Data Protection Laws covered by the Red Hat Data Processing Addendum
The Red Hat Data Processing Addendum (“DPA”), available at https://www.openshift.com/legal/terms/ or https://www.redhat.com/en/about/agreements, applies to the Processing of Personal Data disclosed to Red Hat by Client as part of Your Content under the Red Hat Online Services Agreement or Appendix 4, as applicable (“Agreement”), if and to the extent i) the European General Data Protection Regulation (EU/2016/679) (“GDPR”); or if and to the extent ii) any other data protection laws identified below apply. The DPA prevails over any conflicting term of the Agreement.
Brazil’s General Data Protection Law, Lei Geral de Proteção de Dados (“LGPD”). For the sake of clarity, Red Hat’s obligations to a Client under the DPA are only those express obligations imposed by LGPD on a "Data Processor (operador)" for the benefit of a "Data Controller (Controlador)" (including new Section 4(j) below), as such terms "Data Controller (controlador)" and "Data Processor (operador)" are defined by the LGPD. In addition, a new section 4(j) to the DPA will apply:
4(j) Each party is responsible to fulfil its respective obligations set out in the LGPD, and Client will only issue Processing instructions, as set forth in Section 4(a) of the DPA, that enable Red Hat to fulfill its LGPD obligations. For the purpose of Section 5 of the DPA, the EU Standard Contractual Clauses will be used for transfers to Non-Adequate Countries as per the LGPD.
European Economic Area:
European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Art. 28 of the GDPR.
Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti; Official Gazette of the Republic of Serbia, no 87/2018).
The Japanese Act on the Protection of Personal Information no. 57 of 2003 (“APPI”), as amended and its accompanying regulations.
For the sake of clarity, Red Hat’s obligations to Client under the Addendum shall be those that the APPI requires Client to have in place as “Business Operator”, to entrust the processing of Personal Data to Red Hat as “entrusted Business Operator”, as such terms are used in the APPI.
In case of a transfer of Personal Data from Japan to an overseas country for purposes of the APPI, the Addendum applies and Section 5 “Transfers of Personal Data” is replaced as follows:
5. Transfers of Personal Data. The parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the Client Personal Data by Red Hat prevent them from implementing their obligations under the Addendum. The parties agree to notify the other party if, after having agreed to this Addendum and for the duration of the contract, a party has reason to believe that either party cannot comply with its obligation under the Addendum. In which case, the parties will cooperate in good faith to identify appropriate measures to be adopted to address the situation. If no appropriate measures can be implemented, the parties will evaluate together whether to suspend the transfer of Client Personal Data.
Client acknowledges that Red Hat’s services are not designed to handle Specific Personal Information as defined and subject to the Japanese My Number Act (i.e., the Act on the Use of Numbers to Identify a Specific Individual in the Administrative Procedure (Act No.27 of 2013), as may be amended), unless otherwise agreed between Red Hat and Client in the Agreement.
The Personal Data Protection Act 2012 No. 26 of 2012, as amended from time to time, and its accompanying regulations (“PDPA”). For the sake of clarity, Red Hat’s obligations to Client under the DPA are only those express obligations imposed by PDPA on a “Data Processor (data intermediary)” when processing personal data on behalf of “Data Controller (organisation)” pursuant to a contract, as “organisation” and “data intermediary" are defined by the PDPA.
The Protection of Personal Information Act (“POPIA”). For the sake of clarity, Red Hat’s obligations to Client under the DPA are those that POPIA requires that Red Hat as “Operator” have in place with a “Responsible Party”, as “Responsible Party” and “Operator” are referenced in POPIA.
State of California, United States:
The California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”) and its implementing regulations upon entering into force (referred to together below as “the CCPA/CPRA”). Red Hat’s obligations to Client under the DPA are those that the CCPA/CPRA requires that a "Business" have in place with a "Service Provider" (including amended Section 4(h), and new sections 4(j) and 4(k) below), as "Service Provider" and "Business" are defined by the CCPA/CPRA:
The following wording is added to the end of Section 4(h) of the DPA: Red Hat will notify Client if Red Hat determines that it can no longer meet its obligations under the CCPA/CPRA. In the event of unauthorized use of Client Personal Information, Client has the right, on notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Client Personal Information.
4(j) Red Hat will not further combine Client Personal Information, or use, retain or disclose Client Personal Information outside of the direct business relationship between Red Hat and Client or, for any purpose other than to perform the Services and business purpose(s) specified in the Agreement (including the DPA), or as otherwise permitted by the CCPA/CPRA. Red Hat will not Sell or Share Client Personal Information.
4(k) Unless expressly permitted in the Agreement between the parties, Red Hat commits not to reidentify any data deidentified by Client that Red Hat processes on behalf of Client (Client Deidentified Data), except solely for the purposes of determining whether its deidentification processes satisfy the requirements of the CCPA/CPRA, and to take reasonable measures that are available to Red Hat to avoid Client Deidentified Data being associated with a Consumer or Household, in compliance with its obligations under the CCPA/CPRA. If Red Hat is instructed by Client in the Agreement to reidentify Client Deidentified Data, Red Hat will treat Client Deidentified Data as Client Personal Information subject to the terms of this DPA.
The terms used in the applicable provisions of the DPA shall be replaced as follows: "Personal Data" shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; "Data Subject" shall mean "Consumer"; “Special or sensitive categories of Personal Data” shall mean “Sensitive Personal Information”; “Deidentified Data” shall mean data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable Consumer, or a device linked to such person; and “business purpose”, “Household”, “Sell” and “Share” shall have the meaning given to them by the CCPA/CPRA.
State of Virginia, United States:
The Consumer Data Protection Act (VCDPA). For the sake of clarity, Red Hat's obligations to Client under the DPA are only those express obligations imposed by the VCDPA on a “Processor” when processing Client Personal Data on behalf of a “Controller” (including new Section 4(j) below), as "Processor" and "Controller" are defined by the VCDPA:
4(j) Red Hat will Process any Deidentified Data provided by Client in a deidentified form without attempting to reidentify it and take reasonable measures that are available to Red Hat to avoid Deidentified Data being associated with a natural person. The terms used in the applicable provisions of the DPA shall be replaced as follows: "Subprocessor" shall mean "subcontractor"; "Data Subject" shall mean "Consumer"; "Special or sensitive categories of Personal Data" shall mean "Sensitive data”; "data protection impact assessment" shall mean "data protection assessment"; and “Deidentified Data” shall mean data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable natural person, or a device linked to such person.
The Federal Act on Data Protection of 19 June 1992 (Switzerland) (“FADP”).
For the purpose of Section 5 of the DPA (Transfers of Personal Data), the EU Standard Contractual Clauses will be used for transfers to Non-Adequate Countries as per the GDPR. For Personal Data transfers subject exclusively to FADP, the Federal Data Protection and Information Commissioner (FDPIC) shall act as the competent supervisory authority under Clause 13 and as set out in Annex I.C of the EU Standard Contractual Clauses and references to the GDPR in the EU Standard Contractual Clauses are understood to be references to FADP. For transfers of Personal Data subject to the EU Standard Contractual Clauses, Data Subjects in Switzerland are not excluded from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU Standard Contractual Clauses.
The Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).
The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), and the UK Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended, superseded or replaced (“UK GDPR”).
For the purpose of Section 5 of the DPA (Transfers of Personal Data), the EU Standard Contractual Clauses will be used for transfers to Non-Adequate Countries in accordance with the UK GDPR as further amended and supplemented by Section 5 of the DPA and Part 2: Mandatory Clauses of the template Addendum B.1.0 issued by the UK Information Commissioner’s Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those Mandatory Clauses and any successor clauses issued from time to time and officially published by the UK Information Commissioner’s Office pursuant to UK GDPR (the “Approved Addendum”). The information required by Part 1 of the Approved Addendum is set out in Annex I and Annex II to the DPA. With respect to Section 19 of the Approved Addendum, in the event the Approved Addendum changes, neither Party may end the Agreement except as provided for in this DPA or the Agreement.
- April 2023: Added Japanese Act on the Protection of Personal Information no. 57 of 2003 (APPI)
- December 2022: Added Virginia Consumer Data Protection Act (VCDPA), and California section updated for California Privacy Rights Act of 2020 (CPRA)
- June 2022: Added Singapore Personal Data Protection (PDPA), South Africa Protection of Personal Information Act (POPIA), and Thailand Personal Data Protection Act (PDPA); UK section updated to add the Approved Addendum
- September 2021: UK section updated to refer to the 2010 version of the EU SCCs; new section on Switzerland added to apply the new EU SCCs
- June 2021: UK, California and Brazil sections updated