Distributor data processing agreement

Data processing agreement for Nuance Distributors

Last Modified March 1, 2021

This Data Processing Agreement (“DPA”) is made upon acceptance of the Agreement as defined below, between the entity accepting the terms of the Agreement (“Distributor”) and the Nuance entity entering into the Agreement (“Nuance”), each a “Party” and together the “Parties”.

RECITALS

(A) Nuance and Distributor have entered into one or more agreements, including a Master Distribution Agreement (referred to collectively as the “Agreement”) under which Nuance has granted Distributor the right to distribute and resell Nuance’s Services, as defined below, to end-customers (each a “Company”), whether directly or through resellers (each a “Reseller”). The Services include hosting, maintenance, support services, and updates for Companies, who are the Data Controllers of the Personal Data.

(B) The Parties have agreed that in order for Nuance and its Affiliates to provide Services to Companies, Nuance will Process Personal Data of Companies to whom Distributor or its Resellers have sold Nuance Services under agreements between Distributor or Reseller and Company (each a “Company Agreement”). Additionally, it will be necessary for Nuance to also Process certain Personal Data in respect of which the Distributor or Resellers will be Data Controllers.

(C) The Parties have agreed to enter into this overarching DPA in order to address the compliance obligations imposed under Data Protection Laws, and to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data.

(D) Except as otherwise expressly set forth in the Agreement, the provision of Services shall be governed by this DPA pursuant to applicable Data Protection Laws and this DPA is hereby incorporated into the Agreement by reference.

1. DEFINITIONS. The following expressions are used in this DPA. In the event the definitions herein differ from those in the Agreement relating to data protection, this DPA shall prevail as to the specific subject matter of such definition.

(a) “Services” refers to the application, product or services and other activities to be supplied to or carried out on behalf of Company/Company affiliate pursuant to the Agreement.

(b) “Data Subject Request” means a request from or on behalf of a Data Subject relating to access of, or the rectification of, erasure of or data portability of that person’s Personal Data or an objection from or on behalf of a Data Subject to the Processing of his or her Personal Data.

(c) “Data Protection Laws” means all laws and regulations, and amendments thereto, applicable to the Processing of Personal Data under the Agreement, including but not limited to the GDPR.

(d) “GDPR” means Regulation (EU) 2016/79 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (known as the General Data Protection Regulation).

(e) “EU Standard Contractual Clauses” means the standard data protection clauses for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR, pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, or any European Commission’s decision amending or replacing the decision of 5 February 2010.

(f) “Personal Data” shall have the meaning given to it by Data Protection Laws.

(g) “Personal Data Breach” means a Personal Data Breach as defined under Data Protection Laws that is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data within Nuance’s scope of responsibility by any of its staff, sub-processors or any other identified or unidentified third party after Nuance becomes aware with a reasonable degree of certainty that such Personal Data Breach has occurred.

(h) “Adequate Country” means a country, territory, or specified sectors within a country and international organization published by the European Commission in the Official Journal of the European Union for which it has decided that an adequate level of protection is ensured.

(i) “Process”, “Processing”, “Controller”, “Data Controller”, “Processor”, “Data Processor”, “Data Subject” and “Supervisory Authority” or “National Authority” shall have the meanings given to them by GDPR.

2. STATUS OF THE PARTIES

2.1 Company is the Data Controller of the Personal Data of customers (e.g. patients, consumers, purchasers and the like), staff, personnel and authorized users of the Services (“Company Data”).

2.2 Distributor is the Processor of Company Data, if no Reseller is used.

2.3 If Distributor uses a Reseller, Reseller is the Processor of Company Data. Distributor is then a sub-processor of Company Data.

2.4 If Distributor does not use a Reseller, Nuance is a sub-processor of Company Data; otherwise Nuance is a sub-sub-processor. Nuance’s Affiliates and service providers as set forth in the Sub‑Processor List are sub-sub-processors or sub-sub-sub-processors respectively of Company Data.

2.5 Under its Agreement with Distributor, Nuance is a Data Processor, through its CRM and support ticketing system, for Distributor.

2.6 As further described in Section 3 below, Distributor grants Nuance the right to Process Personal Data in accordance with this DPA to deliver the Services. Distributor shall ensure that Company and Reseller, respectively, obtain all necessary consents required (if any) under EU Data Protection Laws to allow Nuance to Process the Personal Data as described in this DPA.

3. PROCESSING REQUIREMENTS

3.1 Data Processing Details. Distributor, on behalf of Company, instructs Nuance and its sub-processors to Process the Personal Data, including the transfer by Nuance of Company Personal Data to any country or territory, only under the documented instructions of Distributor, as represented by the Agreement, this DPA, any other instructions of Distributor agreed in writing by Distributor and Nuance and in compliance with Data Protection Laws, and except as required to comply with a legal obligation to which Nuance is subject. Any oral instructions shall be confirmed in writing and agreed by both Parties. If applicable law requires Nuance to Process Personal Data otherwise than in accordance with such instructions, it will give Distributor prior notice of that legal requirement before Processing, unless that law prohibits such notice. To fully optimize the speech recognition, digital dictation and communication abilities of the Services, Company instructs Nuance and its sub-processors and Affiliates to use, compile (including creating statistical and other models), annotate and otherwise analyze the Personal Data to operate, maintain, tune, enhance, improve and provide technical support services for the speech recognition, natural language understanding and other Nuance software and technologies that are embodied in the Services. Personal Data Processing instructions can be modified, amended or replaced through an amendment to this DPA through the established change control process. Instructions not foreseen in or covered by the Agreement or this DPA shall be treated as requests for amendments to this DPA. Nuance shall, immediately upon becoming aware, inform Distributor if, in Nuance’s opinion, an instruction infringes Data Protection Laws. 

The type of Personal Data Processed pursuant to this DPA as well as the subject matter, nature and purpose of the Processing, the Data Subjects involved, and the location(s) and duration of the Processing (details required by Article 28(3) GDPR) are as described in the Data Processing Details.

3.2 Compliance with Data Protection Laws. Each Party warrants to the other that it will comply with all Data Protection Laws applicable to its performance under the Agreement. As between Nuance and Distributor, Distributor shall obligate each Company, either directly or indirectly through a Reseller, (i) to ensure the accuracy, quality, and legality of the Personal Data to be Processed, (ii) provide a lawful basis upon which to Process Personal Data and (iii) enter into a written agreement with equivalent data protection obligations to those in this DPA.

3.3 Nuance Disclaimer. Nuance Processes Personal Data that may be incorporated by Company into official records. Nuance does not maintain the Company’s system of records, and therefore Nuance does not store or maintain any official records or part thereof for Company. The originals of any records, including medical records, will be maintained by Company or its other contractors. Nuance only has access to parts of the records via remote access over Company’s computer system in connection with the provision of the Services set forth in the Company Agreement. Nuance shall own all intellectual property rights in all enhancements and improvements to its software and Services that result from its Processing of Personal Data.

3.4 Confidentiality. Nuance shall treat all Personal Data as strictly confidential. Nuance shall take appropriate steps so that only authorized personnel who are subject to binding obligations of confidentiality, either contractual or statutory, will have access to the Personal Data. Termination or expiration of this DPA shall not discharge Nuance from its confidentiality obligations.

3.5 Data Protection Officer (DPO). Nuance has appointed a data protection officer, who can be reached at: Privacy@Nuance.com or by mail (Worldwide) at:

Chief Privacy Officer
Nuance Communications, Inc.
1 Wayside Road
Burlington MA 01803
USA

Or by contacting Nuance’s representative in the EU at:

Chief Privacy Officer
Nuance Communications Ireland, Ltd
The Harcourt Building, 4th Floor
57B Harcourt Street
Dublin 2, D02 F721
IRELAND

Any changes to this contact information will be published at https://www.nuance.com/about-us/company-policies/privacy-policies.html.

3.6 Data Subject Notices. For Personal Data that is provided to Nuance and covered by this DPA, Distributor shall ensure that Company will be responsible for providing any notices and information required by Data Protection Laws to be given at the time of collection, including, but not limited to notice with respect to:

i) Sharing of Personal Data with sub-processors as permitted by Section 5 below; and

ii) Transfer of Personal Data to Nuance’s Affiliates and sub-processors as outlined in the Sub‑Processor List, for the purposes as outlined in Section 3.2 above. Nuance shall also comply with the transfer requirements set forth in Section 6 below.

3.7 Data Subject Requests. Nuance shall promptly notify Distributor if it receives a Data Subject Request. As between the Parties, Distributor shall be responsible for addressing all Data Subject Requests and the Parties shall reasonably assist each other in dealing with Data Subject Requests in connection with the Agreement. Taking into account the nature of the Processing and insofar as possible, Nuance shall assist Distributor by appropriate technical and organizational measures in fulfilment of the obligation to respond to said Data Subject Request under Data Protection Laws. To the extent legally permitted, Distributor shall be responsible for any costs arising from Nuance’s provision of such assistance.

3.8 Notice of Personal Data Breach. Nuance maintains an Incident Management Policy and shall notify Distributor of any Personal Data Breach without undue delay. In the event of a Personal Data Breach, Nuance shall make reasonable efforts to identify the cause of such Personal Data Breach and take reasonable steps as Nuance deems necessary and reasonable under industry standards, in order to remediate the cause of such breach to the extent the remediation is within Nuance’s reasonable control, in fulfilling Company’s or Distributor’s obligation under Data Protection Laws. Nuance shall not be responsible for incidents that are caused by Distributor, Reseller, Company or Company’s end users.

3.9 Deletion of Personal Data. Upon Distributor’s written request, or as reasonably practicable following the termination of this DPA or the Agreement, Nuance shall delete all Personal Data, except to the extent applicable law requires Nuance to continue to store the Personal Data. Distributor acknowledges that Nuance’s deletion of Personal Data represents compliance with any legal obligation to return Personal Data to Company.

3.10 Audit and Records. Subject to reasonable prior notice from Distributor, Nuance shall provide Distributor with reasonable evidence to demonstrate Nuance’s compliance with this DPA and Data Protection Laws and shall allow for and contribute to audits, including inspections, conducted by Distributor or another auditor mandated by Distributor. Distributor’s right of audit under Data Protection Laws may be satisfied by Nuance through Nuance providing to Distributor:

(a) an audit report not older than 18 months by a registered and independent external auditor demonstrating that Nuance’s technical and organizational measures described in the Description of Technical and Organizational Measures are sufficient and in accordance with an accepted industry audit standard such as SSAE 18, SOC 1, SOC 2, SOC 3, ISO 27001, ISAE 3402; and/or

(b) additional information in Nuance’s possession or control to a Supervisory Authority when it requests or requires additional information in relation to the data Processing activities carried out by Nuance under this DPA.

(c) If Nuance is unable to provide the information in (a) and (b) above, Distributor may audit Nuance’s control practices, including on-site at Nuance’s facilities. Distributor shall reimburse Nuance for any time expended for any such on-site audit at Nuance’s then-current professional services rates, which shall be made available to Distributor upon request. Before the commencement of any such on-site audit, Distributor and Nuance shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Distributor shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Nuance. Distributor shall promptly notify Nuance with information regarding any noncompliance discovered during the course of an audit and allow reasonable time for remediation.

(d) The Parties agree that when carrying out audit procedures relevant to the protection of Personal Data, Distributor shall take all reasonable measures to limit any impact on Nuance and Nuance’s usual course of business operations.

4. SECURITY

Taking into account the most recent available technology, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Nuance will maintain appropriate technical and organizational protections as set forth in the Description of Technical and Organizational Measures.

5. SUB-PROCESSING

5.1 Affiliates as Sub-Processors. Distributor grants a general authorization to Nuance to appoint as sub-processors to support the delivery of the Services any other entities under common ownership and control of Nuance’s parent corporation, Nuance Communications, Inc. (“Affiliates”).

5.2 Other Sub-Processors. Distributor grants Nuance and Affiliates a general authorization to appoint the following types of sub-processors to support the delivery of the Services: Nuance and its Affiliates’ cloud, software engineering, and other firms providing information technology and security advisory and support services; third party data center operators and providers of outsourced technical support services.

5.3 List Available. A list of all sub-processors approved by Distributor above is included in the Sub‑Processor List.

5.4 Sub-Processor Changes; Distributor's Right to Object. Nuance will notify Distributor of the names of any new and replacement sub-processors prior to them beginning sub-processing of Personal Data. Within ten (10) business days of receiving notice of a sub-processor change, Distributor may object by providing written notice to Nuance. The notice shall describe the basis for the Distributor’s objection, which must have reasonable grounds. Failure to notify an objection during such time period shall constitute waiver of the right to object. If Distributor gives written notice of objection, Nuance and Distributor will discuss the objection in good faith to seek to resolve it. If no resolution is found within 30 days after initial notice of objection is given, Distributor may terminate the affected Company’s Services on 60 days’ written notice, such notice to be given no later than 45 days after the date of the initial notice of objection.

5.5 Nuance’s Responsibility. Nuance will require all sub-processors to enter into a written agreement with Nuance to protect Personal Data with equivalent data protection obligations to those in this DPA. Nuance shall remain liable to Distributor for any breach by the sub-processor of its agreement with Nuance; Distributor’s authorization of the sub-processor does not remove this responsibility.

5.6 Term “Sub-Processor”. The term “sub-processor” includes, as the case dictates and depending on whether it is Company Data or Distributor data and whether a Reseller is involved or not, sub-sub-processors and sub-sub-sub-processors.

6. DATA TRANSFERS

6.1 Nuance Hosting Location. Nuance provides, operates, and maintains the data centers in the locations described in the Data Processing Details to support the operation of the Services.

6.2 Transfers outside EEA by Nuance. Distributor agrees that Personal Data may be transferred to sub-processors outside of the EEA to provide Services to Company. If Personal Data Processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, Nuance shall ensure that a mechanism to achieve adequacy in respect to the Processing is in place, such as:

(a) The requirement for Nuance to execute, for itself and/or on behalf of Company, Reseller and Distributor EU Standard Contractual Clauses. Distributor agrees, and ensures that Company and Reseller agree, that Nuance and its Affiliates may enter into EU Standard Contractual Clauses consistent with this DPA on behalf of Company, Reseller or Distributor;

(i) Additional Safeguards. Nuance applies additional safeguards, where necessary, to ensure that during and after the transfer, the Personal Data is subject to a level of protection equivalent to that of the EU. Such safeguards might include anonymization, pseudonymization and encryption of Personal Data, in each case depending on the level of data protection in the recipient country and the nature of the Personal Data concerned. Further details on the safeguards applied by Nuance are set out in the Description of Technical and Organizational Measures. The additional safeguards applied by Nuance do not release Company from its own data protection obligations.

(b) The compliance with onward transfer principles under EU Standard Contractual Clauses; or

(c) The existence of any other specifically approved safeguard for data transfer under Data Protection Laws or a European Commission finding of adequacy.

6.3 Transfers outside of other jurisdictions by Nuance. If Personal Data Processed under this DPA is transferred outside of the jurisdiction of the country from which the data was initially Processed (the “First Jurisdiction”), Nuance shall ensure compliance with applicable Data Protection Laws within the First Jurisdiction governing such transfer. Specific cross-border data transfer obligations are detailed in Section 8 below.

7. ADDITIONAL PROVISIONS FOR SPECIFIC TYPES OF PERSONAL DATA

7.1 Children Data. Distributor hereby represents and warrants that:

(a) Company’s website, services and products comply with the GDPR, US Children's Online Privacy Protection Act of 1998, (“COPPA”) and other Data Protection Laws protecting Personal Information (as such term is defined by applicable law) from children under 16 (“Child Data”).

(b) Company shall not use Nuance’s Services in connection with an online site, service, or product that targets children under 16 as its primary audience (“Primarily Child-Directed”). Primarily Child-Directed is based on empirical evidence regarding audience composition, and evidence regarding the intended audience, such as subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children.

(c) If Company uses Nuance licensed software for Primarily Child-Directed online sites, services or products, then Company must not send to Nuance (in connection with maintenance, support and tools regarding the Nuance Licensed Software, or otherwise) any Child Data.

(d) If Company uses Services for mixed audience or general audience online sites, services or products which may be accessed by children under 16, but are not Primarily Child-Directed, then Company’s verifiable parental consent mechanism, direct notice, and web notice, as required by Data Protection Laws, shall adequately disclose and sufficiently cover the transfer of Child Data to Nuance and Nuance's collection and Processing of Child Data consistent with this DPA.

The Parties agree and Distributor ensures that Company (and Reseller) understand the following: Nuance is not an operator as that term is defined in COPPA. As between Company, Distributor or Reseller on the one side and Nuance on the other side, Company, Distributor or Reseller respectively is solely responsible for any liability arising from its noncompliance with its responsibilities and obligations under the Data Protection Laws or this DPA.

7.2 CCPA Compliance.

(a) The Parties understand and agree to, and Distributor ensures Company and Reseller understand and agree to, the following:

To the extent Nuance receives from Company (directly or through third parties) any “personal information” of any “consumer” subject to the California Consumer Privacy Act (“CCPA”) for Processing within the scope of this DPA, Nuance, Distributor, Reseller and Company shall each comply with all applicable provisions of the CCPA. To the extent applicable, Nuance shall be considered a “service provider” to Company under the CCPA, and shall not (a) retain, use or disclose such personal information for any purpose other than for the specific purpose of performing Services under this DPA or as otherwise permitted by the CCPA, including for any “business purpose”; (b) retain, use or disclose such personal information for a “commercial purpose” other than providing the Services under this DPA; (c) retain, use or disclose such personal information outside the provision of the Services under this DPA; or (d) “sell” such personal information. For the purposes of this paragraph, the terms “personal information”, “consumer”, “service provider”, “business purpose”, “commercial purpose” and “sell” shall have the meanings set forth in the CCPA.

(b) In case of any amendments to the CCPA, the Parties will agree upon any changes to this DPA which may be necessary to make this DPA compliant with the CCPA as amended.

8. ADDITIONAL PROVISIONS FOR INDIVIDUALS LOCATED IN CERTAIN COUNTRIES.

One or more of the following additional provisions apply based on the location of the individual in the respective country whose Personal Data is being Processed.

8.1 ADDITIONAL PROVISIONS FOR ARGENTINA

8.1.1 Data Protection Law. With respect to the Personal Data of individuals in Argentina, the Data Protection Laws defined in Section 1 shall include the Argentinian Privacy Principles, as defined in Argentine Personal Data Protection Law 25 326.

8.1.2 General Processing Obligation. Nuance will Process the Personal Data in a manner consistent with the provisions of the Data Protection Laws.

8.1.3 Adequacy Decisions. “Argentine Adequate Country” means a country, territory, or specified sectors within a country and international organization for which the Argentine Personal Data Protection Authority has decided that an adequate level of protection is ensured.

8.1.4 Transfer outside Argentina by Company. If, in connection with this DPA, any Personal Data is provided by Company, Distributor or Reseller to Nuance outside Argentina and not to an Argentine Adequate Country, such transfer will be governed by the Argentina Standard Contractual Clauses.

8.1.5 Transfers outside Argentina by Nuance. Distributor acknowledges, and ensures that Company and Reseller acknowledge, that Nuance may, in the performance of this DPA, transfer Personal Data to Affiliates and other sub-processors established outside Argentina. Where such sub-processor is not located in an Argentine Adequate Country, Nuance shall ensure that a mechanism to achieve adequacy in respect to the Processing is in place, such as:

(a) The consent of each individual whose Personal Data is transferred to a non-Argentine Adequate Country;

(b) The execution by Nuance, for itself and/or on behalf of Company, Distributor or Reseller, of the Argentina Standard Contractual Clauses. Upon request, Nuance will provide to Company, Reseller or Distributor respectively for review such copies of agreements, subject to redaction for confidential commercial information not relevant to the requirements under this DPA. Distributor authorizes, and ensures that Company and Reseller authorize, Nuance and its Affiliates to enter into Argentina Standard Contractual Clauses consistent with this DPA and the Argentina Standard Contractual Clauses for processors, on behalf of Company, Distributor or Reseller respectively;

(c) The existence of any self-regulation framework or binding corporate rules providing adequate protection to the transferred Personal Data.

8.2 ADDITIONAL PROVISIONS FOR AUSTRALIA

8.2.1 Data Protection Law. With respect to the Personal Data of individuals in Australia, the Data Protection Laws defined in Section 1 shall include the Australian Privacy Principles, as defined in the Australian Privacy Act 1988 (Cth).

8.2.2 General Processing Obligation. Nuance will Process the Personal Data in a manner consistent with Data Protection Laws.

8.2.3 Breach Notification Obligation. If Company, Distributor or Reseller respectively, depending on whose Personal Data is Processed, is located in Australia, the definition of Personal Data Breach set forth in Section 1 shall include any “eligible data breaches” as defined under the Australian Notifiable Data Breach Scheme.

8.2.4 Transfers outside Australia. In addition to the requirements of Section 6.2, in the event that Nuance transfers Personal Data outside Australia, Nuance will enter or have entered into agreements with the transferees that include contractual protections to secure and protect the Personal Data to the same extent as required by the obligations imposed on Nuance by this DPA.

8.3 ADDITIONAL PROVISIONS FOR BRAZIL

8.3.1 Data Protection Law. With respect to the Personal Data of individuals in Brazil, the Data Protection Laws defined in Section 1 shall include the “LGPD” or the Brazilian General Data Protection Regulation, Law Nº 13.709/2018 which regulates the Processing of Personal Data in Brazil.

8.3.2 General Processing Obligation. Nuance will Process the Personal Data in a manner consistent with the Brazilian General Data Protection Regulation, Law Nº 13.709/2018.

8.3.3 Transfers outside Brazil. In the event that Nuance transfers Personal Data outside Brazil, Nuance will enter or have entered into agreements with the transferees that include contractual protections to secure and protect the Personal Data to the same extent as required by the obligations imposed on Nuance by this DPA.

8.4 ADDITIONAL PROVISIONS FOR CANADA

8.4.1 Controller. With respect to the processing of Personal Data of individuals in Canada, the term Controller defined in Section 1 shall include an organization in respect of personal information that the organization collects, uses or discloses in the course of commercial activities; or a health information custodian, custodian, public body, enterprise, trustee, or similar designation under Applicable Data Protection Law.

8.4.2 Data Protection Laws. With respect to the Personal Data of individuals in Canada, the Data Protection Laws defined in Section 1 shall include the applicable federal and provincial privacy legislation.

8.4.3 Personal Data. Personal Data defined in Section 1 shall include personal information and personal health information as those terms are defined in applicable Data Protection Law.

8.4.4 Processor. With respect to the processing of Personal Data of individuals in Canada, the term Processor defined in Section 1 shall include an agent, a provider, service provider or similar designation under Applicable Data Protection Law.

8.4.5 General Processing Obligation. Nuance will Process the Personal Data in a manner consistent with Data Protection Laws. This DPA applies to all Personal Data processed by Nuance on behalf of Company, regardless of whether the Personal Data is received directly or indirectly from Company, including Company Personal Data provided to Nuance by a distributor or reseller in the provision of support services to Company.

8.4.6 Transfers outside Canada. Company acknowledges that Nuance may, in the performance of this DPA, transfer Personal Data outside Canada, and in such event Nuance will enter or have entered into agreements with the transferees that include contractual protections to secure and protect the Personal Data to the same extent as required by the obligations imposed on Nuance by this DPA.

8.4.7 Governing Law. This Agreement will be governed by the laws of the Province where Company is located (“Applicable Province”), and the federal laws of Canada applicable therein, without regard to principles of conflict of laws. The parties hereto agree to submit all disputes related to this Agreement exclusively to the courts in the Applicable Province, and each party consents to the jurisdiction of such courts and waives any objection it may have with respect to venue.

8.5 ADDITIONAL PROVISIONS FOR CHILE

8.5.1 Data Protection Law. With respect to the Personal Data of individuals in Chile, the Data Protection Laws defined in Section 1 shall include the Chilean Law 19,628 on the Protection of Private Life.

8.6 ADDITIONAL PROVISIONS FOR COLOMBIA

8.6.1 Data Protection Law. With respect to the Personal Data of individuals in Colombia, the Data Protection Laws defined in Section 1 shall include Colombian Law 1581 of 2012 and Decree 1074 of 2015.

8.6.2 General Processing Obligation. Nuance will Process the Personal Data in a manner consistent with the Colombian Privacy Principles, as defined in article 4 Law 1581 of 2012.

8.6.3 Adequacy Decisions. “Colombian Adequate Country” means a country and international organization published by the Colombian Data Protection Authority (Superintendence of Industry and Commerce).

8.6.4 Transfers outside Colombia. Nuance may transfer or transmit the Personal Data Processed under the scope of this DPA and the Agreement, to any country or territory, even if it is not considered as an Adequate Country under Colombian law, except in cases where Company, Distributor or Reseller respectively, depending on whose Personal Data is Processed, expressly and in writing requires that it not be transferred or transmitted to a particular country. Distributor guarantees that transfers or transmissions by Nuance are allowed under the scope of the consent provided by the Data Subject.

8.6.5 Notice of Personal Data Breach. Distributor and Nuance will work cooperatively to meet their obligation to report to the Superintendence of Industry and Commerce any violation of the security measures and the existence of risks in the administration of the Personal Data, within 15 working days from the date on which the Personal Data Breach is detected.

8.7 ADDITIONAL PROVISIONS FOR MEXICO

8.7.1 Data Protection Law. With respect to the Personal Data of individuals in Mexico, the Data Protection Laws defined in Section 1 shall include Mexican Federal Law on the Protection of Personal Data held by Private Parties.

8.7.2 Transfers outside Mexico. In the event that Nuance transfers Personal Data outside Mexico, Nuance will enter or have entered into agreements with the transferees that include contractual protections to secure and protect the Personal Data to the same extent as required by the obligations imposed on Nuance by this DPA.

8.8 ADDITIONAL PROVISIONS FOR JAPAN

8.8.1 Data Protection Laws. With respect to the Personal Data of individuals in Japan, the Data Protection Laws defined in Section 1 shall include the Japanese Act on Protection of Personal Information and relevant guidelines issued by the Personal Information Protection Commission of Japan.

8.8.2 Transfers outside Japan. With respect to the Personal Data of individuals in Japan, if Nuance transfers such Personal Data outside Japan, Nuance will enter or have entered into agreements with the transferees that include contractual protections to secure and protect the Personal Data to the same extent as required by the obligations imposed on Nuance by this DPA.

8.9 ADDITIONAL PROVISIONS FOR SOUTH KOREA

8.9.1 Data Protection Laws. With respect to the Personal Data of individuals in South Korea, the Data Protection Laws defined in Section 1 shall include the Korean Personal Data Protection Law and Law on Information and Communications Network Utilization and Information Protection.

8.9.2 General Processing Obligation. Nuance will Process the Personal Data in a manner consistent with the Korean Privacy Principles, as defined in the applicable Data Protection Laws.

8.9.3 Breach Notification Obligation. If Company, Distributor or Reseller respectively, depending on whose Personal Data is Processed, is located in South Korea, Nuance shall notify Distributor immediately of any Personal Data Breach after Nuance becomes aware with a reasonable degree of certainty that such Personal Data Breach has occurred.

8.9.4 Liability for Damages to Data Subjects. In the event the Data Subjects incur damages due to breach of this DPA by Nuance, its officers and/or employees or its sub-processors, liability for such damages will be borne by Nuance.

8.9.5 Technical and Organizational Measures. In connection with maintaining appropriate technical and organizational protections as set forth in the Description of Technical and Organizational Measures under Section 4, Nuance will also comply with the requirement to procure data security under the Korean Personal Data Protection Law and Law on Information and Communications Network Utilization and Information Protection and standards announced by the Korean regulators pursuant to such laws.

9. GOVERNING LAW

This DPA shall be governed by the laws of the country indicated below, and the Parties hereby submit to the jurisdiction of the courts located in the jurisdiction below and the applicable service of process. The official text of this DPA or any notices required hereby shall be in English.

| Country of incorporation of Distributor | Governing Law | Jurisdiction |
| --- | --- | --- |
| United States, Taiwan, Korea, Japan, Canada or Mexico | Laws of Commonwealth of Massachusetts, U.S. | Federal or state courts of Massachusetts |
| Colombia | Laws of Colombia | Courts of Colombia |
| Hong Kong or China | Laws of Hong Kong Special Administrative Region | Courts of Hong Kong Special Administrative Region |
| India or Singapore | Singaporean law | Courts of Singapore |
| Australia or New Zealand | Laws of New South Wales | Courts in New South Wales, Australia |
| Rest of world | Irish law | Dublin, Ireland |

Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provisions shall be either (i) amended as necessary to ensure their validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

10. MISCELLANEOUS PROVISIONS

10.1 Limitation of Liability. Distributor’s remedies and Nuance’s liability arising out of or related to this DPA will be subject to those limitations and exclusions of liability that apply to Nuance under the Agreement to which this DPA relates. As between the Parties, in no event shall Nuance be responsible for any liability arising from Nuance’s compliance with Distributor’s instructions.

10.2 Order of Precedence. To the extent that any provisions of this DPA conflict with any provisions in the Agreement, this DPA shall prevail as to the specific subject matter of such provisions; provided, however, that any limitations and exclusions of liability in the Agreement and any indemnification provisions in the Agreement shall in any event prevail over any provision of this DPA. If Nuance provides this DPA in more than one language for the country of Company’s billing address, and there is a discrepancy between the English text and the translated text, the English text will govern.