HOK's Third-Party Data Privacy Addendum
Version: 2.0 | Date: 2 January 2020
The following apply to all contracts (each a “Third-Party Contract”) between any HOK Group, Inc. (including all subsidiaries and affiliates each referred to individually or collectively as “HOK”) and any third-party supplier of products or services including all vendors and subconsultants (each a “Third-Party Contractor”):
The following defined terms shall have the following meanings:
“Applicable Data Protection Laws” shall mean the data protection regulations with jurisdiction over a Third-Party Contract including, without limitation, the CCPA and GDPR as defined below.
“CCPA” shall mean the California Consumer Privacy Act of 2018.
“EU” shall mean the European Union.
“GDPR” shall mean the EU General Data Protection Regulation 2016/679, read in conjunction with and subject to: (a) the UK Data Privacy Act of 1998; (b) from 25th May 2018, the UK Data Privacy Act of 2018; or (c) from the date of implementation, any applicable UK national legislation that supersedes or replaces the EU General Data Protection Regulation 2016/679 in the UK or which applies the operation of this regulation as if it were part of UK national law.
“UK” shall mean the United Kingdom of Britain, Wales, Scotland and Northern Ireland.
“Personal Information” shall have the meanings set out in the Applicable Data Protection Laws or, in the absence of a statutory definition, Personal Information shall mean any information relating to a person or their household that enables that person to be identified either directly or indirectly.
“data subject”, “consumer”, “controller”, “processor”, “processing”, and “sell” shall have the meanings set out in the Applicable Data Protection Laws or, in the absence of a statutory definition, as they are commonly defined.
From the date written above, this Third-Party Data Privacy Addendum applies only to the Personal Information of residents of the EU, UK, Switzerland and the State of California.
HOK and Third-Party Contractor:
- Shall comply with the Applicable Data Protection Laws and this Third-Party Data Privacy Addendum and shall not perform its obligations under the Third-Party Contract in such a way as to cause the other to breach any of its applicable obligations under Applicable Data Protection Laws and this Third-Party Data Privacy Addendum;
- Agree that, under the GDPR, the factual arrangements between them may dictate the classification of Third-Party Contractor as a “data processor”;
- Agree that, under the CCPA, the Third-Party Contractor shall act as a Service Provider in its provision of services to HOK for the business purposes set forth in the Third-Party Contract, including where the Third-Party Contractor collects Personal Information on the behalf of HOK;
- Acknowledge that HOK retains all rights, title and interest in the data (Personal Information or otherwise) including any amendments or alterations to such data made by Third-Party Contractor or on Third-Party Contractor’s behalf; and
- If any of these obligations are unclear, Third-Party Contractor shall notify HOK and seek clarification, in writing, by email to firstname.lastname@example.org or by mail to HOK Group, Inc., 10 South Broadway, Suite 200, St. Louis, MO 63102; Attention: Corporate Compliance.
4.0 PROCESSOR/HANDLER OF PERSONAL INFORMATION
Where Third-Party Contractor processes or otherwise handles Personal Information on behalf of HOK, Third-Party Contractor shall:
- Process and handle the Personal Information only in accordance with the Third-Party Contract and the documented instructions of HOK and not make any use of the Personal Information for its own purposes, regardless of whether the Personal Information is converted to an anonymized and/or aggregated form;
- Implement appropriate technical and organizational measures to protect the Personal Information against unauthorized or unlawful processing and handling and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm and risk which might result from any unauthorized or unlawful processing or handling, accidental loss, destruction or damage to the Personal Information and having regard to the nature of the Personal Information which is to be protected and shall include inter alia as appropriate:
  - The pseudonymization and encryption of the Personal Information;
  - The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing the Personal Information;
  - The ability to restore the availability and access to the Personal Information in a timely manner in the event of a physical or technical incident; and
  - A process for regular testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of any processing;
- Only permit the Personal Information to be processed or handled by persons who are bound by enforceable confidentiality obligations and take steps to ensure such persons only act on Third-Party Contractor’s instructions in relation to the processing or handling;
- Not transfer Personal Information outside of the European Economic Area without the prior written consent of HOK and, where HOK consents to such transfer, warrant that the transfer shall be made in such a way as to ensure that the level of protection offered to natural persons by the Applicable Data Protection Laws is not undermined;
- Obtain prior written consent from HOK to transfer the Personal Information to any agents, subcontractors, affiliates or any other third parties and, where HOK consents, Third-Party Contractor shall:
  - Ensure that any such agents, subcontractors, affiliates or other third parties are subject to, and contractually bound by, at least the same obligations as Third-Party Contractor is to HOK under this Third-Party Data Privacy Addendum;
  - Provide to HOK copies of any documentation to demonstrate compliance with the obligations in this Third-Party Data Privacy Addendum; and
  - Remain fully liable to HOK for all acts and omissions of any agents, subcontractors, affiliates or third parties;
- Promptly alert and inform HOK of a breach of Personal Information (including, but not limited to, any unauthorized or unlawful processing, handling, access to, loss of, damage to or destruction of Personal Information) suffered by Third-Party Contractor or by any agents, subcontractors, affiliates or third parties to which Personal Information has been transferred and provide all necessary cooperation and assistance to enable HOK to comply with its obligations under Applicable Data Protection Laws and to reduce the impact of the incident on its business operations and reputation. Third-Party Contractor shall not inform any third party of the Personal Information breach without first obtaining HOK’s prior written consent, except when law or regulation requires it;
- Permit HOK (subject to reasonable and appropriate confidentiality undertakings) to inspect and audit Third-Party Contractor’s data processing activities to enable HOK to verify and/or procure that Third-Party Contractor is complying with its obligations under this Third-Party Data Privacy Addendum;
- On HOK’s request, assist HOK to respond to requests from data subjects and consumers who are exercising their rights under Applicable Data Protection Laws (having obtained HOK’s consent to do so) and forward to HOK all communications it receives from third-parties relating to the processing or handling of any Personal Information which suggests non-compliance by HOK or Third-Party Contractor with Applicable Data Protection Laws and not do anything or enter into any communication with such third-party unless expressly authorized to do so by HOK or required by applicable law;
- On HOK’s request, assist HOK to comply with HOK’s obligations pursuant to Articles 32-36 of the GDPR (or such corresponding provisions of the Applicable Data Protection Laws), comprising (if applicable): (a) notifying a supervisory authority that Third-Party Contractor has suffered a data breach; (b) communicating a data breach to an affected individual; (c) carrying out an impact assessment; and (d) where required under an impact assessment, engaging in prior consultation with a supervisory authority;
- Unless applicable law requires otherwise, upon termination of the agreement at the option of HOK comply or procure compliance with the following: (i) delete all Personal Information provided by HOK to Third-Party Contractor permanently, safely and securely and provide HOK with a certificate of destruction; and/or (ii) return to HOK all Personal Information and any other information provided by HOK to Third-Party Contractor; and (iii) cease to process the Personal Information;
- Not sell to any third-party the Personal Information of any person (including without limitation, Sell the Personal Information of any Consumer as these terms are defined under the CCPA);
- If Third-Party Contractor receives a request to know or a request to delete from a Consumer regarding the Personal Information and does not comply with such request, Third-Party Contractor shall explain the basis for the denial, inform the Consumer that the request should be submitted directly to HOK and provide the Consumer with the contact information for HOK;
- Upon HOK’s written request, and subject to and in accordance with all applicable laws, Third-Party Contractor, as a Service Provider, agrees to promptly delete any and all Personal Information of a Consumer;
- Indemnify and keep indemnified HOK against all losses, costs, expenses, damages, liabilities, demands, claims, actions or proceedings which HOK may incur or suffer, including fines or penalties awarded against it by the relevant data protection regulator, because of any breach of any of the obligations set out in this Third-Party Data Privacy Addendum; and
- If Third-Party Contractor is unable to comply with any of the foregoing obligations, promptly notify HOK in writing by email to email@example.com or by mail to HOK Group, Inc., 10 South Broadway, Suite 200, St. Louis, MO 63102; Attention: Corporate Compliance.
5.0 PROCESSING PARTICULARS
Third-Party Contractor acknowledges that the factual description of the subject-matter, duration of the processing or handling, the nature and purpose of the processing or handling, the type of Personal Information and the categories of data subjects and consumers (the “Processing Particulars”) are as set out in the Third-Party Contract. Third-Party Contractor will notify HOK if the Processing Particulars are not set out in the Third-Party Contract to a reasonably satisfactory level of detail (taking into consideration any applicable regulatory guidance available from time to time).
6.0 CHANGES TO THIS POLICY
As we strive to improve our practices, we may review HOK’s Third-Party Data Privacy Addendum from time to time. We reserve the right to change this policy at any time and to notify you of those changes by posting an updated version of this policy on our website. It is your responsibility to check our policy each time before you access our website for any changes.
For questions about this Third-Party Data Privacy Addendum, please contact us by email to firstname.lastname@example.org or by mail to HOK Group, Inc., 10 South Broadway, Suite 200, St. Louis, MO 63102; Attention: Corporate Compliance Officer.