Data Processing Agreement

 

The entity identified as Customer in the applicable Order Form, and the Roller entity identified in Section 13.3 of the Master Terms, enter into this data processing agreement (“DPA”). This DPA, including its attachments, is incorporated by reference into the Master Terms.

  1. Definitions
  1. For purposes of this DPA, the terms below have the meanings set forth below. Capitalized terms that are used but not defined in this DPA have the meanings given in the Master Terms, all applicable Order Forms and Supplemental Terms (collectively, the “Agreement”). 
  1. Applicable Data Protection Laws means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Venue Guest Data under the Agreement, including, without limitation, European Data Protection Laws and the CCPA. 

  2. CCPA means the California Consumer Privacy Act of 2018, as amended, and any regulations promulgated thereunder.

  3. Venue Guest Data means Personal Information provided or made available to Roller for Processing on Customer’s behalf to perform the Services. 

  4. EEA means the European Economic Area. 

(g) EEA SCCs or EEA Standard Contractual Clauses means MODULE TWO of the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

  1. EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as amended from time to time. 

  2. European Data Protection Laws means the GDPR and other data protection laws and regulations of the European Union, its Member States, Switzerland, Iceland, Liechtenstein, Norway, and the United Kingdom, in each case, to the extent applicable to the Processing of Venue Guest Data under the Agreement. 

  3. GDPR means the EU GDPR and the UK GDPR, as amended from time to time together with any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018). 

  4. Information Security Incident means a breach of Roller’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Venue Guest Data in Roller’s possession, custody, or control. Information Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Venue Guest Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems. 

  5. Personal Information shall have the meaning assigned to the term “personal data,” “personal information,” or “personally identifiable information” in Applicable Data Protection Law, or information of a similar character regulated thereby. 

  6. Processing means any operation or set of operations which is performed on Venue Guest Data or on sets of Venue Guest Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

  7. Relevant Body:
    1. in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office and/or UK Government (as and where applicable); and/or
    2. in the context of the EEA and EU GDPR, means the European Commission.

  8. Restricted Country
    1. in the context of the UK, means a country or territory outside the UK; and
    2. in the context of the EEA, means a country or territory outside the EEA (which shall, as and where applicable, be interpreted in line with Article FINPROV.10A(1) of the Trade and Cooperation Agreement between the EU and the UK), and
    3. that the Relevant Body has not deemed to provide an ‘adequate’ level of protection for Venue Guest Data pursuant to a decision made in accordance with Article 45(1) of the GDPR. 

  9. Security Measures has the meaning given in Section 4(a) (Roller’s Security Measures).

  10. Standard Contractual Clauses or SCCs means the EEA SCCs or UK SCCs, as appropriate.

  11. Subprocessors means third parties that Roller engages to Process Venue Guest Data in relation to the Services. 

  12. Supervisory Authority
    1. in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office; and
    2. in the context of the EEA and EU GDPR, shall have the meaning given to that term in Article 4(21) of the EU GDPR.

  13. Third Party Subprocessors has the meaning given in Section 5 (Subprocessors) of Annex 1.

  14. The terms controller, data subject and processor as used in this DPA have the meanings given in the GDPR. 

(p) UK means the United Kingdom of Great Britain and Northern Ireland.

  1. UK GDPR means the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended (including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019).

(o) UK SCCs or the UK Standard Contractual Clauses means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022, including their “part 2: mandatory clauses”), issued by the Commissioner under S119A(1) of the UK Data Protection Act 2018 (https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).

  2. Duration, Scope, and Applicability of this DPA
    1. This DPA will remain in effect so long as Roller Processes Venue Guest Data, notwithstanding the expiration or termination of the Agreement.

    2. This DPA applies only as follows:
      1. Sections 3 - 7 below apply generally to the Processing of Venue Guest Data by Roller.
      2. Annex 1 (Europe Annex) to this DPA applies solely to Processing of Venue Guest Data that is subject to European Data Protection Laws pursuant to the territorial scope of the GDPR (including pursuant to Article 3 of the GDPR).
      3. Annex 2 (California Annex) to this DPA applies solely to Processing subject to the CCPA, where Venue is a “business” or “service provider” (as defined in CCPA) with respect to such Processing.
      4. This DPA does not apply to Personal Information pertaining to Customer’s personnel or representatives who are business contacts of Roller, for which Roller acts as a controller.

  3. Nature of Processing Venue Guest Data
    1. Customer Instructions. Roller will Process Venue Guest Data only in accordance with Customer’s instructions to Roller. This DPA is a complete expression of such instructions. Customer instructs Roller to Process Venue Guest Data to provide the Services as contemplated by this Agreement. Customer’s additional instructions other than the foregoing must (a) be consistent with the characteristics and nature of the Services; and (b) be made in writing pursuant to an amendment to this DPA signed by both parties.
    2. De-Identified Venue Guest Data. Customer acknowledges and agrees that Roller: (a) will Process Venue Guest Data in aggregated, anonymized and / or de-identified form, and (b) will use such resulting data for quality assurance and for the development and enhancement of Roller’s products and services (including the Roller platform applications, websites, kiosks).

  4. Security
    1. Roller Security Measures. Roller will implement and maintain technical and organizational measures designed to protect Venue Guest Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Venue Guest Data, as described in https://www.roller.software/security/ (the “Security Measures”). Roller may update the Security Measures from time to time, so long as the updated measures do not decrease the overall protection of Venue Guest Data.
    2. Information Security Incidents. Roller will notify Customer without undue delay of any Information Security Incident of which Customer becomes aware. Such notifications will describe available details of the Information Security Incident, including information to allow Customer to meet any obligations under Applicable Data Protection Laws to report the Information Security Incident to affected data subjects; or the relevant Supervisory Authority(ies) or other relevant enforcement or investigative authorities. Roller’s notification of or response to an Information Security Incident will not be construed as Roller’s acknowledgement of any fault or liability with respect to the Information Security Incident. 
    3. Customer’s Security Responsibilities and Assessment
      1. Customer’s Security Responsibilities. Customer agrees that, without limitation of Roller’s obligations under Section 4 (Security), Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Venue Guest Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that Roller uses to provide the Services; and (d) backing up Venue Guest Data.
      2. Customer’s Security Assessment. Customer agrees that the Services, the Security Measures and Roller’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of the Venue Guest Data.

  5. Data Subject Rights
    1. Roller’s Data Subject Request Assistance. Roller will (considering the nature of the Processing of Venue Guest Data) provide Customer with assistance reasonably necessary and technically possible in the circumstances for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests by data subjects to exercise their rights under Applicable Data Protection Laws (“Data Subject Requests”) with respect to Venue Guest Data in Roller’s possession or control. Customer shall compensate Roller for any such assistance at Roller’s then-current professional services rates, which shall be made available to Customer upon request.
    2. Customer’s Responsibility for Requests. If Roller receives a Data Subject Request, Roller will advise the data subject to submit the request to Customer and Customer will be responsible for responding to the request. 

  6. Customer Responsibilities
    1. Customer Compliance. Customer shall comply with its obligations under Applicable Data Protection Laws. Customer shall ensure (and is solely responsible for ensuring) that its instructions under Section 3 comply with Applicable Data Protection Laws.
    2. Prohibited Data. Customer represents and warrants to Roller that Venue Guest Data does not and will not, without Roller’s prior written consent, contain any social security numbers or other government-issued identification numbers, protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; credit reports or consumer reports; any payment card information subject to the Payment Card Industry Data Security Standard; information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act or the regulations promulgated under either such laws.

  7. Data Deletion. Roller shall delete all the Venue Guest Data on Roller’s systems on Customer’s request and after the end of the provision of Services, and shall delete existing copies unless continued storage of the Venue Guest Data is required by (i) applicable laws of the European Union, the member states of the European Union or EEA, or United Kingdom, with respect to Venue Guest Data subject to European Data Protection Laws or (ii) Applicable Data Protection Laws, with respect to all other Venue Guest Data. Roller will comply with such instruction as soon as reasonably practicable and no later than 180 days after such expiration or termination unless Applicable Data Protection Laws require storage. Customer may choose to request a copy of such Venue Guest Data from Roller for an additional charge by requesting it in writing at least 30 days prior to expiration or termination of the Agreement. Upon the parties’ agreement to such charge pursuant to a work order or other amendment to the Agreement, Roller will provide such copy of such Customer Guest Data before it is deleted in accordance with this clause.

  8. Miscellaneous

Except as expressly modified by the DPA, the terms of the Agreement remain in full force and effect. In the event of any conflict or inconsistency between this DPA and the other terms of the Agreement, this DPA will govern. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith to the contrary, the parties acknowledge and agree that Roller’s access to and processing of Venue Guest Data does not constitute part of the consideration provided to Roller in respect of the Agreement. Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by Roller to Customer under this DPA may be given (a) in accordance with any notice clause of the Agreement; (b) to Roller’s primary points of contact with Customer; or (c) to any email provided by Customer for the purpose of providing it with Services-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.

Annex 1 to DPA

Europe Annex

  1. Processing of Data
    1. Subject Matter and Details of Processing. The parties acknowledge and agree that the details of Roller’s Processing of Venue Guest Data are specified in Schedule A below. 
    2. Roles and Regulatory Compliance; Authorization. The parties acknowledge and agree that (i) Roller is a processor of the Venue Guest Data under European Data Protection Laws; (ii) Customer is a controller (or a processor acting on the instructions of a controller) of that Venue Guest Data under European Data Protection Laws; and (iii) each party will comply with the obligations applicable to it in such role under the European Data Protection Laws with respect to the Processing of the Venue Guest Data. If Customer is a processor, Customer represents and warrants to Roller that Customer’s instructions and actions with respect to Venue Guest Data, including its appointment of Roller as another processor, have been authorized by the relevant controller.
    3. Roller’s Compliance with Instructions. Roller will Process Venue Guest Data only in accordance with Customer’s instructions pursuant to this DPA unless applicable European Data Protection Laws require otherwise, in which case Roller will notify Customer (unless that law prohibits Roller from doing so on important grounds of public interest).

  2. Data Security
    1. Roller Security Measures, Controls and Assistance
      1. Roller Security Assistance. Roller will (taking into account the nature of the Processing of Venue Guest Data and the information available to Roller) provide Customer with reasonable assistance necessary for Customer to comply with its obligations in respect of Venue Guest Data under European Data Protection Laws, including Articles 32 to 34 (inclusive) of the GDPR, by (a) implementing and maintaining the Security Measures; (b) complying with the terms of Section 4(b) (Information Security Incidents) of the DPA; and (c) complying with this Annex 1.
      2. Security Compliance by Roller Staff. Roller ensures that its personnel who are authorized to access Customer Guest Data are subject to appropriate confidentiality obligations. 
    2. Reviews and Audits of Compliance
      1. Frequency. Customer may audit Roller’s compliance with its obligations under this DPA up to once per year and on such other occasions as may be required by European Data Protection Laws, including where mandated by Customer’s Supervisory Authority. 
      2. Provision of Information. Roller will contribute to such audits specified above by providing Customer or Customer’s Supervisory Authority with the information and assistance that Roller considers appropriate in the circumstances and reasonably necessary to conduct the audit. 
      3. Third Party Auditor. If a third party is to conduct the audits specified above, Roller may object to the auditor if the auditor is, in Roller’s reasonable opinion, not independent, a competitor of Roller, or otherwise manifestly unsuitable. Such objection by Roller will require Customer to appoint another auditor or conduct the audit itself. 
      4. Arrangements for On-Site Audits. In the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Roller is not sufficient in the circumstances to demonstrate Roller’s compliance with this DPA, Roller shall allow for and contribute to audits, including on premise inspections, by Customer or a third party auditor mandated by Customer in relation to the Processing of the Venue Guest Data by Roller. To request an audit, Customer must submit a proposed audit plan to Roller at least two weeks in advance of the proposed audit date and any third party auditor must sign a customary non-disclosure agreement mutually acceptable to the parties (such acceptance not to be unreasonably withheld) providing for the confidential treatment of all information exchanged in connection with the audit and any reports regarding the results or findings thereof. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Roller will review the proposed audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Roller security, privacy, employment, or other relevant policies). Roller will work cooperatively with Customer to agree on a final audit plan. 
      5. Conducting On-Site Audits. The on-site audits specified above must be conducted during regular business hours, subject to the agreed final audit plan and Roller’s safety, security, or other relevant policies, and may not unreasonably interfere with Roller business activities. Customer shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Roller in respect of, any damage, injury or disruption to Roller’s premises, equipment, its personnel, data, and business (including any interference with the confidentiality or security of the data of Roller’s other customers or the availability of Roller’s services to such other customers) while its personnel and/or its auditor’s personnel (if applicable) are on those premises in the course of any on premise inspection.
      6. Confidentiality. Nothing in this Section 2(b) shall require Roller to breach any duties of confidentiality. 
      7. Audit Results. Customer will promptly notify Roller of any non-compliance discovered during the course of an audit and provide Roller any audit reports generated in connection with any audit under this Section 2(b), unless prohibited by European Data Protection Laws or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and/or confirming compliance with the requirements of this DPA. 
      8. Costs. Any audits are at Customer’s sole expense. Customer shall reimburse Roller for any time expended by Roller and any third parties in connection with any audits or inspections under this Section 2(b) at Roller’s then-current professional services rates, which shall be made available to Customer upon request. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit. 
      9. Auditor Reports in Lieu of Inspections. If the controls or measures to be assessed in a requested audit are addressed in an SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor within twelve (12) months of Customer’s audit request and Roller has confirmed there have been no known material changes in the controls audited since the date of such report, Customer agrees to accept such report in lieu of requesting an audit of such controls or measures.

  3. Data Protection Impact Assessments and Consultations

Taking into account the nature of the Processing and the information available to Roller, Roller will reasonably assist Customer, at Customer’s cost, in complying with its obligations under Articles 35 and 36 of the GDPR, in each case solely in relation to Processing of Venue Guest Data, by (a) making available documentation describing relevant aspects of Roller’s information security program and the security measures applied in connection therewith and (b) providing the other information contained in the Agreement, including this DPA.

  4. Data Transfers
    1. Data Processing Facilities. Subject to Section 4(b) (Transfers out of the EEA) and 4(c) (Transfers out of the UK), Roller may store and Process Venue Guest Data in the United States or anywhere Roller or its Subprocessors maintains facilities. However, if Customer is established in the European Union, the United Kingdom or the United Arab Emirates, Roller will store and Process Venue Guest Data in a data center located in the European Union (without prejudice to Processing locations of Roller’s other Subprocessors).
    2. Transfers out of the EEA. If the Roller entity contracting with the Customer under the Agreement and this DPA is ROLLER Australia or ROLLER USA, then the parties hereby agree to the EEA Standard Contractual Clauses, the terms of which are hereby incorporated by reference into this DPA, in accordance with Schedule A and as follows:
      1. data importer will provide the copies of the subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the EEA Standard Contractual Clauses upon data exporter’s request, and that data importer may remove or redact all commercial information or clauses unrelated to the EEA Standard Contractual Clauses or their equivalent beforehand;
      2. the audits described in Clause 5(f) and Clause 12(2) of the EEA Standard Contractual Clauses shall be performed in accordance with Section 2(b) of this Annex 1 (Reviews and Audits of Compliance); 
      3. Customer’s authorizations in Section 5 (Subprocessors) of this Annex 1 will constitute Customer’s prior written consent to the subcontracting by Roller of the Processing of Venue Guest Data if such consent is required under Clause 5(h) of the EEA Standard Contractual Clauses; and
      4. certification of deletion of Venue Guest Data as described in Clause 12(1) of the EEA Standard Contractual Clauses shall be provided upon data importer’s request.
    3. Transfers out of the UK. If the Roller entity contracting with the Customer under the Agreement and this DPA is ROLLER Australia or ROLLER USA, then the parties hereby agree to the UK Standard Contractual Clauses in accordance with Schedule B. 
    4. Notwithstanding the foregoing, the Standard Contractual Clauses (or obligations the same as those under the Standard Contractual Clauses) will not apply to the extent an alternative recognized compliance standard for the transfer of Venue Guest Data outside the EEA or the UK in accordance with European Data Protection Laws applies to the transfer. In the event of any conflict or inconsistency between (a) this Annex 1 and any other provision of this DPA, this Annex 1 will govern or (b) the Standard Contractual Clauses and any other provision of this Agreement, the Standard Contractual Clauses will govern. 

  5. Subprocessors
    1. Consent to Subprocessor Engagement. Customer specifically authorizes the engagement of Roller’s corporate group affiliates specified in Section 13.3 of the Master Terms as Subprocessors and generally authorizes the engagement of other third parties as Subprocessors (“Third Party Subprocessors”).
    2. Information about Subprocessors. Information about Subprocessors, including their functions and locations, is available at: https://www.roller.software/sub-processors (as may be updated by Roller from time to time) or such other website address as Roller may provide to Customer from time to time.
    3. Requirements for Subprocessor Engagement. When engaging any Subprocessor, Roller will enter into a written contract with such Subprocessor containing data protection obligations which are the same in substance as those in this DPA with respect to Venue Guest Data to the extent applicable to the nature of the services provided by such Subprocessor. Roller shall be liable for all obligations under the Agreement subcontracted to the Subprocessor or its actions and omissions related thereto. 
    4. Opportunity to Object to Subprocessor Changes. When Roller engages any new Third Party Subprocessor after the effective date of the Agreement, Roller will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by written means (email permissible). If Customer objects to such engagement in a written notice to Roller within 15 days after being informed of the engagement on reasonable grounds relating to the protection of Venue Guest Data, Customer and Roller will work together in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the Agreement and cancel the Services by providing written notice to Roller and pay Roller for all amounts due and owing under the Agreement as of the date of such termination.

Annex 2 to DPA

California Annex

  1. For purposes of this Annex 2, the terms “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA, and “personal information” shall mean Venue Guest Data that constitutes personal information governed by the CCPA.
  2. It is the parties’ intent that with respect to any personal information, Roller is a service provider. Roller shall not (a) sell any personal information; (b) except as otherwise permitted under 11 CCR §7051(c), retain, use or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services; or (c) except as otherwise permitted under 11 CCR §7051(c), retain, use or disclose the personal information outside of the direct business relationship between Roller and Customer. Roller hereby certifies that it understands its obligations under this Section 2 and will comply with them.
  3. The parties acknowledge that Roller’s retention, use and disclosure of personal information authorized by Customer’s instructions documented in the DPA are integral to Roller’s provision of the Services and the business relationship between the parties.

SCHEDULE A

PARTICULARS OF DATA PROCESSING AND PARTICULARS UNDER THE EEA STANDARD CONTRACTUAL CLAUSES

| Item | Subject Matter | Description |
| --- | --- | --- |
| Section II (Obligations of the Parties), Clause 9(a) | Subprocessor authorization | The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 15 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object. |
| Section IV (Final Provisions), Clause 17 | Governing law | Republic of Ireland |
| Section IV (Final Provisions), Clause 18(b) | Court jurisdiction and venue | Dublin, Ireland |
| Annex I, A – List of Parties \| Data Exporter | Details of controller | The Customer, as detailed in the Order Form |
| Annex I, A – List of Parties \| Data Importer | Details of processor | The Roller entity identified in Section 13.3 of the Master Terms |
| Annex I, B – Description of Transfer | Categories of data subjects | Venue Guests |
| Annex I, B – Description of Transfer | Categories of personal data | • Contact information: depending on the nature of the interaction with the data subject, this may include information such as name, email address, phone number and residential address. • Engagement information: data subjects interact with the Customer by purchasing Venue tickets or gift cards, attending Venue events, signing participation waivers, making reservations, completing Venue surveys, consuming goods or services that the Venue offers, submitting an inquiry or posting on our page on social networks such as Facebook, LinkedIn or Twitter. Information is processed about the nature and substance of these interactions, such as tickets or gift cards purchased or used, Venue events attended, participation waivers signed, reservations made, Venue surveys completed, goods or services consumed, and the substance of the inquiry sent to the Venue. • Analytics information: information such as the IP address from which the data subject accesses the Roller Services, time and date of access, type of browser used, language used, links clicked, and actions the data subject has taken while using the Roller Services. |
| Annex I, B – Description of Transfer | Sensitive data | None, unless otherwise agreed in writing by the data exporter and data importer |
| Annex I, B – Description of Transfer | Frequency of transfer | Ongoing and continuous for the duration of the Agreement |
| Annex I, B – Description of Transfer | Nature of processing | Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, use, disclosure, combination, and erasure. |
| Annex I, B – Description of Transfer | Purpose(s) of the data transfer and further processing | Roller’s provision of the Services |
| Annex I, B – Description of Transfer | Retention period | From Roller’s receipt of Venue Guest Data until deletion of all Venue Guest Data by Roller in accordance with the Agreement |
| Annex I, B – Description of Transfer | Transfers of subprocessors | |
| Annex I, C – Description of Transfer | Competent Supervisory Authority | • Where the data exporter is established in an EU Member State, the supervisory authority is the one established in the EU Member State (or Bundesland or Stadtstaaten, in Germany) where the data exporter is established. • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) of the GDPR and has appointed a representative pursuant to Article 27(1) of the GDPR, the supervisory authority is that of the Member State (or Bundesland or Stadtstaaten, in Germany) in which that representative is established. • Where the data exporter is not established in an EU Member State, but falls within the territorial scope of Article 3(2) of the GDPR without having appointed a representative pursuant to Article 27(1) of the GDPR, the supervisory authority is the one established in the EU Member State (or Bundesland or Stadtstaaten, in Germany) in which the data subjects whose personal data is transferred in relation to the offering of goods or services to them, or whose behaviour is monitored, are located. |
| Annex II | Technical and Organizational Measures | The Security Measures specified at https://www.roller.software/security/ |

 

SCHEDULE B

PARTICULARS UNDER THE UK STANDARD CONTRACTUAL CLAUSES

 

| Item | Subject Matter | Description |
| --- | --- | --- |
| Table 1 – Parties | Start date | The date indicated in the Order Form for the commencement of the Services |
| Table 2 – Parties | Parties’ details and key contacts | • The Customer, as detailed in the Order Form • The Roller entity identified in Section 13.3 of the Master Terms |
| Table 2 | Selected SCCs, Modules and Selected Clauses | The version of the Approved EU SCCs which the International Data Transfer Addendum is appended to, is the Standard Contractual Clauses, as specified in Section 4(b) of Annex 1 (Europe Annex) to the DPA. |
| Table 4 | Ending the Addendum when the Approved Addendum changes | Data exporter |