PPG LINQ Data Processing Agreement
This PPG Data Processing Agreement and its Schedules ("DPA") reflect the parties' agreement with respect to processing of personal information by PPG on your behalf in connection with your subscription to PPG LINQ services under PPG LINQ™ Software License Agreement between you and PPG (also referred to in this DPA as "Agreement").
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an Order Form or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
1. Definitions
“Agreement Personal Data” means Personal Data (or "Personal Information") which is to be Processed under the Agreement.
“Data Privacy Laws” mean all applicable laws relating to data privacy or data security, the processing of personal data, including without limitation (i) the General Data Protection Regulation (EU) 2016/679 (GDPR), (ii) the UK GDPR and Data Protection Act 2018, (iii) state and federal US privacy laws; (iv) China Personal Information Protection Law (PIPL); (v) the Personal Information Protection and Electronic Documents Act 2000 (PIPEDA); (vi) the General Data Protection Law (LGPD); and any legislation and regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them. References to “Data Processor”, “Data Subjects”, “Personal Data”, "Personal Information", “Process”, “Processed”, “Processing”, “Processor” and “Supervisory Authority”, “Sell” or “Sale” have the meanings set out in and will be interpreted in accordance with such applicable laws.
“Data Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Agreement Personal Data transmitted, stored or otherwise Processed
“International Transfer” means a transfer of Agreement Personal Data from one country or territory to another country or territory to which such transfer is prohibited or subject to any requirement to take additional steps to adequately protect personal data.
“Services” means services, including software licensing, provided to you by PPG under the Agreement. The Services include, but are not limited to, provision of PPG LINQ™ Software.
“Sub-Processor” means any third party appointed by PPG to Process Agreement Personal Data
2. Authorization and purpose limitation
You authorize PPG to process Agreement Personal Data during the term of the Agreement as a Processor for the purpose of providing the Services.
3. Compliance with laws
Each party will comply with the Data Privacy Laws in respect of Agreement Personal Data. You warrant to PPG that you have all necessary rights to authorize PPG to Process Personal Data in accordance with these terms and applicable Data Privacy Laws and the instructions to PPG relating to Processing of Personal Data will not put PPG in breach of applicable Data Privacy Laws, including without limitation with regard to International Transfers.
4. Instructions
The parties agree that the Agreement (including this DPA), together with your use of the Services in accordance with the Agreement, constitute your complete Instructions to us in relation to the Processing of Personal Data. If PPG reasonably considers that any instructions from you or a member of your corporate group relating to Processing of Agreement Personal Data may put PPG in breach of Data Privacy Laws, PPG will be entitled not to carry out that Processing and will not be in breach of the Agreement or otherwise liable to you or any member of your corporate group as a result of PPG failure to carry out that Processing.
5. Sale
The parties agree that the disclosure of Agreement Personal Data by you to PPG does not form part of any monetary or other valuable consideration exchanged between the parties.
6. Confidentiality
PPG will ensure that any individual authorized to Process Agreement Personal Data accesses such Agreement Personal Data strictly on a need-to-know basis as necessary to perform their role in the performance of the Agreement and subject to binding confidentiality obligations in respect of Agreement Personal Data or is under an appropriate statutory obligation of confidentiality.
7. Retention
PPG will, at your discretion, delete or return to you all Agreement Personal Data after the end of the provision of Services, and delete any remaining copies. PPG will be entitled to retain any Agreement Personal Data which it has to keep complying with any applicable law or which it is required to retain for insurance, accounting, taxation or record keeping purposes.
8. Appropriate security
PPG will implement appropriate technical and organizational measures to protect Agreement Personal Data.
9. Data incidents
PPG will notify you promptly after becoming aware of a Data Security Incident.
10. Assistance
PPG will provide you reasonable assistance in complying with your obligations under the Data Privacy Laws relating to the security of Processing Agreement Personal Data; responding to requests for exercising Data Subjects’ rights under the Data Privacy Laws, including without limitation by appropriate technical and organizational measures, insofar as this is possible; documenting any Data Security Incidents and reporting any Data Security Incidents to any Supervisory Authority and/or Data Subjects; and conducting privacy impact assessments of any Processing operations and consulting with Supervisory Authorities, Data Subjects and their representatives accordingly. PPG reserves the right to charge a reasonable cost of such assistance.
11. Appointment of Sub-processors
Subject to additional terms in Schedule 2, you authorize PPG to engage any person/PPG as a sub-processor for the processing of personal data. In such case, PPG will put a written contract in place between PPG and the sub-processor that specifies the sub-processor’s processing activities and imposes on the sub-processor substantially similar terms to those imposed on PPG by this DPA. PPG will remain liable to you for performance of the sub-processor’s obligations.
12. International Transfers
Subject to additional terms in Schedule 2, you agree that PPG may process Personal Data on a global basis as necessary to provide Services in accordance with the Agreement. Whenever Personal Data is transferred outside of the country of origin, each party will ensure that transfers are made in compliance with the requirements of Data Privacy Laws.
13. Audit Rights
PPG will allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, provided that (i) you give PPG at least 14 days’ prior written notice of each such audit, (ii) each audit is carried out at your cost, during business hours, so as to cause the minimum disruption to the PPG’s business and (iii) you or your mandated auditor will not have access to any data other than the Agreement Personal Data. You agree to keep any materials disclosed during such audits and the results of and/or outputs from such audits confidential and you acknowledge that they will be deemed Confidential Information.
14. Limitation of Liability
PPG’s liability arising out of or related to this DPA (including any other DPA between the parties) where applicable, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the 'Limitation of Liability' section of the Agreement. In no event shall PPG’s liability be limited to in respect to any individual’s rights under this DPA.
SCHEDULE 1 "SUBJECT MATTER OF PROCESSING"
Subject Matter of Processing | The subject matter of the processing under the Agreement is Agreement Personal Data. |
Nature of Processing | PPG and its Sub-Processors are providing Services or fulfilling contractual obligations to you as set out in the Agreement. These Services may include the processing of Agreement Personal Data by PPG and/or its Sub-Processors. |
Purpose of Processing | The Agreement Personal Data will be processed only for the purposes of performance of the Services under the Agreement. |
Duration of Processing | Duration of the Processing equals the duration of the Agreement. |
Types of Personal Data | The categories of personal data shall include name, address, phone number, email address, physical address, as well as the vehicle information (plate number, VIN) of your end customers. |
Categories of Data Subjects | The categories of Data Subjects whose personal data are Processed are as set out in the Agreement (Licensee’s end customers). |
Frequency of the transfer | Frequency of the transfer depends on your use of the Services. |
SCHEDULE 2 "ADDITIONAL PRIVACY PROVISIONS"
EEA: To the extent Agreement Personal Data originates in the EEA, the following additional provisions shall apply:
1. International Transfers
If PPG transfers Agreement Personal Data outside of EEA, PPG will take appropriate safeguards before any such transfer is made including ensuring that the country or territory to which the International Transfer is to be made is subject to a valid adequacy decision issued by the European Commission or adequacy is determined by another valid method under applicable Data Privacy Laws.
2. 2021 Standard Contractual Clauses
The parties agree that the 2021 Standard Contractual Clauses will apply to Agreement Personal Data that is transferred via the Services from the European Economic Area, either directly or via onward transfer, to any country or recipient outside the European Economic Area that is not recognized by the European Commission as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses, the 2021 Standard Contractual Clauses Module 2 Controller to Processor will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
Clause 7 | will not apply |
Clause 9 | Option 2 will apply |
Clause 11 | optional language will not apply |
Clause 17 | French law |
Clause 18(b) | courts of France |
Annex I Part A | Licensee (data exporter) and PPG (data importer) |
Annex I Part B | as described in this license |
Annex I, Part C | la CNIL |