LOCAL COUNTRY AGREEMENT [European Union]
EX-10.1 2 exhibit101localcountryagre.htm EXHIBIT 10.1 Exhibit
EXECUTION COPY
CONFIDENTIAL
LOCAL COUNTRY AGREEMENT
[European Union]
This Local Country Agreement – European Union (this “Local Country Agreement”) is entered into effective November 1, 2016 (the “Local Country Agreement Date”), by and between Graphic Packaging International Europe NV, with offices at Fountain Plaza Belgicastraat 7 bus 5, 1930 Zaventem, Belgium (“Local GPI”), and Dell Corporation Ltd., a registered company under the law of England and Wales with offices at Dell House, The Boulevard, Cain Road, Bracknell, Berkshire, RG12 1LF (“Local Dell”) (Local GPI and Local Dell being the “Parties”, and each being a “Party” to this Local Country Agreement).
RECITALS:
Graphic Packaging International, Inc., a corporation formed in accordance with the laws of Delaware (“GPI”), and Dell Marketing L.P., a Texas limited partnership (“Dell”), are Parties to a Master Services Agreement (the “Master Services Agreement”) effective November 29, 2007 (together with any amendments thereto, and including the schedules and exhibits thereto, the "Agreement ");
The Agreement contemplates that, in the case of Service Recipients located outside of the United States, GPI or an Affiliate designated by GPI, and Dell or an Affiliate designated by Dell, may enter into a local country agreement for the provision of such Designated Services;
The purpose of this Local Country Agreement is to set forth the terms and conditions for Local Dell’s provision of the Designated Services as described in this Local Country Agreement to Service Recipients in the European Union as identified in Schedule 1.1(a) to the Master Services Agreement;
In consideration of the promises contained in this Local Country Agreement and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, Local GPI and Local Dell agree as follows:
1. | GENERAL: |
1.1 | Incorporation of Agreement and Precedence of Obligations. Except as expressly modified or excluded in this Local Country Agreement, the terms and conditions of the Agreement will apply to, and are incorporated into, this Local Country Agreement. Local GPI and Local Dell agree that the terms and conditions of this Local Country Agreement shall consist of the terms and conditions of the Agreement, as modified and supplemented by this Local Country Agreement; and that they are bound by and subject to the terms and conditions of the Agreement, as modified and supplemented by this Local Country Agreement. References in the Agreement to “GPI” mean Local GPI, references in the Agreement to “Dell” and “Perot Systems” mean Local Dell, and references in the Agreement to “Agreement” mean the Agreement as modified and supplemented by this Local Country Agreement, for the purposes of this Local Country Agreement. In the event of a conflict between this Local Country Agreement and the Agreement, unless expressly specified otherwise, the terms of this Local Country Agreement will prevail. |
1.2 | References. All references in this Local Country Agreement to articles, sections and exhibits are to this Local Country Agreement, unless another reference is provided. |
1.3 | Definitions. Capitalized terms used in this Local Country Agreement, to the extent not otherwise defined in this Local Country Agreement, have the same meanings as in the Agreement. |
1.4 | Changes to the Agreement. The Parties acknowledge and agree that GPI and Dell may modify the Agreement at any time. Local GPI and Local Dell agree to all of the terms and conditions set forth in the Agreement as so modified, and hereby consent to, agree to be bound by, and waive |
1
EXECUTION COPY
CONFIDENTIAL
notice of any extensions, deletions or other modifications of the terms and conditions of the Agreement properly made by GPI and Dell including, without limitation, any extension of the LCA Term under the terms of the Agreement.
1 | TERM AND TERMINATION. |
2.1 | Term. The term of this Local Country Agreement (the “LCA Term”) will start on the Local Country Agreement Date and, unless terminated earlier pursuant to Article XV (Termination) of the Agreement or extended pursuant to Section 3 (Extension) of this Local Country Agreement, will continue until 11:59 p.m. Atlanta, Georgia time on January 31, 2022 (the “LCA Term Expiration Date”). For the avoidance of doubt, the terms and conditions of the Agreement will continue in full force and effect as to this Local Country Agreement for any period of time during which the LCA Term extends beyond the Term of the Agreement. |
2.2 | Termination. |
(a) | Local GPI may terminate: (a) this Local Country Agreement; or (b) any Service Tower under this Local Country Agreement, at any time following the Local Country Agreement Date for convenience by providing Dell with at least 120 days’ prior Notice of GPI’s intent to terminate and paying Local Dell the Termination Fee. In the case of the termination of this Local Country Agreement as a whole for convenience, upon its payment of the appropriate Termination Fee, Local GPI will be under no further obligation to pay any Charges arising from and after the date of termination. In the case of the termination for convenience of less than all then-current Service Towers under this Local Country Agreement, upon its payment of the appropriate Termination Fee, Local GPI will be under no further obligation to pay any Charges arising from and after the date of termination with respect to the terminated Service Towers. |
(b) | For the avoidance of doubt, except as modified by Section 2.2 (Termination) of this Local Country Agreement, Article XV (Termination) of the Agreement will apply to this Local Country Agreement fully in accordance with its terms. |
(c) | For purposes of this Local Country Agreement, “Termination Fee” means only the applicable fee set forth in Schedule 15.1. For the avoidance of doubt, “Termination Fee” as used in this Local Country Agreement does not include Wind-down Expenses or any other fees, costs or expenses (other than any amounts specified in Schedule 15.1). Section 15.11(a)(3) and Section 15.11(c) of the Agreement shall not apply to any termination pursuant to Section 2.2(a) of this Local Country Agreement. |
2 | INTENTIONALLY OMITTED. |
3 | LOCAL SERVICES. Local Dell will provide to the Service Recipients in the European Union identified in Schedule 1.1(a) to the Master Services Agreement the Designated Services described in Statement of Work No. 1 to this Local Country Agreement, in accordance with the applicable provisions of the Agreement. For the purposes of this Local Country Agreement, the definition of “Designated Services” (as set out in Section 2.1 of the Agreement) shall be amended to exclude Sub-sections 2.1(1) and (2). Local Dell will also timely perform or cause to be performed the obligations of Dell specified in the Agreement with respect to such Designated Services. |
4 | DATA PROTECTION. In this Clause 5, the terms “data controller”, “data processor”, “personal data” and “processing” shall be as defined in the European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“Directive”) as amended or superseded (in particular by the General Data Protection Regulation (EU) 2016/679) from time to time. Local GPI shall comply with the provisions and |
2
EXECUTION COPY
CONFIDENTIAL
obligations imposed by the Directive (as implemented into applicable national laws) and, once it has entered into force, the General Data Protection Regulation (EU) 2016/679 in respect of the processing of the personal data.
(a) | Local GPI warrants and represents on behalf of itself and its Affiliates that it has obtained all necessary consents and permissions for lawful processing, prior to passing personal data to Local Dell. |
(b) | Local Dell shall process the personal data only in accordance with Local GPI’s instructions and this Local Country Agreement. This Local Country Agreement and its annexes set out the scope of Local GPI’s complete and final instructions to Local Dell for the processing of personal data. Any additional or alternate instructions must be agreed between the Parties in writing, such agreement shall not be unreasonably withheld, delayed or denied by either Party. To the extent Local Dell processes personal data as a data processor for Local GPI under or in connection with the Local Country Agreement, Local Dell shall take reasonable steps designed to ensure appropriate protection is in place to safeguard such personal data. For this reason Local Dell and Local GPI enter into a Data Processing Agreement which is attached as Annex 1 to this Local Country Agreement as a signed version. Service Recipients in the EEA/Switzerland as identified in Schedule 1.1(a) of the Agreement hereby accede to the Data Processing Agreement attached as Annex 1 to this Local Country Agreement and may directly enforce them against Local Dell with regard to the personal data they control as a data controller. |
(c) | Subject to section 21.4 of the Agreement, Local Dell must comply with any specific clauses that any applicable law enforcement authority (including the European Commission and the European Data Protection Supervisor) obligate or recommend are inserted into the Data Processing Agreement attached to this Local Country Agreement as Annex 1 and the Parties will amend it respectively. |
(d) | Local Dell shall use its reasonable efforts to assist Local GPI to respond to requests for access to personal data which may be made by individuals to whom the personal data relates and where the personal data are held by Local Dell, subject to the payment by Local GPI of Local Dell’s reasonable professional charges for the time engaged by Local Dell staff in so doing. |
(e) | Local GPI instructs and authorizes Local Dell to collect, use, store and transfer the personal data Local GPI provides to Local Dell for the purpose of and to the extent required to perform Local Dell’s obligations under the Local Country Agreement. |
(f) | In case Local Dell uses sub-processors (including its Affiliates) to perform the services under this Local Country Agreement in accordance with Clause 11 of the Data Processing Agreement attached to the Local Country Agreement as Annex 1, Local Dell will flow down similar rights and obligations to its sub-processors as set out in this Section 5 (Data Protection), provided that in the case of Affiliates of Local Dell, the EU model clauses (2010/87/EU) in place between all Affiliates within the Dell group shall be adequate for this purpose. If requested by Local GPI, Local Dell will procure that each sub-processor will enter into a data processing agreement as attached to this Local Country Agreement as Annex 1 with Local GPI and all Service Recipients located in the EEA/Switzerland as identified in Schedule 1.1(a) of the Agreement. |
(g) | Local Dell shall not be liable for any claim brought by Local GPI or a data subject arising from any action or omission by Local Dell to the extent that such action or omission resulted from compliance by Local Dell with Local GPI’s instructions. Local Dell shall, |
3
EXECUTION COPY
CONFIDENTIAL
at its own expense, defend Local GPI against all losses, claims, costs, damages or proceedings suffered or incurred by Local GPI and/or its Affiliates by a third party arising out of or in connection with a breach by Local Dell and/or its sub-processors of its obligations set out in this clause 5 of this Local Country Agreement and the Data Processing Agreement attached as Annex 1 and Local Dell will pay any costs of settlement or any damages finally awarded against Dell.
(h) | In the event of any conflict or inconsistency between this Local Country Agreement and the Agreement or the SOW, this Local Country Agreement shall prevail. In the event of any conflict or inconsistency between this Local Country Agreement and the Data Processing Agreement attached hereto as Annex 1, the Data Processing Agreement shall prevail. |
(i) | Local Dell and all subcontractor(s) performing Designated Services under this Local Country Agreement are certified as compliant with ISO 27001:2013 by an accredited certification body, and will remain certified as compliant with ISO 27001:2013 (or a successor) at all times during the LCA Term. Local Dell will provide all then-current certificates of compliance to Local GPI upon request. |
6. | LOCAL GPI OBLIGATIONS. Local GPI will timely perform or cause to be performed the obligations of GPI specified in the Agreement with respect to the Designated Services provided by Local Dell under this Local Country Agreement. |
7. | LOCAL CHARGES. |
7.1 | The Charges for the Designated Services to be provided by Local Dell under this Local Country Agreement are set forth Schedule 4.1 to the Agreement and in Statement of Work No. 1 to this Local Country Agreement. All Charges for the Designated Services under this Local Country Agreement are set out in Schedule 4.1 in U.S. Dollars. |
7.2 | Local Dell will invoice Local GPI for the Designated Services under this Local Country Agreement in Euro. Each invoice shall be in the form of Annex 2 (Form of Invoice). Local Dell will send all invoices to Local GPI addressed as follows: |
Graphic Packaging International Europe NV
Attn: Accounts Payable
Belgicastraat 7 bus 5
1930 Zaventem
Belgium
7.3 | Currency Conversion. |
(a) | Adjustment. Starting on January 1, 2017, the Charges under this Local Country Agreement shall be converted from U.S. Dollars into Euro on a consecutive three-month basis in accordance with this Section 7.3. The Charges in each Conversion Rate Period shall be subject to conversion from U.S. Dollars to Euro at the Average Exchange Rate calculated based on the immediately preceding Conversion Rate Period. Notwithstanding the foregoing, Adjustments shall be subject to conversion from U.S. Dollars to Euro based on the Average Exchange Rate in effect during the Conversion Rate Period in which the Services giving rise to the Adjustment were performed. |
(b) | Average Exchange Rate. The “Average Exchange Rate” shall be determined by calculating the average daily Exchange Rate in each Conversion Rate Period. The Average |
4
EXECUTION COPY
CONFIDENTIAL
Exchange Rate will be calculated by dividing the sum of the daily Exchange Rates during the Conversion Rate Period by the number of days in that Conversion Rate Period.
(c) Examples.
(i) | Calculation of Average Exchange Rate. |
If the sum of the daily Exchange Rates during the Conversion Rate Period starting July 1, 2017, and ending September 30, 2017, equals 82.8, then the Average Exchange Rate calculated on October 1, 2017, and applicable to the Charges under this Local Country Agreement during the Conversion Rate Period running from October 1, 2017, through December 31, 2017, will equal 0.90.
[82.8 / 92 = Average Exchange Rate of 0.90]
82.8 = the sum of daily Exchange Rates in the Conversion Rate Period
92 = the number of calendar days in the Conversion Rate Period
(ii) | Conversion of Charges. |
The Charges shall be converted from U.S. Dollars to Euro by multiplying the Charges as set out in Schedule 4.1 by the Average Exchange Rate calculated based on the immediately preceding Conversion Rate Period. For example, if the EU Cloud Service Fee identified in Schedule 4.1 is US$89,245, and the Average Exchange Rate calculated based on the Conversion Rate Period of January 1, 2017, to March 31, 2017, is USD 1.00 = EUR 0.90, then the EU Cloud Service Fee each month for the Conversion Rate Period commencing on April 1, 2017, will equal €80,320.50.
(d) Definitions.
(i) | “Conversion Rate Period” means the three-month period starting on a Measurement Date and ending on the earlier of (A) the day before the next Measurement Date, or (B) the effective date of termination or expiration of the Local Country Agreement or the applicable Statement of Work. Notwithstanding the foregoing, the initial Conversion Rate Period is October 1, 2016, to December 31, 2016. |
(ii) | “Exchange Rate” means the exchange rate of U.S. Dollars to Euro published at http://www.bloomberg.com/markets/currencies (or any successor resource designated by Bloomberg L.P.) as the rate at “close,” represented by the number of Euro received in exchange for USD 1.00. |
(iii) | The “Measurement Dates” are January 1, April 1, July 1 and October 1 of each calendar year during the term of this Local Country Agreement. |
7.4 | Taxes. |
(a) | Allocation of Responsibility. Except as provided in Section 6.2(e), Local GPI will be financially responsible for Taxes imposed on, based on, or measured by any consideration for any provision of services or transfer of property by Local Dell to Local GPI pursuant to this Local Country Agreement and for which Local Dell has an obligation under Law to collect such Taxes from Local GPI. Local GPI shall not be financially responsible for (i) any penalties, interest and other charges related to Taxes, (ii) except as provided in Section 6.2(c), any taxes (including related interest, penalties, and additions to tax) not within the scope of the term Taxes as defined in this Local Country Agreement, including but not limited to, any and |
5
EXECUTION COPY
CONFIDENTIAL
all non-U.K. value added taxes, non-U.S. goods and services taxes, non-U.K. sales taxes and similar types of non-U.K. taxes which are imposed on, based on, or measured by any consideration for any provision of services or transfer of property by Local Dell to Local GPI as a result of Local Dell’s decision to provide any services from, or otherwise undertake any action in, a non-U.K. jurisdiction, (iii) any Taxes on any amounts (including but not limited to taxes) previously paid or incurred by Local Dell and that are passed through to and reimbursed by Local GPI, (iv) any Taxes that are imposed on Local Dell’s acquisition, ownership, or use of property or services in the course of providing property or services to Local GPI, (v) any Taxes imposed on, based on, or measured by any consideration for any provision of services by Local Dell to Local GPI pursuant to this Local Country Agreement and for which Local Dell has an obligation under Law to collect such Taxes from Local GPI and that arise as a result of Local Dell’s decision to provide any services from a jurisdiction other than the United Kingdom and (vi) any Taxes on any amounts owed by Local Dell to any subcontractor.
(b) | Exemptions. Notwithstanding anything to the contrary in this Local Country Agreement, Local GPI will not pay or reimburse Local Dell for any Taxes related to the provision of goods or services for which Local GPI provides Local Dell with a valid and applicable exemption certificate, multi-state benefit certificate, resale certificate, direct pay permit, or other reasonable evidence of exemption. Each Party will make all reasonable efforts to accurately determine each Party’s tax liability and to minimize such liability to the extent legally permissible. |
(c) | Property and Ad Valorem Taxes. Local Dell will be responsible for reporting and payment of any real or personal property or ad valorem taxes due on property it owns and property or ad valorem taxes it otherwise has a responsibility under law to remit, and Local GPI will be responsible for reporting and payment of any real or personal property or ad valorem taxes due on property it owns and property or ad valorem taxes it otherwise has a responsibility under law to remit. Each Party will bear sole responsibility for all taxes for franchise and privilege taxes on its business, and for taxes based on its net income. |
(d) | Withholding Taxes. Local Dell shall be financially responsible for any Withholding Tax liability asserted by any tax authority against Local GPI as a result of payments made by Local GPI to Local Dell under the terms of this Local Country Agreement. Local GPI shall provide notice to Local Dell of any assertion of Withholding Tax liability by any tax authority and shall make available to Local Dell on a timely basis valid evidence of any Withholding Tax paid by Local GPI to such tax authority. |
(e) | Assessments. Notwithstanding any other provision of this Local Country Agreement, if Local Dell receives notice from any taxing authority with respect to an assessment or potential assessment or imposition of any Tax that Local GPI would be financially responsible pursuant to this Section 6.2 (an “Assessed Tax”), Local Dell shall promptly send notice to Local GPI of such notice. Local Dell shall also provide the Local GPI tax department a copy of any such notice, which notice will be directed to the director of state taxes or comparable position. To the extent directed by Local GPI in a notice sent to Local Dell, Local Dell shall timely contest (at Local GPI’s direction and expense relating to all actions to be taken to contest) such Assessed Tax with Local GPI’s participation, or, if Local GPI so directs, permit Local GPI to contest, to the extent permissible under applicable tax law and procedures, such Assessed Tax, at Local GPI’s expense, in a forum selected by Local GPI, and with counsel selected by Local GPI and reasonably acceptable to Local Dell, until Local GPI has decided to settle the matter or all appeals have been exhausted. To the extent Local Dell contests an Assessed Tax at Local GPI’s direction, and such contest involves claims with respect to taxes or Taxes for which Local GPI would not be financially responsible pursuant to this Section 6.2, Local GPI shall be responsible only for that portion of Local Dell’s expenses as |
6
EXECUTION COPY
CONFIDENTIAL
are reasonably allocable to the contest of the Assessed Tax. Local Dell may not compromise, settle, or resolve a contest with respect to such Assessed Tax under this Section 6.2(e) without Local GPI’s Consent. Notwithstanding any provision in this Local Country Agreement to the contrary, with respect to any Assessed Tax, if Local Dell fails to comply with any of the requirements of this Section 6.2(e), such Assessed Tax shall not be a Tax for which Local GPI is financially responsible under Section 6.2.
(f) | Refunds and Rebates. Local GPI will be entitled to any Tax refunds or rebates granted to the extent such refunds or rebates are of Taxes that were the responsibility of Local GPI under this Local Country Agreement. Local GPI may require Local Dell to choose and perform one of the following: (i) apply for and diligently pursue, at Local GPI’s expense, a refund of Taxes paid by Local GPI; (ii) if permitted by Law, assign its rights to a refund claim for such Taxes to Local GPI; or (iii) in the event that Local Dell has already received a refund or rebate of any Tax for which Local GPI was responsible under this Local Country Agreement, pay to Local GPI the amount of such Taxes refunded to Local Dell and any interest received thereon. |
(g) | Cooperation. The Parties agree to reasonably cooperate with each other to enable each to more accurately determine its own Tax Liabilities and to minimize such Taxes incurred in connection with this Local Country Agreement to the extent legally possible. Such cooperation shall include, but not be limited to, preparation of Invoices in accordance with Section 4.2(b), and maintaining data, as reasonably necessary for Tax compliance purposes, making such data available to the other Party (or permitting the other Party to copy, at the requesting Party’s expense, such data), and making information in its possession and employees with technical expertise available (at the providing Party’s reasonable cost) as reasonably necessary in connection with the preparation of any Tax returns or any audit, contest or refund claim related to Taxes. |
(h) | Indemnification of GPI Indemnitees. Local Dell shall indemnify, defend and hold harmless the Local GPI and its officers, directors and Affiliates from and against all Losses (including fines and penalties) (i) for property taxes, Withholding Taxes, taxes, and Taxes for which Local GPI is not financially responsible under this Local Country Agreement, including any interest, penalties, and other charges related thereto, (ii) arising from any Governmental Authority’s reclassification or attempt to reclassify any of Local Dell’s personnel, agents, subcontractors or suppliers as an employee of Local GPI or any of Local GPI’s Affiliates, including without limitation, any tax liability (including interest and penalties) resulting from Local GPI’s or any such Affiliate’s failure to pay, deduct or withhold any income or employment-related taxes with respect to any of Local Dell’s personnel, agents, subcontractors or suppliers, (iii) for penalties, interest and other charges related to Taxes, and (iv) for taxes that any non-U.K. taxing authority assesses, levies or charges Local GPI in any jurisdiction outside the United Kingdom from which services are provided by reason of the provision of the Designated Services by Local Dell to Local GPI. |
(i) | Indemnification of Dell Indemnitees. Local GPI will indemnify, defend and hold harmless Local Dell and its officers, directors and Affiliates from and against all Losses (including fines, interest, and penalties) for Taxes, property taxes, Withholding Taxes, interest and penalties assessed or claimed against Local Dell for which Local GPI is financially responsible under this Agreement. |
(j) | Definitions. For purposes of this Local Country Agreement, the following definitions shall apply: |
(i) | “Tax” or “Taxes” means U.K. value added, goods and services, sales, use, excise, and other similar types of U.K. transfer taxes, fees or charges (excluding any related |
7
EXECUTION COPY
CONFIDENTIAL
penalties, additions to tax, and interest), however designated or imposed, which are in the nature of a transaction tax, fee or charge, but not including any such taxes, duties, fees or charges imposed on or measured by net or gross income or gross receipts (other than any such taxes which are in the nature of transaction taxes of the type listed above), capital stock or net worth, or that are in the nature of an income, capital, franchise, or net worth tax.
(ii) | “Withholding Taxes” means non-U.K. and U.K. federal, state and local taxes, fees, or charges which are imposed on or by reference to gross or net income or gross or net receipts and are required by any Governmental Authority to be withheld by Local GPI from payments made to Local Dell under this Local Country Agreement (including any related penalties and interest thereon). |
(k) | Survival. The Parties’ obligations under Section 6.2 survive any expiration or termination of this Local Country Agreement. |
7.5 | Unless otherwise specified in this Local Country Agreement, the responsibilities of each Party for invoicing and payment for Designated Services provided under this Local Country Agreement will be as set forth in the Agreement. |
8. | HR PROVISIONS. The parties have agreed the provisions set out in the attached HR Provisions Schedule, which is hereby incorporated into this Local Country Agreement. |
9. | DISPUTES AND JURISDICTION. For avoidance of doubt, any dispute arising under this Local Country Agreement will be resolved in accordance with the provisions of Schedule 3.2 (Account Governance) and Schedule 20.1 (Dispute Resolution Procedure) of the Agreement. |
10. | GOVERNING LAW. Except as otherwise provided in this Local Country Agreement, this Local Country Agreement and performance under it wiII be governed by and construed in accordance with the applicable laws of the state of Georgia, without giving effect to the principles thereof relating to conflicts of laws. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. Notwithstanding the foregoing, if any provision of this Local Country Agreement is expressly required by the laws of England and Wales to be subject to specific laws of England and Wales and the applicability of such mandatory laws is not subject to contractual waiver or limitation, the construction, interpretation and performance of such provision will be governed by the internal mandatory laws of England and Wales (without reference to choice or conflict of laws). |
11. | NOTICE. Each Party will comply with the notice provisions of Section 21 .8 of the Agreement for all notices to the other Party that are related to this Local Country Agreement. |
12. | COUNTERPARTS. This Local Country Agreement may be executed in several counterparts, all of which taken together will constitute one single agreement between the parties hereto. |
13. | SEVERABILITY. In the event that any provision of this Local Country Agreement conflicts with the law under which this Local Country Agreement is to be construed or if any such provision is held invalid or unenforceable by a court with jurisdiction over the parties hereto, such provision will be deemed to be restated to reflect as nearly as possible the original intentions of the Parties in accordance with applicable law. The remaining provisions of this Local Country Agreement and the application of the challenged provision to persons or circumstances other than those as to which it is invalid or unenforceable will not be affected thereby, and each such provision will be valid and enforceable to the full extent permitted by law. |
8
EXECUTION COPY
CONFIDENTIAL
14. | NO THIRD PARTY RIGHTS. This Local Country Agreement is entered into solely between, and may be enforced only by, Local Dell and Local GPI, and this Agreement will not be deemed to create any rights in Third Parties, including employees, suppliers or subcontractors of a Party, or to create any obligations of a Party to any such Third Parties. Nothing in this Section 14, however, is intended to contravene a Party’s obligation to the other Party to indemnify the other Party’s Indemnitees, or Dell’s obligation to Local GPI to provide the Designated Services to Service Recipients. |
15. | ENTIRE AGREEMENT. Together with the Agreement, this Local Country Agreement constitutes the entire agreement between the Parties with respect to the subject matter hereof. There are no agreements, representations, warranties, promises, covenants, commitments or undertakings other than those expressly set forth herein and therein. This Local Country Agreement supersedes all prior agreements, representations, warranties, promises, covenants, commitments or undertakings, whether written or oral, with respect to the subject matter contained in this Local Country Agreement. No amendment, modification, change, waiver, or discharge hereof will be valid unless in writing and signed by an authorized representative of the Party against which such amendment, modification, change, waiver, or discharge is sought to be enforced (except, however, that amendments to the Agreement will be applicable to this Local Country Agreement). No “click-wrap”, “shrink-wrap” or other agreement, notice or terms that accompany the Designated Services shall be effective, nor shall Local GPI’s consent to any such click-wrap, shrink-wrap or other agreement be required for Local GPI to receive the Designated Services. Local Dell (and, for avoidance of doubt, Local Dell’s Affiliates or subcontractors) will not present any terms and conditions, terms of use or agreements to Service Recipient in connection with the Services. |
IN WITNESS WHEREOF, Local GPI and Local Dell have each caused this Local Country Agreement to be executed by their respective duly authorized representatives on the dates set forth below to be effective as of the Local Country Agreement Date.
GRAPHIC PACKAGING INTERNATIONAL EUROPE NV By: Name: Title: Date: | DELL CORPORATION LTD. By: Name: Title: Date: |
9
EXECUTION COPY
CONFIDENTIAL
HR PROVISIONS SCHEDULE
Application of Transfer Regulations on commencement
1.1 | It is not the intention of the Parties that any individual employed or engaged by GPI, any GPI Affiliate and/or any of their subcontractors will transfer to Dell or any of its Affiliates (or any of their subcontractors) pursuant to the Transfer Regulations on commencement of the Designated Services under the Agreement. |
1.2 | If any individual asserts the transfer of his or her employment relationship to Dell or any of Dell's Affiliates or any of their subcontractors or makes any claims relating to an employment relationship against any such entity (an “Unintended GPI Transfer”) and Dell, its relevant Affiliate or their subcontractors (as appropriate) in its or their sole discretion does not wish to employ the Unintended GPI Transfer, then: |
1.3 | Dell shall (or shall procure that the Dell Affiliate or relevant subcontractor shall) notify GPI in writing within five business days after becoming aware of such assertions or claims; |
1.4 | GPI, the relevant GPI Affiliate and/or their subcontractors (as appropriate) may offer to re-employ the Unintended GPI Transfer within 15 business days of the notification by Dell in Section 2.1 or take such other steps as it or they considers appropriate; and |
1.5 | if such offer of employment is accepted, or if the situation has otherwise been resolved, Dell shall (or shall procure that the Dell Affiliate or relevant subcontractor, as appropriate, shall) immediately release the person from his/her purported employment. |
1.6 | In the event that after the 15 day business period specified in Section 2.2 above has elapsed, no offer of employment has been made or such offer has been made but not accepted or the situation has not otherwise been resolved, Dell, the Dell Affiliate or relevant subcontractor (as appropriate) may within five business days give notice to terminate the employment of such Unintended GPI Transfer. |
1.7 | Subject to Sections 2 and 3 above, GPI shall (and shall procure that the relevant GPI Affiliate shall) indemnify Dell, each Affiliate of Dell and all of their subcontractors from and keep them indemnified against: |
1.8 | all losses, liabilities, costs, awards, damages, fines, penalties, sanctions, amounts paid in settlement and expenses (including reasonable legal fees for both internal and external counsel, and reasonable costs of investigation, litigation and settlement) arising in connection with or as a result of any claim or demand by or on behalf of any Unintended GPI Transfer in relation to any act or omission occurring prior to or on the date on which the employment of the Unintended GPI Transfer transferred to Dell, any Affiliate of Dell or any of their sub-contractors, including a failure to inform or consult with its employees or their representatives in accordance with the Transfer Regulations; and |
1.9 | all losses, liabilities, costs, awards, damages (including any statutory redundancy payments, any enhanced redundancy payments, pension and retirement-related liability and any awards made by an employment tribunal for a basic award or compensation for unfair dismissal), fines, penalties, sanctions, amounts paid in settlement or by way of a settlement agreement and expenses (including reasonable legal fees for both internal and external counsel, and reasonable costs of investigation, litigation and settlement) arising in connection with any employment and termination of employment of an Unintended GPI Transfer by Dell, any Affiliate of Dell or any of their sub-contractors, as appropriate, in accordance with Section 3 above. |
10
EXECUTION COPY
CONFIDENTIAL
1.10 | The indemnity in Section 4 above will not apply to any claim by any person in respect of whom the notification given by Dell under Section 2.1 is received by GPI more than six calendar months after the Local Country Agreement Date. |
Application of Transfer Regulations on exit
1.11 | It is not the intention of the Parties that any individual employed or engaged by Dell, any Dell Affiliate and/or any of their subcontractors will transfer to GPI, its Affiliates or any Replacement Service Provider pursuant to Transfer Regulations on the termination or expiry of the Designated Services (in whole or in part) under the Agreement. |
1.12 | If any individual asserts the transfer of his or her employment relationship to GPI or any of GPI's Affiliates or any Replacement Service Provider or makes any claims relating to an employment relationship against any such entity (an “Unintended Dell Transfer”) and GPI, its relevant Affiliate or their subcontractors (as appropriate) in its or their sole discretion does not wish to employ the Unintended Dell Transfer, then: |
1.13 | GPI shall (or shall procure that the GPI Affiliate or Replacement Service Provider shall) notify Dell in writing within five business days after becoming aware of such assertions or claims; |
1.14 | Dell, the relevant Dell Affiliate and/or their subcontractors (as appropriate) may offer to re-employ the Unintended Dell Transfer within 15 business days of the notification in Section 8.1 or take such other steps as it or they considers appropriate; and |
1.15 | if such offer of employment is accepted, or if the situation has otherwise been resolved, GPI shall (or shall procure that the GPI Affiliate or Replacement Service Provider, as appropriate, shall) immediately release the person from his/her purported employment. |
1.16 | In the event that after the 15 day business period specified in Section 8.2 above has elapsed, no offer of employment has been made or such offer has been made but not accepted or the situation has not otherwise been resolved, GPI, the GPI Affiliate or Replacement Service Provider (as appropriate) may within five business days give notice to terminate the employment of such Unintended Dell Transfer. |
1.17 | Subject to Sections 8 and 9 above, Dell shall indemnify GPI, each Affiliate of GPI and any Replacement Service Provider from and keep them indemnified against: |
1.18 | all losses, liabilities, costs, awards, damages, fines, penalties, sanctions, amounts paid in settlement and expenses (including reasonable legal fees for both internal and external counsel, and reasonable costs of investigation, litigation and settlement) arising in connection with or as a result of any claim or demand by or on behalf of any Unintended Dell Transfer in relation to any act or omission occurring prior to or on the date on which the employment of the Unintended Dell Transfer transferred to GPI, any Affiliate of GPI or any Replacement Service Provider, as appropriate, including a failure to inform or consult with its employees or their representatives in accordance with the Transfer Regulations; and |
1.19 | all losses, liabilities, costs, awards, damages (including any statutory redundancy payments, any enhanced redundancy payments, pension and retirement-related liability and any awards made by an employment tribunal for a basic award or compensation for unfair dismissal), fines, penalties, sanctions, amounts paid in settlement or by way of a settlement agreement and expenses (including reasonable legal fees for both internal and external counsel, and reasonable costs of investigation, litigation and settlement) arising in connection with any employment and termination of employment of an Unintended Dell Transfer by GPI, any Affiliate of GPI or any Replacement Service Provider, as appropriate, in accordance with Section 9 above. |
11
EXECUTION COPY
CONFIDENTIAL
1.20 | The indemnity in Section 9 above will not apply to any claim by any person in respect of whom the notification given by GPI under Section 7.1 is received by Dell more than six calendar months after the expiry or termination of the Local Country Agreement. |
General
1.21 | This HR Provisions Schedule shall be governed by and construed in all respects in accordance with the laws of England. Each of the parties hereto hereby irrevocably submits to the non-exclusive jurisdiction of the English Courts in respect of this HR Provisions Schedule only. |
1.22 | In this HR Provisions Schedule, the following expressions have the following meanings: |
“Transfer Regulations” means the Transfer of Undertakings (Protection of Employment) Regulations 2006, as amended or restated from time to time; and
"Replacement Service Provider" means a supplier engaged to provide services in replacement for the Designated Services (in whole or in part).
ANNEX 1 to the LOCAL COUNTRY AGREEMENT: Data Processing Agreement
Controller to Processor or Sub-processor Agreement
For the purposes of accommodating local data protection requirements and the requirements of the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, the Parties have agreed on the following Contractual Clauses (the "Clauses") in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
Definitions
For the purposes of the Clauses:
(a) | "personal data", "special categories of data", "process/processing", "controller", "processor", "data subject" and "supervisory authority" shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; |
(b) | "the data exporter" shall mean the controller who transfers the personal data; |
(c) | "the data importer" shall mean the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of these Clauses and who is not subject to a third country's system ensuring to adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; |
(d) | "the sub-processor" means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract; |
(e) | "the applicable data protection law" means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established; and |
(f) | "technical and organisational security measures" means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. |
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. | The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary. |
2. | The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. |
3. | The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to outs own processing operations under the Clauses. |
4. | The Parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law. |
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) | that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State; |
(b) | that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses; |
(c) | that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this Schedule 4; |
(d) | that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation; |
(e) | that it will ensure compliance with the security measures; |
(f) | that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC; |
(g) | to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension; |
(h) | to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information; |
(i) | that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and |
(j) | that it will ensure compliance with Clause 4(a) to (i). |
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) | to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; |
(b) | that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract; |
(c) | that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred; |
(d) | that it will promptly notify the data exporter about: |
(i) | any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; |
(ii) | any accidental or unauthorised access; and |
(iii) | any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so; |
(e) | to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred; |
(f) | at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority; |
(g) | to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter; |
(h) | that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent; |
(i) | that the processing services by the sub-processor will be carried out in accordance with Clause 11; and |
(j) | to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter. |
Clause 6
Liability
Liability
1. | The Parties agree that a data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered. |
2. | If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. |
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. | If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Cause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject an enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses. |
Clause 7
Mediation and jurisdiction
1. | The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject: |
(a) | to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority; |
(b) | to refer the dispute to the courts in the Member State in which the data exporter is established. |
2. | The Parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law. |
Clause 8
Cooperation with supervisory authorities
1. | The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law. |
2. | The Parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law. |
3. | The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b). |
Clause 9
Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
1. | The Parties undertake not to vary or modify the Clauses. This does not preclude the Parties from adding clauses on business related issues where required as long as they do not contradict the Clauses. |
2. | The following commercial clauses have been added as new clauses: |
(a) | Term of the Clauses: The term of these Clauses corresponds to the term of the Local Country Agreement (“LCA”) entered into by Graphic Packaging International Europe S.A. and Dell Corporation Ltd. These Clauses shall automatically terminate upon any termination or expiration of the LCA. |
(b) | Correcting, Blocking, and Deleting Data: Data importer may only correct, delete or block personal data processed within the scope of the LCA and these Clauses in accordance with the instructions of the respective data exporter. Where data exporter so instructs data importer, data importer shall correct, delete or block data in the scope of these Clauses. Alternatively, data importer can provide data exporter with the necessary means to correct, delete or block personal data via the services agreed in the LCA. To the extent data exporter cannot correct, delete or block personal data in its use of the services, data importer shall comply with any such request from data exporter within a reasonable period of time. |
(c) | Serious Interruption of Operations/Data Breaches: Data importer shall, without undue delay, inform data exporter in case of a serious interruption of operations, strong suspicion of breaches of personal data protection (but in any case including all suspicion which may lead to reporting obligations of data exporter under any applicable data protection laws in the jurisdictions in which the Service Recipients under this Local Country Agreement are located or the GDPR when it comes into effect), and any other severe irregularity in processing personal data under these Clauses/the LCA and shall also cooperate and support data exporter to the extent necessary to comply with the data breach information obligations applicable under the relevant EU-law and the respective implementing local data protection laws of the EU-Member States. This means in particular that if data importer becomes aware of any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by data importer in the course of providing the services under these Clauses/the LCA (or any other situation according to the preceding sentence) which is in breach of data importer’s security obligations under this Data Transfer Agreement (a "Security Breach"), it shall: |
(i) | without undue delay (when the GDPR comes into effect, where feasible within 48 hours, if later, it shall be accompanied by reasons for the delay) inform data exporter of the Security Breach; |
(ii) | provide without undue delay (when the GDPR comes into effect, where feasible within 48 hours, if later, it shall be accompanied by reasons for the delay) data exporter with: (a) a detailed description of the Security Breach; (b) the affected systems (as well as periodic updates to this information and any other information data exporter may reasonably request relating to the Security Breach); |
(iii) | take action immediately to investigate the Security Breach and to identify, prevent and mitigate the effects of the Security Breach and, with the prior written approval of data exporter, to carry out any recovery or other action necessary to remedy the Security Breach; and |
(iv) | not release or publish any filing, communication, notice, press release, or report concerning the Security Breach and mentioning the data exporter without data exporter's prior written approval (except where it is required to do so by applicable law). |
(d) | Confidentiality and Data Secrecy: Data importer shall ensure that all personnel required to access/process the personal data are informed of the confidential nature of the personal data and comply with the obligations set out in this section 13.2 of the Master Service Agreement. In case data is processed in Germany, data importer shall ensure that any personnel entrusted with processing data exporter’s data have undertaken to comply with the principle of data secrecy in accordance with section 5 of the German Federal Data Protection Act and have been duly instructed on the protective regulations of the German Federal Data Protection Act. The undertaking to secrecy and confidentiality shall continue after the termination of the above-entitled activities. |
(e) | Adequate Level of Data Protection: Data importer agrees and warrants that data importer and all its affiliates and/or all other third parties which act as subprocessors according to Clause 11 of these Clauses provide for or are subject to an adequate level of data protection according to Art. 25 and Art. 26 of the EU Data Protection Directive 95/46/EC (and the respective successor rules under the General Data Protection Regulation) when personal data is processed, e.g. currently by agreeing to the “EU Standard Contractual Clauses”. |
(f) | Additional Provision on Disclosure: Data importer will not disclose personal data to law enforcement authorities or agencies unless required by law. Should a law enforcement authority or agency contact data importer with a demand for personal data, data importer will attempt to redirect the law enforcement authority or agency to request that data directly from data exporter. As part of this effort, data importer may provide data exporter’s basic contact information to the law enforcement authority or agency. If compelled to disclose personal data to a law enforcement authority or agency, data importer will promptly notify data exporter in advance of a disclosure unless legally prohibited to do so. |
(g) | Additional Provision on Technical and Organisational Measures and Data Security: Data importer will not implement any changes to its security concept/technical and organisational measures that would lower the level of security compared to that described in Appendix 2 to these Clauses. In any case shall data importer notify data exporter with ninety (90) days prior notice of any planned material changes to the technical and organisational measures and/or its security concept as described in Appendix 2. Data exporter shall have the right to terminate these Clauses and the LCA upon thirty (30) calendar days prior written notice, if he – at its sole reasonable discretion – concluded that the modified technical and organisational measures/security concepts would no longer provide for adequate security standards/technical and organisational measures as required by the applicable data protection laws in order to process the personal data covered by the MSA/these Clauses. |
(h) | Additional Provision regarding Audit Rights and Obligations of the Parties: In order to comply with its (statutory) obligations as a data controller, each data exporter needs to, prior to the commencement of processing, and in regular intervals thereafter, audit the technical and organisational measures taken by data importer, and shall document the resulting findings. For such purpose, the data importer agrees (without limiting the rights stipulated under Clause 5 f)) using auditors to verify its compliance with the security obligations under these Clauses and that of its subcontractors, including the security of the physical data centres from which data importer provides the services under this Data Transfer Agreement and the LCA. This audit: (a) will be performed at least annually; (b) will be performed by security professionals at data importer’s selection; and (c) will result in the generation of an audit report which will be provided to data exporter after this report was generated (upon data exporters written request) so that data exporter can reasonably verify data importer’s and its subcontractor’s compliance with the security obligations under these Clauses. |
(i) | Additional Subprocessing Provision: The data exporter agrees within the meaning of Clause 5 paragraph 8 and Clause 11 paragraph 1 of these Clauses that data importer may subcontract the processing operations under these Clauses to the subcontractors named in Appendix 3 to these Clauses subject to the further requirements set out in this Clause and Clause 11 of these Clauses. Such subcontractors shall only be permitted to obtain personal data covered by these Clauses to the extent required to deliver the services data importer has retained them to provide, and subcontractors shall be prohibited from using this personal data for any other purpose. Subcontractors shall only be allowed to store or process data in the territories/locations listed and for the services described in Appendix 3 to these Clauses. |
(j) | Future Changes: If the European Commission lays down, or an applicable supervisory authority adopts, standard contractual clauses for the matters referred to in Article 28(3) and Article 28(4) of the General Data Protection Regulation pursuant to Article 28(7) or Article 28(8) of the General Data Protection Regulation (as appropriate) and data exporter notifies data importer that it wishes to incorporate any element of any such standard contractual clauses into this Annex, the parties will work together to mutually agree on the changes or to implement any additional measures that may be needed. The parties agree that changes affecting the provision of the services may result in price adjustments. |
Clause 11
Sub-processing
1. | The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor of the sub-processor’s obligations under such agreement. |
2. | The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses. |
3. | The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established. |
4. | The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority. |
Clause 12
Obligation after the termination of personal data-processing services
1. | The Parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore. |
2. | The data importer and the sub-processor warrant that upon the request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1. |
[Signatures on following page]
On behalf of the data exporter:
GRAPHIC PACKAGING INTERNATIONAL EUROPE NV
Name (written out in full):
Position:
Address: Fountain Plaza Belgicastraat 7 bus 5, 1930 Zaventem, Belgium
Other information necessary in order for the contract to be binding (if any):
Signature
(stamp of organisation)
(stamp of organisation)
On behalf of the data importer:
DELL CORPORATION LTD.
Name (written out in full):
Position:
Address: Dell House, The Boulevard, Cain Road, Bracknell, Berkshire, RG12 1LF
Other information necessary in order for the contract to be binding (if any):
Signature
(stamp of organisation)
(stamp of organisation)
Appendix 1
Data exporter
The data exporter is the Party which is a signatory to the LCA and its affiliates based in the EEA as specified as Service Recipients in Schedule 1.1 a) of the Master Service Agreement and which are the exporter of personal data.
Data importer
The data importer is a Party which is a signatory to the LCA and which is the recipient of personal data which is exported by the data exporter to it.
Data subjects
The personal data transferred concern the following categories of data subjects:
•Past, present and prospective employees, volunteers, interns and partners.
•Past, present and prospective clients.
•Past, present and potential advisors, consultants, suppliers, contractors, subcontractors and agents.
•Complainants, correspondents, visitors and enquirers.
•Beneficiaries, parents and guardians.
Categories of data
The personal data transferred concern the following categories of data:
•Contact details (which may include name, address, email address, telephone, fax, emergency contact details and associated local time zone information).
•Employment details (which may include company name, job title, grade, demographic, time recording and location data, nationality and export compliance status).
•IT systems and operational information (which may include voice, video and data recordings, user ID and password details, computer name, domain name, IP address, software and hardware inventory, security camera and software usage pattern tracking information, i.e. cookies, and information recorded for operational or training purposes).
•Data subjects' email content, online interactive and voice communications (such as blogs, chat, webcam and networking sessions) and transmission data which is available on an incidental basis for the provision of information technology consultancy, support and services (incidental access may include accessing the content of email communications and data relating to the sending, routing and delivery of emails).
•Details of goods or services provided to or for the benefit of data subjects.
•Financial and government and tax identifier details (e.g. credit, payment, bank details and NI or social security number).
Special categories of data
The personal data transferred concern the following special categories of data:
To the extent permitted by applicable law, the personal data may include information which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union opinions, memberships or activities, social security files, data concerning health (including physical or mental health or condition), sexual life and information regarding criminal offences or alleged offences and any related court proceedings, any information identified through use of whistle blowing hotlines and shall include special categories of data as defined in Article 8 of Directive 95/46/EC.
Processing operations
The personal data transferred will be subject to the following basic processing activities:
Any operation with regard to personal data irrespective of the means applied and procedures, in particular, the obtaining, collecting, recording, organising, storage, holding, use, amendment, adaptation, alteration, disclosure, dissemination or otherwise making available, aligning, combining, retrieval, consultation, archiving, transmission, blocking, erasing, or destruction of data, the operation and maintenance of systems, management and management reporting, financial reporting, risk management, compliance, legal and audit functions and shall include "processing" which shall have the meaning given to such term in Directive 95/46/EC.
Appendix 2 (to the Controller to Processor/Sub-Processor Model Clauses)
Technical and Organisational Security Measures
This Appendix 2 sets out a description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c).
Data importer takes information security seriously and this approach is followed through in its processing and transfers of personal data. This information security overview applies to data importer’s corporate controls for safeguarding personal data which is processed and transferred amongst the data importer’s group companies. Data importer’s information security program enables the workforce to understand their responsibilities. Some customer solutions may have alternate safeguards outlined in the applicable statement of work as agreed with each customer.
Security Practices
Data importer has implemented corporate information security practices and standards that are designed to safeguard data importer’s corporate environment and to address business objectives across the following areas:
(1) information security
(2) system and asset management
(3) development, and
(4) governance.
These practices and standards are approved by the data importer’s executive management and are periodically reviewed and updated where necessary.
Data importer shall maintain an appropriate data privacy and information security program, including policies and procedures for physical and logical access restrictions, data classification, access rights, credentialing programs, record retention, data privacy, information security and the treatment of personal data and sensitive personal data throughout its lifecycle. Key policies should be reviewed at least annually.
Organizational Security
It is the responsibility of the individuals across the data importer’s organization to comply with these practices and standards. To facilitate the corporate adherence to these practices and standards, data importer’s Information Security (“IS”) function is responsible for the following activities:
1. | Security strategy – the IS function drives data importer’s security direction. The IS function works to ensure compliance with security related policies, standards and regulations, and to raise awareness and provide education to users. The IS function also carries out risk assessments and risk management activities, and manages contract security requirements. |
2. | Security engineering – the IS function manages testing, design and implementation of security solutions to enable adoption of security controls across the environment. |
3. | Security operations – the IS function manages support of implemented security solutions, monitors and scans the environment and assets, and manages incident response. |
4. | Forensic investigations – the IS function works with Security Operations, Legal, Global Privacy Office and Human Resources to carry out investigations, including eDiscovery and eForensics. |
5. | Security consulting and testing – the IS function works with software developers on developing security best practices, consults on application development and architecture for software projects, and carries out assurance testing. |
Asset Classification and Control
Data importer’s practice is to track and manage key information and physical, software and logical assets. Examples of the assets that data importer might track include:
• | information assets, such as identified databases, disaster recovery plans, business continuity plans, data classification, archived information |
• | software assets, such as identified applications and system software |
• | physical assets, such as identified servers, desktops/laptops, backup/archival tapes, printers and communications equipment. |
The assets are classified based on business criticality to determine confidentiality requirements. Industry guidance for handling personal data provides the framework for technical, organizational and physical safeguards. These safeguards may include controls such as access management, encryption, logging and monitoring, and data destruction.
Employee Screening, Training and Security
1. | Screening/background checks: Where reasonably practicable and appropriate, as part of the employment/recruitment process, data importer shall perform screening/background checks on employees (which shall vary from country to country based on local laws and regulations), where such employees will have access to data importer’s networks, systems or facilities. |
2. | Identification: Data importer shall require all employees to provide proof of identification and any additional documentation that may be required based on the country of hire or if required by other data importer entities or customers for whom the employee is providing services. |
3. | Training: Data importer’s annual compliance training program includes a requirement for employees to complete a data protection and information security awareness course and pass an assessment at the end of the course. The security awareness course may also provide materials specific to certain job functions. |
4. | Confidentiality: Data importer shall ensure its employees are legally bound to protect and maintain the confidentiality of any personal data they handle pursuant to standard agreements. |
Physical Access Controls and Environmental Security
1. | Physical Security Program: Data importer shall use a number of technological and operational approaches in its physical security program to mitigate security risks to the extent reasonably practicable. Data importer’s security team works closely with each site to determine appropriate measures are in place to prevent unauthorized persons from gaining access to systems within which personal data is processed and continually monitor any changes to the physical infrastructure, business and known threats. They also monitor best practice measures used by others in the industry and carefully select approaches that meet both uniqueness in business practice and expectations of data importer. Data importer balances its approach towards security by considering elements of control that include architecture, operations and systems. |
2. | Physical Access controls: Physical access controls/security measures at data importer’s facilities/premises are designed to meet the following requirements: |
(a) | access to data importer’s buildings, facilities and other physical premises shall be controlled and based upon business necessity, sensitivity of assets and the individual’s role and relationship to the data importer. Only personnel associated with data importer are provided access to data importer’s facilities and physical resources in a manner consistent with their role and responsibilities in the organization; |
(b) | relevant data importer facilities are secured by an access control system. Access to such facilities is granted with an activated card only; |
(c) | all persons requiring access to facilities and/or resources are issued with appropriate and unique physical access credentials (e.g. a badge or keycard assigned to one individual) by the IS function. Individuals issued with unique physical access credentials are instructed not to allow or enable other individuals to access the data importer’s facilities or resources using their unique credentials (e.g. no “tailgating”). Temporary (up to 14 days) credentials may be issued to individuals who do not have active identities where this is necessary (i) for access to a specific facility and (ii) for valid business needs. Unique credentials are non-transferable and if an individual cannot produce their credentials upon request they may be denied entry to data importer’s facilities or escorted off the premises. At staffed entrances, individuals are required to present a valid photo identification or valid credentials to the security representative upon entering. Individuals who have lost or misplaced their credentials or other identification are required to enter through a staffed entrance and be issued a temporary badge by a security representative; |
(d) | employees are regularly trained and reminded to always carry their credentials, store their laptops, portable devices and documents in a secure location (especially while traveling) and log out or shut down their computers when away from their desk; |
(e) | visitors who require access to data importer’s facilities must enter through a staffed and/or main facility entrance. Visitors must register their date and time of arrival, time of leaving the building and the name of the person they are visiting. Visitors must produce a current, government issued form of identification to validate their identity. To prevent access to, or disclosure of, company proprietary information visitors are not allowed un-escorted access to restricted or controlled areas; |
(f) | select data importer facilities use CCTV monitoring, security guards and other physical measures where appropriate and legally permitted; |
(g) | locked shred bins are provided on most sites to enable secure destruction of confidential information/personal data; |
(h) | for data importer’s major data centres, security guards, UPS and generators, and change control standards are available; |
(i) | for software development and infrastructure deployment projects, the IS function uses a risk evaluation process and a data classification program to manage risk arising from such activities. |
Change Management
The IT organization manages changes to the corporate infrastructure, systems and applications through a centralized change management program, which may include testing, business impact analysis and management approval where appropriate. All relevant application and systems developments adhere to an approved change management process.
Security Incidents and Response Plan
1. | Security incident response plan: Data importer maintains a security incident response policy and related plan and procedures which address the measures that data importer will take in the event of loss of control, theft, unauthorized disclosure, unauthorized access, or unauthorized acquisition of personal data. These measures may include incident analysis, containment, response, remediation, reporting and the return to normal operations. |
2. | Response controls: Controls are in place to protect against, and support the detection of, malicious use of assets and malicious software and to report potential incidents to the data importer’s IS function or Service Desk for appropriate action. Controls may include, but are not limited to: information security policies and standards; restricted access; designated development and test environments; virus detection on servers, desktop and notebooks; virus email attachment scanning; system compliance scans; intrusion prevention monitoring and response; firewall rules; logging and alerting on key events; information handling procedures based on data type; e-commerce application and network security; and system and application vulnerability scanning. Additional controls may be implemented based on risk. |
Data Transmission Control and Encryption
Data importer shall, to the extent it has control over any electronic transmission or transfer of personal data, take all reasonable steps to ensure that such transmission or transfer cannot be read, copied, altered or removed without proper authority during its transmission or transfer. In particular, data importer shall:
1. | implement industry-standard encryption practices in its transmission of personal data. Industry-standard encryption methods used by data importer includes Secure Sockets Layer (SSL), Transport Layer Security (TLS), a secure shell program such as SSH, and/or Internet Protocol Security (IPSec); |
2. | if technically feasible, encrypt all personal data, including, in particular any sensitive personal data or confidential information, when transmitting or transferring that data over any public network, or over any network not owned and maintained by data importer. The data importer’s policy recognizes that encryption is ineffective unless the encryption key is inaccessible to unauthorized individuals and instructs personnel never to provide an encryption key via the same channel as the encrypted document; |
3. | for Internet-facing applications that may handle sensitive personal data and/or provide real-time integration with systems on a network that contains such information (including data importer’s core network), a Web Application Firewall (WAF) may be used to provide an additional layer of input checking and attack mitigation. The WAF will be configured to mitigate potential vulnerabilities such as injection attacks, buffer overflows, cookie manipulation and other common attack methods. |
System Access Controls
Access to data importer’s systems is restricted to authorized users. Access is granted based on formal procedures designed to ensure appropriate approvals are granted so as to prevent access from unauthorised individuals. Such procedures include:
1. | admission controls (i.e. measures to prevent unauthorized persons from using data processing systems): |
(a) | access is provided based on segregation of duties and least privileges in order to reduce the risk of misuse, intention or otherwise; |
(b) | access to IT systems will be granted only when a user is registered under a valid username and password; |
(c) | data importer has a password policy in place which requires strong passwords for user login to issued laptops, prohibits the sharing of passwords, prohibits the use of passwords that are also used for non-work functions, and advises users on what to do in the event their password or other login credentials are lost, stolen or compromised; |
(d) | mandatory password changes on a regular basis; |
(e) | automatic computer lock, renewed access to the PC only after new registration with a valid username and password; |
(f) | data and user classification determines the type of authentication that must be used by each system; |
(g) | remote access and wireless computing capabilities are restricted and require that both user and system safeguards are in place as well as user authentication. |
2. | access controls (i.e. measures to prevent unauthorised access to systems): |
(a) | access authorization is issued in respect of the specific area of work the individual is assigned to (i.e. work role); |
(b) | adjustment of access authorizations in case of changes to the working area, or in case an employee’s employment is terminated for any reason; |
(c) | granting, removing and reviewing administrator privileges with the appropriate additional controls and only as needed to support the system(s) in question; |
(d) | event logs from key devices and systems are centrally collected and reported on an exceptions basis to enable incident response and forensic investigations. |
Data Access Control
Data importer applies the controls set out below regarding the access and use of personal data:
1. | personnel are instructed to only use the minimum amount of personal data necessary in order to achieve the data importer’s relevant business purposes |
2. | personnel are instructed not to read, copy, modify or remove personal data unless necessary in order to carry out their work duties; |
3. | third party use of personal data is governed through contractual terms and conditions between the third party and data importer which impose limits on the third party’s use of personal data and restricts such use to what is necessary for the third party to provide services; |
Separation control
Where legally required, data importer will ensure that personal data collected for different purposes can be processed separately. Data importer shall also ensure there is separation between test and production systems.
Availability Control
Data importer protects personal data against accidental destruction or loss by following these controls:
1. | personal data is retained in accordance with customer contract or, in its absence, data importer’s record management policy and practices, as well as legal retention requirements; |
2. | hardcopy personal data is disposed of in a secure disposal bin or a crosscut shredder such that the information is no longer decipherable; |
3. | electronic personal data is given to data importer’s IT Asset Management team for proper disposal; |
4. | appropriate technical measures are in place, including (without limitation): anti-virus software is installed on all systems; network protection is provided via firewall; network segmentation; user of content filter/proxies; interruption-free power supply; regular generation of back-ups; hard disk mirroring where required; fire safety system; water protection systems where appropriate; emergency plans; and air-conditioned server rooms. |
Data Input Control
Data importer has, where appropriate, measures designed to check whether and by whom personal data have been input into data processing systems, or whether such data has been modified or removed. Access to relevant applications is recorded.
System Development and Maintenance
Publicly released third party vulnerabilities are reviewed for applicability in the data importer environment. Based on risk to data importer’s business and customers, there are pre-determined timeframes for remediation. In addition, vulnerability scanning and assessments are performed on new and key applications and the infrastructure based on risk. Code reviews and scanners are used in the development environment prior to production to proactively detect coding vulnerabilities based on risk. These processes enable proactive identification of vulnerabilities as well as compliance.
Compliance
The information security, legal, privacy and compliance departments work to identify regional laws and regulations that may be applicable to data importer. These requirements cover areas such as, intellectual property of the data importer and its customers, software licenses, protection of employee and customer personal information, data protection and data handling procedures, trans-border data transmission, financial and operational procedures, regulatory export controls around technology, and forensic requirements.
Mechanisms such as the information security program, the executive privacy council, internal and external audits/assessments, internal and external legal counsel consultation, internal controls assessment, internal penetration testing and vulnerability assessments, contract management, security awareness, security consulting, policy exception reviews and risk management combine to drive compliance with these requirements.
ANNEX 2 to the LOCAL COUNTRY AGREEMENT
Form of Invoice
[Attached]
12