COMPUTE EXPRESS LINK® CONSORTIUM, INC. GDPR COMPLIANCE POLICY (Version 1.0)
Effective: March 11, 2020
This GDPR Compliance Policy (also referred to as this “Compliance Policy”) represents the policy of Compute Express Link® Consortium, Inc., a Delaware nonprofit corporation (“CXL®”) regarding the treatment of all Personal Data (as defined herein) of any natural person who is a European Union (“EU”) Resident (as defined herein) to the extent the Personal Data of such individual is governed by the European Union’s General Data Protection Regulation (“GDPR”).
1. Background Regarding GDPR:
The GDPR is a regulation adopted by the EU Parliament which applies to any company, whether inside or outside the EU, that gathers, collects, records, organizes, processes, stores, retains and/or otherwise holds any “Personal Data” of any “Data Subject.” Under the GDPR, “Personal Data” is broadly defined to include any information related to that individual which can be used, directly or indirectly, to identify that person, including such information as the person’s name, email address, computer IP address (Internet Protocol address), employer, title/position, country of residence or nationality, home or work address, personal identification number, credit card/bank details, photos of the person, or any posts by that person on webinars, blog posts or social networking websites. Under the GDPR a “Data Subject” is any “natural person” that can claim protection under the GDPR (and is not necessarily limited to EU residents living just inside the geographic boundaries of the EU).
2. Scope of this Compliance Policy
This Compliance Policy addresses the treatment of Personal Data of any individual Data Subject who is:
(i) participating in, making contributions to, and/or supporting any meetings, work groups, activities, collaborative efforts, other events or work products (including, without limitation, any standards or specifications) sponsored, supported, operated or distributed (in whole or in part) by or on behalf of CXL (“CXL Activities”); and/or
(ii) using any programs, technology platforms, or other benefits of any kind offered by or on behalf of CXL (“CXL Benefits”).
Such Data Subject could include, without limitation, an individual acting as a representative of, or otherwise on behalf of, a CXL Member (as such term is contemplated by CXL’s Bylaws) as part of that CXL Member’s participation in any CXL Activities or use of any CXL Benefits.
For purposes of clarity, this Compliance Policy only addresses Personal Data of the individual Data Subject. Thus, this Compliance Policy is not intended to cover data or information about a corporation that is a CXL Member or any technical information contributed by a CXL Member through any of its representatives as part of that CXL Member’s participation in the design, development or promotion of any CXL standards or specifications.
3. CXL’s Treatment of Personal Data of Natural Persons Participating in CXL Activities or Using CXL Benefits.
3.1 Informed Consent.
CXL intends to seek a GDPR-compliant informed consent from a Data Subject (“Informed Consent”) if CXL either directly, or through the assistance of any association management company acting on behalf of CXL, intends to gather, collect, record, organize, process, store, retain and/or hold any Personal Data of that Data Subject as part of that Data Subject’s participation in any CXL Activities and/or use of any CXL Benefits.
CXL’s Board of Directors (“CXL Board”) may approve the form of Informed Consent to be used by CXL for this purpose. The current form of Informed Consent is attached to this Compliance Policy as Attachment “A” and by this reference incorporated herein. The CXL Board may amend this form of Informed Consent from time to time, and at any time, as it deems appropriate for compliance with the GDPR.
3.2 Technical and Organizational Measures.
The CXL Board may approve any technical and organizational measures which CXL will take, either directly or through the assistance of any third party (including, without limitation, an association management company engaged by CXL), to assist CXL in its compliance with the GDPR. These measures may include, without limitation, the technical procedures necessary to (i) obtain and demonstrate a Data Subject’s assent to the Informed Consent in compliance with the GDPR; and (ii) carry out a Data Subject’s request to erase (i.e., remove and delete) and/or modify his/her Personal Data pursuant to the GDPR.
4. CXL Member’s Treatment of Personal Data Which They Receive from CXL.
4.1 Treatment of Personal Data Received by CXL Members.
This Compliance Policy governs the GDPR compliance obligations of CXL Members with regard to the treatment of any Personal Data of a Data Subject which a CXL Member may receive as part of that entity’s status or role as a Member of CXL, including, without limitation, any Personal Data received by a CXL Member’s representative (the “CXL Representatives”) as part of such CXL Representative’s duties representing his or her CXL Member on the CXL Board, any CXL Work Group, or any other CXL committee (collectively, “CXL Committees”). For instance, a CXL Member and its CXL Representatives (serving on any CXL Committee) may receive Personal Data of a Data Subject in order to facilitate participation, collaboration and organization of CXL Activities and/or use of CXL Benefits by and amongst CXL, individual Data Subjects and the CXL Members.
A CXL Member may use such Personal Data only in accordance with the following conditions:
(i) such use must be in compliance with the GDPR;
(ii) such use shall be subject to any conditions or limitations imposed on CXL pursuant to the Informed Consent or otherwise under the GDPR; and
(iii) such use must be in compliance with this GDPR Compliance Policy and any other policies and procedures promulgated by CXL at any time.
4.2 Separate Transactions Outside Status as a CXL Member.
As noted above, this Compliance Policy governs a CXL Member’s treatment of any Personal Data of a Data Subject which such CXL Member receives as part of that entity’s status or role as a Member of CXL. Thus, and for purposes of clarity, if CXL and a particular CXL Member desire to enter into any independent business transaction which is outside of the functions or scope of that entity’s status or role as a CXL Member (“Separate Business Transaction”), then the following should apply:
(i) CXL may require that the parties enter into a separate agreement which will govern the treatment of any GDPR-governed Personal Data which is used in, or arises out of, that Separate Business Transaction; and
(ii) Such CXL Member acknowledges that any contract regarding any such Separate Business Transaction should not modify the CXL Member’s obligations under this Compliance Policy regarding the treatment of Personal Data received by such CXL Member as part of that entity’s role or status as a CXL Member.
5. Third Party Treatment of Personal Data Which They Receive from CXL.
CXL may share certain Personal Data of Data Subjects with third parties, including without limitation: (i) any association management company engaged by CXL to assist CXL in gathering, collecting, recording, organizing, processing, storing and/or retaining any such Personal Data; and/or (ii) any collaboration partners such as other standards organizations in order to facilitate CXL’s collaborations with these collaboration partners. CXL will attempt to obtain appropriate contractual provisions with these third parties to require them to take steps to be in compliance with the GDPR as applicable to the particular third party.
6. Effect of this Compliance Policy; Amendment.
This Compliance Policy applies to all CXL Members as of the date of adoption set forth above. This Compliance Policy may be amended by the CXL Board at any time, and from time to time, after giving reasonable notice to all CXL Members.