SDL Data Processing Agreement for the use of Online Translation Services only (“DPA”)

Online Translation Services are provided “as is” for use by Customers to enter the data of their choice for processing. SDL deploys security for the Translation Services which SDL considers to be appropriate. The Online services are not considered suitable for special categories of data or sensitive data including health and PCI data.

This Privacy Notice explains why and how SDL Limited (“SDL”) will process any Personal Data which users choose to process in the Online Translation Services SDL offers online. 

SDL’s objective when processing any Personal Data is safeguarding the individual’s privacy. This Privacy Notice is designed to provide transparency on how we process your Personal Data and enable you to exercise the control available to you. 

This DPA is between SDL Limited, and/or one of its Subsidiaries, (referred to as “SDL or Processor,” together or individually, as applicable) and Customer (also referred to as “Controller”). This DPA forms part of any agreement or contract whether written or electronic between SDL and Customer for the purchase and provision of Online language translation services (collectively, the “Agreement(s)”). 

In delivering the Services under the Agreement(s), SDL will process Personal Data as a data Processor on behalf of Customer, which is the data Controller. The processing details (the duration, the nature, means and purpose of the processing, the types of Personal Data and categories of Data Subjects) are further specified in Exhibit 1 to this DPA. 

To the extent such processing is taking place, the relevant Data Protection Laws and this DPA will apply.

It is hereby agreed as follows:

DEFINITIONS

1. Definitions

1.1 All capitalized terms not specifically defined in this DPA shall have the same meaning as provided for in the Agreement(s). Terms used but not defined in this Section 1 (Definitions), such as “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject” or “Personal Data Breach”, will have the same meaning as set forth in Article 4 of the GDPR.

1.2 The following definitions are used within this DPA: “Data Protection Laws” means the UK Data Protection Act 2018 and any subsequent amendment, re-enactment, consolidation or replacement thereof and the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”). 

“Security Incident” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. 

“Sub-processor” means any third party (including any Processor's Subsidiary) engaged by Processor to process any Personal Data relating to this DPA and/or the Contracts. 

“Subsidiary” means any entity that is controlled (directly or indirectly), where “control” means at least fifty percent (50%) ownership of the outstanding shares of the entity, or the ability to direct the management of the entity by contract or otherwise.

SCOPE OF THE DPA

2. Subject and Scope. 

2.1 SDL shall process Personal Data under the Agreement(s) only as a Processor acting on behalf of Customer (whether as a controller or itself a processor on behalf of third party controllers). SDL’s obligation is to provide the translation services as described in the Agreement(s) and Exhibit 1 and with appropriate technical and organisational security measures. SDL provides the service as a general translation service not specifically designed for processing personal data. It is the Customer’s responsibility to use the provided functionality to comply with appropriate data protection law. SDL provides the service but has no control over the data the customer enters. 

2.2 Customer shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which Customer acquired Personal Data. Customer shall process Personal Data in compliance with Data Protection Laws. Customer is solely responsible for obtaining all necessary consents, licenses and approvals for the collection and processing of any Personal Data. Due to the nature of the service offered by SDL, Customer is solely responsible for responding to any subject access requests and for ceasing processing, deleting data, etc., as required. 

2.3 SDL and the Customer shall comply with the Data Protection Laws applicable to it in connection with this DPA and shall not cause the other party to breach any of its obligations under Data Protection Laws.

SECURITY MEASURES

3. Technical, organizational measures and security. 

3.1 SDL is not informed in advance of the Personal Data which will be processed and therefore cannot determine appropriate technical and organisational measures for specific Personal Data. SDL has determined a general appropriate level of technical and organisational measures for Personal Data which it will maintain to ensure a level of security appropriate to the risk. The parties agree that the security measures as described in Exhibit 3 are appropriate to protect Personal Data against a Personal Data Breach, and that these measures ensure a level of security appropriate to the risks presented by the processing having regard to the state of the art and the cost of their implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such security measures will be updated accordingly in order to protect the Personal Data against any new identified internal and external risks.

SUB-PROCESSORS

4. Sub-processing 

4.1 SDL uses Sub-processors for the purposes of providing the Services to the Customer as described in the Agreement. SDL currently uses the following categories of Sub-processors: data centre hosting providers (detailed in the SaaS Privacy Policy located at https://www.sdl.com/static/corporate/SAAS-Privacy-Policy-Apr-2020.pdf) and sub-processors who provide IT services/applications ancillary to the service which SDL uses in the ordinary course of business. In the case of language services, SDL utilises freelance translators. If further details on the sub-processors engaged are required, contact privacy@sdl.com.

4.2 Customer grants SDL general written authorisation to engage with (i) the categories of Sub-processors as described herein; and (ii) new categories of Sub-processors provided that SDL gives Customer reasonable prior notice. If Customer objects on reasonable data protection grounds to the appointment of any new category of Sub-processor and SDL is unable to provide an alternative within a reasonable period of time, then Customer may elect to suspend or terminate the processing of Personal Data under the Agreement(s) without penalty. 

4.3 In any event SDL must (i) have executed a valid and enforceable written contract with the Sub-processor containing privacy and security provisions substantially similar to those contained in this DPA; (ii) remain fully liable for any breach that is caused by an act, error or omission of such Sub-processor; and (iii) have put in place appropriate measures to ensure that international transfers of Personal Data occur in compliance with applicable law.

CROSS-BORDER TRANSFERS

5. Cross-Border transfers. 

5.1 SDL will not process or transfer Personal Data outside of the European Economic Area (“EEA”) unless it is to a country which is considered to ensure an adequate level of protection or SDL has first entered into, where possible on behalf of the Customer, the Standard Contractual Clauses for controllers annexed to European Commission Decision 2010/87/EU (the “SCC”), which are hereby incorporated into this DPA. In non-European countries which have regulations governing cross-border transfers, SDL will comply with the appropriate regulations which apply to the SDL company. 

5.2 Customer hereby provides such consent for such processing or transfer to the Sub-processors described in section 4 of this DPA and all of SDL’s Subsidiaries as necessary, provided the necessary measures are in place. Such measures may include SDL executing the SCC on behalf of the Customer, in which SDL or the Customer is described as “data exporter” and the Processor, Sub-processor or Processor Subsidiary as “data importer”. 

5.3 The Processor’s US subsidiary and its affiliates have registered under the EU-US Privacy Shield and/or Swiss-US Privacy Shield. The processing by Processor’s EEA Subsidiaries in the USA will be under the appropriate SCC between SDL and its US Subsidiary(ies).

DELETION OF CUSTOMER DATA

6. Deletion and return. 

6.1 Data deletion takes place automatically within Online translation services as part of the product process. SDL confirms it will destroy, subject to its customary processes, all electronic Personal Data. This requirement will not apply to the extent that SDL is required by applicable law to retain some or all of the Personal Data, in which event SDL will securely isolate and protect the Personal Data from any further processing except to the extent required by such law.

COOPERATION WITH CUSTOMER

7. Cooperation. 

7.1 To the extent SDL is required under GDPR, SDL will reasonably assist Customer to comply with GDPR; in particular (i) SDL will assist Customer in responding to any request from a Data Subject exercising his or her rights under the GDPR; SDL will not respond to that request except on the documented instructions of Customer or as required by applicable laws, in which case SDL shall, to the extent permitted by applicable laws, inform the Customer of that legal requirement before responding to that request; (ii) it will assist Customer in responding to any request from regulatory or judicial bodies relating to the processing of Personal Data under the Agreement(s); (iii) it will promptly notify Customer if it believes that its processing of Personal Data is likely to result in a high risk to the privacy rights of Data Subjects; and (iv) upon reasonable request, it will assist Customer to carry out data protection impact assessments.

SECURITY INCIDENTS

8. Security Incidents. 

8.1 If SDL has reasonable grounds to believe that a Security Incident has occurred in respect of the Personal Data being processed under the Agreement(s), it will inform Customer without undue delay, and in any event within seventy-two (72) hours after becoming aware of such Security Incident. In such event, SDL will (i) provide reasonable information and cooperation to Customer so that Customer can fulfil any Personal Data Breach reporting obligations it may have under the GDPR; (ii) take appropriate measures to mitigate the effects of the Security Incident; (iii) keep Customer informed of all material developments with the Security Incident; and (iv) co-operate reasonably with the Customer in relation to any investigation that Customer may initiate, or which may be initiated by a Supervisory Authority.

SECURITY REPORTS AND AUDITS

9. Security Reports and Inspections. 

9.1 SDL shall maintain records in accordance with its ISO 27001 or SOC 2 certification statement or similar Information Security Management System (“ISMS”) standards. Upon request, Processor shall provide copies of relevant external ISMS certifications, independent audit report summaries and/or other documentation reasonably required by Customer to verify SDL’s compliance with this DPA. Such documentation will be subject to the confidentiality provisions under the Agreement(s). 

9.2 Unless an audit report of an independent competent auditor is provided, such as a SOC 2 or ISO 27001 report, SDL will allow the Customer, on at least 30 days’ written notice, to audit SDL’s compliance with this DPA. Such audits will take place during SDL business hours and will be limited to one in any twelve-month period, but in the event of a Security Incident an additional audit may be performed. The parties will agree in advance on reasonable timing, scope, and security controls applicable to the audit (including restricting access to SDL’s trade secrets and data belonging to SDL’s other customers).

GENERAL

10. General 

10.1 The obligations placed under this DPA shall survive so long as SDL and/or its Sub-processors processes Personal Data on behalf of Customer. 

10.2 SDL will have the right to amend this DPA provided that SDL does not reduce the level of its obligations in the DPA. Any changes SDL makes to this DPA will be posted on this page and will become effective 28 days after posting. You should bookmark and periodically review this page to ensure that you are familiar with the most current version of this DPA. 

10.3 If any part of this DPA is held unenforceable, the validity of all remaining clauses will not be affected. 

10.4 SDL does not exclude or limit liability for: (a) death or personal injury caused by its negligence; or (b) any fraudulent misrepresentation on the part of SDL; or (c) any other liability that cannot be excluded by law. Notwithstanding anything in these terms to the contrary the parties agree that SDL’s aggregate liability under these terms shall not exceed, under any circumstances, the amount equal to fifty US dollars ($50). 

10.5 This DPA shall be governed by the laws of England and Wales and the courts of England and Wales shall have exclusive jurisdiction to determine all issues arising under this DPA including non-performance.

CONTACT

11. Contact 

11.1 SDL shall have a data protection officer where required by the Data Protection Laws, and where a data protection officer is not required, all data protection matters are to be raised with the SDL Data Privacy Officer at privacy@sdl.com.

DETAILS OF PROCESSING

Exhibit 1 

Details of Processing 

1. Nature and Purpose of Processing
    SDL is providing Online language translation services. SDL will process Customer data for the provision of the translation services as described in the Agreement. 

2. Categories of Data Subjects
    This information is in the Customer control and for the Customer to determine. 

3. Types of Personal Data
    This information is in the Customer control and for the Customer to determine. 

4. Duration of Processing
    SDL will process Personal Data for the duration of the Agreement(s) unless otherwise agreed in writing by the parties. 

Exhibit 2 

Technical and Organisational Security Measures 

This Exhibit 2 sets out a description of the technical and organisational security measures that must be implemented by Processor. 

Processor takes information security seriously and this approach is followed through in its processing and transfers of Personal Data. This information security overview applies to Processor’s corporate controls for safeguarding Personal Data which is processed and transferred amongst the Processor’s group companies and sub-contractors. Some Processor solutions may have alternate safeguards outlined in the applicable statement of work or similar document as agreed with Controller. 

Access Control to Processing Areas 

Processor implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment where the personal data are processed or used. This is accomplished by: 

  • Using dedicated datacentre facilities for housing data. Maintaining a high standard of physical security in all Data Importer facilities, e.g. swipe card access, on-site guards, locked doors between different parts of the building, zone-level access control. Ensuring that applications are logically separated in their deployed tiers. 
  • Maintaining an active information security programme which includes ISO 27001 certification and standards. 
  • Internal and external audit programmes. 
  • Security testing both as part of the Data Importer security programme and as vulnerability scanning within the operational environment. 
  • Regular patching and software updates are applied as required. 

Access Control to Data Processing Systems 

Data Importer implements suitable measures to prevent its data processing systems from being used by unauthorized persons. This is accomplished by: 

  • Using dedicated datacentre facilities for housing data. 
  • Maintaining a high standard of physical security in all Data Importer facilities, e.g. swipe card access, on-site guards, locked doors between different parts of the building, zone-level access control. Ensuring that applications are logically separated in their deployed tiers. 
  • Maintaining an active information security programme which includes ISO 27001 certification and standards. 
  • Internal and external audit programmes. Security testing both as part of the Data Importer security programme and as vulnerability scanning within the operational environment. 
  • Regular patching and software updates are applied as required. 

Access Control to Use Specific Areas of Data Processing Systems 

Data Importer commits that the persons entitled to use its data processing system are only able to access the data within the scope and to the extent covered by its access permission (authorization) and that personal data cannot be read, copied, modified or removed without authorization. This shall be accomplished by: 

  • Appropriate access control is maintained to Data Importer systems, and Data Exporter data is highly protected in line with our data classification and treatment policies. Employees who have an elevated level of access are required to undertake mandatory information security awareness training. All users are required to use named accounts, and access to systems and data is logged. 

Transmission Control 

Data Importer implements suitable measures to prevent the personal data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media. This is accomplished by: 

  • Sensitive Personal Data is encrypted during transmission using up to date versions of TLS or other security protocols using strong encryption algorithms and keys or is transferred over private network connectivity. 

Input Control 

Data Importer implements suitable measures to ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems or removed. This is accomplished by: 

  • Utilization of user identification credentials, authentication of the authorized personnel, session timeouts, etc. 

Job Control 

Data Importer ensures that personal data may only be processed in accordance with written instructions issued by the Data Exporter. This is accomplished by: 

  • Data Importer does not access personal data, except to provide SaaS services to the Data Exporter which Data Importer is obligated to perform as instructed by Data Exporter. 

Availability Control 

Data Importer implements suitable measures to ensure that personal data are protected from accidental destruction or loss. This is accomplished by: 

  • Global and redundant service infrastructure, resilient backup technology and processes in place to test our capability to restore Data Exporter data. 

Separation of processing for different purposes 

Data Importer implements suitable measures to ensure that data collected for different purposes can be processed separately. This is accomplished by: 

Data Importer provides workflow capability to the Data Exporters who use our applications. The workflow and required processing steps for different data are within the control of the Data Exporter. Data Importer does not process it differently depending on the intent of collection, as the processing path is determined by the end client.