Data Protection Agreement EU & UK
FISCALNOTE CUSTOMER DATA PROCESSING AGREEMENT FOR THE PROCESSING OF EU & UK RESIDENTS DATA
PREAMBLE
FiscalNote Inc., having its registered office at 1201 Pennsylvania Avenue NW, 6th Fl. Washington D.C. 20004, U.S.A. ("FiscalNote") provides global policy and market intelligence software as a service solutions to help customers navigate evolving political, corporate and regulatory environments. This Data Processing Agreement ("DPA") covers all services provided in the United States and Europe by FiscalNote and/or its Affiliates (each and together referred to as the “Provider”), including, but not limited to, the software-as-a-service offerings (collectively, the “Services”).
This DPA forms part of the Terms and Conditions referenced in the Order Form between Customer and Provider and sets out the obligations with respect to the Personal Data processed by Provider when Customer uses or receives Services from Provider. Capitalized terms used but not defined in this DPA shall have the meanings assigned to them in the Terms and Conditions.
This DPA contains the clauses required by Article 28(3) of the EU GDPR & UK GDPR for contracts between controllers and processors, and is applicable where Provider is providing Services which involve the processing of EU and UK Residents Data only.
DEFINITIONS
1. Applicable Data Protection Laws means:
(a) the General Data Protection Regulation ((EU) 2016/679), as amended by the Data Protection, Privacy and Electronic Communication (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR”);
(b) the General Data Protection Regulation ((EU) 2016/679) (the “EU GDPR”);
(c) any other secondary legislation implemented in connection with (or replacing) the EU GDPR or the UK GDPR in relation to the protection of personal data.
2. Applicable Laws means:
(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom.
(b) To the extent the EU GDPR applies, the law of the European Union or of any member state of the European Union to which the is subject.
3. Personal Data: any personal data which the Provider processes in connection with this agreement, in the capacity of a processor on behalf of the Customer.
4. Purpose: the purposes for which the Personal Data is processed, as set out in the Terms and Conditions.
5. Sub-Processor: any person or entity appointed by or on behalf of FiscalNote, or by or on behalf of an existing Sub-Processor, to process Personal Data on behalf of the Customer in connection with the Agreement.
6. Standard Contractual Clauses: the European Commission’s 2021 standard contractual clauses for the transfer of personal data to third countries which, as at the date of this Agreement, are available here https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en
7. International Data Transfer Addendum: the UK Information Commissioner's Office International Data Transfer Addendum to the EU Standard Contractual Clauses, which, as at the date of this Agreement, is available here international-data-transfer-addendum.pdf (ico.org.uk)
1. DATA PROTECTION
1.1. For the purposes of this Clause 1, the terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK and EU GDPR.
1.2. Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This clause 1 is in addition to, and does not relieve, remove or replace, a party's individual obligations or rights under Applicable Data Protection Laws.
1.3. The parties have determined that, for the purposes of Applicable Data Protection Laws, Provider shall process the Personal Data set out in Appendix 1 as a processor on behalf of the Customer in respect of the processing activities set out in the Terms and Conditions.
1.4. Should the determination in clause 1.3 change, then each party shall work together in good faith to make any changes which are necessary to this clause 1 or the related appendices.
1.5. By entering into this agreement, the Customer acknowledges that Provider will manage all Customer Personal Data in line with the then-current version of the Provider's privacy policy (“Privacy Policy”). The Customer will be responsible for making any applicable transparency information available to its employees or customers if necessary under relevant Data Protection Laws.
1.6. Without prejudice to the generality of clause 1.2, the Customer will ensure that it has all necessary and appropriate lawful bases, as required under Applicable Data Protection Laws, in place to enable the lawful transfer of the Personal Data to FiscalNote for the duration and purposes of this DPA.
1.7. In relation to the Personal Data, Appendix 1 sets out the scope, nature and purpose of processing by the Provider, the duration of the processing and the types of personal data and categories of data subject.
1.8. Without prejudice to the generality of clause 1.2 FiscalNote shall, in relation to Customer Personal Data:
(a) process that Personal Data only on the documented instructions of the Customer, which shall be to process the Personal Data for the purposes set out in the Terms and Conditions, unless the Provider is required by Applicable Laws to otherwise process that Personal Data. Where Provider is relying on Applicable Laws as the basis for processing Processor Data, such as legitimate interest grounds, Provider shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Provider from so notifying the Customer. Provider shall inform the Customer if, in the opinion of FiscalNote, the instructions of the Customer infringe Applicable Data Protection Laws;
(b) implement the technical and organisational measures set out in the Annex to Appendix 1 to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
(c) ensure that any personnel engaged and authorised by Provider to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
(d) assist the Customer insofar as this is reasonably possible (taking into account the nature of the processing and the information available to Provider), and at the Customer's cost and written request, in responding to any request from a data subject and in ensuring the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
(e) notify the Customer without undue delay on becoming aware of a personal data breach involving the Personal Data;
(f) at the written direction of the Customer, delete or return Customer's Personal Data and copies thereof to the Customer on termination of the Agreement unless the Provider is required by Applicable Law to continue to process that Personal Data. For the purposes of this clause 1.8(f) Personal Data shall be considered deleted where it is put beyond further use by the Provider; and
(g) maintain records to demonstrate its compliance with this clause 1.
2. TRANSFERS TO THE USA
2.1. FiscalNote participates in and certifies compliance with and adherence to the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework. FiscalNote will (i) provide at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (ii) notify Customer if FiscalNote makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles; and (iii) upon notice, take reasonable and appropriate steps to remediate unauthorized processing. Customer can view our Certification on the Data Privacy Framework Programme website here.
2.2. In the event that the EU-U.S. Data Privacy Framework is deemed invalid by the European Commission, an applicable regulator or supervisory authority, or the Court of Justice of the European Union for whatever reason, the parties shall agree to fall back upon reliance on the EU SCCs for all transfers of Personal Data out of the European Economic Area ("EEA") from the Customer (as a controller) to FiscalNote (as a processor), and transfers of Personal Data out of the UK from the Customer (as a controller) to FiscalNote (as a processor) shall, in addition to the EU SCCs, also be governed by the ICO International Data Transfer Addendum.
2.3. In the event that the EU-U.S. Data Privacy Framework is deemed invalid, the Controller to Processor Model Clauses are incorporated into this DPA as if they had been set out in full, and for the purposes of this DPA shall apply only if and to the extent the parties process the Personal Data outside of a territory of adequate protection, such clauses are required by Data Protection Legislation, and no alternative transfer mechanisms have been put in place. Where necessary and in addition to the Standard Contractual Clauses, the ICO International Data Transfer Addendum (“UK SCCs”) to the EU Commission's Standard Contractual Clauses, version B1.0, in force 21 March 2022, is incorporated into this DPA as if it had been set out in full, and for the purposes of this DPA shall apply only if and to the extent the parties process the Personal Data outside of a Territory of Adequate Protection as defined under Applicable Data Protection Laws.
3. USE OF SUB-PROCESSORS
3.1. The Customer hereby provides its prior, general authorisation for Provider to:
(a) appoint processors to process the Personal Data, provided that the Provider:
(i) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on the Provider in this clause 3.1;
(ii) shall remain responsible for the acts and omissions of any such processor as if they were the acts and omissions of the Provider; and
(iii) shall inform the Customer of any intended changes concerning the addition or replacement of the processors, via the notification system Provider adopts from time to time, thereby giving the Customer the opportunity to object to such changes, provided that if the Customer objects to the changes and cannot demonstrate, to the Provider's reasonable satisfaction, that the objection is due to an actual or likely breach of Applicable Data Protection Law, the Customer shall indemnify the Provider for any losses, damages, costs (including legal fees) and expenses suffered by the Provider in accommodating the objection.
(b) transfer Customer Personal Data outside of the EU & UK as required for the Purpose, provided that the Provider shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of Provider, including any request to enter into standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).
3.2. Either party may, at any time on not less than 30 days' notice, revise clauses 2.2 and 2.3 by replacing them (in whole or in part) with any applicable standard clauses approved by the EU Commission or the UK Information Commissioner's Office, or forming part of an applicable certification scheme or code of conduct (“Amended Terms”). Such Amended Terms shall apply when replaced by attachment to this DPA, but only in respect of such matters as are within the scope of the Amended Terms.
3.3. The Provider's total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of this DPA or any collateral contract insofar as it relates to the obligations set out herein, shall be subject to any limitation of liability set forth in the Terms and Conditions or other agreement between Customer and Provider.
APPENDIX 1: DESCRIPTION OF THE PROCESSING ACTIVITIES
Nature and purpose of the processing operations
Relevant Personal Data processed will be subject to the processing activities forming part of the Terms and Conditions.
Data subjects
Relevant Personal Data processed may concern the following categories of Data Subjects:
- Customer’s Employees
Categories of data
Relevant Personal Data processed shall be any category of data processed as part of the Services, which may include the following categories of data:
- Name
- Job Role
- Email address
- Password
- IP Address
- Browser Details
- Cookies
- Business Address
Special categories of data (if appropriate) and applied safeguards or restrictions
- None
Duration and frequency of Processing
The duration of processing shall be for the duration of the Services set out in the Agreement.
Period of retention of the data (or criteria used to determine the period)
Relevant Personal Data shall be retained for the duration of the Services set out in the Agreement or as determined by the Customer.
Transfers to (sub-) processors (if applicable)
- Heap
- Tableau
- Segment.io
- Stitch
- Snowflake
- Databricks
- DBT
- ChurnZero
- Chameleon
- Salesforce
Specify the subject matter, nature and duration of the processing activities:
- Data Analytics, Transformation and Tech Services
- Data Storage
- CRM
The obligations and rights of the Customer
The obligations and rights of the Customer are set out in the DPA and this Addendum.
ANNEX TO APPENDIX 1
SECURITY MEASURES
This Annex, together with Appendix 1, forms part of the DPA.
Description of the technical and organizational security measures implemented by the Provider:
- Training to relevant staff to ensure they are aware of Provider’s privacy obligations when handling Personal Data and disciplinary action in the event of non-compliance;
- Immediate deletion of Personal Data once it is no longer relevant (e.g. because the information is outdated);
- Termination or suspension of the access to or license of the Services in case of a violation of the Terms and Conditions and/or the Security Policy;
- Password protection and access control by appropriate Provider personnel;
- Network security and intrusion detection systems to protect the platform against sophisticated attacks and to minimize vulnerabilities;
- Cloud computing infrastructure which provides redundancy and high availability at every level, from multiple Tier- ISP connections, redundant networking equipment and servers;
- Hosting of the platform in secure SOC 2 Type II certified facilities that are protected from physical attacks and from natural disasters. The data centres are monitored on a 24x7 basis, and entrance to the data centres is controlled and restricted to a select group of authorized personnel. Multiple forms of authentication must be used in order to enter any such data centre;
- Security incident management;
- Recovery, contingency and emergency plan.
last updated: 12/18/2024