Logitech Data Processing Agreement
Effective as of September, 2021 (Version 3)
Logitech and its affiliates and subsidiaries (collectively “Logitech”) requires that service providers, contractors, suppliers, distributors and other business partners and their employees (collectively “You”) comply with the requirements set forth in this Data Processing Agreement (“DPA”) with respect to any information (“Logitech Data”) that Logitech or its employees, representatives, customers, distributors, or other business partners make available to You in the context of Your business relationship with Logitech or a Logitech customer. This DPA is attached to, and incorporated by reference into, the agreements for services (“Agreements”) by and between the Logitech entity named therein and You.
- Use and Transfer Limitations. You must not access, collect, store, retain, transfer, use or otherwise process in any manner any Logitech Data, except: (a) in the interest and on behalf of Logitech; (b) as directed by authorized personnel of Logitech in writing; and (c) in accordance with applicable law. Without limiting the generality of the foregoing, You may not make Logitech Data accessible to any subcontractors or relocate Logitech Data to new locations, except as set forth in written Agreements with, or written instructions from Logitech. You must return or delete any Logitech Data at the end of Your relationship with Logitech and, at any time, at Logitech's request. You must impose contractual obligations on all employees, contractors and onward recipients that are at least as protective of Logitech Data as this DPA.
- Comply with Approved Policies. You must keep Logitech Data secure from unauthorized access and other data processing by using Your best efforts and state-of-the art organizational and technical safeguards. You must comply with Logitech’s Information Security Requirements for Vendors, unless Logitech has expressly approved Your own information security policy in writing as an alternative (in which case You have to comply with the approved version of Your own policy, refrain from making any changes that reduce the level of security provided thereunder, and provide thirty (30) days prior written notice to Logitech of any significant changes to Your own information security policy). If You conduct SSAE 16, SOC or similar or successor audits, You must comply with Your SSAE 16, SOC or similar or successor standards and provide Logitech with thirty (30) prior days' notice of any changes.
- Cooperate with Compliance Obligations. At Logitech’s reasonable request, You must: (a) execute a business associate agreement under the U.S. Health Insurance Portability and Accountability Act of 1996 and related regulations, as amended (“HIPAA”) as well as similar agreements as required under other jurisdictions' laws, (b) contractually agree to comply with laws and industry standards designed to protect Logitech Data, including, without limitation, the Standard Contractual Clauses approved by the European Commission for data transfers to processors, Payment Card Industry Standards (“PCI”), as well as similar and other frameworks, if and to the extent such frameworks apply to any Logitech Data that You come into contact with; or (c) allow Logitech to terminate certain or all contracts with You, subject to (i) a proportionate refund of any prepaid fees, (ii) transition or migration assistance as reasonably required, and (iii) without applying any early termination charges or other extra charges.
- Submit to Audits. You must provide information on Your compliance program and submit to reasonable data security and privacy compliance audits by Logitech or, at Logitech’s request, by an independent third party, or customers of Logitech, to verify compliance with this DPA, applicable law, and any other applicable contractual undertakings.
- Notify Breaches. If You become aware of unauthorized access to Logitech Data, or of any security breach that is reportable under the EU General Data Protection Regulation (GDPR) or laws applicable to You or Logitech, You must immediately notify Logitech, consult and cooperate with investigations and potentially required notices, and provide any information reasonably requested by Logitech. You must also indemnify Logitech from any resulting damages and costs, including, without limitation, identity protection assistance and services procured for data subjects and reasonable attorneys and technical consultant fees for Logitech’s handling of the incident.
- No Information Selling or Sharing for Advertising. You acknowledge and confirm that You do not receive any Logitech Data as consideration for any services or other items that You provide to Logitech. You shall not have, derive or exercise any rights or benefits regarding Logitech Data. You must not sell or share any Logitech Data, as the terms “sell” and “share” are defined in the California Consumer Privacy Act of 2018, as amended, including by the California Privacy Rights Act of 2020 (“CCPA”) or under any other laws. You must not collect, retain, use, or disclose any Logitech Data (a) for targeted or cross‐context behavioral advertising, (b) but for the business purposes specified in a written contract with Logitech, or (c) outside the direct business relationship with Logitech. You must not combine Logitech Data with other data if and to the extent this would be inconsistent with limitations on service providers under the CCPA or other laws. You certify that You understand the rules, requirements and definitions of the CCPA, and all restrictions in the DPA. You agree to refrain from taking any action that would cause any transfers of Logitech Data to or from You to qualify under the CCPA or other laws as “sharing” for advertising purposes or as “selling” personal information.
- EEA/CH Personal Data: With respect to any Logitech Data that is subject to the GDPR and/or the Swiss Data Protection Act as "personal data," You accept the Standard Contractual Clauses 2021 promulgated by Commission implementing decision (EU) 2021/914 of 4 June 2021 with the applicable Module(s), and you will provide completed Annexes, a list of subprocessors and a transfer impact assessment (as required by Clause 14) without undue delay.
- Integration. This DPA applies in addition to, not in lieu of, any other terms and conditions agreed with Logitech, except as specifically and expressly agreed in writing with explicit reference to this DPA. This DPA shall not create any rights for anyone other than Logitech.