Connecticut Privacy Addendum
Version 1.1.0
CDCK and Customer agree to add the following terms to their Agreement:
Compliance
Both sides agree to do their respective parts to comply with Connecticut Public Act No. 22-15, the Connecticut Data Privacy Act, consistent with Customer’s role as controller and CDCK’s role as processor.
Cooperation
Whenever it is feasible and legal to do so, each side will give the other prompt Notice of consumer rights requests, regulatory inquiries, and other communications under the Connecticut Data Privacy Act. Both sides agree to cooperate in good faith to respond to and honor such communications.
Security and Breach Response
Taking into account the nature of processing and the information available to CDCK, CDCK will give Customer reasonable assistance in meeting the Customer’s obligations to secure personal data and notify of breaches.
Processor Requirements
CDCK and Customer intend the following terms to meet the requirements of section 7(b) of the Connecticut Data Privacy Act:
Processing
CDCK will process personal data on Customer’s behalf and in accordance with Customer’s instructions in order to provide services under the Agreement, for the duration of the Agreement.
Confidentiality
CDCK will ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data.
Deletion or Return
At Customer’s direction, CDCK will delete or return all personal data to Customer as requested at the end of the provision of services, unless retention of the personal data is required by law.
Make Available
Upon the reasonable request of Customer, CDCK will make available to Customer all information in its possession necessary to demonstrate CDCK’s compliance with the obligations of the Connecticut Data Privacy Act.
Assessments
CDCK will allow, and cooperate with, reasonable assessments of Connecticut Data Privacy Act compliance by Customer or Customer’s designated assessor. Alternatively, CDCK may arrange for a qualified and independent assessor to conduct an assessment of CDCK’s policies and technical and organizational measures in support of the obligations under the Connecticut Data Privacy Act using an appropriate and accepted control standard or framework and assessment procedure for such assessments. CDCK shall provide a report of such independent assessment to Customer upon request.
Subcontractors
CDCK will provide Customer the opportunity to object to the engagement of any subcontractor by giving Customer seven calendar days’ advance Notice. CDCK will engage any subcontractor pursuant to a written contract in accordance with Connecticut Data Privacy Act section 7(b)(4) that requires the subcontractor to meet the obligations of CDCK with respect to the personal data.
De-Identified Data
If CDCK receives de-identified data from Customer, CDCK will comply with sections 1 to 11 of the Connecticut Data Privacy Act, inclusive.
Conflicts
If the terms of this addendum conflict with terms of the Agreement, the terms of this addendum take precedence for personal data subject to the Connecticut Data Privacy Act.
Terminology
-
This addendum uses the terms consumer, de-identified data, processing, processor, and controller as defined by the Connecticut Data Privacy Act.
-
This addendum uses the term personal data as defined by the Connecticut Data Privacy Act, limited to consumer personal data processed by CDCK on behalf of Customer.
-
This addendum uses the term Notice as defined in the Agreement.