FTI Consulting Technology Data Protection Addendum
We make it easy for FTI Technology Clients to review and execute our standard US Data Protection Addendum (DPA). Please click the link below to download the DPA and email a signed copy to DpasubmissionTech@fticonsulting.com. A representative from our privacy operations team will review and return the countersigned DPA accordingly. US Processor DPA last updated: March 2023
This Data Protection Addendum ("Addendum" or “DPA”) forms part of the contract for e-discovery, hosting, information governance and/or document review services ("Principal Agreement,” “Agreement” or “Engagement Contract”) between: (i) [___________] ("Client") acting on its own behalf and in the name and on behalf of each Client Affiliate; and (ii) FTI Consulting Technology LLC ("FTI") collectively the “Parties,” acting on its own behalf and in the name and on behalf of each FTI Affiliate.
The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Agreement. All capitalized terms not defined in this Addendum shall have the meaning set out in the Agreement.
In this Addendum, the following terms shall have the meanings set out below:
- "Addendum Effective Date" has the meaning given to it in section 1;
- "Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either Client or FTI (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
- “Consumer” has the meaning set forth in the CCPA;
- "Data Protection Laws" means all legislation protecting the personal data of natural persons that is applicable to the Processing of Client Personal Data including (without limitation) the GDPR, UK Data Protection Laws, CCPA, the Swiss Federal Act on Data Protection 2020 (“Swiss FADP”), and any national legislation which implements or supplements the GDPR, the UK Data Protection Laws, the CCPA, and the data protection laws of any other country, state or territory which apply to such Processing;
- “EEA Standard Contractual Clauses” means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as updated, amended, replaced or superseded from time to time by the European Commission;
- "GDPR" or “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 with any subordinate legislation or regulation implementing the General Data Protection Regulation on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data;
- The terms "Controller", "Processor", "Data Subject", "Personal Data Breach", "Process", “Special Categories of Data”, “Supervisory Authority” and “Data Protection Impact Assessment” have the same meaning as described in the Data Protection Laws, and in each case their cognate terms shall be construed accordingly;
- "Legal Process" means any criminal, civil, or administrative subpoena, mandatory request, warrant or court order issued by a Public Body, including but not limited to subpoenas, warrants and orders authorized under local, regional, state, national or any federal laws or regulations;
- “Personal Data” means information about an individual that (a) can be used to identify, contact or locate a specific individual; (b) can be combined with other information that can be used to identify, contact or locate a specific individual; or (c) is defined as “Personal Data” or “Personal Information” by Data Protection Laws relating to the collection, use, storage, disclosure or other processing of information about an identifiable individual;
- "Public Body" means any local, regional, state, national or federal law enforcement or intelligence authority, regulator, government department, agency or court in any country or territory that is not part of the European Economic Area (EEA);
- "Restricted Transfer" means a transfer of Personal Data from Client to FTI, where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses;
- "Services" means the e-discovery, hosting, contract intelligence, information governance, and/or document review services supplied by FTI to Client pursuant to the Agreement;
- “Standard Contractual Clauses” or “SCC’s” means the EEA Contractual Clauses and (where applicable in accordance with clause 12.2) the EEA Contractual Clauses as amended by the UK IDTA;
- “Sub-Processor” means any Processor engaged by FTI, or an FTI Affiliate, to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA where such entity processes Personal Data. Sub-processors may include third parties or FTI’s Affiliates;
- "UK Data Protection Laws" means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom. In this Addendum (excluding clause 6), in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions, references to "European Union or Member State law" shall be construed as references to UK law and references to the European Commission shall be construed as references to the UK Government; and
- "UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018, as amended or replaced from time to time by a competent authority under the relevant Data Protection Laws, and incorporated by reference into this Addendum and which shall come into effect upon the commencement of a relevant Restricted Transfer.
1. FORMATION OF THIS ADDENDUM
This Addendum is deemed accepted by the Client, and comes into effect on the Addendum Effective Date, which shall be the date of final signature of this Addendum by both FTI and the Client.
2. DESCRIPTION OF THE PERSONAL DATA PROCESSING
In Annex 1 to this DPA, the Parties have set out their understanding of the Personal Data to be Processed by FTI pursuant to this Addendum ("Client Personal Data").
3. DATA PROCESSING TERMS & ROLES OF THE PARTIES
In the course of performing their mutual obligations pursuant to the Agreement, the Parties shall duly observe and comply with their respective obligations under applicable Data Protection Laws. The Parties agree that (subject to clause 3.5 and 11.6) FTI Processes Client Personal Data for Client as a Processor.
In respect of its Processing of Client Personal Data applicable to the provision of the Services, FTI shall:
3.1 Process the Client Personal Data solely on the documented instructions of Client, for the purposes of providing, supporting and managing the Services and as otherwise necessary to perform its obligations under the Agreement, unless required by applicable law (or, where the GDPR applies, European Union or Member State law) to which FTI or any FTI Affiliate is subject, in which case FTI shall inform Client of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest;
3.2 Process only the types of Client Personal Data, relating to the categories of Data Subjects, and in the manner and duration required to deliver the Services, as is set out in the Annex 1, or as otherwise agreed in writing by the Parties. The Agreement (including this DPA) constitutes such documented instructions, and each use of the Services then constitutes further instructions;
3.3 take measures reasonably appropriate in accordance with applicable Data Protection Laws to ensure the security of the Client Personal Data;
3.4 ensure that any staff who may have access to the Client Personal Data commit themselves to contractual or statutory obligations of confidentiality, and take reasonable steps to ensure the reliability of such staff;
3.5 where FTI receives a Legal Process requiring disclosure of Client Personal Data to a Public Body, FTI shall (unless prohibited from doing so by applicable laws) notify the Client of the same. Without prejudice to the foregoing, where the Legal Process places a legally binding obligation on FTI to disclose Client Personal Data, or to otherwise respond to the Legal Process, the Client acknowledges that FTI shall be required to Process Client Personal Data as a Controller in determining its response to that Legal Process;
3.6 notify Client promptly if FTI: (i) has reason to believe that it is unable to comply with any of its obligations under this DPA and cannot cure this inability to comply within a reasonable time frame; or (ii) becomes aware of any circumstances or change in applicable law that is likely to prevent it from fulfilling its obligations under this DPA. In the event FTI provides such notice, Client will have the right to temporarily suspend the relevant Processing under this DPA until such time that the Processing is adjusted in such a manner that the noncompliance is remedied. To the extent such adjustment is not possible, Client will have the right to terminate this DPA and/or the Agreement.
FTI engages Sub-processors to provide certain services on its behalf and FTI shall:
4.1 be expressly and specifically authorized by Client to use (i) those Sub-Processors already engaged by FTI or any FTI Affiliate as at the date of this Addendum, and (ii) any FTI Affiliate as a Sub-Processor. The list of Sub-Processors (including FTI Affiliates acting as Sub-Processors) is published on the TRUST site, which includes a Sub-Processor notification mechanism for Client subscription;
4.2 be generally authorized to engage any other Sub-Processor, subject to FTI:
4.2.1 providing a list of Sub-processors made available by FTI on its website referenced in clause 4.1;
4.2.2 not subcontracting its obligations under this Addendum to new Sub-Processor(s) without providing Client with thirty (30) days advanced notice (in accordance with the notification mechanism referenced in clause 4.1), and notification via such notification mechanism shall be deemed sufficient notice;
4.2.3 providing the Client an opportunity to object to the appointment of a new Sub-Processor, provided Client rejects on reasonable grounds;
4.2.4 including terms in its contract with each Sub-Processor which are materially similar and at least as protective, as those set out in this Addendum and the SCCs or other appropriate safeguards as described under applicable Data Protection Laws, as applicable to the Services;
4.2.5 remaining liable to the Client, to the same extent that FTI would itself be liable under this Addendum for its Sub-Processor’s failures, acts, or omissions whenever the Sub-Processor is fulfilling its obligations in relation to the Processing of the Client Personal Data;
4.3 In relation to any notice received or published under clause 4.2.2, and in accordance with clause 4.2.3, the Client shall have a period of 30 (thirty) days from the published date or of the notice to register any reasonable objection to the use of that Sub-Processor by sending an email to Technologysubprocessorobjection@fticonsulting.com. Where the Client registers such an objection, FTI will respond to the Client with any known commercially reasonable solution which avoids the use of the objected to Sub-Processor within 30 (thirty) days from the date when the Client registered the objection. Where no such solution can be found, either party may (notwithstanding anything to the contrary in the Agreement) terminate the relevant Services immediately on notice to the other party. If Client does not register an objection during the thirty (30) day timeframe, such Sub-Processor shall be deemed an authorized Sub-Processor for the purposes of this Addendum.
5.0 PROCESSING OF PERSONAL DATA AS RELATED TO THE CCPA
5.1 To the extent the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020), codified at Cal. Civ. Code § 1798.100 et seq., and the regulations issued thereunder, in each case, as amended (“CCPA”), applies to FTI’s Processing of Client Personal Data, such Client Personal Data will be disclosed by Client to FTI to perform the Services under the Agreement, including performing the activities set forth in clause 11.6 of this Addendum, and FTI will act as Client’s ‘Service Provider’, as such term is defined under CCPA, with respect to such data.
5.2 FTI will not:
5.2.1 ‘sell’ or ‘share’ Client Personal Data, as ‘sell’ and ‘share’ are defined under the CCPA;
5.2.2 retain, use, or disclose Personal Data (a) for a commercial or any other purpose other than for the specific purpose of providing, managing and/or supporting the Services, as further described in the Agreement, including performing the activities set forth in clause 11.6 of this Addendum, or as otherwise permitted by the CCPA, or (b) outside of the direct business relationship between FTI and Client, unless expressly permitted by CCPA; or
5.2.3 combine Client Personal Data that FTI receives from or on behalf of the Client with Personal Data that FTI receives from or on behalf of another person, or collects from its own interaction with an individual, unless permitted by the CCPA.
5.3 FTI will enable Client to take reasonable and appropriate steps as necessary to help Client ensure that FTI is using Client Personal Data in a manner consistent with the Client’s obligations under the CCPA.
5.4 FTI will enable Client, upon written notice to FTI, to take reasonable and appropriate steps to stop and remediate any of FTI’s use of Client Personal Data pursuant to the Agreement that Client deems in its reasonable opinion is unauthorized.
5.5 Any steps taken by the Client as set out in clauses 5.3 and 5.4 shall be subject to FTI’s commercial practicability and shall not require FTI or its Sub-Processors to provide access to or disclose any intellectual property, confidential information, or could compromise the security, availability, performance or integrity of FTI’s systems, data, premises and/or cause FTI to breach any applicable law, its obligations of confidentiality and/or non-disclosure to its other customers or any other third party.
5.6 FTI may disclose Personal Data to FTI’s service providers in connection with such service providers providing services to FTI, and FTI may permit such service providers to Process Personal Data as necessary for FTI to provide the Services to Client; provided, in each case, that FTI binds its service providers to comply with FTI’s material obligations under this DPA with respect to the Processing of Client Personal Data. To the extent that FTI is deemed to be a ‘Contractor’ (as such term is defined under the CCPA), FTI certifies that it understands the restrictions on its Processing of Personal Data as set forth in this clause 5 and will comply with them.
5.7 Client shall inform FTI of any request from an individual pursuant to the CCPA with which FTI is required to comply, and provide FTI the information necessary for FTI to comply.
6.0 SECURITY MEASURES
FTI shall implement and maintain appropriate technical and organizational measures in order to protect against Personal Data Breaches and to preserve the security and confidentiality of Client Personal Data Processed by FTI in the provision of the Services (“Security Measures”). The Security Measures are subject to technical progress and development. FTI may update or modify the Security Measures from time to time provided that any updates and modifications do not result in material degradation of the overall security of the Services and Client Personal Data.
7.0 PERSONAL DATA BREACH RESPONSE
Upon confirmation of a Personal Data Breach affecting Client Personal Data (“Client Personal Data Breach”), FTI shall:
7.1 notify Client without undue delay and in any event no more than seventy-two (72) hours;
7.2 taking into account the information available and to the extent known, provide all such information and cooperation as Client may reasonably require in order for Client to fulfil its Personal Data Breach reporting obligations under (and in accordance with the timescales required by) Data Protection Laws;
7.3 promptly commence an investigation and take such measures and actions as it considers necessary or appropriate to remedy or mitigate the effects of the Client Personal Data Breach;
7.4 reasonably cooperate with any post-incident investigation, remediation, and communication efforts;
7.5 except as required by applicable law or contractual obligations, as mandated by a Supervisory Authority or in furtherance of FTI’s efforts to investigate or remediate the Client Personal Data Breach, FTI will not inform any third party (other than a Sub-Processor of Client Personal Data) of a Client Personal Data Breach referencing or identifying the Client, without Client’s prior written consent.
For the sake of clarity, a Personal Data Breach will not include unsuccessful log-in attempts, denial of service attacks, port scans, packet sniffing, pings, exploits and other attacks on firewalls or networked systems, or the disclosure or identification of software or system vulnerabilities or weaknesses which do not result in unauthorized access, alteration, destruction, loss or disclosure of Client Personal Data. Notwithstanding the foregoing, notifications in accordance with clauses 7.1 and 7.2 will not be construed as an acknowledgment by FTI of any fault or liability with respect to the Client Personal Data Breach.
Taking into account the nature and scope of the Processing, FTI shall:
8.1 to the extent permitted by applicable law, promptly notify Client of any communication from a Data Subject or Consumer regarding the Processing of their Personal Data which is comprised in the Client Personal Data, or any communication from a Supervisory Authority relating to either party's obligations under applicable Data Protection Laws in respect of the Client Personal Data;
8.2 not respond to any communication directly from a Data Subject or Consumer without Client’s prior authorization, unless legally compelled to do so;
8.3 reasonably cooperate and provide commercially reasonable assistance to Client in their response to (i) requests from any Data Subject or Consumer exercising his or her rights under Data Protection Laws and (ii) any inquiry made, investigation or assessment of Processing initiated by any Supervisory Authority;
8.4 provide commercially reasonable assistance requested by Client in relation to any Data Protection Impact Assessment which Client is required to perform under Data Protection laws in respect of Processing undertaken by FTI;
8.5 only correct, delete or restrict the Processing of Personal Data in accordance with documented instructions from the Client, unless otherwise required by applicable law. Notwithstanding the foregoing, Client agrees that it is highly unlikely that FTI would independently become aware that Client Personal Data is inaccurate or outdated. Nonetheless, if FTI becomes aware that Client Personal Data is inaccurate or outdated, it will notify Client without undue delay. Accordingly, FTI will cooperate with Client to rectify inaccurate or outdated Client Personal Data to the extent permitted by applicable law. Any assistance provided to the Client as set out in clauses 8.4 and 8.5 shall be subject to practicability and additional fees payable by Client in connection with such assistance.
8.6 Client acknowledges and consents that some technical and data centre support will be supplied by FTI Affiliates located outside of the US and EU depending on the scope of Services and as such, Personal Data may be Processed by those FTI teams or Affiliates in the United States, United Kingdom, and/or Australia.
9.0 AUDITS AND INSPECTIONS
9.1 FTI (or third parties engaged by FTI) audits its compliance against data protection and information security standards on a regular basis. The specific audits, and the data protection and information security certifications FTI has achieved, may vary depending upon the nature of the Services and are described on the TRUST site: https://www.FTITechnology.com/trust and in Annex II. As directly related to FTI’s Processing of Client Personal Data, upon written request and subject to obligations of confidentiality, FTI shall:
9.1.1 make available to Client a summary of its most recent relevant audit report so that Client can verify FTI's compliance with this DPA and the audit standards against which it has been assessed;
9.1.2 reasonably cooperate with Client’s efforts to verify FTI’s compliance with its respective obligations pursuant to applicable Data Protection Laws and this DPA and make available to Client all information necessary to demonstrate such compliance.
9.2 To the extent Client cannot reasonably assess FTI’s compliance with its respective obligations pursuant to Data Protection Laws and this DPA through review under clause 9.1, on thirty (30) day advance written notice, FTI shall allow for and contribute to audits, including inspections, conducted by Client, or any competent auditor mandated by Client, provided that any mandated auditor is not a competitor of FTI or any FTI Affiliate, to inspect and audit the relevant and applicable facilities used by FTI to Process Client Personal Data.
9.3 Client agrees that the scope, and duration, of any audit or inspection requested in clauses 9.1 and 9.2 shall be: (i) mutually agreed between the Parties acting reasonably and in good faith, and (ii) subject to additional fees payable by Client. Beyond such restrictions, Client shall use current certifications and documentation FTI makes generally available to avoid or minimize repetitive audits wherever possible. Further, Client understands and agrees that any request for information, audits (or inspections) shall not require FTI or its Sub-Processors to provide access to or disclose any intellectual property, confidential information, or data that could compromise the security, availability, performance or integrity of FTI’s systems, premises and/or cause FTI to breach any applicable law, its obligations of confidentiality and/or non-disclosure to its other customers or any other third party; and unless expressly prohibited by a Supervisory Authority, Client accepts that any on-site audit or inspection at a facility controlled or managed by a third party shall be subject to the security, non-disclosure and access policies set forth by that third party.
9.4 An audit or inspection permitted in compliance with clause 9.2 will be conducted during FTI’s standard business day and shall be limited to once per calendar year, unless (1) FTI has experienced a Client Personal Data Breach within the prior twelve (12) months, or (2) Client is able to evidence an incidence of FTI’s material noncompliance with this DPA; or (3) as otherwise directed or requested by a Supervisory Authority.
10.0 DELETION OF DATA
Except to the extent required by this Section 10, FTI shall cease Processing the Client Personal Data upon the termination or expiry of the Agreement and:
10.1 subject to clauses 11.5, 11.6 and 10.3 and the terms of the Agreement, delete Client Personal Data in accordance with FTI’s security, retention and disaster recovery policies which require backup and archival copies of Personal Data are retained for ninety one days (91), provided they are protected in accordance herewith;
10.2 when instructed by Client within thirty-one (31) days of the termination or expiry of the Agreement, return any original Client Personal Data to Client;
10.3 where required by Data Protection Law to which FTI or any FTI Affiliate is subject, retain Client Personal Data to the extent and for the duration reasonably required by that law.
11.0 CLIENT OBLIGATIONS AND CONSENT
11.1 Client shall ensure that, wherever it discloses Client Personal Data to FTI, it is authorized to do so in accordance with the Data Protection Laws for the purposes of FTI Processing that Personal Data to provide the Services and shall notify FTI immediately upon becoming aware of any circumstances in which such disclosure and subsequent Processing by FTI may have become unlawful. Client further agrees it has provided all notices and obtained all relevant authorizations, consents, rights and permissions for the Processing of Personal Data in accordance with this DPA including but not limited to any Special Categories of Data and where applicable, approval by any relevant Controllers to use FTI as a Processor;
11.2 Client shall keep the amount of Personal Data disclosed or transmitted to FTI, Sub-Processor and any FTI Affiliate to the minimum necessary to provide the Services pursuant to the Agreement;
11.3 Client shall serve as a single point of contact for FTI and be solely responsible for internal coordination, review and submission of any Processing instructions in respect of which any Client Affiliate is the Controller;
11.4 Client acknowledges that notification(s) and information pursuant to this DPA will be delivered to one or more of Client’s business, technical or administrative contacts, designated by Client in writing by any means, including email. It is the Client’s sole responsibility to ensure FTI has accurate and current contact information at all times;
11.5 Client acknowledges that FTI’s email and associated collaboration records are Processed through Microsoft 365 which is configured based on the designated location of the FTI personnel the email was addressed to and in accordance with multi-geo locations as published on: https://learn.microsoft.com/en-us/microsoft-365/enterprise/microsoft-365-multi-geo?view=o365-worldwide#microsoft-365-multi-geo-availability. FTI’s global email archiving and spam filtering are provided through Mimecast which is replicated and retained, unless otherwise subject to an applicable Legal Process or litigation hold, for up to three (3) years in Germany. Client consents to any Personal Data provided to FTI by email will be replicated and retained accordingly. To the extent that the Client wishes to transmit certain information or any data to FTI and objects to that data being replicated and retained in accordance with this clause, Client will use a communication or transmission method other than e-mail and agree to not transmit or otherwise disclose Personal Data via email to FTI;
11.6 Client acknowledges and consents that Personal Data Processed for FTI’s (i) compliance with its legal and regulatory obligations, (ii) establishment, exercise and defense of legal claims, and (iii) internal legitimate business purposes of system management and performance, network monitoring, threat monitoring, security processing, invoicing, support ticketing systems, maintaining FTI's relationship with Client (“Systems Data”) are Processed by FTI as an independent Controller, and that FTI does not act as Processor in this respect, and as such, FTI shall be responsible for ensuring that such Processing is performed in accordance with applicable Data Protection Laws. For the avoidance of doubt, FTI Processes Personal Data pursuant to clause 11.6(iii) as a ‘service provider’ under CCPA.
12.0 RESTRICTED TRANSFERS
12.1 In respect of any Restricted Transfers subject to the GDPR, the parties hereby enter into Module 2 of the EEA Standard Contractual Clauses (with Client as data exporter and FTI as data importer), which is hereby incorporated by reference into this Addendum and which shall come into effect upon the commencement of a Restricted Transfer. The parties make the following selections for the purposes of Module 2:
12.1.1 Clause 7 – Docking clause shall apply;
12.1.2 Clause 9 - Use of subprocessors Option 2 shall apply and the “time period” shall be 30 days;
12.1.3 Clause 11(a) - Redress the optional language shall not apply;
12.1.4 Clause 13(a) – Supervision
12.1.4.1 Where Client is established in an EU Member State, the following shall apply: “The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall be the supervisory authority of the Member State in which Client is established or (if different) the lead supervisory authority of the Client in respect of a cross-border processing activity”. OR
12.1.4.2 Where Client is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR the following shall apply: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, shall act as competent supervisory authority.” OR
12.1.4.3 Where Client is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with Article 3(2) without however having to appoint a representative the following shall apply: “The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C, shall act as competent supervisory authority.”
12.1.5 Clause 17 – Governing law “Option 1” shall apply and the “Member State” shall be the Republic of Ireland;
12.1.6 Clause 18 – Choice of forum and jurisdiction the Member State shall be the Republic of Ireland;
12.1.7 Annex 1 – the data exporter is Client and the data importer is FTI (in each case as identified, including in relation to their places of establishment, in this Agreement) and the processing operations are deemed to be those described in Annex 1 to this Addendum;
12.1.8 Annex 2 – see Annex 2 to this Addendum; and
12.1.9 Annex 3 – not applicable.
12.2 In respect of any Restricted Transfer subject to the UK GDPR, the EEA Standard Contractual Clauses (incorporated by reference pursuant to clause 12.1) shall be read in accordance with, and deemed amended by, the provisions of Part 2 (Mandatory Clauses) of the UK IDTA, and the parties confirm that the information required for the purposes of Part 1 (Tables) of the UK IDTA is set out in the Principal Agreement.
12.3 In respect of any Restricted Transfer subject to the Swiss FADP, the EEA Standard Contractual Clauses shall be amended as follows: (i) Scope of "personal data" (Clause 1.c / Annex I.B): In addition to Personal Data pertaining to individuals, these amended Standard Contractual Clauses (Clauses) shall be applicable to and protect Personal Data pertaining to legal entities as well, if and to the extent such Personal Data pertaining to legal entities is within the scope of the Swiss FADP; (ii) Competent supervisory authority (Clause 13 / Annex I.C): To the extent the transfer of Personal Data as specified in Annex I.B is subject to the Swiss FADP, the Swiss Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority. To the extent the transfer of Personal Data as specified in Annex I.B is subject to the GDPR, the supervisory authority of the Member State in which the Swiss data exporter's EU representative according to GDPR Article 27(1) is established shall act as competent supervisory authority; and (iii) Data subject jurisdiction (Clause 18.c): The term "Member State" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of pursuing their rights at their place of habitual residence (Switzerland) in accordance with clause 18.c. Accordingly, data subjects with their place of habitual residence in Switzerland may also bring legal proceedings before the competent courts in Switzerland.
12.4 In respect of any Restricted Transfer between FTI and a Sub-Processor, FTI shall either enter into Module 3 of the EEA Standard Contractual Clauses or shall enter into the UK Standard Contractual Clauses for and on behalf of Client, where doing so is necessary to ensure that the Restricted Transfer complies with Data Protection Laws.
12.5 For the avoidance of doubt, if, and to the extent that, the European Commission or the UK Government issues any amendment to, or replacement of, the EEA or UK Standard Contractual Clauses pursuant to Article 46(5) GDPR or Article 46 of the UK GDPR, the parties acknowledge and agree that such clauses will automatically be deemed to replace all Standard Contractual Clauses then in force between the Client and FTI and the parties shall take such additional steps as necessary to ensure that such replacement terms are implemented across all transfers.
12.6 If, at any time, a Supervisory Authority or a court with competent jurisdiction over a party mandates that certain cross-border transfers from Controllers to Processors must be subject to specific additional safeguards (including but not limited to specific technical and organisational measures), the parties shall work together in good faith to implement such safeguards and ensure that any transfer of Client Personal Data is conducted with the benefit of such additional safeguards.
13.1 The provisions of this Addendum are supplemental to the provisions of the Agreement. In the event of inconsistencies between the provisions of this Addendum and the privacy provisions of the Agreement, the provisions of this Addendum shall prevail; provided, however, the liability of each party and each party’s affiliates under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement. To the extent that there is any conflict or inconsistency between the terms of the Standard Contractual Clauses and the terms of this DPA, the terms of the Standard Contractual Clauses shall take precedence. In no event shall this DPA or any party restrict or limit the rights of any Data Subject or of any competent Supervisory Authority.
14.1 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible; or (ii) if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
Annex 1: Description of Personal Data Processing
This Annex includes certain details of the Processing of the Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of the Personal Data
The subject matter and duration of the Processing of the Personal Data are set out in the Principal Agreement and this Addendum.
The nature and purpose of the Processing of the Personal Data
FTI is engaged to provide Services to Client which involve the Processing of Personal Data. The scope of the Services is set out in the Principal Agreement, and the Client Personal Data will be Processed by FTI to deliver those Services and to comply with the terms of the Principal Agreement and this Addendum.
The types of the Personal Data to be Processed
Client customer or employee information which may be collected in the course of delivering consulting and advisory services to Client, including name, title, gender, personal contact details (address, telephone number, email address), work address, work email, work telephone numbers, job title, and other types of Personal Data supplied by the Client to FTI pursuant to the Principal Agreement.
The categories of Data Subject to whom the Personal Data relates
The categories of Data Subjects are determined by the nature of the client engagement, the details of which are covered in the Principal Agreement.
Special Categories of Data (where applicable)
The Client Personal Data transferred to FTI concerns the following category(ies) of Special Categories of Data:
- [Data revealing health or sex life (physical and mental conditions, medical history and procedures, reports, sexual orientation etc.)]
- [Data revealing racial or ethnic origin]
- [Data revealing political opinions, religious or philosophical beliefs or trade union membership]
- [Genetic data] / [Biometric data]
- [Criminal Data (i.e. Personal Data relating to criminal convictions and offences, for example, Personal Data relating to criminal allegations and proceedings, driving offences, unspent convictions etc.)]
The obligations and rights of Client
The obligations and rights of Client are set out in the Principal Agreement and this Addendum.
Frequency of Restricted Transfers (where applicable)
As necessary to deliver Services for the duration of the Principal Agreement.
The period for which Personal Data subject to Restricted Transfers will be retained (where applicable)
In accordance with the Client’s instructions (and otherwise for the duration of the Principal Agreement), except where FTI retains Personal Data to comply with applicable laws or to establish, exercise or defend legal rights, in accordance with its data retention policies.
Annex 2: Technical and Organizational Security Measures
FTI Technology shall implement the technical and organizational security measures specified on the TRUST site as a minimum security standard. Client acknowledges and agrees that technical and organizational measures listed may vary based on the scope and nature of Services provisioned by FTI Technology pursuant to an executed agreement. FTI reserves the right to modify the Technical and Organizational Measures provided they do not diminish the security level protecting Personal Data.