Falkor

Supplier Data Protection Addendum (DPA)

 

Last Updated On: January 7, 2025

This Data Protection Addendum (“Addendum”) forms an integral part of the Service and/or any other agreement(s), order(s), statement(s) of work, and/or other legally binding instrument(s) (collectively, the “Agreement”) in connection with the provision of Services by and between Falkor Vision Ltd (“Falkor”) and the supplier identified in the applicable Agreement (“Supplier”). Each of Falkor and Supplier may be referred to herein as a “Party” and collectively the “Parties”.

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. The exhibits, annexes, appendices, and schedules attached to this Addendum (each an “Annex”) form an integral part hereof and are expressly incorporated herein by this reference.

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as supplemented or amended, including by this Addendum. This Addendum shall enter into force together with the execution of the Agreement.

  • 1 Definitions
    • 1 “Authorized Personnel” means Supplier’s personnel to whom access to Falkor Personal Data is strictly necessary in order to provide the Services.
    • 2 “Falkor Personal Data” means Personal Data Processed by Supplier on behalf of Falkor pursuant to the Agreement and/or this Addendum.
    • 3 “Data Protection Laws” means, as applicable, domestic and foreign laws, rules, directives and regulations that apply to data privacy, data security and/or the protection of Personal Data, including the GDPR, Israel’s Protection of Privacy Law, 5741-1981 (“PPL”), the regulations enacted thereunder, including but not limited to the Protection of Privacy Regulations (Data Security), 5777-2017 (“Data Security Regulations”) and applicable guidelines issued by the Israeli Registrar of Databases.
    • 4 EEA” means the European Economic Area;
    • 5 “GDPR” means EU Regulation (EU) 2016/679 of 27 April 2016 (General Data Protection Regulation and the UK GDPR as defined Data Protection Act 2018 (Addendum 2018).
    • 6 “Services” means the services to be provided by Supplier to Falkor pursuant to the Agreement;
    • 7 “Standard Contractual Clauses” means (1) with respect to the EU – the Standard Contractual Clauses attached as Schedule 2 hereto (“EU SCCs”); or, (2) with respect to the UK – the EU SCCs together with the international data transfer addendum to the European Commission’s standard contractual clauses for international data transfers published by the Information Commissioner’s Office on 2 February 2022, which are attached as Schedule 4 (“UK SCCs”). Should any subsequent version thereof be released by the European Commission and/or the UK government, Schedules 2 and/or 3 shall be amended accordingly;
    • 8 “Sub-processor” means any person appointed by or on behalf of Supplier to Process Personal Data in connection with the Agreement.
    • 9 “UK GDPR” means the UK Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

The terms “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process”, “Processor” and “Supervisory Authority”, or their equivalent, shall have the same meaning as in the applicable Data Protection Laws, and their cognate terms shall be construed accordingly.

  • 2 Legal framework for processing
    • 1 Supplier shall Process Falkor Personal Data as a “Processor” or a “sub-Processor” in accordance with the provisions of the Data Protection Laws, as will be in effect from time to time.
    • 2 Supplier shall Process Falkor Personal Data solely as instructed by Falkor and on behalf of Falkor, who is the “Controller” or a “Processor” of the Falkor Personal Data, as applicable. Supplier shall only collect, Process or use Falkor Personal Data to the extent necessary to perform the Services. Supplier shall not, in any manner, collect, Process or use any Falkor Personal Data for any other purpose or in any illegal manner.
    • 3 Falkor’ instructions shall be documented. This is carried out either by this Addendum, by Falkor giving the instructions in text form, or – if Falkor gives the instructions only orally – by Supplier confirming the instructions to Falkor without undue delay after the instructions in text form and giving Falkor the option to confirm or correct the documentation of the instruction. Where Supplier believes that compliance with any Falkor’ instructions infringes applicable data protection law, Supplier shall immediately notify Falkor thereof.
    • 4 Schedule 1 to this Addendum sets out certain information regarding the Processing of the Falkor Personal Data by Supplier as required by Article 28(3) of the GDPR and/or UK GDPR. Nothing in Schedule 1 confers any right or imposes any obligation on any Party to this Addendum.
  • 3 Supplier’s Obligations
    • 1 Supplier shall take all technical and organizational measures to ensure the appropriate level of security for Falkor Personal Data. Supplier shall ensure the implementation of technical and organizational measures that comply with the applicable requirements under Data Protection Laws, in order to protect against unauthorized or unlawful Processing of Falkor Personal Data and against accidental loss or destruction of, or damage to, Falkor Personal Data, appropriate to the harm that might result from the unauthorized or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures, and take adequate administrative, physical and technical measures for securing Falkor Personal Data and protecting its confidentiality, availability and integrity, and ensuring the privacy of persons to whom the Personal Data relates. The minimum technical and organizational measures to be taken by Supplier are listed in Annex A to the Data Protection and Privacy Undertaking included in the Agreement.
    • 2 As to the correction, deletion and blocking of Falkor Personal Data, Supplier shall comply with Falkor’s instructions. Prior to any correction, deletion or blocking of Falkor Personal Data, Supplier shall inform Falkor thereof in writing reasonably in advance; Supplier shall then follow the specific instructions Falkor may give in that respect.
    • 3 Immediately following the execution of the Agreement, the Supplier shall submit to Falkor contact details of its internal data protection officer (to the extent appointed).
  • 4 Supplier’s Personnel

Supplier shall take all of the means that are necessary to maintain the confidentiality of the Falkor Personal Data at a high level of security and protection and shall ensure that:

  • 1 Falkor Personal Data is Processed and accessed only by Authorized Personnel, on a strict need-to-know basis and solely for the provision of the Services. Any use of Falkor Personal Data for any other purpose shall be deemed a material breach of this Addendum.
  • 2 all Authorized Personnel are bound by a written confidentiality undertaking to keep Falkor Personal Data confidential, to use it only in accordance with this Addendum, and to implement the data protection measures mentioned herein or otherwise required under Data Protection Laws, prior to allowing them any access to Falkor Personal Data.
  • International Transfer of Personal Data
    • 1 Falkor Personal Data may be transferred outside of the EEA and UK in the following cases: (a) Falkor Personal Data is transferred to a country or based upon a scheme (such as a an agreement between the European Union and a certain country) which is approved by the European Commission and/or by the authorized UK government authority (as applicable), as ensuring an adequate level of protection (“Approved Jurisdictions”); (b) subject to the entry into the Standard Contractual Clauses or any other lawful mechanism by the transferor and the transferee with respect to the transfer of Falkor Personal Data; or (c) if the transfer falls within a permitted derogation under the Data Protection Laws.
    • 2 Transfer of GDPR-governed Falkor Personal Data (“EEA Transferred Data”) to a country which is not included in the Approved Jurisdictions, is made in accordance with the EU SCCs, in accordance with Schedule 2.
    • 3 Transfer of UK GDPR-governed Falkor Personal Data (“UK Transferred Data”) to a country which is not included in the Approved Jurisdictions, shall be in accordance with the UK SCCs, as detailed in Schedule 3.
    • 4 Other cross-border data transfers shall be made in accordance with the applicable Data Protection Laws.
  • 6 Rights of the Data Subject, Further Support and Information
    • 1 Supplier shall assist Falkor to fulfill its obligations to respond to Data Subjects’ requests and prepare Supplier’s IT systems so that they will allow dealing with all such requests in an efficient manner. If Falkor is obliged to provide a Data Subject a copy of his/her data or allow for data portability, Supplier shall prepare all required data in the required format allowing Falkor to comply with the Data Subject’s request. If Supplier should receive any corresponding inquiries of individuals, Supplier shall immediately pass on such inquiries to Falkor to allow a direct answer, or answer the inquiry, as instructed by Falkor in the respective case.
    • 2 Supplier shall assist, and cooperate with, Falkor in ensuring compliance with the following obligations:
      • maintaining records of Processing activities (or a similar document required under the applicable Data Protection Laws) and cooperating with a Supervisory Authority.
      • assessing the appropriate level of security and implementation of appropriate technical and organizational measures; and
      • Conducting data protection impact assessments and prior consultations with Supervisory Authorities, which Falkor considers to be required.
    • 3 Supplier shall constantly monitor its compliance with applicable Data Protection Laws and this Addendum. In the event of suspicion of infringement of applicable Data Protection Laws or of this Addendum (arising from Supplier, its employees, or other third parties) and any other irregularity in relation to the Processing of Falkor Personal Data, Supplier shall inform Falkor immediately thereof in writing.
  • 7 Personal Data Breach
    • 1 If Supplier becomes aware of a Personal Data Breach, Supplier shall immediately notify Falkor providing at least the following information:
      • a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned;
      • the name and contact details of the Supplier contact person from whom more information can be obtained;
      • a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects; and
      • a suggestion for a temporary solution to handle the Personal Data Breach immediately and avoid any further negative consequences for the Data Subject and Falkor.
    • 2 Supplier shall continue to update Falkor with respect to the development of the Personal Data Breach and the investigation thereof.
    • 3 Supplier shall further cooperate with Falkor and provide reasonable assistance requested by Falkor with respect to any Personal Data Breach.
    • 4 In close consultation with Falkor, Supplier must take all required measures to secure Falkor Personal Data and limit any possible detrimental effect on Data Subjects. Where obligations are placed on Falkor under applicable Data Protection Laws, Supplier must assist Falkor in meeting them. Supplier shall coordinate in good faith with Falkor on developing the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant regulators in connection with a Personal Data Breach.
  • 8 Control Rights
    • 1 Falkor may, by itself or via a third party (subject to confidentiality obligations), carry out an audit of Supplier’s compliance with this Addendum and applicable Data Protection Laws. Such audit shall be carried out no more than once a calendar year, unless a Personal Data Breach occurs – in which case such audit can be conducted more than once a calendar year.
    • 2 Supplier shall fully cooperate with and support such audit. Supplier shall provide to Falkor, upon request, all information which is necessary or helpful to demonstrate compliance with Data Protection Laws and this Addendum, and to carry out a comprehensive review of the Processing.
    • 3 If an audit reveals that the Supplier is not in compliance with applicable Data Protection Laws, Supplier immediately shall take all corrective actions necessary to ensure compliance with these provisions, and shall comply with the instructions given by Falkor in this regard.
    • 4 Supplier shall provide a report to Falkor, upon its request and no more than once a calendar year, with respect to the manner of its compliance with its undertakings pertaining to data security as stated in this Addendum.
    • 5 Supplier will further provide Falkor with information relating to its compliance with this Addendum that is reasonably necessary to Falkor for responding to any inquiry, request, order, etc. addressed to the Falkor, in a manner which will enable Falkor to effectively respond to the relevant inquiry, complaint, order, etc., within three (3) business days from Falkor’s request.
  • 9 Sub-processors
    • 1 Falkor authorizes Supplier to engage Sub-processors, who will Process Falkor Personal Data, if the provisions of this Section 9 are complied with. The Sub-processor must be engaged as a Supplier in a contractual agreement that would impose requirements which are no less stringent than those imposed on the Supplier under this Addendum.
    • 2 Supplier shall be authorized to use additional Sub-processors subject to Falkor’s prior written approval of each such Sub-processor. Supplier shall submit the request for authorization at least thirty (30) days prior to the engagement of the sub-processor, together with the information necessary to enable Falkor to decide on the authorization. 
    • 3 Supplier’s engagement with Sub-processors shall not derogate from Supplier’s responsibility to Falkor under the Agreement, this Addendum and/or Data Protection Laws and the Supplier shall remain fully liable to Falkor for the performance of the Sub-processor’s obligations thereunder.
  • Term of the Data Processing, Data Storage Media, and Deletion of Personal Data
    • 1 This Addendum shall enter into force upon execution of the Agreement and shall be valid until the later of (i) the termination or expiration of the Agreement; and (ii) when Supplier no longer Processes any Falkor Personal Data.
    • 2 All submitted data storage media and copies thereof shall remain in the ownership of Falkor. Supplier shall store these securely, so that they are not accessible to third parties. Supplier shall at all times give information to Falkor about Falkor’s data and records.
    • 3 Upon termination of the Agreement, or upon Falkor’s request, Supplier shall return all data storage media and copies thereof to Falkor and shall thereafter, at Falkor’s choice, return to Falkor or safely and permanently delete any Falkor Personal Data. Supplier shall provide Falkor with a written certificate attesting the return or deletion of all of Falkor Personal Data, executed by an authorized executive on Supplier’s behalf.
  • Miscellaneous
    • 1 As needed to comply with Data Protection Laws, or to the extent required by any changes in such Data Protection Laws or the enactment of new applicable laws, the Parties agree to work cooperatively and in good faith to amend this Addendum in a mutually agreeable and timely manner in an effort to comply with any such Data Protection Laws. If the Parties cannot so agree, or if Supplier cannot comply with the new or additional requirements, Falkor may terminate the Agreement upon written notice to Supplier.
    • 2 In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
    • 3 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
    • 4 Any claims brought under this Addendum will be subject to the terms and conditions of the Agreement. Any alteration or modification of this Addendum is not valid unless made in writing and executed by duly authorized personnel of both Parties.

 

******

 

 

SCHEDULE 1
Data Processing Details Addendum

  1. Subject matter of Processing of Falkor Personal Data

The subject matter of the Processing of Falkor Personal Data is the provision of Services under the Agreement.

  1. Duration of Processing of Falkor Personal Data

The Duration of Processing is for the term of the Agreement.

  1. The nature and purpose of the Processing of Falkor Personal Data

Performing the Agreement between the Parties, this Addendum and/or other contracts executed by the Parties.

  1. The types of Falkor Personal Data to be Processed (including special categories of data, if applicable)

Falkor Personal Data may include data that is publicly available on the internet, including social networks, such as name, email, telephone number and other contact details, physical address, age, hobbies, photos, posts, and participating in groups. 

  1. The categories of Data Subjects to whom the Falkor Personal Data relates

The categories of Data Subject may include:

  • Employees, agents, advisors, and freelancers of Falkor (who are natural persons);
  • Employees, agents, advisors, and freelancers of Falkor’s clients (who are natural persons);
  • Prospects, customers, business partners, and vendors of Falkor’s clients (who are natural persons);
  • Employees or contact persons of Falkor client’s prospects, customers, business partners, and vendors; and
  • Any other third-party individual that Falkor’s client decides to use Falkor’s services in his/her connection.
  1. Processing activities

Receipt, collection, storage, copying, review, analyzation, disclosure, exposure, transfer, or grant of access (to the extent permitted under the Agreement) to Falkor Personal Data.

  1. Access to Falkor’s systems

None, unless otherwise permitted under the Agreement.

  1. The obligations and rights of the parties

The obligations and rights of the Falkor and Supplier are set out in the Agreement, including this Addendum.

  1. Supplier’s Contact Person

Immediately following the execution of the Agreement, the Supplier shall submit to Falkor the contact details of the contact person.

 

SCHEDULE 2

EU STANDARD CONTRACTUAL CLAUSES

 

  1. Module Two (Controller to Processor) or Module Three (Processor to Processor) of the Standard Contractual Clauses shall apply.
  2. Clause 7 (Docking Clause): shall apply.
  3. Clause 9 (Use of sub-processors): SPECIFIC AUTHORISATION shall apply. The applicable time period is as detailed in the Addendum.
  4. Clause 11 (Redress): the optional language will not apply.
  5. Section 13(a): Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as the competent supervisory authority.
  6. Clause 17 (Governing Law): Option 1 shall apply. The Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland.
  7. Clause 18(b) (Choice of forum and jurisdiction): disputes will be resolved before the courts of Ireland.
  8. Annex I:
  9. List of Parties: As detailed in the Agreement. The Standard Contractual Clauses shall be deemed as signed on the date of the Agreement.
  10. Description of transfer: as detailed in Annex 1.
  11. Competent supervisory authority:
  12. Annex II – Technical and Organizational Measures: As detailed in Annex A to the Data Protection and Privacy Undertaking included in the Agreement. Annex III – List of Sub-processors: As authorized by Falkor.

 

 

 

SCHEDULE 3

INTERNATIONAL DATA TRANSFER ADDENDUM TO THE EU COMMISSION STANDARD CONTRACTUAL CLAUSES

Part 1: Tables

Table 1: Parties

Start date

The date of the Agreement

The Parties

Exporter (who sends the Restricted Transfer)

Importer (who receives the Restricted Transfer)

Parties’ details

As detailed in the Agreement.

As detailed in the Agreement.

Key Contact

As communicated to the Importer.

As communicated to the Exporter.

Signature (if required for the purposes of Section 2)

This Schedule 3 shall be deemed as signed on the date of the Agreement.

This Schedule 3 shall be deemed as signed on the date of the Agreement.

 

Table 2: Selected SCCs, Modules and Selected Clauses

Addendum EU SCCs

 The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:

Date:       

Reference (if any):       

Other identifier (if any):       

Or

 the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum:

Module

Module in operation

Clause 7 (Docking Clause)

Clause 11
(Option)

Clause 9a (Prior Authorisation or General Authorisation)

Clause 9a (Time period)

Is personal data received from the Importer combined with personal data collected by the Exporter?

1

 

 

 

 

 

 

2

X

Applicable

Not applicable

Specific Authorisation

As detailed in the Addendum.

 

3

X

Applicable

Not applicable

Specific Authorisation

As detailed in the Addendum.

 

4

 

 

 

 

 

 

 

 

 

Table 3: Appendix Information

Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:

Annex 1A: List of Parties: As detailed in the Agreement.

Annex 1B: Description of Transfer: As detailed in Schedule 1 above.

Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: As detailed in Annex A to the Data Protection and Privacy Undertaking included in the Agreement.

Annex III: List of Sub processors (Modules 2 and 3 only): As approved by Falkor.

Table 4: Ending this Addendum when the Approved Addendum Changes

Ending this Addendum when the Approved Addendum changes

Which Parties may end this Addendum as set out in Section 18:

 Importer

 Exporter

 neither Party

 

Part 2: Mandatory Clauses

Mandatory Clauses

Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.