Log in

Skip to content
Schedule a Meeting

Service Provider Data Protection Addendum

This Service Provider Data Protection Addendum (“Addendum”) forms part of, and is incorporated into, the Agreement (defined below) by and between Contact Center Compliance Corporation (“CCC”), and the party as identified in the Agreement (“Client”). In the course of providing the Services (defined below), CCC may Process Personal Data on behalf of Client and CCC and Client agree that the terms of this Addendum shall govern such Processing. All capitalized terms not otherwise defined in this Addendum will have the meaning given to them in the Agreement. In the event of any inconsistency or conflict between this Addendum and the Agreement, this Addendum will govern. This Addendum will survive termination or expiration of the Agreement for so long as CCC possesses or controls Personal Data (as defined below).

 

  1. Definitions. The following definitions shall apply in this Addendum:

"Agreement” means the agreement between CCC and Client that governs CCC’s provision of the Services to Client.

"Applicable Privacy Laws” means all applicable current and future federal, state, and local laws, ordinances, regulations, and orders relating to privacy, data security, and the processing, storage, protection, and disclosure of Personal Data, including, but not limited to, the California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, Colorado Privacy Act, Utah Consumer Privacy Act, Virginia Consumer Data Protection Act, and the Gramm-Leach-Bliley Act and its implementing regulations (collectively, “GLBA”).

“Data Subject” means a natural person about whom Personal Data relates and includes, without limitation, a “consumer” as defined under CCPA/CPRA.

“Data Subject Rights Request” means a request by a natural person to exercise one or more rights provided to such person under Applicable Privacy Laws.

“Personal Data” means any data provided by or on behalf of Client that CCC Processes in connection with the services it provides to Client under the Agreement that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified or identifiable person or household. The specific categories of Personal Data Processed by CCC are set forth in Attachment A (“Scope of Processing”).

“Process” or “Processing” means any operation or set of operations that are performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as access, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for monetary or other valuable consideration. A “sale” does not include disclosure of Personal Data to a third party when the applicable Data Subject uses or directs Client, or CCC, as applicable, to (i) intentionally disclose their Personal Data or (ii) intentionally interact with one or more third parties. “Sale” and its variants may be used uncapitalized in this Addendum for ease of reading.

“Share” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to a third party for cross-context behavioral advertising or targeted advertising (as defined under Applicable Privacy Laws), whether or not for monetary or other valuable consideration. “Share” does not include disclosure of Personal Data to a third party when the applicable Data Subject uses or directs Client, or CCC, as applicable, to (i) intentionally disclose their Personal Data or (ii) intentionally interact with one or more third parties. “Share” and its variants may be used uncapitalized in this Addendum for ease of reading.

“Services” means the provision of products and services to Client pursuant to the Agreement.

  1. CCC Obligations.

CCC represents, warrants, and covenants that:

a. CCC will Process Personal Data on behalf of Client and in accordance with Client’s written instructions for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing for CCC to fulfill its obligations under this Addendum; (iii) Processing initiated by Client; and (iv) Processing in accordance with other reasonable instructions provided by Client. Notwithstanding the foregoing, CCC may also Process Personal Data as necessary for CCC to comply with law and ensure the security and integrity of its service offerings.

b.  CCC will not (i) sell or share Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than the specific purpose of performing its obligations under the Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than fulfilling its obligations under the Agreement; or (iii) retain, use, or disclose Personal Data outside of the direct business relationship between Client and CCC.

c.  CCC will Process Personal Data in accordance with all Applicable Privacy Laws and will provide the same level of privacy protection to Personal Data as required under the relevant Applicable Privacy Laws.

d.  CCC and all CCC personnel and permitted subprocessors that Process Personal Data are under a binding obligation to protect the confidentiality and integrity of such Personal Data.

e.  Upon Client’s request not more than once per twelve-month period, CCC will reasonably cooperate with auditing by Client or any independent auditor selected by Client to ascertain compliance with this Addendum upon the request of Client. Client will provide at least thirty (30) days advance written notice of such audit and will reasonably cooperate with CCC to schedule such audit as to minimize its impact on CCC’s day-to-day business operations. Client will promptly, upon demand, reimburse CCC for CCC’s costs and expenses associated with such audit including reimbursement for staff time incurred.  If such audit concludes that CCC has not or is not Processing Personal Data in compliance with Applicable Privacy Laws or this Addendum, Client may take actions upon reasonable notice to CCC that are appropriate to stop and/or remediate CCC’s noncompliant Processing of Personal Data.

f. CCC will implement reasonable and appropriate technical, administrative, organizational, and physical safeguards to protect Personal Data against unauthorized or unlawful access, use, disclosure, alteration, loss, or destruction of Personal Data (each, a “Security Incident”).

g. CCC shall notify Client promptly in writing: within seventy-two (72) hours in the event that CCC discovers that a Security Incident has occurred. Such notice must include, to the extent known: (a) a description of the Security Incident, a summary of the event(s) that caused the Security Incident, and the date and time of the relevant event(s); (b) the categories and approximate numbers of individuals and Personal Data records impacted; (c) the nature and content of the Personal Data affected; (d) contact information of the data protection officer or other contact point where more information can be obtained; and (e) any measures taken to address the Security Incident. CCC shall reasonably cooperate in the investigation of the Security Incident. Client will not provide notification to public authorities, impacted Data Subjects, or other persons regarding the Security Incident that identifies CCC or refers to CCC without obtaining CCC’s prior written consent to the content and timing of such notification, which will not be unreasonably withheld. 

h.  CCC will notify Client promptly in writing in the event that it determines it is no longer able to meet its obligations under Applicable Privacy Laws or this Addendum. Upon receipt of such notice, Client may take actions upon reasonable notice to CCC that are appropriate to stop and/or remediate CCC’s noncompliant Processing of Personal Data.

 

i. CCC may disclose Personal Data to third party subprocessors with whom CCC has entered into a written contract with containing data protection obligations no less protective than those in this Addendum. Client consents to CCC’s disclosure of Personal Data to the subprocessors identified and available on our Subprocessors page. CCC will notify Client of any proposed additions to the subprocessors that it uses to Process Personal Data by updating the list at the foregoing website and give Client at least ten (10) calendar days from the date of the update to object to such additions based on reasonable data security or privacy concerns prior to disclosing Personal Data to the new subprocessors (the “Objection Period”). If Client does not object to the new subprocessors within the Objection Period based on reasonable data security or privacy concerns, Client will be deemed to have approved the new subprocessors. If Client objects based on reasonable data security or privacy concerns, the parties will negotiate in good faith to resolve Client’s concerns or develop a reasonable work around plan. If after at least thirty (30) days of good faith negotiations the parties are unable to resolve Client’s concerns of develop a reasonable work around plan, either party may terminate the Agreement upon written notice to the other party.  

j.   CCC will promptly notify Client of any Data Subject Rights Requests it receives and will reasonably cooperate with Client in providing information or taking actions needed to resolve the Data Subject Rights Request subject to any exemptions or exceptions available under Applicable Privacy Laws. CCC will not respond to any Data Subject Rights Request unless directed to do so by Client. Notwithstanding the foregoing, CCC may inform the Data Subject that they should direct their request to Client and provide Client’s contact information. Client will promptly notify CCC of Data Subject Rights Requests received by Client to which CCC must comply and provide information reasonably necessary for CCC to comply with such Data Subject Rights Requests.

k.  At the direction of Client, CCC will reasonably assist Client in conducting a data protection impact assessment, risk assessment, cybersecurity audit, and/or consultations with any governmental authority. Client will promptly, upon demand, reimburse CCC for CCC’s costs and expenses associated with such assistance including reimbursement for staff time incurred.

l.  To the extent prohibited by Applicable Privacy Laws, CCC will not combine Personal Data it Processes on behalf of Client with personal data it Processes on behalf of third parties or itself.

m.  Upon termination of the Agreement or upon Client’s request, CCC will return or destroy, at Client’s option, any or all Personal Data in its possession or control unless retention of such Personal Data is (i) required by laws or regulations applicable to CCC, (ii) determined by CCC to be reasonably necessary to defend against or prosecute legal claims or to preserve the security and integrity of its service offerings, or (iii) consented to by Client. Notwithstanding the foregoing, if return of the Personal Data is impractical, CCC may destroy such Personal Data.

Limitation of Liability. The liability of the parties under this Addendum shall be subject to the limitations and exclusions set forth in the Agreement.

 

Attachment A
Scope of Processing

 

1.  Subject Matter: The context for the Processing of Client Personal Data is CCC’s provision of the Services under the Agreement.

2.  Duration of Processing: CCC will Process Client Personal Data until expiration or termination of the Agreement, or until earlier directed by Client to cease Processing Client Personal Data.

3.  Nature and Purpose of Processing: CCC will Process Client Personal Data to provide the Services identified in the Agreement, namely to scrub Client Personal Data against select regulatory and private databases.

4.  Categories of Data Subjects:  CCC will Process Personal Data that relates to any and all Data Subjects about whom Client transfers Personal Data to CCC or authorizes CCC to collect Personal Data regarding, to provide Services under the Agreement.

5.  Categories of Personal Data Processed: Client may submit Personal Data to CCC as determined by Client in its sole discretion and which may include:

  • Identifiers
    • First and last name
    • Alias
    • Postal address
    • Email address
    • Telephone number

6. Categories of Sensitive Personal Data Processed: CCC does not process Personal Data that may be considered sensitive. If CCC receives sensitive Personal Data, CCC will delete it.