Landis+Gyr Data Processing Terms

Landis+Gyr
Cloud Data Processing and Security Terms

These Landis+Gyr Cloud Data Processing and Security Terms (the “Terms”) are incorporated into the agreement under which Landis+Gyr has agreed to provide Cloud Software, including HES Emerge, and related technical support to Customer (the “Agreement”).

1 Commencement

These Terms will be effective and replace any previously applicable data processing and security terms from the Terms Effective Date (as defined below).

2 Definitions

2.1 Capitalized terms defined in the Agreement apply to these Terms. In addition, in these Terms:

“Applicable Data Privacy Laws” means all applicable laws including those arising under common law, statutes, codes, rules, regulations, directives, reporting or licensing requirements, decrees, orders, ordinances and other pronouncements having the effect of law with respect to the processing of personal data in order for Landis+Gyr to render the Services for the Customer. For purposes of clarity, this includes but is not limited to Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”); the United Kingdom (“UK”)’s Data Protection Act 2018 and the EU GDPR as transposed into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”); the Swiss Federal Act on Data Protection ("Swiss DPA"); the Australia Privacy Act No. 119 1988 (as amended) and the Australian Privacy Principles Guidelines; the New Zealand Privacy Act of 2020 (as amended); the Singapore Personal Data Protection Act No. 26 of 2012 (as amended in 2020); the China Personal Information Protection Law (“PIPL”); the Indian Digital Personal Data Protection Act; the Hong Kong Personal Data Privacy Ordinance, Cap. 486 (as amended in 2021); the Brazilian Data Protection Law No.13,709/18 (“LGPD”) (as amended by Law No. 13,853/2019); the California Consumer Privacy Act of 2018 (“CCPA”) (as amended from time to time, including pursuant to the California Privacy Rights Act of 2020 (“CCPA”)); and any law, regulation, act, measure, or guidance implementing Applicable Data Privacy Laws, as well as any other data protection privacy and information security laws and regulations that may apply where the Services are offered.

“Customer End Users” refers to data subjects about whom Personal Data is collected and processed by the Customer and its processors within the scope of Services.

“Customer Personal Data” means the Personal Data as defined in the Agreement, including any special categories of personal data defined under Applicable Data Privacy Laws.

“Data Incident” means a breach of Landis+Gyr’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Landis+Gyr.

“Landis+Gyr’s Third Party Auditor” means a Landis+Gyr-appointed, qualified and independent third party auditor, whose then-current identity Landis+Gyr will disclose to Customer.

“Instructions” has the meaning given in Section 5.2.1 (Customer’s Instructions).

“SCCs” means the Standard Contractual Clauses (SCCs): EU Controller-to-Processor; EU Processor-to-Processor; EU Processor-to-Controller; UK Controller-to-Processor; or any other equivalent SCCs as applicable according to Applicable Data Privacy Laws..

“Security Measures” has the meaning given in Section 7.1.1 (Landis+Gyr’s Security Measures).

“Subprocessor” means a third party authorized as another processor under these Terms to have logical access to and process Customer Data in order to provide parts of the Services.

“Supervisory Authority” means a government or regulatory body having authority over the collection and processing of Personal Data within the scope of Applicable Data Privacy Laws.

“Term” means the period from the Terms Effective Date until the end of Landis+Gyr ’s provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Landis+Gyr may continue providing the Services for transitional purposes.

“Terms Effective Date” means the date on which Customer accepted, or the parties otherwise agreed to, these Terms.

3 Duration

These Terms are effective as of the Agreement date and shall remain in force during the term of the Agreement. These Terms shall terminate automatically with the termination or expiry of the Agreement.

4 Scope of Data Protection Law

4.1 Except to the extent these Terms state otherwise, these Terms will apply irrespective of whether Applicable Data Privacy Laws apply to the processing of Customer Personal Data.

5 Processing of Data

5.1 Responsibilities of Landis+Gyr and Customer

(a) Both parties agree to the subject matter and details of the processing as described in Appendix 1;

(b) Landis+Gyr is a processor, or its equivalent under Applicable Data Privacy Laws, of Customer Personal Data;

(d) Customer ensures that Customer End Users have been provided with the information related to the processing of their Personal Data, in accordance with Applicable Data Privacy Laws,

(e) Customer ensures that Customer End Users have provided their consent, if required, and have the possibility to exercise their rights as may be relevant under Applicable Data Privacy Laws;

(f) Customer shall provide Landis+Gyr, upon request, with proof of consent, or of any legal basis justifying the lawfulness of the processing; and

(g) each party will comply with the obligations applicable to it under Applicable Data Privacy Laws with respect to the processing of Customer Personal Data.

5.2 Customer as a Processor or its equivalent under Applicable Data Privacy Laws.. If Applicable Data Privacy Laws apply to the processing of Customer Personal Data and if Customer is a processor, or its equivalent according to Applicable Data Privacy Laws:

(a) Customer warrants on an ongoing basis that the relevant controller, or its equivalent under Applicable Data Privacy Laws, has authorized: (i) the Instructions, (ii) Customer’s appointment of Landis+Gyr as another processor, and (iii) Landis+Gyr’s engagement of Subprocessors as described in Section 11 (Subprocessors);

(b) Customer will immediately forward to the relevant controller any notice provided by Landis+Gyr under Sections 5.2.3 (Instruction Notifications), 7.2.1 (Incident Notification), 9.2.1 (Responsibility for Requests), 11.4 (Opportunity to Object to Subprocessor Changes) or that refers to any SCCs; and

(c) Customer may make available to the relevant controller any other information made available by Landis+Gyr under Sections 10.4 (Supplementary Measures and Information), 10.7 (Data Center Information) and 11.2 (Information about Subprocessors).

5.3 Scope of Processing

5.3.1 Customer’s Instructions. Customer instructs Landis+Gyr to process Customer Personal Data only in accordance with applicable law: (a) to provide, secure, and monitor the Services; (b) as documented in the form of the Agreement (including these Terms); and (c) as further documented in any other written instructions given by Customer and acknowledged by Landis+Gyr as constituting instructions for purposes of these Terms (collectively, the “Instructions”). Landis+Gyr shall process the Personal Data solely for the purposes of the performance of this Agreement and within the limits and under the conditions set out in this Agreement.

5.3.2 Landis+Gyr ’s Compliance with Instructions. Landis+Gyr will comply with the Instructions unless prohibited by applicable law.

5.3.3 Instruction Notifications. Landis+Gyr will notify Customer if, in Landis+Gyr’s opinion: (a) applicable law prohibits Landis+Gyr from complying with an Instruction; (b) an Instruction does not comply with applicable law; or (c) Landis+Gyr is otherwise unable to comply with an Instruction, in each case unless such notice is prohibited by applicable law. This Section does not reduce either party’s rights and obligations elsewhere in the Agreement.

6 Data Deletion

6.1 Deletion by Customer. Landis+Gyr will enable Customer to delete Customer Personal Data during the Term in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Personal Data during the Term and that Customer Personal Data cannot be recovered by Customer, this use will constitute an Instruction to Landis+Gyr to delete the relevant Customer Personal Data from Landis+Gyr’s systems in accordance with applicable law. Landis+Gyr will comply with this Instruction as soon as reasonably practicable and within a maximum period of 180 days, unless applicable law requires a longer storage duration.

6.2 Return or Deletion at the end of the Term. If Customer wishes to retain any Customer Personal Data after the end of the Term, it may instruct Landis+Gyr in accordance with Section 9.1 (Access; Rectification; Restricted Processing; Portability) to return that data during the Term. Customer instructs Landis+Gyr to delete all remaining Customer Personal Data (including existing copies) from Landis+Gyr’s systems at the end of the Term in accordance with applicable law. After a recovery period of up to 30 days from that date, Landis+Gyr will comply with this Instruction as soon as reasonably practicable and within a maximum period of 180 days, unless applicable law requires a longer storage duration.

7 Data Security

7.1 Landis+Gyr’s Security Measures, Controls and Assistance.

7.1.1 Landis+Gyr’s Security Measures. Landis+Gyr will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”).

7.1.2 Access and Compliance. Landis+Gyr will: (a) authorize its employees, contractors and Subprocessors to access Customer Personal Data only as necessary to comply with Instructions; (b) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance; and (c) ensure that all persons authorized to process Customer Personal Data are under an obligation of confidentiality.

7.1.3 Landis+Gyr’s Security Assistance. Landis+Gyr will (taking into account the nature of the processing of Customer Personal Data and the information available to Landis+Gyr) provide reasonable assistance to Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller’s) obligations under Applicable Data Privacy Laws by:

(a) implementing and maintaining the Security Measures in accordance with Section 7.1.1 (Landis+Gyr’s Security Measures);

(b) complying with the terms of Section 7.2 (Data Incidents);

(d) if subsections (a)-(d) above are insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and assistance.

7.2 Data Incidents.

7.2.1 Incident Notification. Landis+Gyr will promptly notify Customer after becoming aware of a confirmed Data Incident, and take reasonable steps to minimize harm and secure Customer Personal Data.

7.2.2 Details of Data Incident. In the event of a confirmed Data Incident, Landis+Gyr’s notification of a Data Incident will describe: the nature of the Data Incident including the Customer resources impacted; the measures Landis+Gyr has taken, or plans to take, to address the Data Incident and mitigate its potential risk; the measures, if any, Landis+Gyr recommends that Customer take to address the Data Incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Landis+Gyr’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.

7.2.3 Delivery of Notification. Notification(s) by Customer to Landis+Gyr of any Data Incident(s) will be delivered to data.privacy@landisgyr.com.

7.2.4 No Assessment of Customer Data by Landis+Gyr. Landis+Gyr has no obligation to assess Customer Personal Data in order to identify information subject to any specific legal requirements.

7.2.5 No Acknowledgement of Fault by Landis+Gyr. Landis+Gyr’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Landis+Gyr of any fault or liability with respect to the Data Incident.

7.3 Customer’s Security Responsibilities and Assessment.

7.3.1 Customer’s Security Responsibilities. Without prejudice to Landis+Gyr’s obligations under Sections 7.1 (Landis+Gyr’s Security Measures, Controls and Assistance) and 7.2 (Data Incidents), and elsewhere in the Agreement, Customer is responsible for its use of the Services and its storage of any copies of Customer Personal Data outside Landis+Gyr’s or Landis+Gyr’s Subprocessors’ systems, including:

(a) using the Services to ensure a level of security appropriate to the risk to the Customer Personal Data;

(b) securing the account authentication credentials, systems and devices Customer uses to access the Services; and

7.3.2 Customer’s Security Assessment. Customer agrees that the Services, Security Measures implemented and maintained by Landis+Gyr, and Landis+Gyr’s commitments under this Section 7 (Data Security) provide a level of security appropriate to the risk to Customer Personal Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals).

7.4 Reviews and Audits of Compliance.

7.4.1 Customer’s Audit Rights.

(a) If Applicable Data Privacy Laws apply to the processing of Customer Personal Data, Landis+Gyr will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections), limited to once per year and conducted in a way that minimizes the impact on Landis+Gyr operations, to verify Landis+Gyr’s compliance with its obligations under these Terms in accordance with Section 7.4.2 (Additional Business Terms for Reviews and Audits). During an audit, Landis+Gyr will make available pertinent information necessary to demonstrate such compliance and contribute to the audit as described in Section 7.4 (Reviews and Audits of Compliance).

(b) Customer may conduct an audit to verify Landis+Gyr’s compliance with its obligations under these Terms by reviewing the Security Documentation (which reflects the outcome of audits conducted by Landis+Gyr’s Third Party Auditor).

7.4.2 Additional Business Terms for Reviews and Audits.

(a) Landis+Gyr may charge a fee (based on Landis+Gyr’s reasonable costs) for any audit under Section 7.4.1(a) or 7.4.1(b). Landis+Gyr will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

(b) Landis+Gyr may object in writing to an auditor appointed by Customer to conduct any audit under Section 7.4.1(a) or 7.4.1(b) if the auditor is, in Landis+Gyr’s reasonable opinion, not suitably qualified or independent, a competitor of Landis+Gyr, or otherwise manifestly unsuitable. Any such objection by Landis+Gyr will require Customer to appoint another auditor or conduct the audit itself.

8 Impact Assessments and Consultations

Landis+Gyr will (taking into account the nature of the processing and the information available to Landis+Gyr ) provide reasonable assistance to Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller’s) obligations under Applicable Data Privacy Laws by:

(a) providing the information contained in the Agreement (including these Terms); and

(b) if subsections (a) and (b) above are insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and assistance.

9 Data Subject Rights

9.1 Access; Rectification; Restricted Processing; Portability. During the Term, Landis+Gyr will enable Customer, in a manner consistent with the functionality of the Services, to access, rectify and restrict processing of Customer Personal Data, including via the deletion functionality provided by Landis+Gyr as described in Section 6.1 (Deletion by Customer), and to transfer Customer Personal Data. If Customer becomes aware that any Customer Personal Data is inaccurate or outdated, Customer will be responsible for using such functionality to rectify or delete that data if required by Applicable Data Privacy Laws.

9.2 Data Subject Requests.

9.2.1 Responsibility for Requests. During the Term, if Landis+Gyr’s Data Protection Officer receives a request from a data subject that relates to Customer Personal Data and identifies Customer, Landis+Gyr will: (a) advise the data subject to submit their request to Customer; (b) promptly notify Customer; and (c) not otherwise respond to that data subject’s request without authorization from Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.

9.2.2 Landis+Gyr’s Data Subject Request Assistance. Landis+Gyr will (taking into account the nature of the processing of Customer Personal Data) provide reasonable assistance to Customer in fulfilling its (or, where Customer is a processor, the relevant controller’s) obligations under Applicable Data Privacy Laws to respond to requests for exercising the data subject’s rights by:

(a) complying with Sections 9.1 (Access; Rectification; Restricted Processing; Portability) and 9.2.1 (Responsibility for Requests); and

10 Data Transfers

10.1 Data Storage and Processing Facilities. While Customer Personal Data will be stored in accordance with the Agreement, Customer Personal Data may be processed in any country in which Landis+Gyr, its affiliates or its Subprocessors conduct business.

10.2 Restricted Transfers. If the processing of Customer Personal Data involves any cross-border data transfers that are not permitted under Applicable Data Privacy Laws, then Landis+Gyr will comply with any legal, organizational or technical requirements to conduct necessary cross-border data transfers according to Applicable Data Privacy Laws and within the scope of its Services.

10.3 EU-US Data Privacy Framework: In compliance with EU and US data transfer requirements, Landis+Gyr adheres to the EU-US Data Privacy Framework.

11 Subprocessors

11.1 Consent to Subprocessor Engagement. Customer specifically authorizes the engagement as Subprocessors of those entities listed in Section 2 in Appendix 1 as of the Terms Effective Date at the URLs specified in Section 11.2 (Information about Subprocessors). In addition, without prejudice to Section 11.4 (Opportunity to Object to Subprocessor Changes), Customer generally authorizes the engagement as Subprocessors of any other third parties (“New Subprocessors”).

11.2 Requirements for Subprocessor Engagement. Landis+Gyr’s will ensure that any Subprocessor complies with equivalent provisions of these Terms, and provides the sufficient guarantees that appropriate technical and organizational security measures are implemented. Landis+Gyr shall remain responsible for the processing of Personal Data and for any acts and omissions of its Subprocessors.

11.3

11.4 Opportunity to Object to Subprocessor Changes

(a) When any New Subprocessor is engaged during the Term, Landis+Gyr will, at least 10 days before the New Subprocessor starts processing any Customer Personal Data, notify Customer of the engagement.

(b) Customer may, within 10 days after being notified of the engagement of a New Subprocessor, object by notifying Landis+Gyr while justifying its objections so that both parties can identify an appropriate solution.

12 Data Protection Officer; Processing Records

12.1 Landis+Gyr’s Data Protection Officer. Landis+Gyr’s Data Protection Officer will provide reasonable assistance with any Customer queries related to processing of Customer Personal Data under the Agreement and can be contacted at Data.Privacy@landisgyr.com (and/or via such other means as Landis+Gyr may provide from time to time).

12.2 Landis+Gyr’s Processing Records. Landis+Gyr will keep appropriate documentation of its processing activities as required by Applicable Data Privacy Laws. To the extent the Applicable Data Privacy Lawsrequire Landis+Gyr to collect and maintain records of certain information relating to Customer. Landis+Gyr may make any such information available to a Supervisory Authority if required by Applicable Data Privacy Laws.

13 Interpretation

13.1 Precedence. To the extent of any conflict or inconsistency between:

(a) these Terms and the remainder of the Agreement, these Terms will prevail; and

(b) any SCCs (which are incorporated by reference into these Terms) and the remainder of the Agreement (including these Terms), the SCCs will prevail.

13.2 No Modification of SCCs. Nothing in the Agreement (including these Terms) is intended to modify or contradict any SCCs or prejudice the fundamental rights or freedoms of Customer End Users under Applicable Data Privacy Laws.

13.3 These Terms are subject to the Parties’ choice of law and forum identified in the Agreement, except insofar as such choice conflicts with applicable laws.

APPENDIX 1: Personal Data Processing Characteristics

1. Description of the Processing of Personal Data

Details on the processing of Customer Personal Data are set out in the Agreement. Customer Personal Data is processed to enable the Customer to use the Services. The Processing takes place for the term of the Agreement and as long as Customer uses the Services.

Categories of Customer Personal Data include all data that may be used to identify a data subject, directly or indirectly, as part of the Services provided to Customer. These categories may include the following Customer Personal Data relating to the electrical grid, meters and related Services such as data on metering point data, metering point state, metering data, end device id, end device event, Customer’s end consumer contract data, electricity product, system user details, metering point picture and work order data. Affected data subjects are Customer, its employees, partners, end-customers and other data subjects where their data is processed as part of the Services.

2. List of Landis+Gyr authorized subprocessors

#	Name	Country	Processing carried out
1.	Netapp	USA	Data transfer to secure file transfer protocol for customers
2.	Mong DB Atlas	USA	specific managed database service for AGA
3.	Google Enterprise Cloud	USA	Information about Google’s Subprocessors including their functions and locations, is available at: https://cloud.google.com/terms/subprocessors

APPENDIX 2: technical and organizational measures for data security

See https://landis.com/securityterms/ which sets forth the technical and organizational measures that the Processor will follow with respect to maintaining the security of the Personal Data provided by the Controller, or its equivalent under Applicable Data Privacy Laws, under the SCCs.

Additional information the technical and organizational measures of the subprocessor Google can be found in Appendix 2 to the Data Processing and Security Terms (Customers) available at https://cloud.google.com/terms/data-processing-terms.