We make it easy for Sysco vendors, suppliers, and partners to sign up to our Data Processing Addendum (DPA) which is incorporated by reference into the majority of our agreements. This DPA helps meet our obligations with regard to the processing of personal data in compliance with global data privacy laws. It also helps us to meet, where applicable, our international personal data transfer requirements, in particular under the General Data Protection Regulation (GDPR). You can request a copy of our DPA by contacting dataprivacy@sysco.com.
Last Updated April 2025
This DPA forms part of and is incorporated into the Services Agreement which has been entered into between the supplier (“Supplier”) and Sysco Corporation and/or any of its Affiliates (“Company”) and shall apply to all Processing by the Supplier of the Company’s Personal Data under the Services Agreement and/or any separate agreements signed by the parties, including any applicable Statement of Work.
(A) The Company uses the Supplier’s services for the purposes set out in and pursuant to the Services Agreement (the “Agreed Purposes”).
(B) The supply of services pursuant to the Services Agreement may involve the Processing of Personal Data by the Supplier.
(C) To Process Personal Data in compliance with the provisions of the Applicable Laws, the parties wish to enter into this DPA (including Schedules and Annexes). The parties acknowledge that the terms of this DPA are supplemental to the terms of the Services Agreement, which the parties acknowledge shall remain in full force and effect.
In consideration of the mutual covenants and undertakings stated herein, THE PARTIES AGREE AS FOLLOWS:
1.1 In this DPA, the following terms shall have the following meanings:
“Affiliate” means in relation to Sysco Corporation, any entity that directly or indirectly controls, is controlled by, or is under common control with Sysco Corporation.
“Applicable Laws” means all applicable worldwide privacy and data protection laws and regulations, including without limitation the General Data Protection Regulation (EU 2016/679) (“GDPR”), Data Protection Act 2018 (“UK GDPR”), all applicable data protection laws in Canada, including but not limited to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Act Respecting the Protection of Personal Information in the Private Sector as amended by Law 25 (“Quebec Privacy Act”) and provincial legislation deemed substantially similar to PIPEDA, and all applicable data protection laws in the United States, including but not limited to, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), and any other laws and regulations applicable to the Processing of Personal Data under the Services Agreement whether now existing or in the future introduced and in each case as amended or replaced from time to time.
“Business”, “Controller” (as appropriate) means as defined in the Applicable Law relevant to where the Personal Data is being Processed, or in the absence of the term being defined in the Applicable Laws shall mean the natural legal person that determines the means and purpose of processing the Personal Data.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure, acquisition, or access to, Personal Data transmitted, stored or otherwise Processed.
“Data Subject” means a natural person about whom Personal Data is provided in pursuance of the Services Agreement.
“Personal Data” means any information relating to an identified or identifiable person and includes ‘personally identifiable information (PII)’ and ‘personal information’ as defined in the Applicable Laws.
“Process” and “Processing” mean as set out in the Applicable Data Laws or in the absence of the term being defined in the Applicable Laws shall mean any operations or set of operations which is performed on the Personal Data.
“Processor” means as set out in the GDPR/UK GDPR; “service provider”, “contractor” and “third party” as set out in CCPA; or as set out in the Canada/US Applicable Laws or in the absence of the term being defined in the Applicable Laws shall mean the natural legal person that processes the Personal Data on behalf of the Controller.
“Services Agreement” means an agreement entered into between the Supplier and the Company for the supply of goods and/or services by the Supplier to the Company, including without limitation any applicable Statement of Work or other supplemental agreement.
“Standard Contractual Clauses” means the standard contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. Where relevant for restricted transfers from the UK, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses ("UK Addendum") shall be incorporated.
“Sub processor” means any third party engaged by the Processor to Process Personal Data on the Company’s behalf in pursuance of the Service Agreement.
“Supervisory Authority” means any regulatory, supervisory, governmental, or other competent authority with jurisdiction or oversight over the Applicable Laws.
2.1 This DPA applies to the extent that the Supplier collects or Processes Personal Data under the Services Agreement on behalf of the Company and to the extent that such Personal Data, the Company, and the Supplier are subject to the relevant Applicable Laws. For the purposes of this DPA the Supplier shall be a Processor, unless expressly agreed with the Company.
2.2 The parties agree to comply with the relevant Applicable Laws.
2.3 This DPA shall continue until all Personal Data Processed pursuant to this DPA has been either returned or destroyed.
2.4 In the event of contradictions between this DPA and the Services Agreement, this DPA shall prevail.
The Personal Data processed by the Supplier on behalf of the Company under the Services Agreement is set out in Schedule 1 of this DPA.
4.1 Where both parties are Controllers in common (and so independently exercise control over the same Personal Data), each party shall:
4.1.1 Process the Personal Data lawfully and in accordance with the relevant Applicable Laws;
4.1.2 cooperate in good faith to provide such assistance as is reasonably required to enable the other party to comply with requests from Data Subjects to exercise their rights under the Applicable Laws in relation to their Personal Data;
4.1.3 provide such assistance as reasonably necessary with regards to cooperating with the relevant Supervisory Authority and comply with its obligation to report a Data Breach to the appropriate Supervisory Authority.
5.1 The parties agree that where the Supplier Processes Personal Data on behalf of the Company under the Services Agreement, the Company is the Controller, and the Supplier is the Processor.
5.2 The Supplier shall immediately notify the Company if the Supplier is unable to perform their obligations under this DPA or if any instructions received from the Company infringe any relevant Applicable Laws. The Company may take reasonable and appropriate steps to stop any further Processing following notification under this clause 5.2.
5.3 Where GDPR or UK GDPR is applicable to the Personal Data, and the Company has consented to the Processing of the Personal Data by the Supplier outside either the European Union or the United Kingdom, then, where the relevant location does not ensure an adequate level of protection of Personal Data within the meaning of the Applicable Laws, the Standard Contractual Clauses (with the relevant addendum as appropriate) shall apply and are deemed incorporated to this DPA by reference. The following shall apply to the Standard Contractual Clauses and in respect of the UK Addendum (as appropriate):
5.3.1 Module 2 (Controller to Processor) of the Standard Contractual Clauses shall apply.
5.3.2 Clause 7 (The Docking Clause) of the Standard Contractual Clauses shall apply.
5.3.3 Option 1 for Clause 9 shall apply.
5.3.4 The optional wording in Clause 11 shall not be incorporated.
5.3.5 The governing law in Clause 17 shall be the laws of the country of the data exporter.
5.3.6 The jurisdiction in Clause 18 shall be the courts of the country of the data exporter.
5.3.7 In Annex I the Company shall be the “data exporter” and the Supplier shall be the “data importer”.
5.3.8 In Annex I the Description of Transfer shall be the information in Schedule 1 of this DPA.
5.3.9 In Annex I the data exporter’s competent supervisory authority will be determined in accordance with the Applicable Law.
5.3.10 For Annex 2 the required information is set out in Schedule 2 of this DPA.
5.4 The Supplier agrees in relation to the transfer and for the duration of the Processing that the Data Subject shall have enforceable rights and effective legal remedies. Should the Standard Contractual Clauses become invalid for any reason, the Supplier shall provide an alternative transfer mechanism to ensure the Data Subject has the benefit of those rights and remedies.
5.5 The Supplier shall:
5.5.1 only Process Personal Data on the express written instructions of the Company unless otherwise required by law, in which case the Supplier shall promptly notify the Company;
5.5.2 only Process Personal Data to the extent reasonably necessary for the Agreed Purposes;
5.5.3 in the event of any loss or damage to Personal Data, take all reasonable endeavours to restore the lost or damaged Personal Data, having ensured that there are appropriate backup procedures in place to do so;
5.5.4 not engage any sub-processor of the Personal Data without the prior written consent of the Company (such consent not unreasonably withheld). The Supplier may make a request to the Company to engage a sub-processor of the Personal Data in writing providing full details. If the Company consents to such sub-processing, the Supplier shall enter into an agreement with the sub-processor on terms identical or substantially similar to the terms set out in this DPA. The Supplier shall remain fully liable for all acts and omissions of any sub-processor engaged pursuant to this DPA;
5.5.5 keep a record of all Processing of Personal Data it carries out on behalf of the Company;
5.5.6 provide assistance to the Company to enable the Company to carry out data protection impact assessments (including privacy by design) including with the relevant Supervisory Authority in accordance with the relevant Applicable Laws;
5.5.7 provide assistance to the Company in connection with any investigations or enquiries from a Supervisory Authority or as necessary to ensure the Company’s compliance with the relevant Applicable Laws;
5.5.8 upon expiry or termination of the Services Agreement or this DPA, or upon earlier request by the Company, at the discretion of the Company, return to the Company or securely delete or destroy all Personal Data and existing copies (including Personal Data) in a manner appropriate to the sensitivity thereof, unless applicable Data Protection Laws require storage of the Personal Data. Supplier shall provide written confirmation to the Company that the deletion process has been completed.
5.6 For the purposes of the Quebec Privacy Act, any Supplier or their sub-processor located outside Quebec, Canada (“Quebec”) which collects and/or Processes Personal Data of Data Subjects located in Quebec on behalf of the Company, that Supplier shall complete a privacy impact assessment (“PIA”), taking into account the following:
5.6.1 the sensitivity of the Personal Data;
5.6.2 the purpose for which it is to be used;
5.6.3 the protection measures, including those that are contractual, that would apply to it; and
5.6.4 the legal framework applicable to the State in which the Supplier is located or is transferring the Personal Data to, including data protection principles of the relevant State.
The Supplier shall ensure such Processing is subject to a written agreement and such agreement takes into account the results of the PIA and any necessary mitigation steps.
6.1 The Supplier shall disclose to the Company in advance if any products and/or services under the Services Agreement to be provided to the Company will utilise artificial intelligence (including but not limited to a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments) ("AI"). The Company shall determine at its own discretion whether such products and/or services utilise or incorporate AI.
6.2 The Supplier shall not provide products and/or services that utilise AI to Process Personal Data without the Company’s prior written authorisation. The Supplier undertakes that all such products and/or services will comply with the safeguards and requirements set out in this DPA.
6.3 Prior to use, the parties shall agree in writing a governance framework for the use of any AI system or tools, to ensure that AI is only utilised in a way that is responsible and ethical and takes into account the type and nature of the Personal Data. This framework will consider, but is not limited to:
6.3.1 risk assessment;
6.3.2 data source;
6.3.3 record keeping;
6.3.4 transparency;
6.3.5 the rights and freedoms of individuals;
6.3.6 security technical and organisational measures;
6.3.7 consequences of termination or cessation of use;
6.3.8 local requirements of relevant regulatory bodies;
6.3.9 discrimination and/or bias;
6.3.10 notices; and,
6.3.11 reporting of incidents or breach.
6.4 Risk Management – the parties shall complete a risk assessment and take steps to eliminate or mitigate identified risks and set out, where necessary, regular review dates.
6.5 Data Sets – if data sets provided by the Company are used for training, validating and testing, only data that has been agreed and approved in writing by the Company shall be used, and only for the Agreed Purposes. The Supplier warrants it has all permissions and consents for any other data sets used that do not include the Company’s data and will not infringe any third-party rights including (but not limited to) intellectual property rights, confidentiality or Applicable Laws. Unless otherwise stated and agreed in writing, all Company data sets shall be anonymised prior to use and treated in accordance with written instructions from the Company.
6.6 Transparency – the Supplier shall provide sufficient information and transparency around any AI systems or tools to ensure that the Company is able to understand, to a reasonable extent, how the AI system or tool works.
6.7 Human Oversight – the Supplier shall ensure that any AI system or tool has proper and sufficient human oversight to review, intervene or if necessary override.
6.8 Data Privacy – any use or processing by an AI system or tool shall comply with all Applicable Laws and this DPA.
6.9 Compliance with Applicable Laws and relevant Company policies – the Supplier shall ensure that any use of AI is in compliance with all applicable worldwide laws and regulations, including (but not limited to) national or state AI laws, and with any relevant Company mandatory policies from time to time (as advised).
7.1 The Supplier shall assist the Company with any requests from a Data Subject, in fulfilling the Company’s obligations in exercising the Data Subject’s rights under the relevant Applicable Laws including, but not limited to, requests regarding access to Personal Data, or the erasure, correction and rectification of Personal Data. The Supplier agrees to act in a timely manner taking into account the response times and any relevant opportunities to cure under the relevant Applicable Laws. The Supplier shall keep the Company informed following a request for assistance by the Company.
7.2 The Supplier shall inform the Company promptly, and in any case within 3 days, of any request from a Data Subject regarding their rights as Data Subjects.
7.3 For purposes of the CCPA/CPRA, the Supplier (where acting as Processor) agrees it shall not:
7.3.1 “sell” and/or “share” (as that term is defined in the CCPA/CPRA) Personal Data;
7.3.2 retain, use, or disclose Personal Data for any purpose other than for the specific Agreed Purposes, including retaining, using, or disclosing the Personal Data for a commercial purpose other than the Agreed Purposes or retaining the Personal Data subsequent to the termination of the Services Agreement;
7.3.3 retain, use, or disclose the Personal Data outside of the direct business relationship between the Supplier and the Company; or
7.3.4 combine Personal Data received in connection with the Agreed Purposes with Personal Data (as defined under the CPRA) it receives from another source except to perform Business Purposes (as defined under the CPRA) or as otherwise permitted by the relevant Applicable Laws.
8.1 The Supplier shall immediately notify the Company of any actual or suspected Data Breach involving the Personal Data, and in any event, within 24 hours of becoming aware of the actual or suspected Data Breach, and the Supplier shall:
8.1.1 assist the Company with its third party notifications;
8.1.2 provide a description of the Data Breach including the number of affected Data Subjects, the number of data records and whether the Personal Data was encrypted, de-identified or anonymised;
8.1.3 describe the likely consequences of the Data Breach;
8.1.4 describe the measures taken to mitigate the effects of the Data Breach;
8.1.5 fully cooperate in relation to any Data Breach notification to a Supervisory Authority or Data Subjects.
9.1 At the Company's request, the Supplier shall provide all materials, documents and other information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits (no more than once in each 12 month period save for where there has been an actual or suspected Data Breach), including inspections, of the Supplier’s business processes and practices that involve the Processing of Personal Data, to be conducted by the Company or a nominated representative mandated by the Company with reasonable notice and during normal business hours.
10.1 Supplier will indemnify, defend and hold the Company, and its Affiliates, successors, officers, directors and employees, harmless, without limitation to liability, from any claim (including but not limited to any direct, indirect or consequential loss, loss of profit, loss of reputation and all interest, regulatory penalty or fine), injury or damage whatsoever incurred or suffered arising out of the breach by Supplier of any of its obligations under this DPA.
11.1 The Supplier shall implement all necessary and appropriate technical and organisational measures in accordance with the relevant Applicable Laws to protect against unlawful Processing and against accidental loss, destruction or damage of the Personal Data including no less than those set out in Schedule 2.
11.2 The Supplier shall ensure that access is limited to those who need to access the Personal Data to perform the Supplier’s obligations under the Services Agreement and that all such persons are subject to a duty of confidentiality.
11.3 The Supplier shall regularly test and evaluate the effectiveness of their security.
12.1 In the case of conflict or ambiguity between any provision in this DPA and any provision contained in the Services Agreement, the provision in this DPA shall prevail. The Company may update this DPA (including Schedules and Annexes) from time to time.
12.2 This DPA shall be governed by and construed in accordance with the laws of the jurisdiction listed in the Services Agreement and those laws shall have exclusive jurisdiction to determine any disputes which may arise out of, under, or in connection with this DPA.
12.3 Any notice from the Supplier to the Company given under or in connection with this DPA shall be in writing and shall be made to dataprivacy@sysco.com.
Type of Personal Data | Nature and Purpose of Processing | Categories of Data Subjects |
--- | --- | --- |
The types of Personal Data Processed by the Supplier shall relate to the nature of the services the Supplier provides and the Agreed Purposes, but may include names, email addresses, and any other Personal Data that the Company may instruct the Supplier to Process. | Personal Data will be subject to the Processing activities that the Supplier needs to perform in order to provide the services pursuant to the Services Agreement. | Depending on the nature of the Services Agreement the Supplier may Process Company Personal Data relating to broad categories of individuals including Company employees, customers, contractors, and other authorized users of the services (where applicable) as well as any individuals to whom the Personal Data relates. |