Data Processing Agreement

• Applicable Data Protection Law: Shall mean all laws and regulations applicable to GANTNER’s processing of Personal Data under the Agreement.
• Client: A legal or natural person who operates as a professional or business (not being a consumer) and who enters into the Agreement with GANTNER for using and having access to the Services.
• Client Account Data: Personal Data that relates to the Client’s relationship with GANTNER, including the names or contact information of employees, representatives or contact people of the Client.
• Controller (also as Data Controller): The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Data Processing Agreement (also as DPA): Means this supplementary agreement entered into by GANTNER and the Client (to the extent required by applicable law), on which basis GANTNER shall process Personal Data.
• Data Subject: An identified or identifiable natural person.
• GANTNER: GANTNER Electronic GmbH is an Austrian company, with its corporate registered address located at Bundesstrasse 12, 6714, Nüziders, Vorarlberg, Austria, with VAT No. ATU49378007, telephone number +43 5552 33944 and e-mail address info@gantner.com, registered at the Commercial Registry of the Regional Court of Feldkirch, under the registration No. FN 193360 d. GANTNER is a SALTO group company.
• International Data Transfer: Processing which implies the transfer of the Personal Data outside of the European Economic Area, either by data disclosure or communication or by the processing of the Personal Data by a Processor established outside of the EEA on behalf of a Controller established in the EEA.
• Parties: Means GANTNER and the Client, individually referred to as the “Party”.
• Personal Data: Means all personal data relating to an identified or identifiable natural person that is introduced, collected or gathered through the Platform.
• Privacy Policy: Means GANTNER’s Privacy Policy.
• Processing: Means any operation or set of operations performed on Personal Data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• Processor (also “Data Processor”): A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
• Security Incident: Unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of User Data.
• Standard Contractual Clauses (also as SCC): Shall mean the transfer mechanism approved the European Commission through its Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
• Term: Means the time period the DPA shall be valid, enforceable and in force as set out in Section 3.
• User(s): Natural person(s) authorized by the Client to have access to and use the Services.
• User Data: Personal Data of Users.

Any capitalized term used in this Data Processing Agreement and not included in the list above shall have the meaning provided to it in the Terms of Service, and if not defined therein have the meaning established in Article 4 GDPR.

2.1 This Data Processing Agreement applies when GANTNER processes User Data on behalf of the Client. In this context, GANTNER acts as Processor to these data, whereas the Client may act as Controller or Processor of the User Data. When the Client acts as Processor, GANTNER will be Sub-Processor.

2.2 This Data Processing Agreement is part to the Agreement into which it is incorporated by reference.

This DPA shall be effective during the time necessary to render the Services to the Client pursuant the Agreement. Nonetheless, the Parties agree that all clauses of the present DPA which are expressly or implicitly intended to continue in force after its termination shall continue in force and binding the Parties in accordance with the relevant clause.

Each Party’s liability is subject to the Liability section in GANTNER’s Terms of Service, as permitted by applicable law.

5.1 To the extent GANTNER has access to User Data, GANTNER will process it as Processor, whereas the Client may act as Controller or Processor of the User Data. When the Client acts as Processor, GANTNER will be Sub-Processor.

5.2 Notwithstanding the foregoing, GANTNER will act as Controller with regards to Client Account Data and other specific data as detailed for each type of Service in the Privacy Policy. This Processing shall be done in accordance to and as informed in the Privacy Policy.

6.1 Purpose of the Processing: The Personal Data processed by GANTNER on behalf of the Client shall be processed only to carry out the provision of the Services in accordance with the Agreement, which may entail, where requested by the Client in accordance to the Terms of Service, technical support activities. Where the Processor deems necessary to process Personal Data for a different purpose, it shall obtain the previous written authorization from the Client. Where such authorization is not obtained, the processing shall not take place.

6.2 Description of the Processing: GANTNER will process Personal Data in accordance to the specifications included as Schedule 1, including the nature and purpose of the Processing, the Processing activities, the duration of the Processing, the types of Personal Data and categories of Data Subjects.

6.3 Obligations of the Client: Client is responsible for ensuring that it complies with Applicable Data Protection Law in its use of the Services and its own Processing of Personal Data, and that it has the right to provide access to Personal Data to GANTNER for Processing in accordance with the Agreement and this DPA. Client is responsible for the accuracy of the Personal Data provided to GANTNER.

6.4 Client’s instructions: The Processor undertakes to process User Data in accordance with Client’s instructions as set forth in the Agreement, and as otherwise necessary to provide the Services to Client, and where it is required to do so to comply with applicable law. Additional instructions outside the abovementioned shall be agreed by the Parties in writing. The Client shall ensure GANTNER that any Processing carried out under its instructions is compliant with applicable laws and regulations. GANTNER undertakes to inform Client if it becomes aware or reasonably believes that the instructions given by Client infringe applicable laws.

6.5 Confidentiality: GANTNER ensures that its employees engaged in the Processing of User Data under the Agreement are informed and are bound by confidentiality obligations.

6.6 Security measures: GANTNER guarantees the implementation of appropriate technical and organizational measures in order to achieve a level of security adequate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
In assessing the appropriate level of security, GANTNER takes into account the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed, or unauthorized communication or access to said data.
Schedule 2 includes additional information about GANTNER’s technical and organizational security measures to protect User Data.

6.7 Subcontracting: The Client expressly authorizes GANTNER to subcontract to companies which are part of SALTO’s Group and in this respect to provide them with access to the Personal Data as needed for the rendering of all or part of the Services, including maintenance and technical support services under Client’s request.

Additionally, the Client expressly authorizes the Processor to engage onward Sub-Processors (hereinafter, “Sub-Processors”), subject to the following provisions:

• (i) The Processor has the Client’s general authorization for the engagement of Sub-Processors from an agreed list available here. The Processor shall keep this list updated, and shall specifically inform the Client in writing via the email address for privacy notifications registered in the Platform of any intended changes of that list through the addition or replacement of Sub-Processors at least thirty (30) days in advance. The Client may reasonably object to any new Sub-Processor in the thirty (30) days period from the update of the list. In the event that the Client reasonably objects to a new Sub-Processor, either Client or GANTNER may terminate the portion of the Agreement related to the Services that are not possibly provided without the objected-to new Sub-Processor.
• (ii) GANTNER undertakes that all Sub-Processors are contractually bound by the same or equivalent data protection obligations as those established in this DPA for the Processor.
• (iii) GANTNER shall remain fully liable to the Client for the performance of the Sub-Processor's obligations.

6.8 Data Subject Rights: Taking into account the nature of the processing, GANTNER will assist the Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject's data protection rights. In the event that a Data Subject makes a request directly to GANTNER in relation to User Data, GANTNER will forward it without undue delay to the Client to the email address registered in the Platform.

6.9 Assistance: Taking into account the nature of processing and the information available to GANTNER, GANTNER shall provide reasonable cooperation to the Client in relation to related data protection impact assessments, and consultations with Supervisory Authorities required in compliance with data protection regulations.

6.10 Return or deletion of User Data: GANTNER shall delete or return all the Personal Data processed on its behalf to the Client, at the choice of the latter, after the end of the provision of Services, and delete all existing copies unless storage of the personal data is required by law. As part of the Services, once the term of the provision of the services consisting of electronic locking solutions for doors, lockers and access control has elapsed, GANTNER will keep the Personal Data blocked for a period of one (1) month in order to enable reactivation of said services.

6.11 Audits: GANTNER will, upon the Client’s request and at its expense, make available at reasonable intervals and in no event more than once (1) every year, the information necessary to demonstrate compliance with applicable data protection obligations, as well as allow for audits. Client shall provide GANTNER with at least two (2) months’ prior written notice of any intended audit. This audit may be conducted either by Client or by an independent auditor appointed by Client bound by reasonable confidentiality restrictions, which in no event shall be, or shall act on behalf of, a competitor of GANTNER. The scope of the audit shall be limited to GANTNER’s systems, processes, and documentation relevant to the Processing on behalf of the Client, and the reports and results of the audit will be confidential information of GANTNER. Upon the end of the audit, the Client shall inform GANTNER of any perceived non-compliance or security concerns detected in the audit.

6.12 Security Incident: GANTNER undertakes to notify the Client, via the email address registered in the Platform by the Client, without undue delay after becoming aware of any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of User Data (hereinafter, “Security Incident”). GANTNER will provide reasonable assistance to Client in the event that Client is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.

6.13 Transfers of Personal Data: In certain cases, the Processing of personal data may be carried out outside the European Economic Area (EEA), in particular:

• (i) When the Client is accessing the Platform from a country located outside the EEA;
• (ii) When the Client is subscribed to 24/7 technical support services, which implies that technicians located in some countries located outside the EEA are involved in the incident resolution; and
• (iii) In relation to the processing carried out by the Sub-Processors identified below.

In the cases mentioned above, transfers of User Data from the EEA to outside the EEA (either directly or via onward transfer) will be done on the basis of adequacy decisions by the European Commission. To the extent that the territories to where the User Data is transferred do not have adequate standards of data protection as determined by the European Commission, the Parties agree that the Standard Contractual Clauses will apply and will be deemed entered into (and incorporated into this DPA by this reference) and completed as indicated hereafter:

• (I) Module Three (Processor to Processor) of the SCC will apply where Client is a processor of User Data outside the EEA, and GANTNER acts as Sub-Processor and processes User Data in the EEA.
• (ii) Module Four (Processor to Controller) of the SCC will apply where Client processes as Controller User Data outside the EEA, and GANTNER is a processor which processes User Data in the EEA.
  
  

In relation to each Module of the Standard Contractual Clauses, where applicable:

• (i) Clause 7: the optional docking clause will not apply.
• (ii) Clause 9: Option 2 shall apply, with the notice period established under Clause 6.7 to this DPA.
• (iii) Clause 11: the optional section regarding the lodging of complaints with independent resolution bodies by data subjects shall not apply;
• (iv) Clause 17: Option 1 will apply, and the Standard Contractual Clauses will be governed by Austrian law;
• (v) Clause 18 (b): any dispute arising from the Standard Contractual Clauses shall be resolved before the courts of Austria;
• (vi) Annex I, Part A:
  • Data Exporter: GANTNER.
  • Contact details: privacy@gantner.com
  • Data Exporter Role: The Data Exporter’s role is set forth in Section 5 (Relationship of the Parties) of this DPA.
  • Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these SCC incorporated herein, including their Annexes, as of the date of acceptance of the Agreement.
  • Data Importer: Client
  • Contact details: The email address provided by the Client to sign up to the Service will be considered the contact email to this effect.
  • Data Importer Role: The Data Importer’s role is set forth in Section 2of this DPA.
  • Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these SCC incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
    
    
• (vii) Annex I, Part B:
• • The categories of data subject, sensitive data transferred, nature of the processing, purpose of the processing, and the period for which the personal data will be retained are described in Schedule 1 of this DPA.
  • The frequency of the transfer is on a continuous basis for the duration of the Agreement for the provision of the services consisting of electronic locking solutions for doors, lockers and access control, whereas the transfer is on a one-off basis for maintenance and technical support services.
  • Transfers to Sub-Processors are listed at https://www.gantner.com/en/legal/list-of-subprocessors-eloxx365.
  • The subject matter, nature, and duration of the processing are described in Schedule 1.
• (viii) Annex I, Part C: The Austrian Data Protection authority (Datenschutzbehörde Österreich) will be the competent supervisory authority.
• (ix) Annex II: Schedule 2 of this DPA.
  
  

The Client agrees to notify GANTNER if it receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to the SCC. Such notification must be done at least 48 hours in advance, and in any event before any disclosure takes place, and it shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided.
In the event of any conflict between the Standard Contractual Clauses, and any other terms in the Agreement, or the Privacy Policy, the provisions of the Standard Contractual Clauses will prevail.

6.14 Jurisdiction Specific Terms: To the extent GANTNER processes Personal Data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 3 of this DPA, the terms specified in this Schedule 3 with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.

GANTNER will process personal data as necessary to provide the Services under the Agreement. In this sense, GANTNER GANTNER will process personal data as necessary to provide the Services under the Agreement. In this sense, GANTNER

Collection, recording, storage, access, transmission to the Client and erasure or destruction of personal data, to the extent necessary for the adequate provision of the Services

GANTNER will process User Data on behalf of Client for the duration of the Services as established in the Agreement. As part of the Services, once the term of the provision of the service consisting of electronic locking solutions for doors, lockers and access control has elapsed, GANTNER will keep the Personal Data blocked for a period of one (1) month in order to enable reactivation of said services.

With regards to the provision of maintenance and technical support services, the User Data that may be accessed by GANTNER will only be processed for the time necessary to solve the issue.

Once the Agreement has terminated, GANTNER will retain a copy of the Personal Data duly blocked for the period of prescription of related infractions. Once this period has elapsed, GANTNER will erase all copies of the Personal Data.

User Data: Client’s end users of the Services provided by GANTNER. There can be distinguished between Client’s end users that directly use the web application (web application users) and Client’s end users that take advantage of the service managed by the cloud solution (e.g., locker users).

The categories of personal data processed depends on the type of Client’s end users (web application users or locker users) and the specific configuration of the Client.
The personal data processed from web application users may include, but are not limited to the following categories of data:

• Contact details (e.g., name, email address, etc.).
  > Account information (e.g., username, password, user role, account metadata, activity logs, etc.).
• Device identification data (e.g., IP addresses).
  
  

The personal data personal data processed from locker users may include, but are not limited to the following categories of data:

• Contact details (e.g., name, email address, etc.).
• Other user data (e.g., data carrier UID, member number, department, permission rules for locker usage, record of access).

1.1 The definition of Applicable Data Protection Law includes the California Consumer Privacy Act (CCPA).
1.2 The definition of Personal Data includes “Personal Information” as defined under Applicable Data Protection Law.
1.3 The definition of Data Subject includes “Consumer” as defined under Applicable Data Protection Law. Any data subject rights, as described in Section 6.8 (Data Subject Rights) of this DPA, apply to Consumer rights.
1.4 The definition of Controller includes “Business” as defined under Applicable Data Protection Law.
1.5 The definition of Processor includes “Service Provider” as defined under Applicable Data Protection Law.
1.6 GANTNER will process, retain, use, and disclose personal data only as necessary to provide the Services under the Agreement, which constitutes a business purpose.
1.7 GANTNER will not sell User Data.
1.8 GANTNER will not retain, use, or disclose User Data for any commercial purpose other than the provision of the Services.
1.9 GANTNER will not retain, use, or disclose User Data outside of the scope of the Agreement.
1.10 GANTNER certifies that its Sub-Processors, as described in Section 6.7 of this DPA, are Service Providers under Applicable Data Protection Law, and that prior to its contracting they are properly evaluated.

2.1 The definition of Applicable Data Protection Law includes the Federal Act on Data Protection (FADP).

3.1 The definition of Applicable Data Protection Law includes UK General Data Protection Regulation (UK GDPR).
3.2 In relation to Section 6.3 of the DPA, where the Controller is established in the UK and GANTNER transfers User Data from the UK to outside the UK (either directly or via onward transfer) to countries without adequacy regulations, such transfer shall be covered by the SCC together with the being the International Data Transfer Addendum or Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022 (hereinafter, the “IDTA”), which are incorporated to this DPA by reference.
3.3 In relation to the IDTA:
3.3.1 Tables 1 and 2 are completed with clause 6.13 of this DPA.
3.3.2 In relation to Table 2, personal data received from the Importer is not combined with personal data collected by the Exporter
3.3.3 Table 4: The Exporter.

The definition of Applicable Data Protection Law includes the Australian Federal Privacy Act 1988 and Australian Privacy Principles