RWS Data Processing Agreement for the use of Translation on Demand only (“DPA”)
These On-line Translation Services are provided “as is” for use by Customers to enter the data of their choice for processing. RWS deploys security for the On-Line Translation Services which RWS considers to be appropriate. The On-line Translation Services are not considered suitable for special categories of data or sensitive data including health and PCI data.
This DPA is between RWS Holdings Plc for and on behalf of its subsidiaries and affiliates (referred to as “RWS or Processor,” together or individually, as applicable) and Customer (also referred to as “Controller”). This DPA forms part of any agreement or contract whether electronic or written between RWS and Customer for the purchase and provision of On-line Translation Services (collectively, the “Agreement”).
In delivering the Services under the Agreement if the Customer enters any Personal Data into the On-line Translation Services RWS will process Personal Data as a data processor on behalf of Customer, which is the data controller (whether as a controller or itself a processor on behalf of third party controllers). The processing details (the duration, the nature, means and purpose of the processing, the types of personal data and categories of data subjects) are further specified in Exhibit 1 to this DPA). To the extent such processing is taking place, the relevant Data Protection Laws and this DPA will apply.
It is hereby agreed as follows:
1.1 All capitalized terms not specifically defined in this DPA shall have the same meaning as provided for in the Agreement. Terms used but not defined in this Section 1 (Definitions), such as “personal data” “processing”, “controller”, “processor”, “data subject” or “personal data breach”, will have the same meaning as set forth in Article 4 of the GDPR.
1.2 The following definitions are used within this DPA:
“Affiliate” shall mean an entity (a) that directly or indirectly controls, is controlled by, or is under common control with a party under this Agreement, where “control” means ownership of more than fifty percent (50%) of the securities or voting power of the subject entity, and in the context of any other business entity, shall mean the right to exercise similar management and control of such entity, or (b) which is controlled, directly or indirectly, by the ultimate parent company, RWS Holdings Plc.
“Data Protection Laws” means applicable laws relating to the Processing of Personal Data (and any subsequent amendment, re-enactment, consolidation or replacement thereof):
i. As regards the Company so far as applicable to their collection and processing of the Personal Data; and
ii. As regards RWS in effect in the relevant jurisdiction where RWS’s Processing of Personal Data as Processor for Company under the Agreement is to be carried out from time to time, including but not limited to the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) and UK Data Protection Act 2018 (“UK DPA”).
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Online Translation Services” means the provision of on line translation performed by RWS Holdings Plc for the Customer utilising the technical product named in the heading to this Data Processing Agreement.
“Sub-processor” means any third party (including any Affiliate) engaged by Processor to process any Personal Data relating to this DPA and/or the Agreement.
2. Subject and Scope.
2.1 RWS shall process Personal Data under the Agreement only as a Processor acting on behalf of Customer (whether as a controller or itself a processor on behalf of third party controllers). RWS’s obligation is to provide the On-Line Translation Services, with appropriate technical and organisational security measures, as described in the Agreement and Exhibit 1. RWS provides the service as a general On-Line Translation Services not specifically designed for processing personal data. It is the Customer’s responsibility to use the provided functionality to comply with appropriate data protection law. RWS provides the service but has no control over the data the customer enters.
2.2 Customer shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which Customer acquired Personal Data. Customers shall process Personal Data in compliance with Data Protection Laws. Customer is solely responsible for obtaining all necessary consents, licenses and approvals for the collection and processing of any Personal Data. Due to the nature of the service offered by RWS, Customer is solely responsible to respond to any subject access requests and cease processing, delete data etc. as required.
2.3 RWS and the Customer shall comply with the Data Protection Laws applicable to it in connection with this DPA and shall not cause the other party to breach any of its obligations under Data Protection Laws.
2.4 Where the GDPR and or UK DPA apply RWS undertakes to comply with the provisions of GDPR Article 28 assisting the Company as required.
2.5 RWS will not sell the Personal Data. RWS is not permitted to collect, retain, use, or disclose Personal Data for its own purposes or for the purpose of any third party, firm, or enterprise (including Affiliates).
3. Technical, organizational measures and security.
3.1 RWS is not informed in advance of the Personal Data which will be processed and therefore cannot determine appropriate technical and organisational measures for specific Personal Data.
3.2 RWS has determined a general appropriate level of technical and organisational measures for Personal Data which it will maintain to ensure a level of security appropriate to the risk. The parties agree that the security measures as described in Exhibit 2 are appropriate to protect Personal Data against a Personal Data Breach. That these measures ensure a level of security appropriate to the risks presented by the processing having regard to the state of the art and the cost of their implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such security measures will be updated accordingly in order to protect the Personal Data against any new identified internal and external risks.
3.3 RWS shall ensure that any person authorized to process the Personal Data is subject to a strict duty of confidentiality and that they Process the Personal Data only for the purpose of delivering the Services under the Agreement.
3.4 At a minimum, RWS agrees to maintain a recognised standard of security either certified to ISO27001 or SOC2 the scope of which contains the Security Measures identified at Exhibit 2. The security measures will be reviewed on an annual basis and updated as RWS considers appropriate in order to protect the Personal Data against any new identified internal and external risks. RWS may modify its Security Measures from time to time and at any time, provided, however, that it will not materially reduce the level of protection as provided in this DPA.
3.5 RWS will maintain a Personal Data Breach Incident Response plan which will be reviewed annually.
4.1 RWS uses Sub-processors for the purposes of providing the Services to the Customer as described in the Agreement. RWS currently uses the following categories of Sub-processors:
i. Freelancers (engaged in the delivery of some translation services)
If further details on sub-processors engaged is required contact firstname.lastname@example.org.
4.2 Customer grants RWS general written authorisation to engage with (i) the categories of Sub-processors as described herein; and (ii) new categories of Sub-processors provided that RWS gives Customer reasonable prior notice. If Customer objects on reasonable data protection grounds to the appointment of any new category of Sub-processor and RWS is unable to provide an alternative within a reasonable period of time, then Customer may elect to suspend or terminate the processing of Personal Data under the Agreements without penalty.
4.3 In any event RWS must (i) have executed a valid and enforceable written contract with the Sub-processor containing privacy and security provisions substantially similar to those contained in this DPA; (ii) RWS remains fully liable for any breach that is caused by an act, error or omission of such Sub-processor; and (iii) have put in place appropriate measures to ensure that international transfers of Personal Data occur in compliance with applicable Data Protection Laws.
5. Cross-Border transfers.
5.1 If the RWS contracting entity is located outside of the European Economic Area (“EEA”) or UK the parties will execute the appropriate module of the Standard Contractual Clauses published in the European Commission Implementing Decision on standard contractual clauses for the transfer of personal data to third countries dated 4 June 2021 (“SCC”).
5.2 RWS will not process or transfer Personal Data outside of the EEA or UK unless:
i. it is to a country which is considered to ensure an adequate level of protection as determined by the EU or UK Government as appropriate.
ii. or RWS has first entered into the Module 3 Processor to Sub-Processor of the Standard Contractual Clause (SCC) which are hereby incorporated into this DPA. Until 27 December 2022 RWS can rely upon the Standard Contractual Clauses for controllers annexed to European Commission Decision 2010/87/EU entered into prior to 27 September 2021.
5.3 Customer hereby provides such consent for such processing or transfer to the Sub-processors described in section 4 of this DPA and all of RWS’s Affiliates as necessary provided the necessary measures are in place.
5.4 The RWS Affiliate US companies and their Affiliates are registered under the EU-US Privacy Shield and/or Swiss-US Privacy Shield. The Processing by RWS’s Affiliates in the USA will be under the appropriate SCC between RWS and its US Affiliate(s). The processing by RWS and RWS Affiliates in the USA will be under the Privacy Shield in accordance with the Privacy Shield Principles in addition to obligations under the SCC.
6. Deletion and return.
8. Personal Data Breach.
9. Security Reports and Inspections.
9.1 RWS shall maintain records in accordance with its ISO 27001 or SOC 2 Type II certification statement or similar Information Security Management System (“ISMS”) standards. Upon request, RWS shall provide copies of relevant external ISMS certifications, independent audit report summaries and/or other documentation reasonably required by Customer to verify RWS’s compliance with this DPA. Such documentation will be subject to the confidentiality provisions under the Agreement.
9.2 Unless an audit report of an independent competent auditor is provided, such as a SOC 2 Type II report, RWS will allow the Customer on at least 30 days written notice to audit RWS’s compliance with this DPA. Such audits will take place during RWS business hours and will be limited to one in any twelve-month period but in the event of a Personal Data Breach an additional audit maybe performed. The parties will agree in advance on reasonable timing, scope, and security controls applicable to the audit (including restricting access to RWS’s trade secrets and data belonging to RWS’s other customers).
10.1 The obligations placed under this DPA shall survive so long as RWS and/or its Sub-processors processes Personal Data on behalf of Customer.
10.2 RWS will have the right to amend this DPA provided that RWS does not reduce the level of its obligations in the DPA.
10.3 If any part of this DPA is held unenforceable, the validity of all remaining clauses will not be affected.
10.4 In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail.
10.5 Either party’s liability shall be subject to the terms of the Agreement.
10.6 This DPA shall be governed by the laws of England and Wales and the courts of England and Wales shall have exclusive jurisdiction to determine all issues arising under this DPA including non-performance.
10.7 Any changes RWS makes to this DPA will be posted on this page and will become effective 28 days after posting. You should bookmark and periodically review this page to ensure that you are familiar with the most current version of this DPA.
10.8 Version number appears in heading.
Details of Processing
1. Nature and Purpose of Processing
RWS is providing on-line language translation services. RWS will process Customer data for the provision of the translation services as described in the Agreement.
This information is in the Customer control and for the Customer to determine.
This information is in the Customer control and for the Customer to determine.
RWS will process Personal Data for the duration of the Agreement(s) unless otherwise agreed in writing by the parties.
Technical and Organisational Security Measures
This Exhibit 2 sets out a description of the technical and organizational security measures that must be implemented by RWS.
RWS takes information security seriously and this approach is followed through in its processing and transfers of Personal Data. This information security overview applies to RWS’s corporate controls for safeguarding Personal Data which is processed and transferred amongst RWS’s group companies and sub-contractors.
1.1. Organizational Controls
RWS will maintain an information security and privacy program that includes the implementation and enforcement of policies and procedures, created to (i) Secure Personal Data against accidental or unlawful loss, access or disclosure and (ii) identify reasonably foreseeable risks to security and unauthorised access to the On-line Translation Services. The security program includes the following organizational measures:
- Employment of full-time information security and technology professionals.
- Implementation of policies which prohibit the disclosure of Personal Data and Confidential Information.
- Regular internal security audits and assessments.
- Independent validation of implemented security controls via third-party security assessments.
- Selection of reputable hosting providers that maintain ISO27001 certification or SOC 2 Type II attestation.
1.2. Physical Access Controls
RWS implements suitable measures to prevent unauthorized persons from gaining access to the data processing equipment where the personal data are processed or used. This is accomplished by:
- Applications are hosted inside physical data centers and protected against various threats.
- Access to data centers is controlled via proximity card and/or biometric devices.
- Physical security needs are addressed according to international standards and best practices.
- Theft-protection physical security including, but not limited to:
- Intrusion detection systems (IDS)
- Security guards
- Gates and fences
1.3. Technical and Logical Access Controls
RWS commits that the persons entitled to use its data processing system are only able to access the data within scope and to the extent covered by its access permission (authorization) and that personal data cannot be read, copied, modified, or removed without authorization. This shall be accomplished by:
- Perimeter firewalls and integrated Network Threat Protection (NTP) with anti-virus to monitor network traffic and prevent intrusions.
- Performance of periodic security vulnerability scans on Internet facing web applications and infrastructure, with appropriate mitigation treatment according to defined timelines.
- Multifactor Authentication (MFA) enabled for the management of cloud service infrastructure.
- Only authorized personnel have access to the cloud services management console and tools.
- All actions within the management console are logged and stored centrally.
- Controller’s data is encrypted using up-to-date versions of TLS or other security protocols using strong encryption algorithms and keys or is transferred over private network connectivity.
- Staff monitor security alerts and events from applicable systems to identify and address threats at the earliest opportunity
- Applications are logically separated in their deployed tiers.
- Regular patching and software updates are applied as required and according to defined change management protocol.
- Appropriate access control is maintained to RWS systems and Customer data is protected in line with data classification and handling policies.
- All employees are required to undertake mandatory information security awareness training.
- All users are required to use named accounts and access to systems and data is logged.
- Utilization of user identification credentials, authentication of the authorized personnel, session timeouts etc.
- RWS provides workflow capability to our Customers who use our applications. The workflow and required processing steps of different data is within the control of the Customer. RWS does not process it differently depending on the intent of collection as processing path is determined by end client.
1.4. Environmental and Business Continuity Controls
RWS commits that the hosting environment is protected from environmental factors. This is accomplished by:
- Environmental and operational support systems deployed in the data center include:
- Fire detection and suppression controls.
- Climate and temperature controls.
- Leakage detection.
- Fully redundant power systems.
- Full and differential backups which are exported to alternate data centers.
1.5. Incident Response, Notification, and Remediation
RWS commits to deal with and remediate security events. This is accomplished by:
- Incident response process for security events that may affect the confidentiality, integrity, or availability of systems or data.
- Incident response mitigation timeframes in line with industry best practice.