Sysco Global Data Processing Addendum

We make it easy for Sysco vendors, suppliers, and partners to sign up to our Data Processing Addendum (DPA) which is incorporated by reference to the majority of our agreements. This DPA helps meet our obligations with regards to the processing of personal data in compliance with global data privacy laws. It also helps us to meet, where applicable, our international personal data transfer requirements, in particular under the General Data Protection Regulation (GDPR). You can request a copy of our DPA by contacting dataprivacy@sysco.com

INTRODUCTION

This DPA forms part of and is incorporated into the Services Agreement which has been entered into between the supplier (“Supplier”) and Sysco Corporation and/or any of its Affiliates (“Company”) and shall apply to all Processing by the Supplier of the Company’s Personal Data under the Services Agreement and/or any separate agreements signed by the parties, including any applicable Statement of Work.

BACKGROUND

(A) The Company uses the Supplier’s services for the purposes set out in and pursuant to the Services Agreement (the “Agreed Purposes”). 

(B) The supply of services pursuant to the Services Agreement may involve the Processing of Personal Data by the Supplier. 

(C) To Process Personal Data in compliance with the provisions of the Applicable Laws, the parties wish to enter into this DPA (including Schedules and Annexes). The parties acknowledge that the terms of this DPA are supplemental to the terms of the Services Agreement, which the parties acknowledge shall remain in full force and effect.

In consideration of the mutual covenants and undertakings stated herein, THE PARTIES AGREE AS FOLLOWS: 

1. DEFINITIONS

1.1 In this DPA, the following terms shall have the following meanings:

Affiliate” means in relation to Sysco Corporation, any entity that directly or indirectly controls, is controlled by, or is under common control with Sysco Corporation.

Applicable Laws” means all applicable worldwide privacy and data protection laws and regulations, including without limitation the General Data Protection Regulation (EU 2016/679) (“GDPR“), Data Protection Act 2018 (“UK GDPR”), all applicable data protection laws in Canada, including but not limited to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), provincial legislation deemed substantially similar to PIPEDA, and all applicable data protection laws in the United States, including but not limited to, the California Consumer Privacy Act as amended (“CCPA”), the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CDPA”) and the Utah Consumer Privacy Act (“UCPA”) and any other laws and regulations applicable to the Processing of Personal Data under the Services Agreement whether now existing or in the future introduced and in each case as amended or replaced from time to time.

Business”, “Controller” (as appropriate) means as defined in the Applicable Law relevant to where the Personal Data is being Processed, or in the absence of the term being defined in the Applicable Laws shall mean the natural legal person that determines the means and purpose of processing the Personal Data.

Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure, acquisition, or access to, Personal Data transmitted, stored or otherwise Processed.

Data Subject” means a natural person about whom Personal Data is provided in pursuance of the Services Agreement.

Personal Data” means any information relating to an identified or identifiable person and includes ‘personally identifiable information (PII)’ and ‘personal information’ as defined in the Applicable Laws.

Process” and “Processing” mean as set out in the Applicable Data Laws or in the absence of the term being defined in the Applicable Laws shall mean any operations or set of operations which is performed on the Personal Data.

Processor” means as set out in the GDPR/UK GDPR; “service provider”, “contractor” and “third party” as set out in CCPA/CPRA; or as set out in the Canada/US Applicable Laws or in the absence of the term being defined in the Applicable Laws shall mean the natural legal person that processes the Personal Data on behalf of the Controller.

Services Agreement” means an agreement entered into between the Supplier and the Company for the supply of goods and/or services by the Supplier to the Company, including without limitation any applicable Statement of Work or other supplemental agreement.

Standard Contractual Clauses” means the standard contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. Where relevant for restricted transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses shall be incorporated.

Sub processor” means any third party engaged by the Processor to Process Personal Data on the Company’s behalf in pursuance of the Service Agreement.

Supervisory Authority” means any regulatory, supervisory, governmental, or other competent authority with jurisdiction or oversight over the Applicable Laws.

2. SCOPE OF THIS DPA

2.1 This DPA applies to the extent that the Supplier collects or Processes Personal Data under the Services Agreement on behalf of the Company and to the extent that such Personal Data, the Company, and the Supplier are subject to the relevant Applicable Laws. For the purposes of this DPA the Supplier shall be a Processor, unless expressly agreed with the Company. 

2.2  The parties agree to comply with the relevant Applicable Laws.

2.3  This DPA shall continue until all Personal Data Processed pursuant to this DPA has been either returned or destroyed. 

2.4  In the event of contradictions between this DPA and the Services Agreement, this DPA shall prevail. 

3. DETAILS OF PROCESSING

The Personal Data processed by the Supplier on behalf of the Company under the Services Agreement is set out in Schedule 1 of this DPA. 

4. CONTROLLERS IN COMMON

4.1 Where both parties are Controllers in common (and so independently exercise control over the same Personal Data), each party shall:

   4.1.1 Process the Personal Data lawfully and in accordance with the relevant Applicable Laws;

   4.1.2 cooperate in good faith to provide such assistance as is reasonably required to enable the other party to comply with requests from Data Subjects to exercise their rights under the Applicable Laws in relation to their Personal Data;

   4.1.3 provide such assistance as reasonably necessary with regards to cooperating with the relevant Supervisory Authority and comply with its obligation to report a Data Breach to the appropriate Supervisory Authority.

5. SUPPLIER AS PROCESSOR

5.1 The parties agree that where the Supplier Processes Personal Data on behalf of the Company under the Services Agreement, the Company is the Controller, and the Supplier is the Processor.

5.2 The Supplier shall immediately notify the Company if the Supplier is unable to perform their obligations under this DPA or if any instructions received from the Company infringe any relevant Applicable Laws. The Company may take reasonable and appropriate steps to stop any further Processing following notification under this clause 5.2.

5.3 Where GDPR or UK GDPR is applicable to the Personal Data, and the Company has consented to the Processing of the Personal Data by the Supplier outside either the European Union or the United Kingdom, then, where the relevant location does not ensure an adequate level of protection of Personal Data within the meaning of the Applicable Laws, the Standard Contractual Clauses (with the relevant addendum as appropriate) shall apply and are deemed incorporated to this DPA by reference. The following shall apply to the Standard Contractual Clauses:

  5.3.1 Clause 7 (The Docking Clause) of the Standard Contractual Clauses shall apply.

   5.3.2 Option 1 for Clause 9 shall apply.

   5.3.3 The optional wording in Clause 11 shall not be incorporated.

   5.3.4 The governing law in Clause 17 shall be the laws of the country of the data exporter.

   5.3.5 The jurisdiction in Clause 18 shall be the courts of the country of the data exporter.

   5.3.6 In Annex I the Company shall be the “data exporter” and the Supplier shall be the “data importer”.

   5.3.7 In Annex I the Description of Transfer shall be the information in Schedule 1 of this DPA.

   5.3.8 In Annex I the data exporter’s competent supervisory authority will be determined in accordance with the Applicable Law.

   5.3.9 For Annex 2 the required information is set out in Schedule 2 of this DPA.

5.4 The Supplier agrees in relation to the transfer and for the duration of the Processing that the Data Subject shall have enforceable rights and effective legal remedies. Should the Standard Contractual Clauses become invalid for any reason, the Supplier shall provide an alternative transfer mechanism to ensure the Data Subject has the benefit of those rights and remedies.

5.5 The Supplier shall:

   5.5.1 only Process Personal Data on the express written instructions of the Company unless otherwise required by law, in which case the Supplier shall promptly notify the Company;

   5.5.2 only Process Personal Data to the extent reasonably necessary for the Agreed Purposes;

   5.5.3 in the event of any loss or damage to Personal Data, take all reasonable endeavours to restore the lost or damaged Personal Data, having ensured that there are appropriate backup procedures in place to do so;

   5.5.4 not engage any sub-processor of the Personal Data without the prior written consent of the Company (such consent not unreasonably withheld). The Supplier may make a request to the Company to engage a sub-processor of the Personal Data in writing providing full details. If the Company consents to such sub-processing, the Supplier shall enter into an agreement with the sub-processor on terms identical or substantially similar to the terms set out in this DPA. The Supplier shall remain fully liable for all acts and omissions of any sub-processor engaged pursuant to this DPA;

   5.5.5 keep a record of all Processing of Personal Data it carries out on behalf of the Company;

   5.5.6 provide assistance to the Company to enable the Company to carry out data protection impact assessments (including privacy by design) including with the relevant Supervisory Authority in accordance with the relevant Applicable Laws;

   5.5.7 provide assistance to the Company in connection with any investigations or enquiries from a Supervisory Authority or as necessary to ensure the Company’s compliance with the relevant Applicable Laws;

   5.5.8 upon expiry or termination of the Services Agreement or this DPA, or upon earlier request by the Company, at the discretion of the Company, return to the Company or securely delete or destroy all Personal Data and existing copies (including Personal Data) in a manner appropriate to the sensitivity thereof, unless applicable Data Protection Laws require storage of the Personal Data. Supplier shall provide written confirmation to the Company that the deletion process has been completed.

6. RIGHTS OF DATA SUBJECTS

6.1 The Supplier shall assist the Company with any requests from a Data Subject, in fulfilling the Company’s obligations in exercising the Data Subject’s rights under the relevant Applicable Laws including, but not limited to, requests regarding access to Personal Data, or the erasure, correction and rectification of Personal Data. The Supplier agrees to act in a timely manner taking into account the response times and any relevant opportunities to cure under the relevant Applicable Laws. The Supplier shall keep the Company informed following a request for assistance by the Company.

6.2 The Supplier shall inform the Company promptly, and in any case within 3 days, of any request from a Data Subject regarding their rights as Data Subjects.

6.3 For purposes of the CCPA/CPRA, the Supplier (where acting as Processor) agrees it shall not:

   6.3.1 “sell” and/or “share” (as that term is defined in the CCPA/CPRA) Personal Data;

   6.3.2 retain, use, or disclose Personal Data for any purpose other than for the specific Agreed Purposes, including retaining, using, or disclosing the Personal Data for a commercial purpose other than the Agreed Purposes or retaining the Personal Data subsequent to the termination of the Services Agreement;

   6.3.3 retain, use, or disclose the Personal Data outside of the direct business relationship between the Supplier and the Company; or

   6.3.4 combine Personal Data received in connection with the Agreed Purposes with Personal Data (as defined under the CPRA) it receives from another source except to perform Business Purposes (as defined under the CPRA) or as otherwise permitted by the relevant Applicable Laws.

7. DATA BREACH

7.1 The Supplier shall immediately notify the Company of any actual or suspected Data Breach involving the Personal Data, and in any event, within 24 hours of becoming aware of the actual or suspected Data Breach, and the Supplier shall:

   7.1.1 assist the Company with its third party notifications;

 7.1.2 provide a description of the Data Breach including the number of affected Data Subjects, the number of data records and whether the Personal Data was encrypted, de-identified or anonymised.

   7.1.3 describe the likely consequences of the Data Breach;

   7.1.4 describe the measures taken to mitigate the effects of the Data Breach;

   7.1.5 fully cooperate in relation to any Data Breach notification to a Supervisory Authority or Data Subjects.

8. AUDITS

8.1 At the Company's request, the Supplier shall provide all materials, documents and other information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits (no more than once in each 12 month period save for where there has been an actual or suspected Data Breach), including inspections, of the Supplier’s business processes and practices that involve the Processing of Personal Data, to be conducted by the Company or a nominated representative mandated by the Company with reasonable notice and during normal business hours

9. INDEMNITY

9.1 Supplier will indemnify, defend and hold the Company, and its Affiliates, successors, officers, directors and employees, harmless, without limitation to liability, from any claim (including but not limited to any direct, indirect or consequential loss, loss of profit, loss of reputation and all interest, regulatory penalty or fine), injury or damage whatsoever incurred or suffered arising out of the breach by Supplier of any of its obligations under this DPA

10. SECURITY

10.1 The Supplier shall implement all necessary and appropriate technical and organisational measures in accordance with the relevant Applicable Laws to protect against unlawful Processing and against accidental loss, destruction or damage of the Personal Data including no less than those set out in Schedule 2

10.2 The Supplier shall ensure that access is limited to those who need to access the Personal Data to perform the Supplier’s obligations under the Services Agreement and that all such persons are subject to a duty of confidentiality.

10.3 The Supplier shall regularly test and evaluate the effectiveness of their security.

11. GENERAL

11.1 In the case of conflict or ambiguity between any provision in this DPA and any provision contained in the Services Agreement, the provision in this DPA shall prevail. The Company may update this DPA (including Schedules and Annexes) from time to time.

11.2 This DPA shall be governed by and construed in accordance with the laws of the jurisdiction listed in the Services Agreement and those laws shall have exclusive jurisdiction to determine any disputes which may arise out of, under, or in connection with this DPA.

11.3 Any notice from the Supplier to the Company given under or in connection with this DPA shall be in writing and shall be made to dataprivacy@sysco.com.

SCHEDULE 1 – SUBJECT MATTER OF THE PROCESSING

Type of Personal Data

Nature and Purpose of Processing

Categories of Data Subjects

The types of Personal Data Processed by the Supplier shall relate to the nature of the services the Supplier provides and the Agreed Purposes, but may include names, email addresses, and any other Personal Data that the Company may instruct the Supplier to Process.

Personal Data will be subject to the Processing activities that the Supplier needs to perform in order to provide the services pursuant to the Services Agreement.

Depending on the nature of the Services Agreement the Supplier may Process Company Personal Data relating to broad categories of individuals including Company employees, customers, contractors, and other authorized users of the services (where applicable) as well as any individuals to whom the Personal Data relates.

SCHEDULE 2 - SECURITY SCHEDULE

The Supplier shall implement and maintain a comprehensive security policy that satisfies the following requirements:

General

The Supplier shall ensure that an effective Information Security Management System is implemented in line with ISO/IEC 27001 principles, covering the following areas:

  • Security policy management;

  • Corporate security management;

  • Organizational asset management;

  • Human resource security management

  • Physical and environmental security management

  • Communications and operations management

  • Information access control management

  • Information systems security management

  • Information security incident management

  • Business continuity management

  • Compliance management

 

All regulations, legal requirements and industry standards (including SSAE 16 – SOC2, PCI—DSS and Cloud Security Alliance (CSA) where relevant) must be reflected in the Supplier’s Security Policy and Information Security Management System.

Risk Assessment

The Supplier shall perform regular (no less frequently than every twelve months) risk assessments in order to:

  • identify threats that could result in unauthorised access, use, disclosure, loss or destruction of any the Company’s data;

  • assess the likelihood of these threats occurring, and the potential damage that might result, financial and non-financial, taking into consideration the nature and classification of the Company’s data;

  • assess the effectiveness of the security measures that the Supplier has in place to control such risks.

 

The Supplier shall implement appropriate controls to manage the identified risks.  Should the Company determine that the Supplier has not managed identified risks to a satisfactory level the Company reserves the right to commission and conduct its own risk assessment using a mutually agreed independent expert third party.

Access Control

The Supplier shall ensure that appropriate physical access and logical access controls are in place to restrict access to any Supplier premises where equipment or information related to the System or the Company’s data is located.  Access should be provided on the principles of least privilege and segregation of duties.

Physical controls shall include but not be limited to:

  • Monitored electronic access control systems which identify individual access and maintain records of access

  • CCTV surveillance of access with footage retained for a minimum of 30 days;

  • Intrusion alarm systems 24 x7 monitoring.

Logical controls shall include but not be limited to:

  • Two factor authentication

  • Mobile device management or similar solution to validate the devices compliance with policy

  • Access to systems is automatically locked after 5 minutes of inactivity after which re-authentication will be required.

  • Passwords have a minimum length of 12 characters.

  • Access is automatically disabled upon entry 3 incorrect passwords and not re-instated without identity verification

  • Separate credentials are provided to individuals requiring privileged access

  • All privileged access is logged with the logs kept for at least 12 months.

  • All privileged access rights are reviewed and recertified at least every 6 months.

  • All access rights to sensitive or special categories of the Company’s data are reviewed and recertified at least every 6 months.

  • All other access rights are reviewed and recertified at least every 12 months.

  • Users with a development role will not be given access to production systems.

  • Appropriate procedures are implemented to process access rights for Starters, Movers and Leavers

 

Additional controls for suppliers with staff working from home shall include:

  • The use of personal devices must not be allowed.

  • Full disk encryption installed on all corporate devices.

  • The ability to remote wipe corporate devices

  • VPN connectivity must be mandated for remote access to the Supplier network.

  • Creation of a remote working policy

Data Storage

The Supplier shall ensure that all the Company’s data which is electronically processed is encrypted when stored using current industry standard algorithms/protocols and key management practices ensuring compliance with Applicable Laws and any other applicable regulations.

Controls for the separation of data processing and storage

  • The development of new application or system software shall be kept separate from the production environment

  • The Company’s data shall be logically and where possible physically separated from data belonging to the Supplier and other Clients

Security in software development

The Supplier shall ensure that software developed by them is developed using secure coding practices such as OWASP. The software will undergo security testing during the development process to identify vulnerabilities.  Any identified vulnerabilities must be remediated prior to deployment.

Disposal/Destruction

The Supplier shall ensure that any information held is physically destroyed when no longer needed.

The Supplier shall ensure that any information held electronically shall be made unreadable and unrecoverable prior to its destruction and disposal. The Supplier shall maintain the relevant retention periods for the Company’s data.

Records of destruction must be retained and made available to the Company on request.

Data Transfer

The Supplier shall ensure that electronic transfers of the Company’s data are undertaken using secure connections utilising industry standard encryption methods and key management practices.

All the Company’s data stored on portable media/devices must be appropriately encrypted.  The Supplier must have controls in place to prevent unauthorised transfer of data to Portable Media.

Patch Management/Change Management

The Supplier shall implement and maintain process to ensure the regular update and patching of all hardware, software and peripherals to remediate vulnerabilities.

The Supplier shall notify the Company of any significant change to their Systems providing as much advanced notification as possible prior to the planned date of the Change. 

The Supplier shall notify the Company of any hardware, software or peripherals that are nearing end of life/end of vendor support and must provide the Company with a plan to upgrade/replace those assets at least 6 months before the support ends.

Security scanning and testing

The Supplier will undertake monthly vulnerability scanning of all systems which store or provide access to the Company’s data.

All Internet facing applications, APIs and systems storing sensitive Company data or used in in the provision of services to the Company must be penetration tested on an annual basis and before any material change.  Penetration testing shall be undertaken by CREST accredited entities and individuals.

Intrusion Detection / Prevention and Malware

The Supplier shall implement appropriate security measures including:

  • Intrusion Detection and Prevention Systems (IDS/IPS),

  • Firewalls,

  • Network Access Control (NAC),

  • Anti-virus and Anti-malware

  • 24x7 monitoring systems

The Supplier must update these controls regularly. 

Business Continuity, Backup and Recovery

The Supplier shall implement appropriate backup and recovery measures and procedures in order to restore availability in the event of an outage. Recovery point objectives (RPO) and recovery time objectives (RTO) must be agreed and adhered to prior to the engagement. These controls must be tested on at least an annual basis.

All backups must be encrypted using strong industry standard encryption methods and key management practices.

Incident Management / Reporting

The Supplier shall notify the Company in writing immediately after becoming aware of any unauthorised access including near misses involving the Company’s data. Within 24 hours of the initial notification, an incident report must be provided to the Company to comply with the relevant Supervisory Authority’s reporting obligations.

Right of Audit

The Company or a nominated third-party may conduct a review of the Supplier’s control environment and procedures that are involved in providing the service. This can include, but not be limited to:

  • Physical Access security controls;

  • Logical Access security controls;

  • Access provisioning procedure documentation and records;

  • Disposal/Destruction procedure documentation and records;

  • Incident response procedure documentation and records;

  • Monitoring tools;

  • Security Policies

The Company reserves the right to conduct its own forensic investigation using a mutually agreed third party following a security incident.

Company’s Premises and Systems

When working on the Company’s premises or accessing the Company’s systems, the Supplier’s employees must comply promptly with all of the Company’s policies and with all reasonable instructions of the Company.

Vetting/Recruitment

All Supplier employees must have undergone appropriate screening and vetting prior to being given access to the Company’s data.

The Supplier shall ensure that all employees having Physical and/or Logical Access to the Company’s data are under obligations of confidentiality no less stringent than the confidentiality obligations imposed on the Supplier under the Services Agreement.

Sub-Contractors and Agents

Where sub-contractors have been engaged by the Supplier to provide some or all of the services under the Services Agreement, the Supplier must impose contractual obligations on the sub-contractors equivalent to those contained in this DPA.