Data Processing Agreement
1. Overview
1.1 This data processing addendum (the "DPA") sets out the terms and conditions applicable to Celsia's Processing of Personal Data on behalf of the Customer under the Agreement. The DPA shall take precedence over the Agreement, including any Appendices thereto and terms incorporated therein for matters pertaining to Celsia's Processing of Personal Data on behalf of the Customer.
1.2 For the purposes of this DPA, the Customer shall hereinafter be referred to as the "Controller", and Celsia shall be referred to as the "Processor".
1.3 This DPA includes the Data Processing Specification attached as Attachment 1 hereto.
1.4 Subject to Clause 15 below, this DPA applies as of the date set out above.
2. Background and purpose
2.1 Under the terms of the Agreement, the Processor performs certain tasks for the Controller that involve the Processing of Personal Data on behalf of the Controller.
2.2 This DPA sets forth the rights and obligations of the Parties pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR"), and the applicable national data protection legislation implementing the GDPR (jointly, the "Applicable Data Protection Law").
3. Definitions and Interpretation
3.1 For the purposes of this DPA, "Controller", "Data Subject", "Member State(s)", "Processor", "Processing", "Personal Data", "Personal Data Breach", "Third Countries" and "Supervisory Authority" shall have the meanings assigned to them in the Applicable Data Protection Law.
3.2 Other capitalised terms and expressions used in this DPA shall have the meaning set out in the Agreement and as defined herein, including in Clause 17 below.
4. Description and purpose of the Processing
4.1 The Processing carried out by the Processor on behalf of the Controller under this DPA, including its nature and purpose, relevant Processing operations, categories of Personal Data and Data Subjects involved, is further described in the Data Processing Specification.
4.2 The Controller agrees that the Processor may aggregate and anonymize the data Processed in the CaaS Platform for the purpose of performing analyses and gaining general insights aimed at (i) improving the CaaS Platform and other services provided by the Processor; (ii) guiding the Controller and other controllers on how to optimize their service offerings; and (iii) creating new products and services.
5. Requirements for the Processing
5.1 General requirements
5.1.1 The Processor shall only Process the Personal Data in accordance with this DPA, the Agreement, instructions from the Controller and Applicable Data Protection Law, and shall not Process Personal Data for any other purposes.
5.1.2 The restrictions set out in Clause 5.1.1 shall not apply where the Processor is obligated to Process the Personal Data pursuant to Member State or EU/EEA law. In the event of any such obligation, the Processor shall notify the Controller unless prohibited from disclosing this information by the relevant laws.
5.1.3 If, in the Processor's opinion, an instruction from the Controller is in violation of Applicable Data Protection Law or other mandatory national or EU/EEA law, the Processor shall notify the Controller thereof.
5.1.4 The Processor shall ensure that measures are implemented in accordance with the requirements of the Applicable Data Protection Law in order to ensure confidentiality (i.e. that Personal Data are not disclosed to unauthorized persons or parties), integrity (i.e. that the Personal Data is not unintentionally changed in relation to the Processing) and availability (i.e. that the persons who are required to have access to the Personal Data have the necessary access) in relation to the Processing of Personal Data.
5.1.5 Unless otherwise agreed, the Processor shall treat all Personal Data received in accordance with this DPA as Confidential Information.
5.2 Transfers of Personal Data to Third Countries
5.2.1 The Processor shall (and shall procure that any Processor personnel shall) not Process or cause the Personal Data to be Processed outside the EEA without the Controller's prior written consent, and provided that the necessary measures to ensure an adequate level of protection for the Personal Data in accordance with the Applicable Data Protection Law are in place. In the event that an approved transfer of Personal Data outside the EEA requires that Standard Contractual Clauses ("SCC") pursuant to Commission Implementing Decision 2021/914/EU of 4 June 2021 (or any successor thereto) are entered into with the Third Country recipient of the Personal Data, the Processor shall enter into such SCCs with the Third Country recipient in its own name.
5.2.2 The Controller hereby authorizes the Processor to Process or cause the Personal Data to be Processed outside the EEA to the extent necessary to perform the Services, subject to the Processor providing the Controller reasonable written notice informing the Controller of the contemplated transfer of Personal Data to a Third Country, including any information reasonably requested by the Controller concerning how an essentially equivalent level of protection is ensured for the Personal Data and any supplementary measures implemented to this effect. The Controller shall be entitled to object to the transfer if there is reasonable cause to believe that the transfer in question would be detrimental to the data protection requirements set out herein. If the Controller objects to the transfer, the Parties shall negotiate in good faith to find a solution to address the Controller's concerns.
5.2.3 The Processor shall ensure and be able to demonstrate that it has (i) conducted a risk assessment associated with the transfer of Personal Data to its Sub-Processors and (ii) implemented supplementary measures when required.
5.2.4 By entering into the Agreement, the Controller consents to the transfers of Personal Data identified in the Data Processing Specification attached to this DPA.
5.3 Personnel requirements
5.3.1 The Processor shall ensure that the Personal Data are Processed solely by reliable personnel who are:
a) granted access to the Personal Data on a need-to-know basis;
b) familiar with the Applicable Data Protection Law provisions applicable to the Processor's Processing of Personal Data;
c) trained in the care, protection and handling of Personal Data;
d) authorised to Process the Personal Data only as necessary for the purposes set out in this DPA; and
e) subject to appropriate confidentiality obligations.
6. Security
6.1 Processing security requirements
6.1.1 The Processor has implemented and maintains appropriate technical and organizational security measures to protect the Personal Data from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and other breaches of security.
6.1.2 The security measures described in Clause 6.1.1 are implemented with regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
6.1.3 The routines and measures applicable to the Processing are further detailed in the Processor's information security policy as updated from time to time, a summary of which is available to the Controller upon request.
6.2 Security incidents and notification (Personal Data Breach)
6.2.1 Upon becoming aware of any Personal Data Breach, the Processor shall without undue delay notify the Controller and provide all information and cooperation that the Controller may reasonably require in order for the Controller to fulfil its Personal Data Breach obligations under the Applicable Data Protection Law. Further, the Processor shall take such measures and actions as are necessary to remedy and mitigate the effects of the Personal Data Breach.
7. Data protection impact assessment
7.1 The Processor shall upon the Controller's request provide all reasonable and timely assistance as the Controller may require in order to conduct a data protection impact assessment (DPIA) as set out in Article 35 GDPR and, if necessary, consult with its relevant Supervisory Authority.
8. Cooperation with the Controller and the Supervisory Authority
8.1 The Processor shall provide such assistance requested by the Controller as is necessary to enable the Controller to fulfil its obligations pursuant to Articles 32 to 36 of the GDPR, and to enable the Controller to respond to (i) requests from Data Subjects to exercise their rights under Applicable Data Protection Law (including the rights of access, correction, objection, erasure and data portability, as applicable); and (ii) other correspondence, enquiries or complaints received from a Data Subject, Supervisory Authority or other third party in connection with the Processing of the Personal Data.
8.2 In the event that any such request, correspondence, enquiry or complaint is made directly to the Processor, the Processor shall inform the Controller without undue delay, providing the necessary details of the same.
9. Audit and compliance review
9.1 The Processor shall respond to inquiries from the Controller relating to its Processing of Personal Data, including making available all information necessary to demonstrate compliance with this DPA and the Processor's obligations under the Applicable Data Protection Law.
9.2 The Processor shall maintain accountability documentation in relation to the Personal Data Processed under the DPA (as may be defined, described or required under Applicable Data Protection Law), including written records of the Personal Data Processing carried out on behalf of the Controller.
9.3 Unless otherwise required by the Applicable Data Protection Law, the Controller shall be entitled to perform audits of the Processor's compliance with this DPA and the Applicable Data Protection Law.
9.4 The Controller shall bear all costs associated with its own and the Processor's participation in any audits or inspections carried out under this DPA, as well as the costs associated with its own auditors (if any). Such audits or inspections are limited to one (1) per calendar year of the Term and subject to four (4) weeks' written notice to the Processor, unless otherwise required by a governmental authority to which the Customer is subject.
10. Use of Sub-Processors
10.1 General requirements for the use of Sub-Processors
10.1.1 The Processor may not sub-contract any Processing of Personal Data to any subcontractor ("Sub-Processors") without the prior written authorization of the Controller. The Processor shall impose on any Sub-Processor it appoints in accordance with the foregoing sentence data protection terms that are consistent with the data protection obligations set out in this DPA.
10.1.2 The Processor shall remain responsible for any acts and/or omissions of its Sub-Processors as if they were carried out by the Processor itself.
10.1.3 The Sub-Processors engaged by the Processor, and authorized by the Controller, at the Effective Date are set out in the Data Processing Specification attached hereto.
10.2 Engagement or replacement of Sub-Processors
10.2.1 In the event that the Processor replaces any of the Sub-Processors set out in the Data Processing Specification, or engages a new Sub-Processor, the Controller shall be entitled to thirty (30) calendar days' written notice informing the Controller of the Processor's intentions.
10.2.2 The Controller shall be entitled to object to the Processor's replacement or addition of Sub-Processors if there is reasonable cause to believe that the engagement of the Sub-Processor in question would be detrimental to the data protection requirements set out herein. If the Controller objects to the Sub-Processor, the Parties shall negotiate in good faith to find a solution to address the Controller's concerns. If the Parties fail to agree on a solution, the dispute shall be resolved in accordance with the dispute resolution procedures set out in the Agreement.
10.2.3 The Processor shall keep an updated list of all Sub-Processors engaged in the Processing of Personal Data on behalf of the Controller available at the Controller's request at all times.
11. Term and termination
11.1 This DPA shall remain in effect for as long as the Processor Processes Personal Data on behalf of the Controller for the purposes described in this DPA.
12. Data retention
12.1 Upon the termination of the Agreement and the expiry of this DPA, the Processor shall return to the Controller all of the Personal Data and any copies thereof which the Processor is Processing or has Processed on behalf of the Controller, and/or securely destroy the same.
12.2 Notwithstanding the above, the Processor may retain such Personal Data as the Processor is under a legal obligation to retain under national or EU/EEA law.
13. Notices
13.1 Any notices between the Parties shall follow the applicable procedures agreed under the Agreement.
14. Liability and indemnification
14.1 The liability and indemnification provisions set out in the Agreement shall apply with respect to the obligations of the Parties under this DPA.
14.2 Claims from Data Subjects for material or non-material damage resulting from an infringement of the GDPR shall be settled in accordance with Article 82 GDPR.
15. Changes to the DPA
15.1 The provisions set out in the DPA may be subject to changes to accommodate changes to the Applicable Data Protection Law. The Customer shall be given written notice of such changes. The changes will be implemented upon the renewal of the then-current term (the Initial Term or a Renewal Term, as the case may be), unless the Applicable Data Protection Law requires such changes to take effect sooner.
15.2 Notwithstanding the above, the Data Processing Specification may be updated from time to time to (a) reflect agreed changes in the Controller's instructions or to accommodate changes to the Services of the Processor; or (b) reflect changes to the Processing carried out in accordance with Clauses 10.2 and 5 of this DPA.
16. Consideration
16.1 The Processor shall be entitled to consideration from the Controller on a time and materials basis for its assistance and participation pursuant to Clauses 7 (Data protection impact assessment), 8 (Cooperation with the Controller and the Supervisory Authority) and 9 (Audit and compliance review) above, provided, however, that if an audit reveals any non-compliance with this DPA, the Processor shall not be entitled to charge the Controller for the costs of the audit.
17. Description and purpose of the Processing
17.1 Purposes and nature of the Processing
17.1.1 The overall purpose of the Processing is to provide the Services set out in the Agreement. Specifically, the Processor will perform such Processing as is necessary in order for the Controller to assess its compliance with the EU taxonomy framework.
Further, if the Controller has so agreed by signing off on it in the customer agreement, the Processor will perform such Processing as is necessary in order for the Controller to access and use the Celsia ESG Portal.
17.2 Processing operations
17.2.1 The Processing of the Personal Data for the purposes described in Clause 1.1 above will involve such Processing operations as are necessary in pursuit of the stated purposes, including, inter alia, basic Processing operations such as data entry and collection, storage and structuring, consultation and combination, and transmission and deletion. In addition, the Processing of the categories of Personal Data described below is necessary for authentication purposes and personalisation of the Services.
17.2.2 Some operations may be wholly or partially automated. Additional Processing operations may also be performed subject to the Controller's instructions or be required to accommodate changes to the Services of the Processor from time to time.
17.3 Categories of Personal Data
17.3.1 The Processing will involve, inter alia, the following categories of Personal Data: full name, display name, email address, phone number (optional), profile picture (optional), application settings (to the extent these contain personal data) and relevant company memberships (if applicable).
17.3.2 Additional Personal Data may also be Processed subject to the Controller's instructions or to accommodate changes to the Services of the Processor from time to time.
17.4 Special categories of Personal Data
17.4.1 No special categories of Personal Data will be involved in the Processing.
17.5 Categories of Data Subjects
17.5.1 The Personal Data being Processed will primarily concern employees of the Partner and End Users.
18. Sub-Processors and Processing locations
18.1 The Sub-Processors using the Processing locations set out in the table below are engaged by the Processor as of the Effective Date of the Agreement and are to be considered approved by the Controller as of the same date.