Data Protection Laws covered by the Red Hat Data Processing Addendum
The Red Hat Data Processing Addendum (“DPA”), available at https://www.openshift.com/legal/terms/ or https://www.redhat.com/en/about/agreements, applies to the Processing of Personal Data disclosed to Red Hat by Client as part of Your Content under the Red Hat Online Services Agreement or Appendix 4, as applicable (“Agreement”), if and to the extent i) the European General Data Protection Regulation (EU/2016/679) (“GDPR”); or if and to the extent ii) any other data protection laws identified below apply. The DPA prevails over any conflicting term of the Agreement.
Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados (“LGPD”). For the sake of clarity, Red Hat’s obligations to a Client under the DPA are only those express obligations imposed by LGPD on a "Data Processor (operador)" for the benefit of a "Data Controller (Controlador)" (including new Section 4(j) below), as such terms "Data Controller (controlador)" and "Data Processor (operador)" are defined by the LGPD. In addition, a new section 4(j) to the DPA will apply:
4(j) Each party is responsible to fulfil its respective obligations set out in the LGPD, and Client will only issue Processing instructions, as set forth in Section 4(a) of the DPA, that enable Red Hat to fulfill its LGPD obligations. For the purpose of Section 5 of the DPA, the EU Standard Contractual Clauses will be used for transfers to Non-Adequate Countries as per the LGPD.
European Economic Area:
European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Art. 28 of the GDPR.
Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti; Official Gazette of the Republic of Serbia, no 87/2018).
The Personal Data Protection Act 2012 No. 26 of 2012, as amended from time to time, and its accompanying regulations (“PDPA”). For the sake of clarity, Red Hat’s obligations to Client under the DPA are only those express obligations imposed by PDPA on a “Data Processor (data intermediary)” when processing personal data on behalf of “Data Controller (organisation)” pursuant to a contract, as “organisation” and “data intermediary" are defined by the PDPA.
The Protection of Personal Information Act (“POPIA”). For the sake of clarity, Red Hat’s obligations to Client under the DPA are those that POPIA requires that Red Hat as “Operator” have in place with a “Responsible Party”, as “Responsible Party” and “Operator” are referenced in POPIA.
State of California, United States:
The California Consumer Privacy Act of 2018 (“CCPA”). Red Hat’s obligations to Client under the DPA are those that the CCPA requires that a "Business" have in place with a "Service Provider" (including new Section 4(k) below), as "Service Provider" and "Business" are defined by the CCPA:
4(k) Red Hat will not further collect, Sell, retain, disclose or use the Personal Information of the Consumer for any purpose other than to perform the Services specified in the Agreement, or as otherwise permitted by CCPA. Red Hat certifies that it understands and will comply with the restrictions set forth in this Section 4(k).
The terms used in the applicable provisions of the DPA shall be replaced as follows: "Personal Data" shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Data Subject" shall mean "Consumer".
The Federal Act on Data Protection of 19 June 1992 (Switzerland) (“FADP”).
For the purpose of Section 5 of the DPA (Transfers of Personal Data), the EU Standard Contractual Clauses will be used for transfers to Non-Adequate Countries as per the GDPR. For Personal Data transfers subject exclusively to FADP, the Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority under Clause 13 and as set out in Annex I.C of the EU Standard Contractual Clauses and references to the GDPR in the EU Standard Contractual Clauses are understood to be references to FADP. For transfers of Personal Data subject to the EU Standard Contractual Clauses, Data Subjects in Switzerland are not excluded from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses.
The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).
The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), and the UK Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended, superseded or replaced (“UK GDPR”).
For the purpose of Section 5 of the DPA (Transfers of Personal Data), the EU Standard Contractual Clauses will be used for transfers to Non-Adequate Countries in accordance with the UK GDPR as further amended and supplemented by Section 5 of the DPA and Part 2: Mandatory Clauses of the template Addendum B.1.0 issued by the UK Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those Mandatory Clauses and any successor clauses issued from time to time and officially published by the UK Information Commissioner’s Office pursuant to UK GDPR (the “Approved Addendum”). The information required by Part 1 of the Approved Addendum is set out in Annex I and Annex II to the DPA. With respect to Section 19 of the Approved Addendum, in the event the Approved Addendum changes, neither Party may end the Agreement except as provided for in this DPA or the Agreement.
- June 2022: Added Singapore Personal Data Protection (PDPA), South Africa Protection of Personal Information Act (POPIA), and Thailand Personal Data Protection Act (PDPA); UK section updated to add the Approved Addendum
- September 2021: UK section updated to refer to the 2010 version of the EU SCCs; new section on Switzerland added to apply the new EU SCCs
- June 2021: UK, California and Brazil sections updated