TASKING Data Processing Addendum

Version 1.0 February 2025

1. DEFINITIONS

“Applicable Data Protection Law” shall mean any and all applicable mandatory data protection and privacy laws.

“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data” shall have the meanings given in Applicable Data Protection Laws.

“EU Data Protection Law” the EU-General Data Protection Regulation (“GDPR”, Regulation 2016/679) as amended or superseded from time to time.

“Swiss Data Protection Law” the Swiss Federal Act on Data Protection (Revised FADP) as amended or superseded from time to time.

“UK Data Protection Law” the data privacy legislation adopted by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019/419 as supplemented by the terms of the Data Protection Act 2018 (UK DPA) and the UK GDPR (Retained Regulation(EU) 2016/679 (UK GDPR) pursuant to section 3 of the European Union (Withdrawal) Act 2018), as amended or superseded from time to time.

“Adequate Country” a country that the European Commission, the United Kingdom’s (“UK”) Information Commissioner’s Office or the Swiss Federal Data Protection and Information Commissioner (as applicable based on respective area of competence) has determined as ensuring an adequate level of data protection.

“Third Country” a country outside of the EU, EEA, the UK or Switzerland (as applicable) which is not an Adequate Country.

“Subprocessor”, means “TASKING Group entity” (a company controlling, controlled by or under common control with TASKING that may assist in the performance of the Services) or a “Third Party Subprocessor” (a third-party subcontractor, other than a TASKING Group entity, engaged by TASKING which, as part of the subcontractor’s role of delivering the Services or parts of the Services, will process Personal Data of the Customer).

“Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj as may be amended, superseded or replaced

2. PROCESSING OF PERSONAL DATA

In order to execute the Agreement, and in particular to perform the Services, Customer appoints TASKING as a Data Processor to process the Personal Data specified and for the purposes described in the Terms and Conditions and Annex I. TASKING shall not retain, use or disclose data for any other purpose, including retaining, using or disclosing the Data for a commercial purpose other than the Permitted Purpose. TASKING shall not buy or sell the Data. TASKING will comply with all mandatory Applicable Data Protections Law to the extent that such provisions by their terms impose obligations directly upon TASKING as a Data Processor in connection with the services specified in the Agreement or Terms and Conditions.

If TASKING processes Personal Data for Service availability and security purposes, TASKING is the Data Controller.

Customer will at all times remain the Data Controller for the purposes of the Services, the Agreement, and this Data Processing Agreement. Customer is responsible for compliance with its obligations as a Data Controller under Applicable Data Protection Law, in particular for justification of any transmission of Personal Data to TASKING (including providing any required notices and obtaining any required consents and authorizations), and for its decisions and actions concerning the processing and use of the Personal Data.

3. COOPERATION AND RIGHTS OF DATA SUBJECTS

Taking into account the nature of the processing, TASKING will follow Customer’s detailed written instructions to access, delete, release, correct or block Personal Data held in Services environment if this cannot be done with the Customer himself.

Insofar this is possible, TASKING shall provide reasonable and timely assistance to Customer to enable Customer to respond to a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law and b) any other correspondence, enquiry or complaint received from a data subject, regulator or any other third party in connection with the processing of data.

In the event that any such request, correspondence or complaint is directly made to TASKING, TASKING will promptly inform Customer providing full details of the same. TASKING will not be responsible for responding directly to the request, unless otherwise required by law.

4. DATA PROTECTION IMPACT ASSESSMENT

TASKING shall provide Customer with reasonable cooperation (provide the information necessary) to enable Customer to conduct any mandatory data protection impact assessment that is required to undertake under Applicable Data Protection Law.

5. DATA INCIDENT OR DATA BREACH

If TASKING becomes aware of a data incident or data breach, TASKING shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under Applicable Data Protection Law. TASKING shall further take such reasonable necessary measures and actions to mitigate the effects of the data incident or data breach and shall keep Customer informed of all material developments in connection with the data incident or data breach.

6. INTERNATIONAL TRANSFERS & DATA LOCALIZATION LAWS

6.1 If any Data is protected under EU Data Protection Law, TASKING shall not transfer the Data to a Third Country without Adequacy Decision unless it has taken such measures as are mandatory and necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measure may include (without limitation) transferring the Data to a recipient a) that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, b) that has executed Standard Contractual Clauses adopted or approved by European Commission or similar.

6.2. If Personal Data protected under “EU Data Protection Law” is transferred to a TASKING entity in a Third Country, the Standard Contractual Clauses, UK addendum and Swiss addendum will be incorporated by reference and form part of the Data Processing Agreement as follows:

(A) The Module Three (Processor to Processor) terms apply to the extent TASKING is a Processor of Customer Personal Data and transfers the Personal Data to another TASKING entity in a Third Country; in Clause 7, the optional docking clause applies; in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the ‘Subprocessing’ section of this Data Processing Agreement; in Clause 11, the optional language is deleted; in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the Agreement or Terms and Conditions; if not specified this will be the law of Germany; the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; and the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR.

6.3 For Data originating from the United Kingdom (“UK”) or Switzerland references in this Section 8 to: (a) “EU Data Protection Law” shall be replaced with “UK Data Protection Law” or “Swiss Data Protection Law”, as applicable; and (b) the “European Commission” shall be replaced with the “Information Commissioner’s Office” or the “Federal Data Protection and Information Commissioner”, as applicable.

6.4 If Customer is placed in a third-country the Module Three (Processor to Controller) terms apply to the extent TASKING is a Processor of Customer Personal Data and transfers the Personal Data to Customer in a third-country; in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the Agreement or Terms and Conditions; if not specified this will be the law of Germany; (vi) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA.

7. SUBPROCESSING

Customer consents to TASKING engaging any TASKING affiliate if relevant for the purposes of this Agreement without specific consent and without prior notification. TASKING may use existing TASKING Intragroup transfer mechanisms for processing activities. Upon request, the customer receives an overview of the affiliates who have received Personal Data. TASKING remains liable for any breach of the Agreement that is caused by an act, error or omission of its affiliate.

Customer consents to TASKING engaging third-party subprocessors as provided in Annex III to process Personal Data for the purposes as defined in Annex I. TASKING shall a) impose data protection terms on any third-party subprocessor it appoints that require it to protect the Personal Data to the standard required by Applicable Data Protection Law, b) remain liable for any breach of the Agreement that is caused by an act, error or omission of its third-party subprocessor and c) update the subprocessor List with details of any change in third-party subprocessors with appropriate advance notice to the Customer. Customer may object to TASKING’s appointment or replacement of a third-party subprocessor prior to its appointment or replacement, provided such objection is based on reasonable ground relating to data protection.

8. SECURITY AND CONFIDENTIALITY

TASKING has implemented and will maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as specified in Article 32 of the GDPR for the processing of Personal Data as set out in Annex II. These measures are intended to protect Personal Data against accidental or unauthorized loss, destruction, alteration, unauthorized disclosure of or access to the Personal Data, and against all other unlawful forms of Processing. TASKING’s Information Security Management System (ISMS) is certified.

The technical and organisational measures are subject to technical progress and further development. In this respect, it is permissible for TASKING to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.

TASKING shall process Personal Data as confidential information and shall only share it with authorized individuals who need access to the Personal Data for the purposes and are subject to a statutory or contractual duty of confidentiality or as explicitly permitted under the Agreement.

TASKING has certifications (e.g. information security certificates) in place. If evidence for the certifications is necessary, this can be shared on request.

9. RETURN AND DELETION OF PERSONAL DATA UPON END OF SERVICES

Following termination of the Services, TASKING will return or delete the Customer’s Personal Data as specified in the Agreement or Terms and Conditions. Customer has the possibility to delete data itself as described in Annex I.

Excluded from this is data TASKING has to keep because of legal obligations. In this case this data will be blocked so that processing is restricted.

ANNEX I

LIST OF PARTIES

Data exporter:

Name: The Customer, as defined in the Agreement/Service platform.

Address: The Customer’s address, as set out in the Agreement/Service platform.

Contact person’s name, position, and contact details, including email: The Customer’s contact details, as set out in the Agreement/Service platform.

Activities relevant to the data transferred under these Clauses: As set out in the Agreement or Terms and Conditions and Annex I.

Role (controller/processor): Data Controller

Data Importer:

Name: TASKING Germany GmbH and further TASKING affiliates (if relevant for the activities)

Address: Streitfeldstrasse 19, 81673 Munich, Germany

Contact person’s name, position, and contact details: Privacy contact as mentioned in the website privacy policy https://www.tasking.com/privacy-policy; technical support via the ticketing system.

Activities relevant to the data transferred under these Clauses: As set out in the Agreement or Terms and Conditions and Annex I.

Role (controller/processor): Data Processor

DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred:

Customer employees or third-party employees working for the customer

Categories of Personal Data transferred:

Title
Full name
Corporate e‑mail address
Corporate phone number
Company name
Department
Company address (street, city, ZIP, country)
Timezone
Password (masked)
No sensitive Personal Data is transferred.

The frequency of the transfer:

Continuous data transfer during the contractual relationship/during the use of the services.

Nature of the processing:

Data Collection
Data Storage

Purpose(s) of the data transfer and further processing:

Provision of the TASKING Support ticketing system for support requests and for file exchange.
Set up the authorizations in the platform on behalf of the Customer.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

The Customer can anonymize Personal Data within tickets himself.
If the contractual relationship ends/the services are not used anymore the Personal Data will be anonymized/deleted.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

As defined in Annex III.

COMPETENT SUPERVISORY AUTHORITY

The competent Supervisory Authority is the authority within the Member State of the Data Exporter. If the Data Exporter is not located within the EU, the Supervisory Authority of Bavaria (Germany) is defined as the competent Supervisory Authority.

ANNEX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The TASKING TOMs in accordance with Art. 32 GDPR can be sent to the customer on request. Please contact TASKING as stated in the website privacy policy https://www.tasking.com/privacy-policy or by contacting dataprotection@tasking.com.

ANNEX III

LIST OF SUB-PROCESSORS

Name: Google Cloud EMEA Limited

Address: Velasco Clanwilliam Place Dublin 2 Ireland

Description of processing (including a clear delimitation of responsibilities in case several sub-processors are authorized): Google Cloud Platform (data hosting, Europe West data centers)