Data Protection Laws covered by the Red Hat Data Processing Addendum
The Red Hat Data Processing Addendum (“DPA”), available at https://www.openshift.com/legal/terms/ or https://www.redhat.com/en/about/agreements, applies to the Processing of Personal Data disclosed to Red Hat by Customer as part of Your Content under the Red Hat Online Services Agreement or Appendix 4, as applicable (“Agreement”), if and to the extent i) the European General Data Protection Regulation (EU/2016/679) (“GDPR”); or ii) any other data protection laws identified below apply. The DPA prevails over any conflicting term of the Agreement
European Economic Area:
European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Art. 28 of the GDPR.
The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), and the UK Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended, superseded or replaced.
Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti; Official Gazette of the Republic of Serbia, no 87/2018).
State of California, United States:
The California Consumer Privacy Act of 2018 (“CCPA”). Red Hat’s obligations to Customer under the DPA are those that the CCPA requires that a "Business" have in place with a "Service Provider" (including new Section 4(i) below), as "Service Provider" and "Business" are defined by the CCPA:
4(i) Red Hat will not further collect, Sell, retain, disclose or use the Personal Information of the Consumer for any purpose other than to perform the Services specified in the Agreement, or as otherwise permitted by CCPA. Red Hat certifies that it understands and will comply with the restrictions set forth in this Section 4(i).
The terms used in the applicable provisions of the DPA shall be replaced as follows: "Personal Data" shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Data Subject" shall mean "Consumer".
Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados (“LGPD”). For the sake of clarity, Red Hat’s obligations to a Customer under the DPA are only those express obligations imposed by LGPD on a "Data Processor (operador)" for the benefit of a "Data Controller (Controlador)" (including new Section 4(j) below), as such terms "Data Controller (controlador)" and "Data Processor (operador)" are defined by the LGPD. A new section 4(j) below to the DPA will apply:
4(j) Each party is responsible to fulfil its respective obligations set out in the LGPD, and Customer will only issue Processing instructions, as set forth in Section 4(a) of the DPA, that enable Red Hat to fulfill its LGPD obligations. For the purpose of Section 5, the Standard Contractual Clauses will be used for transfers to Non-Adequate Countries as per the GDPR.
June 2021: UK, California, and Brazil sections updated