Data Processing Agreement

This Data Processing Addendum (“DPA”) is incorporated into the Master Relationship Agreement and all related orders between Customer and NICE and reflects the parties’ agreement with regard to the processing of Data (as these terms are defined below). This DPA consists of the main body of the DPA and Appendix I.

DATA PROCESSING

1. DEFINITIONS

"controller", "processor", "data subject", "personal data" and "processing" (and "process") shall have the meanings given in EU/UK Data Protection Law.

"Affiliate" means an entity which is controlling, controlled by or under common control with a party. For purposes of this definition, "control" means possessing, directly or indirectly, the power to direct or cause the direction of the management, policies or operations of an entity, whether through ownership of voting securities, by contract or otherwise.

"Applicable Data Protection Law" means all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, EU/UK Data Protection Law.

"Customer" means the party which entered into the Master Relationship Agreement, or an Affiliate thereof, and signatory to this DPA.

"Data" has the meaning given to it in Clause 1.

"DPA" means this Data Processing Addendum.

"EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.

"Master Relationship Agreement" means (i) each applicable order for the Services Customer has purchased from NICE; and (ii) the applicable master agreement referenced in the applicable order.

"NICE" means NICE Ltd. or the Affiliate thereof who has entered into the Master Relationship Agreement with the Customer.

"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to an adequacy determination based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

"Security Incident" has the meaning given to it in Clause 8.

"Self-Service Tools" means functionality which may be made available by NICE in the software licensed or made available to Customer which permits Customer to comply with controller obligations under Applicable Data Protection Law relevant to Customer’s use of the Services.

"Services" means the services provided by NICE to Customer under or in connection with the Master Relationship Agreement.

"Standard Contractual Clauses" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs").

"TOMs" means the security provisions located at Cloud Services Technical and Organizational Measures for NICE Cloud Services, and at Technical and Organizational Measures – NICE WCX On-Premise based Maintenance Services for NICE on-premise Services.

2. PROCESSING DATA

2.1 Relationship of the parties: Customer (the controller) appoints NICE as a processor to process the personal data that is the subject of the Master Relationship Agreement and as further described in Appendix I (the "Data").

2.2 Prohibited data: Customer shall not disclose (and shall not permit any data subject to disclose) any sensitive data (special categories) of Data or Data that imposes specific data security or data protection obligations on NICE in addition to or different from those specified in this DPA or the Master Relationship Agreement to NICE for processing except where and to the extent expressly disclosed in Appendix I.

2.3 Term and termination: The term of this DPA, including its Appendices, shall continue until all processing of Customer’s personal data by NICE ceases.

2.4 Purpose limitation: NICE shall process the Data as a processor as necessary to perform its obligations under the Master Relationship Agreement, including for the purposes described in Appendix I to this DPA and strictly in accordance with the documented instructions of Customer (the "Permitted Purpose"), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. In no event shall NICE process the Data for its own purposes or those of any third party. Each party is solely responsible for compliance with its respective obligations under Applicable Data Protection Law. The Customer shall comply with all necessary transparency and lawful requirements under Applicable Data Protection Law in order to disclose the Data to NICE for the Permitted Purposes. NICE shall immediately inform Customer if it becomes aware that Customer's processing instructions infringe Applicable Data Protection Law (but without obligation to actively monitor Customer's compliance with Applicable Data Protection Law). If a change in Applicable Data Protection Law prevents NICE from processing the Data as intended by the Master Relationship Agreement, Customer will immediately stop transmission of the Data to NICE and the parties will negotiate in good faith changes to the Master Relationship Agreement which may include but are not limited to additional services or solutions, if and when made available by NICE. Notwithstanding anything to the contrary, data localization laws in Applicable Data Protection Law shall not require NICE to change the storage location of any data centres agreed in, or permitted by, the Master Relationship Agreement; provided that NICE will negotiate in good faith commercially-reasonable changes to the storage location.

2.5 Restricted transfers: The parties agree that when the transfer of Data from Customer to NICE is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:

    1. in relation to data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
      1. Module Two will apply;
      2. in Clause 7, the optional docking clause will apply;
      3. in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 10 of this DPA;
      4. in Clause 11, the optional language will not apply;
      5. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
      6. in Clause 18(b), disputes shall be resolved before the courts of Ireland;
      7. Annex I of the EU SCCs shall be deemed completed with the information set out in Appendix I to this DPA; and
      8. Annex II of the EU SCCs shall be deemed completed with the TOMs.
    2. in relation to data that is protected by the UK GDPR, the UK SCCs will apply and the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018 ("UK Addendum") shall be deemed executed between Customer and NICE and completed as follows:
      1. The EU SCCs, completed as set out above in clause 2.5(a), shall apply to transfers of such Data, and the EU SCCs shall be deemed amended as specified by Part 2 of the UK Addendum in respect of the transfer of such Data.
      2. In addition, tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above at clause 2.5(a) (as applicable), the TOMs and in Appendix 1 of this DPA, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "neither party".
    3. in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

2.6 Onward transfers: NICE shall not participate in (nor permit any subprocessor to participate in) any other Restricted Transfers of Data (whether as an exporter or an importer of the Data) unless the Restricted Transfer is made in full compliance with Applicable Data Protection Law.

2.7 Confidentiality of processing: NICE shall ensure that any person that it authorises to process the Data (including NICE's staff, agents and subprocessors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. NICE shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.

2.8 Security: NICE shall implement and maintain appropriate technical and organisational measures as set out in the TOMs to protect the Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a "Security Incident").

2.9 Updates to security measures: The technical and organizational measures are subject to technological progress and advancements. As such, NICE may implement alternative, adequate measures which meet or exceed the security level of the measures described in the TOMs.

2.10 Subprocessing: Customer consents to NICE engaging NICE Affiliates and third party subprocessors to process the Data for the Permitted Purpose provided that: (i) NICE maintains an up-to-date list of its subprocessors that may process personal data. These lists are available upon request via Customer’s normal contacts for the applicable Services or may be published in the documentation portal for the applicable Service, and NICE shall update such lists with details of any change in subprocessors at least 10 days prior to any such change; (ii) NICE imposes data protection terms on any subprocessor it appoints that protect the Data, in substance, to the same standard provided for by this DPA; and (iii) NICE remains liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor.

2.11 Cooperation and data subjects' rights: Taking into account the nature of the processing and to the extent a response to a request cannot be achieved using the Service's Self-Service Tools available to the Customer, NICE will provide commercially reasonable assistance to the Customer (at Customer's expense) to: (i) fulfil a Customer's obligation to respond to data subjects' requests under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) in relation to any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. If any such request, correspondence, enquiry or complaint is made directly to NICE, NICE shall promptly inform Customer providing full details of the same.

2.12 Data Protection Impact Assessment: NICE shall provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment in accordance with Applicable Data Protection Law; such assistance may be subject to reimbursement of NICE's then-current hourly fees.

2.13 Deletion or return of Data: Upon termination or expiry of the Master Relationship Agreement, NICE shall destroy all Data (including all copies of the Data) in its possession or control, except as otherwise stated in the Master Relationship Agreement. This requirement shall not apply to the extent that NICE is required by any applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, in which event NICE shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.

2.14 Data records: Documentation materials that serve as evidence that Data was processed in a proper manner consistent with the stipulations of this DPA may be stored by NICE after termination of this DPA in accordance with the applicable retention periods.

2.15 Audit

  1. Customer may audit NICE’s compliance with its obligations under this DPA, at its own expense, by itself or by a certified auditor. Customer shall provide at least 60 days' prior written notice of its intention of doing so and NICE shall make available all information reasonably necessary to demonstrate such compliance, and shall allow for and contribute to audits, including inspections, by Customer. Such audits shall be conducted during regular business hours and Customer shall ensure that it does not disrupt the regular operations of NICE. Customer will not exercise its audit rights more than once in any twelve (12) month period (in aggregate with any information rights in the Master Relationship Agreement), except (i) if and when required by instruction of a competent data protection authority; or (ii) if Customer believes a further audit is necessary due to a Security Incident suffered by NICE. For any audit or right of access exercised under this section, the SCCs or any similar right granted by law, NICE will not be required to: (x) provide information, evidence or access of any kind that includes other customers’ information, and to preserve the rights, confidentiality, security, and data integrity of other customers; or (y) provide any access to or inspections of any of its premises, networks, systems, equipment or other infrastructure of NICE or its subprocessors.
  2. Alternatively at NICE's discretion and if available for the applicable Service, NICE may satisfy its obligations under this Clause (Audit) (and any similar obligations under the Standard Contractual Clauses) by presenting a summary copy of its SOC 2 Type II, PCI-DSS, ISO 27001, SOC 2+HITRUST, FedRAMP or IRAP audit or certification report(s) to Customer, which reports shall be subject to the confidentiality provisions of the Master Relationship Agreement.
  3. Customer shall be responsible for all costs and fees, including all reasonable costs and fees for any and all time NICE expends for any such audit.
  4. All information disclosed or developed as a result of an audit and inspection constitutes Confidential Information of NICE.

2.16 Governing law: This DPA shall be governed by the laws of the same jurisdiction as agreed in the Master Relationship Agreement.

This Appendix I forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.

A. LIST OF PARTIES

Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) / data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

    1. Name: Customer (as defined in the applicable Master Relationship Agreement)
       Address: As defined in the applicable Master Relationship Agreement or as otherwise provided by the Customer
       Contact person’s name, position and contact details: Customer’s point of contact for notices or as otherwise provided by Customer
       Activities relevant to the data transferred under this DPA: The Services
       Role (controller/processor): Controller

Processor(s) / Data importer(s): [Identity and contact details of the processor(s) / data importer(s), including any contact person with responsibility for data protection]

    1. Name: NICE (as defined in the applicable Master Relationship Agreement)
       Address: As defined in the applicable Master Relationship Agreement or as otherwise provided by NICE
       Contact person’s name, position and contact details: For general matters: NICE’s Data Protection Office at privacy@nice.com; for security matters: NICE’s Information Security Office at security@nice.com
       Activities relevant to the data transferred under this DPA: The Services
       Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

Categories of data subjects whose Personal Data may be Processed in order to perform the Services may include, among others, Customer’s customers, prospects, representatives and end users, such as Customer’s employees, job applicants, contractors, collaborators, partners, suppliers, customers and clients.

Categories of personal data transferred:

Personal categories of data may include but are not limited to: Personal contact information such as name, contact information, email address; information concerning family, lifestyle and social circumstances including age, date of birth, gender; employment details including employee schedules and performance; goods and services provided; unique IDs collected from mobile devices, network carriers or data providers; Customer IP addresses and online behavior and interest data. Customer shall use reasonable efforts to limit such personal data disclosed to NICE.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

Based on the applicable Services, Customer’s end users may disclose sensitive information that is not currently contemplated. Customer shall use reasonable efforts to limit such data disclosed to NICE, which is applicable to the Services and is necessary for Processing.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Continuous or as otherwise provided in the Master Relationship Agreement.

Nature of the processing:

As required to perform the Services, and may include but is not limited to organisation, structuring, storage, adaptation or alteration, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.

Purpose(s) of the data transfer and further processing:

For processing in Processor software solutions, support and maintenance, and development, in each case as permitted in the Master Relationship Agreement. 

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

As detailed in the Master Relationship Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

As permitted by the Master Relationship Agreement. In particular, transfers to hosting subprocessors may be required for storage and remote data processing, and shall be for a nature and duration as permitted by the Master Relationship Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the EU SCCs):

Ireland Data Protection Commission