Data processing agreement

This Data Processing Agreement (this “DPA”) is entered into by and between TM Forum, A New Jersey Non-Profit Corporation, having its registered office at 181 New Road, Suite 304, Parsippany, NJ 07054, United States ("TM Forum" or "Company") and the entity that has entered into one or more commercial agreements with TM Forum that incorporate this DPA by reference ("Member"). Company and Member are each described as a “Party” and, together, as the “Parties.”

This DPA applies to and governs the Processing of Personal Data by either Party under any commercial agreement between Company and Member that incorporates this DPA by reference (each, a "Contract") to the extent that either or both Parties are subject to Data Protection Laws. Company enters into this DPA on behalf of itself and, to the extent applicable, in the name and on behalf of its affiliates. This DPA applies to Company's sharing and Member's receipt of Personal Data for the purpose of providing the Services under the Contract. In the event of any conflict between the terms of this DPA, including any appendices referenced herein, and the Contract, the terms of this DPA shall govern.

ARTICLE 1. DEFINITIONS

Capitalized terms not defined in context or in the Contract shall have the meanings assigned to them below: 

(a) “Appropriate Safeguards” shall have the meaning set forth in Article 46 of the GDPR (defined hereinafter) and other analogous Data Protection Laws, such as legally binding and enforceable instruments between public authorities or bodies, binding corporate rules or standard data protection clauses adopted by the European Commission of the European Union.

(b) “Controller” shall have the meaning set forth in Article 4(7) of the GDPR and other analogous Data Protection Laws and means, within the context of this DPA, Company and/or its Affiliate and Member, inasmuch as each determines the purposes and means of the processing of the Company Personal Data. Both Member and Company are independent Controllers with respect to the Personal Data pursuant to this DPA.

(c) “Data Protection Laws” means, to the extent applicable, all laws and regulations applicable to the Processing of Personal Data, including laws and regulations of the European Union, the European Economic Area (EEA) and their Member States, the United Kingdom, and, as the case may be, of any other country that has implemented data protection principles similar to the GDPR and has been recognized by the European Commission as providing an adequate level of protection, applicable to the processing of Personal Data under this DPA. For the purposes of this DPA, it also includes the California Consumer Privacy Act of 2018 as amended (California Civil Code § 1798.100, hereinafter “CCPA”).

(d) “Data Subject” shall have the meaning set forth in Article 4(1) of the GDPR and other analogous Data Protection Laws and means any natural person to whom Company Personal Data relates and, mutatis mutandis, “consumers” for the purpose of the CCPA.

(e) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, as may be amended from time to time over the performance of the Contract. 

(f) “Personal Data” shall have the meaning set forth in Article 4(1) of the GDPR and other analogous Data Protection Laws and means any information relating to a Data Subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject.

(g) “Personal Data Breach” shall have the meaning set forth in Article 4(12) of the GDPR and other analogous Data Protection Laws and means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

(h) “Processing” shall have the meaning set forth in Article 4(2) of the GDPR and other analogous Data Protection Laws and means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(i) “Processor” shall have the meaning set forth in Article 4(8) of the GDPR and other analogous Data Protection Laws and, within the context of this DPA, means a party that Processes Personal Data on behalf and further to instructions of Controller.

(j) “Sell”/“Sale” has the meaning as may be set forth in Data Protection Laws (e.g. CCPA). By example, and not by way of limitation, “Sell” may mean selling, renting, releasing, disclosing, disseminating, making available or transferring Personal Data to a third party for monetary or other valuable consideration. 

(k) “Services” shall mean any services provided by Company to Member under the Contract.

(l) “Share” has the meaning as may be set forth in Data Protection Laws (e.g. CCPA). By example, and not by way of limitation “Share” may mean any disclosure of Personal Data (renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means) to a third party for cross-contextual behavioral advertising.

(m) “Supervisory Authority” shall have the meaning set forth in Article 4(21) of the GDPR and other analogous Data Protection Laws and means an independent public authority established by a European Member State pursuant to Article 51 of the GDPR and, mutatis mutandis, the “California Attorney General” for the purpose of the CCPA.

(n) “UK GDPR” means the Retained Regulation (EU) 2016/679 (UK GDPR) and the Data Protection Act 2018 (DPA 2018). 

ARTICLE 2. CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS

Each Party is authorized to Process the Personal Data for the specific purposes defined in Appendix 1 to this DPA.

ARTICLE 3. MEMBER COMMITMENTS

(a) Member shall not copy, use, reproduce, display, perform, sell, modify, destroy, or transfer any Personal Data, works derived from the Personal Data, or anything that includes any Personal Data, to any third party, except as otherwise expressly set out in the Contract or this DPA.

(b) Member will comply with the Data Protection Laws and will notify Company immediately if it makes a determination that it can no longer meet its obligations under Data Protection Laws.

(c) Member undertakes to keep and maintain adequate and complete documentation of all Processing or use of Personal Data by Member under this DPA. 

ARTICLE 4. COOPERATION 

Each party will assist the other Party by providing the other Party with all necessary cooperation, assistance, and information as may be reasonably required for the purpose of responding to, complying with, and otherwise fulfilling each Party’s obligations in relation to Data Subject requests that are required by Data Protection Laws or other applicable law.

ARTICLE 5. AUDIT RIGHTS

Upon Company’s request and subject to confidentiality obligations of the Contract, if any, Member will make available to Company information necessary to demonstrate its compliance with the obligations laid down in this DPA. Member shall allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company, provided such an auditor is not a competitor of Member and has duly executed a non-disclosure agreement with Member. The Company may contact the Member in accordance with the “Notices” Section of the Contract to request an on-site audit with at least thirty (30) days’ prior written notice. Each audit shall be limited to a review of the architecture, systems, and procedures relevant to the protection of Personal Data at any locations where Personal Data is stored by the Member. Before the commencement of any such on-site audit, the Parties shall mutually agree upon the scope, timing, and duration of the audit, none of which shall adversely impact the Member’s business activities. Company shall promptly notify Member of any non-compliance by Member discovered during the course of an audit. Such an audit will be limited to once in any twelve-month period, except where the Company is able to show that an additional audit over this time period has been mandated by a Supervisory Authority or subsequent to a Data Breach on the Member’s infrastructure. All costs for audits shall be borne by Company, except where such audit is subsequent to a Data Breach on Member’s infrastructure.

ARTICLE 6. DATA TRANSFERS

(a) Where required, international transfers of Personal Data must be supported by an approved adequacy mechanism (e.g. the EU-US Data Privacy Framework (“DPF”)) or appropriate safeguards. Unless the Parties are able to avail themselves of an alternative transfer mechanism based on an adequacy mechanism approved by the EEA, Switzerland and the UK (“Adequacy Mechanism”, e.g. the DPF), the Parties agree that the EU Standard Contractual Clauses, reflecting the roles of the Parties as described in the form approved by the European Commission and currently available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en (as amended or updated from time to time) (“EU SCCs”) and the United Kingdom International Data Transfer Addendum and currently available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ (as amended or updated from time to time) (“UK Addendum”) shall be used as the appropriate safeguards for restricted transfers and Processing of Client Personal Data and are incorporated in and form an integral part of this DPA. If the Parties cannot rely on an Adequacy Mechanism, with respect to facilitating international transfers of Personal Data of EEA, Swiss, and United Kingdom residents, the Parties hereby execute and annex to this DPA the EU SCCs, including the UK Addendum as further described in Article 6(b) and 6(c). 

(b) With respect to transfers of Personal Data pursuant to the EU SCCs, the election of specific terms and/or optional clauses is described in more detail below, and any optional clauses not expressly selected are not included:

  • The Module 1 terms apply;
  • The optional Clause 7 in Section I of the EU SCCs is incorporated;
  • The optional paragraph in Clause 11 of the EU SCCs is not incorporated;
  • For purposes of Clause 13 and Annex 1.C of the SCCs, Member shall maintain accurate records of the applicable Member State(s) and competent Supervisory Authorities, which shall be made available to Company on request;
  • For purposes of Clause 17 and Clause 18 of the EU SCCs, Option 1 of Clause 17 is selected and the Member State for purposes of governing law and jurisdiction shall be Ireland;
  • For purposes of Annex 1.A of the Appendix, the “data importer” shall be Member and the “data exporter” shall be Company;
  • For purposes of Annex 1.B of the Appendix, the description of the transfer is as described in Appendix 1 of this DPA;
  • For purposes of Annex 1.C, the competent supervisory authority shall be the Data Protection Commission of Ireland;
  • For purposes of Annex II of the Appendix, the technical and organization measures are those measures implemented by Member as described in Appendix 2 of this DPA; and

(c) With respect to transfers of Personal Data pursuant to the UK Addendum, the election of specific terms and/or optional clauses is described in more detail below, and any optional clauses not expressly selected are not included:

  • Part 1: Tables
  1. Table 1: The Parties: as detailed in Article 8(b)(vi).
  2. Table 2: Selected SCCs, Modules and Selected Clauses: as detailed in Article 8(b)(i)-(iii).
  3. Table 3: Appendix Information: means the information which must be provided for the selected modules as set out in the Appendix of the SCCs (other than the Parties), and which is set out in Article 8(b)(vi), (vii), and (ix).
  4. Table 4: The Exporter may end the UK Addendum as set out in Section 19 of the UK Addendum.
  • Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022, as it is revised under Section 18 of those Mandatory Clauses.

(d) For purposes of any transfers of Company Personal Data also subject to Switzerland’s Federal Act on Data Protection of 19 June 1992 (“FADP”) facilitated by use of the EU SCCs: (i) the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of bringing legal proceedings to enforce their rights in their place of habitual residence in accordance with Clause 18(c) and (ii) the clauses also protect the data of legal entities until the entry into force of the revised FADP.

(e) In case of conflict, such attachments with EU SCCs or the UK Addendum shall take precedence where applicable over the terms of the DPA.

ARTICLE 7. PERSONAL DATA BREACH NOTIFICATION

Member maintains specific procedures to discover, remedy, investigate, and log any Personal Data Breach and shall notify the Company of all actual or suspected Personal Data Breaches relating to the Personal Data. Taking into account the nature of the processing and the information available to Member, Member shall provide Company with all reasonable assistance and cooperation for the purpose of notification of any such Personal Data Breach to any Supervisory Authority and/or communication thereof to the Data Subjects. In particular, the Member agrees to make good faith efforts to identify the cause of such Personal Data Breach and take such steps as the Member and/or Company deems necessary and reasonable to remediate the cause of the Personal Data Breach. The obligations herein shall not apply to the extent that the Personal Data Breach is caused by Company and/or the Company’s Affiliates.

ARTICLE 8. DATA PROTECTION IMPACT ASSESSMENT

Upon Company’s request, Member shall provide Company with all reasonable cooperation and assistance as needed to fulfill Company’s obligation under Data Protection Laws to carry out a data protection impact assessment, risk assessment, or cybersecurity audits related to the Personal Data, to the extent such information is available to Member. Member shall provide all reasonable assistance to Company in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Article to the extent required under Data Protection Laws.

ARTICLE 9. TECHNICAL AND ORGANIZATIONAL MEASURES; RETENTION OF PERSONAL DATA

The Member will use the appropriate technical and organizational measures set out in Appendix 2 to the DPA in its processing of Personal Data hereunder. Company agrees that Member may modify the measures taken in Appendix 2 in protecting Personal Data so long as it does not diminish the level of data protection provided and upon prior information of Company. Member represents that it has a written data retention and deletion policy which complies with Data Protection Laws and other applicable laws. Member shall retain Personal Data for no longer than as necessary considering the business purposes listed in Appendix 1. Member will adhere to any of Company’s data retention policies as may be communicated to Member by Company in writing.

ARTICLE 10. UNITED STATES OBLIGATIONS

(a) Member is a business and/or a third party pursuant to the CCPA. 

(b) The Parties disclose Personal Data for the specific business purposes set forth in Appendix 1.

(c) Member is prohibited from attempting to identify or re-identify any Data Subject and shall not associate any personal information with any Data Subject or any Data Subject’s online activity, other than as strictly required to provide the Services for Company.

(d) Member will permit Company (i) to take reasonable and appropriate steps to ensure Member uses Personal Data in a manner consistent with Data Protection Laws; and (ii) the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Member.

(e) To the extent any of Company’s disclosures or transfers of Personal Data to Member is considered a Sale or Sharing of Personal Data, Member (i) agrees to comply (and agrees to ensure that downstream third parties in receipt of such Personal Data comply) with any Data Subject request to opt-out of Selling or Sharing forwarded to Member by Company, and (ii) represents and warrants that Member and the downstream third parties in receipt of such Personal Data have the technical capabilities to fulfill any such Data Subject request to opt-out of Selling or Sharing. 

ARTICLE 11. LIABILITY AND INDEMNIFICATION

Each Party represents and warrants that it will indemnify and hold the other Party harmless against any loss and damage to the latter resulting from a breach by said Party, its staff, or Processors of its contractual obligations under this DPA and/or any Data Protection Laws, including, but not limited to, loss of profits, reputation, image or business opportunity, and reasonable attorney's fees.

ARTICLE 12. EFFECTIVE DATE

This DPA shall come into force on the effective date of the Contract that incorporates it by reference. It shall automatically terminate when all Contracts incorporating it have terminated or expired, notwithstanding the survival of relevant provisions for as long as Personal Data related to a Party is retained by the other Party.

ARTICLE 13. GOVERNING LAW AND VENUE

This DPA shall be governed by and construed in accordance with the laws of the State of New Jersey (excluding its rules on conflict of law).

The Parties irrevocably submit to the exclusive jurisdiction of the competent courts of New Jersey, said courts having jurisdiction to hear and decide any suit, action, or proceedings and/or to settle any disputes that may arise out of or in connection with this DPA.

ARTICLE 14. MISCELLANEOUS

This DPA prevails over any previous agreements with respect to this subject matter and, in particular, cancels and replaces any particular provisions in the Contract that may have been related to the Processing of Personal Data. This DPA may be executed in counterparts, including by electronic signature, each of which, when executed and delivered, shall constitute a duplicate original, but both counterparts shall together constitute one agreement. A signed copy of this DPA delivered by facsimile, email, or other means of electronic transmission has the same legal effect as delivery of an original signed copy of this DPA.

IN WITNESS WHEREOF, the parties have caused this DPA to be signed by their respective duly authorized representatives, all as of the Effective Date.

This DPA is incorporated by reference into and forms part of the Contract between TM Forum and Customer. No signatures on this DPA are required for it to be binding on the Parties.

Appendix 1 to the DPA

Description of the Processing Operations

Controller/Data Exporter:

  • TM Forum

Controller/Data Importer:

  • Member

Categories of Data Subjects:

  • TM Forum event attendees, website users, platform users, employees of Member organizations, and other individuals whose personal data is processed in connection with TM Forum services

Categories of Personal Data:

  • Personal identification data (including names, email addresses, telephone numbers), professional information (including job titles, employer names, professional credentials), contact information (including business address, country of residence), event participation data, platform usage data, and any other personal data processed in connection with TM Forum services

Frequency of Transfer

  • Continuous and event-triggered, including real-time transfers during service provision and periodic transfers as required for service delivery

Nature and purpose/Use(s) of Data by Member:

  • To provide the Services described in the Contract.

Duration of the processing:

  • Duration of the Contract

Appendix 2 to the DPA

Technical and Organizational Measures

1. TECHNICAL AND ORGANIZATIONAL MEASURES

This Appendix sets out a description of the technical and organizational security measures currently implemented by the Member. The Member may update these measures as necessary to maintain or enhance security levels, with notification to TM Forum of any material changes that could affect the security of personal data. This may mean that individual measures may be replaced by new measures serving the same purpose without diminishing the security level.

Physical Access Control

Unauthorized persons are prevented from gaining physical access to premises, buildings, or rooms where data processing systems that process and/or use Personal Data are located. In general, buildings are secured through access control systems (e.g., smart card access systems). 

Access Control

  • Data processing systems used to provide the Services must be prevented from being used without authorization.
  • All users access the Member’s systems with a unique identifier (user ID). 
  • The Member has procedures in place to ensure that requested authorization changes are implemented only in accordance with the guidelines (for example, no rights are granted without authorization). If a user leaves the company, his or her access rights are revoked. 
  • The Member’s company network is protected from the public network by firewalls. 
  • The Member uses up-to-date antivirus software at access points to the company network (for e-mail accounts), as well as on all file servers and all workstations. 
  • Security patch management is implemented to ensure regular and periodic deployment of relevant security updates.
  • As part of the Member’s Security Policy, Personal Data requires at least the same protection level as “confidential” information according to the Member Information Classification standard. 
  • Access to personal, confidential, or sensitive information is granted on a need-to-know basis. The Member uses authorization concepts that document how authorizations are assigned and which authorizations are assigned to whom. 

Data Transmission Control

Personal Data transferred over the Member’s internal networks is protected in the same manner as any other confidential data according to the Security Policy. 

Data Input Control

It will be possible to retrospectively examine and establish whether and by whom Personal Data has been entered, modified, or removed from the Member’s data processing systems. The Member has implemented a logging system for input, modification, and deletion, or blocking of Personal Data by the Member or its Processors within the Services to the fullest extent possible.

Job Control

Personal Data is processed solely in accordance with the relevant agreement. All the Member’s employees and contractual Processors or other service providers are contractually bound to respect the confidentiality of all sensitive information of the Member’s customers and partners, including trade secrets.

Availability Control

Personal Data will be protected against accidental or unauthorized destruction or loss. The Member employs backup processes and other measures that ensure rapid restoration of business-critical systems as and when necessary. The Member has defined contingency plans as well as business and disaster recovery strategies for the provided Services.

Data Separation Control

Personal Data collected for different purposes can be processed separately. Customers (including their Affiliates) have access only to their own data.

Data Integrity Control

Personal Data will remain intact, complete, and current during processing activities. In particular, the Member uses the following measures to implement the controls described in the sections above:

  • Firewalls; 
  • Security Monitoring Center; 
  • Antivirus software; 
  • Backup and recovery; 
  • External and internal penetration testing; and
  • Regular external audits to prove security measures.