Mars
DATA PROCESSING POLICY (The "Policy")
1. OVERVIEW
This document sets forth Mars, Inc. and its subsidiaries, including Mars benefit trustees’ (“Mars”) Policy on the acceptable Processing of Personal Data. In particular, it provides detail on the necessary data privacy and security requirements applicable to all suppliers to the extent that they collect, maintain and Process Personal Data. We refer to people covered by this Policy as “Suppliers.”
2. DEFINITIONS
2.1 In this Policy defined terms shall have the meanings set out in the Agreement or as below:
a) “Data Subject,” “Personal Data,” “Processing,” and “Personal Data Breach” shall have the meanings as defined under the European General Data Protection Regulation 2016/679 (“GDPR”);
b) “Data Privacy Legislation” means all laws and regulations, in any jurisdiction of the world, which protect the security of information or privacy rights of individuals, in so far as those laws and regulations apply to the Processing of Personal Data in connection with this Policy;
c) “SCCs” means the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries;
d) “UK Data Transfer Mechanism” shall mean the International Data Transfer Addendum to the SCCs as of 21 March 22 as issued under Section 119A of the UK Data Protection Act 2018;
e) “we”, “Mars”, “us”, “our” means [the entity disclosing the data];
f) “you”, “Mars Vendor” means [the entity receiving the data];
g) “writing,” “written,” where referring to written authorizations, shall include both written and electronic communications.
h) “Policy,” means this Policy and any Agreement(s) to which it applies.
3. DATA PRIVACY
3.1 You shall:
a) Comply with Data Privacy Legislation and assist us in our compliance with Data Privacy Legislation where reasonably requested, including privacy impact assessments and responses to government authorities. Immediately inform us in writing if one of our instructions or assertions of rights under this Policy infringes applicable Data Privacy Legislation. Certain details regarding the Processing are in the agreed upon exhibit(s) as required by Data Privacy Legislation;
b) Only Process the Personal Data in accordance with our documented instructions and Process Personal Data as set forth in the agreed upon exhibit(s) unless otherwise required by Applicable Law, including not Processing, selling, sharing, or otherwise using Personal Data or aggregate data unless Mars provides explicit consent in writing. The details of Processing shall be as set forth in the agreed upon exhibit(s). You shall inform us of that legal requirement before carrying out the required Processing, unless the Applicable Law prohibits such notice;
c) Put in place measures for appropriate access controls to limit access to Personal Data to those who have committed themselves to confidentiality and have received appropriate training;
d) Where the Processing of Personal Data by you (1) relates to Data Subjects located in the European Union, EEA or Switzerland or is otherwise subject to the GDPR and (2) takes place in a country outside the EEA, you are required to execute the SCCs with Mars, it being understood that (1) we shall be the "data exporter" and you shall be the "data importer" (as defined in the SCCs); (2) the general provisions of the SCCs and the relevant provisions relating to Module Two (Controller to Processor personal data transfers) shall be selected as applicable to the parties; (3) in Clause 9 of the SCCs, option 2 (general written authorisation) shall be considered chosen by and applicable to the parties and thirty (30) calendar days shall be the specified time period for changes to the list of subprocessors; (4) in Clause 11 of the SCCs, the optional provision shall not be considered chosen by and applicable to the parties; (5) in Clause 17 of the SCCs, option 2 shall be considered chosen by and applicable to the parties and the governing law shall be the law of the Netherlands; and (6) in Clause 18 of the SCCs, the choice of forum and jurisdiction shall be the law of the Netherlands. The SCCs will not be required if you are located in a country outside the EEA for which the European Commission has decided by means of an adequacy decision that such country, or a territory or specific sector within that country (in case the transfer is made to such territory or specific sector), ensures an adequate level of data protection (as described in Art. 45 GDPR). The details of Processing shall be as set forth in the agreed upon exhibit(s).
e) Where the Processing of Personal Data is subject exclusively to the data protection laws of Switzerland (“Swiss Data Protection Laws”), (1) any general and specific references to the GDPR or European Union or Member State Law in the SCCs shall have the same meaning as the equivalent reference in Swiss Data Protection Laws, as applicable; and (2) any other obligation in the SCCs determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under Swiss Data Protection Laws, as applicable.
f) Where the Processing of Personal Data by you relates to Data Subjects located in the United Kingdom, you agree to the UK Data Transfer Mechanism. You are required to execute the UK Data Transfer Mechanism with Mars, it being understood that (1) in Table 1 of the UK Data Transfer Mechanism, the names and addresses of the parties as defined in the Policy and agreed upon exhibit(s) shall be incorporated into the UK Data Transfer Mechanism, indicating that we shall be the “data exporter” and Controller, and you shall be the “data importer” and Processor; (2) in Table 2 of the UK Data Transfer Mechanism, Module 2 shall be selected, with the information required to complete Module 2 in the agreed upon exhibit(s); (3) in Table 3 of the UK Data Transfer Mechanism, the information required to complete Table 3 is as listed in the Policy and in the agreed upon exhibit(s); and (4) in Table 4 of the UK Data Transfer Mechanism, “exporter” shall be selected. The details of Processing shall be as set forth in the agreed upon exhibit(s).
g) Not subcontract any of your duties under this Policy unless: (i) The subprocessor is listed in the agreed upon exhibit(s), which contains the list of subprocessors approved by us; (ii) the subprocessor is subject to a written agreement which imposes at least the same obligations that are imposed on you under this Policy and agreed upon exhibit(s); and (iii) you have carefully chosen the subprocessor under consideration of the appropriateness of the technical and organizational security measures taken by the subprocessor;
i) If you wish to replace or appoint an additional subprocessor, you shall inform us with at least ten (10) calendar days' prior written notice. We may object to the engagement of such new subprocessor. If we object, the parties shall work together in good faith to agree on a reasonable solution, which may include termination of this Policy without penalty to Mars; and
ii) You are liable for the subprocessor's compliance with the data protection obligations in this Policy. All actions of subprocessors in connection with this Policy are attributable to you;
h) Promptly notify us if you receive a Data Subject request to exercise Data Subject rights, or if you receive a complaint or request relating to Data Privacy Legislation, and assist us insofar as reasonably possible in responding;
i) Allow for audits conducted by us or another mutually agreed upon auditor, with such audits to occur no more frequently than once per calendar year (except where based upon a reasonable belief that you have failed to comply with the terms of this Policy or applicable Data Privacy Legislation) and subject to reasonable security controls and comply with all reasonable requests or directions by us to enable us to verify and/or procure that you are in full compliance with your obligations under this Policy, including making available to us all information necessary to demonstrate compliance with the obligations set forth in this Policy; and
j) Within a reasonable period of time after termination of your provision of Services, at our choice delete or return all the Personal Data to us and provide a suitable certification of return or destruction. You may only retain copies where you are required to do so by Applicable Law and only for so long as required to do so.
4. SECURITY
4.1 You must implement and maintain appropriate technical and organisational measures, to maintain the security of Personal Data, in compliance with Data Privacy Legislation;
4.2 Without undue delay, notify us at the following email address: [email protected] if you know, discover or reasonably believe that there has been a Personal Data Breach; and
4.3 In the event of a Personal Data Breach, (1) investigate, correct, mitigate, remediate, and otherwise handle the Personal Data Breach, including without limitation, by identifying Personal Data affected by the Personal Data Breach; and (2) provide information and assistance reasonably needed to enable Mars to evaluate the Personal Data Breach and, as applicable, to provide timely notices disclosing a Personal Data Breach and to comply with any obligations to notify relevant regulators and affected individuals. You shall indemnify, defend, and hold harmless Mars against all costs, claims, losses, damages, liabilities and expenses (including but not limited to legal costs and fees) that Mars may incur as a result of such Personal Data Breach caused by your acts or omissions or those of any of your authorized subprocessors, including but not limited to, the expenses incurred in investigating the Personal Data Breach and notifying affected individuals, and providing these individuals with the support necessary under the circumstances and imposed by applicable Data Privacy Legislation, such as credit monitoring.
5. FINAL PROVISIONS
5.1 In case of conflicts between this Policy and other Agreement(s), Purchase Order(s), Statement(s) of Work and other arrangements between the parties, the provisions of this Policy shall prevail.
5.2 We reserve the right at our sole discretion to determine the appropriate action to be taken in the event that you violate this Policy. Such action may include our termination of any existing Agreement that is subject to this Policy.
5.3 We reserve the right to change this Policy at any time and for any reason.
UPDATED: JUNE 16, 2022