The URL can be used to link to this page

Home My WebLink Aboutvmware-data-processing-addendum Page 1 of 5 DATA PROCESSING ADDENDUM Last updated: 04 January 2023 This Data Processing Addendum (“DPA”) forms part of the Agreement between the party identified in the Agreement (“Customer”) and VMware and applies if VMware processes Personal Data on behalf of Customer while providing Services. This DPA does not apply where VMware is the Controller. All capitalized terms used but not defined in this DPA will have the meanings set forth in the Agreement. 1. PROCESSING 1.1. Role of the Parties. VMware will process Personal Data under the Agreement only as a Processor acting on behalf of Customer. Customer may act either as a Controller or as a Processor of Personal Data. If Customer is acting as a Processor, Customer must communicate with VMware about the Processing on behalf of the Controller, and VMware will direct any inquiries from the Controller to Customer. 1.2. Customer Processing of Personal Data. Customer's use of the Services and processing instructions must comply with Data Protection Law and Customer must obtain all rights and authorizations necessary for VMware to process Personal Data under the Agreement. 1.3. VMware Processing of Personal Data. VMware must comply with Data Protection Laws applicable to its provision of the Services and will process Personal Data in accordance with Customer’s documented instructions. Customer agrees that the Agreement is its complete and final instructions to VMware regarding the processing of Personal Data. Processing any Personal Data outside the scope of the Agreement requires prior written agreement between VMware and Customer and may incur additional fees. Customer may terminate the Agreement upon written notice if VMware declines or is unable to accept any reasonable modification to processing instructions that (a) are necessary to enable Customer to comply with Data Protection Laws, and (b) the parties were unable to agree upon after good faith discussions. 1.4. Processing of Personal Data Details. 1.4.1. Subject matter. The subject matter of the processing under the Agreement is Personal Data. 1.4.2. Duration. The duration of the processing under the Agreement is determined by Customer and as set forth in the Agreement. 1.4.3. Purpose. The purpose of the processing under the Agreement is the provision of the Services by VMware to Customer as specified in the Agreement. 1.4.4. Nature of the processing. VMware and its Sub-processors are providing Services and fulfilling contractual obligations to Customer as described in the Agreement. These Services may include the processing of Personal Data by VMware and its Sub-processors. 1.4.5. Categories of data subjects. Customer determines the data subjects, which may include Customer’s end users and consumers, employees, contractors, suppliers, and other third parties. 1.4.6. Categories of data. Customer controls the categories of Personal Data that it submits to the Services through its use and configuration of the Services. 2. SUBPROCESSING. 2.1. Use of Sub-Processors. Customer authorizes VMware to engage Sub-processors to process Personal Data to provide the Services. VMware is responsible for any acts, errors, or omissions of its Sub-processors to the same extent VMware would be liable if performing the Services directly under the terms of the Agreement. 2.2. Obligations. VMware will enter into an agreement requiring each Sub-processor to process Personal Data in a manner substantially similar to the standards in the DPA, and at a minimum, at the level required by Data Protection Law. 2.3. Notice. VMware’s list of Sub-processors is available at www.vmware.com/agreements/sub- processors.html or upon written request. 2.4. Changes to Sub-processors. VMware will provide prior notice to Customer of any new Sub- processor if Customer has subscribed to receive notification at www.vmware.com/agreements/sub- processors.html. If Customer objects to a new Sub-processor on reasonable data protection grounds v.04 January 2023 Page 2 of 5 within 10 days of receiving notice, VMware will discuss those concerns with Customer in good faith with a view to achieving resolution. 3. SECURITY MEASURES. 3.1. Security Measures by VMware. VMware will implement and maintain appropriate technical and organizational security measures designed to protect against Personal Data Breaches and to preserve the confidentiality, integrity, and availability of Personal Data (“Security Measures”). Security Measures are subject to technical progress and development. VMware may modify Security Measures from time to time, provided that any modifications do not result in material degradation of the overall security of the Services. 3.2. Security Measures by Customer. Customer must implement appropriate technical and organizational measures in its use and configuration of the Services. 3.3. Personnel. VMware restricts its personnel from processing Personal Data without authorization (except as required by applicable law). Any person authorized by VMware to process Personal Data is subject to confidentiality obligations. 4. PERSONAL DATA BREACH RESPONSE. Upon becoming aware of a Personal Data Breach, VMware will notify Customer without undue delay and will provide information relating to the Personal Data Breach as reasonably requested by Customer. VMware will use reasonable endeavors to assist Customer to mitigate, where possible, the adverse effects of any Personal Data Breach. 5. AUDIT REPORTS. VMware (or third parties engaged by VMware) audits its compliance against data protection and information security standards on a regular basis. VMware’s security certifications are published at www.vmware.com/products/trust-center.html. Upon Customer's written request, VMware will provide Customer with a summary of the current audit report or other documentation generally made available by VMware for Customer to verify VMware's compliance with this DPA. 6. PERSONAL DATA TRANSFERS. 6.1. Personal Data Transfers. VMware may transfer and process Personal Data to and in locations around the world where VMware or its Sub-processors maintain data processing operations to provide the Services. 6.2. Personal Data Transfers from the European Economic Area, the United Kingdom, and Switzerland. VMware has achieved Binding Corporate Rules (“BCR”) for Personal Data it processes as a Processor. VMware’s BCR is available at www.vmware.com/help/privacy/binding-corporate- rules.html. VMware will process all European Economic Area, United Kingdom, and Switzerland Personal Data transferred to it for processing under the Agreement in accordance with its BCR, including where Personal Data is processed outside of the European Economic Area by VMware, any member of its group of companies, or any external Sub-processor. 6.3. BCR Enforcement. Customer has the right to enforce the BCR against VMware International Unlimited Company or any member of VMware’s group of companies for breaches of the BCR they caused, subject to the terms of the Agreement (including its exclusions and limitations) for the benefit of the members of VMware's group of companies. Customer is the sole entity responsible for coordinating all communications with and claims against any member of the VMware group of companies. Customer must make and receive any communication on behalf of its affiliates. 7. DELETION OF PERSONAL DATA. Following expiration or termination of the Agreement, VMware will delete or return to Customer all Personal Data as set forth in the Agreement. If VMware is required by applicable law to retain Personal Data, VMware will implement reasonable measures to prevent any further processing. The terms of this DPA will continue to apply to that retained Personal Data. 8. COOPERATION. 8.1. Data Subject Requests. If VMware receives any requests from individuals wishing to exercise their rights in relation to Personal Data processed under the Agreement (a “Request”), VMware will promptly redirect the Request to Customer. VMware will not respond to the Request directly unless authorized by Customer or required by law. Customer may address Requests using the Services. If Customer needs assistance, Customer will request VMware’s reasonable cooperation, which VMware will provide, at Customer’s expense. 8.2. DPIAs and Prior Consultations. If required by Data Protection Law, VMware will, with reasonable notice and at Customer's expense, provide reasonably requested information regarding the Services v.04 January 2023 Page 3 of 5 to enable Customer to carry out data protection impact assessments (“DPIAs”) and prior consultations with data protection authorities. 8.3. Legal Disclosure Requests. If VMware receives a valid request for the disclosure of Personal Data that is subject to this DPA, that request will be addressed in accordance with the Agreement. 9. GENERAL. 9.1. Relationship with Agreement. Any claims brought under this DPA will be subject to the terms of the Agreement (including its exclusions and limitations). 9.2. Conflicts. In the event of any conflict between this DPA and any provisions in the Agreement, the terms of this DPA will prevail. 9.3. DPA Updates. VMware may update this DPA: (a) if required to do so by a data protection authority or other government or regulatory entity; or (b) to comply with Data Protection Law. VMware may further exchange, adopt, or update its data transfer or compliance mechanisms provided they are recognized by Data Protection Law. The modified DPA will become effective when published on VMware’s website or as otherwise provided in the Agreement. 10. DEFINITIONS Agreement means the written or electronic agreement between Customer and VMware for the provision of Services to Customer. Controller means an entity that determines the purposes and means of the processing of Personal Data. Data Protection Law means all data protection and privacy laws applicable to the processing of Personal Data in relation to the Services. Demand means a subpoena, court order, agency action, or any other legal or regulatory requirement to disclose any Customer Content. GDPR means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation). Personal Data means any information relating to an identified or identifiable natural person contained within Customer Content. Personal Data Breach means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Processor means an entity that processes Personal Data on behalf of a Controller. Services means, for the purposes of this DPA, any Cloud Service or Support Services provided by VMware to Customer pursuant to the Agreement. Sub-processor means any Processor engaged by VMware or any member of its group of companies that processes Personal Data pursuant to the Agreement. Sub-processors may include third parties or any member of VMware’s group of companies. [Continued on next page] v.04 January 2023 Page 4 of 5 Supplemental Terms to Data Processing Addendum GDPR Supplemental Measures This GDPR Supplemental Measures Addendum (“Supplemental Measures Addendum”) supplements the DPA and reflects the supplemental measures of VMware if VMware processes Personal Data within the scope of GDPR on Customer’s behalf. Nothing in this Supplemental Measures Addendum is intended to restrict the commitments contained in the DPA. All capitalized terms used but not defined in this Supplemental Measures Addendum will have the meanings set forth in the DPA. 1. Warranty. 1.1. The parties warrant that they have no reason to believe the laws and practices in the third country of destination applicable to the processing of Personal Data by VMware, including any requirements to disclose Personal Data or measures authorizing access by public authorities, prevent VMware from fulfilling its obligations under section 2 (Notification in case of Required Disclosures and direct access). This warranty is based on the understanding that this section 1 (Warranty) is not in contradiction to the laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of the GDPR. 1.2. VMware agrees to notify Customer promptly if VMware has reason to believe that VMware is or has become subject to laws or practices not in line with the requirements under section 1.1, including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in section 1.1. 1.3. Following a notification pursuant to section 1.2, or if Customer otherwise has reason to believe that VMware can no longer fulfil its obligations under section 1, Customer shall promptly identify appropriate measures (e.g., technical or organizational measures to ensure security and confidentiality) to be adopted by Customer or as requested by Customer to be implemented by VMware in accordance with section 1.3.1 of the DPA. Customer shall suspend the data transfer if Customer considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent data protection authority to do so, and Customer shall be entitled to terminate the Agreement, insofar as it concerns the processing of Personal Data under this section 1 (Warranty). 2. Notification in case of Required Disclosures and direct access. 2.1. If VMware is required by a Demand or where VMware becomes aware of any direct access by public authorities to Personal Data transferred pursuant to our Agreement, unless legally prohibited from doing so, VMware will: (a) provide Customer with notice and a copy of the Demand as soon as practicable; (b) inform the relevant government authority that VMware is a service provider acting on Customer’s behalf and all requests for access to Customer Content should be directed in writing to the contact person Customer identifies to VMware (or if no contact is timely provided, VMware will direct the relevant governmental authority generally to Customer’s legal department); and (c) only provide access to Customer Content with Customer’s authorization. 2.2. Where permissible under the laws of the country of destination, VMware agrees to provide Customer, at regular intervals for the duration of the Agreement, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority, whether requests have been challenged and the outcome of such challenges). 2.3. VMware will preserve the information pursuant to section 1 (Warranty) for the duration of the Agreement and make it available to the competent data protection authority on request. 2.4. Sections 2.1 and 2.2 are without prejudice to VMware’s obligation under sections 1.1 and 1.2 to inform Customer promptly where VMware is unable to comply with the obligations in these sections. 3. Review of legality and data minimization in case of public authority access requests. 3.1. If VMware is required by a Demand, VMware will review the legality of the request for disclosure (whether it remains within the powers granted to the requesting public authority), and challenge the request if VMware considers that there are reasonable grounds to consider that the request is unlawful. 3.2. When challenging a request, VMware shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on the merits of the case. VMware shall not disclose Personal Data requested until required to do so under the applicable v.04 January 2023 Page 5 of 5 procedural rules. These requirements are without prejudice to VMware’s obligations to notify Customer if VMware has reason to believe that it is or has become subject to laws or practices not in line with the requirements of section 1.1. 3.3. VMware will document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to Customer. VMware shall make its assessment available to the competent data protection authority on request. 3.4. VMware agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. CCPA Supplemental Terms To the extent that the California Consumer Privacy Act of 2018, as amended, Cal. Civ. Code § 1798.100 et seq. (“CCPA”) applies to Personal Data that Customer discloses to VMware for a ‘business purpose’ and where VMware is acting as Customer’s ‘service provider’ pursuant to the Agreement, as such terms are defined under CCPA, the following supplemental terms apply: 1. VMware is processing the Personal Data for the limited and specific ‘business purpose’ of providing the VMware Cloud Services and/or Support Services purchased pursuant to the Agreement, which may be further detailed in the Cloud Service Guide or Support Terms, as applicable. 2. VMware will comply with the requirements of CCPA that are applicable to VMware as a service provider and will provide the level of privacy protection as further described in the Agreement, including facilitating Customer’s responses to, and compliance with, its consumers’ requests as detailed in Section 8 (Cooperation), and implementing security measures as described in Section 3 (Security Measures). 3. To ensure that VMware uses Personal Data in a manner consistent with Customer’s obligations under the CCPA, Customer may take the reasonable and appropriate steps set forth in Section 5 (Audit Reports). 4. VMware will notify Customer if VMware determines that it can no longer meet its obligations under CCPA. 5. If Customer reasonably believes that VMware is using Personal Data in a manner not authorized by the Agreement or by the CCPA, Customer may take the following reasonable and appropriate steps: (i) notify VMware so that the parties may work together in good faith to resolve the matter, or (ii) exercise any other rights provided in the Agreement. 6. VMware will not ‘sell’ or ‘share’ Personal Data (as those terms are defined under CCPA). 7. VMware will not retain, use, or disclose Personal Data outside of the direct business relationship between VMware and Customer or for commercial or any other purposes other than for the business purpose identified above, except as otherwise permitted by CCPA. 8. VMware will not combine Personal Data with data received from another source or with data collected by VMware from its own interactions with customer’s consumers, except as permitted by CCPA.