Lorem ipsum dolor sit amet, consectetur adipiscing elit. Morbi non consequat quam. Morbi rutrum ipsum libero, et eleifend nunc semper eu. Suspendisse non urna lorem. Aliquam eu quam mi. Fusce sollicitudin turpis non dolor cursus, volutpat molestie lectus ultrices. Duis pulvinar orci et diam tempor, eu venenatis erat aliquam. In ornare, massa nec tempus placerat, turpis erat dictum diam, sit amet finibus tortor urna quis eros. Etiam fringilla ligula vel varius sagittis. Nullam vitae finibus nunc, vel eleifend massa. Cras ut ullamcorper orci.
1. SCOPE
1.1 The following Data Processing Addendum (“DPA”) applies to all transfers of Personal Information (defined below) by and between Psychological Assessment Resources, Inc., PARiConnect, PAR InVista, and/or the Self-Directed Search (collectively, "PAR," “we,” “us,” or “our”) and any entities that provide the Personal Information of their patients, clients, students, or customers to PAR for PAR’s provision of services (these entities are herein referred to as “Customer”). This DPA is effectively incorporated into the agreement (“Agreement”) entered into between PAR and Customer (each a “Party” and collectively the “Parties”). This DPA is effective as of the date of the Agreement. In the event of a conflict between any provisions of the Agreement and the provisions of this DPA, the provisions of this DPA shall govern and control.
1.2 PAR acknowledges that Customer and/or the data it discloses to PAR may be subject to consumer privacy laws and regulations, as well as common law restrictions and/or obligations (the “Consumer Privacy Laws”). Consumer Privacy Laws may include, but it is not limited to, laws, and associated regulations or guidance, such as pursuant to the Health Insurance Portability and Accountability Act, General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”), U.K. General Data Protection Regulation, California Consumer Privacy Act (the “CCPA”) and California Privacy Rights Act (“CPRA”), as codified in California Civil Code sections 1798.100, et seq. (collectively, “CCPA/CPRA”), and other similar foreign or domestic, federal, state, or local privacy statutes, regulations, rules, or guidance, laws currently in effect or that may come into effect during the term of the Agreement, all as applicable and as may be amended from time to time.
2. DEFINITIONS
2.1 Based on Customer’s relationship with PAR, PAR is considered a “service provider,” “contractor,” or “processor” (collectively, “Processor”) under the Consumer Privacy Laws. As a Processor, PAR may process and/or receive “personal information” or “personal data,” as such terms are defined in applicable Consumer Privacy Laws, from, or on behalf of, Customer (such personal information or personal data is herein referred to as “Personal Information”).
2.2 The term “security incident” means (i) any act or omission that compromises either the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place by PAR that relate to the protection of the security, confidentiality, or integrity of Personal Information, or (ii) receipt of a complaint in relation to the privacy and data security practices of PAR or a breach or alleged breach of this DPA. Without limiting the foregoing, a compromise shall include any unauthorized access to or disclosure or acquisition of Personal Information.
2.3 The term “Model Clauses” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
2.4 The term “U.K. Addendum” means the template U.K. Information Commissioner’s Office Addendum to the Model Clauses for international data transfers, issued under Section 119A of the U.K. Data Protection Act 2018, and including both tables and mandatory clauses.
3. PAR COMMITMENTS
3.1 PAR will comply with Customer’s instructions regarding the processing of Personal Information, including but not limited to instructions regarding amending, transferring, or deleting Personal Information.
3.2 PAR shall not “sell” or “share” Personal Information it collects pursuant to the Agreement, as those terms are defined by applicable Consumer Privacy Laws.
3.3 Customer is providing PAR access to Personal Information for the limited and specific purposes provided in the Agreement, as described in section 5 herein, and/or as otherwise expressly permitted by Consumer Privacy Laws. PAR shall not retain, use, or disclose Personal Information for any purpose(s) other than those specified in section 5 herein or otherwise permitted by the Consumer Privacy Laws. Such purposes are incorporated by reference herein.
3.4 PAR shall not retain, use, or disclose Personal Information that it collects pursuant to the Agreement for any “commercial purpose,” as defined by applicable Consumer Privacy Laws, other than the business purposes specified in section 5 herein, including in the servicing of any entity other than Customer.
3.5 PAR shall not retain, use, or disclose Personal Information it collects pursuant to the Agreement outside of the direct business relationship between PAR and Customer.
3.6 PAR shall not combine or update Personal Information with any other information, except to perform a business purpose defined in Consumer Privacy Laws, such as regulations adopted pursuant to Cal. Civ. Code § 1798.185(a)(10), except as provided by Consumer Privacy Laws.
3.7 PAR shall comply with all applicable laws and obligations regarding the use and protection of Personal Information, including all Consumer Privacy Laws, as applicable. PAR certifies that it understands these restrictions, including pursuant to the CCPA/CPRA, and shall comply with them.
3.8 PAR shall provide the same level of privacy protection as required by Customer, and shall assist the Customer in meeting the Customer’s obligations in relation to the Personal Information. These privacy protections and obligations include, but are not limited to:
3.10 PAR shall ensure that each person processing Personal Information is subject to a duty of confidentiality with respect to such Personal Information. The termination or expiration of this DPA shall not discharge PAR from its confidentiality obligations pursuant to the Agreement and this paragraph. PAR shall process Personal Information until the date of expiration or termination of the Agreement, unless instructed otherwise by Customer, or until such data is returned, de-identified, or destroyed on instruction of Customer.
3.11 If PAR engages any other person or entity to assist it in processing Personal Information for purposes of providing the services enumerated in the Agreement, PAR shall:
3.12 To the extent PAR processes or receives any deidentified personal information, as defined by applicable Consumer Privacy Laws, from, or on behalf of, Customer (“Deidentified Information”), PAR shall comply with all Consumer Privacy Laws concerning the Deidentified Information, including maintaining the information as deidentified personal information. PAR shall take reasonable measures to ensure the Deidentified Information cannot be associated with a consumer or household, publicly commit to maintain and use the Deidentified Information in deidentified form, not attempt to reidentify the information unless solely for the purpose of determining whether the data is deidentified, and contractually obligate any recipient of the Deidentified Information to comply with this DPA and all Consumer Privacy Laws regarding the processing of such Deidentified Information.
3.13 Unless PAR is otherwise required by law, or if Customer sooner requests PAR return Personal Information to Customer instead, PAR will delete and destroy Personal Information and all copies of the same once the Personal Information is no longer needed to complete the transaction or services requested.
3.14 Upon the reasonable request of Customer, PAR shall make available to Customer all information in its possession, custody, or control that is necessary to demonstrate PAR's compliance with all Consumer Privacy Laws and the requirements of this DPA or to enable Customer to conduct and document any required data protection assessments.
3.15 PAR shall notify Customer if PAR determines it can no longer meet its Consumer Privacy Laws obligations.
3.16 To the extent PAR processes any Personal Information from the European Economic Area (“EEA”) or United Kingdom (“U.K.”), Customer as “data exporter” and PAR as “data importer” hereby enter into the Model Clauses and U.K. Addendum. If required by law or by any agency or regulatory body with jurisdiction, the Parties agree to re-execute the Model Clauses and U.K. Addendum (including Annexes hereto) as a document separate from this DPA. For purposes of the Model Clauses and U.K. Addendum, the Parties hereby agree that:
4. ADDITIONAL RIGHTS AND OBLIGATIONS
4.1 PAR grants Customer the right to take, and PAR shall allow and contribute to, appropriate and reasonable steps to monitor PAR and ensure PAR’s use of Personal Information is consistent with all applicable privacy rights and obligations, whether statutory, regulatory, based in common law, contractual, or otherwise. These steps may include, but are not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other policy review or technical and operational testing at least once every 12 months. As an alternative to a Customer-requested review, assessment, audit, or testing, PAR may arrange for a qualified and independent assessor, using an appropriate and accepted control standard or framework and assessment procedure, to conduct such review, scan, assessment, audit, or other policy review and testing of PAR’s policies and technical and organizational measures to satisfy its obligations under this DPA. PAR shall provide a report of all such reviews, scans, assessments, audits, or tests to Customer upon request.
4.2 PAR grants Customer the right, upon notice, to take reasonable and appropriate steps to stop, mitigate, and remediate any and all unauthorized use of Personal Information.
4.3 Customer is responsible for providing any required privacy notice to data subjects and securing any required consent for PAR’s processing of Personal Information in accordance with Customer’s instructions.
4.4 Customer agrees that PAR may aggregate data and use such data for analytical purposes. In those instances, PAR will ensure that the data is effectively anonymized prior to such use and that no individual is reasonably identifiable from the data once anonymized and aggregated.
4.5 PAR shall enable Customer to comply with any consumer privacy request made pursuant to Consumer Privacy Laws.
4.6 The parties will work and communicate with each other in good faith to comply with Consumer Privacy Laws.
4.7 Indemnification.
4.8 Limitation of Liability.
EXCEPT WITH RESPECT TO EACH PARTY’S OBLIGATIONS AS TO CONFIDENTIALITY AND INDEMNIFICATION, OR LOSSES ARISING FROM A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT:
5. DESCRIPTION OF PROCESSING
6. DISPUTES
Any disputes arising from or in connection with this DPA shall be brought as set forth in the Agreement.