Data Protection Laws covered by the Red Hat Data Processing Addendum
The Red Hat Data Processing Addendum (“DPA”), available at https://www.openshift.com/legal/terms/ or https://www.redhat.com/en/about/agreements, applies to the Processing of Personal Data disclosed to Red Hat by Client as part of Your Content under the Red Hat Online Services Agreement or Appendix 4, as applicable (“Agreement”), if and to the extent i) the European General Data Protection Regulation (EU/2016/679) (“GDPR”); or ii) any other data protection laws identified below apply. The DPA prevails over any conflicting term of the Agreement.
Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados (“LGPD”). For the sake of clarity, Red Hat’s obligations to a Client under the DPA are only those express obligations imposed by LGPD on a "Data Processor (operador)" for the benefit of a "Data Controller (controlador)" (including new Section 4(j) below), as such terms "Data Controller (controlador)" and "Data Processor (operador)" are defined by the LGPD. The following new Section 4(j) of the DPA will apply:
4(j) Each party is responsible to fulfil its respective obligations set out in the LGPD, and Client will only issue Processing instructions, as set forth in Section 4(a) of the DPA, that enable Red Hat to fulfill its LGPD obligations. For the purpose of Section 5 of the DPA, the EU Standard Contractual Clauses will be used for transfers to Non-Adequate Countries as per the GDPR.
European Economic Area:
European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Art. 28 of the GDPR.
Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti; Official Gazette of the Republic of Serbia, no 87/2018).
State of California, United States:
The California Consumer Privacy Act of 2018 (“CCPA”). Red Hat’s obligations to Client under the DPA are those that the CCPA requires that a "Business" have in place with a "Service Provider" (including new Section 4(k) below), as "Service Provider" and "Business" are defined by the CCPA:
4(k) Red Hat will not further collect, Sell, retain, disclose or use the Personal Information of the Consumer for any purpose other than to perform the Services specified in the Agreement, or as otherwise permitted by CCPA. Red Hat certifies that it understands and will comply with the restrictions set forth in this Section 4(k).
The terms used in the applicable provisions of the DPA shall be replaced as follows: "Personal Data" shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Data Subject" shall mean "Consumer".
The Federal Act on Data Protection of 19 June 1992 (Switzerland) (“FADP”).
For the purpose of Section 5 of the DPA (Transfers of Personal Data), the EU Standard Contractual Clauses will be used for transfers to Non-Adequate Countries as per the GDPR. For Personal Data transfers subject exclusively to FADP, the Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority under Clause 13 and as set out in Annex I.C of the EU Standard Contractual Clauses and references to the GDPR in the EU Standard Contractual Clauses are understood to be references to FADP. For transfers of Personal Data subject to the EU Standard Contractual Clauses, Data Subjects in Switzerland are not excluded from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses.
The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), and the UK Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended, superseded or replaced (“UK GDPR”).
For the purpose of Section 5 of the DPA (Transfers of Personal Data), the European Commission decision 2010/87/EU, dated February 5, 2010 (excluding the optional illustrative clauses), will be used for transfers to Non-Adequate Countries in accordance with the UK GDPR (the “Prior SCCs”). By entering into the DPA, Client is entering into the Prior SCCs with each Red Hat entity that is located in a Non-Adequate Country and acting as a data importer. Red Hat shall enter into back-to-back Prior SCCs in accordance with Clause 11 of the Prior SCCs with any Subprocessor that is located in a Non-Adequate Country and is not a Red Hat data importer. The references to “Ireland” in Section 5 of the DPA and the references to the “law of the Member State in which the data exporter is established” in the Prior SCCs shall be replaced with “the laws of England” and “the courts of England and Wales,” respectively, and the references to the “Data Protection Commission of Ireland” in Section 5 and Annex I.C of the DPA shall be replaced with the “Information Commissioner’s Office of the UK.” Annex I and II of the EU Standard Contractual Clauses as set forth in the DPA will serve as Appendix 1 and 2 of the Prior SCCs.
- September 2021: UK section updated to refer to the 2010 version of the EU SCCs; new section on Switzerland added to apply the new EU SCCs
- June 2021: UK, California and Brazil sections updated