ZaapIT

Scope

1.1

This CSB Privacy Code addresses the Processing of Personal Information of Customers, Suppliers and Business Partners and other Individuals by ZaapIT or a Third Party Processor on behalf of ZaapIT (collectively, CSB Information). This CSB Privacy Code does not address the Processing of Personal Information of Employees in the context of their employment relationship with ZaapIT unless and to the extent such Employee is a Customer of ZaapIT.

Opt-out for Local-for-Local Processing

1.2

A Group Company not established in the EEA and not covered by an Adequacy Decision may opt-out of the applicability of this CSB Privacy Code in respect of Processing of CSB Information collected in connection with the activities of such Group Company, provided such CSB Information is subsequently Processed in the relevant jurisdiction of such Group Company only (Local-for-Local Processing). The opt-out by a Group Company for Local-to-Local Processing requires the prior authorization of the Chief Privacy Officer. Notwithstanding such an authorization, the Local-for-Local Processing shall at least be compliant with applicable local laws and the security and governance requirements of this CSB Privacy Code.

Electronic and paper-based Processing

1.3

This CSB Privacy Code shall apply to the Processing of CSB Information by electronic means and in systematically accessible paper-based filing systems.

Applicability of local law and CSB Privacy Code

1.4

Nothing in this CSB Privacy Code will be construed to take away any rights and remedies that Individuals may have under applicable local law. This CSB Privacy Code provides supplemental rights and remedies to Individuals only.

Sub-policies and notices

1.5

ZaapIT may supplement this CSB Privacy Code through sub-policies, procedures or guidelines that are consistent with this CSB Privacy Code.

Accountability

1.6

This CSB Privacy Code is binding on ZaapIT. The Responsible Executive is accountable for his or her business organization’s compliance with this CSB Privacy Code. ZaapIT Staff must comply with this CSB Privacy Code.

Effective Date

1.7

This CSB Privacy Code will enter into force as of June 11, 2018 (Effective Date) and will be published on the ZaapIT’s website and ZaapIT’s intranet site and shall be made available to Individuals upon request.

CSB Privacy Code supplements prior policies

1.8

This CSB Privacy Code supplements all ZaapIT privacy policies and notices that exist on the Effective Date.

Implementation

1.9

This CSB Privacy Code shall be implemented in the ZaapIT organization based on the timeframes specified in Article 22.

Legitimate Business Purposes

2.1

CSB Information shall be collected, used or otherwise Processed by ZaapIT in the context of the provision of Customer Services, use of Supplier Services, and Business Development with Business Partners for one (or more) of the following purposes (Business Purposes):

i. Assessment and acceptance of a Customer, Supplier, or Business Partner; conclusion and execution of agreements with a Customer, Supplier, or Business Partner and the settlement of payment transactions. This purpose includes Processing of CSB Information that is necessary in connection with the assessment and acceptance of Customers, Suppliers, or Business Partners, including confirming and verifying the identity of relevant Individuals (this may involve the use of a credit reference agency or other Third Party), conducting due diligence, and screening against publicly available government and/or law enforcement agency sanctions lists and other third-party data sources, the use of and participation in ZaapIT’s incident registers and sector warning systems, and/or third party verification services.

This purpose also includes Processing of CSB Information in connection with the execution of agreements, including the delivery of Customer Services and the settlement of payment transactions in the context of which ZaapIT may provide CSB Information to the counterparty or other parties as necessary, e.g., for verification or reconstruction purposes;

ii. Performance of Customer Services. This purpose addresses Processing of CSB Information necessary for the performance of Customer Services;

iii. Use of Supplier Services. This purpose addresses Processing of CSB Information necessary for the use of Supplier Services by ZaapIT;

iv. Business Development with Business Partners. This purpose addresses Processing of CSB Information necessary for Business Development between ZaapIT and Business Partners;

v. Development and improvement of products and/or services. This purpose includes Processing of CSB Information that is necessary for the development and improvement of ZaapIT products and/or services, research and development;

vi. Relationship management and marketing. This purpose includes activities such as maintaining and promoting contact with Customers, Suppliers and Business Partners, account management, customer service, recalls, collection of CSB Information through ZaapIT websites, and the development, execution and analysis of market surveys and marketing strategies;

vii. Business process execution, internal management and management reporting. This purpose includes the management of company assets; credit assessment (including setting credit limits) and risk management, conducting audits and investigations; finance and accounting; implementing business controls; provision of central processing facilities for efficiency purposes; managing mergers, acquisitions and divestitures; Processing CSB Information for management reporting and analysis; archive and insurance purposes; legal or business consulting; and preventing, preparing for or engaging in dispute resolution;

viii. Health, safety, security and integrity, including the safeguarding of the security and integrity of the business sector. This purpose includes the protection of the interests of ZaapIT and its Employees and Customers, including the safeguarding of the security and integrity of their business sector, in particular detecting, preventing, investigating and combating (attempted) criminal or objectionable conduct directed against ZaapIT, its Employees or Customers, including the use of and participation in ZaapIT's incident registers and sector warning systems, and activities such as those involving health and safety, the protection of ZaapIT and Employee assets, and the authentication of Customer, Supplier or Business Partner status and access rights (such as required screening activities for access to ZaapIT’s premises or systems);

ix. Compliance with law. This purpose addresses Processing of CSB Information necessary for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which ZaapIT is subject, including the disclosure of CSB Information to government institutions or supervisory authorities, including tax authorities, including prevention of money laundering, financing of terrorism and other crimes, customer due diligence and the duty of care towards Customers (e.g., credit monitoring); or

x. Protection of the vital interests of Individuals. This purpose addresses Processing necessary to protect the vital interests of an Individual.

Where there is a question whether a certain Processing of CSB Information can be based on a Business Purpose listed above, the appropriate Privacy Lead should be consulted before the Processing takes place.

Consent

2.2

In addition to the Business Purposes listed in Article 2.1, CSB Information may be Processed if the Individual has given his or her consent to the Processing. If Applicable Data Controller Law requires that ZaapIT requests consent of the Individual for the relevant Processing, ZaapIT shall, in addition to ensuring that a Business Purpose exists for the Processing, also seek consent of the Individual for the Processing.

When seeking consent, ZaapIT must inform the Individual:

i. of the purposes of the Processing for which consent is required;

ii. which Group Company is responsible for the Processing;

iii. the right to withdraw his or her consent at any time;

iv. that withdrawal of consent does not affect the lawfulness of the relevant Processing before such withdrawal.

Where Processing is undertaken at the request of an Individual (e.g., he or she subscribes to a service or seeks a benefit), he or she is deemed to have provided consent to the Processing.

Granting, denial or withdrawal of consent

2.3

The Individual may deny or withdraw consent at any time. Upon withdrawal of consent, ZaapIT will discontinue such Processing as soon as reasonably practical. The withdrawal of consent shall not affect (i) the lawfulness of the Processing based on such consent before its withdrawal; and (ii) the lawfulness of Processing for Business Purposes not based on consent after withdrawal.

Use of CSB Information for Secondary Purposes

3.1

Generally, CSB Information shall be used only for the Business Purposes. CSB Information may be Processed for a business purpose other than the Business Purposes (Secondary Purpose) only if the Secondary Purpose is closely related to the Business Purpose(s). Depending on the sensitivity of the relevant CSB Information and whether use of the CSB Information for the Secondary Purpose has potential negative consequences for the Individual, such use may require additional measures such as:

i. limiting access to the CSB Information;

ii. imposing additional confidentiality requirements;

iii. taking additional security measures, including encryption or pseudonymization;

iv. informing the Individual about the Secondary Purpose;

v. providing an opt-out opportunity to the Individual; or

vi. obtaining an Individual's consent in accordance with Article 2.2 or Article 4.3 (if applicable).

Generallypermitted uses for Secondary

Purposes

3.2

It is generally permissible to Process CSB Information for the following purposes (even if not listed as a Business Purpose), provided appropriate additional measures are taken in accordance with Article 3.1:

i. transfer of the CSB Information to an Archive;

ii. internal audits or investigations;

iii. implementation of business controls and operational efficiency;

iv. statistical, historical or scientific research;

v. dispute resolution;

vi. legal or business consulting; or

vii. insurance purposes.

Specific purposes for Processing Sensitive Information

4.1

This Article sets forth specific rules for Processing Sensitive Information. ZaapIT shall Process Sensitive Information only to the extent necessary to serve the applicable Business Purpose.

The following categories of Sensitive Information may be collected, used or otherwise Processed for one (or more) of the purposes specified below:

i. Racial or ethnic CSB Information: in some countries, photos and video images of Individuals qualify as racial or ethnic information. ZaapIT may process photos (e.g., a copy of a passport containing a photo) and video images for the protection of ZaapIT and Employee assets; site access and security reasons; assessment and acceptance of Customers, including the identification and authentication of Customers (including confirming and verifying the identity of relevant Individuals); Supplier or Business Partner status and access rights; and to verify and confirm advice or record decisions made in the course of business for future reference (e.g. when Individuals participate in video conferencing which is recorded);

ii. Criminal CSB Information (including CSB Information relating to criminal behavior, criminal records or proceedings regarding criminal or unlawful behavior), may be processed as necessary for assessment and acceptance of Customers, including the identification and authentication of Customers (including confirming and verifying the identity of relevant Individuals); the execution of an agreement with Customers; and to protect the interests of ZaapIT, its Employees and Customers and for the use of and the participation in ZaapIT’s incident registers and sector warning systems;

iii. Physical or mental health CSB Information: May be processed as necessary for the assessment and acceptance of a Customer, the execution of an agreement with a Customer, and compliance with ZaapIT’s duty of care towards Customers;

iv. Religion or beliefs: May be processed to accommodate specific products or services for a Customer, such as dietary requirements related to religion or beliefs, or religious holidays;

v. Biometric CSB Information (e.g., fingerprints): for the protection of ZaapIT and its Employees, assets, site access and security reasons.

General Purposes for Processing of Sensitive Information

4.2

In addition to the specific purposes listed in Article 4.1 above, all categories of Sensitive Information may be Processed under (one or more of) the following circumstances:

i. as required or allowed for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which ZaapIT is subject;

ii. for dispute resolution and/or fraud prevention;

iii. to protect a vital interest of an Individual, but only where it is impossible to obtain the Individual’s consent first;

iv. to the extent necessary to comply with an obligation of international public law (e.g., a treaty); or

v. if the Sensitive Information has been posted or otherwise shared at the Individual’s own initiative on ZaapIT social media or has manifestly been made public by the Individual.

Consent, and the denial or withdrawal thereof

4.3

In addition to the specific purposes listed in Article 4.1 and the general purposes listed in Article 4.2, all categories of Sensitive Information may be Processed if the Individual has given his or her explicit consent to the Processing.

If Applicable Data Controller Law requires that ZaapIT requests consent of the Individual for the relevant Processing, ZaapIT shall, in addition to ensuring that one of the grounds listed in Article 4.1 or 4.2 exists for the Processing, also seek consent of the Individual for the Processing.

The requirements set out in Articles 2.2 and 2.3 apply to the granting, denial or withdrawal of consent.

Prior Authorization of the Chief Privacy Officer

4.4

Where Sensitive Information is Processed based on a requirement of law other than the local law applicable to the Processing, the Processing requires the prior authorization of the appropriate Chief Privacy Officer.

Use of Sensitive Information for Secondary Purposes

4.5

Sensitive Information of Individuals may be Processed for Secondary Purposes in accordance with Article 3.

No Excessive CSB Information

5.1

ZaapIT shall restrict the Processing of CSB Information to CSB Information that is reasonably adequate for and relevant to the applicable Business Purpose. ZaapIT shall take reasonable steps to delete or make unrecoverable CSB Information that is not required for the applicable Business Purpose.

Storage period

5.2

ZaapIT generally shall retain CSB Information only for the period required to serve the applicable Business Purpose, to the extent reasonably necessary to comply with applicable law, or as advisable in light of an applicable statute of limitations. ZaapIT may specify (e.g., in a sub-policy, notice or records retention schedule) a time period for which certain categories of CSB Information may be kept.

Promptly after the applicable storage period has ended, the Privacy Lead shall direct that the CSB Information be:

i. securely deleted or destroyed;

ii. de-identified; or

iii. transferred to an Archive (unless this is prohibited by law or an applicable records retention schedule).

Quality of CSB Information

5.3

CSB Information should be accurate, complete and kept up-to-date to the extent reasonably necessary for the applicable Business Purpose.

‘Privacy by Design’

5.4

ZaapIT shall take commercially reasonable technical and organizational steps to ensure that the requirements of this Article 5 are implemented into the design of new systems and processes that Process CSB Information.

Accurate, complete and up-to-date CSB Information

5.5

It is the responsibility of Individuals to ensure that their CSB Information, as held by ZaapIT, is accurate, complete and up-to-date. Individuals shall inform ZaapIT regarding any changes to their CSB Information in accordance with Article 7.

Information requirements

6.1

ZaapIT shall inform Individuals through a privacy policy or notice about:

i. the Business Purposes (including Secondary Purposes) for which their CSB Information is Processed;

ii. which Group Company is responsible for the Processing as well as the contact information of the Privacy Office;

iii. the categories of Third Parties to which the CSB Information is disclosed (if any), whether any such Third Party is covered by an Adequacy Decision and if not, information on the data transfer mechanism as referred to in Article 11.6 (ii), (iv) or (v) as well as the means to get a copy thereof or access thereto; and

iv. other relevant information, e.g.:

i. the nature and categories of the CSB Information Processed;

ii. the period for which the CSB Information will be stored or (if not possible) the criteria used to determine this period;

iii. an overview of the rights of Individuals under this CSB Privacy Code, how these can be exercised, including the right to obtain compensation;

iv. the existence of automated decision making referred to in Article 10 as well as meaningful information about the logic involved and potential negative consequences thereof for the Individual; or

v. the source of the CSB Information (where the CSB Information has not been obtained from the Individual), including whether the CSB Information came from a public source.

CSB Information not obtained from the Individual

6.2

Where CSB Information has not been obtained directly from the Individual, ZaapIT shall provide the Individual with the information as set out in Article 6.1:

i. within reasonable period after obtaining CSB Information but at least within one month, having regard to specific circumstances of the CSB Information Processed;

ii. if CSB Information is used for communication with the Individual, at the latest at the time of the first communication with the Individual;

iii. if a disclosure to another recipient is envisaged, at the latest when CSB Information is first disclosed.

Exceptions

6.3

The requirements of Article 6.1 and 6.2 may be inapplicable if:

i. the Individual already has the information as set out in Article 6.1;

ii. it would be impossible or would involve a disproportionate effort to provide the information to Individuals, in which case ZaapIT will take additional measures to mitigate potential negative consequences for the Individual, such as those listed in Article 3.1;

iii. obtaining CSB Information is expressly laid down in applicable law; or

iv. the CSB Information must remain confidential subject to an obligation of professional secrecy regulated by applicable local law, including a statutory obligation of secrecy.

These exceptions to the above requirements qualify as Overriding Interests as set out in Article 12.

Right of Access

7.1

Every Individual has the right to request a copy of his or her CSB Information Processed by or on behalf of ZaapIT, and further, where reasonably possible, access to the information listed in Article 6.1 or 6.2.

Right to Rectification, Deletion, and Restriction

7.2

If the CSB Information is incorrect, incomplete, or not Processed in compliance with Applicable Data Controller Law or this CSB Privacy Code, the Individual has the right to have his or her CSB Information rectified, deleted or the Processing thereof restricted (as appropriate). In case the CSB Information has been made public by ZaapIT, and the Individual is entitled to deletion of the CSB Information, in addition to deleting the relevant CSB Information, ZaapIT shall take commercially reasonable steps to inform Third Parties that are Processing the relevant CSB Information or linking to the relevant CSB Information, that the Individual has requested the deletion of the CSB Information by such Third Parties.

Right to Object

7.3

The Individual has the right to object to:

i. the Processing of his or her CSB Information on the basis of compelling grounds related to his or her particular situation, unless ZaapIT can demonstrate a prevailing legitimate interest for the Processing; and

ii. receiving marketing communications on the basis of Article 9 (including any profiling related thereto).

Restrictions to Rights of Individuals

7.4

The rights of Individuals set out in Articles 7.1-7.3 above do not apply in one or more of the following circumstances:

i. the Processing is required or allowed for the performance of a task carried out to comply with a legal obligation of ZaapIT;

ii. the Processing is required by or allowed for a task carried out in the public interest, including in the area of public health and for archiving, scientific or historical research or statistical purposes;

iii. the Processing is necessary for exercising the right of freedom of expression and information;

iv. for dispute resolution purposes;

v. the exercise of the rights by the Individual adversely affects the rights and freedoms of ZaapIT or others; or

vi. in case a specific restriction of the rights of Individuals applies under Applicable Data Controller Law.

Procedure

7.5

The Individual should send his or her request to the contact indicated in the relevant privacy statement or notice. Individuals may also send their request to the office of the Chief Privacy Officer via email to support+privacy@ZaapIT.com.

Prior to fulfilling the request of the Individual, ZaapIT may require the Individual to:

i. specify the categories of CSB Information to which he or she is seeking access;

ii. specify, to the extent reasonably possible, the system in which the CSB Information is likely to be stored;

iii. specify the circumstances in which ZaapIT obtained the CSB Information;

iv. provide proof of his or her identity when ZaapIT has reasonable doubts concerning such identity, or to provide additional information enabling his or her identification;

v. pay a fee to compensate ZaapIT for the reasonable costs relating to fulfilling the request of the Individual provided ZaapIT can reasonably demonstrate that the request is manifestly unfounded or excessive, e.g., because of its repetitive character; and

vi. in case of a request for rectification, deletion, or restriction, specify the reasons why the CSB Information is incorrect, incomplete or not Processed in accordance with Applicable Data Controller Law or this CSB Privacy Code.

Response period

7.6

Within one calendar month of ZaapIT receiving the request, ZaapIT shall inform the Individual in writing or electronically either (i) of ZaapIT’s position with regard to the request and any action ZaapIT has taken or will take in response, or (ii) the ultimate date on which he or she will be informed of ZaapIT’s position and the reasons for the delay, which shall be no later than two calendar months after the original one month period.

Complaint

7. 7

An Individual may file a complaint in accordance with Article 17.3 and/or file a complaint or claim with the authorities or the courts in accordance with Article 18 if:

i. the response to the request is unsatisfactory to the Individual (e.g., the request is denied);

ii. the Individual has not received a response as required by Article 7.6; or

iii. the time period provided to the Individual in accordance with Article 7.6 is, in light of the relevant circumstances, unreasonably long, and the Individual has objected but has not been provided with a shorter, more reasonable time period in which he or she will receive a response.

Denial of requests

7.8

ZaapIT may deny an Individual’s request if:

i. the request does not meet the requirements of Articles 7.1-7.3 or meets the requirements of Article 7.4;

ii. the request is not sufficiently specific;

iii. the identity of the relevant Individual cannot be established by reasonable means, including additional information provided by the Individual;

iv. ZaapIT can reasonably demonstrate that the request is manifestly unfounded or excessive, e.g., because of its repetitive character. A time interval between requests of six months or less shall generally be deemed to be an unreasonable time interval.

No requirement to Process identifying information

7.9

ZaapIT is not obliged to Process additional information in order to be able to identify the Individual for the sole purpose of facilitating the rights of the Individual under this Article 7.

Security requirement

8.1

ZaapIT shall take appropriate commercially reasonable technical, physical and organizational measures to protect CSB Information from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition or access. To achieve this, ZaapIT has developed and implemented the ZaapIT Information Security Management System and other sub-policies and guidelines relating to the protection of CSB Information.

Data access and confidentiality

8.2

ZaapIT shall provide ZaapIT Staff access to CSB Information only to the extent necessary to serve the applicable Business Purpose and to perform their job. ZaapIT shall impose confidentiality obligations on Staff with access to CSB Information.

Data Security Breach notification requirement

8.3

ZaapIT shall document any Information Security Breaches, comprising the facts relating to the Information Security Breach, its effects and the remedial actions taken, which documentation will be made available to the Israeil DPA and a DPA competent to audit under Article 16.2 upon request. If Applicable Data Controller Law so requires, ZaapIT shall notify Individuals of a Data Security Breach as soon as reasonably possible following its determination that a Data Security Breach has occurred, unless otherwise prohibited such as if a law enforcement official or a supervisory authority determines that notification would impede a (criminal) investigation or cause damage to national security the trust in the relevant industry sector. In this case, notification shall be delayed as instructed by such law enforcement official or supervisory authority. ZaapIT shall respond promptly to inquiries of Individuals relating to such Data Security Breach.

Direct marketing

9.1

This Article sets forth requirements concerning the Processing of CSB Information for direct marketing purposes (e.g., contacting the Individual by email, fax, phone, SMS or otherwise, with a view of solicitation for commercial or charitable purposes).

Consent for direct marketing (opt-in)

9.2

If Applicable Data Controller Law so requires, ZaapIT shall only send to Individuals unsolicited commercial communication by email, fax, sms and mms with the prior consent of the Individual ("opt-in"). If Applicable Data Controller Law does not require prior consent of the Individual, ZaapIT shall offer the Individual the opportunity to opt-out of such unsolicited commercial communication.

Exception (opt-out)

9.3

Prior consent of the Individual for sending unsolicited commercial communication by email, fax, sms and mms is not required under this CSB Privacy Code if:

i. an Individual has provided his or her electronic contact details to a Group Company in the context of a sale of a product or service of such Group Company;

ii. such contact details are used for direct marketing of such Group Company's own similar products or services; and

iii. the Individual clearly and distinctly has been given the opportunity to object free of charge, and in an easy manner, to such use of his or her electronic contact details when they are collected by the Group Company.

Information to be provided in each communication

9.4

In every direct marketing communication that ZaapIT makes to the Individual, ZaapIT shall offer the Individual the opportunity to opt-out of further direct marketing communications from ZaapIT.

Objection to direct marketing

9.5

If an Individual objects to receiving marketing communications from ZaapIT, or withdraws his or her consent to receive such communications, ZaapIT will take steps to refrain from sending further marketing communications as specifically requested by the Individual. ZaapIT will do so within the time period required by Applicable Data Controller Law.

Third Parties and Direct marketing

9.6

If Applicable Data Controller Law so requires, ZaapIT shall only provide CSB Information to, or use CSB Information on behalf of, Third Parties for Third Parties’ own direct marketing purposes with the prior opt-in consent of the Individual. If Applicable Data Controller Law does not require prior consent of the Individual, ZaapIT shall offer the Individual the opportunity to opt-out of such Third Party direct marketing purposes.

Personal Information of Children

9.7

ZaapIT shall not use any Personal Information of Children for direct marketing, without the prior consent of the holders of parental responsibility over the Children. ZaapIT shall make reasonable efforts to verify that consent is given or authorized by the holders of parental responsibility over the Children.

Direct marketing records

9.8

ZaapIT shall keep a record of Individuals that exercised their "opt-in" or "opt-out" right and will regularly check the public opt-out registers in accordance with Applicable Data Controller Law.

Automated decisions

10.1

Automated tools may be used to make decisions about Individuals, but decisions with a significant negative outcome for the Individual may not be based solely on the results provided by the automated tool. This restriction does not apply if:

i. the use of automated tools is necessary for the performance of a task carried out to comply with a legal obligation or sectorial recommendation to which ZaapIT is subject;

ii. the decision is made by ZaapIT for purposes of (a) entering into or performing a contract or (b) managing the contract, provided the underlying request leading to a decision by ZaapIT was made by the Individual (e.g., where automated tools are used to filter promotional game submissions); or

iii. the decision is made based on the explicit consent of the Individual.

Items (i) and (iii) only apply if suitable measures are taken to safeguard the legitimate interests of the Individual (e.g., the Individual has been provided with an opportunity to express his or her point of view).

The requirements set out in Articles 2.2 and 2.3 apply to the requesting, denial or withdrawal of Individual consent.

Transfer to Third Parties

11.1

This Article sets forth requirements concerning the transfer of CSB Information from ZaapIT to a Third Party. Note that a transfer of CSB Information includes situations in which ZaapIT discloses CSB Information to a Third Party (e.g., in the context of corporate due diligence) or where ZaapIT provides remote access to CSB Information to a Third Party.

Third Party Controllers and Third Party Processors

11.2

There are two categories of Third Parties:

i. Third Party Controllers: these are Third Parties that Process CSB Information and determine the purpose and means of the Processing (e.g., ZaapIT Business Partners that provide their own goods or services directly to Customers);

ii. Third Party Processors: these are Third Parties that Process CSB Information solely on behalf of ZaapIT and at its direction (e.g., Third Parties that Process CSB Information in performing service or technical customer support for Customers, or hosting services).

Transfer for applicable Business Purpose only

11.3

ZaapIT shall transfer CSB Information to a Third Party to the extent necessary to serve the applicable Business Purpose (including Secondary Purposes as per Article 3 or purposes for which the Individual has provided consent in accordance with Article 2).

Third Party Controller contracts

11.4

Third Party Controllers (other than government agencies) may Process CSB Information transferred by ZaapIT only if they have a written or electronic contract with ZaapIT. In the contract, ZaapIT shall seek to contractually protect the privacy protection interests of its Individuals when CSB Information is Processed by Third Party Controllers. All such contracts shall be drafted consistent with appropriate contracting guidelines.

Third Party Processor contracts

11.5

Third Party Processors may Process CSB Information only if they have a validly entered into written or electronic agreement with ZaapIT (Processor Contract). The Processor Contract must include the following provisions:

i. the Third Party Processor shall Process CSB Information only for the purposes authorized by ZaapIT and in accordance with ZaapIT's documented instructions including on transfers of CSB Information to any Third Party Processor not covered by an Adequacy Decision, unless the Third Party Processor is required to do so under mandatory requirements applicable to the Third Party Processor and notified to ZaapIT;

ii. the Third Party Processor shall keep the CSB Information confidential and shall impose confidentiality obligations on Staff with access to CSB Information;

iii. the Third Party Processor shall take appropriate technical, physical and organizational security measures to protect the CSB Information;

iv. the Third Party Processor shall only permit subcontractors to Process CSB Information in connection with its obligations to ZaapIT (a) with the prior specific or generic consent of ZaapIT and (b) based on a validly entered into written or electronic agreement with the subcontractor, which imposes similar privacy protection-related Processing terms as those imposed on the Third Party Processor under the Processor Contract and provided that the Third Party Processor remains liable to ZaapIT for the performance of the subcontractor in accordance with the terms of the Processor Contract. In case ZaapIT provides generic consent for involvement of subcontractors, the Third Party Processor shall provide notice to ZaapIT of any changes in its subcontractors and will provide ZaapIT the opportunity to object to such changes based on reasonable grounds;

v. ZaapIT should be able to verify the security measures taken by the Third Party Processor (a) by an obligation of Third Party Processor to submit its relevant information processing facilities to audits and inspections by ZaapIT, a Third Party on behalf of ZaapIT, or any relevant government authority; or (b) by means of a statement issued by a qualified independent third party assessor on behalf of Third Party Processor certifying that the information processing facilities of the Third Party Processor used for the Processing of the CSB Information comply with the requirements of the Processor Contract;

vi. The Third Party Processor shall deal promptly and appropriately with:

i. requests for information necessary to demonstrate compliance of the Third Party Processor with its obligations under the Processor Contract and will inform ZaapIT if any instructions of ZaapIT in this respect violate Applicable Data Controller Law;

ii. requests and complaints of CSB individuals as instructed by ZaapIT; and

iii. requests for assistance of ZaapIT as reasonably required to ensure compliance of the Processing of the CSB Information with Applicable Data Controller Law;

vii. The Third Party Processor shall promptly inform ZaapIT of a Data Security Breach involving CSB Information; and

viii. Upon termination of the Processor Contract, the Third Party Processor shall, at the option of ZaapIT, return the CSB Information and copies thereof to ZaapIT or shall securely delete such CSB Information, except to the extent the Processor Contract or applicable law provides otherwise.

Transfer of CSBInformation to Third Parties outside the EEA that are not covered by Adequacy Decisions

11.6

This Article sets forth additional rules for CSB Information that is (a) collected originally in connection with activities of a Group Company that is located in the EEA or covered by an Adequacy Decision; and (b) transferred to a Third Party that is located outside the EEA and not covered by an Adequacy Decision.

CSB Information may be transferred only if:

i. the transfer is necessary for the performance of a contract with the Individual, for managing a contract with the Individual, or to take necessary steps at the request of the Individual prior to entering into a contract, e.g., for processing orders;

ii. a contract has been concluded between ZaapIT and the relevant Third Party requiring that (a) such Third Party shall be bound by the terms of this CSB Privacy Code as were it a Group Company; (b) provides for safeguards at a similar level of protection as that provided by this CSB Privacy Code; or (c) that is recognized under Data Protection Law as providing an “adequate” level of privacy protection;

iii. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Individual between ZaapIT and a Third Party (e.g., in case of recalls);

iv. the Third Party has been certified under a ‘safe harbor’ program that is recognized under Data Protection Law as providing an “adequate” level of privacy protection, such as the EU-U.S. Privacy Shield program;

v. the Third Party has implemented Binding Corporate Rules or a similar transfer control mechanism as providing an “adequate” level of privacy protection;

vi. the transfer is necessary to protect a vital interest of the Individual;

vii. the transfer is necessary for the establishment, exercise or defense of a legal claim;

viii. the transfer is necessary to satisfy a pressing need to protect the public interests of a democratic society; or

ix. the transfer is necessary for the performance of a task carried out to comply with a legal obligation to which the relevant Group Company is subject.

Items (viii) and (ix) above require the prior approval of the Chief Privacy Officer.

Consent for transfer

11.7

In addition to the grounds listed in Article 11.6 ZaapIT may transfer CSB Information to a Third Party located outside the EEA that is not covered by an Adequacy Decision if the Individual has given his or her consent to the transfer. If Applicable Data Controller Law so requires ZaapIT shall, in addition to having one of the grounds listed in Article 11.6, also seek consent of the Individual for the relevant transfer.

Prior to requesting consent, the Individual shall be provided with the following information:

i. the purpose of the transfer;

ii. the identity of the transferring Group Company;

iii. the identity or categories of Third Parties to which the CSB Information will be transferred;

iv. the categories of CSB Information that will be transferred;

v. the country to which the CSB Information will be transferred; and

vi. the fact that the CSB Information will be transferred to a Third Party not covered by an Adequacy Decision.

vii. The requirements set out in Articles 2.2 and 2.3 apply to the granting, denial or withdrawal of Individual consent.

Internal Processors

11.8

Internal Processors may Process CSB Information only if they have a validly entered into written or electronic contract with the Group Company acting as the Data Controller of the relevant CSB Information, which contract must in any event include the provisions set out in Article 11.5.

Overriding Interests

12.1

The obligations of ZaapIT or rights of Individuals as specified in Articles 12.2. and 12.3. may be overridden if, under the specific circumstances at issue, a pressing need exists that outweighs the interest of the Individual (Overriding Interest). An Overriding Interest exists if there is a need to:

i. protect the legitimate business interests of ZaapIT including:

ii. the health, security or safety of Employees or Individuals;

iii. ZaapIT's intellectual property rights, trade secrets or reputation;

iv. the continuity of ZaapIT's business operations;

v. the preservation of confidentiality in a proposed sale, merger or acquisition of a business; or

vi. the involvement of trusted advisors or consultants for business, legal, tax, or insurance purposes;

vii. prevent or investigate (including cooperating with law enforcement) suspected or actual violations of law; or

viii. otherwise protect or defend the rights or freedoms of ZaapIT, its Employees or other persons.

Exceptions in the event of Overriding Interests

12.2

If an Overriding Interest exists, one or more of the following obligations of ZaapIT or rights of the Individual may be set aside:

i. Article 3.1 (the requirement to Process CSB Information for closely related purposes);

ii. Article 5.2 (data storage and deletion);

iii. Articles 6.1 and 6.2 (information provided to Individuals);

iv. Articles 7.1-7.3 (rights of Individuals);

v. Article 8.2 (Staff access limitations and confidentiality requirements); and

vi. Articles 11.4, 11.5 and 11.6 (ii) (contracts with Third Parties).

Sensitive Information

12.3

The requirements of Articles 4.1 and 4.2 (Sensitive Information) may be set aside only for the Overriding Interests listed in Article 12.1 (i) (a), (b), (c) and (e), (ii) and (iii).

Consultation with Chief Privacy Officer

12.4

Setting aside obligations of ZaapIT or rights of Individuals based on an Overriding Interest requires prior consultation of the Chief Privacy Officer. The Chief Privacy Officer shall document his or her advice.

Information to Individual

12.5

Upon request of the Individual, ZaapIT shall inform the Individual of the Overriding Interest for which obligations of ZaapIT or rights of the Individual have been set aside, unless the particular Overriding Interest sets aside the requirements of Articles 6.1 or 7.1 - 7.3, in which case the request shall be denied.

Chief Privacy Officer

13.1

ZaapIT Inc. shall appoint a Chief Privacy Officer who is responsible for:

i. Supervising compliance with this CSB Privacy Code;

ii. Providing periodic reports, as appropriate, to the Chief Executive Officer on data protection risks and compliance issues;

iii. Monitoring the performance and periodic review of a Data Protection Impact Assessment (DPIA) before a new system or a business process involving Processing of CSB Information is implemented as described in Article 14.3;

iv. Deciding on complaints as described in Article 16.3; and

v. Coordinating, in conjunction with the appropriate Privacy Lead, official investigations or inquiries into the Processing of CSB Information by a public authority.

Security & Privacy Council

13.2

The Chief Privacy Officer shall maintain an advisory Security & Privacy Council. The Security & Privacy Council has created and shall maintain a privacy compliance framework for:

i. Developing and maintaining (including monitoring and testing) policies, procedures and system information  (as required by Articles 14 and 15);

ii. Planning training and awareness programs;

iii. Monitoring and reporting on compliance with this CSB Privacy Code;

iv. Overseeing the collection, investigation and resolution of privacy inquiries, concerns and complaints; and

v. Determining and updating appropriate sanctions for violations of this CSB Privacy Code (e.g., disciplinary standards in cooperation with other relevant internal functions, such as HR and Legal).

Privacy Leads

13.3

The Chief Privacy Officer has established and shall maintain a global network of Privacy Leads sufficient to direct compliance with this CSB Privacy Code within their respective regions or organizations.

The Privacy Leads shall perform the following tasks:

i. Regularly advise their respective executive teams and the Chief Privacy Officer on privacy risks and compliance issues, including any new legal requirement that the Privacy Lead believes to interfere with ZaapIT’s ability to comply with this CSB Privacy Code (as required by Article 20.3);

ii. Maintain and ensure that the policies and procedures are implemented, the system information is maintained and Data Protection Impact Assessments (DPIAs) are performed);

iii. Implement the privacy compliance framework as required by the Chief Privacy Officer;

iv. Be available for requests for privacy approvals or advice as described in Article 7;

v. Own and authorize all appropriate privacy sub-policies in their organizations; and

vi. Cooperate with the Chief Privacy Officer, and other Privacy Leads.

Responsible Executive

13.4

The Responsible Executive shall perform at least the following tasks:

i. Ensure that the policies and procedures are implemented, the system information is maintained and DPIAs are performed (as required by Article 14);

ii. Ensure that CSB Information is deleted, destroyed, de-identified or transferred (as required by Article 5.2); and

iii. Determine how to comply with this CSB Privacy Code when there is a conflict with applicable law (as required by Article 20.2).

Privacy Lead with a statutory position

13.5

Where a Privacy Lead holds his or her position pursuant to law, he or she shall carry out his or her job responsibilities to the extent they do not conflict with his or her statutory position.

Policies and procedures

14.1

ZaapIT shall develop and implement policies and procedures to comply with this CSB Privacy Code.

System information

14.2

ZaapIT shall maintain readily available information regarding the structure and functioning of all systems and processes that Process CSB Information (e.g., inventory of systems and processes). A copy of this information will be provided to the Israeil DPA or to a DPA competent to audit under Article 16.2 upon request.

Data Protection Impact Assessment

14.3

ZaapIT shall maintain a procedure to conduct and document a prior assessment of the impact which a given Processing may have on the protection of CSB Information, where such Processing is likely to result in a high risk for the rights and freedoms of Individuals, in particular where new technologies are used (Data Protection Impact Assessment). Where the Data Protection Impact Assessment shows that, despite mitigating measures taken by ZaapIT, the Processing still presents a residual high risk for the rights and freedoms of Customers, the Israeil DPA will be consulted prior to such Processing taking place.

Staff training

15.1

ZaapIT shall provide training on the obligations and principles laid down in this CSB Privacy Code and other privacy and data security obligations to Staff who have access to or responsibilities associated with managing CSB Information.

Audits

16.1

ZaapIT’s internal audit team shall audit business processes and procedures that involve the Processing of CSB Information for compliance with this CSB Privacy Code. The audits shall be carried out in the course of the regular activities of ZaapIT’s internal audit team or at the request of the Chief Privacy Officer. The Chief Privacy Officer may request to have an audit as specified in this Article conducted by an external auditor. Applicable professional standards of independence, integrity and confidentiality shall be observed when conducting an audit. The Chief Privacy Officer and the appropriate Privacy Leads shall be informed of the results of the audits. Any violations of this CSB Privacy Code identified in the audit report will be reported back to the Responsible Executive. A copy of the audit results related to compliance with this CSB Privacy Code will be provided upon request to the Israeil DPA or to any Competent DPA.

DPA audit

16.2

Subject to Article 16.3, the Israeil DPA may request an audit of the facilities used by ZaapIT for the Processing of CSB Information for compliance with this CSB Privacy Code. In addition, a DPA that has the right under Applicable Data Controller Law to audit a Group Company (a “Competent DPA”) will be authorized to audit the relevant data transfer for compliance with this CSB Privacy Code, subject to the same conditions as would apply to an audit by that DPA under Applicable Data Controller Law.

DPA audit procedure

16.3

ZaapIT will facilitate any audit by a DPA under Article 16.2 by undertaking the following actions:

i. Information sharing: ZaapIT will attempt to resolve the request by providing information to the DPA including ZaapIT audit reports, discussion with ZaapIT subject matter experts, and review of security, privacy, and operational controls in place.

ii. Examinations: If the information available through these mechanisms is insufficient to address the DPA’s stated objectives, ZaapIT will provide the DPA with the opportunity to communicate with ZaapIT’s auditor and if required, a direct right to examine ZaapIT’s data processing facilities used to process the CSB Information on giving reasonable prior notice and during business hours, with full respect to the confidentiality of the information obtained and to the trade secrets of ZaapIT

iii. Scope: Nothing in this Article 16.3 will be construed to take away any audit rights that a DPA may have under applicable law. This CSB Privacy Code provides supplemental audit rights to DPAs only. In the event of any conflict between this Article 16.3 and applicable law, the provisions of applicable law shall prevail.

Annual Privacy Report

16.4

The Chief Privacy Officer shall produce an annual CSB Information privacy report for the Chief Executive Officer of ZaapIT Inc. on compliance with this CSB Privacy Code, privacy protection risks and other relevant issues.

Each Privacy Lead shall provide information relevant to the report to the Chief Privacy Officer.

Mitigation

16.5

ZaapIT shall, if so indicated, ensure that adequate steps are taken to address breaches of this CSB Privacy Code identified during the monitoring or auditing of compliance pursuant to this Article 16.

Complaint

17.1

Individuals may file a complaint in respect of any claim they have under Article 18.1 or violations of their rights under Applicable Data Controller Law in accordance with the complaints procedure set forth in the relevant privacy policy or contract. The complaint shall be forwarded to the appropriate Privacy Lead.

The appropriate Privacy Lead shall:

i. notify the Chief Privacy Officer;

ii. analyze the complaint and, initiate an investigation; and

iii. when necessary, advise the business on the appropriate measures for compliance, and monitor, through to completion, the steps designed to achieve compliance.

The appropriate Privacy Lead may consult with any government authority having jurisdiction over a particular matter about the measures to be taken.

Reply to Individual

17.2

ZaapIT will use reasonable efforts to resolve complaints without undue delay, so that a response is given to the Customer Individual within one calendar month of the date that the complaint was filed. The appropriate Privacy Lead shall inform the Individual in writing via the means that the Individual originally used to contact ZaapIT (e.g., via mail or email) either (i) of ZaapIT’s position with regard to the complaint and any action ZaapIT has taken or will take in response or (ii) when he or she will be informed of ZaapIT's position, which shall be no later than two calendar months after the original one month period. The appropriate Privacy Lead shall send a copy of the complaint and his or her written reply to the Chief Privacy Officer.

Complaint to Chief Privacy Officer

17.3

An Individual may file a complaint with the Chief Privacy Officer if:

i. the resolution of the complaint by the appropriate Privacy Lead is unsatisfactory to the Individual (e.g., the complaint is rejected);

ii. the Individual has not received a response as required by Article 17.2;

iii. the time period provided to the Individual pursuant to Article 17.2 is, in light of the relevant circumstances, unreasonably long and the Individual has objected but has not been provided with a shorter, more reasonable time period in which he or she will receive a response; or

iv. in one of the events listed in Article 7.7.

The procedure described in Articles 17.1 through 17.2 shall apply to complaints filed with the Chief Privacy Officer.

If the response of the Chief Privacy Officer to the complaint is unsatisfactory to the Individual (e.g., the request is denied), the Individual can file a complaint or claim with the authorities or the courts in accordance with Article 18.2.

Complaints procedure

18.1

Individuals are encouraged to first follow the complaints procedure set forth in Article 17 of this CSB Privacy Code before filing any complaint or claim with the competent DPAs or the courts.

Rights of Individuals

18.2

If ZaapIT violates the Privacy Code with respect to the CSB Information of an Individual (Affected Individual) covered by this Privacy Code, the Affected Individual can as a third party beneficiary enforce any claim as a result of a breach of Articles 1.6, 2 – 11, 12.5, 16.2, 17, 18 and 20.4 - 20.5 in accordance with Article 18.2.

The rights contained in this Article are in addition to, and shall not prejudice, any other rights or remedies that an Individual may otherwise have by law.

Jurisdiction for claims of Individuals

18.2

In case of a violation of this CSB Privacy Code, the Individual may, at his/her choice, submit a complaint or claim to the Israeli DPA or the court:

Right to claim damages

18.3

In case an Individual has a claim under Article 18.2, and

i. the relevant Processing is governed by Data Protection Law, such Individual shall be entitled to file a lawsuit for damages suffered by an Individual resulting from a violation of this CSB Privacy Code to the extent provided by applicable law; or

ii. the relevant Processing is not governed by Data Protection Law, such Individual shall be entitled to file a lawsuit for the actual direct damages (which exclude, without limitation, lost profits or revenue, lost turnover, cost of capital, and downtime cost), suffered by an Individual resulting from a violation of this CSB Privacy Code, to the extent provided by applicable law.

Burden of proof in respect of claim for damages

18.4

In case an Individual brings a claim for damages under Article 18.2, it will be for the Individual to demonstrate that he or she has suffered the relevant damages and to establish facts which show it is plausible that the damage has occurred because of a violation of the CSB Privacy Code. It will subsequently be for the relevant Group Company to prove that the damages suffered by the Individual due to a violation of this CSB Privacy Code are not attributable to ZaapIT .

Mutual assistance and redress

18.5

All Group Companies shall co-operate and assist each other to the extent reasonably possible to handle:

i. a request, complaint or claim made by an Individual; or

ii. a lawful investigation or inquiry by a competent DPA or government authority.

The Group Company that receives a request, complaint or claim from an Individual is responsible for handling any communication with the Individual regarding his or her request, complaint or claim except where circumstances dictate otherwise.

Advice of the Israeil DPA and Competent DPAs

18.6

ZaapIT Inc shall abide by the advice of the Israeil DPA and Competent DPAs issued on the interpretation and application of this CSB Privacy Code.

Mitigation

18.7

ZaapIT Inc shall ensure that adequate steps are taken to address violations of this CSB Privacy Code by a Group Company.

Law applicable to Code

18.8

This CSB Privacy Code shall be governed by and interpreted in accordance with the Israeli law. Exclusive venue for all disputes arising out of the Agreement shall be in Tel-Aviv Israel.

Non-compliance

19.1

Non-compliance of Employees with this CSB Privacy Code may result in disciplinary action in accordance with ZaapIT policies and local law, up to and including termination of employment.

Conflict of law when transferring CSB Information

20.1

Where a legal requirement to transfer CSB Information conflicts with the laws of the Member States of the EEA / UK, the transfer requires the prior approval of the Chief Privacy Officer. The Chief Privacy Officer may seek the advice of the Israeil DPA or another competent government authority.

Conflict between CSB Privacy Code and law

20.2

In all other cases, where there is a conflict between applicable local law and this CSB Privacy Code, the relevant Responsible Executive shall consult with the Chief Privacy Officer to determine how to comply with this CSB Privacy Code and resolve the conflict to the extent reasonably practicable given the legal requirements applicable to the relevant Group Company.

New conflicting legal requirements

20.3

The relevant Privacy Leads, in consultation with the legal department, shall promptly inform the Responsible Executive of any new legal requirement that may interfere with ZaapIT's ability to comply with this CSB Privacy Code.

Reporting to Lead DPA

20.4

If ZaapIT becomes aware that applicable local law of a non-EEA / non-UK country is likely to have a substantial adverse effect on the protection offered by this Privacy Code, ZaapIT will report this to the Israeil DPA.

Requests for Disclosure of CSB Information

20.5

If ZaapIT receives a request for disclosure of CSB Information from a law enforcement authority or state security body of a non-EEA / non-UK country (Authority), it will first assess on a case-by-case basis whether this request (Disclosure Request) is legally valid and binding on ZaapIT. Any Disclosure Request that is not legally valid and binding on Company will be resisted in accordance with applicable law.

Subject to the following paragraph, ZaapIT shall promptly inform the Israeil DPA of any legally valid and binding Disclosure Requests, and will request the Authority to put such Disclosure Requests on hold for a reasonable delay in order to enable the Israeil DPA to issue an opinion on the validity of the relevant disclosure.

If suspension and/or notification of a Disclosure Request is prohibited, such as in case of a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation, ZaapIT will request the Authority to waive this prohibition and will document that it has made this request. In any event, ZaapIT will on an annual basis provide to the Israeil DPA general information on the number and type of Disclosure Requests it received in the preceding 12 month period, to the fullest extent permitted by applicable law.

In any event, any transfers by ZaapIT of CBS Information to any Authority in response to a Disclosure Request will not be massive, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society.

Approval for changes

21.1

Any changes to this CSB Privacy Code require the prior approval of the Chief Executive Officer of ZaapIT Inc. and shall thereafter be communicated to the Group Companies. The Chief Privacy Officer shall promptly inform the Israeil DPA of changes to this Privacy Code that have a significant impact on the protection offered by this Privacy Code or the Privacy Code itself and will be responsible for coordinating ZaapIT’s responses to questions of the Israeli DPA in respect thereof. Other changes (if any) will be notified by the Chief Privacy Officer to the Israeil DPA on a yearly basis.

Effective Date of changes

21.2

Any change shall enter into force with immediate effect after it has been approved in accordance with Article 21.1 and is published on the ZaapIT Global Intranet.

Prior versions

21.3

Any request, complaint or claim of an Individual involving this CSB Privacy Code shall be judged against the version of this CSB Privacy Code as it is in force at the time the request, complaint or claim is made.

Transition period for new Group Companies

22.1

Any entity that becomes a Group Company after the Effective Date shall comply with this CSB Privacy Code within one year of becoming a Group Company.

Transition Period for Divested Entities

22.2

A Divested Entity (or specific parts thereof) will remain covered by this CSB Privacy Code after its divestment for such period as is required by ZaapIT to disentangle the Processing of CSB Information relating to such Divested Entity.

Transition period for IT Systems

22.3

Where implementation of this CSB Privacy Code requires updates or changes to information technology systems (including replacement of systems), the transition period shall be two years from the Effective Date or from the date an entity becomes a Group Company, or any longer period as is reasonably necessary to complete the update, change or replacement process.

Transition period for existing agreements

22.4

Where there are existing agreements with Third Parties that are affected by this CSB Privacy Code, the provisions of the agreements will prevail until the agreements are renewed in the normal course of business.

Transitional period for Local-for-Local Processing

22.5

Local-for-Local Processing subject to this CSB Privacy Code shall be brought into compliance with this CSB Privacy Code within five years of the Effective Date.

Compliance during the Transitional Period

22.6

During the transition periods set out in Article 22.1 – 22.5, no CSB Information will be transferred to a Group Company under this CSB Privacy Code until that Group Company is (i) fully compliant or (ii) an alternative data transfer mechanism has been put in place, such as standard contractual clauses.

Contact details

ZaapIT As LTD

Adequacy Decision

A decision issued by the European Commission under Article 25 EC Data Protection Directive that a country or region or a category of recipients in such country or region is deemed to provide an "adequate" level of data protection.

Applicable Data Controller Law

APPLICABLE DATA CONTROLLER LAW means the provisions of mandatory law of a country containing rules for the protection of individuals with regard to the Processing of Personal Information including security requirements for and the free movement of such Personal Information as applicable to ZaapIT in its capacity as the Data Controller of Personal Information.

Archive

ARCHIVE shall mean a collection of CSB Information that is no longer necessary to achieve the purposes for which the CSB Information originally was collected or that is no longer used for general business activities, but is used only for historical, scientific or statistical purposes, dispute resolution, investigations or general archiving purposes. An Archive includes any data set that can no longer be accessed by any Employee other than the system administrator.

Article

ARTICLE shall mean an article in this CSB Privacy Code.

Binding Corporate Rules

BINDING CORPORATE RULES shall mean a privacy policy of a group of undertakings which, under applicable local law (such as Article 25 of the EU Data Protection Directive), is considered to provide an adequate level of protection for the transfer of Personal Information within that group of undertakings.

Business Development

BUSINESS DEVELOPMENT shall mean the tasks and processes aimed at developing and implementing growth opportunities within and between ZaapIT and Business Partners.

Business Partner

BUSINESS PARTNER shall mean any Third Party, other than a Customer or Supplier, that has or has had a business relationship or strategic alliance with ZaapIT (e.g., joint marketing partner, joint venture or joint development partner, investor).

Business Purpose

BUSINESS PURPOSE shall mean a purpose for Processing CSB Information as specified in Article 2 or 3 or for Processing Sensitive Information as specified in Article 4 or 3.

Chief Privacy Officer

CHIEF PRIVACY OFFICER shall mean the officer as referred to in Article 13.1.

Children

CHILDREN shall mean Individuals under thirteen (13) years of age.

Competent DPA

COMPETENT DPA shall have the meaning set forth in Article 16.2 above.

CSB Information

CSB INFORMATION shall have the meaning set forth in Article 1.1 above

CSB Privacy Code

CSB PRIVACY CODE shall mean this Privacy Code for Customer, Supplier and Business Partner Information.

Customer

CUSTOMER shall mean any person, private organisation, or government body that purchases, may purchase or has purchased a ZaapIT product or service.

Customer Services

CUSTOMER SERVICES shall mean the services provided by ZaapIT to Customers to support ZaapIT products and services offered to or in use with their employees or customers (e.g., ZaapIT’s digital transaction management platform and related services). These services may include the maintenance, upgrade, replacement, inspection and related support activities aimed at facilitating continued and sustained use of ZaapIT products and services.

Data Controller

DATA CONTROLLER shall mean the entity or natural person which alone or jointly with others determines the purposes and means of the Processing of Personal Information.

Data Protection Impact Assessment (DPIA)

DATA PROTECTION IMPACT ASSESSMENT (DPIA) shall mean a procedure to conduct and document a prior assessment of the impact which a given Processing may have on the protection of CSB Information, where such Processing is likely to result in a high risk for the rights and freedoms of Individuals, in particular where new technologies are used.

A DPIA shall contain:

i. a description of:

i. the scope and context of the Processing;

ii. the Business Purposes for which CSB Information is Processed;

iii. the specific purposes for which Sensitive Information is Processed;

iv. categories of CSB Information recipients, including recipients not covered by an Adequacy Decision;

v. CSB Information storage periods;

ii. an assessment of:

i. the necessity and proportionality of the Processing;

ii. the risks to the privacy rights of Individuals; and

iii. the measures to mitigate these risks, including safeguards, security measures and other mechanisms (such as privacy-by-design) to ensure the protection of CSB Information.

Data Protection Law

DATA PROTECTION LAW shall mean the provisions of mandatory law of an EEA country / UK country / IL country containing rules for the protection of individuals with regard to the Processing of Personal Information including security requirements for and the free movement of such Personal Information.

Data Security Breach

DATA SECURITY BREACH shall mean the unauthorized acquisition, access, use or disclosure of unencrypted CSB Information that compromises the security or privacy of such information to the extent the compromise poses a high risk of financial, reputational, or other harm to the Individual. A Data Security Breach is deemed not to have occurred where there has been an unintentional acquisition, access or use of unencrypted CSB Information by an employee of ZaapIT or Third Party Processor or an individual acting under their respective authority, if:

i. the acquisition, access, or use of CSB Information was made in good faith and within the course and scope of the employment or professional relationship of such employee or other individual; and

ii. the CSB Information is not further acquired, accessed, used or disclosed by any person.

Divested Entity

DIVESTED ENTITY shall mean the divestment by ZaapIT of a Group Company or business by means of:

i. a sale of shares that results in the divested Group Company no longer qualifying as a Group Company; and/or

ii. a demerger, sale of assets, or any other manner or form.

ZaapIT

ZaapIT shall mean ZaapIT AS LTD. and its Group Companies.

ZaapIT Inc.

ZaapIT, INC. shall mean ZaapIT AS LTD.

DPA

DPA shall mean any data protection authority of one of the countries of the EEA / UK / IL.

EEA

EEA or EUROPEAN ECONOMIC AREA shall mean all Member States of the European Union, plus Norway, Iceland and Liechtenstein, and for purposes of this Privacy Code, Switzerland.

Effective Date

EFFECTIVE DATE shall mean the date on which this CSB Privacy Code becomes effective as set forth in Article 1.7.

Employee

EMPLOYEE shall mean the following individuals:

i. an employee, job applicant or former employee of ZaapIT including temporary workers working under the direct supervision of ZaapIT (e.g., independent contractors and trainees). This term does not include people working at ZaapIT as consultants or employees of Third Parties providing services to ZaapIT;

ii. a (former) executive or non-executive director of ZaapIT or (former) member of the supervisory board or similar body to ZaapIT.

Group Company

GROUP COMPANY shall mean ZaapIT Inc. and any company or legal entity of which ZaapIT Inc., directly or indirectly owns more than 50% of the issued share capital, has 50% or more of the voting power at general meetings of shareholders, has the power to appoint a majority of the directors, or otherwise directs the activities of such other legal entity; however, any such company or legal entity shall be deemed a Group Company only as long as a liaison and/or relationship exists.

Individual

INDIVIDUAL shall mean any individual (employee of or any person working for) Customer, Supplier or Business Partner and any other individual whose CSB Information ZaapIT processes in the context of the provision of its services.

Internal Processor

INTERNAL PROCESSOR shall mean any Group Company that Processes CSB Information as a Data Processor on behalf of another Group Company acting as the Data Controller.

Local-for-Local Processing

LOCAL FOR LOCAL PROCESSING shall have the meaning set forth in Article 1.2 above.

Organizational Unit

ORGANIZATIONAL UNIT shall mean each business unit and staff function of ZaapIT.

Overriding Interest

OVERRIDING INTEREST shall mean the pressing interests set forth in Article 12.1 based on which the obligations of ZaapIT or rights of Individuals set forth in Article 12.2 and 12.3 may, under specific circumstances, be overridden if this pressing interest outweighs the interest of the Individual.

Personal Information

PERSONAL INFORMATION shall mean any information relating to an identified or identifiable Individual.

Privacy Code

PRIVACY CODE shall mean this Privacy Code for CSB Information.

Privacy Lead

PRIVACY LEAD shall mean a Privacy Lead appointed by the Chief Privacy Officer pursuant to Article 13.3.

Processing

Processing shall mean any operation that is performed on CSB Information, whether or not by automatic means, such as collection, recording, storage, organization, alteration, use, disclosure (including the granting of remote access), transmission or deletion of CSB Information.

Processor Contract

PROCESSOR CONTRACT shall mean any contract for the Processing of CSB Information entered into by ZaapIT and a Third Party Processor.

Responsible Executive

RESPONSIBLE EXECUTIVE shall mean the lowest-level ZaapIT business executive or the non-executive general manager of a ZaapIT business function/unit who has primary budgetary ownership of the relevant Processing.

Secondary Purpose

SECONDARY PURPOSE shall have the meaning ascribed to that term in Article 3.1.

Security & Privacy Council

Security & PRIVACY COUNCIL shall mean the council referred to in Article 13.2.

Sensitive Information

SENSITIVE INFORMATION shall mean CSB Information that reveals an Individual's racial or ethnic origin, political opinions or membership in political parties or similar organizations, religious or philosophical beliefs, membership in a professional or trade organization or union, physical or mental health including any opinion thereof, disabilities, genetic CSB Information, biometric CSB Information, addictions, sex life, criminal convictions or offenses, or social security numbers issued by the government.

Staff

STAFF shall mean all Employees and other persons who Process CSB Information as part of their respective duties or responsibilities as employees or individuals under the direct authority of ZaapIT using ZaapIT information technology systems or working primarily from ZaapIT's premises.

Supplier

SUPPLIER shall mean any Third Party that provides goods or services to ZaapIT (e.g., an agent, consultant or vendor), including Third Party Processors.

Supplier Services

SUPPLIER SERVICES shall mean the goods or services provided by Supplier under an agreement with ZaapIT. 

Third Party

THIRD PARTY shall mean any person or entity (e.g., an organization or government authority) outside ZaapIT.

Third Party Controller

THIRD PARTY CONTROLLER shall mean a Third Party that Processes CSB Information and determines the purposes and means of the Processing.

Third Party Processor

THIRD PARTY PROCESSOR shall mean a Third Party that Processes CSB Information on behalf of ZaapIT that is not under the direct authority of ZaapIT.

INTERPRETATION OF THIS CSB PRIVACY CODE:

i. Unless the context requires otherwise, all references to a particular Article or Annex are references to that Article or Annex in or to this document, as they may be amended from time to time;

ii. headings are included for convenience only and are not to be used in construing any provision of this CSB Privacy Code;

iii. a word or phrase is defined, its other grammatical forms have a corresponding meaning;

iv. the male form shall include the female form;

v. the words "include", "includes" and "including" and any words following them shall be construed without limitation to the generality of any preceding words or concepts and vice versa;

vi. a reference to a document (including, without limitation, a reference to this CSB Privacy Code) is to the document as amended, varied, supplemented or replaced, except to the extent prohibited by this CSB Privacy Code or that other document; and

vii. a reference to law or a legal obligation includes any regulatory requirement, sectorial guidance, and best practice issued by relevant national and international supervisory authorities or other bodies.