As of: January 1, 2023

This Data Processing Agreement and its Appendixes, including the Standard Contractual Clauses and their Annexes, (collectively, the “Agreement”) is incorporated into and forms a part of the written (including in electronic form) agreement between StepStone Group LP or one of its consolidated subsidiaries (the “Company”) and Vendor for the provision of the services identified in the relevant agreement (“Services”) between Company and Vendor (the “Main Contract”) to reflect the Parties’ agreement with regard to the Processing of Personal Data. For the avoidance of doubt, execution of the Main Contract shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their Annexes.

1. Subject matter and duration

1.1       Unless otherwise set out below, each capitalized term in this Agreement shall have the meaning set out in the Main Contract:

“Company Personal Data” means any Personal Data Vendor Processes in relation to the Services, including Personal Data (i) provided by or on behalf of Company to Vendor, (ii) obtained, developed, produced or otherwise Processed by Vendor, or its agents or Subprocessors, for purposes of providing the Services, and (iii) any information derived therefrom.

“Affiliates” means the current and future respective affiliated companies of Company.

“Applicable Data Protection Law” means all applicable laws, rules, regulations, and governmental requirements currently in effect, or as they become effective, relating in any way to the privacy, confidentiality, or security of Personal Data, including but not limited to the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and implementing regulations thereto that become effective on or after the effective date of this Agreement (the “CCPA”), as amended by the California Privacy Rights Act, the European Union General Data Protection Regulation 2016/679 of the European Parliament and of the Council (the “GDPR”) and any applicable national legislation implementing or supplementing the GDPR, the Swiss Federal Data Protection Act of 1992 and its Ordinance, in each case as amended, replaced or superseded from time to time, and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Personal Data.

“Business Purpose” means the specific purpose of performing the Services identified in the Main Contract and Processing the Company Personal Data in accordance with Company’s written instructions.

“Controller” means the natural or legal person which alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Subject” means an identified, or identifiable, natural person to whom Personal Data relates.

“Personal Data” means any information relating to an identified or identifiable individual, or that is otherwise “personal data,” “personal information,” “personally identifiable information,” or a similar designation under and regulated by Applicable Data Protection Law. Specifically, under the CCPA, “personal information” means any information relating to any identifiable person or household directly or indirectly.

“Process(ing)” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, use, modification, storage, disclosure, restriction, erasure or destruction. The nature and purpose of the Processing as well as the types of Personal Data and the categories of Data Subjects that are subject to this Agreement are set out in Annex I.

“Processor” means a natural or legal person which Processes Personal Data on behalf of the Controller subject to contractual restrictions consistent and in compliance with Applicable Data Protection Law, including a “processor” as such term is defined by the GDPR and a “service provider” or a “contractor” as applicable and defined in each case by the CCPA.

“Subprocessor” means a natural or legal person engaged by the Vendor who Processes any Company Personal Data on behalf of the Vendor.

1.2       The subject matter of this Agreement is the Processing of Company Personal Data by Vendor.

1.3       The Parties acknowledge and agree that Company is disclosing the Company Personal Data to the Vendor only for the limited and specified Business Purpose(s) set forth in this Agreement.

1.4       The Parties acknowledge and agree that Vendor shall act as a Processor in relation to its Processing of Company Personal Data and Vendor shall only Process Company Personal Data in accordance with:

(a) the Main Contract and this Agreement, to the extent necessary to provide the Services to Company, and

(b) Company’s written instructions.

1.5       This Agreement shall commence with the signature by both Parties of the Main Contract and shall terminate automatically following the termination of the Main Contract upon the completion of the last Processing activity carried out thereunder. The right of either Party to terminate this Agreement with immediate effect for cause remains unaffected, provided that if this Agreement is terminated, the Parties acknowledge and agree that no further Processing of Company Personal Data is permitted under the Main Contract. Any notice of termination must be given in writing in order to be legally effective.

2. Processing location and Standard Contractual Clauses

2.1       Where required by Applicable Data Protection Law, the Parties will enter into standard contractual clauses or other similar documentation required by Applicable Data Protection Law for the international transfer of Company Personal Data to ensure an adequate level of data protection (“Standard Contractual Clauses”), as set forth in Appendix 1. The country/countries where Vendor will process Company Personal Data shall be set forth in Appendix 2. In the event that Vendor intends to change the country/countries it processes Company Personal Data, the Parties shall amend Appendix 2 in writing to reflect such change. Without limiting the foregoing, any Processor who will Process data in a country that does not ensure an adequate level of data protection in accordance with Applicable Data Protection Law shall enter into the Standard Contractual Clauses appended to this Agreement.

2.2       In the event of a change in any Applicable Data Protection Law relating to the country/countries where an adequate level of data protection exists, the Parties will discuss and agree on an alternative solution permitting Vendor to continue to Process the Personal Data in said country/countries.

2.3       In the case of any inconsistency between any of the provisions of the Main Contract, this Agreement and the Standard Contractual Clauses respectively, the provisions of the Standard Contractual Clauses shall prevail in preference to the Main Contract and this Agreement, and the provisions of this Agreement shall prevail over the provisions of the Main Contract. Notwithstanding the foregoing, if the Main Contract includes or references a security plan (“Security Plan”), the provisions of the Security Plan shall prevail over the provisions of this Agreement (including Annex II), and a provision in the Main Contract otherwise conflicting with a provision in this Agreement shall further prevail, in each case solely to the extent such provision relates to information other than Company Personal Data, provides greater protection for Company Personal Data or imposes additional restrictions on Vendor’s Processing of Company Personal Data.

3. Instructions of Company

3.1       Company has the sole right to give Vendor instructions with regard to the Processing of Company Personal Data.

3.2       Company herewith instructs Vendor to Process the Company Personal Data to the extent required to provide the Services.

3.3       Instructions of Company will regularly be given in writing. Oral instructions will be confirmed in writing without undue delay.

3.4       If the execution of an instruction of Company would result in the breach of this Agreement, the Main Contract, the Standard Contractual Clauses (if any), or Applicable Data Protection Law, Vendor will immediately notify Company thereof in writing. Such notification shall be duly justified and documented. In such case, Vendor will suspend the execution of the instruction until the instruction is confirmed by Company in writing.

3.5       It is incumbent upon Vendor to prove that it has acted as a Processor under Company’s instruction pursuant to Applicable Data Protection Law when Processing Company Personal Data. Company remains the Controller of the Personal Data within the meaning of Applicable Data Protection Laws. As a consequence, Vendor recognizes and agrees that it is not permitted to:

  • sell, share for cross-contextual advertising, retain, use, disclose or otherwise Process the Company Personal Data for its own commercial purposes or for any purpose other than for the specific Business Purpose(s) set forth in this Agreement;
  • sell, share for cross-contextual advertising, retain, use, disclose or otherwise Process the Company Personal Data outside the direct business relationship between the Vendor and Company;
  • combine the Company Personal Data with Personal Data that Vendor receives from or on behalf of another person or entity, or collects from its own interaction with a Data Subject; and
  • use Company Personal Data to perform services on behalf of another person or entity other than Company.

4. General obligations of Vendor

4.1       Vendor will only Process Company Personal Data in accordance with the instructions given by Company and for the Business Purpose(s) set forth within it, the Standard Contractual Clauses (if applicable), and Applicable Data Protection Law, and shall not cause Company to be in breach of Applicable Data Protection Law. Without limiting the generality of the foregoing, Vendor shall comply with all applicable sections of the CCPA with respect to the Company Personal Data, including but not limited to the obligations to provide the same level of privacy protection as required of Company by the CCPA. Vendor shall notify Company immediately if it makes a determination that it can no longer meet its obligations under Applicable Data Protection Law.

4.2       Vendor shall, however, have the right to Process Company Personal Data outside the scope set out in section 4.1: (a) in the case of Personal Data of Data Subjects resident in the European Union, to the extent required by the laws of the European Union or its member states; and (b) in the case of Personal Data of Data Subjects not resident in the European Union, to the extent required by any country’s laws to which Vendor may be subject. In such a case, Vendor shall inform Company of that legal requirement in writing before the Processing and provide such details as may be required by Company to evaluate whether the Data Subjects should be notified, except to the extent that such law prohibits providing that information.

4.3       Vendor will provide Company with such assistance and co-operation as Company may reasonably request to enable Company to comply with any obligations imposed on Company in relation to Company Personal Data including, but not limited to, providing any assistance with any data protection impact assessments and prior consultations of Company required under Applicable Data Protection Law, or other binding legal obligations, which may include litigation holds and responding to binding orders of a court or regulatory authority with jurisdiction. Vendor attests to having provided accurate responses to transfer impact assessments or other related Company provided questionnaires.

4.4       Vendor shall inform Company immediately, in writing, of any inquiry, complaint, notice, or other communication it receives from any supervisory authority or other governmental body or any individual, relating to either Vendor’s or Company’s Processing of Company Personal Data or related compliance with Applicable Data Protection Law. Vendor shall present, upon request, to Company such inquiries, complaints, notices, or other communications and shall provide all necessary assistance to Company to enable Company to respond to such inquiries, complaints, notices, or other communications. For the avoidance of doubt, Vendor shall not respond to any such inquiry, complaint, notice, or other communication without the prior written consent of Company.

4.5       Vendor will notify Company as soon as possible, and as far as it is legally permitted to do so, of any access request for disclosure of data which concerns Company Personal Data (or any part thereof) by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction. For the avoidance of doubt and as far as it is legally permitted to do so, Vendor shall not disclose or release any Company Personal Data in response to such request served on Vendor without first consulting with, and obtaining the written consent of, Company.

4.6       Company shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate the Vendor’s unauthorized use of Company Personal Data, including but not limited to the right to request Vendor to provide sufficient documentation that verifies its compliance with its obligations under this Agreement.

5. Technical and organizational security measures

5.1       Vendor will monitor its compliance with this Agreement on an ongoing basis.

5.2       Vendor has designated or will designate a data protection officer and/or a representative in the EU and/or any other jurisdiction to the extent required under Applicable Data Protection Law. Vendor will notify Company of (and of any changes to) the identity and contact details of any data protection officer and/or representative (if any) without undue delay in writing.

5.3       Vendor will maintain a record of all categories of Processing activities carried out on behalf of Company by Vendor to the extent required to enable Company to comply with its obligations under Applicable Data Protection Law. Vendor will cause each Subprocessor it retains to maintain a record of all categories of Processing activities carried out on behalf of Vendor by the Subprocessor to the extent required to enable Company or Vendor to comply with its obligations under Applicable Data Protection Law. The records required by this section 5.3 must include, without limitation:

  • a description of the categories of Company Personal Data being Processed and the categories of the Processing activities undertaken;
  • where permitted in accordance with this Agreement, details of any transfer of Company Personal Data, including details of: (i) the country in which the recipient is located and, if applicable, the recipient international organization; and (ii) the suitable safeguards implemented for the protection of Company Personal Data; and
  • a general description of the technical and organizational security measures implemented pursuant to section 5.6.

Vendor shall make available (and shall cause any Subprocessor to make available) to Company copies of such records in electronic form or such other form acceptable to Company on no less than an annual basis or without undue delay upon first demand from Company.

5.4       Vendor will notify Company prior to Vendor or its Subprocessors adopting or implementing a new type of Processing activities (including, without limitation, the use of new technology to continue current Processing) in respect of Company Personal Data, and at Company’s request, Vendor shall participate in a data protection impact assessment in respect of the new type of Processing which is being proposed, in accordance with Applicable Data Protection Laws.

5.5       Vendor will take reasonable steps to ensure the reliability of any person, including employees and other personnel, authorized by Vendor to Process Company Personal Data, and will ensure that such persons have committed themselves in writing to confidentiality or are under an appropriate obligation of confidentiality and an obligation to act in compliance with Applicable Data Protection Law. Vendor will make available to Company an electronic copy of such commitment or appropriate evidence of such obligation without undue delay upon first demand.

5.6       Vendor will implement and maintain reasonable technical and organizational data protection and security measures appropriate to the nature of the Company Personal Data to ensure security of Company Personal Data, including but not limited to protection against unauthorized or unlawful Processing, unauthorized or unlawful disclosure of, access to and/or alteration of Company Personal Data, accidental loss, and destruction or damage of or to Company Personal Data, in accordance with Applicable Data Protection Law including but not limited to the requirements under California Civil Code section 1798.81.5.

5.7       Vendor will implement and maintain as a minimum standard the measures set out in Annex II. Vendor will constantly improve such measures in line with the development of best market practices and technical standards. Vendor will notify Company in writing in advance of any material changes to such security measures. Any changes that may adversely affect the security of Company Personal Data require Company’s prior written consent.

6. Data breach notifications

6.1       Vendor will immediately notify Company in writing of any breach of this Agreement, the Standard Contractual Clauses (if any), Applicable Data Protection Law applicable to the Processing of Company Personal Data, or any instruction by Company in connection with the Processing of Company Personal Data under this Agreement.

6.2       Without limiting the generality of Section 6.1, Vendor shall notify Company without undue delay and, in any event, not later than 36 hours after the discovery of any possible breach of security that is likely to lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Company Personal Data transmitted, stored, or otherwise Processed by Vendor or any of its Subprocessors, and reasonably cooperate in the investigation of any such possible breach of security.

6.3       Where, and insofar it is possible for Vendor, the notification shall at least:

  • describe the nature of the possible breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; and
  • describe the likely consequences of the possible breach and the measures taken or proposed to be taken to address the possible breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as it is not possible to provide the information at the same time, the information may be provided in phases without undue delay.

6.4       Vendor shall take all steps to restore, re-constitute, and/or reconstruct any Company Personal Data which is lost, damaged, destroyed, altered, or corrupted as a result of such a breach as if they were Vendor’s own data at its own cost with all possible speed. Vendor shall, without undue delay, send Company a detailed report of all the measures implemented pursuant to section 6.4.

6.5       Vendor will provide any assistance with Company’s investigation of the possible breach and any obligation of Company under Applicable Data Protection Law to make any notifications to the Data Subjects, supervisory authorities, or the public in respect of such breach as reasonably requested by Company. Vendor will not make any statement or notification to any Data Subject, supervisory authority, or otherwise relating to such breach without the prior written approval of Company.

6.6       Vendor shall provide any assistance with any obligation of Company under Applicable Data Protection Law to document any such possible breach as reasonably requested by Company.

7. Rights of the Data Subjects

7.1       As between the Parties, Company shall have sole discretion in responding to the rights asserted by any Data Subjects in relation to Company Personal Data.

7.2       Vendor will forward to Company without undue delay any request received by the Vendor or any Subprocessor from a Data Subject in respect of the Company Personal Data, and shall not respond to the Data Subject without first consulting with and obtaining the written consent of Company.

7.3       While respecting the technical and organizational security measures, Vendor will provide any cooperation and assistance in fulfilling any rights of the Data Subjects to the extent these rights relate to the Processing of Company Personal Data by Vendor as reasonably requested by Company, including:

  • complying with any request from Company requiring Vendor to amend, transfer, or delete Company Personal Data as soon as possible and notifying its own service providers or contractors to do the same, unless otherwise exempted from Applicable Data Protection Law and provided that Company provides the information necessary for Vendor to comply with the request;
  • taking all technical and organizational measures allowing Company to comply with any right of portability request formulated pursuant to Applicable Data Protection Law; and
  • implementing, so far as possible, appropriate technical and organizational measures to provide Company with co-operation and assistance in complying with any Data Subject rights requests received by, or on behalf of, Company.

7.4       At Company’s request, Vendor will immediately send evidence of the accomplishment of measures taken pursuant to section 7.3.

8. Deletion and return of data upon termination of this Agreement

8.1       Upon Company’s first demand or, at the latest, upon termination or expiration of this Agreement, Vendor will at the choice of Company, while respecting data protection and security measures, delete or return to Company all Company Personal Data Processed and delete all existing copies unless: (a) in the case of the Personal Data of Data Subjects resident in the European Union, the laws of the European Union or its member states require a longer retention period; and (b) in the case of the Personal Data of Data Subjects not resident in the European Union, to the extent any country’s laws to which Vendor is subject require a longer retention period. Vendor shall provide any evidence of such deletion of Company Personal Data as reasonably requested by Company.

9. Right to engage Subprocessors

9.1       Vendor shall not engage, and shall not transfer or disclose any Company Personal Data to, another party (including any other Processor or Subprocessor) without prior specific or general written authorization of Company.

9.2       In the case of general written authorization, Vendor shall inform Company of its intention to engage such other third party in writing at least sixty days in advance of the date of the intended commencement of the engagement. Company may object to such intended engagement by giving written notice at the latest two weeks in advance of the date of the intended commencement of the engagement.

9.3       Where Vendor engages a Subprocessor in accordance with this Agreement, obligations providing at least for the level of data protection as established by this Agreement shall be imposed on that other party by way of a written contract such as a data processing agreement. Vendor shall make available to Company an electronic copy of such written contract (redacted for commercial terms) or other evidence acceptable to Company, acting reasonably, without undue delay, upon first demand. Where the Subprocessor fails to fulfil its data protection obligations, Vendor shall remain fully responsible to Company for the performance of that other party’s obligations and shall be liable to Company for the acts and omissions of the Subprocessor as if they were the acts and omissions of the Vendor.

10. Audits and inspections of Company, co-operation obligations of Vendor, co-operation with supervisory authorities

10.1      Company (itself or through a third-party) has the right to reasonably inspect or audit Vendor’s compliance with this Agreement. For this purpose, Vendor will grant Company, or a designated third-party, access to its business premises during Vendor’s regular business hours and without undue delay make available all information necessary to demonstrate compliance with this Agreement as reasonably requested by Company.

10.2      Company will notify Vendor in writing of any such audit or inspection at least 2 weeks in advance. Company will not conduct more than one audit or inspection per calendar year. However, if: (i) Vendor has provided a notice under section 6.1 or 6.2 of this Agreement; or (ii) Company reasonably believes that Vendor is in breach of this Agreement, the Standard Contractual Clauses (if any), Applicable Data Protection Law, or any direction by Company in connection with Processing of Company Personal Data; Company may, as the case may be with shorter or without prior notice, conduct such additional inspections within the same calendar year as are reasonably required to confirm compliance with this Agreement.

10.3      Vendor will provide any assistance in connection with any audits of any competent supervisory authority to the extent such audit relates to the Processing of Company Personal Data by Vendor under this Agreement as reasonably requested by Company.

10.4      Vendor shall ensure that substantially similar provisions are included in its agreements with Subprocessors.

11. Indemnification

11.1      Vendor agrees to indemnify, defend at its own expense and hold harmless, without setoff or deduction, Company from and against any and all claims, damages, costs and expenses (including, without limitation, reasonable legal costs) incurred by Company or its Affiliates arising from, or in connection with, the Processing of Company Personal Data by Vendor or breach of this Agreement by Vendor.

11.2      Any provision of this Agreement or the Main Contract excluding or limiting the liability of Vendor shall not apply to Vendor’s liability under Section 11.1 (Indemnification).

12. Insurance Obligation

12.1      At all times during the performance of Services pursuant to the Main Contract, Vendor shall (and shall cause Vendor personnel who are providing Services to) keep in full force and effect and maintain, at no additional cost to Company, technology/professional and network security/privacy (cyber) errors and omissions liability insurance covering acts, errors, omissions, breach of contract, and violation of any privacy or data protection laws (if applicable) arising out of Vendor’s operations or Services at levels consistent with prudent industry standards. Vendor shall notify the Company if it reduces materially the level or amount of insurance coverage during the performance of the Services.

12.2      By requiring insurance as provided in this Section 12, Company does not represent that coverage and limits shall be necessarily adequate to protect Company and Company’s Affiliates, and their officers, directors, employees and agents, and such limits shall not be deemed as a limitation of Vendor’s liability under this Agreement.

13. Final provisions

13.1      This Agreement is subject to the laws of the jurisdiction as stated in the Main Contract save that the Standard Contractual Clauses shall be governed by the law of the jurisdiction in which Company is established. The Parties exclusively submit to the courts of the chosen jurisdiction as set out in the Main Contract.

13.2      All rights granted to Company under this Agreement are for the benefit of Company and for the additional purpose of conferring the same benefit on each of its Affiliates as if they were a party hereto. Any claims in connection with this Agreement may be brought by Company, whether acting for itself or on behalf of an Affiliate.

13.3      Any amendments or supplements to, or a termination of, this Agreement must be in writing in order to be legally effective; this requirement applies accordingly to any waiver of this written form requirement. For the avoidance of doubt, any references to any written form requirement in this Agreement (e.g. “written” or “in writing”) include declarations and documents in electronic and text form whether bearing a signature or not (e.g. emails, fax copies or scans).

13.4      All notices, requests, consents, claims, demands, waivers, and other communications by Vendor to Company under this Agreement (each, a “Notice”) shall be made in writing and, at a minimum, delivered by email to legal@stepstonegroup.com (with confirmation of transmission). Notice pursuant to Section 5.7 and 6.2 shall also be delivered by email to privacy@stepstonegroup.com (with confirmation of transmission), and Notice pursuant to Section 6.2 shall also be delivered by overnight mail to:

StepStone Group LP

Attention: 4225 Executive Square, Suite 1600

La Jolla, CA 92037, United States

Notice pursuant to Section 6.2 relating to Company Personal Data in or from the European Economic Area or the United Kingdom shall also be delivered by email to PrivacyEurope@stepstonegroup.com. Notice under this Agreement is only effective (a) upon receipt by Company, and (b) if Vendor has complied with the requirements of this Section.

13.5      If a provision of this Agreement is or becomes ineffective in whole or in part, or if there is an omission, the remaining provisions of this Agreement shall remain unaffected. In place of the ineffective provision, and to fill the omission, the Parties will agree on a reasonable provision which comes – to the extent legally possible – closest to what the Parties agreed or would have agreed if they had considered this point.

13.6      Either Party’s failure to enforce any provisions of this Agreement shall not constitute a waiver of that or any other provision and will not relieve the other Party from the obligation to comply with such provision.

13.7      Any claim or dispute between the Parties arising out of, or in connection with, this Agreement (a “Dispute”) that cannot be resolved by direct discussions between the Parties shall be resolved in accordance with the procedure set out in the Main Contract, if any.

APPENDIX 1: STANDARD CONTRACTUAL CLAUSES

In accordance with the EC Standard Contractual Clauses for the Transfer of Personal Data to Third Countries pursuant to the Commission Implementing Decision (EU) 2021/914, Module Two (Transfer controller to processor), the following has been entered into and agreed to in full.

Name of the data exporting organization: StepStone Group LP contracting for and on behalf of itself and as agent on behalf of its consolidated subsidiaries and affiliates.

Address: 4225 Executive Square, Suite 1600, La Jolla, CA 92037

Attn: Legal Department

E-mail: legal@stepstonegroup.com

Other information needed to identify the organization: Not applicable

(each and all the data exporter)

and

Name of the data importing organization: The data importer is the Vendor, as defined in the Main Contract.

(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the “Clauses”) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Annex I. From and after 25 May, 2018, any reference to Directive 95/46/EC shall be a reference to the applicable provision of Regulation (EU) 2016/679.

SECTION I

Clause 1

Purpose and scope

(a)          The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b)          The Parties:

(i)            the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii)           the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c)           These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d)          The Annexes to these Clauses form an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a)          These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Annexes. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b)          These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a)          Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i)            Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii)           Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii)          Clause 9(a), (c), (d) and (e)

(iv)         Clause 12(a), (d) and (f);

(v)          Clause 13;

(vi)         Clause 15.1(c), (d) and (e);

(vii)        Clause 16(e);

(viii)       Clause 18(a) and (b).

(b)          Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a)          Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b)          These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c)           These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking Clause

Intentionally Omitted

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1          Instructions

(a)          The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b)          The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2          Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3          Transparency

On request, the data exporter shall make a copy of these Clauses, including the Annexes as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Annexes to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4          Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5          Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6          Security of processing

(a)          The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b)          The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c)           In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d)          The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7          Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex II.

8.8          Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i)            the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii)           the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii)          the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv)         the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9          Documentation and compliance

(a)          The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b)          The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c)           The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d)          The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e)          The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a)          The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 90 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b)          Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c)           The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d)          The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e)          The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a)          The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b)          The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c)           In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a)          The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b)          In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c)           Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i)            lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii)           refer the dispute to the competent courts within the meaning of Clause 18.

(d)          The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e)          The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f)           The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a)          Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b)          The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c)           Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d)          The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e)          Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f)           The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g)          The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a)          [Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679:] The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.

(b)          The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a)          The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b)          The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i)            the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii)           the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii)          any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c)           The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d)          The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e)          The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f)           Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1        Notification

(a)          The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i)            receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii)           becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b)          If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c)           Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d)          The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e)          Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2        Review of legality and data minimisation

(a)          The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b)          The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c)           The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a)          The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b)          In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c)           The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i)            the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii)           the data importer is in substantial or persistent breach of these Clauses; or

(iii)          the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d)          Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e)          Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.

Clause 18

Choice of forum and jurisdiction

(a)          Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b)          The Parties agree that those shall be the courts of the jurisdiction of the applicable Company data exporter.

(c)           A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d)          The Parties agree to submit themselves to the jurisdiction of such courts.

ANNEXES

The Parties hereby incorporate Annexes into the Standard Contractual Clauses.

ANNEXES TO THE STANDARD CONTRACTUAL CLAUSES

These Annexes form part of the Agreement and the Clauses.

ANNEX I TO THE STANDARD CONTRACTUAL CLAUSES

This Annex forms part of the Clauses and must be completed and signed by the parties. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Annex.

Part A. List of parties

Data exporter(s):

Name: StepStone Group LP contracting for and on behalf of itself and as agent on behalf of its consolidated subsidiaries and affiliates

Address: 4225 Executive Square, Suite 1600, La Jolla, CA 92037 Attn: Legal Department

Contact person’s name, position, and contact details: Chief Legal Officer, legal@stepstonegroup.com

Activities relevant to the data transferred under the SCCs: Conducting the activities in compliance with the Main Contract

Role (controller): Controller

Data importer(s):

Name: The Vendor, as defined in the Main Contract

Address: The address of the Vendor in the Main Contract

Contact person’s name, position, and contact details: The contact information in the Main Contract

Activities relevant to the data transferred under the SCCs: Conducting the activities in compliance with the Main Contract

Role (processor): Processor

Part B. Description of transfer

Categories of data subjects whose Personal Data is transferred:

  • Employees, contractors, temporary/agency workers, and consultants (collectively, “HR data”);
  • Customers, including past, current and potential customers (collectively, “Customer data”); and
  • Other third parties including representatives of and contacts at vendors, licensees, and other business partners (collectively, “B2B data”).

Categories of Personal Data transferred:

HR data includes:

  • Personal details such as name (including known aliases or former names); prefix, personal and business email address, telephone number, and mailing address; date and place of birth; nationality; gender; marital status; language(s); signature; photograph(s); driver’s license and automobile license numbers or other national identification document(s); next of kin and emergency contact details; and dependent details (including names, date and place of birth, employment information, criminal records, addresses, email address, telephone number, and mailing address);
  • Right to work and immigration information about employees such as social security, tax identification, or other government issued identification number (including copies of required identification documents); citizenship, residency, visa, or work permit information; identity card, passport, and/or birth certificate details; and, when required, the information necessary to obtain visa and work permit(s);
  • Employment details such as job title, geographic location, area of responsibility, employee identification number; job title and grade level, including historical information regarding progression; department; location; supervisor; dates of employment; hours worked, absences, vacation dates; performance and evaluation records including review meetings and assessment interviews; disciplinary records or investigation records related to conduct impacting the workplace; training and attendance records; employer information (for contractors, consultants, agents, etc.); wage/salary records, records of overtime, bonuses and expenses; payroll records and severance pay records; statutory sick pay records; accident books and accident records/reports; business data, documents and administration concerning pension schemes and related subjects; and career and talent development programs, diversity programs, other HR policies;
  • Talent, recruitment, education, and training details such as education and other academic and professional qualifications; details about previous experience, roles, and employment, including employment references; language and other relevant skills; resume, curriculum vitae, and application details; veteran status; and job applicant data;
  • CCTV footage or other video recordings, such as information collected through video surveillance systems installed by StepStone Group for security purposes;
  • Health information such as information necessary to provide health, disability, and life insurance or other benefits; to provide employees with parental, family, or disability leave, pay, or related benefits; information necessary for workers’ compensation claims; assessment of fitness to work; or to protect health and safety, including to monitor exposure to environmental or potentially hazardous conditions or provide urgent care for on-site injuries;
  • Background-check information such as information related to offenses or criminal proceedings, outcomes, and sentences where required by law, relevant to job function, or necessary to protect the health and safety of personnel; certain other background information including credit reports, pre-employment drug and alcohol testing where permitted by local law, driver’s records, or other reference checks;
  • Data generated from monitoring programs; and
  • Diversity and sensitive affiliation information such as information necessary to internally identify and review our equal opportunity employment practices, or in connection with the publication of aggregate information on the diversity of our workforce.

Customer data includes:

  • Personal details such as name, date of birth, gender, driver’s license or passport number and expiration date; employer/company name, contact details for home, employer/company, or location stayed during travel, including address, telephone numbers, fax numbers, email addresses, and emergency contact details;
  • Unique identification numbers;
  • Location-based information;
  • Financial information such as income; bank account information; anti-money laundering (AML) information; know your customer (KYC) information, and tax identification number;
  • Customer relationship information such as customer agreements, customer offer and deal information; and customer payment and collection information;
  • Data relating to lease objects, rent information, and lessee and landlord information;
  • Recorded call information;
  • Visitor and access control data, such as CCTV images or other video recordings; and
  • Customer complaint information.

B2B data includes:

  • Contact details such as name, gender, date of birth, email address, address, employer, and telephone and fax numbers;
  • Complaints information;
  • B2B relationship information such as contracts or agreements; and data relating to payments, expenses and collection;
  • CCTV images or other video recordings; and
  • Tax ID.

Categories of sensitive data transferred (and any additional measures applied):

  • Data concerning health;
  • Criminal convictions;
  • Religious beliefs; and
  • Trade union membership.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

  • Continuous

Nature of the processing

  • The nature of the Processing is the performance of the Services pursuant to this Agreement and the Main Contract.

Purpose(s) of the data transfer and further processing

  • The data importer will Process Personal Data as necessary to perform the Services pursuant to the Main Contract and as further instructed by the data exporter in its use of the Services.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

  • The data importer will Process Personal Data for the duration of this Agreement, unless otherwise agreed upon in writing, but, in no event, longer than permitted under the laws of the country of the data exporter.
  • The data importer will return or destroy Personal Data within sixty days after the expiration or termination of this Agreement, unless otherwise required to be retained by applicable law or legal order.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

  • Subprocessors shall Process Personal Data for purposes of assisting the data importer in providing the services to the data exporter under this Agreement and shall continue to process Personal Data for the length of the applicable agreement governing provision of the services or as otherwise required under applicable laws.

Part C. Competent supervisory authority

The competent supervisory authority (per Clause 13 of the Model Clauses) is the supervisory authority of the EU/EEA Member State where the data exporter is established.

ANNEX II TO THE STANDARD CONTRACTUAL CLAUSES

Taking into account the nature, scope, context and purpose of the Processing, and the risks for the rights and freedoms of individuals, Service Provider shall implement appropriate technical and organisational measures to ensure a level of security of Personal Data appropriate to the risk, as follows:

1. Pseudonymisation

Personal data belonging to StepStone Group can be processed in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which exclude the unauthorized identification of the data subject.

Nevertheless, data pseudonymized in this way remains personal data according to the GDPR. Pseudonymisation is a technical and organisational measure and can be implemented by the Processor as follows:

☒ separate storage of additional information for identification

☒ use of IDs instead of names

☒ encryption of additional information for identification

☒ management and documentation of differentiated authorizations concerning additional information for identification

☒ authorization process or approval routines for authorizations to process additional information for identification

☒ copy protection with regard to additional information for identification

☐ other measures / specification of the measures mentioned above:
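The following illustration is added to this page for practitioners and is not part of the Agreement or of any Vendor's implementation. It shows, in Python, the combination of measures ticked above: identifiers replaced by IDs, the identification information kept in a separate lookup table, and re-identification gated by an approval routine and logged. The records, field names, key and the "approved_by" routine are constructed assumptions; encryption of the lookup table at rest is stated in a comment rather than implemented, because it should be done with a vetted AEAD library, not hand-rolled code.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample HR records (hypothetical values, not real data).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "job_title": "Analyst", "location": "La Jolla", "hours_worked": 160},
    {"name": "Bob Example", "email": "bob@example.com",
     "job_title": "Engineer", "location": "Dublin", "hours_worked": 152},
    {"name": "Alice Example", "email": "alice@example.com",
     "job_title": "Analyst", "location": "La Jolla", "hours_worked": 168},
]

# Fields that directly identify the data subject (assumption for this
# record type); everything else stays in the working data set.
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym_for(record, key):
    """Keyed HMAC-SHA256 over the direct identifiers.

    Without `key` a pseudonym cannot be recomputed from a name, so the
    pseudonymised set cannot be reversed by a dictionary attack; with the
    key, the same person always receives the same pseudonym across batches.
    """
    ident = "\x1f".join(record[f] for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, ident.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key):
    """Return (working_set, lookup_table).

    working_set: records with the direct identifiers replaced by `subject_id`.
    lookup_table: subject_id -> identifiers. This is the "additional
    information" and must be stored separately from the working set and
    encrypted at rest (e.g. AES-GCM from a vetted library; not shown here).
    The working set is still personal data: job title and location remain
    quasi-identifiers.
    """
    working_set, lookup_table = [], {}
    for record in records:
        pid = pseudonym_for(record, key)
        working_set.append(
            {"subject_id": pid,
             **{k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}})
        lookup_table[pid] = {f: record[f] for f in DIRECT_IDENTIFIERS}
    return working_set, lookup_table


def contains_direct_identifiers(working_set):
    """Control check: no direct identifier field survives in the working set."""
    return any(f in row for row in working_set for f in DIRECT_IDENTIFIERS)


def reidentify(subject_id, lookup_table, *, approved_by, access_log):
    """Re-identification is a separately authorised, logged operation.

    `approved_by` stands in for the outcome of the approval routine
    (assumption); an empty value means no approval was recorded.
    """
    if not approved_by:
        raise PermissionError("re-identification requires a recorded approval")
    access_log.append({"subject_id": subject_id, "approved_by": approved_by})
    return dict(lookup_table[subject_id])


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # held by the key custodian, never with the data
    working, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print(json.dumps(working, indent=2))
    log = []
    print(reidentify(working[0]["subject_id"], lookup, approved_by="dpo", access_log=log))
```

The working set can be handed to the processing systems; the key and the lookup table are the "additional information" and stay under the differentiated authorisations and approval routine ticked above. Losing the working set alone does not reveal who the subjects are, but because quasi-identifiers remain it is still Personal Data under the GDPR.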

2. Measures for encryption

☒ encryption of mobile devices such as laptops, tablets, smartphones

☒ encryption of mobile storage media (CD/DVD- ROM, USB sticks, external hard drives)

☒ encryption of files

☐ encryption of systems

☒ encrypted storage of passwords

☐ encryption of e-mails and e-mail attachments

☒ secured data sharing (e.g. TLS/HTTPS, FTPS, SFTP; legacy SSL protocol versions are deprecated and must not be used)

☒ secured WLAN

☐ other measures / specification of the measures mentioned above:

3. Measures to ensure confidentiality

a. Measures which ensure that unauthorized persons do not have access:

☒ access control system, document reader (magnetic / chip card)

☒ door protections (electric door opener, number lock, etc.)

☐ safety doors / windows

☐ grates in front of windows / doors

☐ fence systems

☒ key management / documentation of key assignment

☐ protection of facilities, guards

☐ alarm system

☐ video surveillance

☒ special protective measures for the server room

☒ special protective measures for storage of back-ups and/or other data carriers

☒ irreversible destruction of data carriers

☒ employee and authorization documents

☒ prohibited areas

☐ visitor rules (e.g. pick-up at reception, documentation of visiting hours, visitor pass, accompanying visitors to exit after visit)

☐ other measures / specification of the measures mentioned above:

b. Measures which prevent that unauthorized persons can use the processing systems:

☒ personal and individual user log-in for registration in the systems or company network

☒ authorization process for access authorizations

☒ limitation of authorized users

☒ single sign-on

☒ two-factor authentication

☐ BIOS passwords

☒ password procedures (indication of password parameters with regard to complexity and update interval)

☐ electronic documentation of passwords and protection of this documentation against unauthorized access

☐ personalized chip cards, token, PIN/TAN, etc.

☒ logging of access

☐ additional system log-in for certain applications

☒ automatic locking of the clients after expiry of a certain period without user activity (also password protected screensaver or automatic stand-by)

☒ firewall

☐ other measures / specification of the measures mentioned above:

c. Measures which ensure that only authorized persons have access to the processing systems and that personal data cannot be read, copied, modified or removed without authorization:

☒ management and documentation of differentiated authorizations

☒ evaluations/logging of data processing

☒ authorization process for authorizations

☒ approval routines

☐ profiles/roles

☒ encryption of CD/DVD-ROM, external hard drives and/or laptops (e.g. per operating system, SafeGuard Easy, PGP)

☒ measures to prevent unauthorized transfer of data on data carriers which can be used externally (e.g. copy protection, locking of USB ports, Data Loss Prevention (DLP) system)

☒ Mobile Device Management system

☐ four-eyes principle

☒ segregation of functions (segregation of duties)

☐ expert destruction of records

☒ irreversible deletion of data carriers

☐ privacy foil for mobile data processing systems

☒ cyber-related logs retained for no less than six months

☐ other measures / specification of the measures mentioned above:

d. Measures which ensure that data collected for different purposes can be processed separately:

☐ storage of the data sets in physically separated databases

☒ separate systems

☒ access authorizations by functional responsibility

☐ separate data processing by differentiating access rules

☐ multi-client capability of IT systems

☒ use of test data

☒ separation of development and production environment

☐ other measures / specification of the measures mentioned above:

4. Measures to ensure integrity

☒ access rights

☒ system-side logging

☐ document management system (DMS) with change history

☒ security / logging software

☒ functional responsibilities, organisationally specified responsibilities

☐ multiple-eyes principle

☒ tunnelled remote data connections (VPN = virtual private network)

☒ Data Loss Prevention (DLP) system

☐ electronic signature

☒ logging of data transfer or data transport

☒ logging of read accesses

☒ logging of the copying, modifying or removal of data

☐ other measures / specification of the measures mentioned above:

5. Measures to ensure and restore availability

☒ security concept for software and IT applications

☒ back-up procedures

☒ storage process for back-ups (fire-protected safe, separate fire sections, etc.)

☒ ensuring data storage in secured network

☒ need-based installation of security updates

☐ mirroring of hard drives

☒ set-up of an uninterrupted power supply

☒ suitable archiving facilities for paper documents

☒ fire and/or extinguishing water protection for the server room

☐ fire and/or extinguishing water protection for the archiving facilities

☒ air-conditioned server room

☒ virus protection

☒ firewall

☒ emergency plan

☒ successful emergency exercises

☐ redundant, locally separated data storage (off-site storage)

☐ other measures / specification of the measures mentioned above:

6. Measures to ensure resilience

☒ emergency plan in case of machine breakdown / business recovery plan

☐ redundant power supply

☒ sufficient capacity of IT systems and plants

☐ logistically controlled process to avoid power peaks

☒ redundant systems / plants

☐ resilience and error management

☐ other measures / specification of the measures mentioned above:

7. Procedure for regular review, assessment and evaluation of the effectiveness of the technical and organisational measures

☒ procedures for regular controls/audits

☒ concept for regular review, assessment and evaluation

☐ reporting system

☒ penetration tests

☒ emergency tests

☒ certification; if available: SOC 2

☐ other measures / specification of the measures mentioned above:

8. Control of instructions / assignment control

☐ process of issuing and/or following instructions

☐ specification of contact persons and/or responsible employees

☐ control / examination that the assignment is executed in accordance with instructions

☐ training / instruction of all Service Provider’s access-authorized employees

☐ independent auditing of adherence to instructions

☒ commitment of employees to maintain confidentiality

☒ agreement on penalties for infringements of instructions

☒ appointment of a data protection officer according to art. 37 et seq. GDPR

☐ data protection manager / coordinator

☐ keeping records of processing activities in accordance with art. 30, para. 2 GDPR

☐ documentation and escalation process for personal data breaches

☒ guidelines / instructions which guarantee technical-organisational measures for the security of the processing

☐ process for forwarding requests of data subjects

☐ other measures / specification of the measures mentioned above:

APPENDIX 2

Processing locations

The personal data transferred will be processed in the following countries/locations (please specify):

  • United States of America
  • European Union
  • Other – (please specify): Australia, Canada and Switzerland