|
E204 (Products and Services)
<br />REV: 07-22-25 MI
<br />February 14, 2025
<br />iii. If Esri Processes Personal Data provided by Customer that is subject to the GDPR and Esri is established in, or transfers or makes accessible any Personal Data to any subprocessors in a country that does not ensure adequate data privacy safeguards are in place within the meaning of GDPR, then Esri will enter into the standard contractual clauses with Customer as set forth in Attachment 1 of this Addendum ("SCCs") or ensure that adequate data privacy safeguards are in place, such as binding corporate rules or the Data Privacy Framework certification. If applicable, each party's signature to this Addendum shall be considered a signature to the SCCs. If a subprocessor is a Data Importer (as that term is used in such SCCs), Esri shall either (a) enter into contractual obligations with subprocessor, where such obligations contain adequate privacy safeguards in accordance with GDPR, or (b) enter into the SCCs with Customer on behalf of such data importer. In the event the transfer is covered by more than one transfer mechanism, the transfer of personal data will be subject to a single transfer mechanism, as applicable, and in accordance with the following order of precedence: (a) the Data Privacy Framework; (b) the SCCs; and if neither of the preceding is applicable, then (c) other alternative data transfer mechanisms permitted under applicable Privacy Laws will apply.
<br />iv. Esri will not share, transfer, disclose, or otherwise provide access to any Personal Data to any third party, or contract any of Esri's rights or obligations concerning Personal Data to a third party, unless Customer has authorized Esri to do so in writing, except as required by law. Where Esri, with the consent of Customer, provides to a third party access to Personal Data or contracts such rights or obligations to a third party, Esri will, with each third party, (a) enter into a written agreement that imposes obligations on the third party that are consistent with the GDPR, CCPA, and the other Privacy Laws; (b) transfer the Personal Data to the third party only for the limited and specified purposes as instructed by Customer; (c) require the third party to notify Esri if the third party determines that it can no longer meet its obligation to provide the same level of protection as is required by the applicable Privacy Laws; and (d) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized Processing. Customer hereby provides its consent for Esri to use subprocessors as necessary to provide the services including, but not limited to, Microsoft Corporation; Amazon Web Services, Inc.; Salesforce, Inc.; and Akamai Technologies (including their affiliates) and Esri's technical support vendors. To the extent that Esri makes any changes with regard to the use of its subprocessors, it shall inform Customer and provide Customer with the right to object to such change. To the extent Customer has a reasonable objection to such change in subprocessors, the parties shall cooperate to address the objection in a reasonable manner.
<br />v. Esri will promptly inform Customer in writing of any requests with respect to Personal Data received from Customer's customers, consumers, employees, or other associates. Customer will be responsible for taking action on and responding to any such request, but Esri will reasonably cooperate with Customer to address any such request or a request by an individual about whom Esri holds Personal Data for access, rectification, objection, portability, restriction, erasure, or export of that individual's Personal Data. For clarity, Customer is a Controller of Named User Credentials, as defined in the Master Agreement. Customer is solely responsible for taking action on and responding to any data subject requests associated with Named User Credentials.
<br />vi. Taking into account the state of the art; the costs of implementation; and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity of the rights and freedoms of natural persons, Esri will implement appropriate technical and organizational measures to protect the Personal Data from loss; misuse; and unauthorized access, disclosure, alteration, and destruction. Such measures are set forth in Annex II of Attachment 1. To this effect, Esri will limit internal access to Personal Data so that it is only accessible on a need-to-know basis to fulfill Esri's performance of services for or on behalf of Customer, by personnel who have agreed to comply with privacy and security obligations that are substantially similar to those required by this Addendum.
<br />vii. Subject to applicable law, Esri will notify Customer immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Customer may, if it so chooses, seek a protective order, and Esri will reasonably cooperate with Customer in such action, provided Customer reimburses Esri for all costs, fees, and legal expenses associated with the action. Esri will have the right to approve or reject any settlements that affect Esri.
<br />ATTY/AGR.2025.178/Environmental Systems Research Institute, Inc.(ESRI Agreement for Services) (Page 25 of 31)
|