Data Processing Guidelines
This Global Data Processing Addendum (this “Addendum”) sets forth the Parties’ obligations with respect to the processing of Covered Personal Information as defined in an Engagement Letter or Client Service Agreement. Employer and Prime Pensions are referred to individually as a “Party” and collectively as the “Parties.”
Definitions
1.1 “Covered Personal Information” means any personal information or personal data provided by Employer to Prime Pensions, collected by Prime Pensions on behalf of Employer, processed by Prime Pensions on behalf of Employer, or otherwise made available to Prime Pensions pursuant to an Engagement Letter or Client Service Agreement.
1.2 “Portable Format” means to the extent technically feasible a structured, commonly used, machine readable, readily usable format that allows the consumer to transmit the Covered Personal Information to another entity or controller without hindrance, as further specified in the Privacy Laws.
1.3 “Privacy Laws” means applicable statutes, regulations or other laws pertaining to privacy or data protection, processing of Personal Information, and/or information security, including, but not limited to, the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq. (“CCPA”), as amended including by the California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52 (“VCDPA”); the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq. (“CPA”), the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq. (“UCPA”), the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. PA 22-15 § 1 et seq. (“PDPOM”); and any other applicable federal or state laws or regulations regarding information privacy that are similar in scope and are in effect or will come into effect during the term of an Engagement Letter or Client Service Agreement.
1.4 “Services” means the services provided by Prime Pensions to Employer as defined in an Engagement Letter or Client Service Agreement.
1.5 The terms “business,” “business purposes,” “consumer,” “controller,” “data subject,” “de-identified data,” “personal data,” “personal information,” “process” or “processing,” “processor,” “sell,” “sensitive data,” “sensitive personal information,” “service provider,” “share,” “subcontractor,” and “supervisory authority” shall have the meanings given to those terms in the Privacy Laws to the extent such meanings are materially similar to the meaning of terms in effect on the Effective Date. In the event of a conflict in the meanings of terms among the Privacy Laws, the Parties agree that only the meanings in applicable Privacy Laws will apply.
1.6 Capitalized terms not otherwise defined shall have the meaning given to them in an Engagement Letter or Client Service Agreement.
Terms of Data Processing
2.1 Data Processing Roles – The Parties acknowledge and agree that Employer is the “business” or “controller” and Prime Pensions is a “processor” or “service provider” with respect to Covered Personal Information.
2.2 Data Processing Instructions – Prime Pensions shall process the Covered Personal Information for the duration of an Engagement Letter or Client Service Agreement (unless otherwise agreed in writing) only (a) as necessary to effect Prime Pensions’ obligations under an Engagement Letter or Client Service Agreement; and/or (b) on documented and customary instructions from Employer, unless otherwise required by applicable law. Prime Pensions shall promptly notify Employer if Prime Pensions believes such instructions violate the applicable Privacy Laws.
2.3 Nature of the Data Processing – Prime Pensions shall process the Covered Personal Information as is necessary to enable Prime Pensions to comply with its obligations and exercise its rights under an Engagement Letter or Client Service Agreement.
2.4 Purpose of the Data Processing – Prime Pensions agrees to process Covered Personal Information for limited and specified purposes described in an Engagement Letter, Client Service Agreement, this Addendum, or as otherwise directed by authorized personnel of Employer in writing (email acceptable). The specific business purposes for Prime Pensions’ processing of Covered Personal Information include performing the Services.
2.5 Types of Personal Data Processed – The Covered Personal Information that Prime Pensions will process will consist of, at minimum: Name, date of birth, annual compensation, date of hire and/or termination, annual hours worked, employee and employer plan contributions, loan repayments, company division, gender, and sensitive data, in the form of union status and Social Security number.
2.6 Categories of Data Subjects – Prime Pensions will process Covered Personal Information about employees of Employer.
2.7 Compliance with Obligations – Prime Pensions represents and warrants that Prime Pensions, its employees, agents, subcontractors, and sub-processors (a) understand and shall comply with the Privacy Laws and this Addendum while providing the Services, (b) will provide the level of privacy protection required by the Privacy Laws, and (c) shall provide Employer with all reasonably-requested assistance to enable Employer to fulfill its own obligations under the Privacy Laws. Upon the reasonable request of Employer and in accordance with the requirements of the applicable Privacy Laws, Prime Pensions shall make available to Employer information in Prime Pensions’ possession necessary to demonstrate Prime Pensions’ compliance with this subsection and with applicable Privacy Laws in a manner consistent with Prime Pensions’ obligations under the applicable Privacy Laws.
2.8 Audit Rights – Employer shall have the right to take reasonable and appropriate steps to monitor Prime Pensions’ compliance with this Addendum. Prime Pensions shall cooperate fully with any audit initiated by Employer, provided that such audit will not unreasonably interfere with the normal conduct of Prime Pensions’ business. Upon the reasonable request of Employer, Prime Pensions shall make available to Employer all information in Prime Pensions’ possession necessary to demonstrate Prime Pensions’ compliance with Prime Pensions’ obligations under this Addendum and the Privacy Laws with respect to Covered Personal Information.
2.9 Compliance Remediation; Termination Rights – Prime Pensions agrees to notify Employer promptly if Prime Pensions determines that it can no longer meet its obligations under applicable Privacy Laws. Upon receiving notice from Prime Pensions in accordance with this subsection, Employer may direct Prime Pensions to take steps as reasonable and appropriate to remediate unauthorized use of Covered Personal Information or terminate an Engagement Letter or Client Service Agreement upon thirty (30) days’ notice.
2.10 Changes to Privacy Laws – To the extent this Addendum requires a Party to comply with the Privacy Laws, compliance will be in accordance with the Privacy Laws as in force and applicable at the time of performance and, if the relevant obligation is not then a requirement under the Privacy Laws, it shall not apply until it is so required. The Parties agree to cooperate in good faith to enter into additional terms to address any modifications, amendments, or updates to the applicable Privacy Laws.
2.11 Obligations at Termination – When an Engagement Letter or Client Service Agreement expires, Prime Pensions will discontinue processing and delete or destroy Covered Personal Information without undue delay unless (a) otherwise instructed by Employer, (b) Prime Pensions is under a legal or regulatory obligation to maintain the Covered Personal Information, or (c) Prime Pensions retains such Covered Personal Information in accordance with Prime Pensions’ internal compliance and record retention policies.
2.12 Impact Assessments – If applicable, Prime Pensions shall, upon the reasonable request of Employer, provide Employer with such assistance and information as is reasonably necessary to enable Employer to carry out privacy impact assessments, data protection impact assessments, and required consultations with supervisory authorities under applicable Privacy Laws.
Limitations on Processing of Covered Personal Information
3.1 Data Restrictions – Prime Pensions will not: (a) sell or share Covered Personal Information, (b) retain, use, or disclose Covered Personal Information for any purpose other than the limited purposes specified in an Engagement Letter or Client Service Agreement and this Addendum; or (c) unless permitted by applicable Privacy Laws (i) retain, use, or disclose Covered Personal Information outside the direct business relationship with Employer; or (ii) retain, use, or disclose Covered Personal Information for any commercial purpose not specified in an Engagement Letter or Client Service Agreement or this Addendum. Prime Pensions may process Covered Personal Information to create de-identified data provided that (a) Prime Pensions takes reasonable measures to ensure that such de-identified data cannot be associated with a consumer or household; (b) publicly commits to maintain and use the data only in de-identified form and not attempt to re-identify the data; and (c) contractually obligates any recipients of the information to comply with this sentence in the same manner as Prime Pensions. Notwithstanding the foregoing, Prime Pensions may retain all Covered Personal Information in accordance with Prime Pensions’ internal compliance and record retention policies for such period of time as proscribed under such policies, whether or not disclosed to the Employer.
3.2 Subcontractors; Sub-processors – Prime Pensions shall engage subcontractors or sub-processors that process Covered Personal Information only with Employer’s general written authorization. Prime Pensions shall notify Employer of any intended changes concerning the addition or replacement of subcontractors or sub-processors. Further, Prime Pensions shall ensure that Prime Pensions’ subcontractors or sub-processors who collect, process, store, or transmit Covered Personal Information on Prime Pensions’ behalf agree in writing to the same restrictions and requirements that apply to Prime Pensions in this Addendum and an Engagement Letter or Client Service Agreement with respect to Covered Personal Information, as well as to comply with applicable Privacy Laws.
3.3 Right to Object – Employer may object in writing to Prime Pensions’ appointment of a new subcontractor or sub-processor on reasonable grounds relating to data protection by notifying Prime Pensions in writing within 30 calendar days of receipt of notice in accordance with Section 3.2. In the event Employer objects, Prime Pensions will use reasonable efforts to make available to Employer a change in the Services or recommend a commercially reasonable change to Employer’s configuration or use of the Services to avoid processing of Covered Personal Information by the objected-to new subcontractor or sub-processor without unreasonably burdening Employer. If Prime Pensions is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Employer may terminate the applicable ordering or purchasing documents with respect only to those Services which cannot be provided by Prime Pensions without the use of the objected-to new subcontractor or sub-processor by providing written notice to Prime Pensions. Prime Pensions will refund Employer any prepaid fees covering the remainder of the term of such ordering or purchasing documents following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Employer.
Consumer and Data Subject Requests
4.1 Cooperation – Prime Pensions will implement and maintain reasonable processes and procedures to satisfy Employer’s requests with respect to Covered Personal Information held by Prime Pensions.
4.2 Fulfillment of Consumer Requests – Upon receipt of a written request from Employer (email is sufficient), Prime Pensions shall, as applicable:
(a) Securely erase or destroy, or cause to be erased or destroyed, specific pieces of Covered Personal Information, including any copies of such Covered Personal Information maintained by Prime Pensions’ subcontractor(s) or sub-processor(s); provided, however, Prime Pensions may retain all Covered Personal Information in accordance with Prime Pensions’ internal compliance and record retention policies for such period of time as proscribed under such policies, whether or not disclosed to the Employer.
(b) Provide information reasonably requested by Employer about Prime Pensions’ collection of the Covered Personal Information, including, without limitation, the categories of Covered Personal Information that were collected and categories of subcontractors or sub-processors to whom Prime Pensions has disclosed the Covered Personal Information.
(c) Provide the specific pieces of Covered Personal Information that Prime Pensions and/or one of its subcontractors or sub-processors has collected or otherwise obtained about the consumer on behalf of Employer in a Portable Format.
(d) Modify, and direct its subcontractors or sub-processors to modify, specific pieces of Covered Personal Information.
(e) Limit processing of Covered Personal Information in accordance with the instructions of Employer.
Notwithstanding the foregoing, all obligations set forth in this Section 4.2 are in all circumstances subject to any limitations that are necessary for Prime Pensions’ compliance with applicable law.
4.3 Referral of Direct Requests – Prime Pensions agrees promptly to refer to Employer applicable consumer requests submitted directly to Prime Pensions for Covered Personal Information.
Security Controls
5.1 Duty of Confidentiality – Except as required by applicable law, subpoena, court order, or any regulatory authority, Prime Pensions, its employees, agents, subcontractors, and sub-processors are subject to a duty of confidentiality with respect to the Covered Personal Information.
5.2 Security Measures – Prime Pensions shall implement and maintain reasonable technical and organizational security measures, procedures, and practices appropriate to the nature of the Covered Personal Information to protect such Covered Personal Information from unauthorized access, destruction, use, modification, or disclosure (“Security Measures”). Such Security Measures shall meet or exceed applicable industry standards and any obligations set forth in an Engagement Letter or Client Service Agreement or applicable law.
5.3 Access Controls – Prime Pensions shall implement appropriate access controls restricting access to Covered Personal Information to only such employees, agents, subcontractors, and sub-processors as need to know the information in order to perform their obligations in furtherance of an Engagement Letter or Client Service Agreement.
5.4 Security Incident – Prime Pensions will inform Employer without undue delay upon Prime Pensions having become aware of any unauthorized access, destruction, use, modification, or disclosure (each, a “Security Incident”) of any Covered Personal Information (to include, without limitation, any personal data breach as defined by applicable law). Prime Pensions will provide Employer with any information and cooperation reasonably requested by Employer regarding such Security Incident. Prime Pensions shall not provide notice of such Security Incident to any person or entity other than Employer without the prior written consent of Employer, unless required by applicable law.
5.5 Encryption – Prime Pensions will use best efforts to ensure that Covered Personal Information in Prime Pensions’ control is sufficiently protected against unauthorized access and use, including by appropriate encryption, tokenization, or other substantially similar safeguards.
5.6 Security Program – Prime Pensions shall implement a comprehensive written security program that includes industry-standard administrative, technical, and physical safeguards designed to ensure the confidentiality, security, and integrity of Covered Personal Information (“Security Program”). Upon Employer’s reasonable request, Prime Pensions will provide Employer with documentation that demonstrates its compliance with this Section.
Inquiries
6.1 Notification of Regulatory Inquiry – In the event that Prime Pensions receives any regulatory inquiry or correspondence regarding Covered Personal Information in which Vendor or Employer is named (an “Inquiry”), Prime Pensions shall, to the extent not prohibited by applicable law, subpoena, court order, or any regulatory authority:
(a) Promptly notify Employer of such Inquiry;
(b) Provide Employer with all copies of documents and correspondence relating to the Inquiry without undue delay after receipt or delivery of such documents or correspondence;
(c) Not disclose any confidential information of Employer or any affiliated party to the applicable authority without Employer’s prior written consent.
6.2 Response to Inquiry – Prime Pensions shall take all other measures necessary to respond to or otherwise address the Inquiry adequately and in a timely manner.
Miscellaneous
7.1 Severability – If any provision of this Addendum shall be found to be void by a court of law, such provision shall be deemed to be severable from the other provisions of this Addendum, and the remainder of this Addendum shall be given effect, as if the Parties had not included the severed provision.
7.2 Survival – All representations, warranties, and indemnities shall survive the termination and/or expiration of this Addendum and shall remain in full force and effect. All of a Party’s rights and privileges — to the extent they are fairly attributable to events or conditions occurring or existing on or prior to the termination and/or expiration of this Addendum — shall survive termination and shall be enforceable by that Party.
7.3 General – Except as expressly set forth herein, the terms of an Engagement Letter or Client Service Agreement shall remain unmodified and in full force and effect. In the event of a conflict between the terms of an Engagement Letter or Client Service Agreement and the terms of this Addendum, the terms of this Addendum shall control. Headers are for convenience and do not affect the interpretation of the terms of this Addendum.