GDPR Data Policy for Momentum Factor
RIGHTS OF THE DATA SUBJECT:
- Data Subject Access Requests (DSAR/SAR)
-
-
-
- Subject to the exceptions noted below in this policy, SBDP LLC dba Momentum Factor will comply with any SAR concerning the following rights of the data subject:
- Access (a copy of the personal data undergoing processing)
- Rectification of personal data (correction of data stored or processed)
- Erasure (“right to be forgotten’)
- Restriction of processing
- Notification regarding rectification or erasure
- Data portability (In the event of a Data Portability Request, SBDP LLC dba Momentum Factor will export the customers data in an industry standard format and make it internet accessible for download only by the data subject)
- Objection to processing (withdrawal of consent to processing)
- Automated individual decision-making, including profiling
- Do Not Sell requests under the CCPA
-
-
- SAR when SBDP LLC dba Momentum Factor is the data controller:
-
-
-
- A SAR must be made using the link on SBDP LLC dba Momentum Factor’s privacy page SBDP LLC dba Momentum Factor.com/privacy. SBDP LLC dba Momentum Factor may provide an “interface” or self-service mechanism that the data subject is instructed to use to initiate the SAR process.
- A SAR can also be made using the email address privacy@momofactor.com.
- Where required, the data subject must provide reasonable evidence of their identity in the form of valid identification of identity, for example, email verification.
- When submitting the SAR via the interface, the data subject must identify the SAR type that is being requested, e.g., erasure. If a SAR is submitted by an agent, the submission must include the identification of the data subject.
-
-
- SAR when SBDP LLC dba Momentum Factor is the data processor:
-
-
-
- The SAR must be submitted by the Data Controller in writing to the to the SBDP LLC dba Momentum Factor Data Protection Officer. The controller must identify the SAR that is being requested.
-
-
- SAR requirements:
-
-
-
- The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; SBDP LLC dba Momentum Factor will acknowledge any manual requests within 3 business days.
- SBDP LLC dba Momentum Factor has one month from the initial request date to complete the request. There are very limited
- circumstances in which an extension to that one month will be provided.
- The SAR application will be documented and can be audited using SBDP LLC dba Momentum Factor’s internal processes.
-
-
- SBDP LLC dba Momentum Factor as the data processor
-
-
-
- Customers will be provided instructions on how to access the data through the user interface or APIs.
- To the extent the customer is unable to access the data or has issues with accessing the data, SBDP LLC dba Momentum Factor will assist the customer in accessing their data.
- SBDP LLC dba Momentum Factor will collect the data specified by the data subject and process according to the instructions provided by the data controller.
- SBDP LLC dba Momentum Factor will maintain a record of requests for data and of its receipt, including dates.
-
-
- SBDP LLC dba Momentum Factor as the data controller
-
-
-
- Collect the data specified by the data subject
- Search all databases and all relevant filing systems (manual files) in SBDP LLC dba Momentum Factor, including all back up and archived files, whether computerized or manual, and including all email folders and archives. SBDP LLC dba Momentum Factor maintains a record that identifies where personal data in SBDP LLC dba Momentum Factor is stored.
- SBDP LLC dba Momentum Factor will maintain a record of requests for data and of its receipt accessible by SBDP LLC dba Momentum Factor’s Data Protection Officer, Controller, and/or any other designated SBDP LLC dba Momentum Factor representatives. SBDP LLC dba Momentum Factor will also keep a record of processing to include dates.
- Provide data subjects an online mechanism to making request and all such requests will be logged.
- SBDP LLC dba Momentum Factor will acknowledge the SAR within three (3) days of the initial request and respond to any SAR within 25 days of the initial request.
- SARs from employees or previous employees will be coordinated with HR and the employees’ current or previous departmental leadership.
-
-
- SAR Exemptions
-
-
-
- SBDP LLC dba Momentum Factor may withhold information requested under SAR in accordance with Article 23 of the GDPR or any similar exemption under applicable law. Any such exemption must be reviewed and approved by the Data Protection Officer or Chief Operating Officer.
-
-
- SAR Limits
- Where permitted by law, such as Article 15 of the GDPR, for any further copies of personal data collected by SBDP LLC dba Momentum Factor that are requested by the data subject, SBDP LLC dba Momentum Factor may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format.
- Compelled Disclosure
-
-
-
- SBDP LLC dba Momentum Factor governs the compelled disclosure of customer Personally Identifiable Information pursuant to valid thirdparty legal demands for such information, such as court orders, search warrants, subpoenas, government investigations, and similar demands, and is incorporated by reference into SBDP LLC dba Momentum Factor’s Privacy Policy.
- Upon receipt of legal demands for information, SBDP LLC dba Momentum Factor will immediately notify the Chief Executive Officer, Controller, and Data Protection Officer. SBDP LLC dba Momentum Factor will investigate the demands, and if it is determined at SBDP LLC dba Momentum Factor’s sole discretion that they are valid, we will search for and disclose the information that is specified and that we are reasonably able to locate and provide. We are unable to process overly broad or vague demands, and we will not disclose information that is not specifically demanded, except in response to follow-up demands.
- SBDP LLC dba Momentum Factor may contact customers if we are compelled to disclose their information pursuant to valid legal demands for such information, but we are not required to do so, and in some instances, we may be legally prohibited from doing so.
- All external communications with customers, regulators and law enforcement shall be approved by SBDP LLC dba Momentum Factor
-
-
- Enforcement
-
-
-
- The Director of Operations is responsible for the enforcement of this policy. Employees who may have questions should contact the Chief Operating Officer or Controller as appropriate.
-
-
- Disciplinary Action Reporting
-
-
-
- Failure to comply with any provision of this policy may result in disciplinary action, including, but not limited to, termination.
- All suspected violations or potential violations of this policy, no matter how seemingly insignificant, must promptly be reported either to <recipient(s) or policy violation reports, e.g., Legal Counsel, or SBDP LLC dba Momentum Factor’s Data Privacy Officer immediately, or via the incident reporting process at incidents@momofactor.com.
- As long as a report is made honestly and in good faith, SBDP LLC dba Momentum Factor will take no adverse action against any person based on the making of such a report. Failure to report known or suspected wrongdoing of which you have knowledge may subject you to disciplinary action up to and including termination of employment.
-
-
HOW WE STORE & PROCESS DATA:
-
- IV. Details of Processing
-
- Exhibit A (Details of Processing) to this DPA is incorporated herein.
-
- Obligation of Momentum Factor
-
- Momentum Factor agrees and warrants to:
-
-
-
-
- (A) Process Personal Data disclosed to it by Customer only on behalf of and in accordance with the Applicable Law, Instructions of the Data Controller and to the extent strictly necessary to provide the Services (as defined in the Agreement), unless Momentum Factor is otherwise permitted by the terms of the Agreement or required by Applicable Law, in which case Momentum Factor shall inform Customer of that legal requirement before Processing the Personal Data, unless informing the Customer is prohibited by law on important grounds of public interest. Momentum Factor shall immediately inform Customer if, in Momentum Factor’s opinion, an Instruction provided infringes Applicable Law. Momentum Factor shall not process Personal Data for its own purposes or those of any third party.
- (B) Ensure that any person authorized by Momentum Factor to Process Personal Data in the context of the Services is only granted access to Personal Data on a need-to-know basis, is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in accordance with the Applicable Law, Instructions of the Data Controller and Momentum Factor’s rights and obligations pursuant to the Agreement and this DPA.
- (C) Momentum Factor stores and Processes all data, including Personal Data, in the US and/or Canada. Momentum Factor has and shall continue to enter into any written agreements with any of its subcontractors as are necessary (in its reasonable determination) to comply with Applicable Law concerning any cross-border transfer of Personal Data, whether to or from Momentum Factor.
- (D) Inform Customer promptly and without undue delay of any formal requests from Data Subjects afforded to them under Applicable Law related to the exercising their rights including without limitation those for access, correction or erasure of their Personal Data, their right to restrict or to object to the Processing as well as their right to data portability, and not respond to such requests, unless instructed by the Customer in writing to do so. Taking into account the nature of the Processing of Personal Data, Momentum Factor shall provide all information and perform all acts to assist Customer, by reasonable and appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligations to respond to a Data Subject’s request to exercise their rights with respect to their Personal Data and for Customer to comply with applicable legal requirements pursuant to any other Applicable Law. Momentum Factor shall provide the foregoing information, assistance and cooperation within ten (10) calendar days of receiving such request from Customer, at Momentum Factor’s sole cost and expense. Momentum Factor is solely responsible for getting any such information, assistance and cooperation from its Sub-Processors. Momentum Factor will provide Customer written notice, without undue delay, of any request or compliant received by Momentum Factor or its Sub-Processors from a Data Subject relating to their Personal Data and allow Customer to control the response to the same, unless otherwise specifically agreed to in this DPA. Customer will determine whether or not the Data Subject has the right to exercise the specific demand requested.
- (E) Notify Customer promptly in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Customer shall have the right to defend such action in lieu of and on behalf of Momentum Factor. Customer may, if it so chooses, seek a protective order. Momentum Factor shall reasonably cooperate with Customer in such defense.
- (F) Provide reasonable assistance to Customer, in complying with Customer’s obligations under Applicable Law available. Customer and Momentum Factor are each responsible for their own costs associated with fulfilling their obligations to respond to or action any formal request under the Applicable Law.
- (G) Maintain internal record(s) of every Processing activity and Personal Data Breach, copies of which shall be provided to Customer by Momentum Factor or to supervisory authorities upon request. (H) Provide such information as Customer may reasonably request regarding the Processing of Personal Data it performs under the Agreement and this DPA, including as necessary to demonstrate its compliance with this DPA and Applicable Laws. Upon request where a supervisory or government authority requires an inspection to take place or Customer can demonstrate a reasonable basis for believing Momentum Factor is in breach of this DPA, Momentum Factor shall permit Customer or its designated agent to inspect, during reasonable business hours, any such internal practices, books and records (including relevant security testing and inspection results) and perform any such other inspections required in order for Customer to establish both Customer’s and Momentum Factor’s compliance with Applicable Laws. Momentum Factor will cooperate reasonably with any such inspection and will grant Customer’s agents reasonable access to any premises, personnel, information, policies, procedures and devices involved with the Processing of the Personal Data. Inspections will: (a) be on no less than fourteen (14) days’ prior written notice unless otherwise agreed; (b) be conducted during normal business hours; (c) not unreasonably interfere with Momentum Factor’s business activities; (d) not take place more than once in any year except where required at law or as agreed between the parties; (e) be subject to Momentum Factor’s reasonable security restrictions (e.g., sign-in requirements, badge requirements, escort requirements); (f) not compromise the security of (or grant access to) any data that is not Personal Data; and (g) be at Customer’s sole cost and expense
- (I) Upon termination of the Agreement and at any time upon Company’s request, shall promptly, but in any event within thirty (30) days after the request, return or delete (at Customer’s direction) all Customer Data in Momentum Factor’s possession or control).
-
-
-
-
- IV. Sub-Processing
-
-
- (A) Momentum Factor shall not share, transfer, disclose, make available or otherwise provide access to any
- Personal Data to any third party, or contract any of its rights or obligations concerning Personal Data, unless
- Momentum Factor has entered into a written agreement with each such third party as Sub-Processor that
- imposes obligations on the third party that are equivalent to those imposed on Momentum Factor under this DPA,
- except to the extent that such third party is independently entitled to access to such Personal Data. Momentum
- Factor shall only retain Sub-Processor that are capable of appropriately protecting the privacy, confidentiality and
- security of the Personal Data. The current Sub-Processor(s) are set out in Exhibit B and Momentum Factor will
- add the names of new and replacement Sub-Processor to the list thirty (30) days prior to them starting subprocessing
- of Customer’s Personal Data. Customer shall have the reasonable right to object to the identity of any
- such alternate Sub-Processor and, in the event that Momentum Factor continues to engage such alternate Sub- Processor despite such objection and there is no option available for Customer to utilize the Services without use of that Sub-Processor, to terminate this Agreement and the Master Agreement immediately on notice without any further liability to Momentum Factor.
- (B) Momentum Factor shall enter into a written agreement with each Sub-Processor that (i) imposes obligations which are substantially similar to those imposed under this DPA on Momentum Factor to Sub-Processor; (ii) describes the Services; (iii) describes the technical and organizational measures that the Sub-Processor must implement to ensure a level of security appropriate to the risk; and (iv) complies with Applicable Laws (“Sub-Processing DPA”).
- (C) Momentum Factor shall promptly report any material noncompliance by a Sub-Processor with this DPA to Customer.
- (D) Momentum Factor shall conduct appropriate due diligence on its Sub-Processors to evaluate and confirm compliance with this DPA. Customer may request that Momentum Factor to provide confirmation that such due diligence has occurred (or, where available, obtain or assist Customer in obtaining a third-party inspection report concerning that Sub-Processor’s operations) to ensure compliance with its obligations hereunder.
- (E)Momentum Factor is fully liable to Customer for Sub-Processor’s failure to comply with or fulfill its obligations under the Sub-Processing DPA or Applicable Laws.
- (F) Customer hereby authorizes Momentum Factor to engage the third parties listed in Exhibit B (Authorized Sub-
- Processors) as Sub-Processors for the Processing activities authorized under this DPA with respect to the
- processing and territories specified in that exhibit.
- V. Compliance with Applicable Laws
- (A) Each party covenants and undertakes to the other that it shall comply with all Applicable Laws in the use of
- the Services.
- (B) Without limiting the above, (i) Customer is responsible for ensuring that it has a lawful basis for the
- processing of Personal Information in the manner contemplated by this DPA and the Agreement, and has adequate record of such basis (whether directly or through another third party provider); and (ii) Momentum Factor is not responsible for determining the requirements of laws applicable to Customer’s business or that Momentum Factor’s provision of the Services meet the requirements of such laws. Customer will not use the Services in conjunction with Personal Data to the extent that doing so would violate Applicable Laws.
-
-
- VI. Data Security
-
-
-
- (A) Momentum Factor shall develop, maintain and implement a written information security program that complies with Applicable Law and industry standard practices for similarly situated providers. Momentum Factor’s information security program shall include appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, including, as appropriate:
- a) The encryption of the Personal Data;
- b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- c) The ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
- d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures adopted pursuant to this provision for ensuring the security of the Processing.
- (B) Momentum Factor shall supervise Momentum Factor personnel to the extent required to maintain appropriate privacy, confidentiality and security of Personal Data. Momentum Factor shall provide training, as appropriate, to all Momentum Factor personnel who have access to Personal Data.
- (A) Momentum Factor shall develop, maintain and implement a written information security program that complies with Applicable Law and industry standard practices for similarly situated providers. Momentum Factor’s information security program shall include appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, including, as appropriate:
-
-
-
- VII. Data Breach Notification
-
-
-
- (A) Momentum Factor shall at its own expense, without undue delay, but in any event, no longer than forty-eight(48) hours promptly inform Customer in writing of any Personal Data Breach of which Momentum Factor becomes aware. The notification to Customer shall include available information regarding such Personal Data Breach, including information on:
- a) The nature of the Personal Data Breach including where possible, a description of the incident, the date and time period of the incident, the categories and approximate number of affected Data Subjects and the categories and approximate number of affected Personal Data records and their location(s);
- b) The likely consequences of the Personal Data Breach; and
- c) The immediate measures taken or proposed to be taken to address the Personal Data Breach, including,
- where appropriate, measures to contain, remediate or mitigate its possible adverse effects and to prevent any further Personal Data Breach, provided Momentum Factor may not contact any third-party individual or agency without consultation with and approval from Customer..
- (B) Momentum Factor shall cooperate with Customer immediately in all reasonable and lawful efforts to investigate, contain, prevent, mitigate or rectify such Personal Data Breach in accordance with Customer’s standard policies and procedures.
- (C) Momentum Factor shall allow Customer to have sole control over the timing, content and method of providing notification to the impacted individuals and governmental authorities, if applicable.
- (D) For any Personal Data Breach resulting or arising from any act or omission of Momentum Factor or its Sub- Processors of this DPA and/or Applicable Laws, Momentum Factor shall: (a) take any corrective actions necessary to remedy the Personal Data Breach; and (b) reimburse Customer for its reasonable out-of-pocket costs and expenses relating to the Personal Data Breach such as: (i) reasonable Customer’s costs incurred in notifying impacted individuals, governmental authorities, and credit bureaus; (ii) Customer’s reasonable attorneys’ and legal fees and public relations’ fees incurred in responding to the Personal Data Breach (iii) Customer’s reasonable costs of obtaining credit monitoring services and identity theft insurance for the benefit of the impacted individuals; (iv) reasonable call center support required by law to notify impacted individuals for ninety (90) days; (v) all reasonable costs incurred by Customer in responding to, and mitigating damages caused by, the Personal Data Breach; and (vi) reasonable forensic IT services used by Customer relating to the Personal Data Breach.
- (E) Other Assistance Required by the GDPR. Without limiting any other clause in this DPA, taking into account the nature of the Processing of European Personal Data, and the information available to Momentum Factor , Momentum Factor shall assist Customer in meeting Customer’s obligations under Articles 32-36 of the GDPR, which include Customer’s obligations to: (a) keep personal data secure; (b) notify Incidents to the Privacy Authority; (c) notify Incidents to Data Subjects; (d) carry out data protection impact assessments (“DPIAs”) when required; and (e) consult with the Privacy Authority where a DPIA indicates there is a high risk that cannot be mitigated.
- (F) Other Assistance Required by the CCPA, VCPDA, Colorado Privacy Act, FIPA and Washington Privacy Act. Without limiting any other clause in the DPA, taking into account the Processing of Personal Data, and the information available to Momentum Factor, Momentum Factor shall assist Customer in meeting Customer’s obligation under the CCPA, VCPDA, Colorado Privacy Act, FIPA and Washington Privacy Act which includes theCustomer’s obligation to: (a) inform Data Subjects of the categories and specific pieces of Customer Data Customer has collected and how the collected Data is to be used; (b) to request Customer to delete any datacollected from the Data Subjects; and (c) the right to opt-out.
- (A) Momentum Factor shall at its own expense, without undue delay, but in any event, no longer than forty-eight(48) hours promptly inform Customer in writing of any Personal Data Breach of which Momentum Factor becomes aware. The notification to Customer shall include available information regarding such Personal Data Breach, including information on:
-
-
-
- VIII. Audit
-
-
-
- Momentum Factor shall on written request (but not more than once per year, other than in the event of a breach) make available to Customer information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and, at the Customer’s expense, allow for audits, including inspections, conducted by Customer or another auditor mandated by Customer (which such auditor shall be bound by confidentiality protections at least as stringent as those provided for in the Agreement) not more than once per year. Such audits shall last for not more than 2 business days and shall be conducted in accordance with Momentum Factor’s then current security practices and shall avoid disrupting Momentum Factor’s operations. Upon prior written request by Customer (but not more than once per year, other than in the event of a breach) (provided that it shall be not more than once per year other than in the event of a breach, Momentum Factor agrees to cooperate and, within reasonable time, provide Customer with: (a) audit reports (if any) and information reasonably necessary to demonstrate Momentum Factor’s compliance with the obligations laid down in this DPA; and (b) confirmation that no audit, if conducted, has revealed any material vulnerability in Momentum Factor’s systems, or to the extent that any such vulnerability was detected, that Momentum Factor has fully remedied such vulnerability.
-
-
-
- IX. CCPA
-
-
-
- The Parties agree and acknowledge that, as Momentum Factor processes personal information on behalf of Customer solely for Customer’s business purposes, in providing the Services, Momentum Factor is considered be a service provider for Customer under the CCPA. Momentum Factor acknowledges and agrees that it may not retain, use, or disclose personal information made available to it by Customer for any purpose, including commercial purposes, other than in connection with performing the Services or as provided for in the Agreement; and Momentum Factor may not sell such personal information.
-
-
-
- X. Data Transfer
-
-
-
- (A) Data Transfer Generally. Unless Momentum Factor has obtained Customer’s prior written consent, in each instance obtained, Momentum Factor shall not: (i) Process (nor permit to be Processed, including permitting access) Customer’s Personal Data in any territory other than the United States (and for UK Personal Data, other than the UK or Adequate Country for UK purposes, or for EEA Personal Data, other than the EEA or an Adequate Country for EU purposes), (ii) transfer Customer’s Personal Data across country borders; or (iii) permit the access of Customer’s Personal Data from a country outside the United States. Momentum Factor shall execute a data transfer agreement if requested by Customer prior to participating in any of the activities listed in (i)-(iii). Momentum Factor shall not remove Customer’s Personal Data from Customer’s network or premises without Customer’s prior written consent.
- (B) Data Transfer of EEA, Swiss or UK Personal Data. Subject to X(A), if the Services require the international transfer or Processing of EEA (including to any Sub-Processor), Swiss or UK Personal Data outside of the EEA, Switzerland or UK (as applicable), then Momentum Factor shall implement measures which enable a lawful international transfer of such Personal Data; such measures may include that a. the recipient is in an applicable Adequate Country; or b. the recipient has executed the appropriate standard contractual clauses under Applicable Laws.
- (C)I Incorporation of the EU Standard Contractual Clauses. In the event Momentum Factor’s Services require Momentum Factor to Process any EEA or Swiss Personal Data and is in the United States (or any other country or jurisdiction outside the EEA not being an Adequate Country), the EU SCCs, or any Subsequent version approved by the EU Commission shall apply with regard to such Processing between the parties. For the purposes of the descriptions in the EU SCCs and only as between Customer and Momentum Factor, Momentum Factor agrees that it is a “data importer” and Customer is the “data exporter” under the EU SCCs. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the EU SCCs. Accordingly, if and to the extent the EU SCC conflict with any provision of this DPA, the EU SCCs will prevail.
- (D) The EU SCCs shall apply as follows:
- a. Clause 7 (Docking Clause) of Section 1 shall apply;
- b. The second paragraph of Clause 11(a) (Redress) of Section II (relating to an independent dispute resolution body) shall not apply;
- c. Option 2 of Clause 9 (general written authorization of sub-processors) shall apply in relation to Customer’s authorization of the use of Sub-Processors and Momentum Factor shall notify theCustomer writing of any intended changes to that list in accordance with this DPA.
- d. Clause 13(a) (Supervision) of Section II shall apply as follows: I. Where the data exporter is established outside of the EU but within the extraterritorial scope of the GDPR and has appointed an EU Representative, clause 13(a) shall apply as follows: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in [Annex I.C] shall act as competent supervisory authority”. II. Where the data exporter is established outside of the EU but within the extraterritorial scope of the GDPR, but is not required to appoint an EU Representative , clause 13(a) shall apply as follows: “The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located, as indicated in [Annex I.C], shall act as competent supervisory authority”. III. In respect of Swiss Personal Data, the Federal Data Protection and Information Commissioner will be the competent supervisory authority, data subjects in Switzerland may enforce their rights in Switzerland under Clause 18c of the EU SCCs, and references in the EU SCCs to the EU GDPR should be understood as references to Swiss Data Protection Law insofar as the data transfers are subject to Swiss Data Protection Law.
- e. Clause 17 (Governing Law) of Section IV shall apply as follows: “These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third party beneficiary rights. The Parties agree that this shall be the law of Ireland”.
- f. Clause 18(b) (Choice of forum and jurisdiction) of Section IV shall be apply as follows: “The Parties agree that those shall be the courts of Ireland”.
- (E) Incorporation of the UK Standard Contractual Clauses. In the event Momentum Factor’s Services require Momentum Factor to Process any UK Personal Data in the United States (or any other country or jurisdiction outside the UK not being an Adequate Country), the UK SCCs attached hereto as Exhibit C, or any subsequent version approved by the UK Secretary of State (or otherwise under UK GDPR) shall apply with regard to such Processing between the parties. For the purposes of the descriptions in the UK SCCs and only as between Customer and Momentum Factor, Momentum Factor agrees that it is a “data importer” and Customer is the “data exporter” under the UK SCCs. It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the UK SCCs. Accordingly, If and to the extent the SCCs conflict with any provision of this DPA, the UK SCCs will prevail.
-
- a. Annexes 1 & 2 in Exhibit of this DPA contain the information required by Annexes 1 & 2 of the 2010 SCCs;
- b. Momentum Factor may appoint sub-processors under clause 11 of the UK SCCs as set out in, and subject to the requirements of this DPA.
-
- (F) Customer may (i) replace either the EU SCCs or the UK SCCs with any alternative or replacement transfer mechanism in compliance with Applicable Laws, including any standard contractual clauses or addendum to such clauses approved by an applicable Supervisory Authority or under Applicable Laws, and (ii) make reasonably necessary changes to this clause by notifying Momentum Factor of the new transfer mechanism or content of the new standard contractual clauses (provided their content is in compliance with the relevant decision or approval), as applicable.
-
-
DATA RETENTION POLICY:
-
- SBDP LLC dba Momentum Factor shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Retention periods shall be documented in the Data Retention Matrix in Appendix B to the Data Management Policy.
We keep our privacy notice under regular review to make sure it is up to date and accurate at all times.
If you remain dissatisfied, you can make a complaint about the way we process your personal information to the supervisory authority.
Return to Full Privacy Policy for Momentum Factor by clicking here.