This Partner Data Sharing and Processing Addendum (the "DSPA") forms part of Notion Solutions Partner Program Agreement (“Partner Agreement”) between Notion Labs, Inc., ("Notion") and Partner.
1.1 The parties acknowledge that they will exchange and share certain Personal Data, as defined below, under the Partner Agreement. The sharing of such Personal Data is necessary for the performance of each party’s obligations under the Partner Agreement and to achieve the purposes of the partnership. The parties acknowledge and agree that, when sharing and receiving Personal Data from the other party they will process such Personal Data in compliance with the terms of this DSPA.
1.2 This DSPA is annexed to, and forms part of, the Partner Agreement, and is subject to the terms of the Partner Agreement. Capitalised terms used but not defined in this DSPA shall have the meanings given to them in the Partner Agreement. In the event of any conflict between this DSPA and the Partner Agreement, this DSPA shall take precedence.
2.1 Definitions: **In this DSPA, the following terms shall have the following meanings
“Applicable Data Protection Law” means any and all privacy, data security, and data protection laws applicable to the Processing of Personal Data pursuant to this DSPA, including (where applicable) any Jurisdiction-Specific Requirements, EU Data Protection Law, Swiss Data Protection Law and UK Data Protection Law.
“Controller” means (a) the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; and any entity that is defined to be a “business” or substantially analogous concept under Applicable Data Protection Laws.
“EU Data Protection Law” means: (i) EU Regulation 2016/679 (the "EU GDPR"); (ii) EU Directive 2002/58/EC; and (iii) the national laws of each EEA member state made under, pursuant to, or that implement (i) or (ii), or which otherwise relate to the Processing of Personal Data; in each case, as amended or superseded from time to time.
“DSPA Effective Date” means the date on which this DSPA has been executed by both parties.
“Jurisdiction-Specific Requirements” means country or region-specific privacy and data protection requirements, if and to the extent applicable to the Processing of Personal Data pursuant to this DSPA.
“Personal Data” means (a) any information relating to a data subject; and (b) includes any “personal data”, “personal information”, “personally identifiable information”, “protected health information”, or substantially analogous concept under Applicable Data Protection Laws that relates to a data subject.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The terms "Process" and "Processes" shall be construed accordingly.
“Processor” means: (a) an entity that Processes Personal Data on behalf of, and in accordance with the instructions of, a Controller; and (b) any entity that is defined to be a “processor”, “service provider”, or substantially analogous concept under Applicable Data Protection Laws
"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018, in case whether such transfer is direct or via onward transfer.; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not subject to an adequacy determination by the Swiss Federal Data Protection and Information Commissioner or Federal Council (as applicable).
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Shared Data” means the Personal Data that each party discloses or otherwise makes available to the other party on a controller-to-controller basis pursuant to this DSPA.
“Standard Contractual Clauses” means: (i) where the EU GDPR or the Swiss DPA applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the DPA 2018 (“UK Addendum”).