Fair Isaac Data Processing Addendum
Last Updated: October 9, 2023
This Fair Isaac Data Processing Addendum (“DPA”) forms part of the Agreement between Fair Isaac and Client under which Fair Isaac provides to Client the services described in the Agreement (the “Services”). This DPA applies to the extent that Fair Isaac Processes Client Personal Data (as defined herein) in connection with providing the Services to Client under the Agreement. In the event of a conflict between the terms of the Agreement (and any attachments thereto) and this DPA, the terms of this DPA shall prevail. Unless defined in this DPA, capitalized terms will have the same meanings stated in the Agreement and except where otherwise indicated, the term “Client” shall include Client and its Authorized Affiliates.
1. Definitions
“Agreement” collectively means the agreement between Client and Fair Isaac that references this DPA and pursuant to which Fair Isaac provides Services to the Client, and all related orders, order forms, subscriptions, statements of work, work orders, purchase orders, amendments and other attachments to such agreement.
“Applicable Data Protection Laws” means the European Union General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act of 2018 and the UK General Data Protection Act (“UK GDPR”), the Brazil General Data Protection Law, Federal Law #13,709/2018 (“LGPD”), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100, et seq. (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), and/or such other data protection or privacy laws of other countries or jurisdictions to the extent applicable to the Processing of Personal Data under the Agreement.
“Authorized Affiliate” means a Client Affiliate that is authorized to use the Services under the Agreement and that has not signed its own separate agreement for Services from Fair Isaac.
“Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
“Client Personal Data” means any Personal Data that is submitted by or on behalf of Client under the Agreement in connection with the Services.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
“Deidentified Data” means Personal Data that has been stripped of all direct identifiers or is otherwise in a form that does not identify and cannot be used to identify a natural person.
“Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular natural person, or as otherwise defined under Applicable Data Protection Laws. Personal Data includes, to the extent applicable, “personal data” as defined under the GDPR, the UK GDPR, and the LGPD; “personal information” as defined under the CCPA; “nonpublic personal information” as defined under the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq.; and “cardholder data” as defined by the Payment Card Industry (PCI) Security Standards Council. Personal Data does not include Deidentified Data.
“Personal Data Breach” means a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“Processing” or “Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity that Processes Personal Data on behalf of the Controller and includes a “service provider” as defined under the CCPA.
“Regulatory Authorities” means any government agency or regulatory authority responsible for supervision or enforcement of a law, statute, or regulation applicable to the security or privacy of Client Personal Data.
“Sensitive Personal Data” means Personal Data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or other similar Personal Data that is defined as “special personal data” or “sensitive personal data” or an equivalent term under Applicable Data Protection Laws.
“Subprocessor” means any other Processor engaged by Fair Isaac (including any Fair Isaac Affiliate) to Process Client Personal Data.
2. Processing Client Personal Data
2.1. Subject Matter and Nature and Purpose of Processing. In connection with Fair Isaac providing the Services to Client under the Agreement, Client or third parties acting on behalf of Client may submit Personal Data for Processing by Fair Isaac. Fair Isaac may host, store, compute, transmit, or otherwise Process Client Personal Data for the purpose of providing the Services to Client under the Agreement.
2.2. Roles of the Parties. Fair Isaac shall act as Processor and Client shall act as Controller with respect to any Client Personal Data Processed by Fair Isaac.
2.3. Duration of Processing. Fair Isaac will Process Client Personal Data for the duration of the Agreement or as otherwise instructed by Client or agreed in writing by the parties.
2.4. Categories of Data Subjects. The categories of Data Subjects are determined by Client as set out in Section B of Exhibit 1 to this DPA. If the Client has not completed Section B of Exhibit 1 to this DPA then the Client shall be deemed to have declared that the categories of data subjects include: (i) Client’s employees, consumers, customers, and/or end-users; (ii) Client’s Authorized Users; and (iii) other individuals whose Personal Data is included in Client Personal Data consistent with the terms, scope, and purpose of the Agreement.
2.5. Types of Personal Data. The types of Client Personal Data are determined by Client and are set out in more detail in Section B of Exhibit 1 to this DPA. If the Client has not completed Section B of Exhibit 1 to this DPA then the Client shall be deemed to have declared that the types of Personal Data may include, but are not limited to, the following types of Personal Data: (i) name, business address, title, contact details; and (ii) IP address and cookies data; and (iii) any other Personal Data processed in the course of the Services as Client Personal Data consistent with the terms, scope, and purpose of the Agreement.
2.6. Processing Instructions. Fair Isaac will Process Client Personal Data only as instructed by Client as set forth in the Agreement or other written instructions and as permitted under Applicable Data Protection Laws. If Fair Isaac receives Deidentified Data from or on behalf of Client, or creates Deidentified Data at Client’s instruction or with Client’s permission, Fair Isaac will (i) take reasonable measures to ensure the Deidentified Information cannot be associated with a Data Subject or household, (ii) commit to maintain and use the Deidentified Data in deidentified form, and (iii) not attempt to reidentify the Deidentified Data except for the sole purpose of determining whether the Fair Isaac’s deidentification processes (assuming that Fair Isaac was responsible for deidentification) satisfy the requirements of Applicable Data Protection Laws.
3. Obligations of Controller. Client acknowledges that it determines and controls the categories and types of Client Personal Data submitted for Processing by Fair Isaac. Client represents and warrants that (i) Client will only submit for Processing by Fair Isaac Client Personal Data that is consistent with the terms, scope, and purpose of the Agreement, (ii) Client has provided all disclosures and obtained all consents required under Applicable Data Protection Laws, and (iii) Client is authorized and permitted under Applicable Data Protection Laws to submit the Client Personal Data for Processing by Fair Isaac. In no event will Client submit Sensitive Personal Data for Processing by Fair Isaac without prior notice to Fair Isaac and prior authorization from Fair Isaac.
4. Obligations of Processor. Fair Isaac shall comply with Applicable Data Protection Laws and provide the same level of protection to Client Personal Data as is required under Applicable Data Protection Laws. Fair Isaac shall immediately notify Client if Fair Isaac determines that it can no longer meet its obligations to comply with Applicable Data Protection Laws. Fair Isaac will Process Client Personal Data only as permitted under the Agreement, as instructed by Client in accordance with Section 2.6 of this DPA, or as otherwise permitted under Applicable Data Protection Laws. Fair Isaac will not: (i) sell any Client Personal Data; (ii) collect, use, disclose, share, or retain any Client Personal Data for any purpose (including for a commercial purpose) other than for the limited and specific purpose of providing the Services under the Agreement or as otherwise permitted by Applicable Data Protection Laws; (iii) collect, use, disclose, share, or retain any Client Personal Data outside of the direct business relationship with Client other than as permitted under Applicable Data Protection Laws; or (iv) combine any Client Personal Data with any Personal Data that Fair Isaac receives from or on behalf of any person or entity other than Client, or that Fair Isaac collects from its own interactions with Data Subjects, other than as permitted under Applicable Data Protection Laws. Fair Isaac acknowledges and certifies that it understands and shall comply with the restrictions set forth in this Section 4.
5. Confidentiality. Fair Isaac will keep the Client Personal Data confidential and will not disclose it to any third parties without prior notice to and authorization from Client, except as necessary to provide the Services under the Agreement, as otherwise permitted under the Agreement, or as permitted under Applicable Data Protection Laws or other applicable law. Fair Isaac will limit access to Client Personal Data to those Fair Isaac personnel who are necessary for the Processing and will require that such Fair Isaac personnel protect the confidentiality of Client Personal Data pursuant to the terms of this DPA.
6. Security. Fair Isaac will implement and maintain reasonable technical and organizational measures that are designed to provide the level of security for the Processing of Client Personal Data that is appropriate to the general risks involved in the Processing, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the Client Personal Data. The measures implemented and maintained by Fair Isaac under this Section 6 shall include those measures set forth in the Agreement and the Fair Isaac Information Security Agreement set out in the Agreement.
7. Subprocessing
7.1. Authorization. Client hereby provides general written authorization for Fair Isaac to engage any Subprocessors listed in the Agreement and/or on the list maintained at https://www.fico.com/en/subprocessors (and any successor webpage designated by Fair Isaac with notice to Client) (the “Webpage”). Fair Isaac will enter into written contracts with any Subprocessors that impose obligations that are substantively the same as those required of Fair Isaac under this DPA. Fair Isaac will remain fully responsible to Client for any breach of this DPA that is caused by the act or omission of any Subprocessor, but only to the extent that Fair Isaac would have been liable for such act or omission had it been caused by Fair Isaac.
7.2. Changes and Objections. Fair Isaac may appoint a new or replace an existing Subprocessor by updating the list on the Webpage. The Client will sign up on the Webpage to receive electronic notifications of updates to the list by selecting Subscribe on the Webpage. The Client may object to Fair Isaac’s appointment of a new or replacement Subprocessor on reasonable grounds relating to data protection by notifying Fair Isaac in writing by email to privacyteam@fico.com within ten (10) calendar days after receiving notice pursuant to this Section. In such event, Fair Isaac shall either: (a) work with the Client to address the Client’s objections to its reasonable satisfaction; or (b) instruct the Subprocessor to not process Client Personal Data; or (c) notwithstanding anything to the contrary in the Agreement, notify the Client of its option to terminate this Agreement and this DPA within fourteen (14) calendar days of Fair Isaac’s notification. If the Client does not object within ten (10) calendar days following an update to the list, then the addition of any new or replacement of any Subprocessor shall be deemed accepted by the Client.
8. Data Subject Requests. Client agrees to maintain sufficient resources for Client to independently meet its obligations to respond to: (i) any request from a Data Subject exercising any rights under Applicable Data Protection Laws (including rights of access, correction, objection, erasure, and data portability, as applicable); and (ii) any other correspondence, inquiry, or complaint received from, about, or on behalf of a Data Subject. In the event that Client is unable to respond independently because Fair Isaac is in possession of relevant information that is not also in the possession of Client, Fair Isaac will provide commercially reasonable assistance to Client in connection with Client’s response. In the event that any such request, correspondence, inquiry, or complaint is made directly to Fair Isaac, Fair Isaac will promptly inform Client.
9. Personal Data Breach. Fair Isaac will notify Client within the time period required by applicable law, and in no event more than forty-eight (48) hours, after Fair Isaac becomes aware of any Personal Data Breach affecting Client Personal Data. Fair Isaac will provide reasonable information and cooperation to Client so that Client may fulfill its legal obligations relating to any Personal Data Breach. Fair Isaac will investigate the Personal Data Breach without undue delay and will take all reasonably necessary measures and actions within Fair Isaac’s control to stop and prevent the further effects of such Personal Data Breach, including implementing reasonable additional technical and organizational measures, and will keep Client informed of all material developments relating thereto.
10. Cooperation. Upon reasonable notice from Client, Fair Isaac will provide Client with information in its possession that is reasonably necessary for Client to demonstrate compliance under Applicable Data Protection Laws with respect to Fair Isaac’s Processing of Client Personal Data. The obligations under this Section 10 include, but are not limited to, providing reasonable assistance and cooperation to Client in connection with (i) any data protection impact assessment (DPIA) or similar obligations that may be required under Applicable Data Protection Laws, and (ii) requests from Regulatory Authorities. Client has the right to take reasonable and appropriate steps to help ensure that Fair Isaac Processes Client Personal Data in a manner consistent with Applicable Data Protection Laws, including without limitation, the right, upon notice, to stop and remediate any unauthorized Processing of Client Personal Data.
11. Audits. Upon reasonable notice from Client and subject to an agreed upon non-disclosure agreement between the parties, Fair Isaac will make available (at Client’s sole expense) for inspection or review by Client, and will discuss with Client, summaries of Fair Isaac’s internal audits and testing reports that relate to Fair Isaac’s Processing of Client Personal Data. In addition, upon reasonable notice from Client and upon execution of a written statement of work or other agreement between the parties (including Client’s payment of all fees and expenses incurred by Fair Isaac), Fair Isaac will permit Client’s personnel or third parties acting on Client’s behalf reasonable access to Fair Isaac’s facilities, equipment, processes, and personnel for the purpose of inspecting or auditing the Processing of Client Personal Data by Fair Isaac. Client shall pay for all Fair Isaac’s time spent in connection with these efforts to support Client’s audits contemplated under this DPA at Fair Isaac’s then-current hourly rates, plus any out-of-pocket expenses. In no event shall Client have access to any Personal Data relating to any other Fair Isaac clients.
12. Deletion or Return of Personal Data. To the extent Client Personal Data is within Fair Isaac’s possession and control and Client does not have the ability to retrieve or delete such Client Personal Data, upon termination or expiration of the Agreement, Fair Isaac will (at the election of Client) permanently destroy or return to Client all Client Personal Data in Fair Isaac’s possession or control. Fair Isaac may retain Client Personal Data to the extent permitted by the Agreement or Applicable Data Protection Laws. Any Client Personal Data stored on Fair Isaac backup and archive systems will be destroyed as part of Fair Isaac’s normal data destruction process. If Client requires Fair Isaac to remove specific files from backup systems, Client is responsible for all costs associated with Fair Isaac retrieving, reloading, and deleting such files.
13. International Transfers of Personal Data. The parties will comply with the requirements of Applicable Data Protection Laws with respect to the international transfer of Client Personal Data. To the extent any Client Personal Data is transferred from the country of origination to another country that has not been determined to provide adequate levels of protection of Personal Data by the applicable data protection authority, the parties will enter into and implement appropriate transfer safeguards approved by the applicable data protection authority where required by Applicable Data Protection Laws in accordance with this Section 13.
13.1. International Transfers of EEA Personal Data. For applicable international transfers of Client Personal Data originating in the European Union, European Economic Area and/or their member states (“EEA”) to a third country, the parties agree to implement Module 2 of the Standard Contractual Clauses (“SCCs”) pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, which are set forth in the Commission Implementing Decision (EU) 2021/914 of June 4, 2021 (as may be amended, superseded or replaced by Fair Isaac from time to time). Client will act as “Data Exporter” and Fair Isaac will act as “Data Importer” as those terms are defined in the SCCs. This DPA incorporates the SCCs Module 2 by reference where applicable, and the parties are deemed to have accepted and executed the SCCs Module 2, including the associated annexes. The contents of Annex I of the SCCs Module 2 are included within Exhibit 1 to this DPA. The contents of Annex II of the SCCs are included within Exhibit 2 to this DPA. The parties further agree to the following implementation choices under the SCCs:
(i) Clause 7: The parties choose not to include the optional Docking clause.
(ii) Clause 9(a): The parties choose Option 2, “General Written Authorization” and the process and time period for prior notice of Subprocessor changes shall be as set out in Section 7.2 of this DPA.
(iii) Clause 11(a): The parties choose not to include the optional language relating to the use of an independent dispute resolution body.
(iv) Clause 13: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority. The contents of Annex I.C to the SCCs are included in Exhibit 1 to this DPA.
(v) Clause 17: The parties select Option 1 and specify the law of Ireland.
(vi) Clause 18(b): The parties specify the courts of Ireland.
13.2. International Transfers of Swiss Personal Data. For applicable international transfers of Client Personal Data originating in Switzerland to a third country, the parties agree to implement Module 2 of SCCs, with Client acting as Data Exporter and Fair Isaac as Data Importer, along with the necessary modifications promulgated by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”). The parties incorporate and adopt the SCCs Module 2 as to applicable international transfers of Swiss Personal Data in exactly the same manner set forth in Section 13.1 above, subject to the following:
(i) Clause 13: The FDPIC shall be the competent supervisory authority.
(ii) Clause 18: The parties’ selection of forum and jurisdiction may not be construed as forbidding Data Subjects in Switzerland from suing for their rights in Switzerland.
13.3. International Transfers of UK Personal Data. For applicable international transfers of Client Personal Data originating in the United Kingdom (“UK”) to a third country, the parties agree to implement Module 2 of SCCs, with Client acting as the Data Exporter and Fair Isaac as the Data Importer, as modified by the mandatory clauses in the addendum (available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf and any successor or related locations designated by UK Information Commissioner’s Office (“ICO”)) (“UK Transfer Addendum”), which is incorporated herein by this reference. The information required by Table 1 and Table 3 of the UK Transfer Addendum are included within Exhibit 1 to this DPA. As to Table 4 in the UK Transfer Addendum, the parties select both Importer and Exporter with respect to termination of the UK Transfer Addendum under the conditions set out in Section 19 of the UK Transfer Addendum. The parties adopt the SCCs Module 2, as modified by the UK Transfer Addendum, as to applicable international transfers of UK Personal Data in exactly the same manner set forth in Section 13.1 above, subject to the following:
(i) Clause 13: The ICO shall be the competent supervisory authority.
(ii) Clause 17: The SCCs, as modified by the UK Transfer Addendum, shall be governed by the laws of England and Wales.
(iii) Clause 18: The parties agree that any dispute arising from the SCCs, as modified by the UK Transfer Addendum, shall be resolved by the courts of England and Wales. A UK Data Subject may also bring legal proceedings against the Data Exporter and/or Data Importer before the courts of any country in the UK. The parties agree to submit themselves to the jurisdiction of such courts.
13.4. Where the SCCs apply pursuant to Sections 13.1, 13.2 and 13.3 of this DPA, this Section sets out the parties’ interpretations of their respective obligations under specific provisions of the SCCs, as identified below. Where a party complies with the interpretations set out below, that party shall be deemed by the other party to have complied with its commitments under the SCCs:
(a) where the Client is itself a Processor of Personal Data acting on behalf of a third party controller and Fair Isaac would be otherwise be required to interact directly with such third party controller (including notifying or obtaining authorizations from such third party controller), Fair Isaac may interact solely with the Client and the Client shall be responsible for forwarding any necessary notifications to and obtaining any necessary authorizations from such third party controller;
(b) the certification of deletion described in in Clause 16(d) of the SCCs shall be provided by Fair Isaac to the Client upon Client’s formal written request;
(c) for the purposes of Clause 15(1)(a) of the SCCs, Fair Isaac shall notify the Client and not the relevant Data Subject(s) in case of government access requests, and the Client shall be solely responsible for notifying the relevant Data Subjects as necessary; and
(d) taking into account the nature of the Processing, the Client agrees that it is unlikely that Fair Isaac would become aware of Personal Data processed by Fair Isaac being inaccurate or outdated. To the extent Fair Isaac becomes aware of such inaccurate or outdated Personal Data, Fair Isaac will inform the Client in accordance with Clause 8.4 of the SCCs.
13.5. Alternative Transfer Mechanisms. If and to the extent that a court of competent jurisdiction or a supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer Client Personal Data to Fair Isaac, then the parties shall reasonably cooperate to agree to take any actions that may be reasonably required to implement additional measures or an alternative transfer mechanism that enables the lawful transfer of such Client Personal Data.
14. General
14.1. This DPA may not be modified except by subsequent written agreement of the parties.
14.2. This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
14.3. The obligations placed upon each party under this DPA and the SCCs shall survive so long as Fair Isaac Processes Client Personal Data on behalf of the Client.
14.4. If any party of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
14.5. Fair Isaac’s obligations set forth in this DPA shall also extend to Authorized Affiliates, subject to the following conditions: (a) the Client is solely responsible for communicating any processing instructions on behalf of its Authorized Affiliates; (b) the Client shall be responsible for Authorized Affiliates’ compliance with this DPA and all acts and/or omissions by an Authorized Affiliate with respect to the Client’s obligations under this DPA; and (c) if an Authorized Affiliate seeks to assert a legal demand, action, suit, claim, proceeding or otherwise against Fair Isaac (“Authorized Affiliate Claim”), the Client must bring such Authorized Affiliate Claim directly against Fair Isaac on behalf of such Authorized Affiliate, unless Applicable Data Protection Laws require the Authorized Affiliate be a party to such claim, and all Authorized Affiliate Claims shall be considered claims made by Client and shall be subject to any liability restrictions set forth in the Agreement, including any aggregate limitation of liability.
14.6. Notwithstanding anything to the contrary in the Agreement or this DPA and to the maximum extent permitted by law, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including all Exhibits hereto), the SCCs or any data protection agreements in connection with the Agreement (if any), whether in contract, tort or under any other theory of liability, shall remain subject to the limitation of liability Article of the Agreement (without, for the avoidance of doubt, giving effect to any exclusions or exceptions to such Article that would render such limitation inapplicable) and any reference in such Article to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA, including all Exhibits hereto.
14.7. This DPA is subject to change by Fair Isaac at any time by posting a revised version on the https://www.fico.com/en/legal website (“FICO Website”) or by otherwise providing written notice of such changes to Client. Any changes to this DPA will be in effect as of the “Last Updated” date referenced on the FICO Website or in the written notice, as applicable. Client has reviewed and assents to this DPA, and Client’s continued use of the Services after the “Last Updated” date shall constitute Client’s acceptance of and agreement to all such changes.
Exhibit 1 to Fair Isaac Data Protection Addendum
Details of Processing for International Transfer of Personal Data
A. LIST OF PARTIES:
Data Exporter:
| Name: | The entity noted as the “Client” in the Agreement. |
| Address: | The address associated with the Client’s account, or as otherwise specified in the Order Form or the Agreement. |
| Contact Person: | The contact details associated with the Client’s account, or as otherwise specified in the Order Form or the Agreement. |
| Activities Relevant to Transferred Data: | The receipt of the Services from Data Importer under the Agreement. |
| Role: | Controller and Data Exporter |
Data Importer:
| Name: | The entity defined as “Fair Isaac,” “FICO” or “FIC” in the Agreement. |
| Address: | The address specified for Fair Isaac, FICO or FIC in the Agreement. |
| Contact Person: | Vickie Miller, Data Protection Officer, privacyteam@fico.com |
| Activities Relevant to Transferred Data: | The provision of the Services to Data Exporter under the Agreement. |
| Role: | Processor and Data Importer |
B. DESCRIPTION OF TRANSFER:
| Subject Matter of the Processing: | See Section 2.1 of DPA. |
| Nature and Purpose of Processing: | See Section 2.1 of DPA. |
| Duration of Processing: | See Section 2.3 of DPA. |
| Categories of Data Subjects: | Data Subjects include individuals about whom data is provided to Fair Isaac via the Services (by or at the direction of the Client), which shall include: …………………………………………………………………………………… …………………………………………………………………………………… If the Client has not filled this Section out, then see Section 2.4 of DPA. |
| Categories of Personal Data: | The categories of Personal Data are determined by and controlled by the Client in its sole discretion, and may include, but are not limited to: …………………………………………………………………………………… …………………………………………………………………………………… If the Client has not filled this Section out, then see Section 2.5 of DPA. |
| Special Categories of Personal Data: | It is not expected that the Client will include any ‘Special Categories of Personal Data’ in Client Personal Data, but subject to any applicable restrictions and/or conditions in the Agreement and this DPA (with specific reference to Section 3 DPA), the Client may include ‘Special Categories of Personal Data’ or similarly Sensitive Personal Data in Client Personal Data, the extent of which is determined by and controlled by the Client in its sole discretion. |
| Frequency of the Transfer: | Regular and repeating as determined by Data Exporter for as long as the Data Exporter uses the Services. |
| Retention Criteria: | Data Exporter shall control how long Client Personal Data is retained by Data Importer. Data Importer will retain Client Personal Data only for as long as the Data Exporter uses the Services or as permitted under the Agreement and Applicable Data Protection Laws. |
| Subject Matter, Nature, and Duration of Sub-processor Processing: | Any transfer by Data Importer to approved Subprocessors will be solely for the purpose of Data Importer providing the Services to Data Exporter pursuant to the Agreement and for no other purpose. Approved Subprocessors will Process and retain Client Personal Data only to the extent necessary for Data Importer to provide the Services to Data Exporter and only for as long as necessary for Data Importer to provide the Services to Data Exporter under the Agreement, or as instructed by Data Exporter. |
C. COMPETENT SUPERVISORY AUTHORITY:
The competent supervisory authority is set forth in the relevant subparts of Section 13 of the DPA.
Exhibit 2 to Data Protection Addendum
Technical and Organizational Security Measures for International Transfer of Personal Data
The technical and organizational measures implemented by the Data Importer are set forth in the Agreement and/or the Fair Isaac Information Security Agreement attached to or referenced in the Agreement.