OpenAI Supplier Data Processing Addendum
This Supplier Data Processing Addendum ("SDPA") governs Supplier’s processing of OpenAI Data (as defined below) that is provided by or collected on behalf of OpenAI by Supplier. This SDPA is hereby incorporated into the agreement between OpenAI and Supplier that governs Supplier’s provision of certain services (“Services”) to OpenAI (the “Agreement”). If and to the extent language in this SDPA conflicts with the Agreement, the conflicting terms in this SDPA shall control. Capitalized terms not defined in this SDPA have the meaning set forth in the Agreement.
In consideration of the mutual promises set out in this SDPA, OpenAI and Supplier agree as follows:
1. Definitions
1.1 "Controller" means a person that alone or jointly determines the purposes and means of Processing Personal Data.
1.2 "Data Breach" means any unauthorized processing of OpenAI Data or compromise of the security, confidentiality, or integrity of OpenAI Data or Systems used to secure, protect, or Process OpenAI Data.
1.3 "Data Protection Laws" means all applicable laws and binding rules or regulations relating to the protection, privacy, security, or Processing of Personal Data applicable to a Party in its use or provision of the Services. These laws may include, for example, the General Data Protection Regulation (EU) 2016/679 ("EU GDPR"), the United Kingdom General Data Protection Regulation, as it forms part of UK law by virtue of section 3 of the EU (Withdrawal) Act 2018, and the UK Data Protection Act 2018 (collectively, “UK Data Protection Laws”), the revised Swiss Federal Act on Data Protection of 25 September 2020 ("FADP"), Personal Information Protection and Electronic Documents Act and applicable Canadian federal, provincial, and territorial (“Canada Data Protection Laws”), Japan’s Act on the Protection of Personal Information (Act No. 57 of 2003, as amended) (“APPI”), South Korea’s Personal Information Protection Act (“PIPA”), and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act (“CCPA”).
1.4 "Data Subject" means an identified or identifiable natural person.
1.5 "Deidentified Data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, a Data Subject.
1.6 “OpenAI” means OpenAI OpCo, LLC and its affiliates.
1.7 “OpenAI Data” means information that Supplier has received or collected from or on behalf of OpenAI in connection with the Services. OpenAI Data includes but is not limited to Personal Data.
1.8 "Personal Data" means information that relates to an identified or identifiable individual or, where the CCPA applies, household and that is processed in connection with the provision of the Services.
1.9 “Process,” “Processing,” or variations thereof means any operation or set of operations that are performed on OpenAI Data, or on sets of OpenAI Data, whether or not by automated means, including without limitation the access, collection, storage, use, transfer, compilation, organization, classification, deletion, and deidentification of OpenAI Data.
1.10 "Processor" means a person that Processes Personal Data on behalf and at the instruction of a Controller.
1.11 "Subprocessor" means a Processor engaged by a different Processor, including without limitation all third parties or affiliates engaged by Supplier in furtherance of the provision of Services that will have access to OpenAI Data.
1.12 “Supplier” means the entity providing or performing Services for OpenAI pursuant to the Agreement.
1.13 “System” means any file system, computing system, database, device, equipment, server, website, application, software, storage media, network, infrastructure, networked environment or domain, including without limitation all development, quality assurance, staging and production environments.
1.14 "Third Country" means any country or recipient that has not been recognized as offering an adequate level of protection within the meaning of Data Protection Laws applicable to the Processing of Personal Data.
2. General
2.1 Each Party will comply with Data Protection Laws and will not knowingly cause the other Party to violate Data Protection Laws.
2.2 OpenAI is or is acting on behalf of the Controller. Supplier is either a Processor or a Subprocessor.
2.3 The subject matter of the Processing is the provision of the Services and the Processing will be carried out for the duration of the Agreement. The description of the Processing is set forth in Schedule 1.
3. Processing Obligations
3.1 Supplier will only Process OpenAI Data in accordance with OpenAI’s instructions, which include the Agreement, this DPA, and any other documented instructions received from OpenAI. Supplier will promptly inform OpenAI about any instruction from OpenAI which, in its opinion, infringes Data Protection Laws. If Supplier is required by applicable law to Process OpenAI Data otherwise than as instructed by OpenAI, it will notify OpenAI before such Processing occurs, unless the law requiring such Processing prohibits Supplier from notifying OpenAI, in which case it will notify OpenAI as soon as that law permits it to do so.
3.2 Supplier will treat all OpenAI Data as confidential information. Supplier will not disclose OpenAI Data without OpenAI’s prior written consent except: (a) to those of its personnel who need to know or access the OpenAI Data in order to provide the Services; and (b) where it is required by a court to disclose OpenAI Data, or where there is a statutory obligation to do so, but only to the minimum extent necessary to comply with such court order or statutory obligation.
3.3 Supplier warrants that its personnel who have access to OpenAI Data are: (a) informed of the confidential nature of the OpenAI Data and obliged to keep such OpenAI Data confidential; and (b) aware of and comply with Supplier's duties and their individual duties in connection with OpenAI Data Processed under the Agreement.
3.4 Supplier will implement and maintain reasonable and appropriate technical and organizational measures to protect OpenAI Data against a Data Breach or other accidental or unlawful destruction, loss, alteration, disclosure, access, or Processing. Having regard to state of the art technologies and cost of their implementation, Supplier agrees that such measures will provide a level of security appropriate to the risks that are presented by the Processing and the nature of the OpenAI Data to be protected, and will at a minimum include those measures set forth at openai.com/policies/supplier-security-measures.
3.5 Upon written request by OpenAI, or termination or expiration of the Agreement, Supplier will, at OpenAI’s choice, delete, destroy, or return all OpenAI Data (and any copies of it) and certify to OpenAI that it has done so, unless otherwise required by applicable laws, in which case the Supplier will (a) maintain the confidentiality of the OpenAI Data consistent with the terms set forth in this Agreement; (b) no longer actively Process OpenAI Data; and (c) return, destroy, or delete, at OpenAI’s choice, the OpenAI Data when such legal obligation ceases to apply. For clarity, any deletion or destruction elected under this Section 3.5 must render the OpenAI Data permanently unreadable and unrecoverable on all media controlled by Supplier and its Subprocessors.
3.6 To the extent OpenAI discloses or otherwise makes available Deidentified Data to Supplier, or to the extent Supplier creates Deidentified Data from Personal Data, Supplier will:
(a) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household;
(b) publicly commit to maintain and use such Deidentified Data in a deidentified form and to not attempt to re-identify the Deidentified Data, except that Supplier may attempt to re-identify the data solely for the purpose of determining whether its deidentification processes are compliant with Data Protection Laws;
(c) implement business processes to prevent the inadvertent release of such Deidentified Data; and
(d) before sharing Deidentified Data with any other party, including Subprocessors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 3.6 (including imposing this requirement on any further Recipients).
3.7 In addition to its obligations under the DPA, Supplier will comply with the applicable jurisdiction-specific provisions in Schedule 2. In the event of any irreconcilable conflict between any applicable provision of Schedule 2 and other provisions in this DPA, Schedule 2 will take precedence.
4. Data Breaches
4.1 In the event of a Data Breach, Supplier will notify OpenAI immediately and in any event no later than 48 hours from becoming aware of it. Such notification will be made to the OpenAI Security Office at vendorsecurity@openai.com.
4.2 After providing notice in accordance with Section 4.1, Supplier will investigate the Data Breach and take necessary steps to contain, eradicate, mitigate, and rectify the Data Breach.
4.3 Supplier will keep OpenAI informed about the status of the Data Breach, including by providing prompt and comprehensive information as OpenAI may reasonably request. Such information, which will be supplemented on an ongoing basis, will include, at a minimum: (a) the general circumstances and extent of any known or potential unauthorized Processing of OpenAI Data; (b) the nature and extent of the Data Breach, including as to affected Systems and whether those Systems are used to Process OpenAI Data; (c) the types and volume of OpenAI Data that was or may have been affected; (d) Supplier’s plans for corrective actions to respond to the Data Breach; (e) the identities of all Data Subjects whose Personal Data was or may have been affected; (f) steps taken to secure OpenAI Data and preserve information for any necessary investigation; (g) any other related information reasonably requested by OpenAI; and (h) the status of containment and eradication of the Data Breach. Upon OpenAI’s request, Supplier will make available to OpenAI copies of any reports generated in connection with the investigation of the Data Breach that are relevant to the types of information described above.
4.4 Supplier will not notify any parties other than OpenAI and, to the extent required by applicable law, relevant law enforcement agencies, of any Data Breach: (a) unless such notification is agreed to in advance by OpenAI in writing; or (b) to the extent such notification is provided to another customer of Supplier and the Data Breach relates to proprietary information of such other customer, provided that Supplier will not provide any information or details to such other customer identifying OpenAI or regarding how the Data Breach relates to OpenAI or OpenAI Data.
4.5 OpenAI may, upon providing reasonable notice to Supplier, take reasonable and appropriate steps to stop or remediate any unauthorized Processing of OpenAI Data.
5. Subprocessors
5.1 OpenAI acknowledges that Supplier may engage Subprocessors, subject to the terms of the Agreement and Supplier having conducted appropriate diligence of each such Subprocessor prior to and during the term of engagement to confirm the Subprocessor is capable of complying with its obligations in connection with this DPA. OpenAI provides general written authorization to Supplier to engage Subprocessors as necessary to perform the Services, in accordance with the Agreement.
5.2 Information regarding Supplier’s current Subprocessors, including their location and services provided, will be provided by Supplier to OpenAI (“Subprocessor List”) within thirty (30) days of executing this DPA or otherwise upon OpenAI’s request. The Subprocessor List may be updated by Supplier from time to time in accordance with the Agreement and this DPA. Supplier will provide OpenAI with thirty (30) days advance notice before a new Subprocessor Processes any OpenAI Data. OpenAI may object to the proposed Subprocessor for any reason, including grounds relating to the protection of OpenAI Data. In such case, Supplier will have the right to cure the objection through one of the following options (to be selected at OpenAI’s option): (a) Supplier will cancel its plans to use the Subprocessor with respect to the Processing of OpenAI Data or will offer an alternative to provide the Services without the Subprocessor; (b) Supplier will take the corrective steps requested by OpenAI in its objection notice (and which address OpenAI’s objection(s)) and proceed to use the Subprocessor; or (c) OpenAI may agree not to use (temporarily or permanently) the particular aspect or feature of the Services that would involve the use of such Subprocessor. If none of the above options are commercially feasible, in OpenAI’s reasonable judgement, and the objections have not been resolved to the satisfaction of the Parties, then OpenAI may terminate the Agreement in whole or in part for cause with a pro-rated refund of any pre-paid but unearned fees.
5.3 Supplier will require that each Subprocessor executes a written agreement that imposes substantially the same obligations on the Subprocessor as are imposed on Supplier under this DPA. Supplier remains fully liable to OpenAI for any Subprocessors' Processing of OpenAI Data under the Agreement as if done by Supplier.
6. Assistance to OpenAI
6.1 Supplier will:
(a) reasonably assist OpenAI with the fulfilment of OpenAI’s obligations to respond to requests for exercising a Data Subject's rights as set out in Data Protection Laws or OpenAI’s privacy statements, taking into account the nature of Personal Data;
(b) reasonably assist and cooperate with OpenAI as necessary for OpenAI to comply with its obligations under the Data Protection Laws, including without limitation with OpenAI’s obligations relating to security, investigation, remediation, and notification of Data Breaches to a governmental authority and Data Subjects, as well as data protection impact assessments and prior consultation, taking into account the nature of the Personal Data;
(c) appoint, and identify to OpenAI, an individual to support OpenAI in monitoring compliance with this DPA, and make available to OpenAI information and evidence necessary to demonstrate compliance with this DPA and with Data Protection Laws;
(d) allow for, cooperate with, and contribute to audits, including inspections of its data processing facilities and information requests, pursuant to Section 7.
6.2 Supplier will promptly, and in any event no longer than 72 hours of receipt, notify OpenAI at privacy+suppliers@openai.com about any complaint, communication, or request received directly by Supplier or a Subprocessor from a Data Subject, governmental authority, or other third party pertaining to OpenAI Data. Supplier will not respond to such complaint, communication, or request unless it has been instructed in writing to do so by OpenAI.
7. Audits and Inspections
7.1 Where required by applicable law, regulation, or request from a supervisory authority or where OpenAI reasonably believes a breach of the Agreement or this DPA is occurring or has occurred, OpenAI may audit Supplier’s data processing facilities and documentation covered by this DPA to confirm that Supplier Processes OpenAI Data in a manner consistent with OpenAI’s and Supplier’s obligations under Data Protection Laws and this DPA. Audits and inspections may be carried out by OpenAI or an independent, third-party auditor selected by OpenAI. Supplier will provide OpenAI or third-party auditor all reasonable assistance to conduct such audits at no additional cost to OpenAI. OpenAI will provide Supplier with at least ten (10) business days’ written notice prior to such audit, except where (i) OpenAI reasonably believes that a Data Breach has occurred or is occurring, (ii) the Supplier is in material breach of any of its obligations under this DPA or any Data Protection Laws, or (iii) OpenAI requires information from the Supplier in order to respond to a request from a supervisory authority.
7.2 Notwithstanding Section 7.1, if a Data Breach has occurred, or Supplier becomes aware of a breach of any of its obligations under this DPA or Data Protection Laws, Supplier will: (a) promptly conduct its own audit to determine the cause; (b) produce a written report that includes detailed plans to remedy any deficiencies identified by the audit; (c) provide OpenAI with a copy of the written audit report; and (d) remedy any deficiencies identified by the audit within an appropriate timeframe consistent with industry standards and agreed by the Parties.
7.3 Upon OpenAI’s request, Supplier will make available to OpenAI all information in its possession necessary to demonstrate OpenAI’s or Supplier’s compliance with Data Protection Laws or this DPA.
8. International Data Transfers
8.1 Where Supplier discloses, transfers, or otherwise makes available Personal Data to another party located in a Third Country, either directly or via onward transfer, outside of the country in which Supplier receives such Personal Data:
(a) Supplier shall Process the Personal Data in accordance with all applicable laws including, where required by applicable Data Protection Laws, by implementing a valid and recognized mechanism; and
(b) the Parties agree to comply with the applicable provisions of Schedule 2.
8.2 If, at any time, a governmental authority or Data Protection Laws require any further action to be taken in order to lawfully Process or transfer Personal Data (including entering into additional or alternative valid transfer mechanisms), the Parties will take all steps reasonably necessary to comply with those additional requirements and Data Protection Laws.
Schedule 1: Description of the Processing
Categories of Data Subjects | The specific categories of data subjects depend on the nature of the Services provided for in the Agreement, but may include for example: prospective, current, and former users, customers’ users, employees, applicants, extended workforce, and other data subjects whose Personal Data is contained within content. |
Categories of Personal Data | The specific categories of Personal Data depend on the nature of the Services provided for in the Agreement, but may include for example: contact details, biographical data, employment data, financial data, education and training data, location data, and personal data contained within content. |
Categories of Sensitive Personal Data (if applicable) | The specific categories of Sensitive Personal Data depend on the nature of the Services provided for in the Agreement, but may include for example: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. |
Frequency of the transfer | On-going basis depending on the use of the Services by OpenAI. |
Nature of the Processing | Personal Data will be subject to the following basic processing activities: 1. Receiving data, including collection, accessing, retrieval, recording, and data entry. 2. Holding data, including storage, organization and structuring. 3. Updating data, including correcting, adaptation, alteration, alignment and combination. 4. Protecting data, including restricting, encrypting, and security testing. 5. Sharing data, including disclosure, dissemination, allowing access or otherwise making available. 6. Returning data to the data exporter or data subject. 7. Erasing data, including destruction and deletion |
Purpose(s) of the transfer and Processing | Supplier will Process Personal Data for the purposes of providing the Services in accordance with the Agreement. |
Duration of Processing | For the duration of the Agreement |
For transfers to Subprocessors - subject matter, nature and duration of the Processing | Subprocessors will Process Personal Data (1) as necessary to perform the Services pursuant to the Agreement and (2) for the duration of the Agreement, unless otherwise agreed in writing. |
Schedule 2: Jurisdiction-Specific Provisions
1. California
To the extent the CCPA applies to the Processing of Personal Data, in addition to the terms of the DPA, Supplier agrees as follows with respect to that Personal Data:
1.1 OpenAI is disclosing Personal Data to Supplier only for the limited and specified purpose of performing the Services, including as described in Schedule 1 to this DPA.
1.2 Supplier will provide at least the same level of protection for Personal Data as required by the CCPA.
1.3 Supplier will not:
(a) retain, use, disclose, or otherwise Process Personal Data except as necessary for the business purposes specified in the Agreement or this DPA;
(b) “sell” or “share” Personal Data (as defined by the CCPA);
(c) retain, use, disclose, or otherwise Process Personal Data in any manner outside of the direct business relationship between OpenAI and Supplier; or
(d) combine any Personal Data with personal data that Supplier receives from or on behalf of any other third party or collects from Supplier’s own interactions with Data Subjects, provided that Supplier may so combine Personal Data for a purpose permitted under the CCPA if directed to do so by OpenAI or as otherwise expressly permitted by the CCPA.
1.4 Supplier will promptly notify OpenAI if Supplier determines it can no longer comply with the CCPA, in which case OpenAI may take all reasonable and appropriate steps to stop or remediate any unauthorized Processing of Personal Data.
2. Canada
To the extent Canada Data Protection Laws apply to the Processing of Personal Data, in addition to the terms of the DPA, Supplier agrees as follows with respect to that Personal Data:
2.1 Each Party will comply with all valid requests made by competent legal authorities.
2.2 Upon request by OpenAI, Supplier will provide OpenAI with the reasonable opportunity to retrieve Personal Data.
2.3 Supplier will create and maintain adequate records of any Data Breach experienced by Supplier or its Subprocessors, and make such records available to OpenAI as necessary for OpenAI to satisfy its legal obligations.
2.4 Prior to transferring any Personal Data outside of Canada, Supplier will enter into agreements with the transferees that include contractual protections to secure and protect such Personal Data to the same extent as required by the obligations imposed on Supplier by this DPA.
3. EEA, Switzerland, and UK
To the extent the EU GDPR, FADP, or UK Data Protection Laws apply to the Processing of Personal Data, in addition to the terms of the DPA, Supplier agrees as follows with respect to that Personal Data:
3.1 For purposes of this Section, "Approved Addendum" means the template Addendum B.1.0 issued by the UK ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022; "C-to-P Transfer Clauses" means Sections I, II, III and IV (as applicable) in so far as they relate to Module Two (Controller to Processor) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021; "ICO" means the Information Commissioner's Office; "P-to-P Transfer Clauses" means Sections I, II, III and IV (as applicable) in so far as they relate to Module Three (Processor to Processor) within the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021; and “Transfer Clauses” means the C-to-P Transfer Clauses and P-to-P Transfer Clauses, together or separately, as applicable under this DPA.
3.2 To the extent that the provision of the Services involves the transfer of Personal Data from the UK, Switzerland and/or the EEA either directly or via onward transfer to a Third Country, the Parties agree to comply with the Transfer Clauses, which are hereby incorporated into this DPA, as amended by clauses 3.4, 3.5, and 3.6 of this Schedule, as applicable. For purposes of the Transfer Clauses, the Agreement constitutes OpenAI’s written instructions, and OpenAI is the Data Exporter and Supplier is the Data Importer. The address and contact details of the Parties are set forth in the Agreement. The details of Processing and the Technical and Organizational Measures required for the purposes of the Appendix to the Transfer Clauses are set out in Schedules 1 and 2.
3.3 For the avoidance of doubt, to the extent clause 3.2 of this Schedule applies:
(a) The C-to-P Transfer Clauses will apply when OpenAI is the Controller and Supplier is the Processor of Personal Data; or
(b) The P-to-P Transfer Clauses will apply when OpenAI is the Processor and Supplier is the Subprocessor of Personal Data.
3.4 For purposes of the Transfer Clauses, the following additional provisions will apply:
(a) The Party's signature to this DPA will be considered as signature to the Transfer Clauses;
(b) Supplier agrees to observe the terms of the Transfer Clauses without modification;
(c) Neither clause 7 (optional docking clause) nor the optional independent dispute resolution provision within clause 11(a) of the Transfer Clauses are used;
(d) Option 2 (General Written Authorization for Subprocessors) is selected for Clause 9(a) of the Transfer Clauses, with a specific time period of thirty (30) days;
(e) With respect to clause 12(a) of the Transfer Clauses, the Parties agree that (i) liability between the Parties will be determined by any liability and/or indemnification provisions in the Agreement and this DPA; (ii) nothing in Clause 12(a) will change the interpretation of such liability and/or indemnification provisions in the Agreement or this DPA; and (iii) notwithstanding this clause 3.4(c) of Schedule 2, each Party remains liable to the Data Subject as contemplated in clause 12 of the Transfer Clauses;
(f) With respect to Clause 13(a), the competent supervisory authority will be the Irish Data Protection Commission;
(g) With respect to Clause 17 of the Transfer Clauses, if the Agreement is not governed by EU Member State law, the Transfer Clauses will be governed by the laws of the Republic of Ireland;
(h) With respect to Clause 18(b) of the Transfer Clauses, if the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with the Agreement, the Parties agree that the courts of the Republic of Ireland will have exclusive jurisdiction to resolve any dispute arising from the Transfer Clauses;
(i) If so required by the laws or regulatory procedures of any jurisdiction, the Parties will execute or re-execute the Transfer Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required; and
(j) In the event of any irreconcilable conflict between any provision of the Agreement, this DPA, and/or the Transfer Clauses, the Transfer Clauses shall take precedence.
3.5 To the extent the Services involve the transfer of Personal Data subject to UK Data Protection Law and where such Personal Data is transferred either directly or via onward transfer to a Third Country, the Parties agree to comply with the terms of Part 2: Mandatory Clauses of the Approved Addendum, as it is revised under Section 18 of those Mandatory Clauses. The Parties also agree that the information included in Part 1 of the Approved Addendum is set out in Schedule 1 to this DPA. The Parties also agree that OpenAI may end the Addendum as set out in Section 19 of the Addendum.
3.6 To the extent the Services involve the transfer of Personal Data subject to the FADP, and where such Personal Data is transferred either directly or via onward transfer to a Third Country, the Parties agree that: (a) general and specific references in the Transfer Clauses to the “EU GDPR”, “Union”, “EU” or “Member State” Law will hereby be deemed to have the same meaning as the equivalent reference in the FADP; (b) any other obligation in the Transfer Clauses determined by the Member State in which the data exporter or Data Subject is established will hereby be deemed to refer to an obligation under the FADP; and (c) the term "EU Member State" must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of bringing legal proceedings against the data exporter and/or data importer before the courts of Switzerland.
3.7 The Transfer Clauses will not apply to transfers of Personal Data where Supplier has adopted an alternative recognized compliance mechanism for the lawful transfer of such Personal Data, such as the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, or the UK Extension to the EU-U.S. Data Privacy Framework, as applicable and to the extent valid (“Data Privacy Framework”). Where Supplier has a valid certification to the applicable Data Privacy Framework, the Parties agree that such transfer will be made in reliance on the Data Privacy Framework and that Supplier will Process Personal Data in compliance with the Data Privacy Framework principles.
4. Japan
To the extent the APPI applies to the Processing of Personal Data, in addition to the terms of the DPA, Supplier agrees as follows with respect to that Personal Data:
4.1 For purposes of this Section, the term "Personal Data" means information in a searchable form that can identify a specific individual by name, date of birth, or other description contained in such information (including if combining such information with other information enables the identification of a specific individual), as defined under the APPI.
4.2 Supplier will only Process Personal Data for the purposes specified in Schedule 1 (the “Utilization Purposes”).
4.3 Supplier will exercise the necessary and appropriate control and supervision over its officers, employees, contractors, and suppliers to securely manage the Personal Data received.
4.4 Subject to Section 5 of the body of the DPA, where Supplier engages a Subprocessor, it will exercise necessary and appropriate control and supervision over the entrustee, and over all subsequent entrustees, so that the Processing of such Personal Data is undertaken in accordance with Data Protection Laws and this DPA.
4.5 To the extent required by the APPI, and subject to Section 6.2 of the body of the DPA, upon request of a Data Subject, Supplier (or OpenAI on behalf of Supplier, if OpenAI has received the request from the Data Subject) will provide to the Data Subject information about its transfer or other Processing of the Data Subject’s Personal Data as required under the APPI, including the type of Personal Data transferred or Processed, the location of any transferee, and any aspect of the local laws that prevent a transferee from complying with the data protection obligations as set forth in this DPA.
4.6 When handling Personal Data in a foreign country outside of Japan, the EEA, or UK (including the use of offshore cloud services provided by Supplier or a third party), upon OpenAI's request, Supplier will provide the following information to OpenAI, to the extent necessary for OpenAI to comply with the APPI, and to the extent OpenAI does not have reasonable access to the relevant information and Supplier has access to and is not legally or contractually prevented from providing the relevant information to OpenAI: (a) the name of the foreign country; (b) details about the systems used to Process Personal Data offshore and the security systems and safeguards in place to protect such Personal Data; and (c) any circumstances that reasonably would impair Data Subjects’ rights or undermine the OECD’s 8 Principles. In the event any of the information in items (a) or (b) is not reasonably available to either Party, Supplier will, upon OpenAI's request, provide OpenAI with such assistance as may be reasonably necessary to obtain such information.
4.7 When handling Personal Data in a foreign country outside of Japan, Supplier will maintain safeguards to protect such Personal Data, and will notify OpenAI, including upon OpenAI's request, of any circumstance that may render Supplier unable to maintain the same level of protection for Personal Data as required by Data Protection Laws or this DPA, including without limitation a failure of data security safeguards of Supplier or its Subprocessor or changes in Data Protection Laws. Upon receipt of such notification, Supplier agrees that OpenAI may, in OpenAI’s sole discretion, suspend or cease Personal Data transfers to Supplier or require that Supplier cease Personal Data transfers to affected Subprocessors.
4.8 To the extent required by the APPI, if a Data Subject has reasonably shown that (a) Supplier is Processing their Personal Data in violation of the APPI or this DPA, including without limitation Processing outside of the Utilization Purposes or the unlawful provision of Personal Data to a third party, or (b) their Personal Data was acquired by improper means, pursuant to OpenAI’s instructions, each relevant Supplier will delete (in accordance with Section 3.5 of the body of the DPA) or cease Processing such Personal Data; provided, however, that such deletion or cessation is not required where it would be unreasonably expensive or unreasonably difficult to do so, or where the Parties agree that an alternative action may be taken to remedy (a) or (b).
4.9 To the extent required by the APPI, pursuant to the instructions of OpenAI, each relevant Supplier will delete, stop utilizing the Personal Data and stop providing Personal Data to a third party, if the Data Subject has shown that (a) the Personal Data is no longer needed for the Supplier for the purposes of use; (b) a data breach incident has occurred; or (c) there is a possibility that the right or legitimate interest of the Data Subject may be harmed.
5. South Korea
To the extent the PIPA applies to the Processing of Personal Data, in addition to the terms of the DPA, Supplier agrees as follows with respect to that Personal Data:
5.1 Notwithstanding Sections 5 and 8 of the body of the DPA, Supplier will not disclose or transfer to any person or entity any Personal Data unless it obtains prior consent to transfer from relevant Data Subjects or otherwise does so in accordance with applicable provisions of the PIPA.
5.2 Subject to Section 6 of the body of the DPA, Supplier will establish and implement appropriate procedures for (a) the handling of complaints regarding invasions of privacy, and (b) the resolution of any disputes with Data Subjects.
5.3 Supplier acknowledges it will be subject to (a) training and supervision by OpenAI with respect to Supplier’s handling of Personal Data, and (b) supervision and audit by relevant governmental authorities.