EEA Standard Contractual Clauses
Effective: January 21, 2026
These Standard Contractual Clauses (“Clauses”) are incorporated by reference into and form an integral part of the Data Processing Agreement between the data exporter (as defined below) and B.E.S.A LLC, registered at 1601 Willow Lawn Dr Suite 304, The Shops at Willow Lawn, Richmond, VA 23223, United States (“BESA Coaching”, “B.E.S.A LLC”, “we”, “us”, “our”) (hereafter, the “data importer”).
These Clauses establish appropriate safeguards for the lawful transfer of personal data from the European Economic Area (“EEA”) to a third country in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”), and reflect the privacy standards and practices set forth in the BESA Coaching Privacy Policy (Effective January 21, 2026).
SECTION I
Clause 1: Purpose and Scope
(a) The purpose of these Clauses is to ensure that any transfer of personal data from the EEA to countries outside the EEA by or to BESA Coaching is performed in strict compliance with the GDPR, particularly as regards the protection of the fundamental rights and freedoms of individuals whose personal data is processed.
(b) The parties to these Clauses are:
(c) These Clauses apply specifically to the transfer of personal data as described in Annex I.B, and cover all categories of personal data outlined in our Privacy Policy, including, but not limited to:
(d) The Appendix to these Clauses (containing the relevant Annexes) is an integral part of these Clauses, and further details the categories of data, data subjects, and processing purposes.
Clause 2: Effect and Invariability of the Clauses
(a) These Clauses are designed to provide enforceable data subject rights and effective legal remedies, in compliance with Article 46(1) and 46(2)(c) of the GDPR, and the requirements for controller-to-processor or processor-to-processor transfers set out in Article 28(7) GDPR. The wording of these Clauses may not be altered except for the purpose of selecting the appropriate modules or updating information in the Appendix. Additional contractual clauses or safeguards may be included, provided they do not contradict or undermine these Clauses or the fundamental rights of data subjects.
(b) These Clauses operate in addition to, and do not limit, any other data protection obligations imposed on the data exporter by the GDPR or applicable laws.
Clause 3: Third-Party Beneficiaries
(a) Data subjects whose personal data is transferred under these Clauses (including minors and their guardians, coaches, clients, and contractors, as described in the Privacy Policy) may enforce these Clauses as third-party beneficiaries, subject to the limitations specified below:
(b) Rights of data subjects under the GDPR are not affected by these Clauses.
Clause 4: Interpretation
(a) Terms used in these Clauses (such as “personal data,” “processing,” “data subject,” etc.) have the same meaning as in the GDPR and as further clarified in the BESA Coaching Privacy Policy.
(b) These Clauses must be interpreted in light of the GDPR and in a manner that ensures the highest standard of privacy and data protection for all individuals whose data is processed.
(c) These Clauses will not be interpreted in any way that contradicts the GDPR.
Clause 5: Hierarchy
In the event of any conflict between these Clauses and any other agreement between the parties (whether entered into before or after these Clauses), these Clauses shall prevail to the extent of the conflict regarding the protection of personal data transferred from the EEA.
Clause 6: Description of the transfer(s)
The full details of the transfer(s)—including the nature, scope, categories of personal data, data subjects, and specific processing purposes—are described in Annex I.B. These reflect the types of data and processing activities detailed in the BESA Coaching Privacy Policy.
Clause 7: Docking Clause
(a) Additional entities (such as new coaches, contractors, or service providers, as defined in the Privacy Policy) may accede to these Clauses at any time, subject to the agreement of the original parties and completion of the Appendix and Annex I.A.
(b) Upon accession, such an entity will be bound by the rights and obligations of a data exporter or data importer, as specified in Annex I.A.
(c) No rights or obligations under these Clauses shall arise for the acceding entity before the date of its accession.
Integration with BESA Coaching Privacy Policy
These SCCs are designed to fully align with the BESA Coaching Privacy Policy, reflecting our commitment to transparency, security, and legal compliance. All personal data collected, used, and transferred under these Clauses is handled in accordance with the practices described in the Privacy Policy, including the collection of sensitive data (where strictly necessary), the protection of minors, and the exercise of user rights as set out therein.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8: Data Protection Safeguards
BESA Coaching (“B.E.S.A LLC”) is committed to ensuring all transfers and processing of personal data from the EEA are conducted in strict accordance with the GDPR and the privacy and security standards set out in our Privacy Policy.
8.1 Instructions
8.2 Purpose Limitation
8.3 Transparency
8.4 Accuracy
8.5 Duration of Processing and Erasure or Return of Data
8.6 Security of Processing
8.7 Sensitive Data
8.8 Onward Transfers
8.9 Documentation and Compliance
Integration with Privacy Policy:
All obligations above are implemented and exercised in line with the detailed data practices set forth in the BESA Coaching Privacy Policy, ensuring transparent, secure, and compliant processing for all users, including minors (with parental consent), coaches, contractors, and other stakeholders.
For questions or to exercise your privacy rights, contact: support@besacoaching.com
Clause 9: Use of Sub-processors
(a) Authorization and Notice
BESA Coaching (“B.E.S.A LLC”) is authorized to engage sub-processors from a pre-agreed list for the purpose of supporting the delivery of our Services (e.g., payment processors, background check agencies, cloud hosting, communications providers). BESA Coaching will inform the data exporter in writing of any intended changes to this list, including the addition or replacement of sub-processors, at least fourteen (14) days in advance. This enables the data exporter to object to such changes before the sub-processor is engaged. BESA Coaching will provide information necessary for the data exporter to exercise this right.
(b) Contractual Safeguards
When BESA Coaching engages a sub-processor for specific processing activities on behalf of the data exporter, BESA Coaching will do so through a written contract that imposes the same data protection obligations as those contained in these Clauses—including all relevant privacy, security, and user rights requirements. This ensures data subjects (including minors with parental consent, clients, coaches, and contractors as defined in our Privacy Policy) retain their third-party beneficiary rights. BESA Coaching will ensure sub-processors comply with all such obligations.
(c) Disclosure of Sub-processor Agreements
Upon request, BESA Coaching will provide the data exporter with a copy of the sub-processor agreement and any amendments, redacting any business secrets or confidential information as necessary.
(d) Responsibility for Sub-processors
BESA Coaching remains fully responsible for the performance of its sub-processors. Any failure by a sub-processor to fulfill its obligations will be treated as a breach by BESA Coaching, and the data exporter will be notified accordingly.
(e) Third-party Beneficiary Rights
BESA Coaching will include a provision in sub-processor contracts allowing the data exporter, in the event that BESA Coaching is unable to meet its obligations (due to insolvency, dissolution, or disappearance), to terminate the contract and instruct the sub-processor to erase or return personal data.
Clause 10: Data Subject Rights
(a) Notification of Requests
BESA Coaching will promptly notify the data exporter of any data subject request (for example, requests to access, correct, delete, or restrict data, or to exercise other privacy rights as outlined in our Privacy Policy) it receives directly. BESA Coaching will not respond directly unless authorized by the data exporter.
(b) Assistance with Requests
BESA Coaching will assist the data exporter, using appropriate technical and organizational measures, to respond to data subjects’ requests to exercise their rights under GDPR. The nature and extent of this assistance (including secure access, correction, or deletion of data) will be set out in Annex II, respecting the relationship and data flows described in our Privacy Policy.
(c) Compliance with Data Exporter Instructions
BESA Coaching will always comply with the data exporter’s instructions when handling data subject rights requests.
Clause 11: Redress
(a) Contact Point and Complaints
BESA Coaching provides an accessible contact point for data subjects to submit complaints regarding their personal data, both through direct notice and via our website (support@besacoaching.com). We commit to dealing promptly and transparently with any complaints received.
(b) Dispute Resolution
In case of a dispute between a data subject and either party concerning these Clauses, both parties will use best efforts to resolve the issue amicably and in a timely manner, keeping each other informed and cooperating as appropriate.
(c) Third-party Beneficiary Redress
Where a data subject invokes third-party beneficiary rights under Clause 3, BESA Coaching will accept their choice to:
(d) Representation
Data subjects may be represented by a not-for-profit body, organization, or association as allowed under Article 80(1) GDPR.
(e) Binding Decisions
BESA Coaching will abide by any decisions that are binding under EU or Member State law.
(f) No Prejudice to Additional Remedies
The choice made by the data subject will not prejudice their rights to seek other legal remedies.
Clause 12: Liability
(a) Party-to-Party Liability
Each party (data exporter and BESA Coaching) is liable to the other for damages caused by any breach of these Clauses.
(b) Data Importer Liability to Data Subjects
BESA Coaching is directly liable to the data subject for any material or non-material damages (as defined by GDPR or local law) caused by breaching third-party beneficiary rights under these Clauses, including by its sub-processors.
(c) Data Exporter Liability to Data Subjects
The data exporter is also liable to the data subject for any damages caused by itself, BESA Coaching, or sub-processors, without prejudice to any additional liability of the data controller under GDPR.
(d) Right to Indemnification
If the data exporter is held liable for damages caused by BESA Coaching (or its sub-processors), the data exporter can claim back compensation from BESA Coaching corresponding to its responsibility for the damage.
(e) Joint and Several Liability
If multiple parties are responsible for damage to the data subject, they are jointly and severally liable; the data subject can seek redress from any of them.
(f) Right to Recover Contribution
Any party held liable for the full amount may recover from the other responsible parties the part of the compensation corresponding to their responsibility.
(g) Sub-processor Conduct
BESA Coaching may not avoid liability by blaming the actions or omissions of its sub-processors.
Clause 13: Supervision
(a) Supervisory Authority
For data transfers under these Clauses, the designated supervisory authority is the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), unless otherwise specified.
(b) Cooperation with Supervisory Authority
BESA Coaching agrees to submit to the jurisdiction of the competent supervisory authority and to cooperate fully in any proceedings or audits related to these Clauses. This includes providing responses, documents, and written confirmation of compliance, as well as adhering to any remedial or compensatory measures required.
Integration with BESA Coaching Privacy Policy:
All sub-processor engagements, data subject rights responses, complaint redress, and liability arrangements are carried out in accordance with BESA Coaching’s Privacy Policy, which sets out our transparent practices for protecting and respecting the rights of all users—including minors (with parental consent), clients, coaches, and contractors.
Contact:
If you have privacy concerns, wish to exercise your rights, or need further information about these Clauses, contact us at:
support@besacoaching.com
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14: Local Laws and Practices Affecting Compliance with the Clauses
(a) Assurance of Compliance
Both BESA Coaching (“B.E.S.A LLC”, the data importer) and the data exporter warrant that, to the best of their knowledge, the laws and practices in the country where BESA Coaching processes personal data (the United States) do not prevent BESA Coaching from fulfilling its obligations under these Clauses. This includes any requirements for disclosure to, or access by, public authorities. This warranty is based on the understanding that any laws must respect fundamental rights and freedoms and must be necessary and proportionate as required by Article 23(1) of the GDPR.
(b) Assessment of Safeguards
In making this warranty, the Parties have carefully considered:
(c) Ongoing Cooperation
BESA Coaching warrants that it has provided the data exporter all necessary information for this assessment and will continue to cooperate and share relevant details to ensure continued compliance with these Clauses.
(d) Documentation
The Parties will document the legal and risk assessment described above and will provide this documentation to the competent supervisory authority upon request.
(e) Notification of Legal Changes or Concerns
If, during the term of these Clauses, BESA Coaching becomes aware of any law or practice in its country of operation that could prevent it from fulfilling these obligations (including a request for disclosure by authorities), it will promptly notify the data exporter.
(f) Response to Legal Risk
If such notification is made, or if the data exporter otherwise becomes aware that BESA Coaching may no longer be able to comply with these Clauses, the exporter will:
Clause 15: Obligations of the Data Importer in Case of Access by Public Authorities
15.1 Notification
(a) Prompt Notification of Requests
BESA Coaching will promptly notify the data exporter and, where possible, the affected data subject if it:
(b) Efforts to Permit Notification
If BESA Coaching is legally prohibited from notifying the data exporter or data subject, it will use its best efforts to obtain a waiver or other legal means to provide as much information as possible, as soon as possible. BESA Coaching will document these efforts and provide documentation to the data exporter upon request.
(c) Transparency Reports
Where allowed by law, BESA Coaching will provide the data exporter with regular reports summarizing the number and type of disclosure requests received, the authorities involved, and outcomes (including whether requests have been challenged and the results).
(d) Recordkeeping
BESA Coaching will preserve information about any disclosure requests and notifications for the duration of the contract and will make it available to the competent supervisory authority upon request.
(e) Obligation to Inform of Non-compliance
The above obligations are in addition to BESA Coaching’s requirement to inform the data exporter (under Clause 14(e) and Clause 16) if it is unable to comply with these Clauses.
15.2 Review of Legality and Data Minimization
(a) Assessing & Challenging Requests
BESA Coaching will review the legality of any request for disclosure, ensuring it falls within the requesting authority’s powers. If there are reasonable grounds to believe the request is unlawful (under local or international law), BESA Coaching will challenge it, including seeking interim measures to suspend the request until a competent court rules on its validity. Personal data will not be disclosed until legally required, unless such delay would be unlawful.
(b) Documentation of Legal Assessment
BESA Coaching will document its legal assessment and any challenge to a disclosure request and, to the extent allowed by law, will share this documentation with the data exporter and make it available to the supervisory authority upon request.
(c) Data Minimization
BESA Coaching will only disclose the minimum amount of personal data required to comply with a valid legal request, ensuring that any disclosure is strictly limited to what is necessary and proportionate.
Integration with BESA Coaching Privacy Policy
All responses to legal requests for data, as well as the procedures and safeguards described above, are carried out in accordance with BESA Coaching’s Privacy Policy. Our Policy details our commitment to transparency, user rights, minimizing disclosure, and prioritizing the privacy and security of all users—including minors with parental consent, clients, coaches, and contractors.
Contact for inquiries or concerns:
support@besacoaching.com
SECTION IV – FINAL PROVISIONS
Clause 16: Non-Compliance with the Clauses and Termination
(a) Duty to Notify
If BESA Coaching (“B.E.S.A LLC” – data importer) is unable, for any reason, to comply with these Clauses, it must immediately inform the data exporter (the EEA entity or individual providing the data).
(b) Suspension of Transfers
If BESA Coaching is in breach of these Clauses or cannot comply with them, the data exporter must suspend any further transfer of personal data to BESA Coaching until compliance is restored or the agreement is terminated. This is without prejudice to the data exporter’s right to terminate under Clause 14(f).
(c) Right of Termination
The data exporter may terminate the contract (insofar as it relates to the processing of EEA personal data under these Clauses) if:
In these cases, the data exporter will inform the competent supervisory authority of such non-compliance. If more than two parties are involved in the contract, the right to termination may be exercised only with respect to the relevant party, unless otherwise agreed.
(d) Return or Deletion of Data
Upon termination pursuant to paragraph (c), all personal data transferred prior to termination (and any copies thereof) must, at the data exporter’s choice, be immediately returned or deleted in full. BESA Coaching must certify to the data exporter that deletion has occurred. Until the data is deleted or returned, BESA Coaching must continue to comply with these Clauses. If local laws prevent deletion or return, BESA Coaching will continue to protect the data and only process it as strictly required by those laws.
(e) Revocation
Either party may revoke its agreement to be bound by these Clauses if (i) the European Commission adopts an adequacy decision under Article 45(3) GDPR for the United States (or other relevant country); or (ii) the GDPR becomes law in the country where the data is transferred. This does not affect any other legal obligations for personal data processing.
Clause 17: Governing Law
These Clauses are governed by the laws of the EU Member State where the data exporter is established. If that law does not provide for third-party beneficiary rights, then the law of another EU Member State that does provide for such rights shall apply.
Clause 18: Choice of Forum and Jurisdiction
(a) Dispute Resolution
Any disputes arising from these Clauses will be resolved by the courts of the United States.
(b) Agreed Venue
The Parties select the courts of Richmond City County, California, as the competent venue.
(c) Data Subject Rights
Data subjects may also bring proceedings against the data exporter and/or BESA Coaching before the courts of the EU Member State in which they reside.
(d) Submission to Jurisdiction
The Parties agree to submit to the jurisdiction of such courts as described above.
Appendix 1 to BESA Coaching Standard Contractual Clauses
This Appendix forms part of these Clauses.
Appendix 2 to BESA Coaching Standard Contractual Clauses
This Appendix forms part of these Clauses.
Technical and Organizational Security Measures:
B.E.S.A LLC applies the technical and organizational measures described in the Security Standards Schedule of the Data Processing Agreement. These measures may be updated as needed to reflect evolving industry standards and risk. They include, but are not limited to:
Integration with Privacy Policy
All provisions in Section IV reflect BESA Coaching’s public commitment to privacy, security, and transparency as outlined in our Privacy Policy. Data subjects—including clients, minors (with parental consent), coaches, and contractors—may exercise their rights or raise concerns at any time by contacting support@besacoaching.com.
EEA Standard Contractual Clauses
Effective: May 04, 2024
Standard Contractual Clauses (processors)
Data Controller as defined in the Data Processing Agreement (the “data exporter”),
And
B.E.S.A LLC, which is based at 1601 Willow Lawn Dr Suite 304 The Shops at Willow Lawn, Richmond, VA 23223, United States, if the data exporter is transferring personal data to B.E.S.A LLC under the Data Processing Agreement;
(The relevant B.E.S.A LLC entity described above is referred to as the “data importer”),
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the “Clauses”) to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (1) for the transfer of personal data to a third country.
(b) The Parties:
(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I. A (hereinafter each ‘data exporter’), and
(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I. A (hereinafter each ‘data importer’)
have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).
(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
(ii) Clause 8.1(b), 8.9(a), (c), (d) and (e);
(iii) Clause 9 – Clause 9(a), (c), (d) and (e);
(iv) Clause 12 – Clause 12(a), (d) and (f);
(v) Clause 13;
(vi) Clause 15.1(c), (d) and (e);
(vii) Clause 16(e);
(viii) Clause 18 – Clause 18(a) and (b);
(b) Paragraph (a) is without prejudice to the rights of data subjects under Regulation (EU) 2016/679.
(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.
(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14 the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In the case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organizational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and an approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679 to notify the competent supervisory authority and the affected data subjects, considering the nature of processing and the information available to the data importer.
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offense (hereinafter ‘sensitive data), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (4) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
(a) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(b) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
(c) the onward transfer is necessary for the establishment, exercise, or defence of legal claims in the context of specific administrative, regulatory, or judicial proceedings; or
(d) the onward transfer is necessary to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may consider relevant certifications held by the data importer.
(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
(a) The data importer has the data exporter’s general authorization for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least fourteen days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. (8) The Parties agree that, by complying with this Clause, the data importer fulfill its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfill its obligations under that contract.
(e) The data importer shall agree on a third-party beneficiary clause with the sub-processor whereby – in the event, the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorized to do so by the data exporter.
(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organizational measures, considering the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.
(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorized to handle complaints. It shall deal promptly with any complaints it receives from a data subject.
(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;
(ii) refer the dispute to the competent courts within the meaning of Clause 18.
(d) The Parties accept that the data subject may be represented by a not-for-profit body, organization or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.
(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.
(f) The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.
(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
(a) The parties agree that the supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall be the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), which shall act as a competent supervisory authority.
(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.
(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination are applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorizing access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679 are not in contradiction with these Clauses.
(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular the following elements:
(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved, and the transmission channels used; intended onward transfers; the type of recipient; the purpose of the processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorizing access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards (12);
(iii) any relevant contractual, technical, or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.
(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).
(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfill its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organizational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary, with the help of the data exporter) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts to be able to demonstrate them at the request of the data exporter.
(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).
(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
(a) The data importer agrees to review the legality of the request for disclosure whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.
(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
(ii) the data importer is in substantial or persistent breach of these Clauses; or
(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.
In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.
(d) Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.
These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights.
(a) Any dispute arising from these Clauses shall be resolved by the courts of the United States.
(b) The Parties agree that those shall be the courts of Richmond City County, California.
(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.
(d) The Parties agree to submit themselves to the jurisdiction of such courts.
Appendix 1 to B.E.S.A LLC Standard Contractual Clauses
This Appendix forms part of the Clauses
Data exporter The data exporter is the non- B.E.S.A LLC legal entity that is a party to the Clauses.
Data importer. The data importer is: B.E.S.A LLC
if the data exporter is transferring personal data to B.E.S.A LLC under the Data Processing Agreement; or
Data subjects. The personal data transferred concern the following categories of data subjects: Data subjects include individuals about whom data that originated in the EEA is provided to B.E.S.A LLC via the Business Services by (or at the direction of) the data exporter.
Categories of data. The personal data transferred concerns the following categories of data: Data relating to individuals provided to B.E.S.A LLC via the Business Services by (or at the direction of) data exporter, as specified in Schedule 1: Details of Data Processing of the Data Processing Agreement.
Special categories of data (if appropriate) The personal data transferred concerns the following special categories of data: None
Processing operations B.E.S.A LLC will process the personal data for the purposes of providing the Business Services to the data exporter in accordance with and as described in the Data Processing Agreement, and these Clauses.
Appendix 2 to B.E.S.A LLC Standard Contractual Clauses
This Appendix forms part of the Clauses.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(c) and 5(c). The data importer currently abides by the security standards in Schedule 2 – B.E.S.A LLC Security Measures of the Data Processing Agreement. The data importer may update or modify these security standards from time to time.
