Site logo
    Baby Foods
    Beverages
    Breakfast Foods
    Condiments & Sauces
    Frozen Foods
    Snacks
    Supplements
    Natural Foods
    Processed Ingredients
    Processed Foods
    Ultra-Processed Foods
    Added Nutrients

    Last updated February 20, 2025

    Our SCC: [ https://factcheckfood.com/eea-standard-contractual-clauses ]

    Last updated on: February 20, 2025

    This Data Processing Agreement (“Agreement”) forms a legally binding contract between you (“Data Processor”) and Fact Check Food, USA (based in the United States) (“Fact Check Food” or the “Company”), and applies to the extent that Fact Check Food processes Customer Personal Data on your behalf when you are the Data Controller.

    WHEREAS

    1. (A) The Company acts as a Data Controller.

    2. (B) The Company wishes to subcontract certain services (“Services”), which imply the processing of personal data, to the Data Processor.

    3. (C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework regarding data processing, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”).

    4. (D) The Parties wish to set forth their respective rights and obligations.

    IT IS AGREED AS FOLLOWS:

    1. DEFINITIONS AND INTERPRETATION

    1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

    1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;

    1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the Company pursuant to or in connection with the Principal Agreement;

    1.1.3 “Contracted Processor” means a Subprocessor;

    1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

    1.1.5 “EEA” means the European Economic Area;

    1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

    1.1.7 “GDPR” means the EU General Data Protection Regulation 2016/679;

    1.1.8 “Data Transfer” means:

    • 1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or

    • 1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subprocessor, or between two establishments of a Contracted Processor,

    in each case where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

    1.1.9 “Services” means the food product and ingredient analysis, categorization, and informational content that the Company provides to help consumers understand the composition and processing of packaged foods;

    1.1.10 “Subprocessor” means any person appointed by or on behalf of a Processor to process Personal Data on behalf of the Company in connection with the Agreement.

    1.2 The terms “Commission,” “Controller,” “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Processing,” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

    2. PROCESSING OF COMPANY PERSONAL DATA

    2.1 Processor shall:

    2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

    2.1.2 not Process Company Personal Data other than on the Company’s documented instructions.

    2.2 The Company instructs the Processor to process Company Personal Data solely for the purposes of providing the Services as described in this Agreement and any Principal Agreement.

    3. PROCESSOR PERSONNEL

    The Processor shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Company Personal Data as necessary to fulfill the Processor’s obligations under the Principal Agreement, and to comply with Applicable Laws. The Processor shall ensure all such individuals are subject to confidentiality undertakings, professional obligations, or statutory obligations of confidentiality.

    4. SECURITY

    4.1 Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where relevant, the measures referred to in Article 32(1) of the GDPR.

    4.2 In assessing the appropriate level of security, the Processor shall consider the risks presented by the Processing, particularly those arising from a Personal Data Breach.

    5. SUBPROCESSING

    5.1 The Processor shall not appoint (or disclose any Company Personal Data to) any Subprocessor unless required or authorized in writing by the Company.

    6. DATA SUBJECT RIGHTS

    6.1 Taking into account the nature of the Processing, the Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as possible, to help fulfill the Company’s obligations to respond to requests from Data Subjects seeking to exercise their rights under Data Protection Laws.

    6.2 The Processor shall:

    6.2.1 promptly notify the Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

    6.2.2 ensure that it does not respond to such a request except on the Company’s documented instructions or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall (to the extent permitted by Applicable Laws) inform the Company of that legal requirement before responding.

    7. PERSONAL DATA BREACH

    7.1 The Processor shall notify the Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws.

    7.2 The Processor shall cooperate with the Company and take reasonable steps as directed by the Company to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

    8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

    The Processor shall provide reasonable assistance to the Company with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities that the Company reasonably considers necessary under Articles 35 or 36 of the GDPR (or equivalent provisions of any other Data Protection Law), in each case solely in relation to the Processing of Company Personal Data by the Contracted Processors, taking into account the nature of the Processing and information available to the Processor.

    9. DELETION OR RETURN OF COMPANY PERSONAL DATA

    9.1 Subject to this Section 9, the Processor shall promptly, and in any event within ten (10) business days from the date of cessation of any Services involving the Processing of Company Personal Data (“Cessation Date”), delete or procure the deletion of all copies of Company Personal Data.

    10. AUDIT RIGHTS

    10.1 Subject to this Section 10, the Processor shall make available to the Company, upon request, all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits (including inspections) by the Company or an auditor mandated by the Company in relation to the Processing of Company Personal Data by the Contracted Processors.

    10.2 The Company’s information and audit rights under Section 10.1 apply only to the extent that this Agreement does not otherwise provide information and audit rights meeting the relevant requirements of Data Protection Laws.

    11. DATA TRANSFER

    11.1 The Processor may not transfer or authorize the transfer of Company Personal Data to countries outside the EU and/or the EEA without the prior written consent of the Company. If personal data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure such personal data is adequately protected. Unless otherwise agreed, the Parties shall rely on EU-approved Standard Contractual Clauses for the transfer of personal data.

    12. GENERAL TERMS

    12.1 Confidentiality. Each Party shall keep this Agreement and any information it receives about the other Party (and its business) in connection with this Agreement (“Confidential Information”) confidential and shall not use or disclose that Confidential Information without the other Party’s prior written consent, except to the extent that:

    • (a) disclosure is required by law; or

    • (b) the information is already in the public domain.

    12.2 Notices. All notices and communications under this Agreement must be in writing and will be delivered personally, sent by post, or sent by email to the address or email address set out in the Agreement (or as otherwise notified in writing by the Parties).

    13. GOVERNING LAW AND JURISDICTION

    13.1 This Agreement is governed by the laws of the United States, specifically the laws of the State of Georgia, without regard to conflicts of law principles.

    13.2 Any dispute arising in connection with this Agreement, which cannot be resolved amicably, shall be submitted to the exclusive jurisdiction of the courts of the State of Georgia.