{{ header.cookieBanner.cookieBannerCopy }}
{{ header.cookieBanner.privacyPolicyLabel }}
globe {{(header.eyebrow.langSelector.label != '') ? header.eyebrow.langSelector.label : 'Choose Language'}}
{{ popupData.primarybody }}
{{ distyMobilePopUpData.title }}
{{ distyMobilePopUpData.primarybody }}
{{ distyMobilePopUpData.secondarybody }}
globe ASEAN, South Asia & Korea | English Find a Partner or Distributor Contact Us

Part List

{{addedBomQuantity}} {{addedBomName}} Added
{{totalQuantityInBom}} item(s) View List >>

Part List

  1. {{product.name}}

    {{product.description}}

    {{product.quantity}} item(s)
View List >>
Panduit SmartZone™ Cloud Data Processing Addendum

 

This Data Processing Addendum (“DPA”) is incorporated into the agreement under which Panduit has agreed to provide Panduit SmartZone Cloud Services (the “Services”) to Customer (the “Agreement”).  The term of this DPA shall run from the Effective Date of the Agreement until the end of Panduit’s provision of the Services to Customer and the relevant Personal Data has been deleted or returned to Customer.  For the purposes of this DPA, Panduit is the Processor and Customer is the Controller of Personal Data.

For the purpose of the Addendum:

-       “Business Purpose” means the provision of the Services.

-       “CCPA” means the California Consumer Privacy Act.

-       “Controller” means the entity which determines the purposes and means of the Processing of the Personal Data.

-       “GDPR” means the General Data Protection Regulation.

-       “UK GDPR” means the UK’s implementation of the GDPR.

-       “Personal Data” means any information relating to an identified or identified natural person (each a “Data Subject”). 

-       “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

-       “Privacy and Data Protection Requirements” means the GDPR, UK GDPR and CCPA.

-        “Process(ing)” means any operation(s) performed on Personal Data, whether or not by automated means, including the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

-       "Processor” means the entity which Processes Personal Data on behalf of the Controller.

-       “Special Categories of Personal Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

-       “Subprocessor” means a third party engaged by Processor (including without limitation an affiliate or subcontractor, but excluding Processor employees) in connection with the Processing of Personal Data pursuant to the Agreement.

 

1.     Appointment, Restriction on Processing, and Certification.

1.1.     Subject to the conditions and limitations set forth herein, Controller hereby appoints Processor to Process the Personal Data set for in Exhibit 1 on behalf of Controller.

1.2.     Processor will Process the Personal Data only as necessary to perform the Business Purpose and only on documented instructions from Controller, unless otherwise required by applicable law.  If such Processing is required by applicable law, Processor will provide prior written notice to Controller of the legal requirement before Processing Personal Data, unless applicable law prohibits such prior notice.

1.3.     For purposes of the CCPA, Controller is a “Business” and Processor is a “Service Provider.” Processor shall not: (a) sell the Personal Data; (b) retain, use or disclose the Personal Data for any purpose other than for the specific purpose of performing the Business Purpose; (c) retain, use, or disclose the Personal Data for a commercial purpose other than providing the Business Purpose; or (d) retain, use, or disclose the Personal Data outside of the direct business relationship between Controller and Processor.

1.4.  Processor represents, warrants, and certifies that:

(a)      Processor understands this Addendum and its restrictions on Processor’s processing of Personal Data;

(b)      Processor will comply with the restrictions in this Addendum and in the Privacy and Data Protection Requirements.

(c)      Processor shall immediately inform Controller if in its opinion an instruction breaches any applicable data protection law.

2.     Confidentiality.  Where Personal Data is processed by the Processor, its agents, sub-contractors or employees, the Processor shall, and shall procure that its agents, sub-contractors and employees taken reasonable steps  to ensure the reliability of any employee, agent or contractor who may have access to the Personal Data, ensuring in each case that access is limited to those individuals who need to access the relevant Personal Data, as necessary to perform the Business Purpose in the context of that individual’s duties to the Processor, ensuring that all such individuals:

2.1.  are informed of the confidential nature of the Personal Data;

2.2.  have undertaken appropriate training in relation to Personal Data protection;

2.3.  are subject to contractual confidentiality obligations, or professional or statutory obligations of confidentiality; and

2.4.  are aware of the Processor’s obligations in relation to data protection under this Addendum.

 

3.     Security.  Where Personal Data is processed by the Processor, its agents, sub-contractors or employees, the Processor shall implement and ensure that its agents, sub-contractors and employees implement appropriate technical and organizational security measures to ensure a level of security commensurate with the risks associated with the Processing, such measures to be appropriate to protect against accidental or unlawful destruction, loss, alteration or unauthorized disclosure of or access to the Personal Data. These measures shall take into account and be appropriate to the state of the art, nature, scope, context and purposes of Processing and risk of harm which might result from unauthorized or unlawful Processing or accidental loss, destruction or damage to Personal Data. The specific measures used by Processor are more fully set forth at https://pages.panduit.com/SmartZone_Cloud.html.

 

4.     Personal Data Breach.  Where Personal Data is processed by the Processor, its agents, sub-contractors or employees, the Processor shall, and shall procure that its agents, sub-contractors and employees to inform the Controller without undue delay upon becoming aware of a Personal Data Breach by sending an email to Customer per the Notice provisions set forth in the Agreement.

 

5.     Data Subjects Rights.  Processor shall provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Controller to enable Controller to respond to: (i) any request from a Data Subject to exercise its rights under Privacy and Data Protection Requirements and (ii) any other correspondence, inquiry or complaint received from a Data Subject, regulator, or other third party in connection with the Privacy and Data Protection Requirements.  In the event any such request is made directly to Processor, Processor shall promptly notify Controller and provide the full details of such request.

 

6.     Cooperation.  Processor shall cooperate with Controller to ensure compliance with their respective obligations under Privacy and Data Protection Requirements, and cooperate with applicable regulators when requested.

7.     Deletion of Existing Personal Data.  Where Personal Data is processed by the Processor, its agents, sub-contractors or employees, the Processor shall, and shall procure that its agents, sub-contractors and employees:

7.1.     ensure that any information technology systems used in the context of performing the Business Purpose, including any backup systems, allow the erasure or deletion of specific Personal Data, and put in place measures to fully implement any erasure or deletion request within the timeframe required by Controller;

7.2.     upon termination for any reason of the Business Purpose, cease Processing the Personal Data immediately, except for the safe storing. Thereafter, at the Processor’s option, either return, or delete from its systems, the Personal Data and any copies of it or of the information it contains, including any Personal Data in hardcopy format and the Processor shall confirm in writing to the Controller that this clause has been complied with in full.

 

8.     Subprocessing. 

8.1.     Appointment.

(a)      Subprocessors currently used by Processor will be made available to Customer upon request.  Contact SmartZoneCloud@panduit.com.  Controller agrees that Processor may continue to use those Subprocessors already engaged as of the date of this DPA.

(b)      Processor shall provide prompt written notice to Controller of the removal of Subprocessors or proposed addition of new Subprocessors (including details of the Processing to be undertaken by the new Subprocessor).  If, within thirty (30) days of that notice, Controller notifies Processor in writing of any objections (on reasonable grounds) to the proposed addition of a new Subprocessor, Processor shall not disclose any Personal Data to the proposed Subprocessor until: (i) Processor has taken reasonable steps to address such objections and (ii) Controller has been provided with a written explanation of the steps taken.  If Controller’s objections are not satisfied by such explanation, Processor shall work with Controller in good faith to agree upon a commercially reasonable change in the Services which avoids the use of the proposed Subprocessor.  If the parties are unable to reach such agreement, Controller may terminate the Agreement without further liability to Processor, except for fees due at the time of termination.

8.2.       Processor’s Obligations.

(a)      With respect to each Subprocessor, Processor shall (i) before Subprocessor first Processes Personal Data, carry out adequate due diligence to ensure Subprocessor is capable of providing the level of protection for Personal Data required by the Agreement, this Addendum, and Privacy and Data Protection Requirements and (ii) ensure that the contract between Processor and Subprocessor includes the materially same terms as those set out between Controller and Processor in this Addendum.

(b)      Processor shall remain liable to the Controller for any failure by a Subprocessor to fulfill its obligations in relation to the Processing of any Personal Data.

 

9.     International Transfers. 

9.1.  Current international transfers of Personal Data are set forth in Exhibit 1 and to the Subprocessors as set forth in Section 8.1(a) above.  If any Personal Data originates from the European Economic Area (“EEA”) or United Kingdom (“UK”) under this Addendum, Processor shall not transfer the Personal Data to a Subprocessor outside of the EEA or UK, respectively, unless it has taken such measures as are necessary to ensure the transfer is in compliance with, as applicable, the GDPR and UK GDPR. 

9.2.  For Personal Data subject to GDPR, such measures may include transferring the Personal Data to a Subprocessor: (a) in a country that the European Commission has decided provides adequate protection for Personal Data; (b) that has Binding Corporate Rules in place; or (c) that has executed standard contractual clauses approved by the European Commission.  If any of the aforementioned transfer mechanisms is invalidated, Processor will use an alternative lawful mechanism to affect the international transfer of Personal Data.

9.3.  For Personal Data subject to UK GDPR, such measures may include transferring the Personal Data to a Subprocessor: (a) in a country that the UK ICO has decided provides adequate protection for Personal Data; (b) that has Binding Corporate Rules in place; or (c) that has executed standard contractual clauses approved by the UK ICO.  If any of the aforementioned transfer mechanisms is invalidated, Processor will use an alternative lawful mechanism to effect the international transfer of Personal Data.

9.4.  To the extent that Controller transfers Personal Data originating from the EEA to Processor, the parties agree to Module 2 of the Standard Contractual Clauses (“New SCCs”) set forth here: https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf.  For the purposes of the New SCCs: (i) Controller agrees that it is the “data exporter” and Processor is “data importer”, and the information set forth in Exhibit 1 and Section 3 of this Addendum will supplement the New SCCs as needed.  To the extent that Controller transfers Personal Data originating from the UK to Processor, the aforementioned provisions set forth in this Section 9.4 apply, supplemented by the UK Addendum to the EU Commission Standard Contractual Clauses.

 

Exhibit 1

Processor Privacy Contact: privacy@panduit.com

Processor Personal Data Processing Locations

 

Processor Locations

 Panduit Corp., USA

Description of Processing

Purpose of Processing

 

To perform the Services.

 

Duration of Processing

 

So long as Panduit provides the Services to Customer.

 

Categories of Data Subjects

 

Employees and contractors of Customer.

 

Types of Personal Data Processed

 

Name, Email, Password, Phone Number

 

Special Categories of Personal Data Processed (if applicable)

 

None.

 

Panduit Panduit
globe {{(header.eyebrow.langSelector.label != '') ? header.eyebrow.langSelector.label : 'Choose Language'}}