We have updated our Data Processing Agreement. Find the full updated agreement here.
Summary of main changes:
1) Addition of 2 new optional sub-processors for users using the new AI Insights feature - OpenAI and Azure. Further information on these optional sub-processors can be found here, and the AI Insights feature here.
2) Addition of, or rewriting/restructuring of some clauses to add additional clarity (see list below)
3) Addition of the new EU SCCs to cover international data transfers to the US for OpenAI when using the AI Insights tool (for EU customers)
4) Addition of the new EU SCCs plus UK addendum to cover international data transfers to the US for OpenAI when using the AI Insights tool (for UK and rest of the world customers)
5) Clarification on clauses 1.1 and 27 to clarify which business entity customers are trading with, what laws the agreement is governed by and which courts will be used.
6) Amendments to reflect the UK leaving the EU
Full list of notable changes:
- 4.3.5 - clarification to cover any community group rather than a group created by a users of your organisation
- 4.3.6 - addition
- 4.7 - amended text to 'ensure you have a lawful basis'
- 5.3 - addition of 'Data controller' and removal of '3 month period'
- 7.1 - clarification - 'In such a case, the data processor shall inform the data controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.'
- 7.2.4 - addition of 'Data Incident'
- 7.3.1 - addition of '...and maintains the Security Measures for the duration of the processing;'
- 7.6 - addition
- 9.2 - added additional clarification and details
- 10.3 - changed '...reasonably requested by the data processor' to 'necessary'
- 10.7 - addition of '...are aware of their and IRIS Connect's obligations under the European Union and UK Data Protection Legislation,'
- 11.2 - addition of '....including the nature of the Data Incident, and the categories and approximate number of both data subjects and personal data records concerned;' and 'the likely consequences of the Data Incident.'
- 11.3 - addition of '...IRIS Connect may in addition to an email, deliver a notification of any Data Incident(s),by direct communication'
- 11.6 - addition
- 12.1.3 - addition
- 13.8 - clarification '...audit provided that IRIS Connect will not charge a fee, or will reimburse the Customer for any fees paid, in connection with an audit where IRIS Connect is found to have breached these Clauses of the Local Regulatory Framework.'
- 16.4.1/2/3 - addition
- 17.5 - clarification that '....the data processor will impose the same data protection obligations as set out in the Clauses shall be imposed on that sub-processor'
- 19.7.2 - clarification 'or the Agreement will be terminated in accordance with Section 19.8.'
- 19.8.2 - clarification 'that is material to the performance of the Agreement;'
- 19.9 - clarification 'Subject to the exceptions below you...'
- 20.1/2 - clarification '(during the term of the Agreement)'
- Appendix - Additional details added and inclusion of OpenAI and Microsoft Azure as optional sub-processors.
You can review the agreement here and will be prompted to accept it when logging onto the IRIS Connect platform from the 3rd June.