Epsilon Legal

DATA PROCESSING AGREEMENT

All Americas Data Licensing DPA

This Data Processing Agreement (the DPA) is entered into by and between your company (Supplier) and the Epsilon or Retargetly entity ("Epsilon") that is party to any written statements of work, orders, partnerships, or licenses (collectively, the Agreement) for the provision of services and Licensing of Data from Supplier to Epsilon (the Services).

Supplier and Epsilon may individually be referred to as a Party and jointly as the Parties.

The Parties acknowledge and agree that this DPA is intended to supplement or replace the Agreement in relation to data protection obligations of the Parties. The Parties agree that this DPA shall replace: (i) any existing data processing agreement the parties may have previously entered into in connection with the Services; and (ii) any conflicting data protection and security terms in the body of the Agreement, in each case as such data processing agreement and terms relate to Personal Data within the scope of this DPA. In this context and upon execution, this DPA shall be incorporated into and deemed a part of the Agreement. In the event of a conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail insofar as it concerns Personal Data protection.

In consideration of the mutual promises contained herein, and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the parties agree as follows:

Definitions.
1. Applicable Data Protection Law means any and all federal or state/provincial laws or regulations of any North American, Central American and/or South American country relating to the protection of Personal Data to the extent they apply to the Personal Data Processed by a party pursuant to the Agreement.
2. Controller means a party that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
3. Data means Personal Data that is created, developed, or collected by Supplier or its Affiliates, including but not limited to data products or data models, that is Licensed to Epsilon.
4. Data Collector means the party or third party that collected the Personal Data directly from the Data Subject.
5. Data Subject means an natural person or household that can be identified, directly or indirectly.
6. Deidentified Data means data that cannot be reasonably linked to an identified or identifiable nature person, or a device linked to such person.
7. Disclosing Controller means a Controller that discloses or makes available Personal Data to a Recipient.
8. Epsilon Data means Personal Data that (i) Epsilon, or a third party on Epsilons behalf, provides to Supplier, or (ii) Supplier collects solely for the benefit of Epsilon.
9. License (Licensing and Licensed) shall mean licenses, provides, or otherwise gives a right to use Personal Data.
10. "Permitted Purpose(s)" means the purposes described in Annex A.
11. Personal Data means any information relating to a Data Subject and includes personal data, personal information, personally identifiable information, and any substantially similar term as defined under Applicable Data Protection Law.
12. Processing means any operation or set of operations performed on Personal Data.
13. Processor means a party that Processes Personal Data on behalf of a Controller and in accordance with the Controllers instructions.
14. Recipient means a party that receiving Personal Data from a Disclosing Controller.
15. Sale, Sell or Share have the meaning set forth in Applicable Data Protection Law.
16. Sensitive Data means Sensitive Personal Information, Sensitive Data, or substantially similar categories of Personal Data as defined under Applicable Data Protection Law.
Purpose.
1. Licensing of Supplier Data. The Parties acknowledge that, pursuant to the Agreement, Supplier shall disclose Data, as described in the Agreement, to Epsilon for Processing. The Parties shall process the Data in their possession or control as independent Controllers. Supplier does not give any instructions to Epsilon on how to process the Data, and Epsilon is not a Processor of the Data. Epsilon shall process the Data it receives from Supplier in accordance with the Permitted Purposes and the means of the processing as described in Annex A. If Epsilon wishes to Process the Data for a new or different purpose other than the Permitted Purpose (an Alternative Purpose), it may do so provided it first ensures that its proposed Processing of the Data for the Alternative Purpose fulfils the requirements of Applicable Data Protection Law (such as, obtaining consent from Data Subjects, where necessary). Provided such requirements are met, the Alternative Purpose shall be deemed a Permitted Purpose.
2. Other Services. Where Supplier provides additional Services to Epsilon that include the Processing of Epsilon Data as a Processor, the recitals, Sections 1, 3, 7-12, and the attached Annex B, Processor Services, of this DPA shall apply to such Processing.
Applicable law. Each Party shall comply with its obligations under Applicable Data Protection Law and this Agreement when processing the Data. Notwithstanding Suppliers requirements in Section 5 and Annex B herein, neither Party shall be responsible for the other Party's compliance with Applicable Data Protection Law. In particular, Supplier and Epsilon shall be individually responsible for ensuring that its processing of the Data is lawful, fair and transparent, and shall make available to Data Subjects a privacy notice that fulfils the requirements of Applicable Data Protection Law.
Epsilon Requirements. Where required by Applicable Data Protection Law, Epsilon agrees that it will:
1. upon request of Supplier, Epsilon will provide an attestation confirming Epsilons Processing of the Data is consistent with Applicable Data Protection Law;
2. notify Supplier if Epsilon determines it can no longer meet its obligations under Applicable Data Protection Law related to Epsilons Processing of the Data and the parties will negotiate a suitable resolution in good faith; and
3. in the event of Epsilons unauthorized use of the Data, Supplier may require Epsilon to stop Processing the Data immediately until Supplier can reasonably confirm Epsilons compliance.
Supplier Requirements.
1. Supplier represents and warrants that it has obtained the Data in accordance with Applicable Data Protection Law and that it has taken all necessary steps to enable Epsilon to process the Data for the Permitted Purpose(s), including but not limited to the following:
  1. Supplier and the Data Collector (if not Supplier) provided a privacy notice to Data Subjects advising that their Personal Data (i) may be Sold and that the Data Subject has the right to opt-out of the Sale of their Personal Data, (ii) will be Processed for the Permitted Purposes by Epsilon and its Clients, and (ii) may be retained in perpetuity by Epsilon and its Clients, as required by and in accordance with all applicable laws.
  2. Where required by Applicable Data Protection Law, the Data Collector collected the express consent from the Data Subjects allowing their Personal Data to be (i) sold to third parties, (ii) Processed for the Permitted Purpose by Epsilon and its Clients, (iii) transferred outside of the jurisdiction in which the Data Subject resides, and (iv) retained in perpetuity by Epsilon and its Clients. If Applicable Data Protection Law requires the express consent of Data Subjects for the Processing of their Sensitive Data, Supplier represents that it collected the Sensitive Data directly from the Data Subject and has obtained the Data Subjects express or the express and written consent to the Processing of their Sensitive Data by Epsilon for the Permitted Purpose, in accordance with Applicable Data Protection Law.
2. Supplier will pass on the deletion requests that Supplier receives from Data Subjects to Epsilon, as required by Applicable Data Protection Law.
3. Supplier will ensure the Data does not contain the Personal Data of Data Subjects who opted out of the Sale or other Processing of their Personal Data prior to Suppliers disclosure of the Data to Epsilon.
4. Supplier will ensure that the Data does not include the Personal Data of any Data Subjects under the age of 18 years.
5. Supplier represents and warrants that the Data is up-to-date, adequate, pertinent and not excessive in relation to the scope and purpose for which it was obtained at the time of disclosure to Epsilon.
6. If the Data Collector is not Supplier, Supplier has obtained contractual representations and warranties from the Data Collector substantially similar with Suppliers obligations in Section 5 herein.
Cooperation and Data Subjects' Rights. In the event that either Party receives: (i) a request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including but not limited to its rights of access, correction, opt-out, deletion and data portability, as applicable); or (ii) any other correspondence, inquiry or complaint received from a Data Subject, government authority, regulator or other third party in connection with the Processing of the Data (collectively, "Correspondence"), then, where such Correspondence relates (or also relates) to Processing conducted by the other Party, it shall promptly inform the other Party and the Parties shall cooperate in good faith as necessary to respond to such Correspondence and fulfil their respective obligations under Applicable Data Protection Law.
Deidentified Data. Each Party agrees that to the extent it is a recipient of Deidentified Data from the other Party, it will not reidentify such data, unless otherwise mutually agreed by the Parties in writing and approved by each Partys privacy counsel.
International Transfers. The Parties may Process Personal Data throughout the world provided that such transfer is subject to an appropriate data export mechanism as required by the applicable data protection law of the country from which the Personal Data is transferred.
Indemnification. Each Party (the Indemnitor) shall indemnify and hold the other Party (the Indemnitee) harmless from any third party claims and resulting loss, cost, damages, and expenses incurred by the Indemnitee that arises from the Indemnitors breach of its obligations under the DPA or failure to comply with Applicable Data Protection Law.
Technical and Organizational Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing of Personal Data, each Party shall implement and maintain technical and organizational measures designed to protect Personal Data in its possession or control that was transferred to it from the other Party from (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to such Personal Data, that are appropriate to the risk and designed to be adequate under Applicable Data Protection Law. At a minimum, such measures shall include the measures identified in Annex C.
Term and Termination
1. This Agreement shall commence on the Effective Date and shall continue until terminated by either Party in accordance with the Agreement.
2. The termination or expiration of the DPA or Agreement for any reason shall not release either Party from any liabilities or obligations set forth in this DPA that (i) the Parties have expressly agreed shall survive any such termination or expiration, or (ii) by their nature would be intended to be applicable following any such termination or expiration.
3. As of the Effective Date, the Parties will assess the ongoing effectiveness of this Agreement periodically as well as each time a change in circumstances or in the rationale for this Agreement arises, including but not limited to a material change in Applicable Data Protection Law. Depending on their assessment of this Agreement's effectiveness, the Parties agree collaborate in good faith to revisit the provisions of this Agreement as necessary, and if the Parties cannot reach an agreement, then the parties may mutually agree to terminate the DPA and the Agreement without penalty.
Miscellaneous
1. This DPA supersedes all prior agreements and understandings between Epsilon and the Supplier whether oral or written, regarding the subject matter hereof, namely the Processing of Personal Data in connection with the Agreement.
2. Each party irrevocably agrees that any disputes shall be determined in accordance with the manner specified in the Agreement, except to the extent that Applicable Data Protection Law requires otherwise, in which case disputes will be governed in accordance with Applicable Data Protection Law.
3. This DPA may be executed in any number of counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument. The DPA may be delivered by facsimile, email or other means of electronic transmission, and the Parties hereby agree that any electronic or facsimile signatures hereto are legal, valid and enforceable as originals.

Annex A - Description of Processing

The subject-matter and duration of Processing by Supplier, the nature and purpose of Processing, and the type of Personal Data and categories of Data Subjects shall be as set forth in the Agreement, provided, however, that solely to the extent any of the foregoing is not fully set forth in the Agreement, the provisions of this Annex A - Description of Processing shall apply.

Disclosing Controller (Supplier) to Recipient Controller (Epsilon)

Applicable Services	Licensing of Data from Supplier to Epsilon
Role of Supplier:	Disclosing Controller
Role of Epsilon:	Recipient Controller
Data Subjects:	Consumers
Purpose / Nature of the Processing:	Sale of the Data (or a modified form of the Data) to third parties for the third parties advertising (inclusive of targeted advertising), marketing, or industry analytics purposes Analytics and insights development from the Data Creation of personalized profiles for advertisements and content Measuring of advertising performance Delivery of advertising or content Development and improvement of Epsilons products and services (data licensing and advertising/marketing services) Ensuring security, preventing fraud and debugging
Categories of Personal Data Processed:	Personal identifiers Commercial or transactional information Demographic or statistic information Attitudinal or preferences Internet or electronic network activity Location (not precise geolocation) Professional or employment information Audio, electronic, visual, thermal, olfactory or similar information Education information Government identification (sensitive data) Account log-in or other credentials for access (sensitive data) Precise geolocation (derived from device within area of 1,850 feet) (sensitive data) Ethnicity/Race (sensitive data) Religion/philosophical belief (sensitive data) Union membership (sensitive data) Health condition (sensitive data) Other health information (non-condition) (sensitive data) Sex life or sexual orientation (sensitive data) Citizenship or immigration status (sensitive data) Data collected from a minor (under 18) (sensitive data) Victim of a crime status (sensitive data)
Duration of the Processing:	The Data will be Processed for as long as is necessary for the Permitted Purposes, unless otherwise agreed in the Agreement, or as needed to comply with another legal obligation

Data Protection Officer (or other contact point) details for data protection inquiries

Supplier

Role: specified in the Agreement

Contact: specified in the Agreement

Epsilon

Role: Chief Privacy Officer for Publicis Groupe (Epsilons parent company)

Contact: DPOfficer@epsilon.com

Annex B - Processor Services

Supplier Processing epsilon Data as a Processor. The following provisions apply only where Supplier is providing Services to Epsilon that involve the Processing of Epsilon Data by Supplier as a Processor.

Epsilon Instructions; Details of Processing. Supplier will Process Epsilon Data only for the purposes of providing the Services in accordance with Epsilons written instructions, which will comply with Applicable Data Protection Law. The parties agree that the Agreement (including this DPA) sets out Epsilons full instructions to Supplier as of the date of this DPA, and Processing outside the scope of these instructions (if any) will require prior written agreement between the parties for which email with mutual acceptance will suffice. Unless specified elsewhere in this DPA, the Agreement will identify the Data Subjects whose Personal Data will be Processed, the categories of Personal Data Processed, the nature and purpose of Processing (must be a specific business purpose as defined by California Consumer Privacy Act), Sub-Processors, and the duration of Processing of such Personal Data. If the description of Processing is not sufficiently described in the Agreement, the Parties will complete the description of Processing via email.
Restrictions on Processing. Supplier will not: (i) retain, use or disclose Epsilon Data other than for the specific purpose of performing the Services; (ii) further collect, Sell, Share, or use the Epsilon Data, except as necessary to perform the business purpose, or outside of its direct business relationship with Epsilon; or (iii) combine Epsilon Data with any third party or Supplier collected Personal Data, unless permitted by Applicable Data Protection Law. Supplier certifies that it understands the restrictions in this Section and will comply with them.
Data Subject Requests. In the event Supplier receives a Data Subject request referencing Epsilon, Supplier shall not respond to such communication directly without Epsilon's prior authorization, unless required by applicable law. To the extent Epsilon does not have direct access to Epsilon Data through its use of the Services, and therefore does not have the ability to address such Data Subject request itself, Supplier shall, upon Epsilon's request, provide commercially reasonable cooperation to assist Epsilon to respond, to the extent required under Applicable Data Protection Law.
Return or Deletion of Personal Data. Upon termination or expiration of the Agreement and this DPA, Supplier shall (at Epsilon's written election) delete or return to Epsilon all Epsilon Data in its possession or control, that Supplier has not already deleted. This requirement shall not apply to the extent Supplier is required by applicable laws to retain some or all Epsilon Data, which Epsilon shall securely archive, isolate and protect from any further Processing.
Engagement of Sub-Processors. Sub-Processor means a Processor contracted by Supplier to Process Epsilon Data in relation to the Services provided by Supplier. Epsilon authorizes Suppliers to use Sub-Processors, to assist in providing the Services. Supplier will: (i) provide an up-to-date list of the Sub-Processors it has appointed upon written request from Epsilon; and (ii) notify Epsilon (for which email will suffice) of any intended changes concerning the addition or replacement of Sub-Processors; thereby, giving the Epsilon the opportunity to object to such changes within ten (10) calendar days of such notice. In such event, the parties will discuss such concerns in good faith with a view to achieving resolution. Supplier will: (i) enter into a written agreement with each Sub-Processor imposing data protection terms that require the Sub-Processor to protect Epsilon Data to the same standards provided for by this DPA, to the extent applicable to the nature of the services provided by the Sub-Processor; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor consistent with this DPA.
Confidentiality. Suppliers personnel and Sub-Processors shall be subject to confidentiality obligations related to Epsilon Data.
Cooperation. Supplier will provide reasonably requested information regarding the Services to enable Epsilon to demonstrate its compliance with Applicable Data Protection Law.
Records and Audit. Supplier shall allow and cooperate with a reasonable assessment by Epsilon (or its third party auditors). In the event that Suppliers policies do not allow third party audits, Supplier shall arrange its own independent audit to conduct an assessment of its personal data protection policies and technical and organizational measures in support of its obligations of Applicable Data Privacy Laws using an accepted control standard or framework, and shall provide a report of such assessment to Epsilon.

Personal Data Breach. Personal Data Breach means the unauthorized access, loss, theft, or disclosure of Personal Data. Supplier shall, upon becoming aware of a Personal Data Breach affecting Epsilon Data in Suppliers possession or control, shall, without undue delay and within the timeframes required by Applicable Data Protection Law, notify Epsilon and provide reasonable information relating to the Personal Data Breach to the extent known to Epsilon. Notification to be made to the following email address: privacyofficer@publicisgroupe.com. Epsilon and Supplier will, in good faith, discuss mitigation or remediation efforts, where possible.

Annex C Technical and Organizational Measures

Recipient must maintain an effective information security program (in line with industry standards such as ISO 27001, NIST, etc.) and security measures requirements while handling Personal Data and confidential information of the Disclosing Controller including but not limited to the below requirements.

Security policies and procedures: Recipient shall maintain a management approved documented Information Security Policy and an established security risk management process to continually assess and evaluate new security risk and manage them through adequate security controls or safeguards.
Confidentiality, integrity, and availability: Recipient shall maintain confidentiality, integrity, and availability of the Personal Data disclosed to it by the Disclosing Controller by identifying assets that store, process, or transmit such data and deploying adequate technical and organization measures such as, but not limited to, data encryption, physical and logical access control, strong password control, malware and content protection, security vulnerability assessment and patching, secure hardening, and network/data segregation controls.
Vulnerability management: Wherever applicable, a party must ensure that any software component (such as code or API) provided to the other party is free from any security vulnerability or issues and ensure security of data processed using such component.
Asset management: Recipient shall maintain an IT asset management program to manage allocation and ownership of assets. Such program shall require, at a minimum, that (a) employees must return Recipients assets upon termination of employment; (b) assets shall be disposed of securely when they are no longer required; and (c) retired assets shall be decommissioned in accordance with industry standards regarding secure wiping and physical destruction of software, hardware, and removable media.
Identity and access management: Any employee of Recipient having access to Personal Data shall be assigned a unique login ID that is managed by authorized persons or departments. Access to Personal Data is to be granted on a need-to-know basis and as appropriate to the sensitivity of the Personal Data.
Availability controls: Recipient shall maintain a comprehensive business continuity and disaster recovery plan to prevent any interruption of services and business impact to the Disclosing Controller.
Security risk management program relating to third parties: The Recipient will ensure a similar level of security controls wherever the Personal Data disclosed or authorized to be collected by the Disclosing Controller is exchanged with a third party.
Encryption: To the extent the parties have agreed in writing that the Disclosing Controller can share sensitive data (as defined by Applicable Data Protection Laws) with the Recipient, Recipient will ensure that any such sensitive data is encrypted at rest and in transit.

Annex D Standard Contractual Clauses Prepared and Approved by the Brazilian National Data Protection Authority (ANPD)

CLUSULAS-PADRO CONTRATUAIS

STANDARD CONTRACTUAL CLAUSES

SEO I - INFORMAES GERAIS

SECTION I - GENERAL INFORMATION

CLUSULA 1. Identificao das Partes

CLAUSE 1. Identification of the Parties

1.1. Pelo presente instrumento contratual, o Exportador e o Importador (doravante, Partes), abaixo identificados, resolvem adotar as clusulas-padro contratuais (doravante Clusulas) aprovadas pela Autoridade Nacional de Proteo de Dados (ANPD), para reger a Transferncia Internacional de Dados descrita na Clusula 2, em conformidade com as disposies da Legislao Nacional.

1.1. By this contractual instrument, the Exporter and the Importer (hereinafter, Parties), identified below, agree to adopt the standard contractual clauses (hereinafter Clauses) approved by the Brazilian Data Protection Authority (ANPD), to govern the International Data Transfer described in Clause 2, in accordance with the provisions of Brazilian Legislation.

Nome: conforme definido no prembulo do contrato celebrado com o Importador

Qualificao: conforme definida no prembulo do contrato celebrado com o Importador

Endereo principal: conforme definido no prembulo do contrato celebrado com o Importador

Endereo de e-mail: conforme definido no prembulo do contrato celebrado com o Importador

Contato para o Titular: conforme definido no prembulo do contrato celebrado com o Importador

Outras informaes: N/A

Name: as defined in the preamble of the agreement executed with the Importer

Qualification: as defined in the preamble of the agreement executed with the Importer

Main address: as defined in the preamble of the agreement executed with the Importer

Email address: as defined in the preamble of the agreement executed with the Importer

Contact for the Data Subject: as defined in the preamble of the agreement executed with the Importer

Other Information: N/A

(X) Exportador/Controlador

( ) Exportador/Operador

(X) Exporter/Controller

( ) Exporter/Processor

Nome: RETARGETLY BRASIL SISTEMAS LTDA., DIRICHLET LLC ou BETHINK SRL, conforme definido no prembulo do contrato celebrado com o Exportador

Qualificao: conforme definida no prembulo do contrato celebrado com o Exportador

Endereo principal: conforme definido no prembulo do contrato celebrado com o Exportador

Endereo de e-mail: conforme definido no prembulo do contrato celebrado com o Exportador

Contato para o Titular: DPOfficer@epsilon.com

Outras informaes: N/A

Name: RETARGETLY BRASIL SISTEMAS LTDA., DIRICHLET LLC, or BETHINK SRL, as defined in the preamble of the agreement executed with the Exporter

Qualification: as defined in the preamble of the agreement executed with the Exporter

Main address: as defined in the preamble of the agreement executed with the Exporter

Email address: as defined in the preamble of the agreement executed with the Exporter

Contact for the Data Subject: DPOfficer@epsilon.com

Other Information: N/A

(X) Importador/Controlador

( ) Importador/Operador

(X) Importer/Controller

( ) Importer/Processor

CLUSULA 2. Objeto

CLAUSE 2. Scope

2.1. Estas Clusulas se aplicam s Transferncias Internacionais de Dados do Exportador para o Importador, conforme a descrio abaixo.

2.1. These Clauses apply to the International Data Transfers from the Exporter to the Importer, as described below.

Descrio da transferncia internacional de dados: licenciamento de dados pelo Exportador ao Importador

Principais finalidades da transferncia: publicidade, marketing e anlise de mercado; desenvolvimento de anlises e insights; criao de perfis personalizados para anncios e contedo; medio de desempenho publicitrio; entrega de publicidade ou contedo; desenvolvimento e aprimoramento de produtos e servios; garantia de segurana, preveno de fraudes e depurao

Categorias de dados pessoais transferidos: identificadores pessoais; informaes comerciais ou transacionais; informaes demogrficas ou estatsticas; atitudes ou preferncias; atividade na internet ou rede eletrnica; dados de geolocalizao; informaes profissionais ou de emprego; informaes em udio, eletrnicas, visuais, trmicas, olfativas ou similares; informaes educacionais; identificao governamental; dados de acesso ou outras credenciais; etnia/raa; religio/crena filosfica; filiao a sindicato; dados de sade; vida sexual ou orientao sexual; cidadania ou status de imigrao; status de vtima de crime

Perodo de armazenamento dos dados: enquanto vigorar o relacionamento comercial entre as Partes

Outras informaes: N/A

Description of the international data transfer: licensing of data from the Exporter to the Importer

Main purposes of the international data transfer: advertising, marketing, and industry analytics purposes; analytics and insights development; creation of personalized profiles for advertisements and content; measuring of advertising performance; delivery of advertising or content; development and improvement of products and services; ensuring security, preventing fraud and debugging

Categories of personal data transferred: personal identifiers; commercial or transactional information; demographic or statistic information; attitudinal or preferences; internet or electronic network activity; geolocation data; professional or employment information; audio, electronic, visual, thermal, olfactory or similar information; education information; government identification; account log-in or other credentials for access; ethnicity/race; religion/philosophical belief; union membership; health data; sex life or sexual orientation; citizenship or immigration status; victim of a crime status

Data retention period: for as long as the commercial relationship between the Parties remains in effect

Other information: N/A

CLUSULA 3. Transferncias Posteriores

CLAUSE 3. Subsequent Transfers

3.1. O Importador poder realizar Transferncia Posterior dos Dados Pessoais objeto da Transferncia Internacional de Dados regida por estas Clusulas nas hipteses e conforme as condies descritas abaixo e desde que observadas as disposies da Clusula 18.

3.1. The Importer may carry out Subsequent Transfers of the Personal Data subject to the International Data Transfer governed by these Clauses in the cases and under the conditions described below and provided that the provisions of Clause 18 are observed.

Perodo de armazenamento dos dados: enquanto vigorar o relacionamento comercial entre as Partes

Outras informaes: N/A

Data retention period: for as long as the commercial relationship between the Parties remains in effect

Other information: N/A

CLUSULA 4. Responsabilidades das Partes

CLAUSE 4. Responsibilities of the Parties

4.1. Sem prejuzo do dever de assistncia mtua e das obrigaes gerais das Partes, caber Parte Designada abaixo, na condio de Controlador, a responsabilidade pelo cumprimento das seguintes obrigaes previstas nestas Clusulas:

4.1. Without prejudice to the duty of mutual assistance and the general obligations of the Parties, the Designated Party below, in the capacity of Controller, shall be responsible for fulfilling the following obligations provided for in these Clauses:

a) Responsvel por publicar o documento previsto na Clusula 14;

(X) Exportador (X) Importador

a) Responsible for publishing the document provided for in Clause 14;

(X) Exporter (X) Importer

b) Responsvel por atender s solicitaes de titulares de que trata a Clusula 15:

(X) Exportador (X) Importador

b) Responsible for responding to data subject requests as provided for in Clause 15:

(X) Exporter (X) Importer

c) Responsvel por realizar a comunicao de incidente de segurana prevista na Clusula 16:

(X) Exportador (X) Importador

c) Responsible for communicating security incidents as provided for in Clause 16:

(X) Exporter (X) Importer

4.2. Para os fins destas Clusulas, verificado, posteriormente, que a Parte Designada na forma do item 4.1. atua como Operador, o Controlador permanecer responsvel:

4.2. For the purposes of these Clauses, if it is later verified that the Designated Party under item 4.1 acts as a Processor, the Controller shall remain responsible:

a) pelo cumprimento das obrigaes previstas nas Clusulas 14, 15 e 16 e demais disposies estabelecidas na Legislao Nacional, especialmente em caso de omisso ou descumprimento das obrigaes pela Parte Designada;

a) for fulfilling the obligations provided for in Clauses 14, 15, and 16 and other provisions established in Brazilian Legislation, especially in case of omission or non-compliance with the obligations by the Designated Party;

b) pelo atendimento s determinaes da ANPD; e

b) for complying with ANPD's determinations; and

c) pela garantia dos direitos dos Titulares e pela reparao dos danos causados, observado o disposto na Clusula 17.

c) for guaranteeing the Data Subjects rights and for repairing damages caused, as provided for in Clause 17.

SEO II - CLUSULAS MANDATRIAS

SECTION II - MANDATORY CLAUSES

CLUSULA 5. Finalidade

CLAUSE 5. Purpose

5.1. Estas Clusulas se apresentam como mecanismo viabilizador do fluxo internacional seguro de dados pessoais, estabelecem garantias mnimas e condies vlidas para a realizao de Transferncia Internacional de Dados e visam garantir a adoo das salvaguardas adequadas para o cumprimento dos princpios, dos direitos do Titular e do regime de proteo de dados previstos na Legislao Nacional.

5.1. These Clauses serve as a mechanism to enable the secure international personal data flow, establish minimum guarantees and valid conditions for the execution of International Data Transfers, and aim to ensure the adoption of appropriate safeguards to comply with the principles, Data Subjects rights, and the data protection regime provided in Brazilian Legislation.

CLUSULA 6. Definies

CLAUSE 6. Definitions

6.1. Para os fins destas Clusulas, sero consideradas as definies do art. 5 da Lei n 13.709, de 14 de agosto de 2018, e do art. 3 do Regulamento de Transferncia Internacional de Dados Pessoais, sem prejuzo de outros atos normativos expedidos pela ANPD. As Partes concordam, ainda, em considerar os termos e seus respectivos significados, conforme exposto a seguir:

6.1. For the purposes of these Clauses, the definitions in Article 5 of Law No. 13,709, dated August 14, 2018, and Article 3 of the Regulation on International Data Transfers, without prejudice to other normative acts issued by ANPD, shall be considered. The Parties also agree to consider the terms and their respective meanings as outlined below:

a) Agentes de tratamento: o controlador e o operador;

a) Data processing agents: the controller and the processor;

b) ANPD: Autoridade Nacional de Proteo de Dados;

b) ANPD: Brazilian Data Protection Authority;

c) Clusulas: as clusulas-padro contratuais aprovadas pela ANPD, que integram as Sees I, II e III;

c) Clauses: the standard contractual clauses approved by ANPD, which are part of Sections I, II, and III;

d) Contrato Coligado: instrumento contratual firmado entre as Partes ou, pelo menos, entre uma destas e um terceiro, incluindo um Terceiro Controlador, que possua propsito comum, vinculao ou relao de dependncia com o contrato que rege a Transferncia Internacional de Dados;

d) Linked Contract: a contractual instrument signed between the Parties or at least between one of them and a third party, including a Third-Party Controller, which has a common purpose, linkage, or dependency relationship with the contract governing the International Data Transfer;

e) Controlador: Parte ou terceiro ("Terceiro Controlador") a quem compete as decises referentes ao tratamento de Dados Pessoais;

e) Controller: Party or third party ("Third-Party Controller") responsible for decisions regarding the processing of Personal Data;

f) Dado Pessoal: informao relacionada a pessoa natural identificada ou identificvel;

f) Personal Data: information related to an identified or identifiable natural person;

g) Dado Pessoal Sensvel: dado pessoal sobre origem racial ou tnica, convico religiosa, opinio poltica, filiao a sindicato ou a organizao de carter religioso, filosfico ou poltico, dado referente sade ou vida sexual, dado gentico ou biomtrico, quando vinculado a uma pessoa natural;

g) Sensitive Personal Data: personal data on racial or ethnic origin, religious belief, political opinion, membership in a union or organization of a religious, philosophical, or political nature, data concerning health or sexual life, genetic or biometric data when linked to a natural person;

h) Eliminao: excluso de dado ou de conjunto de dados armazenados em banco de dados, independentemente do procedimento empregado;

h) Deletion: removal of data or a set of data stored in a database, regardless of the procedure used;

i) Exportador: agente de tratamento, localizado no territrio nacional ou em pas estrangeiro, que transfere dados pessoais para Importador;

i) Exporter: data processing agent, located in the Brazilian territory or in a foreign country, who transfers personal data to an Importer.

j) Importador: agente de tratamento, localizado em pas estrangeiro ou que seja organismo internacional, que recebe dados pessoais transferidos por Exportador;

j) Importer: a data processing agent located in a foreign country or an international organization that receives personal data transferred by the Exporter;

k) Legislao Nacional: conjunto de dispositivos constitucionais, legais e regulamentares brasileiros a respeito da proteo de Dados Pessoais, incluindo a Lei n 13.709, de 14 de agosto de 2018, o Regulamento de Transferncia Internacional de Dados e outros atos normativos expedidos pela ANPD;

k) Brazilian Legislation: the set of Brazilian constitutional, legal, and regulatory provisions regarding the protection of Personal Data, including Law No. 13.709, of August 14, 2018, the International Data Transfer Regulation, and other normative acts issued by the ANPD;

l) Lei de Arbitragem: Lei n 9.307, de 23 de setembro de 1996;

l) Arbitration Law: Law No. 9.307, of September 23, 1996;

m) Medidas de Segurana: medidas tcnicas e administrativas adotadas para proteger os dados pessoais de acessos no autorizados e de situaes acidentais ou ilcitas de destruio, perda, alterao, comunicao ou difuso;

m) Security Measures: technical and administrative measures adopted to protect personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication, or dissemination;

n) rgo de Pesquisa: rgo ou entidade da administrao pblica direta ou indireta ou pessoa jurdica de direito privado sem fins lucrativos legalmente constituda sob as leis brasileiras, com sede e foro no Pas, que inclua em sua misso institucional ou em seu objetivo social ou estatutrio a pesquisa bsica ou aplicada de carter histrico, cientfico, tecnolgico ou estatstico;

n) Research Entity: a body or entity of direct or indirect public administration or a non-profit private legal entity legally constituted under Brazilian laws, headquartered and domiciled in the country, which includes in its institutional mission or social or statutory objective the basic or applied research of a historical, scientific, technological, or statistical nature;

o) Operador: Parte ou terceiro, incluindo um Subcontratado, que realiza o tratamento de Dados Pessoais em nome do Controlador;

o) Processor: a Party or third party, including a Subcontractor, that processes Personal Data on behalf of the Controller;

p) Parte Designada: Parte do contrato designada, nos termos da Clusula 4 ("Opo A"), para cumprir, na condio de Controlador, obrigaes especficas relativas transparncia, direitos dos Titulares e comunicao de incidentes de segurana;

p) Designated Party: the Party to the contract designated, under Clause 4 ("Option A"), to fulfill specific obligations related to transparency, data subject rights, and security incident communication as the Controller;

q) Partes: Exportador e Importador;

q) Parties: Exporter and Importer;

r) Solicitao de Acesso: solicitao de atendimento obrigatrio, por fora de lei, regulamento ou determinao de autoridade pblica, para conceder acesso aos Dados Pessoais objeto da Transferncia Internacional de Dados regida por estas Clusulas;

r) Access Request: a mandatory request, by law, regulation, or public authority determination, to grant access to Personal Data subject to the International Data Transfer governed by these Clauses;

s) Subcontratado: agente de tratamento contratado pelo Importador, sem vnculo com o Exportador, para realizar tratamento de Dados Pessoais aps uma Transferncia Internacional de Dados;

s) Subcontractor: a data processing agent contracted by the Importer, without a link to the Exporter, to process Personal Data after an International Data Transfer;

t) Terceiro Controlador: Controlador dos Dados Pessoais que fornece instrues por escrito para a realizao, em seu nome, da Transferncia Internacional de Dados entre Operadores regida por estas Clusulas, na forma da Clusula 4 ("Opo B");

t) Third-Party Controller: the Controller of Personal Data who provides written instructions for the execution, on its behalf, of the International Data Transfer between Processors governed by these Clauses, under Clause 4 ("Option B");

u) Titular: pessoa natural a quem se referem os Dados Pessoais que so objeto da Transferncia Internacional de Dados regida por estas Clusulas;

u) Data Subject: the natural person to whom the Personal Data subject to the International Data Transfer governed by these Clauses refers;

v) Transferncia: modalidade de tratamento por meio da qual um agente de tratamento transmite, compartilha ou disponibiliza acesso a Dados Pessoais a outro agente de tratamento;

v) Transfer: a processing modality whereby a data processing agent transmits, shares, or provides access to Personal Data to another data processing agent;

w) Transferncia Internacional de Dados: transferncia de Dados Pessoais para pas estrangeiro ou organismo internacional do qual o pas seja membro; e

w) International Data Transfer: the transfer of Personal Data to a foreign country or an international organization of which the country is a member; and

x) Transferncia Posterior: transferncia Internacional de Dados, originada de um Importador, e destinada a um terceiro, incluindo um Subcontratado, desde que no configure Solicitao de Acesso.

x) Subsequent Transfer: an International Data Transfer originating from an Importer and destined for a third party, including a Subcontractor, provided it does not constitute an Access Request.

CLUSULA 7. Legislao Aplicvel e Fiscalizao da ANPD

CLAUSE 7. Applicable Law and ANPD Oversight

7.1. A Transferncia Internacional de Dados objeto das presentes Clusulas submete-se Legislao Nacional e fiscalizao da ANPD, incluindo o poder de aplicar medidas preventivas e sanes administrativas a ambas as Partes, conforme o caso, bem como o de limitar, suspender ou proibir as transferncias internacionais decorrentes destas Clusulas ou de um Contrato Coligado.

7.1. The International Data Transfer subject to these Clauses is governed by Brazilian Legislation and supervised by the ANPD, including the power to apply preventive measures and administrative sanctions to both Parties, as applicable, as well as to limit, suspend, or prohibit international transfers arising from these Clauses or a Linked Contract.

CLUSULA 8. Interpretao

CLAUSE 8. Interpretation

8.1. Qualquer aplicao destas Clusulas deve ocorrer de acordo com os seguintes termos:

8.1. Any application of these Clauses must occur according to the following terms

a) estas Clusulas devem sempre ser interpretadas de forma mais favorvel ao Titular e de acordo com as disposies da Legislao Nacional;

a) these Clauses must always be interpreted most favorably to the Data Subject and in accordance with the provisions of Brazilian Legislation;

b) em caso de dvida sobre o significado de termos destas Clusulas, aplica-se o significado que mais se alinha com a Legislao Nacional;

b) in case of doubt about the meaning of terms in these Clauses, the meaning that most aligns with Brazilian Legislation applies.

c) nenhum item destas Clusulas, incluindo-se aqui um Contrato Coligado e as disposies previstas na Seo IV, poder ser interpretado com o objetivo de limitar ou excluir a responsabilidade de qualquer uma das Partes em relao a obrigaes previstas na Legislao Nacional; e

c) no item of these Clauses, including a Linked Contract and the provisions set forth in Section IV, may be interpreted with the aim of limiting or excluding the liability of any of the Parties concerning obligations under Brazilian Legislation; and

d) as disposies das Sees I e II prevalecem em caso de conflito de interpretao com Clusulas adicionais e demais disposies previstas nas Sees III e IV deste instrumento ou em Contratos Coligados.

d) the provisions of Sections I and II shall prevail in case of a conflict of interpretation with additional Clauses and other provisions set forth in Sections III and IV of this instrument or Linked Contracts.

CLUSULA 9. Possibilidade de Adeso de Terceiros

CLAUSE 9. Possibility of Third-Party Adherence

9.1. Em comum acordo entre as Partes, possvel a um agente de tratamento aderir a estas Clusulas na condio de Exportador ou de Importador, por meio do preenchimento e assinatura de documento escrito, que integrar o presente instrumento.

9.1. By mutual agreement between the Parties, it is possible for a data processing agent to adhere to these Clauses as an Exporter or Importer by filling out and signing a written document, which will become part of this instrument.

9.2. A parte aderente ter os mesmos direitos e obrigaes das Partes originrias, conforme a posio assumida de Exportador ou Importador e de acordo com a categoria de agente de tratamento correspondente.

9.2. The adhering party shall have the same rights and obligations as the original Parties, depending on the position assumed as Exporter or Importer and in accordance with the corresponding category of data processing agent.

CLUSULA 10. Obrigaes Gerais das Partes

CLAUSE 10. General Obligations of the Parties

10.1. As Partes se comprometem a adotar e, quando necessrio, demonstrar a adoo de medidas eficazes e capazes de comprovar a observncia e o cumprimento das disposies destas Clusulas e da Legislao Nacional e, inclusive, da eficcia dessas medidas e, em especial:

10.1. The Parties commit to adopting and, when necessary, demonstrating the adoption of effective measures capable of proving compliance with the provisions of these Clauses and Brazilian Legislation, including the effectiveness of these measures, and in particular:

a) utilizar os Dados Pessoais somente para as finalidades especficas descritas na Clusula 2, sem possibilidade de tratamento posterior de forma incompatvel com essas finalidades, observadas, em qualquer caso, as limitaes, garantias e salvaguardas previstas nestas Clusulas;

a) use Personal Data only for the specific purposes described in Clause 2, without the possibility of subsequent processing incompatible with these purposes, observing, in any case, the limitations, guarantees, and safeguards provided in these Clauses;

b) garantir a compatibilidade do tratamento com as finalidades informadas ao Titular, de acordo com o contexto do tratamento;

b) ensure the compatibility of the data processing with the purposes informed to the Data Subject, according to the context of the data processing;

c) limitar o tratamento ao mnimo necessrio para a realizao de suas finalidades, com abrangncia dos dados pertinentes, proporcionais e no excessivos em relao s finalidades do tratamento de Dados Pessoais;

c) limit the data processing to the minimum necessary to achieve its purposes, encompassing relevant, proportional, and non-excessive data concerning the purposes of Personal Data processing;

d) garantir aos Titulares, observado o disposto na Clusula 4.

(d.1.) informaes claras, precisas e facilmente acessveis sobre a realizao do tratamento e os respectivos agentes de tratamento, observados os segredos comercial e industrial;

(d.2.) consulta facilitada e gratuita sobre a forma e a durao do tratamento, bem como sobre a integralidade de seus Dados Pessoais; e

(d.3.) a exatido, clareza, relevncia e atualizao dos Dados Pessoais, de acordo com a necessidade e para o cumprimento da finalidade de seu tratamento;

d) ensure to Data Subjects, observing the provisions in Clause 4:

(d.1.) clear, precise, and easily accessible information about the data processing and the respective data processing agents, observing commercial and industrial secrecy;

(d.2.) facilitated and free consultation on the form and duration of the processing, as well as on the entirety of their Personal Data; and

(d.3.) the accuracy, clarity, relevance, and updating of Personal Data, according to the necessity and for the fulfillment of the purpose of their data processing;

e) adotar as medidas de segurana apropriadas e compatveis com os riscos envolvidos na Transferncia Internacional de Dados regida por estas Clusulas;

e) adopt appropriate security measures compatible with the risks involved in the International Data Transfer governed by these Clauses;

f) no realizar tratamento de Dados Pessoais para fins discriminatrios ilcitos ou abusivos;

f) not process Personal Data for illicit or abusive discriminatory purposes;

g) assegurar que qualquer pessoa que atue sob sua autoridade, inclusive subcontratados ou qualquer agente que com ele colabore, de forma gratuita ou onerosa, realize tratamento de dados apenas em conformidade com suas instrues e com o disposto nestas Clusulas; e

g) ensure that any person acting under their authority, including subcontractors or any agent collaborating with them, whether free of charge or for a fee, processes data only following their instructions and the provisions of these Clauses; and

h) manter registro das operaes de tratamento dos Dados Pessoais objeto da Transferncia Internacional de Dados regida por estas Clusulas, e apresentar a documentao pertinente ANPD, quando solicitado.

h) keep a record of the Personal Data processing operations subject to the International Data Transfer governed by these Clauses, and present the pertinent documentation to the ANPD when requested.

CLUSULA 11. Dados Pessoais Sensveis

CLAUSE 11. Sensitive Personal Data

11.1. Caso a Transferncia Internacional de Dados envolva Dados Pessoais sensveis, as Partes aplicaro salvaguardas adicionais, incluindo medidas de segurana especficas e proporcionais aos riscos da atividade de tratamento, natureza especfica dos dados e aos interesses, direitos e garantias a serem protegidos, conforme descrito na Seo III.

11.1. If the International Data Transfer involves sensitive Personal Data, the Parties shall apply additional safeguards, including specific security measures proportional to the risks of the data processing activity, the specific nature of the data, and the interests, rights, and guarantees to be protected, as described in Section III.

CLUSULA 12. Dados Pessoais de Crianas e Adolescentes

CLAUSE 12. Personal Data of Children and Adolescents

12.1. Caso a Transferncia Internacional de Dados envolva Dados Pessoais de crianas e adolescentes, as Partes aplicaro salvaguardas adicionais, incluindo medidas que assegurem que o tratamento seja realizado em seu melhor interesse, nos termos da Legislao Nacional e dos instrumentos pertinentes de direito internacional.

12.1. In the event that the International Data Transfer involves the Personal Data of children and adolescents, the Parties shall apply additional safeguards, including measures that ensure the data processing is carried out in their best interest, in accordance with Brazilian Legislation and relevant international law instruments.

CLUSULA 13. Uso Legal dos Dados

CLAUSE 13. Lawful Use of Data

13.1. O Exportador garante que os Dados Pessoais foram coletados, tratados e transferidos para o Importador de acordo com a Legislao Nacional.

13.1. The Exporter guarantees that the Personal Data has been collected, processed, and transferred to the Importer in accordance with Brazilian Legislation.

CLUSULA 14. Transparncia

CLAUSE 14. Transparency

14.1. A Parte Designada publicar, em sua pgina na Internet, documento contendo informaes facilmente acessveis redigidas em linguagem simples, clara e precisa sobre a realizao da Transferncia Internacional de Dados, incluindo, pelo menos, informaes sobre:

14.1. The Designated Party shall publish, on its website, a document containing easily accessible information written in simple, clear, and precise language about the execution of the International Data Transfer, including at least information on:

a) a forma, a durao e a finalidade especfica da transferncia internacional;

a) the form, duration, and specific purpose of the international data transfer;

b) o pas de destino dos dados transferidos;

b) the destination country of the transferred data;

c) a identificao e os contatos da Parte Designada;

c) the identification and contact details of the Designated Party;

d) o uso compartilhado de dados pelas Partes e a finalidade;

d) the shared use of data by the Parties and the purpose;

e) as responsabilidades dos agentes que realizaro o tratamento;

e) the responsibilities of the agents who will process the data;

f) os direitos do Titular e os meios para o seu exerccio, incluindo canal de fcil acesso disponibilizado para atendimento s suas solicitaes e o direito de peticionar contra o Controlador perante a ANPD; e

f) the rights of the Data Subject and the means to exercise them, including an easily accessible channel provided for addressing their requests and the right to file a complaint against the Controller before the ANPD; and

g) Transferncias Posteriores, incluindo as relativas aos destinatrios e finalidade da transferncia.

g) Subsequent Transfers, including those related to the recipients and the purpose of the transfer.

14.2. O documento referido no item 14.1. poder ser disponibilizado em pgina especfica ou integrado, de forma destacada e de fcil acesso, Poltica de Privacidade ou documento equivalente.

14.2. The document referred to in item 14.1. may be made available on a specific page or integrated, prominently and easily accessible, into the Privacy Policy or an equivalent document.

14.3. A pedido, as Partes devem disponibilizar, gratuitamente, ao Titular uma cpia destas Clusulas, observados os segredos comercial e industrial.

14.3. Upon request, the Parties must provide the Data Subject with a copy of these Clauses free of charge, observing commercial and industrial secrecy.

14.4. Todas as informaes disponibilizadas aos titulares, nos termos destas Clusulas, devero ser redigidas na lngua portuguesa.

14.4. All information provided to data subjects, under these Clauses, must be written in Portuguese.

CLUSULA 15. Direitos do Titular

CLAUSE 15. Data Subjects Rights

15.1. O Titular tem direito a obter da Parte Designada, em relao aos Dados Pessoais objeto da Transferncia Internacional de Dados regida por estas Clusulas, a qualquer momento, e mediante requisio, nos termos da Legislao Nacional:

15.1. The Data Subject has the right to obtain from the Designated Party, regarding the Personal Data subject to the International Data Transfer governed by these Clauses, at any time, and upon request, in accordance with Brazilian Legislation:

a) confirmao da existncia de tratamento;

a) confirmation of the existence of data processing;

b) acesso aos dados;

b) access to the data;

c) correo de dados incompletos, inexatos ou desatualizados;

c) correction of incomplete, inaccurate, or outdated data;

d) anonimizao, bloqueio ou eliminao de dados desnecessrios, excessivos ou tratados em desconformidade com estas Clusulas e com o disposto na Legislao Nacional;

d) anonymization, blocking, or deletion of unnecessary, excessive data, or data processed in non-compliance with these Clauses and Brazilian Legislation;

e) portabilidade dos dados a outro fornecedor de servio ou produto, mediante requisio expressa, de acordo com a regulamentao da ANPD, observados os segredos comercial e industrial;

e) data portability to another service or product provider, upon express request, in accordance with ANPD regulations, observing commercial and industrial secrecy;

f) eliminao dos Dados Pessoais tratados com o consentimento do Titular, exceto nas hipteses previstas na Clusula 20;

f) deletion of Personal Data processed with the Data Subject's consent, except in cases provided for in Clause 20;

g) informao das entidades pblicas e privadas com as quais as Partes realizaram uso compartilhado de dados;

g) information on public and private entities with which the Parties have shared data;

h) informao sobre a possibilidade de no fornecer consentimento e sobre as consequncias da negativa;

h) information on the possibility of not providing consent and the consequences of refusal;

i) revogao do consentimento mediante procedimento gratuito e facilitado, ratificados os tratamentos realizados antes do requerimento de eliminao;

i) withdrawal of consent through a free and facilitated procedure, with the processing carried out before the deletion request being ratified.

j) reviso de decises tomadas unicamente com base em tratamento automatizado de dados pessoais que afetem seus interesses, includas as decises destinadas a definir o seu perfil pessoal, profissional, de consumo e de crdito ou os aspectos de sua personalidade; e

j) review of decisions made solely based on automated data processing that affect their interests, including decisions intended to define their personal, professional, consumer, and credit profile or aspects of their personality; and

k) informaes a respeito dos critrios e dos procedimentos utilizados para a deciso automatizada, observados os segredos comercial e industrial.

k) information regarding the criteria and procedures used for automated decision-making, observing commercial and industrial secrecy.

15.2. O Titular pode opor-se a tratamento realizado com fundamento em uma das hipteses de dispensa de consentimento, em caso de descumprimento ao disposto nestas Clusulas ou na Legislao Nacional.

15.2. The Data Subject may object to data processing carried out based on one of the consent waiver hypotheses, in case of non-compliance with the provisions of these Clauses or Brazilian Legislation.

15.3. O prazo para atendimento s solicitaes previstas nesta Clusula e no item 14.3. de 15 (quinze) dias contados da data do requerimento do titular, ressalvada a hiptese de prazo distinto estabelecido em regulamentao especfica da ANPD.

15.3. The deadline for responding to requests provided for in this Clause and item 14.3. is 15 (fifteen) days from the date of the data subject's request, except in cases where a different deadline is established in specific ANPD regulations.

15.4. Caso a solicitao do Titular seja direcionada Parte no designada como responsvel pelas obrigaes previstas nesta Clusula ou no item 14.3., a Parte dever:

15.4. If the Data Subject's request is directed to the Party not designated as responsible for the obligations provided for in this Clause or in item 14.3., the Party must:

a) informar ao Titular o canal de atendimento disponibilizado pela Parte Designada; ou

a) inform the Data Subject of the service channel provided by the Designated Party; or

b) encaminhar a solicitao para a Parte Designada o quanto antes, a fim de viabilizar a resposta no prazo previsto no item 15.2.

b) forward the request to the Designated Party as soon as possible to enable a response within the deadline provided in item 15.2.

15.5. As Partes devero informar, imediatamente, aos Agentes de Tratamento com os quais tenham realizado uso compartilhado de dados a correo, a eliminao, a anonimizao ou o bloqueio dos dados, para que repitam idntico procedimento, exceto nos casos em que esta comunicao seja comprovadamente impossvel ou implique esforo desproporcional.

15.5. The Parties must immediately inform the Data Processing Agents with whom they have shared data of the correction, deletion, anonymization, or blocking of the data, so that they can repeat the same procedure, except in cases where this communication is proven to be impossible or involves disproportionate effort.

15.6. As Partes devem promover assistncia mtua com a finalidade de atender s solicitaes dos Titulares.

15.6. The Parties must promote mutual assistance to meet the Data Subjects' requests.

CLUSULA 16. Comunicao de Incidente de Segurana

CLAUSE 16. Security Incident Reporting

16.1. A Parte Designada dever comunicar ANPD e aos Titulares, no prazo de 3 (trs) dias teis, a ocorrncia de incidente de segurana que possa acarretar risco ou dano relevante para os Titulares, observado o disposto na Legislao Nacional.

16.1. The Designated Party must notify the ANPD and the Data Subjects within 3 (three) business days of the occurrence of a security incident that may pose a risk or significant harm to the data subjects, in accordance with Brazilian Legislation.

16.2. O Importador deve manter o registro de incidentes de segurana nos termos da Legislao Nacional.

16.2. The Importer must keep a record of security incidents as per Brazilian Legislation.

CLUSULA 17. Responsabilidade e Ressarcimento de Danos

CLAUSE 17. Liability and Compensation for Damages

17.1. A Parte que, em razo do exerccio da atividade de tratamento de Dados Pessoais, causar dano patrimonial, moral, individual ou coletivo, em violao s disposies destas Clusulas e da Legislao Nacional, obrigada a repar-lo.

17.1. The Party that, due to the exercise of personal data processing activities, causes property, moral, individual, or collective damage, in violation of the provisions of these Clauses and Brazilian Legislation, is obliged to repair it.

17.2. O Titular poder pleitear a reparao do dano causado por quaisquer das Partes em razo da violao destas Clusulas.

17.2. The Data Subject may seek compensation for the damage caused by any of the Parties due to the violation of these Clauses.

17.3. A defesa dos interesses e dos direitos dos Titulares poder ser pleiteada em juzo, individual ou coletivamente, na forma do disposto na legislao pertinente acerca dos instrumentos de tutela individual e coletiva.

17.3. The defense of the Data Subjects' interests and rights may be sought in court, individually or collectively, as provided in the relevant legislation regarding individual and collective protection instruments.

17.4. A Parte que atuar como Operador responde, solidariamente, pelos danos causados pelo tratamento quando descumprir as presentes Clusulas ou quando no tiver seguido as instrues lcitas do Controlador, ressalvado o disposto no item 17.6.

17.4. The Party acting as the Processor is jointly liable for damages caused by the data processing when it fails to comply with these Clauses or when it has not followed the lawful instructions of the Controller, except as provided in item 17.6.

17.5. Os Controladores que estiverem diretamente envolvidos no tratamento do qual decorreram danos ao Titular respondem, solidariamente, por estes danos, ressalvado o disposto no item 17.6.

17.5. Controllers directly involved in the data processing that resulted in damages to the data subject are jointly liable for these damages, except as provided in item 17.6.

17.6. No caber responsabilizao das Partes se comprovado que:

17.6. The Parties will not be held liable if it is proven that:

a) no realizaram o tratamento de Dados Pessoais que lhes atribudo;

a) they did not carry out the data processing attributed to them;

b) embora tenham realizado o tratamento de Dados Pessoais que lhes atribudo, no houve violao a estas Clusulas ou Legislao Nacional; ou

b) although they carried out the data processing attributed to them, there was no violation of these Clauses or Brazilian Legislation; or

c) o dano decorrente de culpa exclusiva do Titular ou de terceiro que no seja destinatrio de Transferncia Posterior ou subcontratado pelas Partes.

c) the damage is due to the exclusive fault of the Data Subject or a third party who is not a recipient of Subsequent Transfer or subcontracted by the Parties.

17.7. Nos termos da Legislao Nacional, o juiz poder inverter o nus da prova a favor do Titular quando, a seu juzo, for verossmil a alegao, houver hipossuficincia para fins de produo de prova ou quando a produo de prova pelo Titular resultar-lhe excessivamente onerosa.

17.7. Under Brazilian Legislation, the judge may reverse the burden of proof in favor of the Data Subject when, in their judgment, the allegation is plausible, there is insufficiency for the purpose of producing evidence, or when the production of evidence by the Data Subject would be excessively burdensome.

17.8. As aes de reparao por danos coletivos que tenham por objeto a responsabilizao nos termos desta Clusula podem ser exercidas coletivamente em juzo, observado o disposto na legislao pertinente.

17.8. Actions for reparation of collective damages aimed at accountability under this Clause can be collectively exercised in court, in accordance with the relevant legislation.

17.9. A Parte que reparar o dano ao Titular tem direito de regresso contra os demais responsveis, na medida de sua participao no evento danoso.

17.9. The Party that compensates the damage to the Data Subject has the right of recourse against the other responsible parties, to the extent of their participation in the harmful event.

CLUSULA 18. Salvaguardas para Transferncia Posterior

CLAUSE 18. Safeguards for Subsequent Transfer

18.1. O Importador somente poder realizar Transferncias Posteriores dos Dados Pessoais objeto da Transferncia Internacional de Dados regida por estas Clusulas se expressamente autorizado, conforme as hipteses e condies descritas na Clusula 3.

18.1. The Importer may only carry out Subsequent Transfers of Personal Data subject to the International Data Transfer governed by these Clauses if expressly authorized, according to the hypotheses and conditions described in Clause 3.

18.2. Em qualquer caso, o Importador:

18.2. In any case, the Importer must:

a) deve assegurar que a finalidade da Transferncia Posterior compatvel com as finalidades especficas descritas na Clusula 2;

a) ensure that the purpose of the Subsequent Transfer is compatible with the specific purposes described in Clause 2;

b) deve garantir, mediante instrumento contratual escrito, que as salvaguardas previstas nestas Clusulas sero observadas pelo terceiro destinatrio da Transferncia Posterior; e

b) guarantee, through a written contractual instrument, that the safeguards provided in these Clauses shall be observed by the third-party recipient of the Subsequent Transfer; and

c) para fins destas Clusulas, e em relao aos Dados Pessoais transferidos, ser considerado o responsvel por eventuais irregularidades praticadas pelo terceiro destinatrio da Transferncia Posterior.

c) for the purposes of these Clauses, and in relation to the transferred Personal Data, be considered responsible for any irregularities committed by the third-party recipient of the Subsequent Transfer.

18.3. A Transferncia Posterior poder, ainda, ser realizada com base em outro mecanismo vlido de Transferncia Internacional de Dados previsto na Legislao Nacional, independentemente da autorizao de que trata a Clusula 3.

18.3. The Subsequent Transfer may also be carried out based on another valid mechanism of International Data Transfer provided in the Brazilian Legislation, regardless of the authorization referred to in Clause 3.

CLUSULA 19. Notificao de Solicitao de Acesso

CLAUSE 19. Notification of Access Request

19.1. O Importador notificar o Exportador e o Titular sobre Solicitao de Acesso relacionada aos Dados Pessoais objeto da Transferncia Internacional de Dados regida por estas Clusulas, ressalvada a hiptese de vedao de notificao pela lei do pas de tratamento dos dados.

19.1. The Importer shall notify the Exporter and the Data Subject about an Access Request related to the Personal Data subject to the International Data Transfer governed by these Clauses, except in cases where notification is prohibited by the law of the country where the data is processed.

19.2. O Importador adotar as medidas legais cabveis, incluindo aes judiciais, para proteger os direitos dos Titulares sempre que houver fundamento jurdico adequado para questionar a legalidade da Solicitao de Acesso e, se for o caso, a vedao de realizar a notificao referida no item 19.1.

19.2. The Importer shall take appropriate legal measures, including judicial actions, to protect the rights of the Data Subjects whenever there is a suitable legal basis to question the legality of the Access Request and, if applicable, the prohibition of making the notification referred to in item 19.1.

19.3. Para atender s solicitaes da ANPD e do Exportador, o Importador deve manter registro de Solicitaes de Acesso, incluindo data, solicitante, finalidade da solicitao, tipo de dados solicitados, nmero de solicitaes recebidas e medidas legais adotadas.

19.3. To meet the requests of the ANPD and the Exporter, the Importer must keep a record of Access Requests, including the date, requester, purpose of the request, type of data requested, number of requests received, and legal measures taken.

CLUSULA 20. Trmino do Tratamento e Eliminao dos Dados

CLAUSE 20. Termination of Processing and Data Deletion

20.1. As Partes devero eliminar os Dados Pessoais objeto da Transferncia Internacional de Dados regida por estas Clusulas aps o trmino do tratamento, no mbito e nos limites tcnicos das atividades, autorizada a conservao apenas para as seguintes finalidades:

20.1. The Parties must delete the Personal Data subject to the International Data Transfer governed by these Clauses after the end of data processing, within the scope and technical limits of the activities, with retention allowed only for the following purposes:

a) cumprimento de obrigao legal ou regulatria pelo Controlador;

a) compliance with a legal or regulatory obligation by the Controller;

b) estudo por rgo de Pesquisa, garantida, sempre que possvel, a anonimizao dos Dados Pessoais;

b) study by a Research Entity, ensuring, whenever possible, the anonymization of Personal Data;

c) transferncia a terceiro, desde que respeitados os requisitos previstos nestas Clusulas e na Legislao Nacional; e

c) transfer to a third party, provided that the requirements set forth in these Clauses and the Brazilian Legislation are respected; and

d) uso exclusivo do Controlador, vedado seu acesso por terceiro, e desde que anonimizados os dados.

d) exclusive use by the Controller, with third-party access prohibited, and provided that the data is anonymized.

20.2. Para fins desta Clusula, considera-se que o trmino do tratamento ocorrer quando:

20.2. For the purposes of this Clause, the termination of processing is considered to occur when:

a) alcanada a finalidade prevista nestas Clusulas;

a) the purpose provided in these Clauses is achieved;

b) os Dados Pessoais deixarem de ser necessrios ou pertinentes ao alcance da finalidade especfica prevista nestas Clusulas;

d) the Personal Data is no longer necessary or relevant to achieve the specific purpose provided in these Clauses;

c) finalizado o perodo de tratamento;

c) the processing period has ended;

d) atendida solicitao do Titular; e

d) the request of the Data Subject has been fulfilled; and

e) determinado pela ANPD, quando houver violao ao disposto nestas Clusulas ou na Legislao Nacional.

e) determined by the ANPD, when there is a violation of the provisions in these Clauses or the Brazilian Legislation.

CLUSULA 21. Segurana no Tratamento dos Dados

CLAUSE 21. Data Processing Security

21.1. As Partes devero adotar medidas de segurana que garantam proteo aos Dados Pessoais objeto da Transferncia Internacional de Dados regida por estas Clusulas, mesmo aps o seu trmino.

21.1. The Parties must adopt security measures that ensure the protection of Personal Data subject to the International Data Transfer governed by these Clauses, even after its termination.

21.2. As Partes informaro, na Seo III, as Medidas de Segurana adotadas, considerando a natureza das informaes tratadas, as caractersticas especficas e a finalidade do tratamento, o estado atual da tecnologia e os riscos para os direitos dos Titulares, especialmente no caso de dados pessoais sensveis e de crianas e adolescentes.

21.2. The Parties shall inform, in Section III, the Security Measures adopted, considering the nature of the information processed, the specific characteristics and purpose of the processing, the current state of technology, and the risks to the Data Subjects rights, especially in the case of sensitive personal data and data of children and adolescents.

21.3. As Partes devero realizar os esforos necessrios para adotar medidas peridicas de avaliao e reviso visando manter nvel de segurana adequado s caractersticas do tratamento de dados.

21.3. The Parties must make the necessary efforts to adopt periodic evaluation and review measures to maintain an adequate level of security for the characteristics of the data processing.

CLUSULA 22. Legislao do Pas Destinatrio dos Dados

CLAUSE 22. Law of the Data Recipient Country

22.1. O Importador declara que no identificou leis ou prticas administrativas do pas destinatrio dos Dados Pessoais que o impeam de cumprir as obrigaes assumidas nestas Clusulas.

22.1. The Importer declares that it has not identified any laws or administrative practices in the recipient country of the Personal Data that prevent it from fulfilling the obligations assumed in these Clauses.

22.2. Sobrevindo alterao normativa que altere esta situao, o Importador notificar, de imediato, o Exportador para avaliao da continuidade do contrato.

22.2. In the event of a regulatory change that alters this situation, the Importer shall immediately notify the Exporter for an evaluation of the contract's continuity.

CLUSULA 23. Descumprimento das Clusulas pelo Importador

CLAUSE 23. Non-Compliance with the Clauses by the Importer

23.1. Havendo violao das salvaguardas e garantias previstas nestas Clusulas ou a impossibilidade de seu cumprimento pelo Importador, o Exportador dever ser comunicado imediatamente, ressalvado o disposto no item 19.1.

23.1. In the event of a violation of the safeguards and guarantees provided in these Clauses or the impossibility of their compliance by the Importer, the Exporter must be immediately informed, notwithstanding the provisions of item 19.1.

23.2. Recebida a comunicao de que trata o item 23.1 ou verificado o descumprimento destas Clusulas pelo Importador, o Exportador adotar as providncias pertinentes para assegurar a proteo aos direitos dos Titulares e a conformidade da Transferncia Internacional de Dados com a Legislao Nacional e as presentes Clusulas, podendo, conforme o caso:

23.2. Upon receiving the communication referred to in item 23.1 or verifying the Importer's noncompliance with these Clauses, the Exporter will take the necessary measures to ensure the protection of the Data Subjects' rights and the compliance of the International Data Transfer with the Brazilian Legislation and these Clauses, which may include, as appropriate:

a) suspender a Transferncia Internacional de Dados;

a) suspending the International Data Transfer;

b) solicitar a devoluo dos Dados Pessoais, sua transferncia a um terceiro, ou a sua eliminao; e

b) requesting the return of the Personal Data, its transfer to a third party, or its deletion; and

c) rescindir o contrato.

c) terminating the contract.

CLUSULA 24. Eleio do Foro e Jurisdio

CLAUSE 24. Choice of Court and Jurisdiction

24.1. Aplica-se a estas Clusulas a legislao brasileira e qualquer controvrsia entre as Partes decorrente destas Clusulas ser resolvida perante os tribunais competentes do Brasil, observado, se for o caso, o foro eleito pelas Partes na Seo IV.

24.1. Brazilian legislation applies to these Clauses, and any dispute between the Parties arising from these Clauses shall be resolved before the competent courts of Brazil, observing, if applicable, the forum chosen by the Parties in Section IV.

24.2. Os Titulares podem ajuizar aes judiciais contra o Exportador ou o Importador, conforme sua escolha, perante os tribunais competentes no Brasil, inclusive naqueles localizados no local de sua residncia.

24.2. Data Subjects may file lawsuits against the Exporter or the Importer, at their choice, before the competent courts in Brazil, including those located in their place of residence.

24.3. Em comum acordo, as Partes podero se valer da arbitragem para resolver os conflitos decorrentes destas Clusulas, desde que realizada no Brasil e conforme as disposies da Lei de Arbitragem.

24.3. By mutual agreement, the Parties may resort to arbitration to resolve conflicts arising from these Clauses, provided it is conducted in Brazil and in accordance with the provisions of the Arbitration Law.

SEO III - MEDIDAS DE SEGURANA

SECTION III - SECURITY MEASURES

(i) governana e superviso de processos internos:

a) As Partes devero manter uma poltica de segurana da informao documentada e aprovada, bem como um processo estabelecido de gerenciamento de riscos de segurana, a fim de avaliar continuamente novos riscos de segurana e gerenci-los por meio de controles ou salvaguardas de segurana adequados.

b) As Partes devero manter um programa de gerenciamento de ativos de TI para administrar a alocao e propriedade dos ativos. Tal programa dever exigir, no mnimo, que: os empregados devolvam os ativos ao trmino de seu vnculo empregatcio; os ativos sejam descartados de forma segura quando no forem mais necessrios; e os ativos aposentados sejam descomissionados de acordo com os padres da indstria quanto limpeza segura e destruio fsica de software, hardware e mdias removveis.

c) Qualquer funcionrio das Partes com acesso a Dados Pessoais dever receber uma identificao de login nica, gerenciada por pessoas ou departamentos autorizados. O acesso aos Dados Pessoais ser concedido com base na necessidade de conhecimento e de acordo com a sensibilidade dos Dados Pessoais.

(ii) medidas de segurana tcnicas e administrativas, incluindo medidas para garantir a segurana das operaes realizadas, tais como a coleta, a transmisso e o armazenamento dos dados:

a) As Partes devero manter a confidencialidade, integridade e disponibilidade dos Dados Pessoais, identificando os ativos que armazenam, processam ou transmitem tais dados e implementando medidas tcnicas e organizacionais adequadas, tais como, mas no se limitando a: criptografia de dados, controle de acesso fsico e lgico, controle rigoroso de senhas, proteo contra malware e contedo, avaliao de vulnerabilidades de segurana e correes, endurecimento seguro e controles de segregao de rede/dados.

b) As Partes devero manter um plano abrangente de continuidade de negcios e recuperao de desastres para prevenir qualquer interrupo dos servios e impactos nos negcios.

c) As Partes devero garantir um nvel semelhante de controles de segurana sempre que os Dados Pessoais forem compartilhados com terceiros.

(i) governance and supervision of internal processes:

a) The Parties shall maintain a management approved documented information security policy and an established security risk management process to continually assess and evaluate new security risk and manage them through adequate security controls or safeguards.

b) The Parties shall maintain an IT asset management program to manage allocation and ownership of assets. Such program shall require, at a minimum, that: employees must return assets upon termination of employment; assets shall be disposed of securely when they are no longer required; and retired assets shall be decommissioned in accordance with industry standards regarding secure wiping and physical destruction of software, hardware, and removable media.

c) Any employee of the Parties having access to Personal Data shall be assigned a unique login ID that is managed by authorized persons or departments. Access to Personal Data is to be granted on a need-to-know basis and as appropriate to the sensitivity of the Personal Data.

(ii) technical and administrative security measures, including measures to ensure the security of operations carried out, such as the collection, transmission, and storage of data:

a) The Parties shall maintain confidentiality, integrity, and availability of the Personal Data by identifying assets that store, process, or transmit such data and deploying adequate technical and organization measures such as, but not limited to, data encryption, physical and logical access control, strong password control, malware and content protection, security vulnerability assessment and patching, secure hardening, and network/data segregation controls.

b) The Parties shall maintain a comprehensive business continuity and disaster recovery plan to prevent any interruption of services and business impact.

c) The Parties shall ensure a similar level of security controls wherever the Personal Data is exchanged with a third party.