Data Protection Laws covered by the Red Hat Data Processing Addendum
The Red Hat Data Processing Addendum (“DPA”), available at https://www.openshift.com/legal/terms/ or https://www.redhat.com/en/about/agreements, applies to the Processing of Personal Data disclosed to Red Hat by Client as part of Your Content under the Red Hat Online Services Agreement or Appendix 4, as applicable (“Agreement”), if and to the extent i) the European General Data Protection Regulation (EU/2016/679) (“GDPR”); or if and to the extent ii) any other data protection laws identified below apply. The DPA prevails over any conflicting term of the Agreement.
United Kingdom:
The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), and the UK Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended, superseded or replaced (“UK GDPR”).
For the purpose of Section 5 of the DPA (Transfers of Personal Data), the EU Standard Contractual Clauses will be used for transfers to Non-Adequate Countries in accordance with the UK GDPR as further amended and supplemented by Section 5 of the DPA and Part 2: Mandatory Clauses of the template Addendum B.1.0 issued by the UK Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those Mandatory Clauses and any successor clauses issued from time to time and officially published by the UK Information Commissioner’s Office pursuant to UK GDPR (the “Approved Addendum”). The information required by Part 1 of the Approved Addendum is set out in Annex I and Annex II to the DPA. With respect to Section 19 of the Approved Addendum, in the event the Approved Addendum changes, neither Party may end the Agreement except as provided for in this DPA or the Agreement.
Switzerland:
The Federal Act on Data Protection of 19 June 1992 (Switzerland) (“FADP”).
For the purpose of Section 5 of the DPA (Transfers of Personal Data), the EU Standard Contractual Clauses will be used for transfers to Non-Adequate Countries as per the GDPR. For Personal Data transfers subject exclusively to FADP, the Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority under Clause 13 and as set out in Annex I.C of the EU Standard Contractual Clauses and references to the GDPR in the EU Standard Contractual Clauses are understood to be references to FADP. For transfers of Personal Data subject to the EU Standard Contractual Clauses, Data Subjects in Switzerland are not excluded from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses.
European Economic Area:
European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Art. 28 of the GDPR.
Applicability of the EU SCC to other Data Protection Laws:
The EU Standard Contractual Clauses apply to the Processing of Client Personal Data subject to any other Data Protection Laws endorsing the EU Standard Contractual Clauses as a transfer mechanism, or allowing the use of the EU Standard Contractual Clauses to the extent not in conflict with the respective model clauses requirements, where Client, Red Hat, or both are located in Non-Adequate Countries. In this case, the EU Standard Contractual Clauses apply, with the following amendments:
- The supervisory authority in accordance with Clause 13 and Annex I.C of the EU Standard Contractual Clauses shall be the competent supervisory authority as stated in the applicable Data Protection Laws;
- The governing law in accordance with Clause 17 of the EU Standard Contractual Clauses shall be the applicable Data Protection Laws;
- The choice of forum and jurisdiction in accordance with Clause 18 of the EU Standard Contractual Clauses shall be the one applicable under the applicable Data Protection Laws; and
- Any references to the GDPR in the EU Standard Contractual Clauses shall also include the reference to the equivalent provisions of the applicable Data Protection Laws.
Additional Transborder Data Processing:
- The Red Hat Data Privacy Framework Policy available at: https://www.redhat.com/en/about/dpf-notice (Policy), applies to the Online Services, where Personal Data is transferred to the United States from countries whose data protection laws recognize the Data Privacy Framework as a valid mechanism for cross-border transfers.
- This Policy does not apply when Client chooses to have its offering Content processed in countries other than the United States.
Brazil:
Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados (“LGPD”). For the sake of clarity, Red Hat’s obligations to a Client under the DPA are only those express obligations imposed by LGPD on a "Data Processor (operador)" for the benefit of a "Data Controller (Controlador)" (including new Section 4(j) below), as such terms "Data Controller (controlador)" and "Data Processor (operador)" are defined by the LGPD.
In addition, a new section 4(j) to the DPA will apply:
4(j) Each party is responsible to fulfil its respective obligations set out in the LGPD, and Client will only issue Processing instructions, as set forth in Section 4(a) of the DPA, that enable Red Hat to fulfill its LGPD obligations.
For the purpose of Section 5 of the DPA, the following applies:
- The Brazilian standard contractual clauses, as adopted by the National Data Protection Authority under Resolution n. 19/2024 and its Annex II of August 23, 2024 (Brazilian SCC), apply to the Processing of Client Personal Data subject to the Brazil General Data Protection Law (Federal Law n. 13.709/2018 – Lei Geral de Proteção de Dados Pessoais – (LGPD)) where Client, Red Hat, or both are located in Non-Adequate Countries. The parties acknowledge that their respective roles as Controller and/or Processor will be determined based on the circumstances of each transfer.
- Information required to complete Clauses 1. (Identification of the Parties) and 2. (Object) of the Brazilian SCC is provided in the Annexes of the EU Standard Contractual Clauses. The designated contact for data subjects is the contact person specified in Annex I of the EU Standard Contractual Clauses. For the purposes of Clause 3 (Onward Transfers) of the Brazilian SCC, Option B applies and is completed in accordance with the details set out in Annex IB of the Appendix of the EU Standard Contractual Clauses.
- For the purposes of Clause 4 (Responsibilities of the Parties) of the Brazilian SCC, where Client acts as a Controller of Client Personal Data, it shall be the Designated Party (as defined in the Brazilian SCC) for the purposes of Clause 14 (Transparency), Clause 15 (Data Subject Rights), and Clause 16 (Incident Reporting). In cases where Client acts as a Processor on behalf of other Controllers, option B applies and the relevant Third-Party Controller (as defined in the Brazilian SCC) is identified based on the information provided pursuant to the DPA.
- Information required to complete Section 3 (Security Measures) of the Brazilian SCC is set forth in the Annex II of the DPA.
Serbia:
For the purpose of Section 5 of the DPA, the following applies:
- The Serbian SCC apply to the Processing of Client Personal Data (Zakon o zaštiti podataka o ličnosti; Official Gazette of the Republic of Serbia, no 87/2018) subject to the Law on Personal Data Protection where Client, Red Hat, or both are located in Non-Adequate Countries.
- By entering into the Agreement, Client is entering into the Serbian SCC as adopted by the “Serbian Commissioner for Information of Public Importance and Personal Data Protection”, published at https://www.poverenik.rs/images/stories/dokumentacija-nova/podzakonski-akti/Klauzulelat.docx to provide an adequate level of protection.
- Information required to complete Appendices 1 to 8 of the Serbian SCC for the purpose of governing the transfer of Personal Data to a Non-Adequate Country can be found in the DPA.
- Upon request, Red Hat will provide a copy of the Serbian SCCs in the Serbian language signed by the Red Hat Data Importers and a courtesy translation in English. Please submit requests to privacy@redhat.com.
Turkey:
For the purpose of section 5 of the DPA, the following applies:
- The Turkish standard contractual clauses (as approved by the Turkish Personal Data Protection Board and published at https://www.kvkk.gov.tr (Turkish SCC)) apply to the Processing of Client Personal Data subject to the Law on the Protection of Personal Data no 6698 dated April 7, 2016, and its implementing regulations (Turkish Data Protection Law), where Client, Red Hat, or both are located in Non-Adequate Countries. The parties acknowledge that the applicable module of the Turkish SCC will be determined by their respective role(s) as Controller and/or Processor under the circumstances of each transfer and are responsible for determining the correct role(s) undertaken to fulfil the appropriate obligations under the applicable module.
- For the purposes of Clauses 8 (Sub-Processors) and 10 (Redress) of the Turkish SCC, the options set forth under Section 1.1. d., Clause 9 and Clause 11 of the EU Standard Contractual Clauses apply respectively. Information required to complete the Appendix, Annexes I to III of the Turkish SCC can be found in the Section 3 (Subprocessors) of the DPA.
Saudi Arabia:
For the purpose of section 5 of the DPA, the following applies:
- The Saudi Arabia standard contractual clauses (as approved by the Saudi Data and AI Authority (SDAIA) and published at https://sdaia.gov.sa/en/SDAIA/about/Pages/RegulationsAndPolicies.aspx (SA SCC)) apply to the Processing of Client Personal Data subject to the Saudi Arabia Data Protection Law (meaning the Saudi Arabia Personal Data Protection Law issued pursuant to Royal Decree No. (M/19) dated 9/2/1443 AH, as amended from time to time, and its implementing regulations), where Client, Red Hat, or both are located in Non-Adequate Countries. The parties acknowledge that the applicable module of the SA SCC will be determined by their respective role(s) as Controller and/or Processor under the circumstances of each transfer and are responsible for determining the correct role(s) undertaken to fulfil the appropriate obligations under the applicable module.
- Information required to complete the Appendices 1 to 3 of the SA SCC can be found in the Appendix of the EU Standard Contractual Clauses.
Japan:
The Japanese Act on the Protection of Personal Information no. 57 of 2003 (“APPI”), as amended and its accompanying regulations.
For the sake of clarity, Red Hat’s obligations to Client under the DPA shall be those that the APPI requires Client to have in place as “Business Operator”, to entrust the processing of Personal Data to Red Hat as “entrusted Business Operator”, as such terms are used in the APPI.
In case of a transfer of Personal Data from Japan to an overseas country for purposes of the APPI, the DPA applies and Section 5 “Transfers of Personal Data” is replaced as follows:
5. Transfers of Personal Data. In case of a transfer of Client Personal Data that is subject to APPI to a Non-Adequate Country, the parties agree that the DPA applies as legitimate measures required for such transfer. The parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the Client Personal Data by Red Hat prevent them from implementing their obligations under the DPA. The parties agree to notify the other party if, after having agreed to this DPA and for the duration of the contract, a party has reason to believe that either party cannot comply with its obligation under the DPA. In which case, the parties will cooperate in good faith to identify appropriate measures to be adopted to address the situation. If no appropriate measures can be implemented, the parties will evaluate together whether to suspend the transfer of Client Personal Data.
Client acknowledges that Red Hat’s services are not designed to handle Specific Personal Information as defined and subject to the Japanese My Number Act (i.e., the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No.27 of 2013), as may be amended), unless otherwise agreed between Red Hat and Client in the Agreement.
Singapore:
The Personal Data Protection Act 2012 No. 26 of 2012, as amended from time to time, and its accompanying regulations (“PDPA”). For the sake of clarity, Red Hat’s obligations to Client under the DPA are only those express obligations imposed by PDPA on a “Data Processor (data intermediary)” when processing personal data on behalf of “Data Controller (organisation)” pursuant to a contract, as “organisation” and “data intermediary” are defined by the PDPA.
South Africa:
The Protection of Personal Information Act (“POPIA”). For the sake of clarity, Red Hat’s obligations to Client under the DPA are those that POPIA requires that Red Hat as “Operator” have in place with a “Responsible Party”, as “Responsible Party” and “Operator” are referenced in POPIA.
State of California, United States:
The California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”) and its implementing regulations upon entering into force (referred to together below as “the CCPA/CPRA”). Red Hat’s obligations to Client under the DPA are those that the CCPA/CPRA requires that a "Business" have in place with a "Service Provider" (including amended Section 4(h), and new sections 4(j) and 4(k) below), as "Service Provider" and "Business" are defined by the CCPA/CPRA:
The following wording is added to the end of Section 4(h) of the DPA: Red Hat will notify Client if Red Hat determines that it can no longer meet its obligations under the CCPA/CPRA. In the event of unauthorized use of Client Personal Information, Client has the right, on notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Client Personal Information.
4(j) Red Hat will not further combine Client Personal Information, or use, retain or disclose Client Personal Information outside of the direct business relationship between Red Hat and Client or, for any purpose other than to perform the Services and business purpose(s) specified in the Agreement (including the DPA), or as otherwise permitted by the CCPA/CPRA. Red Hat will not Sell or Share Client Personal Information.
4(k) Unless expressly permitted in the Agreement between the parties, Red Hat commits not to reidentify any data deidentified by Client that Red Hat processes on behalf of Client (Client Deidentified Data), except solely for the purposes of determining whether its deidentification processes satisfy the requirements of the CCPA/CPRA, and to take reasonable measures that are available to Red Hat to avoid Client Deidentified Data being associated with a Consumer or Household, in compliance with its obligations under the CCPA/CPRA. If Red Hat is instructed by Client in the Agreement to reidentify Client Deidentified Data, Red Hat will treat Client Deidentified Data as Client Personal Information subject to the terms of this DPA.
The terms used in the applicable provisions of the DPA shall be replaced as follows: "Personal Data" shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; "Data Subject" shall mean "Consumer"; “Special or sensitive categories of Personal Data” shall mean “Sensitive Personal Information”; “Deidentified Data” shall mean data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable Consumer, or a device linked to such person; and “business purpose”, “Household”, “Sell” and “Share” shall have the meaning given to them by the CCPA/CPRA.
United States - De-identified Data provisions under U.S. Privacy Laws:
For the purposes of this Section, the term “U.S. Privacy Laws” means all federal or state laws, treaties, conventions, directives and regulations, currently in effect and as they become effective in the United States of America, its territories and possessions, any State of the United States, and the District of Columbia, related to the protection, security and/or privacy of Personal Data or Personal Information, including, without limitation the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Public Act no. 22-15 (CTDPA), and any laws having similar requirements. For the sake of clarity, Red Hat's obligations to Client under the DPA are only those express obligations imposed by the U.S. Privacy Laws on a “Processor” when processing Client Personal Data on behalf of a “Controller” (including new Section 4(j) below), as "Processor" and "Controller" are defined by the U.S. Privacy Laws:
4(j) Unless expressly permitted in the Agreement, Red Hat commits not to re-identify any Deidentified Data provided by Client in a deidentified form for Red Hat to process on behalf of Client and take reasonable measures that are available to Red Hat to avoid Deidentified Data being associated with a natural person, in compliance with its obligations under the U.S. Privacy Laws. If Red Hat is instructed by Client in the Agreement to reidentify Deidentified Data, Red Hat will treat Deidentified Data as Client Personal Data subject to the terms of this DPA. The terms used in the applicable provisions of the DPA shall be replaced as follows: "Subprocessor" shall mean "subcontractor"; "Data Subject" shall mean "Consumer"; "Special or sensitive categories of Personal Data" shall mean "Sensitive data"; "data protection impact assessment" shall mean "data protection assessment"; and “Deidentified Data” shall mean data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or a device linked to such person in accordance with the U.S. Privacy Laws.
Thailand:
The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).
Change Information:
- December 2025: Added transborder processing requirements for Brazil (Brazilian SCC), Serbia (Serbian SCC), Saudi Arabia (SA SCC), and Turkey (Turkish SCC). Added definition of U.S. Privacy Laws
- July 2023: Added Colorado Privacy Act (CPA), and Connecticut Data Privacy Act (CTDPA)
- April 2023: Added Japanese Act on the Protection of Personal Information no. 57 of 2003 (APPI)
- December 2022: Added Virginia Consumer Data Protection Act (VCDPA), and California section updated for California Privacy Rights Act of 2020 (CPRA)
- June 2022: Added Singapore Personal Data Protection (PDPA), South Africa Protection of Personal Information Act (POPIA), and Thailand Personal Data Protection Act (PDPA); UK section updated to add the Approved Addendum
- September 2021: UK section updated to refer to the 2010 version of the EU SCCs; new section on Switzerland added to apply the new EU SCCs
- June 2021: UK, California and Brazil sections updated