Hong Kong Model Contractual Clauses for Cross-Border Transfer of Personal Data from Data User to Data Processor

By signing the Master License and Services Agreement (“MLSA”), the Data User (Controller) agrees to the terms of these Model Contractual Clauses as a supplement to the MLSA and to be incorporated therein to the extent the Data User is subject to the privacy laws of Hong Kong and where required by Hong Kong law

Definitions

For the purposes of these clauses, including the Data Transfer Schedule (collectively, the “Clauses”):

• “PDPO” means the Personal Data (Privacy) Ordinance (Cap. 486), as may be amended from time to time;
• “Permitted Jurisdictions” means the place(s) listed in the Data Transfer Schedule or any other place where the Personal Data Transferred may from time to time be processed or held in accordance with these Clauses;
• “Personal Data Transferred” means personal data of the types or categories listed in the Data Transfer Schedule;
• “Purposes of Transfer” means the purposes for processing the Personal Data Transferred listed in the Data Transfer Schedule or the directly related purposes;
• “Retention Period” means any period of time identified as such in the Data Transfer Schedule; and
• Sub-processor” has the meaning given in Clause 3.8.

The terms “personal data” and “processing” shall have the meaning given to those terms in the PDPO (and “process” shall have a corresponding meaning).

Interpretation

The Clauses shall be read and interpreted in the light of the provisions of the PDPO. The Clauses shall not be interpreted in a way that may conflict with the relevant requirements under the PDPO.

The Transferee warrants and undertakes to the Transferor that it will:

• only process the Personal Data Transferred for the Purposes of Transfer;
• ensure that the Personal Data Transferred be adequate but not excessive in relation to the Purposes of Transfer;
• process, hold and transmit the Personal Data Transferred using the security measures set out in the Data Transfer Schedule;
• not retain the Personal Data Transferred for longer that is necessary for the processing instructed by the Transferor and, in any event, not longer than any applicable Retention Period;
• take all practicable steps to erase the Personal Data Transferred: (i) once it is no longer required to be retained in accordance with Clause 3.4; or (ii) as instructed by the Transferor;
• take all practicable steps to ensure that the Personal Data Transferred be accurate, having regard to the Purposes of Transfer;
• take all practicable steps to ensure that any inaccurate Personal Data Transferred; (i) should not be processed unless it is rectified; or (ii) should be erased;
• not transfer the Personal Data Transferred to or permit access to the Personal Data Transferred by any person unless it is: (i) permitted under the Data Transfer Schedule; or (ii) made with the Transferor’s prior written consent in each case (each, a “Sub-processor”);
• ensure that each Sub-processor should enter into a binding written contract with the Transferee which imposes the same or substantially similar data protection obligations as contained in these Clauses; and
• not: (i) process or hold the Personal Data Transferred; or (ii) permit any Sub-processor to process or hold the Personal Data Transferred, in either case, in a place outside Hong Kong other than the Permitted Jurisdictions, without the Transferor’s prior written consent.

DATA TRANSFER SCHEDULE

Data User (Controller)/Transferor: Entity identified in the Master License and Services Agreement (Command Alkon customer)

Data Processor/Transferee: Command Alkon Incorporated, including Command Alkon’s sister companies and subsidiaries as defined in the MLSA

Transferee Contact:

David R. Burkholder, Chief Privacy Officer

Command Alkon Incorporated, 6750 Crosby Court, Dublin, Ohio 43016

+1.205.263.6624 ext. 2837 / privacy@commandalkon.com

DESCRIPTION OF TRANSFER

• Categories of Personal Data Transferred: Transferor may upload, submit, or otherwise provide certain Personal Data to the products and/or services, the extent of which is typically determined and controlled by Transferor in its sole discretion and may include contact information; website, product, and service interaction information; addresses; date of birth; location of birth; e-mail addresses; names; gender; title; telephone numbers; driver’s license number; signature; employee number; geo-location information; pay rate; username; password; performance information; qualifications and restrictions; device information
• Purposes of Transfer: Personal Data is processed for the purposes of providing and supporting the products and/or services described in the MLSA and associated documents, including security, audit, and product/service improvement
• Permitted Jurisdiction(s): All Command Alkon locations and locations identified on the Command Alkon Incorporated Data Sub-Processor list, as revised from time to time, located at https://dev-marketing.commandalkon.com/sub-processor-list/, which jurisdictions are hereby agreed to in writing by Transferor; Transferor may sign up to receive notifications of changes
• Retention Period: In accordance with the MLSA and this DPA, and as necessary to provide the products and services as well as comply with the Transferee’s data retention schedule and/or applicable legal requirements

SUB-PROCESSING

• Categories of Personal Data Sub-processed: Transferee may provide certain Personal Data to identified sub-processors necessary to provide the products and/or services in accordance with the MLSA; this Personal Data may include contact information; website, product, and service interaction information; addresses; date of birth; location of birth; e-mail addresses; names; gender; title; telephone numbers; driver’s license number; signature; employee number; geo-location information; pay rate; username; password; performance information; qualifications and restrictions; device information
• Sub-processor (specifically or by class): All Sub-processors identified on the Command Alkon Incorporated Data Sub-Processor list, as revised from time to time, located at https://dev-marketing.commandalkon.com/sub-processor-list/, which list is hereby agreed to in writing by Transferor; Transferor may sign up to receive notifications of changes
• Permitted Jurisdiction(s): All Command Alkon locations and locations identified on the Command Alkon Incorporated Data Sub-Processor list, as revised from time to time, located at https://dev-marketing.commandalkon.com/sub-processor-list/, which jurisdictions are hereby agreed to in writing by Transferor; Transferor may sign up to receive notifications of changes
• Retention Period: In accordance with the MLSA and this DPA, and as necessary to provide the products and services as well as comply with the Transferee’s data retention schedule and/or applicable legal requirements

SECURITY MEASURES

• Transferee agrees to implement reasonable and appropriate technical, administrative, operational and physical measures to protect the confidentiality, integrity and availability of Personal Data
• The Transferee governs itself under the NIST 800-171 security framework, as well as the SOC 2 security framework, and has been independently certified in both. The Transferee is in the process of obtaining SOC 1 certification
• All Sub-processors or the Transferee are subject to security review
• Security certifications and additional details are available upon request