PPG LINQ Data Processing Agreement

PPG Data Processing Agreement

This PPG Data Processing Agreement and its Schedules ("DPA") reflect the parties' agreement with respect to processing of personal information by PPG on your behalf in connection with your subscription to PPG LINQ services under PPG LINQ™ Software License Agreement between you and PPG (also referred to in this DPA as "Agreement").

This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order Form or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.

The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.

1. Definitions

“Agreement Personal Data” means Personal Data (or "Personal Information") which is to be Processed under the Agreement.

“Data Privacy Laws” mean all applicable laws relating to data privacy or data security, the processing of personal data, including without limitation (i) the General Data Protection Regulation (EU) 2016/679 (GDPR), (ii) the UK GDPR and Data Protection Act 2018, (iii) state and federal US privacy laws; (iv) China Personal Information Protection Law (PIPL); (v) the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA); (vi) the General Data Protection Law (LGPD); and any legislation and regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them. References to “Data Processor”, “Data Subjects”, “Personal Data”, "Personal Information", “Process”, “Processed”, “Processing”, “Processor” and “Supervisory Authority”, “Sell” or “Sale” have the meanings set out in and will be interpreted in accordance with such applicable laws.

“Data Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Agreement Personal Data transmitted, stored or otherwise Processed

“International Transfer” means a transfer of Agreement Personal Data from one country or territory to another country or territory to which such transfer is prohibited or subject to any requirement to take additional steps to adequately protect personal data.

“Services” means services, including software licensing, provided to you by PPG under the Agreement. The Services include, but are not limited to, provision of PPG LINQ™ Software.

“Sub-Processor” means any third party appointed by PPG to Process Agreement Personal Data

2. Authorization and purpose limitation

You authorize PPG to process Agreement Personal Data during the term of the Agreement as a Processor for the purpose of providing the Services.

3. Compliance with laws

Each party will comply with the Data Privacy Laws in respect of Agreement Personal Data. You warrant to PPG that you have all necessary rights to authorize PPG to Process Personal Data in accordance with these terms and applicable Data Privacy Laws and the instructions to PPG relating to Processing of Personal Data will not put PPG in breach of applicable Data Privacy Laws, including without limitation with regard to International Transfers.

4. Instructions

The parties agree that the Agreement (including this DPA), together with your use of the Services in accordance with the Agreement, constitute your complete Instructions to us in relation to the Processing of Personal Data. If PPG reasonably considers that any instructions from you or a member of your corporate group relating to Processing of Agreement Personal Data may put PPG in breach of Data Privacy Laws, PPG will be entitled not to carry out that Processing and will not be in breach of the Agreement or otherwise liable to you or any member of your corporate group as a result of PPG failure to carry out that Processing.

5. Sale

The parties agree that the disclosure of Agreement Personal Data by you to PPG does not form part of any monetary or other valuable consideration exchanged between the parties.

6. Confidentiality 

PPG will ensure that any individual authorized to Process Agreement Personal Data accesses such Agreement Personal Data strictly on a need-to-know basis as necessary to perform their role in the performance of the Agreement and subject to binding confidentiality obligations in respect of Agreement Personal Data or is under an appropriate statutory obligation of confidentiality.

7. Retention

PPG will, at your discretion, delete or return to you all Agreement Personal Data after the end of the provision of Services, and delete any remaining copies. PPG will be entitled to retain any Agreement Personal Data which it has to keep complying with any applicable law or which it is required to retain for insurance, accounting, taxation or record keeping purposes.

8. Appropriate security

PPG will implement appropriate technical and organizational measures to protect Agreement Personal Data.

9. Data incidents

PPG will notify you promptly after becoming aware of a Data Security Incident.

10. Assistance

PPG will provide you reasonable assistance in complying with your obligations under the Data Privacy Laws relating to the security of Processing Agreement Personal Data; responding to requests for exercising Data Subjects’ rights under the Data Privacy Laws, including without limitation by appropriate technical and organizational measures, insofar as this is possible; documenting any Data Security Incidents and reporting any Data Security Incidents to any Supervisory Authority and/or Data Subjects; and conducting privacy impact assessments of any Processing operations and consulting with Supervisory Authorities, Data Subjects and their representatives accordingly. PPG reserves the right to charge a reasonable cost of such assistance.

11. Appointment of Sub-processors

Subject to additional terms in Schedule 2, you authorize PPG to engage any person/PPG as a sub-processor for the processing of personal data. In such case, PPG will put a written contract in place between PPG and the sub-processor that specifies the sub-processor’s processing activities and imposes on the sub-processor substantially similar terms to those imposed on PPG by this DPA. PPG will remain liable to you for performance of the sub-processor’s obligations.

12. International Transfers

Subject to additional terms in Schedule 2, you agree that PPG may process Personal Data on a global basis as necessary to provide Services in accordance with the Agreement. Whenever Personal Data is transferred outside of the country of origin, each party will ensure that transfers are made in compliance with the requirements of Data Privacy Laws.  

13. Audit Rights

PPG will allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, provided that (i) you give PPG at least 14 days’ prior written notice of each such audit, (ii) each audit is carried out at your cost, during business hours, so as to cause the minimum disruption to the PPG’s business and (iii) you or your mandated auditor will not have access to any data other than the Agreement Personal Data. You agree to keep any materials disclosed during such audits and the results of and/or outputs from such audits confidential and you acknowledge that they will be deemed Confidential Information.

14. Limitation of Liability

PPG’s liability arising out of or related to this DPA (including any other DPA between the parties) where applicable, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the Agreement. In no event shall PPG’s liability be limited to in respect to any individual’s rights under this DPA.

SCHEDULE 1 "SUBJECT MATTER OF PROCESSING"

Subject Matter of ProcessingThe subject matter of the processing under the Agreement is Agreement Personal Data.
Nature of ProcessingPPG and its Sub-Processors are providing Services or fulfilling contractual obligations to you as set out in the Agreement. These Services may include the processing of Agreement Personal Data by PPG and/or its Sub-Processors.
Purpose of ProcessingThe Agreement Personal Data will be processed only for the purposes of performance of the Services under the Agreement.
Duration of ProcessingDuration of the Processing equals the duration of the Agreement.
Types of Personal DataThe categories of personal data shall include name, address, phone number, email address, physical address, as well as the vehicle information (plate number, VIN) of your end customers.
Categories of Data SubjectsThe categories of Data Subjects whose personal data are Processed are as set out in the Agreement (Licensee’s end customers).
Frequency of the transferFrequency of the transfer depends on your use of the Services.


SCHEDULE 2 "ADDITIONAL PRIVACY PROVISIONS"

EEA: To the extent Agreement Personal Data originates in the EEA, the following additional provisions shall apply:

1. International Transfers

If PPG transfers Agreement Personal Data outside of EEA, PPG will take appropriate safeguards before any such transfer is made including ensuring that the country or territory to which the International Transfer is to be made is subject to a valid adequacy decision issued by the European Commission or adequacy is determined by another valid method under applicable Data Privacy Laws.

2. 2021 Standard Contractual Clauses

The parties agree that the 2021 Standard Contractual Clauses will apply to Agreement Personal Data that is transferred via the Services from the European Economic Area, either directly or via onward transfer, to any country or recipient outside the European Economic Area that is not recognized by the European Commission as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses Module 2 Controller to Processor will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:

Clause 7will not apply
Clause 9Option 2 will apply
Clause 11optional language will not apply
Clause 17French law
Clause 18(b)courts of France
Annex I Part ALicensee (data exporter) and PPG (data importer)
Annex I Part Bas described in this license
Annex I, Part Cla CNIL

3. Authorized Sub-Processors:

Sub-Processor Entity (Name)Brief Description of Processing and Services
to be provided
Location of Processing
Microsoft Azure
Microsoft Building 92
NE 36th St
Redmond, WA 98052
Cloud HostingUS, HONG KONG (China customers)
US (North/South America)
US, GERMANY (Rest of world)
Openarc
109 VIP Drive, Suite 200 Wexford, PA 15090
Development ConsultingUS
Navisite
400 Minuteman Rd
Andover, MA 01810
Operational SupportUS
INDIA

4. Conflict

To the extent there is any conflict between the Standard Contractual Clauses, and any other terms in this DPA, the provisions of the Standard Contractual Clauses will prevail.

UNITED KINGDOM: To the extent Agreement Personal Data originates in the UK, the following additional provisions shall apply:

5. UK Standard Contractual Clauses

The parties agree that template Addendum B.1.0 issued by the United Kingdom Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it may be revised under Section 18 thereof (the “UK Addendum”) will apply to personal data that is transferred from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK Addendum, the UK Addendum will be deemed entered into and appended to the EU Standard Contractual Clauses (and incorporated into this DPA by this reference) and completed as indicated in Clause 6 of this Schedule 2.

6. Part I of the UK Addendum completion

As permitted by clause 17 of the UK Addendum, the Parties agree to change the format of the information set out in Part 1 of the UK Addendum so that:

  • the details of the parties in table 1 and table 2 shall be as set out in the Agreement (with no requirement for signature); 
  • for the purposes of table 2, the UK Addendum shall be appended to the EU Standard Contractual Clauses (including the selection of modules and options and the disapplication of optional clauses as noted above in clause 2 of this Schedule 2);
  • the appendix information listed in table 3 is set out in Schedule 1 of this DPA; and
  • neither the data exporter or data importer party can terminate the UK Addendum as per table 4 of the UK Addendum. 

CHINA: To the extent Agreement Personal Data originates in the People’s Republic of China (“China” or “PRC”), the following additional provisions apply:

7. Definitions

For the purposes of this DPA, any references to “Personal Data”, “Control/Controller”, “Processor” and “Data Subject” shall have the same meaning as “Personal Information”, “Process/Personal Information Processor”, “Entrusted Party”, and “Personal Information Subject” as defined in the PIPL and other PRC laws as applicable.

8. Authorization to use Entrusted Parties

The Parties agree that PPG may engage Entrusted Parties for the purposes of Processing Agreement Personal Data. Parties agree that PPG will not need any prior specific written consent of another party to engage any other Entrusted Parties or transfer or disclose any Agreement Personal Data to any Entrusted Party or other party (including PPG affiliates).

9. International Transfers

a. If PPG transfers Agreement Personal Data outside of China, you shall inform the owner of the Agreement Personal Data of the contact information of the overseas recipient, the purpose and method of the processing, and the type of personal information involved, as well as the way for the owner of the Agreement Personal Data to exercise his/her rights provided for by the Law against the overseas recipient, and you confirm that you shall obtain specific consent from such owners of the Agreement of Personal Data.

b. The parties agree that the Standard Contract for Outbound Cross-Border Transfer of Personal Information (“China Standard Contract”) will apply to Agreement Personal Data that is transferred via the Services from China, either directly or via onward transfer, to any country or recipient outside China, with you as “Personal Information Processor” and PPG as “Overseas Recipient” under the China Standard Contract, in the event that no exemption under Chinese law applies that exempts the parties from being required to enter into such cross-border transfer contract.