DATA PROCESSING AGREEMENT (GLOBAL) for End Users

Last modified: June 2024

This Data Processing Agreement, including the Schedules and Annexes (“DPA”) incorporated herein by reference is between Avigilon Corporation, a wholly-owned subsidiary of Motorola Solutions, Inc., on behalf of itself and its affiliates and subsidiaries (collectively ​“Avigilon”) and the undersigned customer (“Customer”) and reflects the Parties’ agreement with respect to the Processing of Customer Data which may include Personal Data pursuant to Customer’s agreement with Avigilon (the ​“Agreement”). Unless otherwise defined herein, all capitalized terms shall have the meaning set forth in the Agreement. Customer and Avigilon are hereafter referred to collectively as the ​“Parties,” or individually as a ​“Party.”

In the event of a conflict between this DPA, the Agreement or any schedule, annex or other addenda to the Agreement, this DPA will prevail with respect to the handling of Customer and end user data, including but not limited to personally identifiable information.

1. Definitions.

All capitalized terms not defined herein must have the meaning set forth in the Agreement. All lower-case terms not defined in this DPA must have the meaning as set within Article 4 of the GDPR if defined therein, regardless of whether GDPR applies.

“Authorized Users” means Customer’s employees, contractors, agents, customers and end-users who are authorized to use the Services to access or receive Data. Avigilon or Customer (as determined by Avigilon) will be responsible for all User identification and password change management.

“Avigilon Data” means data provided by Avigilon and made available to Customer in connection with the provision of Products and Services.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Customer Data” means data including images, text, videos, and audio, that are provided to Avigilon by, through, or on behalf of Customer and its Authorized Users or their end users, through the use of the Products and Services. Customer Data does not include Customer Contact Data, Service Use Data other than that portion comprised of Personal Information, or Third Party Data. 

“Customer Contact Data” means data Avigilon collects from Customer for contact purposes, including, without limitation, contract fulfillment, marketing, advertising, licensing, and sales activities.

“Data” means collectively Avigilon Data and Customer Data, including any Personal Data included therein. 

“Data Protection Laws and Policies” means all applicable corporate, state and local, federal and international laws, standards, guidelines, policies, regulations and procedures applicable to Avigilon pertaining to data security, confidentiality, privacy, and breach notification, as amended, including without limitation the European Union General Data Protection Regulation (GDPR), and the UK Data Protection Act 2018.

“Data Subjects” means the identified or identifiable person to whom Personal Data relates.

“GDPR” means European Union General Data Protection Regulation 2016/679.

“Metadata” means data that describes other data.

“Personal Data” or ​“Personal Information” means any information relating to an identified or identifiable natural person transmitted to Avigilon by, through, or on behalf of Customer and its Authorized Users or their end users as part of Customer Data. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority. In doing so, they serve the controller’s interests rather than their own. 

“Process” or ​“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, copying, analyzing, caching, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Security Incident” means an incident that compromises or is suspected to compromise the security, confidentiality, integrity or availability of Avigilon Data, Customer Data or Personal Data. For the avoidance of doubt, ​“suspected to compromise” means a determination by Avigilon based on specific and articulable facts and circumstances, taken together with rational inferences from those facts, that an act or omission may likely result in a breach of security, confidentiality, availability or integrity with respect to the Avigilon Data, Customer Data or Personal Data.

“Service Use Data” means data generated about the use of the Products and Services through Customer’s use or Avigilon’s support of the Products and Services, which may include Metadata, Personal Data, product performance and error information, activity logs, and date and time of use. 

“Standard Contractual Clauses” means the clauses attached hereto as Schedule 1 as established by the European Commission’s decision (C(2021) 3972 of 4 June 2021) on Standard Contractual Clauses for the transfer of personal data to processor established in third countries which do not ensure an adequate level of data protection. 

“Sub-processor” means other processors engaged by Avigilon to Process Customer Data which may include Personal Data, as outlined on the following website: https://​www​.motoro​la​so​lu​tions​.com/​e​n​_​u​s​/​a​b​o​u​t​/​t​r​u​s​t​-​c​e​n​t​e​r​/​p​r​i​v​a​c​y​/​d​a​t​a​-​s​u​b​-​p​r​o​c​e​s​s​o​r​s​.html.

“Third Party Data” means information obtained by Avigilon from publicly available sources or its third party content providers and made available to Customer through the Products or Services.

2. Processing of Customer Data

• 2.1 Roles of the Parties. The Parties agree that with regard to the Processing of Personal Data hereunder, Customer is the Controller and Avigilon is the Processor who may engage Sub-processors pursuant to the requirements of Section 6 entitled ​“Sub-processors” below.
• 2.2 Avigilon’s Processing of Customer Data. Avigilon and Customer agree that Avigilon may only use and Process Customer Data, including the Personal Information embedded in Service Use Data, in accordance with Customer’s documented instructions for the following purposes: (a) to perform Services and provide Products under the Agreement; (b) analyze Customer Data to operate, maintain, manage, and improve Avigilon products and services; and (c) create new products and services. Customer agrees that its Agreement (including this DPA), along with the Product and Service Documentation and Customer’s use and configuration of features in the Products and Services, are Customer’s complete and final documented instructions to Avigilon for the processing of Customer Data. Any additional or alternate instructions must be agreed to according to the process for amending Customer’s Agreement. Customer represents and warrants to Avigilon that Customer’s instructions, including appointment of Avigilon as a Processor or Sub-processor, have been authorized by the relevant Controller. Customer Data may be processed by Avigilon at any of its global locations and/​or disclosed to Sub-processors. It is Customer’s responsibility to notify Authorized Users of Avigilon’s collection and use of Customer Data, and to obtain any required consents, provide all necessary notices, and meet any other applicable legal requirements with respect to such collection and use. Customer represents and warrants to Avigilon that it has complied with the terms of this provision.
  • 2.2.1 Additional Products and Services. In the event, Customer purchases additional Products and Services that integrate with the previously purchased Products and Services, Customer Data may be processed at additional locations around the world and by Sub-processors utilized in connection with the additional Products and Services. Identification of Sub-processors utilized by Avigilon Solutions can be found at Motorola Sub-Processors or Annex III attached hereto.

• 2.3 Details of Processing. The subject matter of Processing of Personal Data by Avigilon hereunder, the duration of the Processing, the categories of Data Subjects and types of Personal Data are set forth on Schedule 2, Annex I to this DPA.
• 2.4 Disclosure of Processed Data. Avigilon must not disclose to or share any Customer Data with any third party except to Avigilon’s Sub-processors, suppliers and channel partners as necessary to provide the Products and Services unless permitted under this Agreement, authorized by Customer or required by law. In the event a government or supervisory authority demands access to Customer Data, to the extent allowable by law, Avigilon must provide Customer with notice of receipt of the demand to provide sufficient time for Customer to seek appropriate relief in the relevant jurisdiction. In all circumstances, Avigilon retains the right to comply with applicable law. Avigilon must ensure that its personnel are subject to a duty of confidentiality, and will contractually obligate its Sub-processors to a duty of confidentiality, with respect to the handling of Customer Data and any Personal Data contained in Service Use Data.
• 2.5 Customer’s Obligations. Customer is solely responsible for its compliance with all Data Protection Laws and establishing and maintaining its own policies and procedures to ensure such compliance. Customer must not use the Products and Services in a manner that would violate applicable Data Protection Laws. Customer must have sole responsibility for (a) the lawfulness of any transfer of Personal Data to Avigilon; (b) the accuracy, quality, and legality of Personal Data provided to Avigilon; (c) the means by which Customer acquired Personal Data; and (d) the provision of any required notices to, and obtaining any necessary acknowledgements, authorizations or consents from Data Subjects. Customer takes full responsibility to keep the amount of Personal Data provided to Avigilon to the minimum necessary for Avigilon to perform in accordance with the Agreement. Customer agrees that it has implemented administrative, physical and technical safeguards for Customer’s environment and operations that are no less rigorous than accepted industry practices and shall ensure that all such safeguards comply with applicable data protection and privacy laws. Customer agrees that Avigilon shall not be liable for any Security Incident arising from Customer’s breach of this requirement.
• 2.6 Customer Indemnity. Customer will defend, indemnify, and hold Avigilon and its subcontractors, subsidiaries and other affiliates harmless from and against any and all damages, losses, liabilities, and expenses (including reasonable fees and expenses of attorneys) arising from any actual or threatened third-party claim, demand, action, or proceeding arising from or related to Customer’s failure to comply with its obligations under this Agreement and/​or applicable Data Protection Laws. Avigilon will give Customer prompt, written notice of any claim subject to the foregoing indemnity. Avigilon will, at its own expense, cooperate with Customer in its defense or settlement of the claim.

3. Service Use Data. Except to the extent that it is Personal Information, Customer understands and agrees that Avigilon may collect and use Service Use Data for its own purposes, provided that such purposes are compliant with applicable Data Protection Laws. Service Use Data may be processed by Avigilon at any of its global locations and/​or disclosed to Sub-processors.

4. Third Party Data and Avigilon Data. Avigilon Data and Third Party Data may be available to Customer through the Products and Services. Customer and its Authorized Users may use the Avigilon Data and Third Party Data as permitted by Avigilon and the applicable Third Party Data provider, as described in the Agreement. Unless expressly permitted in the Agreement, Customer must not, and must ensure its Authorized Users must not: (a) use the Avigilon Data or Third Party Data for any purpose other than Customer’s internal business purposes or disclose the data to third parties; (b) ​“white label” such data or otherwise misrepresent its source or ownership, or resell, distribute, sublicense, or commercially exploit the data in any manner; (c) use such data in violation of applicable laws; (d) use such data for activities or purposes where reliance upon the data could lead to death, injury, or property damage; (e) remove, obscure, alter, or falsify any marks or proprietary rights notices indicating the source, origin, or ownership of the data; or (f) modify such data or combine it with Customer Data or other data or use the data to build databases. Additional restrictions may be set forth in the Agreement. Any rights granted to Customer or Authorized Users with respect to Avigilon Data or Third Party Data must immediately terminate upon termination or expiration of the Agreement. Further, Avigilon or the applicable Third Party Data provider may suspend, change, or terminate Customer’s or any Authorized User’s access to Avigilon Data or Third Party Data if Avigilon or such Third Party Data provider believes Customer’s or the Authorized User’s use of the data violates the Agreement, applicable law or Avigilon’s agreement with the applicable Third Party Data provider. Upon termination of Customer’s rights to use of any Avigilon Data or Third Party Data, Customer and all Authorized Users must immediately discontinue use of such data, delete all copies of such data, and certify such deletion to Avigilon. Notwithstanding any provision of the Agreement to the contrary, Avigilon has no liability for Third Party Data or Avigilon Data available through the Products and Services. Avigilon and its Third Party Data providers reserve all rights in and to Avigilon Data and Third Party Data not expressly granted in the Agreement.

5. Avigilon as a Controller or Joint Controller. In all instances where Avigilon acts as a Controller it must comply with the applicable provisions of the Avigilon Privacy Statement at Avigilon Privacy Statement as may be updated from time to time. Avigilon holds all Customer Contact Data as a Controller and must Process such Customer Contact Data in accordance with the Avigilon Privacy Statement. In instances where Avigilon is acting as a Joint Controller with Customer, the Parties must enter into a separate addendum to the Agreement to allocate the respective roles as joint controllers.

6. Sub-processors.

• 6.1 Use of Sub-processors. Customer agrees that Avigilon may engage Sub-processors who in turn may engage Sub-processors to Process Personal Data in accordance with the DPA. A list of Sub-processors is set forth at Motorola Sub-Processors and Schedule 3. When engaging Sub-processors, Avigilon must enter into agreements with the Sub-processors to bind them to obligations which are substantially similar or more stringent than those set out in this DPA.
• 6.2 Changes to Sub-processing. Customer hereby consents to Avigilon engaging Sub-processors to process Customer Data provided that: (a) Avigilon use its reasonable endeavors to provide at least ten (10) days prior notice of the addition or removal of any Sub-processor, which may be given by posting details of such addition or removal at Motorola Sub-Processors; (b) Avigilon imposes data protection terms on any Sub-processor it appoints that protect the Customer Data to the same standard provided for by this DPA; and (c) Avigilon remains fully liable for any breach of this clause that is caused by an act, error or omission of its Sub-processor(s). Customer may object to Avigilon’s appointment or replacement of a Sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, Avigilon will either appoint or replace the Sub-processor or, if in Avigilon’s discretion this is not feasible, Customer may terminate the Agreement and receive a pro-rata refund of any prepaid service or support fees as full satisfaction of any claim arising out of such termination.
• 6.3 Data Subject Requests. Avigilon must, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject, including without limitation requests for access to, correction, amendment, transport or deletion of such Data Subject’s Personal Data and, to the extent applicable, Avigilon must provide Customer with commercially reasonable cooperation and assistance in relation to any complaint, notice, or communication from a Data Subject. Customer must respond to and resolve promptly all requests from Data Subjects which Avigilon provides to Customer. Customer must be responsible for any reasonable costs arising from Avigilon’s provision of such assistance under this Section.

7. Data Transfers. Avigilon agrees that it must not make transfers of Personal Data under this Agreement from one jurisdiction to another unless such transfers are performed in compliance with this DPA and applicable Data Protection Laws. Avigilon agrees to enter into appropriate agreements with its affiliates and Sub-processors, which will permit Avigilon to transfer Personal Data to its affiliates and Sub-processors. Avigilon agrees to amend as necessary the Agreement to permit transfer of Personal Data from Avigilon to Customer. Avigilon also agrees to assist the Customer in entering into agreements with its affiliates and Sub-processors if required by applicable Data Protection Laws for necessary transfers.

8. Security. Avigilon must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed by the Processing of Personal Data, taking into account the costs of implementation; the nature, scope, context, and purposes of the Processing; and the risk of varying likelihood and severity of harm to the data subjects. The appropriate technical and organizational measures implemented by Avigilon are set forth in Schedule 3. In assessing the appropriate level of security, Avigilon must weigh the risks presented by Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise Processed.

9. Security Incident Notification. If Avigilon becomes aware of a Security Incident, then Avigilon must (a) notify Customer of the Security Incident without undue delay, (b) investigate the Security Incident and apprise Customer of the details of the Security Incident, and (c) take commercially reasonable steps to stop any ongoing loss of Personal Data due to the Security Incident if in the control of Avigilon. Notification of a Security Incident must not be construed as an acknowledgement or admission by Avigilon of any fault or liability in connection with the Security Incident. Avigilon must make reasonable efforts to assist Customer in fulfilling Customer’s obligations under Data Protection Laws to notify the relevant supervisory authority and Data Subjects about such incident.

10. Data Retention and Deletion. Except for anonymized Customer Data, as described above, or as otherwise provided under the Agreement, Avigilon deletes all Customer Data ninety (90) days following termination or expiration of the Agreement unless otherwise required to comply with applicable law. Notwithstanding the foregoing, Avigilon will retain the Customer Data for at least thirty (30) days following such termination or expiration to accommodate a request by Customer for the Customer Data. If, within such thirty (30) day period, Customer requests (in writing), Avigilon will make Customer Data available to Customer for export or download for a period of thirty (30) days. Avigilon has no obligation to retain such Customer Data beyond such thirty (30) day period. Subject to Section 12.3 regarding CJIS Data, Avigilon may delete any Service Use Data upon termination or expiration of the Agreement.

11. Audit Rights

• 11.1 Periodic Audit. Avigilon will allow Customer to perform an audit of reasonable scope and duration of Avigilon operations relevant to the Products and Services purchased under the Agreement, at Customer’s sole expense, for verification of compliance with the technical and organizational measures set forth in Schedule 3 if (a) Avigilon notifies Customer of a Security Incident that results in actual compromise to the Products and/​or Services purchased; or (b) if Customer reasonably believes Avigilon is not in compliance with its security commitments under this DPA, or (c) if such audit is legally required by the Data Protection Laws. Any audit must be conducted in accordance with the procedures set forth in Section 11.3 of this DPA and may not be conducted more than one time per year. If any such audit requires access to confidential information of Avigilon’s other customers, suppliers or agents, such portion of the audit may only be conducted by Customer’s nationally recognized independent third party auditors in accordance with the procedures set forth in Section 11.3 of this DPA. Unless mandated by GDPR or otherwise mandated by law or court order, no audits are allowed within a data center for security and compliance reasons. Avigilon must, in no circumstances, provide Customer with the ability to audit any portion of its software, products, and services which would be reasonably expected to compromise the confidentiality of any third party’s information or Personal Data.
• 11.2 Satisfaction of Audit Request. Upon receipt of a written request to audit, and subject to Customer’s agreement, Avigilon may satisfy such audit request by providing Customer with a confidential copy of a Avigilon’s applicable most recent third party security review performed by a nationally recognized independent third party auditor, such as a SOC2 Type II report or ISO 27001 certification, in order that Customer may reasonably verify Avigilon’s compliance with industry standards.
• 11.3 Audit Process. Customer must provide at least sixty days (60) days prior written notice to Avigilon of a request to conduct the audit described in Section 11.1. All audits must be conducted during normal business hours, at applicable locations or remotely, as designated by Avigilon. Audit locations, if not remote will generally be those location(s) where Customer Data is accessed, or Processed. The audit must not unreasonably interfere with Avigilon’s day-to-day operations. An audit must be conducted at Customer’s sole cost and expense and subject to the terms of the confidentiality obligations set forth in the Agreement. Before the commencement of any such audit, Avigilon and Customer must mutually agree upon the time, and duration of the audit. Avigilon must provide reasonable cooperation with the audit, including providing the appointed auditor a right to review, but not copy, Avigilon security information or materials provided such auditor has executed an appropriate non-disclosure agreement. Avigilon’s policy is to share methodology and executive summary information, not raw data or private information. Customer must, at no charge, provide to Avigilon a full copy of all findings of the audit.

12. Regulation Specific Terms

• 12.1 HIPAA Business Associate. The parties do not contemplate the processing of Protected Health Information (PHI). However, should that occur and Customer is a ​“covered entity” or a ​“business associate” and includes PHI in Customer Data as those terms are defined in 45 CFR § 160.103, execution of the Agreement includes execution of an incorporated HIPAA Business Associate Agreement Addendum (“BAA”). Customer may opt out of the BAA by sending the following information to Avigilon in a written notice under the terms of the Customer’s Agreement: ​“Customer and Avigilon agree that no Business Associate Agreement is required. Avigilon is not a Business Associate of Customer’s, and Customer agrees that it will not share or provide access to PHI to Avigilon or Avigilon’s sub-processors.”
• 12.2 FERPA. If Customer is an educational agency or institution to which regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), apply, Avigilon acknowledges that for the purposes of the DPA, Avigilon is a ​“school official” with ​“legitimate educational interests” in the Customer Data, as those terms have been defined under FERPA and its implementing regulations, and Avigilon agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) on school officials. Customer understands that Avigilon may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer must be responsible for obtaining any parental consent for any end user’s use of the Online Service that may be required by applicable law and to convey notification on behalf of Avigilon to students (or, with respect to a student under 18 years of age and not in attendance at a post-secondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Customer Data in Avigilon’s possession as may be required under applicable law.
• 12.3 CJIS. Avigilon agrees to support the Customer’s obligation to comply with the Federal Bureau of Investigation Criminal Justice Information Services (CJIS) Security Policy and must comply with the terms of the CJIS Security Addendum for the Term of this Agreement and such CJIS Security Addendum is incorporated herein by reference. Customer hereby consents to allow Avigilon ​“screened” personnel as defined by the CJIS Security Policy to serve as an authorized ​“escort” within the meaning of CJIS Security Policy for escorting unscreened Avigilon personnel that require access to unencrypted Criminal Justice Information for purposes of Tier 3 support (e.g. troubleshooting or development resources). In the event Customer requires access to Service Use Data for its compliance with the CJIS Security Policy, Avigilon must make such access available following Customer’s request. Notwithstanding the foregoing, in the event the Agreement terminates, Avigilon must carry out deletion of Customer Data in compliance with Section 10 herein and may likewise delete Service Use Data within the time frame specified therein. To the extent Customer objects to deletion of its Customer Data or Service Use Data and seeks retention for a longer period, it must provide written notice to Avigilon prior to expiration of the 30 day period for data retention to arrange return of the Customer Data and retention of the Service Use Data for a specified longer period of time.
• 12.4 CCPA / CPRA. If Avigilon is Processing Personal Data within the scope of the California Consumer Protection Act (“CCPA”) and/​or the California Privacy Rights Act (“CPRA”) (collectively referred to as the ​“California Privacy Acts”), Customer acknowledges that Avigilon is a ​“Service Provider” within the meaning of California Privacy Acts. Avigilon must process Customer Data and Personal Data on behalf of Customer and, not retain, use, or disclose that data for any purpose other than for the purposes set out in this DPA and as permitted under the California Privacy Acts, including under any ​“sale” exemption. In no event will Avigilon sell any such data. If a California Privacy Act applies, Personal Data must also include any data identified with the California Privacy Act or Act’s definition of personal data. Avigilon shall provide Customer with notice should it determine that it can no longer meet its obligations under the California Privacy Acts, and the parties agree that, if appropriate and reasonable, Customer may take steps necessary to stop and remediate unauthorized use of the impacted Personal Data.
• 12.5 CPA, CTDPA, VCDPA. If Avigilon is Processing Personal Data within the scope of the Colorado Privacy Rights Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), or the Virginia Consumer Data Protection Act (“VCDPA”) Avigilon will comply with its obligations under the applicable legislation, and shall make available to Customer all information in its possession necessary to demonstrate compliance with obligations in accordance with such legislation.
• 12.6 GDPR. To the extent Avigilon is a Processor or Sub-processor of Personal Data subject to the GDPR (as defined in Section 7 herein), the Standard Contractual Clauses set forth in Schedule 1 hereto must apply.
• 12.7 UK-GDPR. To the extent Avigilon is a Processor or Sub-processor of Personal Data subject to the UK-GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses Schedule 1 hereto must apply.

13. Avigilon Contact. If Customer believes that Avigilon is not adhering to its privacy or security obligations hereunder, Customer must contact the Motorola Data Protection Officer at Motorola Solutions, Inc., 500 W. Monroe, Chicago, IL USA 90661 – 3618 or at privacy1@​motorolasolutions.​com.

Schedule 1

Cross Border Transfer Mechanisms

1.1 ​“Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.

1.2 ​“UK IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.

2. Cross Border Data Transfer Mechanisms.

2.1 2021 Standard Contractual Clauses. The parties agree that the 2021 Standard Contractual Clauses will apply to personal data that is transferred via the Services from the European Economic Area or Switzerland, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for personal data. For data transfers from the European Economic Area that are subject to the 2021 Standard Contractual Clauses (https://​com​mis​sion​.europa​.eu/​p​u​b​l​i​c​a​t​i​o​n​s/sta), the 2021 Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:

• (a) Module Two (Controller to Processor) of the Standard Contractual Clauses will apply where Customer is the Controller and Avigilon is the Processor.
• (b) Module Three (Processor to Processor) of the Standard Contractual Clauses will apply where Customer is the Processor and Avigilon is the Sub-Processor.
• (c) For each Module, where applicable:

	Module 2: Controller to Processor	Module 3: Processor to Processor
Clause 7 (Docking Clause)	Intentionally Omitted	Intentionally Omitted
Clause 9 (Use of Sub-processors)	Option 2: General Written Authorisation  30 business days	Option 2: General Written Authorisation  30 business days
Clause 11 (Redress)	Intentionally Omitted	Intentionally Omitted
Clause 13 (Supervision) Option 1: Where the data exporter is established in an EU Member State  Option 2: Where the data exporter is not established in an EU Member State and has appointed a representative  Option 3: Where the data exporter is not established in an EU Member State without having to appoint a representative	Option 1, Option 2 and/​or Option 3 applies in accordance with whether the exporter(s) is/​are established in an EU Member State and has/​have appointed a representative.	Option 1, Option 2 and/​or Option 3 applies in accordance with whether the exporter(s) is/​are established in an EU Member State and has/​have appointed a representative.
Clause 14 (Local laws and practices affecting compliance with the Clauses)	Applicable	Applicable
Clause 15 (Obligations of the data importer in case of access by public authorities)	Applicable	Applicable
Clause 17 (Governing law)	Denmark	Denmark
Clause 18 (Choice of forum and jurisdiction)	Denmark	Denmark
Appendix: Annex I: A	Data Exporter and Data Importer: Avigilon and Supplier, as applicable.  Contact Details: Motorola: privacy1@​motorolasolutions.​com; Supplier: Supplier’s publicly available email address for receiving privacy related notices. The Data Exporter’s role is as set forth in the Agreement.  The Data Importer’s role is as set forth in the Agreement. Signature and Date: By entering into the Agreement, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Appendix: Annex I: B	The Categories of data subjects are described in Schedule 2 (Details of Processing) of this Addendum.  Sensitive Data transferred is described in Section 2 of Schedule 2 (Details of Processing) of this Addendum The frequency of the transfer is a continuous basis for the duration of the Agreement or as may otherwise be specified in the Agreement, a Work Order or a Purchase Order. The nature of the processing is described in Section 2 of this Addendum The period for which the personal data will be retained is described in Section 2 (Details of Processing) of this Addendum
Appendix: Annex I: C (Competent Supervisory Authority)	Datatilsynet (Danish Data Protection Agency)	Datatilsynet (Danish Data Protection Agency)
Link to Sub-processor list (Optional)	This Annex must be completed for Modules Two and Three, in case of the specific authorisation of sub-processors (Clause 9(a), Option 1). However, MSI requires it to be filled out in either case, with a link to an online subprocessor list being sufficient. Controller shall inform, in writing, of any intended changes to the agreed list of sub-processors. In addition to the sub-processors linked in Annex III, Controller has authorized the use of the following sub-processors:  1. Name: … Address: … Contact person’s name, position and contact details: … Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): …
Annex II	Schedule 3 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the Standard Contractual Clauses.

2.2 Data Transfers From Switzerland. For data transfers from Switzerland that are subject to the Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as set out in Section 2.1 of this Schedule 1, subject to the following modifications:

• (i) references to ​“EU Member State” and ​“Member State” will be interpreted to include Switzerland, and
• (ii) insofar as the transfer or onward transfers are subject to the Swiss Federal Act on Data Protection, as revised (FADP):
  • (1) references to ​“Regulation (EU) 2016/679” are to be interpreted as references to the FADP;
  • (2) the ​“competent supervisory authority” in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
  • (3) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
  • (4) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.

2.3 UK International Data Transfer Agreement. The parties agree that the UK IDTA will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK IDTA, the UK IDTA will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:

• (a) In Table 1 of the UK IDTA, the parties’ details and key contact information is located in Section 2.1(d)(vi) of Schedule 2 of this Addendum.
• (b) In Table 2 of the UK IDTA, information about the version of the Approved EU SCCs, modules and selected clauses which this UK International Data Transfer Agreement is appended to is located in Section 2.1 of this Addendum.
• (c) In Table 3 of the UK IDTA:
  • 1. The list of Parties is located in Annex 1 A of the EU SCCs as set forth in this Schedule 1 of the Addendum.
  • 2. The description of the transfer is set forth in Section 1 (Nature and Purpose of the Processing) of Schedule 2 (Details of the Processing) of this Addendum.
  • 3. Annex II is located in Schedule 3 (Technical and Organizational Security Measures) of this Addendum.

• (d) In Table 4 of the UK IDTA, both the Importer and the Exporter may end the UK IDTA in accordance with the terms of the UK IDTA.

SCHEDULE 2

(Annex I of the EU SCC)

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

Data subjects include the data exporter’s representatives and end-users including employees, contractors, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by data importer. Avigilon acknowledges that, depending on Customer’s use of the Online Service, Customer may elect to include personal data from any of the following types of data subjects in the Customer Data:

• Employees, contractors, and temporary workers (current, former, prospective) of data exporter;

• Dependents of the above;

• Data exporter’s collaborators/​contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/​contact persons (current, prospective, former);

• Users (e.g., customers, clients, patients, visitors, etc.) and other data subjects that are users of data exporter’s services;

• Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the data exporter and/​or use communication tools such as apps and websites provided by the data exporter;

• Stakeholders or individuals who passively interact with data exporter (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the data exporter);

• Minors; or

• Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).

Customer’s use of the Products and Services, Customer may elect to include personal data from any of the following categories in the Customer Data:

• Basic personal data (for example place of birth, street name, and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children;

• Authentication data (for example user name, password or PIN code, security question, audit trail);

• Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details);

• Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver’s license number and vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology)

• Pseudonymous identifiers;

• Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior, creditworthiness);

• Commercial Information (for example history of purchases, special offers, subscription information, payment history);

• Biometric Information (for example DNA, fingerprints and iris scans); 

• Location data (for example, Cell ID, geo-location network data, location by start call/​end of the call. Location data derived from use of wifi access points);

• Photos, video, and audio;

• Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities);

• Device identification (for example IMEI-number, SIM card number, MAC address);

• Profiling (for example based on observed criminal or antisocial behavior or pseudonymous profiles based on visited URLs, click streams, browsing logs, IP-addresses, domains, apps installed, or profiles based on marketing preferences);
  

• HR and recruitment data (for example declaration of employment status, recruitment information (such as curriculum vitae, employment history, education history details), job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details and location, and organizations);

• Education data (for example education history, current education, grades and results, highest degree achieved, learning disability);

• Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit); 

• Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority; 

• Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offenses); or

• Any other personal data identified in Article 4 of the GDPR.