Teradata Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of, and is subject to, any written or electronic terms of service or agreement (the “Agreement”) between the Teradata entity that is a party to such Agreement (“Teradata” or “we” or “us”) and you as the legal entity defined as Customer, together with any of your Permitted Affiliates who are signatories to, or beneficiaries under, the Agreement (collectively, for purposes of this DPA, “Customer” or “you”, and together with Teradata, the “Parties”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

1 Definitions

1.1 “Affiliate(s)” means any entity which directly or indirectly controls, is controlled by, or is under common control with, the subject entity.

1.2 “California Personal Information” means Personal Data that is subject to the protection of, and as defined under, the CPRA.

1.3 “Consumer”, “Business”, “Sell”, “Service Provider” and “Share” will have the meanings given to them in the CPRA.

1.4 “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.5 “CPRA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Privacy Rights Act of 2020 or the California Consumer Privacy Act), as may be amended, repealed, consolidated, or replaced from time to time.

1.6 “Customer Confidential Data” means all proprietary information disclosed by Customer to Teradata related to this Agreement, Teradata’s products or services, or an Order, including, without limitation, technologies, methodologies, business plans, business records, requests for proposals (“RFPs”), requests for information (“RFIs”), responses to RFPs and/or RFIs, bids, pricing, and discussions regarding potential future business between the parties.

1.7 “Customer Data” means all data uploaded by Customer to the Teradata Vantage Platform.

1.8 “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party as they relate to Processing Personal Data under the Agreement, including without limitation European Data Protection Laws, US Data Protection Laws, as defined below, and the data protection and privacy laws of Canada, Australia, Brazil, and Singapore; in each case as amended, repealed, consolidated, or replaced from time to time. In no event will Data Protection Laws or this DPA include or cover any industry-specific regulation.

1.9 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

1.10 “DPA Effective Date” means the earlier of (i) the effective date of the Agreement; or (ii) the date (x) when Customer clicks a “Create Contract” check box or similar button that includes a link to these terms on the marketplace of a Cloud Platform if applicable; or (y) last signature date of this DPA.

1.11 “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

1.12 “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

1.13 “European Data Protection Laws” means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance (“Swiss DPA”); and (v) the UK GDPR and the Data Protection Act 2018; in each case, as may be amended, superseded or replaced.

1.14 “Instructions” means the written, documented instructions issued by a Controller to a Processor that direct the same to perform a specific or general action regarding Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

1.15 “Permitted Affiliates” means any of your Affiliates that (i) are permitted to use the Services pursuant to the Agreement but have not signed their own separate agreement with Teradata and are not a “Customer”, as defined under the Agreement, and that (ii) qualify as a Controller of Personal Data Processed by Teradata.

1.16 “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data, including all “personal data”, “personal information”, or “personally identifiable information” as defined under applicable Data Protection Laws.

1.17 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Services. “Personal Data Breach” will not include unsuccessful attempts or activities that do not lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

1.18 “Data Privacy Framework” means the EU-U.S., Swiss-US and UK-US Data Privacy Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission, and when approved by the Swiss Federal Council and the UK, respectively; as may be amended, superseded, or replaced.

1.19 “Data Privacy Framework Principles” means the Data Privacy Framework Principles issued by the U.S. Department of Commerce, including Supplemental Principles and Annex 1 of the Principles; as may be amended, superseded, or replaced.

1.20 “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Data, whether or not by automated means. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

1.21 “Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

1.22 “Purposes” means (i) Teradata’s provision of the Services as described in the Agreement and this DPA; and (ii) further documented, reasonable Instructions, if any, from Customer agreed upon by the Parties.

1.23 “Service(s)” means any Teradata services or products to the extent that they conduct Processing on behalf of Customer, including any services under any master services agreement or cloud services under any cloud service agreement.

1.24 “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 Module Two: Transfer Controller to Processor (C2P), found at ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, as may be amended, superseded, or replaced, as well as the standard contractual clauses required under applicable Data Protection Laws.

1.25 “Sub-Processor” means any Processor engaged by us or Teradata Affiliates to assist in fulfilling our obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or Teradata Affiliates but will exclude any Teradata employee or consultant.

1.26 “UK Clauses” means the UK International Data Transfer Agreement VERSION A1.0, in force 21 March 2022, as may be amended, superseded or replaced.

1.27 “US Data Protection Laws” means any data protection or data privacy law or regulation of any state in the US applicable to your Customer Data, including: (i) CPRA; (ii) Virginia Consumer Data Privacy Act; (iii) Colorado Privacy Act and related regulations; (iv) Connecticut Act Concerning Personal Data Privacy and Online Monitoring; and (v) Utah Consumer Privacy Act.

1.28 “Usage Data” means any data that Teradata may collect and use regarding Customer’s use of Teradata’s Services to the extent that such Usage Data is used to develop, improve, support, and operate such Services.

2 Scope and Applicability of this DPA

This DPA applies where and only to the extent that Teradata Processes Personal Data on your behalf in the course of providing the Services.

3 Roles and Scope of Data Processing

3.1 Teradata as a Processor. The parties acknowledge and agree that Teradata is conducting such Processing on your behalf, and therefore you are the Controller and Teradata is the Processor as such Processing pertains to Customer Data.

3.2 Teradata as a Controller. To the extent any Customer Confidential Information or Usage Data is considered personal data under applicable Data Protection Laws, Teradata is the Data Controller of such data and shall Process such data in accordance with applicable Data Protection Laws and our Privacy Statement and Privacy Policy.

3.3 Compliance with Laws. The parties shall each comply with their respective obligations under the Data Protection Laws applicable to them or the Services they provide. In your acquisition of the Services, you shall have all necessary rights to Process, and will process, Personal Data only in accordance with Data Protection Laws.

3.4 Compliance with Instructions. The parties agree that the Agreement (including this DPA), together with your use of the Service in accordance with the Agreement, constitute your complete Instructions to us in relation to the Processing of Personal Data, so long as you may provide additional instructions to be agreed upon in writing during the Term that are consistent with the Agreement, the nature and lawful use of the Service. We will only Process Personal Data for the Purposes described in this DPA or as otherwise agreed within the scope of your lawful Instructions, except where and to the extent otherwise required by applicable law. Should we reasonably believe that a specific Processing activity beyond the scope of your Instructions is required to comply with a legal obligation to which we are subject, we will inform you of that legal obligation and seek explicit authorization from you before undertaking such Processing.

3.5 Conflict of Laws. If we become aware that we cannot Process Personal Data in accordance with your Instructions due to a legal requirement under any applicable law, we will (i) promptly notify you of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new Instructions with which we are able to comply.

3.6 Details of Processing. Specific details of Data Processing, including subject-matter, duration, nature and purpose of the Processing, Data Subjects and categories of data are defined in principle in the Agreement and in detail in Annex 1. Teradata’s Privacy Statement can be viewed on Teradata’s website www.teradata.com. In the event of any inconsistency or conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

4 Security

We will implement and maintain appropriate technical and organizational measures generally accepted in the IT security industry as adequate given the circumstances to protect Personal Data from Personal Data Breaches, as described at https://www.teradata.com/Privacy/Data-Processing-Addendum/Security-Measures (“Security Measures”). Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures. You are responsible for determining whether the Security Measures provided for in the Service are appropriate to provide a level of security appropriate to the particular content of the Customer Personal Data, such as pseudonymizing, aggregating, and backing-up Customer Personal Data, and that the Service adequately meets your obligations under applicable Data Protection Laws. You are also responsible for your secure use of the Service, including protecting the security of Personal Data in transit to and from the Service (including to securely backup or encrypt any such Personal Data).

5 Confidentiality

We will ensure that any personnel who Process Personal Data on our behalf are subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

6 Personal Data Breaches

6.1 We will notify you without undue delay after we become aware of any Personal Data Breach and will provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by you. At your request, we will promptly provide you with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.

6.2 We shall make reasonable efforts to identify the cause of a Personal Data Breach and take those steps as we deem necessary and reasonable in order to remediate the cause of such a Personal Data Breach, to the extent the remediation is within our reasonable control.

6.3 The obligations herein shall not apply to incidents that are caused by Customer.

6.4 Except where such is prohibited or where Teradata has caused the Personal Data Breach, you shall reimburse us for the commercially reasonable costs arising from the provision of such assistance.

7 Deletion or Return of Personal Data

We will, without undue delay, delete or return Customer Data, including Personal Data, upon termination of the Agreement in accordance with the procedure and timeframe specified in the Agreement. We may retain Customer Data, including Personal Data, to the extent and for such period as required by applicable laws and always provided that we will protect the confidentiality of all such Customer Data, including Personal Data, and shall implement technical and operational controls generally accepted in the IT security industry as adequate to ensure that such Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.

8 Data Subject Requests

8.1 Teradata’s on-premises and Cloud Service allows you to retrieve, correct, delete or restrict Personal Data, which you can use to assist you in connection with your obligations under Data Protection Laws, including your obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).

8.2 To the extent that you are unable to independently address a Data Subject Request through the Service, upon your written request, or as required by law, we will provide reasonable assistance to you to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under the Agreement. You shall reimburse us for the commercially reasonable costs arising from this assistance.

8.3 To the extent applicable, we shall notify any service providers, contractors or third parties who may have accessed such Personal Data from or through us, unless the information was accessed by another service provider acting upon your instruction, to delete the consumer’s Personal Data, unless this proves impossible, involves disproportionate effort, or is otherwise prohibited or exempt under applicable Data Protection Laws.

8.4 If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to us, we will promptly inform you and will advise the Data Subject to submit their request to you. You will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

9 Sub-Processors

9.1 Where we engage Sub-Processors, we will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. We will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause us to breach any of our obligations under this DPA.

9.2 You provide us with a general authorization to engage Sub-Processors, subject to Section 9.3 (Changes to Sub-Processors), as well as our current Sub-Processors listed at https://www.teradata.com/Privacy/Data-Processing-Addendum/Sub-Processors (Sub-Processor Site).

9.3 Teradata shall make available on its Sub-Processor Site a mechanism to subscribe to notifications of new Sub-Processors. Teradata shall provide such notification to those emails that have subscribed at least thirty (30) days in advance of allowing the new Sub-Processor to Process Customer Personal Data (the “Objection Period”). During the Objection Period, any objections to the new Sub-Processor must be provided in writing. In the event of reasonable objections based on data protection reasons, the Parties will discuss those objections in good faith. If it can be reasonably demonstrated to Teradata that the new Sub-Processor is unable to Process Customer Personal Data in compliance with the terms of this DPA and Teradata cannot provide an alternative Sub-Processor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, you may be entitled to terminate this DPA. Where you fail to object to such addition within such period of time, you will be deemed to have consented to such addition.

9.4 Data Transfers. You acknowledge and agree that we may access and Process Personal Data on a global basis as necessary to provide the Service in accordance with the Agreement, and in particular that Personal Data may be transferred to and Processed by Teradata Operations, Inc. in the United States and to other Teradata Affiliates in other jurisdictions where Teradata Affiliates and Sub-Processors have operations. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

9.5 Transfers from Europe

9.5.1 Teradata shall not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws) unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data, to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws, or to a recipient that has executed appropriate standard contractual clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.

9.5.2 Data Privacy Framework: Teradata has self-certified to the Data Privacy Framework and will process European Data in compliance with the Data Privacy Framework Principles and let you know if it is unable to comply with this requirement. Any new Data Privacy Framework or equivalent agreement that may be reached between the EU and the USA and/or Switzerland and the USA, and/or if applicable the UK and the USA, shall be deemed applicable to this DPA and the Agreement with immediate effect, unless Teradata notifies you to the contrary, and will govern applicable transfers instead of the Standard Contractual Clauses (or if applicable, any UK equivalent).

9.5.3 Standard Contractual Clauses: The Parties, including their respective Affiliates, agree to abide by and process European Data in compliance with the Standard Contractual Clauses. Optional Clause 7 in Section I of the SCCs is incorporated and Permitted Affiliates and/or Teradata Affiliates may accede to this DPA and the SCCs under the same terms and conditions as Customer and/or Teradata, via mutual written agreement of the Parties.

9.5.4 The parties agree that for the purposes of the Standard Contractual Clauses, (i) Teradata Operations, Inc., or the applicable Teradata Affiliate as the case may be, will be the “data importer” and Customer will be the “data exporter” (on behalf of itself and Permitted Affiliates); (ii) the Annexes of the Standard Contractual Clauses shall be deemed populated with the relevant information set out in Annex 1 and the Security Measures, and where applicable other provisions, of this DPA; (iii) where the Teradata contracting entity under the Agreement is not Teradata Operations, Inc., such contracting entity (and not Teradata Operations, Inc.) will remain fully and solely responsible and liable to you for the performance of the Standard Contractual Clauses by Teradata Operations, Inc., and you will direct any instructions, claims or enquiries in relation to the Standard Contractual Clauses to such contracting entity; and (iv) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.

9.5.5 Transfers out of Switzerland 

a) This Section 9.5.5 amends the Standard Contractual Clauses to the extent necessary so they operate for transfers made by the data exporter to the data importer, to the extent that the Swiss Data Processing Act applies to the data exporter’s processing when making that transfer.

b) The Standard Contractual Clauses shall be amended with the following modifications:

c) references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA (as applicable);

d) references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss DPA;

e) references to Regulation (EU) 2018/1725 shall be removed;

f) references to "EU", "Union" and "Member State" shall be replaced with references to "Switzerland";

g) Clause 13(a) and Part C of Annex I are not used and the "competent supervisory authority" shall be the Swiss Federal Data Protection Information Commissioner;

h) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection Information Commissioner" and "applicable courts of Switzerland";

i) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland (as applicable); and

j) to the extent the Swiss DPA applies to the Processing, Clause 18 shall be replaced to state: “Any dispute arising from these Clauses shall be resolved by the competent courts of Switzerland. The Parties agree to submit themselves to the jurisdiction of such courts”.

9.6 Transfers Out of the United Kingdom (“UK”). The UK Clauses, or updated applicable standard data protection clauses issued, adopted or permitted under the UK GDPR from time to time, shall be incorporated by reference, and the annexes, appendices or tables of such clauses shall be deemed populated with the relevant information set out in Annex 1 and the Security Measures, and where applicable other provisions, of this DPA.

9.6.1 If for any reason Teradata cannot comply with its obligations under the Standard Contractual Clauses or UK Clauses or is in breach of any warranties under the Standard Contractual Clauses or UK Clauses, and you intend to suspend the transfer of European Data to Teradata or terminate the Standard Contractual Clauses or UK Clauses, you agree to provide us with reasonable notice to enable us to cure such non-compliance and reasonably cooperate with us to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If we have not or cannot cure the non-compliance, you may suspend or terminate the affected part of the Service in accordance with the Agreement without liability to either party (but without prejudice to any fees you have incurred prior to such suspension or termination).

9.7 Transfers out of Brazil

9.7.1 If and to the extent the Parties engage in a transfer involving Personal Data originating from Brazil and is subject to the permissible under the applicable Data Protection Law, the Brazilian Standard Contractual Clauses are incorporated by reference.


10 Data Protection Assessments

We will provide reasonable assistance to you with any data protection impact assessments, where required by applicable Data Protection Laws.

11 Additional Provisions for European Data

11.1 Scope. This ‘Additional Provisions for European Data’ section shall apply only with respect to European Data.

11.2 Consultation with Supervisory Authorities. We will provide reasonable assistance to you with prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by European Data Protection Laws. Except where such is prohibited, we may make a reasonable charge for the provision of such assistance.

12 Additional Provisions for California Personal Information

12.1 Scope. The “Additional Provisions for California Personal Information” section of the DPA will apply only with respect to California Personal Information.

12.2 Roles of the Parties. When processing California Personal Information in accordance with your Instructions, the parties acknowledge and agree that you are a Business and we are a Service Provider as those terms are defined in the CPRA.

12.3 Responsibilities under the CPRA. The parties agree that:

12.3.1 You shall only disclose California Personal Information to us for the limited purposes set out in this Agreement, and we will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement or as otherwise permitted by the CPRA, including as described in the Teradata Global Privacy Statement;

12.3.2 we shall comply with the applicable obligations under the CPRA, including providing the same or greater level of privacy protection as is required under the CPRA;

12.3.3 consistent with the terms set out in Section 13, or as otherwise required by law, we grant you rights to take reasonable and appropriate steps to help ensure that we use the California Personal Information transferred in a manner consistent with your obligations under the CPRA;

12.3.4 we shall notify you if we make a determination that we can no longer meet our obligations under the CPRA;

12.3.5 we grant you the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of California Personal Information by us; and

12.3.6 we will not share or sell California Personal Information, as defined in the CPRA, nor will we offer financial incentives in exchange for the collection/retention of California Personal Information.

13 Demonstrating Compliance by Inspection or Audit

13.1 Teradata shall (i) make available to Customer for inspection all necessary information, and (ii) allow for and contribute to audits by Customer or a third-party auditor mandated by Customer, to demonstrate compliance with its obligations regarding Processing of Personal Data under this Addendum. Unless applicable law provides otherwise, Customer may only conduct an on-site audit if, and to the extent that, documentation provided by Teradata (such as but not limited to an independent SOC audit report or other documentation detailed under the Agreement) does not contain the information necessary to establish such compliance. Where applicable laws do not require Supplier to facilitate such inspections/audits, Customer has no right to inspect/audit.

13.2 Reasonable advance notice of at least 90 days for any inspection or audit will be provided in writing and will only be conducted during normal working hours and at agreed times. Teradata may make reasonable charges for any inspection/audit, including for any follow up requests and information provided. Customer will not exercise this right more than once per calendar year unless there are reasonable grounds to suspect non-compliance with the DPA.

13.3 Unless otherwise agreed, Customer (or its designated auditor) will not be given (i) direct access to any computer system controlled by Teradata or its Sub-Processors, (ii) any information that could plausibly be used to exploit any vulnerabilities in any Teradata computer system or circumvent any Teradata security controls or measures, or (iii) any data received by Teradata from or on behalf of any other customer, supplier or other third party.

13.4 The parties agree that you will, when reviewing Teradata’s compliance with this DPA pursuant to this ‘Demonstration of Compliance’ section, take all reasonable measures to limit any impact on us and our Affiliates by combining several audit requests carried out on behalf of the Customer entity that is the contracting party to the Agreement and all of its Permitted Affiliates in one single audit.

14 Limitation of Liability

14.1 To the extent not already covered in the Agreement, each party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties) and the Standard Contractual Clauses (only to the extent it is lawful to limit liability under the Standard Contractual Clauses), whether in contract, tort or under any other theory of liability, is limited to i) one million US dollars per occurrence, and subject to an aggregate limit of five million US dollars, or ii) the existing limitation of liability under 'Limitation of Liability' section of the Agreement, whichever is the lower.

14.2 Without prejudice to the Standard Contractual Clauses, neither party will be liable to the other for any indirect, incidental, consequential, special or punitive damages, or for loss of profits or revenue, or loss of time or opportunity, whether in an action in contract, tort, product liability, strict liability, statute, law, equity or otherwise.

14.3 In no event shall either party's liability be limited with respect to any Data Subject's data protection rights under the Standard Contractual Clauses.

15 Parties to this DPA

15.1 Permitted Affiliates. By signing the Agreement, you enter into this DPA (including, where applicable, the Standard Contractual Clauses) on behalf of yourself and in the name and on behalf of your Permitted Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the terms “Customer”, “you” and “your” will include you and such Permitted Affiliates and you hereby represent that you are entitled to do so.

15.2 Remedies. The parties agree that (i) solely the Customer entity that is the contracting party to the Agreement will exercise any right or seek any remedy any Permitted Affiliate may have under this DPA on behalf of its Affiliates, and (ii) the Customer entity that is the contracting party to the Agreement will exercise any such rights under this DPA not separately for each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all Instructions, authorizations and communications with us under the DPA and will be entitled to make and receive any communications related to this DPA on behalf of its Permitted Affiliates.

ANNEX 1: DETAILS OF PROCESSING

A. LISTS OF PARTIES

Data Exporter

Name: The Customer, as defined in the Agreement (on behalf of itself and Permitted Affiliates)

Address: The Customer’s address, as set out in the Order Form

Contact person’s name, position and contact details: The Customer's contact details, as set out in the Order Form and/or as set out in the Customer’s Teradata Account

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer's use of the Teradata Services under the Agreement

Role (controller/processor): Controller

Data Importer

Name: Teradata Operations, Inc.

Address: 17095 Via Del Campo, San Diego, CA 92127 USA

Contact person’s name, position and contact details: Jonathan Steel, Chief Privacy Officer

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer's use of the Teradata Services under the Agreement

Role (controller/processor): Processor

B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is Transferred

You may submit Personal Data in the course of using the Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

  • customers
  • Your prospects
  • Your website visitors
  • Your employees and contractors
  • Your suppliers
  • [please supplement as necessary]

Categories of Personal Data Transferred

You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:

  • email addresses
  • mobile number
  • landline number
  • last name, first name
  • postal address
  • date of birth
  • information showing the opening of received emails; clicks of links within the received emails; IP addresses
  • financial information
  • online behaviour
  • marital status and dependents
  • [please supplement as necessary]

Sensitive Data or Special Categories of Data transferred and applied restrictions or safeguards

The parties do [not] anticipate the transfer of sensitive data.

Frequency of the transfer

The parties do [not] anticipate the transfer of data to be continuous.

Nature of the Processing

Personal Data will be Processed as needed for the Purposes in accordance with the Agreement (including this DPA).

Purpose of the transfer and further processing

We will Process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Services. Such Services may include:

  • Providing, maintaining and supporting the infrastructure of the Teradata data analytics cloud services environment, including support in operations and administration, system performance support and monitoring, system administration, security measures and user security administration and disaster recovery and business continuity services
  • Providing customer services, including support and maintenance of customers’ cloud and on-premise software systems and providing a customer help desk
  • Providing professional services for the Teradata data analytics customers, including consulting, development, implementation, and like tasks

Period for which Personal Data will be retained

Subject to the 'Deletion or Return of Personal Data' section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

C. COMPETENT SUPERVISORY AUTHORITY

For the purposes of the Standard Contractual Clauses, the supervisory authority that shall act as competent supervisory authority is either (i) where Customer is established in an EU Member State, the supervisory authority responsible for ensuring Customer's compliance with the GDPR; (ii) where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU Member State in which Customer's representative is established; or (iii) where Customer is not established in an EU Member State but falls within the extra-territorial scope of the GDPR without having to appoint a representative, the supervisory authority of the EU Member State in which the Data Subjects are predominantly located. In relation to Personal Data that is subject to the UK GDPR or Swiss DPA, the competent supervisory authority is the UK Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable).

List of Teradata Sub-Processors