Marketplace Data Processing Addendum

Other than the terms defined in the body of this DPA or in the Agreement, these terms have the following meaning:

"Data Breach" means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Recruiter under this DPA.

"Data Protection Legislation" means, as applicable to a party and its Processing of Personal Data, the EU Data Protection Laws and any other law applicable for the provision of the Services.

"EU Data Protection Laws" mean Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "GDPR") and the EU e-Privacy Directive (Directive 2002/58/EC). The terms "Controller", "Processor", "Process", "Processing", and "Data Subject" shall have the same meanings given to them under the GDPR.

"Personal Data" means any information that (i) is protected as "personal data", "personal information" or "personally identifiable information" under Data Protection Legislation; and (ii) is Processed by the Recruiter on behalf of Finlay in the course of providing the Services, as more particularly described in Annex A of this DPA.

"Restricted Transfer" means a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission.

"Sub-processor" means any third party engaged by the Recruiter to assist in fulfilling its obligations with respect to providing the Services and that Processes Personal Data as a Processor.

“Services” mean the services provided pursuant to and as described in the Marketplace Terms.

"Standard Contractual Clauses" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (the "EU SCCs").The terms "Controller", "Processor", "Process", "Processing" and "Data Subject" shall have the same meanings given to them under the EU Data Protection Laws.

2.1 Roles.
‍For the purposes of this DPA, Finlay (or a third party on whose behalf Finlay is authorized to instruct the Recruiter) is the Controller of the Personal Data, and the Recruiter shall Process Personal Data as a Processor (or Sub-processor, as applicable to Finlay's use of the Services).
‍
2.2 Permitted Purposes.
‍The Recruiter shall Process Personal Data for the purposes described in Annex A and in accordance with Finlay's documented lawful instructions ("Permitted Purposes"), except where otherwise required by the Data Protection Legislation. To the extent required by Data Protection Legislation, this Section 2.2 constitutes the certification from the Recruiter to the Processing instructions herein. The Recruiter is obliged at all times to Process Personal Data in compliance with Data Protection Legislation and fulfil all its obligations arising out of Data Protection Legislation.

2.3 Processing Instructions.
‍The Recruiter shall immediately inform Finlay if it becomes aware that Finlay's Processing instructions infringe Data Protection Legislation. If the Recruiter is unable to Process Personal Data in accordance with Finlay's documented lawful instructions, the Recruiter is obliged to promptly notify Finlay of its inability to comply.

2.4 Security Measures.
‍The Recruiter shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect Personal Data from Data Breaches and preserve their security, integrity, and confidentiality. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, these measures must include the measures identified in Annex B of this DPA.

2.5 Access and Confidentiality.
‍The Recruiter shall ensure that any person it authorizes to Process the Personal Data (including Recruiter's staff, agents and Sub-processors) ("Personnel") are under appropriate obligations of confidentiality (whether a contractual or statutory duty), have received proper training, and are informed about the confidential nature of the Personal Data, their obligations related to it, and have access to Personal Data only on a need-to-know basis. The Recruiter shall ensure that Personnel Process the Personal Data only as necessary for the Permitted Purposes.

2.6 Data Returns and Deletion.
‍Upon request, termination, or expiration of the Agreement, the Recruiter must (at Finlay’s election) delete or return to Finlay all Personal Data (including copies) in its possession or control in accordance with the Agreement.

8.1 International Data Transfers.
‍The Recruiter shall take all such measures necessary to ensure that the Processing and transfer of Personal Data in or to a territory other than the territory in which the Personal Data was first collected complies with Data Protection Legislation.
‍
8.2 Data Transfer.
The Parties agree that Personal Data may be transferred from the European Economic Area ("EEA") or the UK, as applicable, to a third country, only if one of the following conditions applies: (a) there is an applicable decision of the European Commission that states that the third country ensures an adequate level of protection; (b) the transfer is done in accordance with Clause 6.2 for transfers from the EEA and with Clause 6.3 for transfers from the UK; or (c) the derogations for specific situation under Art. 49 of the GDPR or UK GDPR, as applicable apply.
‍
8.3 Application of Standard Contractual Clauses.
The Parties agree that when and to the extent the transfer of Personal Data from Finlay to the Recruiter is a restricted transfer and EU Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be governed by the EU SCCs, which shall be incorporated by reference into and form an integral part of this DPA.

8.4 EU Data.
‍For the purposes of Personal Data that is subject to the EU Data Protection Laws ("EU Data"):

a) where Finlay is a Controller of Personal Data, Module Two (Controller to Processor Clauses) will apply and where Finlay is a Processor acting on behalf of third-party Controllers, Module 3 (Processor to Processor Clauses) will apply;

b) in Clause 7 (Docking Clause), the optional docking clause will apply;

c) in Clause 9 (Use of Sub-processors), Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 8.2 of this DPA and the period for notification of objections in Section 8.3 of this DPA;

d) in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;

e) in Clause 17 (Governing Law), Option 1 will apply, and the EU SCCs will be governed by Czech law;

f) in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Prague, Czech Republic;

g) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex A to this Agreement; Annex II of the New EU SCCs shall be deemed completed with the information set out in Annex B to this DPA.
‍

Data Processing Addendum

Annex A
Description of the Processing Activities / Transfer

Annex B
Technical and Organisational Measures

Annex C
Approved Sub-processors

Data Processing Addendum

Annex ADescription of the Processing Activities / Transfer

Annex BTechnical and Organisational Measures

Annex CApproved Sub-processors

Annex A
Description of the Processing Activities / Transfer

Annex B
Technical and Organisational Measures

Annex C
Approved Sub-processors