation, and Vendor shall reasonably cooperate and comply with the directions or decisions of any governmental or regulatory authority and any competent data protection or privacy authority in relation to C&W PII Data, and in each case within such time as would enable C&W (or a C&W Party, as applicable) to meet any time limit imposed by such Data Protection Legislation or authority; 

vii. Neither party shall transfer C&W PII Data out of any country or territory nor require the other party to make such a transfer, except on the written instructions, or with the written consent, of C&W, and then subject to any additional restrictions set by C&W; 

viii. Standard Contractual Clauses

1. In this Section (viii), “controller” and “processor” have the same meanings as those given to them in the GDPR (in the case of sub-sections 2 and 3) and UK GDPR (in the case of sub-section 4).

2. Transfers from EU (Controller to Processor)

a. The Standard Contractual Clauses approved by the European Commission in its Decision of 4 June 2021 (2021/914) with Module Two (Transfer Controller to Processor) selected (“C2P SCCs”), are incorporated herein by reference and apply to all transfers of C&W PII Data by or on behalf of C&W to Vendor or any Sub-Processor where:

i. C&W is acting as a controller in respect of the processing of the C&W PII Data;
ii. GDPR applies to that processing; and
iii. the C&W PII Data is transferred to any country or territory outside the European Economic Area (EEA) that is not recognized by the European Commission as providing an adequate level of protection for personal data.

b. For the purposes of the C2P SCCs, the following apply:

i. Clause 7 (Docking Clause) shall apply;
ii. Clause 9 (Use of sub-processors): Option 1 is selected for clause 9(a) and the time period specified is sixty (60) days;
iii. Clause 11 (Redress): The Optional provision shall not apply;
iv. Clause 13 (Supervision): The first paragraph of clause 13(a) shall apply and the other two paragraphs are deleted;
v. Clause 17 (Governing Law): Option 1 is selected and the law of the Republic of Ireland shall apply;
vi. Clause 18 (Choice of Forum and Jurisdiction): The courts of the Republic of Ireland are specified for purposes of clause 18(b); and
vii. Exhibit B sets out the relevant data processing details.

3. Transfers from EU (Processor to Processor)

a. The Standard Contractual Clauses approved by the European Commission in its Decision of 4 June 2021 (2021/914) with Module Three (Transfer Processor to Processor) selected (“P2P SCCs”), are incorporated herein by reference and apply to all transfers of C&W PII Data by or on behalf of C&W to Vendor or any Sub-Processor where:

i. C&W is acting as a processor in respect of the processing of the C&W PII Data;
ii. GDPR applies to that processing; and
iii. the C&W PII Data is transferred to any country or territory outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data.

b. For the purposes of the P2P SCCs, the following apply:

i. Clause 7 (Docking Clause) shall apply;
ii. Clause 9 (Use of sub-processors): Option 1 is selected for clause 9(a) and the time period specified is sixty (60) days;
iii. Clause 11 (Redress): The Optional provision shall not apply;
iv. Clause 13 (Supervision): The first paragraph of clause 13(a) shall apply and the other two paragraphs are deleted;
v. Clause 17 (Governing Law): Option 1 is selected and the law of the Republic of Ireland shall apply;
vi. Clause 18 (Choice of Forum and Jurisdiction): The courts of the Republic of Ireland are specified for purposes of clause 18(b); and
vii. Exhibit C sets out the relevant data processing details.

4. The UK international data transfer addendum to the European Commission’s Standard Contractual Clauses (as set out in Exhibit D) will apply to all transfers of C&W PII Data by or on behalf of C&W to Vendor or any Sub-Processor where:

a. C&W is acting as a controller or processor in respect of the processing of the C&W PII Data;
b. UK GDPR applies to that processing; and
c. the C&W PII Data is transferred to any country or territory outside the UK that is not recognized by the UK as providing an adequate level of protection for personal data.

ix. Vendor shall, upon the request of C&W, and at least once every 12 months without request by C&W, provide C&W with information regarding its privacy/data protection practices and shall allow C&W and any governmental or regulatory authority and any competent data protection or privacy authority access to audit compliance by it with this Section [1] (Global Privacy Requirements);

x. Vendor shall, upon expiration or termination of this Agreement, promptly and in a secure manner return to C&W all C&W PII Data and any copies, or, at C&W’s written direction, destroy such C&W PII Data and copies (and certify in writing to C&W that such destruction has occurred);

xi. Vendor shall promptly notify C&W of any request to exercise data protection or privacy rights (including to notice, access, rectification, erasure, restriction of processing, opt-out of or into sale, opt-out of or into financial incentives, portability, objection, or avoid profiling) made to it directly by individuals whose personal information may have been delivered or made available to it pursuant to this Agreement (“Data Subjects”), and shall provide to C&W copies of any such personal information that it is processing, and any other co-operation, information or assistance that C&W may request in connection with any such request (whether received by Vendor or by C&W), within such reasonable time limits as may be specified by C&W; and 

xii. Vendor shall promptly notify C&W if it determines that it can no longer meet its obligations under applicable Data Protection Legislation (as defined below).

b. “Data Protection Legislation” means all laws in relation to: (a) data protection; (b) privacy; (c) interception and monitoring of communications; (d) restrictions on, or requirements in respect of, the processing of personal information of any kind; and (e) actions required to be taken in respect of unauthorized or accidental access to or use or disclosure of personal information, and includes, without limitation (w) Regulation (EU) 2016/679 of the European Parliament, the Council of the European Union and the European Commission (when effective) (the “General Data Protection Regulation” or “GDPR”); (x) all laws implementing GDPR (in whole or in part); (y) any law of the European Union replacing GDPR (in whole or in part); (z) the UK GDPR (as defined in Section 3(10) of the UK Data Protection Act 2018) (“UK GDPR”); and (aa) the California Consumer Privacy Act of 2018 (“CCPA”), including as amended by the California Privacy Rights Act of 2020, and its Regulations.

c. Security Breach.

i. Notice. Vendor shall notify C&W in accordance with this Section upon its confirmation of: (1) an unauthorized or accidental disclosure, possession, use, or processing of C&W PII Data by any person, or any attempt by any person to gain possession of C&W PII Data without authorization, (2) any attempt to use or acquire knowledge of any C&W PII Data without authorization, or (3) the loss of any media or device on which C&W PII Data is or has been stored or recorded (each, a “Security Breach”). Vendor shall notify the appropriate C&W personnel by telephone and e-mail within twenty-four (24) hours of, and by a confirmatory written notice as soon as practicable (but in any event within two (2) calendar days) following, Vendor becoming aware of a Security Breach.

ii. Vendor Requirements. If a Security Breach was due to Vendor’s acts or omissions, Vendor shall:

1. investigate and promptly remediate the effects of the Security Breach;

2. provide C&W with reasonable assurances that safeguards consistent with Vendor’s obligations under the Agreement have been implemented or, where such assurances cannot be provided, a detailed explanation of why such safeguards were not implemented and Vendor’s proposals for rectifying those deficiencies; 

3. promptly furnish to C&W full details that Vendor has or may obtain regarding such Security Breach and use best efforts to assist C&W in investigating such Security Breach and preventing its reoccurrence;

4. cooperate with C&W in any litigation and investigation against third parties deemed reasonably necessary by C&W; and

5. promptly take all reasonable actions necessary to prevent its reoccurrence.

iii. Notification and Costs

1. Without limiting the foregoing, C&W shall make the final decision on notifying (including the contents of such notice) C&W's customers, employees, Vendor’s, regulators and/or the general public of any Security Breach, and the implementation of the remediation plan. 

2. If a notification to C&W’s customers is required under any law or pursuant to any of C&W’s policies and procedures, then notifications to all customers who are affected by the same event (as reasonably determined by C&W) shall be considered legally required.

3. Vendor shall reimburse C&W for all Notification Related Costs incurred by C&W or any C&W Party arising out of or in connection with any Security Breach arising out of Vendor’s acts or omissions and resulting in a requirement for legally required notifications (as determined in accordance with the previous subsection). “Notification Related Costs” shall include C&W’s and any C&W Parties’ internal and external costs associated with addressing and responding to the Security Breach, including:

a. preparation and mailing or other transmission of legally required notifications;
b. preparation and mailing or other transmission of such other communications to customers, agents or others as C&W deems reasonably appropriate;
c. establishment of a call center or other communications procedures in response to such Security Breach (e.g., customer service FAQs, talking points and training);
d. public relations and other crisis management services;
e. legal, auditing and accounting fees and expenses associated with C&W’s investigation of and response to such event;
f. costs for commercially reasonable credit reporting services that are associated with legally required notifications or are advisable under the circumstances; and
g. court costs, reasonable fees and expenses of attorneys, accountants and other experts and all other reasonable fees and expenses of litigation or other proceedings.

4. If a Security Breach was not due to Vendor’s acts or omissions, the Parties shall reasonably cooperate regarding which of the foregoing or other activities may be appropriate under the circumstances, including any applicable charges for the same.

EXHIBIT A

INFORMATION AND PHYSICAL SECURITY TERMS AND CONDITIONS

The Information and Physical Security Terms and Conditions are specified at https://www.cushmanwakefield.com/en/vendor-infosec-exhibit and are incorporated into these Global Privacy Requirements by reference.

 

EXHIBIT B

APPENDIX TO THE STANDARD CONTRACTUAL CLAUSES (PROCESSOR TO PROCESSOR)

 

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name:
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses:
Signature and date:
Role (controller/processor): Controller

 

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name:
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses:
Signature and date:
Role (controller/processor): Processor

 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:
Categories of personal data transferred:
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Nature of the processing:
Purpose(s) of the data transfer and further processing:
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

 

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13: Ireland

 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

As set out in Exhibit A.
 

 

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a subprocessor, to the data exporter

 
 

 

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

Name:
Address:
Contact person’s name, position and contact details:
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

 

EXHIBIT C

APPENDIX TO THE STANDARD CONTRACTUAL CLAUSES (PROCESSOR TO PROCESSOR)

 

ANNEX I

A. LIST OF PARTIES

Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Name:
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses:
Signature and date:
Role (controller/processor): Processor

 

Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]

Name:
Address:
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses:
Signature and date:
Role (controller/processor): Processor

 

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:
Categories of personal data transferred:
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
Nature of the processing:
Purpose(s) of the data transfer and further processing:
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

 

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13:

 

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

As set out in Exhibit A.

 

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a subprocessor, to the data exporter

 

 

ANNEX III

LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:

Name:
Address:
Contact person’s name, position and contact details:
Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

 

EXHIBIT D

INTERNATIONAL TRANSFER ADDENDUM FOR TRANSFERS OUTSIDE THE UK

 

1. Parties

Start date: [TO INSERT]

Exporter (who sends the Restricted Transfer)

Parties’ details
Full legal name:
Trading name (if different):
Main address (if a company registered address):
Official registration number (if any) (company number or similar identifier):

Key Contact
Full Name (optional):
Job Title:
Contact details including email:

Importer (who receives the Restricted Transfer)

Parties’ details
Full legal name:
Trading name (if different):
Main address (if a company registered address):
Official registration number (if any) (company number or similar identifier):

Key Contact
Full Name (optional):
Job Title:
Contact details including email:

 

2.  Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

☐ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Date:
Reference (if any):
Other identifier (if any):
Or
☒ the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:
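
Module 2
Module in operation: 2
Clause 7 (Docking Clause): Include
Clause 11 (Option): N/A
Clause 9a (Prior Authorisation or General Authorisation): Option 1
Clause 9a (Time period): Sixty (60) days
Is personal data received from the Importer combined with personal data collected by the Exporter? [INSERT]

Module 3
Module in operation: 3
Clause 7 (Docking Clause): Include
Clause 11 (Option): N/A
Clause 9a (Prior Authorisation or General Authorisation): Option 1
Clause 9a (Time period): Sixty (60) days
Is personal data received from the Importer combined with personal data collected by the Exporter? [INSERT]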

 

3. Appendix Information

“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:


Annex 1A: List of Parties: As set out in Exhibits B and C 


Annex 1B: Description of Transfer: As set out in Exhibits B and C 


Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: As set out in Exhibits B and C 


Annex III: List of Sub processors (Modules 2 and 3 only): As set out in Exhibits B and C


4. Ending this Addendum when the Approved Addendum Changes

Which Parties may end this Addendum as set out in Section 19:
☐ Importer
☒ Exporter
☐ neither Party

 

5. Mandatory Clauses

Mandatory Clauses of the International Transfer Addendum for Transfers Outside the UK, being the template Addendum B.1.0 issued by the ICO and laid before the United Kingdom Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

 