User Agreement TERMS OF USE OF THE TOLOKA PLATFORM
Last updated: July 30, 2024
Effective Date: July 30, 2024
Welcome to our platform! This User Agreement (the Terms) is a binding agreement between YOU and Toloka AI AG, a corporation incorporated and existing under the laws of Switzerland, having its registered office at Werftestrasse 4, 6005 Lucerne Switzerland, and identification number CHE- 132.532.069 (“TOLOKA”) as YOU an internet user registering at https://toloka.ai and any other associated mobile or web services or applications made generally available by TOLOKA (collectively, the “Toloka Web Site”).
TOLOKA offers you to provide services in exchange for a fee to TOLOKA with the use of the Toloka Web Site (hereinafter referred to as the “Services”) in accordance with these Terms. These Terms consist of the terms and conditions below, and incorporate and include:
- the TOLOKA Privacy Notice or the Mindrift Privacy Notice;
- the Data Processing Agreement (“DPA”); and
- any other policies, procedures, and other guidelines that TOLOKA posts on the Toloka Web Site or otherwise makes available to you including the terms of the tasks offered to you via the Toloka Web Site (hereinafter referred to as “Tasks”).
BY REGISTERING FOR OR ACCESSING THE TOLOKA WEB SITE, YOU ACCEPT THESE TERMS AND WARRANT AND REPRESENT THAT YOU ARE AT LEAST 18 YEARS OLD OR THE AGE OF LEGAL MAJORITY IN YOUR JURISDICTION ANDYOU HAVE AUTHORITY TO BIND YOURSELF TO THESE TERMS. PLEASE CAREFULLY READ THE TERMS AND THE PRIVACY NOTICE BEFORE USING THETOLOKA WEB SITE.
1. YOUR general obligations
1.1. By registering or using the Toloka Web Site, YOU express your agreement to the terms and conditions of the Terms and represent and warrant that:
- YOU have carefully read and understood the Terms;
- YOU have the right, in accordance with the applicable laws, to enter into contractual relations under the Terms, and nothing restricts YOUR capacity to contract;
- YOU are already 18 years old and YOU are a person of legal majority age in accordance with the laws of the country of YOUR citizenship and the country of YOUR residence and or a tax resident of the Swiss confederation, you may not fulfill the tasks offered via the Toloka Web Site or otherwise use the Toloka Web Site or any of its individual functions;
- To be registered on Toloka Web Site, YOU must be 18 years old or older depending on what is considered the age of majority in YOUR country. WE are entitled to verify YOUR age at any time at OUR discretion. YOU acknowledge that this verification process is a condition of accessing OUR Toloka Web Site.
- YOU are aware that the content of the Toloka Web Site is for persons of legal age only;
- YOU comply with all applicable sanctions laws and regulations administered or imposed by the United States, European Union (“EU”), United Kingdom (“UK”), and Switzerland, including, but not limited to, the US Department of Treasury’s Office of Foreign Assets Control (“OFAC”) regulations (31 C.F.R. Chapter V) (collectively, “Sanctions Laws”).
- YOU represent that neither YOU, nor any other person acting for or on YOUR behalf, is a person that is identified on OFAC’s Specially Designated Nationals and Blocked Persons List, the UK Consolidated List of Financial Sanctions Targets maintained by HM Treasury, the European Union Consolidated Financial Sanctions List maintained by the European Commission, the Swiss sanctions lists, or any other comparable list of persons subject to trade or financial restrictions and/or sanctions imposed or administered by the US, EU, UK, or Switzerland (collectively, “Restricted Persons Lists”). YOU shall immediately notify TOLOKA in writing of any breach of the foregoing representation or any other material change in fact that makes the foregoing representation no longer accurate;
- YOU shall not provide, in violation of Sanctions Laws, any goods or services to TOLOKA under the Terms that are sourced in whole or in part, directly or indirectly, from a country or region embargoed or subject to substantial trade restrictions by the US, EU, UK, or Switzerland. YOU agree not to provide any Services while physically being present in Russia or Belarus. In the event that YOU transact Terms, block YOUR account, and freeze YOUR funds;with an embargoed country or region, a person identified on the Terms, block YOUR account, and freeze YOUR funds;Restricted Persons Lists, or otherwise in violation of Sanctions Laws Terms, block YOUR account, and freeze YOUR funds;while performing Services under these Terms, TOLOKA Terms, block YOUR account, and freeze YOUR funds;may immediately terminate these Terms, block YOUR account, and Terms, block YOUR account, and freeze YOUR funds;freeze YOUR funds;
- YOU are not a citizen and (or) tax resident of the Swiss Confederation and, if YOU become such, YOU undertake to immediately discontinue using the Toloka Web Site and any of its individual functions;
- The Toloka Web Site may not be used available for use in the following certain countries: Iran, Cuba, North Korea, Syria, Sudan, Myanmar, Venezuela, Russia, Belarus and other countries where TOLOKA is not operating in.
1.2. You undertake to:
- abide all applicable laws, codes, regulations, orders, rules, etc.;
- obtain at your expense any authorizations, permits, certificates, licenses, patents, declarations, etc. and go through any registration procedure if such is necessary for YOU to be able to provide services to TOLOKA in accordance with the Terms and to use the Toloka Web Site;
- pay on time your own expenses, including those related with telephone communications, Internet access and telecommunication equipment, incurred by YOU for the purpose of obtaining access to the Toloka Web Site and (or) providing services via the Toloka Web Site and (or) when withdrawing payments from your account.
1.3. If YOU breach the requirements of Clause 1.1 and or 1.2 of the Terms, TOLOKA may refuse to accept the results of the Services deeming the latter as improperly provided, immediately terminate the Terms with YOU, fully refuse to pay YOU for the Services and block YOUR account.
1.4. The Toloka Web Site is designed for inter alia, identifying materials with abusive and (or) pornographic content for the purpose of improving the quality of the search results filtration mechanisms. In this regard, the information reproduced on the Toloka Web Site may contain materials with abusive and (or) pornographic content, and YOU agree that materials with abusive and (or) pornographic content may be demonstrated to YOU from time to time. YOU may limit the demonstration of such materials to YOU (excluding the materials referred to in Clause 1.5. of the Terms) by unflagging the option “I agree to perform tasks with adult content” in the settings of YOUR account on the Toloka Web Site. You may also report the content of a Task YOU believe to be abusive by the way of flagging the respective checkbox on the webpage containing the Task and/or via Feedback section of the Toloka Web Site.
1.5. The Toloka Web Site may contain URL-links to other web sites on the Internet (third parties’ web sites). TOLOKA shall bear no responsibility for any information and (or) materials posted on the third parties’ web sites that YOU may access using the Toloka Web Site, including, but not limited to any opinions or assertions, expressed via the third parties’ web sites, adverts, etc., as well as for availability of these websites or their content, and consequences of YOU using them.
1.6. TOLOKA hereby notifies YOU that parental control protections (such as computer hardware, software, or filtering services) are commercially available, these parental control protections can help in limiting access to materials that is harmful to minors. Information regarding providers of such protections may be found on the Internet by searching “parental control protection” or similar terms.
1.7. YOU agree that TOLOKA is not restricting in any way YOUR right or ability to perform any services for others, including but not limited to, any employer, your own clients, or through any other crowdsourcing service or any other means. YOU will not represent yourself to clients or anyone else as an employee or agent of TOLOKA. YOU agree and acknowledge that YOU are an independent contractor of TOLOKA and will always represent yourself as such. YOU have no authority (and will not hold yourself out as having authority) to bind TOLOKA, and you will not make any agreements or representations on behalf of TOLOKA.
2. Registration and Use of YOUR Account and performing the Tasks
2.1. When registering on the Toloka Web Site, YOU shall create an account. YOU may register only one account throughout the period of use of the Toloka Web Site. If YOU resume using the Toloka Web Site after a period, during which YOU have not used the Toloka Web Site, YOU may not register a new account and shall continue using the previously registered account.
2.2. YOU may not grant access to YOUR account on the Toloka Web Site to third parties, specifically, allow such third parties to provide the Services (fulfill Tasks) on YOUR or their own behalf with the use of YOUR account on the Toloka Web Site.
2.3. The data contained in YOUR account shall not refer to YOUR connection with the TOLOKA and (or) the Toloka Web Site, in particular, they shall not give the impression that the actions performed by YOU in the course of rendering the Services, are made on behalf or under control of TOLOKA and/or administration of the Toloka Web Site.
2.4. YOU agree to be fully liable for ensuring confidentiality and integrity of the password to YOUR account on the Toloka Web Site and its non-disclosure to third parties. YOU also agree to be fully liable for any actions performed on the Toloka Web Site with the use of YOUR account.
2.5. YOU agree and undertake to provide the Services in accordance with the requirements of the applicable laws, the provisions of the Terms, the Privacy Policy and the terms of each individual Task accepted by YOU via the Toloka Web Site.
2.6. YOU agree and undertake to perform the Services, Tasks and any other deliverables YOU provide to TOLOKA or its Clients are of high-quality standards and consistent with any scope of work or other specifications provided by TOLOKA including to be accurate and within the deadlines. It shall be prohibited to provide the Services by using automated methods (scripts, robots, etc.), unless otherwise provided for by the terms of the corresponding Task. YOU understand that your repeated failure to do so constitutes a breach of these Terms. TOLOKA reserves the right to confirm the accuracy of the Services, Tasks and other deliverables, and, in addition to TOLOKA’s right to withhold payment in full or in part, to remove YOU from projects or deactivate your account based on your breach of this section.
2.7. TOLOKA reserves the right to deem the Services provided as unsatisfactory and may, at it sole discretion, decline payment to YOU and or restrict the ability to perform Tasks and or withdraw funds from YOUR account under the following circumstances:
- If YOU provided inaccurate or misleading or unreliable or incomplete data in YOUR account, including situations where the Toloka Web Site is used by minors and/or tax residents of the Swiss Confederation;
- YOU did not provide TOLOKA the requested information and/or documents;
- The Services have been provided under improper conditions (for example, there is a background noise in the record, no audio record is made, low sound quality, no video record is made, low video quality, blocked Web cam);
- TOLOKA concludes that the provided Services (the results of the fulfilled Task) fail to meet the set standards (if applicable) and (or) the terms of the Task, or the Task has been only partially fulfilled (for example, not all of the set problems have been resolved);
- The Task is fulfilled upon the expiration of the term set by TOLOKA in the terms of the Task;
- Any breach of the Terms.
2.8. YOU shall act as an independent contractor with respect to TOLOKA and you are not an employee of TOLOKA or any of TOLOKA Group entities. TOLOKA Group means in relation to Toloka and its subsidiaries or holding companies from time to time: 1) which directly or indirectly hold more than 50% of shares of TOLOKA; 2) where more than 50% of shares in the authorized capital are held, directly or indirectly, by TOLOKA; 3) where more than 50% of shares in the authorized capital or stock are held, directly or indirectly, by a person who directly or indirectly holds more than 50% of shares of TOLOKA; 4) which are entitled to take management decisions with respect to TOLOKA or TOLOKA is entitled to take management decisions. Therefore, YOU may not issue a claim to TOLOKA or any of TOLOKA Group entities in connection with the provision of the Services under the Terms for payment of salary, vacation pay, temporary disability (illness) allowance, pension and (or) social security benefit, medical service and (or) social assistance privilege, retirement pay or any other payments, benefits, guarantees and (or) compensations stipulated by the applicable labour laws.
2.9. YOU hereby acknowledge that YOUR primary or secondary employment is not related to the provision of the Services with the use of the Toloka Web Site and that YOU agree to provide such Services at YOUR own risk. YOU also acknowledge that YOU will arrange an appropriate work place and have all necessary equipment for providing the Services including but not limited to internet access. TOLOKA SHALL not control the time YOU spend on providing the Services, and shall not instruct, supervise or control YOU in any manner.
2.10. YOU represent and warrant that:
- YOU have all the mandatory certificates, licenses and/or registrations that are required to operate as an independent contractor in your applicable jurisdiction; and
- YOU are registered and act as an individual entrepreneur (sole trader, self-employed person) while YOU provide the Services.
- YOU shall pay all applicable social security contributions, insurance contributions and (or) taxes and submit all appropriate reporting forms to competent authorities.
2.11. YOU agree and undertake to reimburse TOLOKA for all losses incurred by TOLOKA as a result of YOUR invalid representations and warranties listed in Clause 2.7-2.10 of the Terms.
2.12. TOLOKA may (but in no case is obligated to) provide monitoring, preliminary moderation, filter, delete any content and (or) results of YOUR Services and (or) investigate into any breach of TOLOKA’s rules applicable to YOU and (or) review complaints from and with respect to YOU and take appropriate measures.
2.13. YOU may use the Toloka Web Site solely for the purposes specified in the Terms.
3. Payment for Tasks and withdrawal
3.1. If YOU have provided the Services in accordance with the specified requirements (covering aspects like requirements, quality, deadlines and terms) outlined in the respective Task and these Terms, and TOLOKA has accepted the result of the Services, the remuneration amount set in the terms of the Task (hereinafter referred to as Payment) shall be transferred to YOUR account on the Toloka Web Site no later than 30 (thirty) days following the successful fulfillment of the corresponding Task and acceptance by TOLOKA. TOLOKA shall assess the Services on the basis of the obtained results, and not on the basis of the time spent and (or) effort made.
3.1.1. If TOLOKA and or the Client rejects your submitted Task, TOLOKA will contact YOU and YOU can only once edit and resubmit the Task, YOU will not receive any additional compensation for this as YOU are an independent contractor and bear the financial risk over YOUR own services. If YOUR submitted tasks are rejected after the first submission, TOLOKA has the right to withhold part or all of YOUR compensation.
- YOU may communicate YOUR objections (specifying the number of the respective Task) via the interface of the Toloka Web Site within 7 calendar days from the date when the respective Services (results of Tasks) have been rejected. YOU agree that any objections communicated after the expiration of the 7 days’ term will not be considered.
- Provided that YOUR objections have been properly communicated, TOLOKA may, but shall not be obliged to, consider the objections within 14 calendar days from the date when YOU have communicated YOUR objections.
- TOLOKA may decide to accept the Services (results of Tasks) or reject them again. YOU can communicate YOUR objections regarding each refusal to accept YOUR Services only once. If TOLOKA decides not to consider YOUR objections, TOLOKA shall not inform YOU thereof.
3.1.2. Where Payment is transferred by the Toloka’s Client to YOUR account on the Toloka Web Site, YOU may withdraw money from YOUR account by using the details of a payment system operator or a credit institution selected by YOU (from among available ones), given YOUR successful identification in the corresponding payment system and (or) credit institution in accordance with the requirements of the operator of such payment system and (or) the credit institution and the applicable laws. TOLOKA shall send a request for withdrawal of money from the account on the Toloka Web Site according to the details of the payment system operator or the credit institution selected by YOU no later than 30 (thirty) calendar days after YOU initiate the withdrawal of the Payment amount.
3.1.3. Payment shall be made in US dollars. If the payment system operator and/or a credit institution selected by YOU do not provide YOU with an opportunity to receive Payment in US dollars (in accordance with the selected terms of use), YOU shall receive an amount in another currency in accordance with the terms of use of the respective payment system operator and (or) the credit institution. YOU may find information on the applied exchange rates and conversion dates in the Help section of the Toloka Web Site. You understand that neither TOLOKA nor any related entity is responsible for any foreign exchange fluctuation between local currency and the US Dollar or any timing issue that may affect the value of payments made to you.
3.1.4. Payment sums will be withdrawn from YOUR account on the Toloka Web Site as per the rules, tariffs and rates set by the payment system operator and (or) the credit institution. TOLOKA bears no liability for complaints regarding actions and (or) omissions of the payment system operator and (or) credit institution that YOU have selected for the withdrawal of money from YOUR account on the Toloka Web Site or other operations.
3.1.5. YOU agree that the payment system operator or credit institution selected by YOU may deduct commission fees and request additional documents when withdrawing Payment sums from YOUR account on the Toloka Web Site.
3.1.6. TOLOKA shall not participate in the communication between YOU and the payment system or the credit institution.
3.2. If YOU believe there's an error in a Payment, promptly email Toloka Support using the published email address on the Toloka Web Site. Failure to notify TOLOKA of errors within 10 calendar days of the transfer to YOUR Toloka Web Site account constitutes a waiver of claims and acceptance of the payment.TOLOKA may choose not to consider inquiries submitted more than 10 calendar days after YOU initiate the Payment withdrawal procedure.
3.3. TOLOKA shall not bear any liability for tax deductions from Payment sums and any other money paid to YOU by TOLOKA and or Toloka’s Client; YOU shall be fully liable for the calculation, deduction, payment and reporting of any taxes and dues to appropriate regulatory and (or) supervisory authorities, including with respect to sales tax, value-added tax, individual income tax and other taxes, dues, duties, insurance contributions and other charges, assessed, accumulated and (or) payable for any reason in connection with any Payment, provision of the Services, use of the Toloka Web Site, any of YOUR actions and (or) omission as well as actions and (or) omission of YOUR affiliates.
3.4. YOU agree that the remuneration specified in the terms of the Task and received by YOU for the provided Services, shall be adequate and sufficient remuneration for the provided Services and any information and (or) exclusive rights to intellectual property provided by YOU. All obligations of TOLOKA to pay YOU any sums in connection with YOUR provision of the Services are fulfilled upon the date that Payment has been made by TOLOKA.
3.5. YOU agree that if the amount of YOUR account in Toloka Web Site is 1 US dollar or less and if YOU do not complete Tasks within 12 (twelve) months in a row, the amount from YOUR account is debited by TOLOKA and the amount of the account remains zero. If the amount is debited from YOUR account under mentioned conditions, you have no claims against TOLOKA.
4. Intellectual Property Rights
4.1. YOU hereby acknowledge and agree that all intellectual rights with respect to the Toloka Web Site and Tasks, including but not limited to patents, designs, copyrights, trademarks and service marks, know-how, trade secrets, and right of a like nature, throughout the world, in any case whether registered or not, as well as any applications for any of these rights, shall belong to TOLOKA.
4.2. YOU also agree and acknowledge that all results of the Tasks/Services fulfilled/provided by YOU shall be created by YOU for TOLOKA (the Result) and that all rights to such Result, including the exclusive right and other intellectual property rights, shall be transferred at no charge by YOU to TOLOKA and that such exclusive right and intellectual rights shall be automatically transferred to TOLOKA each time a corresponding Result is created.
4.3. YOU agree to transfer all rights to the (future) Results as set out in the Terms, each time without any additional fee to YOU such enhancement, modification for such enhancement, modification, or adaptation and regardless of whether or not YOU have received Payment for the provided Services (fulfilled Tasks).
4.4. YOU hereby warrant and represent that the Result does not infringe upon any third party rights and that YOU are the sole right-holder with respect to the Result and are entitled to transfer the rights to the Result as stated in Clauses 4.2 and 4.3 of the Terms, without obtaining consent of third parties, and that such rights to the Result are free from any pledge, arrest, retention, purchase option and other encumbrance.
4.5. On YOUR part, YOU undertake to take all necessary actions (including executing any documents or applications) for all rights to the Result to be transferred to TOLOKA, as stipulated in the Terms.
4.6. YOU hereby agree and acknowledge that TOLOKA can use the Result without any reference to YOU as the author, to make any changes, modifications, adaptations, abridgements and/or additions to the Result, make the Result public, incorporate the Result in complex objects comprising several protected intellectual activity results, to create derivative works based on the Result as well as exercise any other right linked to an intellectual property right or other rights mentioned in this Clause 4.
4.7. In instances where the transfer of certain intellectual property rights to TOLOKA is not possible (e.g., due to mandatory legal restrictions), YOU hereby grant to TOLOKA an exclusive, worldwide, perpetual, irrevocable, royalty-free, transferable license, with the right to sublicense, to use such intellectual property. This license shall include the rights to use, reproduce, modify, display, perform, distribute, and create derivative works from the intellectual property.
4.8. Insofar as allowed by the applicable laws, the CUSTOMER shall bear no responsibility for any wrong that may be inflicted to YOU as a result of providing Services or using the Toloka Web Site or otherwise.
5. Confidentiality
5.1. All information, to which YOU obtain access while providing Services and (or) using the Toloka Web Site (in particular, as terms of a certain Task) shall be deemed confidential, including: scientific and technical, technological, industrial, financial and economic or other information, including, but not limited to, information security tools and identification / authentication, authorization (usernames, passwords, etc.), statistical information, personal data, information about Toloka and or Toloka’s clients, products, services, etc., in any possible form (oral, written, electronic, or other), to which there is no free access on a legal basis, as well as information, explicitly designated as confidential In Tasks on the Toloka Web Site.
5.2. YOU undertake not to disclose such information, i.e. not to transmit, report or grant access to at least one person (who does not have legal access to such information) in any possible form (oral, written, including using technical means, for example, publishing it in whole or in part in Internet: posting videos on youtube, posting information on social networks, etc.) throughout the period of time while YOU have an account on the Toloka Web Site and within five years after YOUR account is deleted. YOUR obligation not to publish and (or) disclose to third parties any Personal Data YOU received access to during YOUR performance of the Services shall remain in force indefinitely. This obligation shall be valid with respect to any information obtained by YOU in the course of YOUR provision of the Services (fulfillment of Tasks) via the Toloka Web Site and (or) during use of the Toloka Web Site, except in cases where YOU are required to disclose such information to public agencies upon request thereof in accordance with the requirements of the applicable laws.
5.3. When performing field tasks, YOU undertake not to take photos and/or video recordings of any individuals and/or license plate numbers of any transport vehicles. "Field tasks" means offline tasks posted on the Toloka Web Site, including, but not limited to, collecting data about organizations (working hours or menus), monitoring pedestrian transport, and checking outdoor advertising.
6. Liabilities
6.1. YOU agree that TOLOKA, TOLOKA Group entities and their affiliates, officers, employees and representatives (hereinafter referred to as the "TOLOKA and related parties" or "TOLOKA Group entities") shall not be liable to YOU under these Terms or any other contract, and on any other grounds, with regard to:
- YOUR direct, indirect, incidental or punitive damages, lost profits, expenses related to the purchase of substitute products and services, whether or not TOLOKA and related parties could or should have foreseen such damages; and
- loss or destruction of data and (or) termination of the ability to use it.
6.2. Insofar as allowed by the applicable laws, the total maximum liability of TOLOKA and Related Parties to YOU shall not exceed the sums actually paid to YOU by TOLOKA for the Services in the 12 months preceding the damaging event.
6.3. YOU hereby undertake to reimburse TOLOKA and Related Parties for losses incurred in connection with any demands, applications, claims or lawsuits of third parties, property liability, damage, penalties, fines and (or) costs of any nature (including reasonable expenses on legal consultants and representatives), as well as for losses incurred due to loss of or damage to any property, during the term of the Terms and upon termination hereof, provided that such losses are incurred due to or in connection with:
- breach by YOU of the Terms;
- the Services provided by YOU in pursuance of the Terms, and also YOUR actions or omission in connection with such Services; and
- infringement of rights of any person or third party, including but not limited to intellectual property rights as defined in Clause 4 of the Terms, personal non-property rights, privacy rights, the right to protect dignity, good name and business reputation and or breach of confidentiality.
If any claims (lawsuits) are filed against TOLOKA and Related Parties, any of the aforementioned parties has the right to demand that YOU present, at YOUR expense, objections to such claims (statement of defense), and act as the defendant in the lawsuit or trial. YOU shall in such situation employ a legal consultant (representative) with the prior approval by TOLOKA and Related Parties.
6.4. If YOU disclose any confidential information contained in the Tasks on the Toloka Web Site, YOU may be held liable in accordance with applicable laws.
6.5. YOU unconditionally agree to the following measures that can be applied to YOU by TOLOKA if YOU breach the terms and conditions of these Terms:
6.5.1. In case of violation of the provisions of these Terms, namely:
- if TOLOKA detects that YOU have registered and/or used two or more accounts on the Toloka Web Site, the second and each subsequent identified account is blocked, the funds of these accounts shall become unavailable for withdrawal and are canceled by TOLOKA in full (i.e. the account balance becomes zero); and
- if YOU use automated methods (scripts, robots, etc.), when it is not explicitly stated in the terms of the corresponding Task, TOLOKA will block YOUR account, and the funds in your account shall become unavailable for withdrawal and will be canceled by TOLOKA in full (i.e. the account balance becomes zero).
6.5.3. TOLOKA reserves the right to block YOUR account;
- In case of violation of the provisions of the Confidentiality Clauses, namely: the presence of images of any individuals and/or license plates of any vehicles in the results of performed field tasks, the results of the above stated field tasks may be considered invalid and not subject to payment. In addition, TOLOKA has the right to take measures, at its sole discretion, to terminate such actions on the part of the User, including, but not limited to, blocking the account, restricting the possibility of withdrawing funds from the account, restricting the use of the Toloka Web Site.
- In case YOU have reported inaccurate and (or) misleading data inYOUR account, including the cases where the Toloka Web Site is used by minors and (or) citizens and (or) tax residents of the Swiss Confederation, YOUR account is blocked in accordance with the Terms, and the funds in your account shall become unavailable for withdrawal and will be canceled by TOLOKA in full;
- If YOU fail to provide information and/or documents within 30 (thirty) calendar days as requested by TOLOKA, then TOLOKA shall reserve the right to block YOUR account, funds in your account shall become unavailable for withdrawal and will be canceled by TOLOKA in full.
6.6. If TOLOKA believes or suspects that any actions by a user while using the Toloka website are in breach of the terms and conditions hereof, including actions aimed at receiving payment(s) for Tasks and/or receiving bonus points in an unfair manner, then TOLOKA shall have the right in its sole discretion to take measures to end such actions by the user, including, but not limited to, blocking the account, restricting the ability to withdraw funds from the account, restricting the use of the Toloka website.
7. Duration of the Terms
7.1. TOLOKA reserves the right to, at any time and with no prior notification, amend and supplement the Terms, the Privacy Policy and any other applicable documents. A notice of such amendments shall be sent to YOU in advance to the e-mail specified by YOU during the registration, except in cases where YOU refused to be notified by e-mail, and or via the interface of YOUR account on the Toloka Web Site. Notifications of amendments to the Terms, the Privacy Policy and other applicable documents shall be also published on the Toloka Web Site.
7.2. By continuing to fulfill the Tasks received via the Toloka Web Site or otherwise use the Toloka Web Site, YOU express YOUR full and unconditional agreement to the terms of the corresponding version of the Terms, the Privacy Policy and (or) other applicable documents. If YOU do not agree to the amendments made, YOU shall not continue using the Toloka Web Site.
7.3. The official text of the Terms is only the English version, versions in different languages are provided exclusively for YOUR information.
7.4. The Terms shall be valid until its termination as per Clause 7.5 of the Terms.
7.5. The Terms may be terminated:
- by YOU when YOU delete YOUR account and terminate these Terms: press «Remove Profile» in «My Profile» - «Edit» and agree to the terms of the deletion of the account by ticking the box and pressing «Remove Profile»; or
- by TOLOKA in case YOU breach any Confidentiality Clauses of the Terms;
- by TOLOKA at any moment in case YOU breach any of the provision of the Terms and at any moment for any reason, with a notice to YOU by e-mail and (or) via the interface of YOUR account on the Toloka Web Site.
7.7. IF THE TERMS ARE TERMINATED AS PER CLAUSE 7.5 HEREOF, YOUMAY NOT CONCLUDE AGAIN TO SUCH TERMS WITH TOLOKA AND OR REGISTER A NEW ACCOUNT ON THE TOLOKA WEB SITE AND (OR) RE-ACTIVATE THE PREVIOUSLY CREATED ACCOUNT.
7.8. If TOLOKA or YOU terminate the Terms in accordance with Clause 7.5., TOLOKA will send YOU a notification and give YOU the option to withdraw the funds in YOUR account within days that is described in such notification by TOLOKA. If the Terms are terminated and YOU do not withdraw YOUR funds after receiving such notification from TOLOKA, then YOU waive YOUR right to receive the funds held in YOUR account and TOLOKA is no longer obliged to make the respective payments
7.9. If the Terms is terminated at the initiative of TOLOKA in connection with YOUR breach of the Terms, TOLOKA may cancel and refrain from paying YOU the funds accumulated on YOUR account on the Toloka Web Site or any other sums in YOUR favor.
8. Personal Data
8.1. By using the Toloka Web Site, YOU agree that YOUR personal data will be processed at in accordance with the Privacy Notice.
8.2. YOU represent and warrant that the personal data provided by YOU are true, accurate, complete and up to date at every moment of YOUR use of the Toloka Web Site. In case of changes in personal data YOU shall immediately update YOUR personal data on the Toloka Web Site or ask TOLOKA’s support team to help with YOUR request.
8.3. In case of performing Tasks with data collection, read all instructions carefully, since they may contain important guidelines on data processing. Please be informed that in case of personal data collection the requestors who placed the relevant Task (hereinafter – the "Requestor") shall act as data controllers. And YOU, as a person acting on behalf, will act as a data processor. YOU can contact the Requestor by using its contact details within the relevant Task.
8.4. In case the Task for which YOU provided (personal) data has been rejected by the Requestor, such (personal) data will be deleted immediately and will not be used for any purposes.
8.5. In case of providing personal data of any third party within the Task YOU represent and warrant that YOU have obtained a legal basis for its processing by the Requestor in accordance with the instructions in the Task, and that the processing of personal data by the Requestor as described in the instructions is permissible under applicable data protection law(s) (e.g., the data subjects have been informed about the processing in accordance with applicable data protection laws).
8.6. In case of performing the Requestors' Tasks which contain personal data of third parties YOU shall comply with obligations specified in the Data processing agreement (the "DPA") which is an integral part of the Terms. DPA is stated in the Appendix 1 hereof.
8.7. In case of non-performing Tasks specified in the Clause 8.4. hereof, the DPA is not applicable to YOU.
8.8. TOLOKA may use contact data YOU provided to TOLOKA at registration and YOUR network activity on Toloka Web Site to send YOU our newsletters, messages, and provide and improve the informational support of Toloka resources ("Messages"). TOLOKA uses an internal tool to deliver Messages. Each message contains an opt-out link for YOU to unsubscribe from our messages at any time or YOU can switch the sliders in inactive mode in YOUR profile. For more information, please see our Privacy Notice.
8.9. YOUR (personal) data may be transferred to third countries, please see our Privacy Notice.
8.10. When YOU process personal data as part of Tasks, YOU must follow the instructions specified in the Tasks and the Data Processing Agreement (DPA) presented in Appendix 1. Unless case when YOU located outside the EU/EEA, Switzerland, UK and in a country that does not benefits from the adequacy decision made by the European Commission/UK Government/Swiss government, in this case, the Standard Contractual Clauses presented in Appendix 2 will apply to you instead of the DPA.
9. Warranties
9.1. YOU hereby acknowledge and agree that YOU are fully liable for using the Toloka Web Site and its content and that the Toloka Web Site and the content published on it are provided ”as is“, without any representations and warranties, to the extent possible in accordance with applicable laws.
9.2. When using the Toloka Web Site, YOU understand and accept that YOU may access content intended for adults only, specifically, materials with abusive and (or) pornographic content. If such content is unacceptable to YOU or if YOU are not a person of legal age, YOU should immediately stop using the Toloka Web Site. TOLOKA bears no responsibility for any content on the Toloka Web Site that appears abusive and (or) unacceptable to YOU.
9.3. TOLOKA shall waive all warranties and or representations to the fullest extent permitted by applicable laws regarding:
- the relevance, validity, completeness, reliability, acceptability and availability of the content of the Toloka Web Site and presence of any abusive content on the Toloka Web Site; and
- third-party products, services and content which YOU access via the Toloka website, this also applies in the event YOU yourself go to third-party webistes via URL links on the Toloka website.
9.4 TOLOKA shall waive any explicit or implicit warranties and representations to the fullest extent permitted by applicable laws, based on TOLOKA’s previous oral or written statements, in connection with YOUR use of the Toloka Website and providing Services. TOLOKA therefore waives, including but not limited to any warranties of the quality of the product, the usability of the product for a particular purpose, the warranty of ownership or title, the warranty that of no one’s intellectual property rights will be infringed and other warranties that are generally associated with the business practice.
9.5. TOLOKA shall waive any warranty regarding continuous availability and performance of the Toloka Web Site and related services to the fullest extent permitted by applicable laws. TOLOKA does not warrant that the Toloka Web Site and related services shall function on a continuous, uninterrupted and secure basis, without faults and errors. TOLOKA does not warrant that the Toloka Web Site and related services shall have a certain set of functions and (or) characteristics.
9.6. TOLOKA does not warrant that the Toloka Web Site or the server securing the functioning of the Toloka Web Site, including URL links on the Toloka Web Site, are free of viruses and (or) other malicious components. YOU agree to use the Toloka Web Site at YOUR own risk and discretion and YOU are fully liable for damage that may be caused to YOUR PC, mobile device or other equipment, as well as for loss and (or) destruction of any data as a result of using of the Toloka Web Site.
9.7. TOLOKA bears no responsibility to the fullest extent permitted by the applicable laws for any damage, and or injustice that may be inflicted to YOU as a result of providing Services or using the Toloka Web Site or otherwise.
9.8. Notwithstanding the foregoing provisions, YOU agree to indemnify TOLOKA and to hold it harmless from and against any and all claims, damages, losses, risks, liabilities, and expenses (including attorneys’ fees and costs) incurred by TOLOKA arising from or related to any breach of the conditions above. These indemnity obligations shall survive the expiration or early termination of the Terms.
10. Governing law and Dispute resolution
10.1. The Terms is subject to and construed in accordance with substantive Swiss law, to the exclusion of its conflict of laws rules and to the exclusion of the UN Convention on the International Sale of Goods (CISG). All disputes arising out of or in connection with the Terms shall be subject to the exclusive jurisdiction of courts of the city of Lucerne. The foregoing shall not restrict the right of TOLOKA to seek injunction and (or) any other remedy in any other judicial authorities.
10.2. Should any of the provisions of the Terms be recognized by a competent court as invalid, such provision is deemed as excluded from this Agreement, with all the other provisions hereof remaining valid in such case. Such provision of the User Agreement, recognized as invalid, shall be replaced with a provision best reflecting the intents pursued by the Parties to the Terms at the time of its conclusion and the practice of their economic relationship.
11. Final Provisions
11.1. TOLOKA shall sent notices to YOU in connection with the Terms on the Toloka Web Site, these notices shall be communicated in a message via the interface of YOUR account on the Toloka Web Site and (or) sent to the e-mail specified by YOU during the registration, except in cases where YOU refused to be notified by e-mail. E-mail notice shall be sufficient in all cases and shall be deemed to be received by YOU on the following day after such notice is forwarded to YOU. YOU must send notices to TOLOKA to mailto:legal@toloka.ai.
11.2. If YOU anticipate that YOU will not be able to fulfil your obligations in connection with the Services, in time or properly, YOU are obligated to inform TOLOKA immediately in writing. YOU shall be free to find a replacement to perform the Services and or the Task for TOLOKA (the Substitute). Prior to the replacement, YOU shall inform TOLOKA in writing as to who will perform the Services and or Task on YOUR behalf. TOLOKA will not be entitled to refuse the replacement(s) other than on the basis of objective qualifications. Prior to accepting the Substitute, TOLOKA shall formulate the objective qualifications that any Substitute(s) must meet. The objective qualifications can be measured and or tested by TOLOKA prior to accepting the Substitute. YOU remain responsible for the quality of the work and for the Substitute to be in compliance with the Terms during the replacement. The Terms shall remain in full force and applicable to YOU.
11.3 YOU may not assign, transfer, delegate, sell, or otherwise dispose of the Terms and/or any rights and obligations under or in relation with the Terms, including, without limitation, by operation of law, without the prior written consent of TOLOKA as described in 11.2 of the Terms. Any purported assignment, transfer, delegation, sale or other disposition in contravention of this Clause including, without limitation, by operation of law, is void. Subject to the foregoing, the Terms will be binding upon and will inure to the benefit of the parties’ permitted successors and assigns. The TOLOKA may freely and at its own discretion assign, transfer, delegate, sell, or otherwise dispose of the Terms and/or of any of its rights and obligations under and in relation with the Terms, including, without limitation, by operation of law, without YOUR prior consent.
11.4 In the event that any provision of the Terms are declared by a court of competent jurisdiction to be illegal, unenforceable or void, the Services and the Terms shall continue in full force and effect to the fullest extent permitted by law without said provision, and the parties shall amend the Services or the Terms as far as legally possible to include the substance of the excluded provision so that the original intent of the Parties are realized.
If YOU have questions with respect to the Terms, please send YOUR questions to tolokercare@toloka.ai.
APPENDIX 1 TO THE USER AGREEMENT ("AGREEMENT")
DATA PROCESSING AGREEMENT
TERMS AND DEFINITIONS
Availability –
Ensuring timely and reliable access to and use of information
Controller –
Person, company, or other body that determines the purpose and means of Personal Data processing (this can be determined alone, or jointly with another person/company/body)
Processor –
Person, company, or other body which processes Personal Data on the Controller's behalf
Data subjects –
Individual persons whose Personal Data is collected, held or processed by an organisation
Customers –
Person or entity that post tasks on the Service
Toloka –
Toloka AI AG (CHE- CHE-132.532.069, Werftestrasse 4, 6005 Luzern, Switzerland)
Tolokers –
Individuals that perform tasks posted by Customers
Personal data –
Any information relating to an identified or identifiable Data subjects
Personal data breach –
Incident wherein information is stolen or taken from a system without the knowledge or authorization of the system's owner
Sub-processors –
Third party processor engaged by a Processor who has or will have access to or process Personal Data from a Controller
This Data Processing Agreement (DPA) is incorporated into the User Agreement between Toloka and Tolokers.
The Parties hereby conclude the EU Standard Contractual Clauses (issued by the EU Commission by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021) between Toloka (Processor) and Toloker (Sub-Processor) (hereinafter – "Clauses").
(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by adding itself to the Annex I and signing this Data Processing Agreement.
(b) Once it has been added to the Annex I and has signed this Data Processing Agreement, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.
(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
The details of the processing operations, in particular the categories of Personal Data, the purposes for which the Personal Data is processed on behalf of the Controller and duration of the processing, are specified in APPENDIX 3.
In accordance with [For EU customers: article 28(4) of the Regulation (EU) 2016/679 / For UK customers: article 28(4) of the UK GDPR / For Swiss customers: article 9 of the FADP], a sub-processor shall be subject to the same data protection obligations as set out in the contract or other legal act between the controller and the processor, in particular providing sufficient guarantees to implement appropriate technical and organisational data protection measures in such a manner that the processing will meet the requirements of [ For EU customers: the Regulation (EU) 2016/679 / For UK customers: the UK GDPR / For Swiss customers: the FADP].
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor (as the owner of the informational system used by Toloker) shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. List of measures used by the Sub-Processor are included in the APPENDIX 3.
Toloker guarantees that they won't process, copy, share or do any other activity with Personal Data to which they have access that was given by the Controller as a part of provision of Services to Toloka within informational systems provided by Processor or Controller except on instructions from the Controller, unless they are required to do so by the competent supervisory authorities. Thus, Sub- Processor must refrain from (including, but not limited to):
- Making photos of the screen with Personal Data provided by the Controller, making screenshots or screen recordings of such data;
- Selling Personal Data provided by the Controller;
- Let third parties complete Tasks that are assigned to Toloker.
Each Party's liability for any breach of this Data Processing Agreement shall be subject to the limitations and exclusions of liability set out in the Agreement, provided that neither Party limits or excludes any liability that cannot be limited or excluded under applicable law. Indemnities in case of Personal Data Breach are regulated in accordance with local legislation and judicial practice (if applicable in accordance with legal requirements). All references of this Data Processing Agreement to requirements of data protection laws shall be read as references to relevant requirements of applicable data protection laws, including, without limitation, data protection law of Switzerland.
APPENDIX 3 is attached to this Data Processing Agreement.
Clause 1
Sub-processor’s rights and obligations
- Sub-processor shall take appropriate personal data measures, including at minimum the following:
- inform the Processor of any anticipated changes in the processing of personal data;
- inform the Processor of the intentions and reasons for the transfer of personal data to third parties and / or international organizations strictly before the transfer of personal data;
- refrain from making screenshots, screen recordings and / or photos or videos of Personal Data provided by the Controller;
- comply with any other rules set out in the preamble of this Data Processing Agreement (DPA).
- The Sub-Processor is prohibited to involve other sub-processors in the personal data processing under this DPA without prior written authorisation of the Processor. The request for permission for the personal data transfer shall be sent to the Processor no later than 72 hours before the start of transfer. The Sub-Processor shall execute written agreements with the sub-processors involved, ensuring that the level of protection of personal data is not lower than that provided for in this DPA. At the same time, the Sub-Processor undertakes to bear responsibility for the observance of the present provisions by the sub-processor as if the corresponding processing was carried out by the Sub-Processor.
- If Sub-Processor plans to transfer personal data received under this DPA to any third party located in a third jurisdiction that does not provide adequate level of personal data protection, the Sub-Processor shall enter into the EU Standard Contractual Clauses (“SCC”) (processor to processor) approved by the European Commission to fulfil the requirements of the [For EU customers: articles 44-50 of GDPR / For UK customers: articles 44-50 of UK GDPR / For Swiss customers: articles 16-17 of FADP]. The provisions of the SCC shall not be modified. In case of a conflict between the SCC and any other provision of this DPA, the provisions of the SCC shall prevail.
Clause 2
Processor’s rights and obligations
- Processor shall ensure that there is an appropriate legal basis for personal data transfer to the Sub-Processor.
- Processor shall instruct Sub-Processor on the conditions of personal data processing in accordance with the controller’s instructions given to the Processor and the requirements of the applicable data processing and protection legislation.
- Processor shall inform the Sub-Processor of any changes made to the controller’s instructions given to the Processor where such changes may affect the processing of personal data performed by the Sub-Processor.
Clause 3
Notification about personal data breach
- The Sub-Processor shall notify the Processor if the Sub-Processor detects a personal data breach or if the Sub-Processor reasonably believes that there has been a personal data breach. The notification should include the following information: (i) the date and time of the personal data breach was detected;
- the date and time of the personal data breach was detected;
- the actual circumstances of the breach;
- the categories and approximate number of the data subjects concerned;
- the categories of personal data and approximate number of personal data records concerned;
- the Sub-Processor’s information systems and personal data processing within the DPA affected by the personal data breach;
- the possible consequences of the personal data breach;
- the measures taken or proposed to be taken by the Sub-Processor to address personal data breach;
- any reports regarding the breach which was provided by the Sub-Processor to law enforcement and other authorized bodies;
- the contact details of a person who can provide detailed information on the personal data breach.
- The initial notification of personal data breach shall be sent to the Processor no later than 24 hours from the time of detection of a personal data breach. Additional notifications containing new and (or) additional information about a personal data breach shall be provided to the Processor as soon as possible as such information becomes available.
- The Sub-Processor shall not notify any individual or any third party of any personal data breach without the Processor’s prior permission except to the extent required by the applicable legislation.
- The Sub-Processor shall immediately take all necessary measures to eliminate the threat to the security of personal data, to prevent any possible negative consequences for the data subjects, the Processor or to minimize the possible negative effects. The Sub-Processor carries out and documents the analysis of the reasons of a personal data breach and provides the Processor with the results of the analysis by request.
Clause 4
Liability
- Responsibility to the data subject for the actions of the Sub-Processor is borne by the Processor.
- Sub-Processor shall be liable to the Processor of personal data.
- The Party that has not fulfilled or improperly fulfilled any of the obligations under the DPA shall be liable in the amount of documented direct damage caused to the other Party in connection with and in the amount of the demands satisfied in accordance with judicial acts and (or) in the amount of the collected administrative and other fines.
Clause 5
Audits
- Based on the Processor prior written notice, the Sub-Processor is obliged to provide all the information necessary to confirm compliance with the conditions set forth in this DPA, as well as to allow the Processor and participate in audits, including inspections conducted by the Processor or other auditor, on behalf of the Processor.
- At the Processor’s choice, the audit can be conducted by means of a questionnaire. If it is the case, the Sub-Processor must provide the Processor with a completed questionnaire no later than 10 business days from the date of receipt of the questionnaire from the Processor.
- If the Sub-Processor involves other sub-processors for processing of personal data, the Processor shall be entitled with the right to audit the sub-processors. The Sub-Processor shall carry out its own audit of the sub-processors specified by the Processor. The results of such audit shall be documented by the Sub-Processor and provided to the Processor not later than 10 business days from the date of completion of the audit.
Clause 6
Final provisions
- After the completion of the provision of the services, the Sub-Processor by Processor’s choice:
- return a full copy of all personal data to the Processor in the format specified by the Processor, using secure channels of information transfer, and destruction all other copies of personal data using means of guaranteed information destruction;
- destroy all copies of personal data using the means of guaranteed destruction of information.
- This DPA is valid until the achievement of the purposes of personal data processing or may be terminated by the Parties on the terms set out in the User Agreement.
Standard Contractual Clauses
These Standard Contractual Clauses (“SCC”) are incorporated into the User Agreement between Toloka and Tolokers.
These SCC apply only to the processing of personal data within the framework of Tasks when the Customer are located in the EU/EEA/Swiss/UK, and only if YOU are located outside the EU/EEA, Switzerland, UK and in a country that does not benefits from the adequacy decision made by the European Commission/UK Government/Swiss government. APPLICABLE LEGISLATION:
- [For EU customers: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)].
- [For Swiss customers: Federal Act on Data Protection (FADP); Ordinance to the Federal Act on Data Protection (DPO); Ordinance on Data Protection Certification (DPCO)].
- [For UK customers: The UK General Data Protection Regulation (UK GDPR); Data Protection Act 2018 (DPA 2018); United Kingdom and laws of England and Wales].
These SCC include provisions that differ based on the jurisdiction of the Customer, such provisions are enclosed in square brackets []. Only the provisions that relate to the jurisdiction of the Customer shall apply to the Personal data transfer.
The Parties hereby conclude the SCC for the transfer of personal data to third countries pursuant to [For EU customers: Regulation (EU) 2016/679 of the European Parliament and of the Council (decision (EU) 2021/914 of 4 June 2021) / For Swiss customers: Federal Act on Data Protection (FADP) / For UK customers: United Kingdom General Data Protection Regulation (UK GDPR)]. These SCC are prepared for the data transfers between processor and sub-processor.
In accordance with [For EU customers: article 28(4) of the Regulation (EU) 2016/679 / For Swiss customers: article 9 of the FADP / For UK customers: article 28 of the UK GDPR], a sub-processor shall be subject to the same data protection obligations as set out in the contract or other legal act between the controller and the processor, in particular providing sufficient guarantees to implement appropriate technical and organisational data protection measures in such a manner that the processing will meet the requirements of the [For EU customers: Regulation (EU) 2016/679 / For Swiss customers: Federal Act on Data Protection (FADP) / For UK customers: UK GDPR].
Each Party’s liability for any breach of these SCC shall be subject to the limitations and exclusions of liability set out in the Agreement, provided that neither Party limits or excludes any liability that cannot be limited or excluded under applicable law.
The Parties agree that other clauses and additional safeguards added to these SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects. APPENDIX 3 is attached to these SCC.
SECTION I
Clause 1
Purpose and scope
- The purpose of these standard contractual clauses is to ensure compliance with the requirements of , [For EU customers: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation (EU) 2016/679)] / [For Swiss customers: the FDPIC’s instructions for the EU SCCs to comply with Swiss legislation (Federal Act Data Protection 2023 (FADP)] / [For UK customers: UK Data Protection Laws (The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018)] for the transfer of personal data to a third country.
- The Parties:
- the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in APPENDIX 3.A (hereinafter each “data exporter”), and
- the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in APPENDIX 3.A (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”). - These Clauses apply with respect to the transfer of personal data as specified in APPENDIX 3.B.
- The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2
Effect and invariability of the Clauses
- These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to [For EU customers: Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679] / [For Swiss customers: to Article 16(1) and Article 16(2)(d) of FADP] / [For UK customers: Article 46(1) and Article 46(2)(d) of UK GDPR and Article 17C of DPA 2018] [For EU, Swiss customers: and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant [For EU customers: to Article 28(7) of Regulation (EU) 2016/679] / [For Swiss customers: to Article 9(1) of FADP] ], provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
- These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of [For EU customers: Regulation (EU) 2016/679] / [For Swiss customers: FADP] / [For UK customers: UK Data Protection Laws].
Clause 3
Third-party beneficiaries
- Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
- Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
- Clause 8 - Clause 8.1(b), 8.9(a), (c), (d) and (e);
- Clause 9 - Clause 9(a), (c), (d) and (e);
- Clause 12 - Clause 12(a), (d) and (f);
- Clause 13;
- Clause 15.1(c), (d) and (e);
- Clause 16(e);
- Clause 18 - Clause 18(a) and (b).
- Paragraph (a) is without prejudice to rights of data subjects under [For EU customers: Regulation (EU) 2016/679] / [For Swiss customers: FADP] / [For UK customers: UK Data Protection Laws].
Clause 4
Interpretation
- Where these Clauses use terms that are defined in [For EU customers: Regulation (EU) 2016/679] / [For Swiss customers: FADP] / [For UK customers: UK Data Protection Laws], those terms shall have the same meaning as in that Regulation.
- These Clauses shall be read and interpreted in the light of the provisions of [For EU customers: Regulation (EU) 2016/679] / [For Swiss customers: FADP] / [For UK customers: UK Data Protection Laws].
- These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in [For EU customers: Regulation (EU) 2016/679] / [For Swiss customers: FADP] / [For UK customers: UK Data Protection Laws].
- [For Swiss customers: Term “Member State” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence, meaning Switzerland, in accordance with Clause 18 c.].
- [For Swiss customers: The references to the Regulation (EU) 2016/679 should be understood as references to the FADP insofar as the data transfers are subject to the FADP].
- [For Swiss customers: These Clauses also protect the data of legal entities until the entry into force of the revised FADP].
Clause 5
Hierarchy
[
For EU, Swiss customers: In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail].
Clause 6
Description of the transfer(s)
[
For EU, Swiss customers: The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in APPENDIX 3.B]. / [
For UK customers: The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in APPENDIX 3.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer].
Clause 7 - Excluded
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8
Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.
8.1 Instructions- The data exporter has informed the data importer that it acts as processor under the instructions of its controller(s), which the data exporter shall make available to the data importer prior to processing.
- The data importer shall process the personal data only on documented instructions from the controller, as communicated to the data importer by the data exporter, and any additional documented instructions from the data exporter. Such additional instructions shall not conflict with the instructions from the controller. The controller or data exporter may give further documented instructions regarding the data processing throughout the duration of the contract.
- The data importer shall immediately inform the data exporter if it is unable to follow those instructions. Where the data importer is unable to follow the instructions from the controller, the data exporter shall immediately notify the controller.
- The data exporter warrants that it has imposed the same data protection obligations on the data importer as set out in the contract or other legal act under [For EU customers: Union or Member State law] / [For Swiss customers: Swiss Laws] / [For UK customers: UK Laws] between the controller and the data exporter [For EU, Swiss customers: See Article 28(4) of Regulation (EU) 2016/679 and, where the controller is an EU institution or body, Article 29(4) of Regulation (EU) 2018/1725].
8.2 Purpose limitation The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in APPENDIX 3.B., unless on further instructions from the controller, as communicated to the data importer by the data exporter, or from the data exporter.
8.3 Transparency On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the data exporter may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.
8.4 Accuracy If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to rectify or erase the data.
8.5 Duration of processing and erasure or return of dataProcessing by the data importer shall only take place for the duration specified in APPENDIX 3.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the controller and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing- The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter or the controller. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in APPENDIX 3.D. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
- The data importer shall grant access to the data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify, without undue delay, the data exporter and, where appropriate and feasible, the controller after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the data breach, including measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
- The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under [For EU customers: Regulation (EU) 2016/679] / [For Swiss customers: FADP] / [For UK customers: UK Data Protection Laws], in particular to notify its controller so that the latter may in turn notify the competent [For EU customers: supervisory authority] / [For Swiss customers: Federal Data Protection and Information Commissioner (FDPIC)] / [For UK customers: Information Commissioner] and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
- The data exporter may conduct an inspection at the premises or physical facilities of the data importer only subject to a separate agreement with the data importer specifying conditions of the relevant inspection.
8.7 Sensitive data Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards set out in APPENDIX 3.B.
8.8 Onward transfers The data importer shall only disclose the personal data to a third party on documented instructions from the controller, as communicated to the data importer by the data exporter. In addition, the data may only be disclosed to a third party located outside [For EU customers: the European Union (The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purposes of these Clauses)] / [
For UK customers: UK] / [
For Swiss customers: Switzerland] (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
- [For EU customers: the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer] / [For Swiss customers: the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 16(1) of FADP that covers the onward transfer] / [For UK customers: the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer];
- the third party otherwise ensures appropriate safeguards pursuant [For EU customers: to Articles 46 or 47 of Regulation (EU) 2016/679] / [For Swiss customers: to Articles 16(2) or 16(3) of FADP] / [For UK customers: Articles 46 or 47 of UK GDPR and Article 75 DPA 2018];
- the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
- the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance - The data importer shall promptly and adequately deal with enquiries from the data exporter or the controller that relate to the processing under these Clauses.
- The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the controller.
- The data importer shall make all information necessary to demonstrate compliance with the obligations set out in these Clauses available to the data exporter, which shall provide it to the controller.
- The data importer shall allow for and contribute to audits by the data exporter of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. The same shall apply where the data exporter requests an audit on instructions of the controller. In deciding on an audit, the data exporter may take into account relevant certifications held by the data importer.
- Where the audit is carried out on the instructions of the controller, the data exporter shall make the results available to the controller.
- The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
- The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent [For EU customers: supervisory authority] / [For Swiss customers: FDPIC] / [For UK customers: Information Commissioner] on request.
Clause 9
Use of sub-processors
- The data importer shall not sub-contract any of its processing activities performed on behalf of the data exporter under these Clauses to a sub-processor without the prior specific written authorisation of the controller. The data importer shall submit the request for specific authorisation at least 30 calendar days prior to the engagement of the sub-processor, together with the information necessary to enable the controller to decide on the authorisation. It shall inform the data exporter of such engagement.
- Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the controller), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects (This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7). The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses
- The data importer shall provide, at the data exporter’s or controller’s request, a copy of such a sub-processor agreement and any subsequent amendments. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
- The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.
- The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
- The data exporter may object to intended changes of the relevant agreed list of sub- processors provided that such objection is based on reasonable grounds relating to data protection by terminating the Agreement immediately upon written notice received by the data importer within 20 days as of the controller is informed of the intended changes.
Clause 10
Use of sub-processors
- The data importer shall promptly notify the data exporter and, where appropriate, the controller of any request it has received from a data subject, without responding to that request unless it has been authorised to do so by the controller.
- The data importer shall assist, where appropriate in cooperation with the data exporter, the controller in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under [For EU customers: Regulation (EU) 2016/679 or Regulation (EU) 2018/1725] / [For Swiss customers: FADP] / [For UK customers: UK Data Protection Laws], as applicable. In this regard, the Parties shall set out in APPENDIX 3.D the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.
- In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the controller, as communicated by the data exporter.
Clause 11
Redress
- The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject. The data importer agrees that data subjects may also lodge a complaint with an independent dispute resolution body (The data importer may offer independent dispute resolution through an arbitration body only if it is established in a country that has ratified the New York Convention on Enforcement of Arbitration Awards) at no cost to the data subject. It shall inform the data subjects, in the manner set out in paragraph (a), of such redress mechanism and that they are not required to use it, or follow a particular sequence in seeking redress.[ML3]
- In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
- Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:
- lodge a complaint with the [For EU, Swiss customers: supervisory authority] / [For UK customers: Information Commissioner] in the [For EU customers: Member State] / [For Swiss customers: Switzerland] / [For UK customers: in UK] of his/her habitual residence or place of work, or the competent [For EU customers: supervisory authority] / [For Swiss customers: FDPIC] / [For UK customers: Information Commissioner] pursuant to Clause 13;
- refer the dispute to the competent courts within the meaning of Clause 18.
- [For EU, UK customers: The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out [For EU customers: in Article 80(1) of Regulation (EU) 2016/679] / [For UK customers: Article 80(1) of UK GDPR and Article 187 of DPA 2018].][ML4]
- The data importer shall abide by a decision that is binding under the applicable [For EU customers: EU or Member State] / [For Swiss customers: Switzerland] / [For UK customers: UK] law.
- The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.
Clause 12
Liability
- Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.
- The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub- processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.
- Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under [For EU customers: Regulation (EU) 2016/679 or Regulation (EU) 2018/1725] / [For Swiss customers: FADP] / [For UK customers: UK Data Protection Laws] as applicable.
- The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.
- Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.
- The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.
- The data importer may not invoke the conduct of a sub-processor to avoid its own liability.
Clause 12
Liability
- For EU customers: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in APPENDIX 3.C, shall act as competent supervisory authority]. /For Swiss customers: FDPIC with responsibility for ensuring compliance by the data exporter with FADP as regards the data transfer, as indicated in APPENDIX 3.C, shall act as competent supervisory authority.
- The data importer agrees to submit itself to the jurisdiction of and cooperate with [For EU customers: the competent supervisory authority] / For Swiss customers: FDPIC] / [For UK customers: Information Commissioner] in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by [For EU customers: the supervisory authority / For Swiss customers: FDPIC] / [For UK customers: Information Commissioner], including remedial and compensatory measures. It shall provide [For EU customers: the supervisory authority] / [For Swiss customers: FDPIC] / [For UK customers: Information Commissioner] with written confirmation that the necessary actions have been taken.
SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES
Clause 14
Local laws and practices affecting compliance with the Clauses
- For EU, UK customers: The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed [For EU customers: in article 23(1) of Regulation (EU) 2016/679] / [For UK customers: in article 23(1) of UK GDPR or article 110(1) of DPA 2018], are not in contradiction with these Clauses].
- The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:
- the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;
- the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards
- any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.
- The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.
- The Parties agree to document the assessment under paragraph (b) and make it available to the competent [For EU customers: supervisory authority] / [For Swiss customers: FADP] / [For UK customers: Information Commissioner] on request.
- The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). The data exporter shall forward the notification to the controller.
- Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfill its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation, if appropriate in consultation with the controller. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the controller or the competent [For EU customers: supervisory authority] / [For Swiss customers: FDPIC] / [For UK customers: Information Commissioner] to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.
Clause 15
Obligations of the data importer in case of access by public authorities
15.1 Notification- The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:
- receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
- becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.
- If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.
- Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). The data exporter shall forward the information to the controller.
- The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent [For EU customers: supervisory authority] / [For Swiss customers: FDPIC] / [For UK customers: Information Commissioner] on request.
- Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.
15.2 Review of legality and data minimisation- The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).
- The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent [For EU customers: supervisory authority] / [For Swiss customers: FDPIC] / [For UK customers: Information Commissioner] on request. The data exporter shall make the assessment available to the controller.
- The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.
SECTION IV – FINAL PROVISIONS
Clause 16
Non-compliance with the Clauses and termination
- The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.
- In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).
- The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:
- the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;
- the data importer is in substantial or persistent breach of these Clauses; or
- the data importer fails to comply with a binding decision of a competent court or [For EU customers: supervisory authority] / [For Swiss customers: FDPIC] / [For UK customers: Information Commissioner] regarding its obligations under these Clauses.
In these cases, it shall inform the competent [For EU customers: supervisory authority] / [For Swiss customers: FDPIC] / [For UK customers: Information Commissioner] of such non- compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. - Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.
- Either Party may revoke its agreement to be bound by these Clauses where (i) [For EU customers: the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply] / [For Swiss customers: the Federal Council adopts a decision pursuant to Article 16(1) of FADP that covers the transfer of personal data to which these Clauses apply] / [For UK customers: the Secretary of State makes regulations pursuant to Section 17A of DPA 2018 that cover the transfer of personal data to which these clauses apply] ; or (ii) [For EU customers: Regulation (EU) 2016/679] / [For Swiss customers: FADP] / [For UK customers: UK Data Protection Laws] becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under [For EU customers: Regulation (EU) 2016/679] / [For Swiss customers: FADP] / [For UK customers: UK Data Protection Laws].
Clause 17
Governing law
[
For EU customers: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Netherlands.
[
For Swiss customers: These Clauses should be governed by the legislation of Switzerland in cases where the transfer is regulated by the FADP].
[
For UK customers: These Clauses are governed by the laws of England and Wales].
Clause 18
Choice of forum and jurisdiction
- [For EU, Swiss customers: Any dispute arising from these Clauses shall be resolved by the courts [For EU customers: an EU Member State] / [For Swiss customers: of Switzerland].] [For UK customers: Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts]
- [For EU customers: The Parties agree that those shall be the courts of the Netherlands].
- A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the state in which he/she has his/her habitual residence.
- The Parties agree to submit themselves to the jurisdiction of such courts.
APPENDIX 3 TO THE USER AGREEMENT ("AGREEMENT")
ANNEX describing data processingA. LIST OF PARTIES
Data exporter(s):
Name: Toloka AI AG
Address: Werftestrasse 4, 6005 Lucerne Switzerland
Contact person’s name, position and contact details: tolokercare@toloka.ai
Activities relevant to the data transferred under these Clauses: operations on personal data required to provide Toloka Services: Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure, and destruction.
Signature and date: specified in the Task(s)
Role (controller/processor): processor
Data importer(s):
Name: Retained Tolokers who will be engaged to perform Controller's tasks via Toloka Web Sites
Address: address is indicated in Toloker’s personal account
Contact person’s name, position and contact details: contact details are indicated in Toloker’s personal account
Activities relevant to the data transferred under these Clauses:
transfer, storage, destruction, deletion, access Signature and date: specified on the logs’ timestamps
Role (controller/processor):
processorB. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred– Natural persons whose personal data are contained in Customer’s dataset and/or are required to perform Tasks.
Categories of personal data transferredAny personal data contained in Customer’s dataset and/or required to perform Tasks, for example:
- e-mail addresses, phone numbers, names
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.Sensitive Personal Data contained in Customer's dataset and/or required to perform tasks. Strict purpose limitation and access restrictions are employed. Transferred personal data may include special categories of personal data. This may include, for example: images of the face of a person with skin diseases
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).The data are transferred continuously / or one-offNature of the processing The Sub-Processor provides the Controller with Services specified in the task provided by Controller. The Sub-Processor performs on behalf of the Controller operations on Personal Data required to provide the service: Collection, organisation, structuring, adaptation or alteration, use, alignment or combination
Purpose(s) of the data transfer and further processing- Execution of tasks by Tolokers;
- Execution of tasks by Tolokers, which, at the request of the Customer, may contain Personal Data;
- Communication between the Customer and the Toloker, when the Toloker performs tasks for this Customer
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that periodDuration of the processing is limited by the period of completion of a specific task.
C. COMPETENT SUPERVISORY AUTHORITY
The Parties agree that competent supervisory authority shall be [For EU customers: public authority of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens)] / [For Swiss customers: FDPIC, insofar as the data transfer is governed by the FADP, and insofar as the data transfer is governed by the Regulation (EU) 2016/679] / [For UK customers: Information Commissioner's Office (ICO)].