* For HubSpot customers who purchase services from March 11, 2020, your data will be automatically stored/processed by our new subcontractor Snowflake. We do not store customer data in Snowflake for HubSpot customers who purchased our services before March 11, 2020 and chose not to store their data in Snowflake. b. If: (a) any of the means referred to in this DTA to legitimise the transfer of personal data outside the EEA or the United Kingdom is no longer valid; or (b) a supervisory authority requires that the transfer of personal data be suspended in this way, the data importer may, by informing the other party, amend or introduce other arrangements in respect of such transfers with effect from the date specified in that notice, as required by the relevant data protection legislation. Countries in the Asia-Pacific region have made no real attempt to harmonize their national data protection laws on a regional basis. Countries that have adopted data protection laws will find that they are significantly different from the laws of their neighbors. But they have been working on solutions for cross-border data transfers, including in the framework of Asia-Pacific Economic Cooperation. To further complicate an already difficult situation, many countries have imposed requirements on companies to impose similar and different contractual clauses to protect the personal data of their residents, most recently several US states. In addition, companies must transmit these other clauses to several levels of service providers.

Meeting these requirements with separate contracts, one country at a time, quickly becomes unmanageable. A medium-sized multinational with subsidiaries, employees and customers in 20 jurisdictions and suppliers in 20 other jurisdictions is expected to implement 400 data transfer and processing agreements. If each of these suppliers has 20 suppliers, we have 8,000 contracts that come from a multinational, and that is before we looked at other levels of suppliers and considered that large companies have thousands of suppliers. 1.1.8.1 a transfer of the Company`s personal data from the Company to a subcontractor; or (b) it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract, and that in the event of a change in that legislation that may significantly affect the safeguards and obligations provided for in the clauses, it will inform the data exporter of the change without undue delay, as soon as it becomes aware of it, in which case the data exporter has the right to suspend the transfer of data and/or to terminate the contract; With the new CLAs, companies will have to agree on instructions for processors that can relate to the service provider`s standard technical specifications. In addition, companies must document “transfer impact assessments” under Clause 14 in order to implement the requirements announced by the Court of Justice of the European Union in its “Schrems II” decision and extended by the European Data Protection Board in its final recommendations of 18 June. Several German data protection authorities have started to audit German companies with questionnaires and ask questions such as: “If you have come to the conclusion that the recipient can indeed ensure compliance with the contractual obligations arising from the CBCs, please describe in detail the reasons for this conclusion and provide appropriate evidence.” Service providers located outside the EEA should proactively prepare information for such assessments in order to make their offers legally usable for EEA customers. `data importer` means the processor who agrees to receive from the data exporter personal data intended after the transfer in accordance with its instructions and the provisions of the clauses relating to processing on its behalf and which is not subject to the system of a third country which ensures adequate protection within the meaning of Article 25, paragraph 1 of Directive 95/46/EC; We have developed this diagram to help you understand these data exchange agreements and when they are necessary for your proposed assignments. Please note that this table is only a guide and may not match all the confidentiality agreements you come across. Before entering into such an agreement, please contact us at privacy@drexel.edu. We`re here to help, and remember, it`s good to ask! b. Accordingly, in accordance with clause 11 of those clauses, the data exporter gives the data importer its general consent to engage other sub-processors.

This consent is subject to the condition that the data importer complies with the requirements set out in the “Notification and objection for new sub-processors” section of the DPA. (d) after examining the requirements of the applicable data protection legislation, security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against any other unlawful form of processing, and that these measures guarantee a level of security; which is proportionate to the risks associated with the processing and the nature of the data to be protected, taking into account the state of the art and the cost of its implementation; If a transfer agreement is performed separately from the main service contract, the interaction with the main agreement must be carefully weighed. .