Data Processing Appendix (DPA)
This Data Processing Appendix (DPA) sets out the terms and conditions under which the Contractor/Service Provider will process Confidential Data or Strictly Confidential Data as defined below under Articles 1 b) and 1 k), on behalf of FAO.
1. Definitions
The following definitions apply for this Data Processing Appendix:
(a) “Authorized Personnel” means the Contractor/Service Provider’s employees, agents, advisors or other authorized persons.
(b) “Confidential Data” means information and/or data that are sensitive in nature and any unauthorized access or inappropriate disclosure would cause harm or damage to the Data Provider or to FAO.
(c) “Data” means any information suitable for processing that: i) originates from FAO or that is disclosed by a Data Provider to FAO; ii) is accessed by the Contractor/Service Provider via FAO platforms or databases; or iii) is collected or generated by the Contractor/Service Provider on behalf of FAO in connection with the Contract/Agreement. Data includes Personal Data and Non-Personal Data.
(d) “Data Provider” means a legal person or individual that discloses Data to FAO or to the Contractor/Service Provider on behalf of FAO.
(e) “Data Breach” means the accidental or unauthorized loss, destruction, alteration, access, acquisition, or other use for unauthorized purposes of Data, including sensitive Data, which compromises the confidentiality, security, availability, or integrity of the Data.
(f) “Non-Personal Data” means any information of a financial, technical, or operational nature that does not relate to an identified or identifiable individual. Non-Personal Data includes, but is not limited to, financial reports, commercially sensitive data, or Data containing security sensitive information.
(g) “Permitted Purpose” means the processing of FAO Data solely and exclusively to the extent necessary for the Contractor/Service Provider to perform its obligations under the Contract/Agreement.
(h) “Personal Data” means any information relating to an identified or identifiable individual.
(i) “Processing” means any operation, or set of operations, automated or not, which is performed on Data, including, but not limited to, the collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, transfer (whether in computerized, oral or written form), dissemination or otherwise making available of, correction, or destruction.
(j) “Security Measures” means any organizational, physical, and technical security measure, procedure or control applied for the purpose of preventing, mitigating, addressing, remedying or responding to a Data Breach.
(k) “Strictly Confidential Data” means information and/or data that are highly sensitive in nature. Any unauthorized access or inappropriate disclosure would cause serious harm or cause exceptionally grave damage to the Data Provider or to FAO.
2. General Obligations
2.1 Data Protection Principles and Responsibilities. The Contractor/Service Provider recognizes and agrees to comply with the following Data Protection Principles and Responsibilities when Processing Data. The Contractor/Service Provider confirms that it has a data protection policy in place that meets the below principles and that it will apply such a policy to the Data.
a) Fairness: Processing of Data shall only be carried out on a legitimate basis and for a specified purpose. Only the minimum amount of Data needed to achieve the specific purpose should be collected, and Data can be retained only for as long as needed to achieve the purpose.
b) Integrity: Data shall be accurate and up to date to achieve the specified purpose. Data that is inaccurate or unreliable should be deleted or rectified.
c) Responsibility: Data shall be processed with due regard to confidentiality. Adequate and proportionate measures must be adopted and must be regularly reviewed and updated as required, to ensure the protection of the Data during the entire data lifecycle, from its collection through storage, transfer and disposal. Adequate policies and mechanisms should be in place to adhere to, and demonstrate compliance with, these Principles.
d) Security: Appropriate organizational, administrative, physical and technical safeguards and procedures shall be implemented to protect the security of Data, including against Data Breaches.
e) Transparency: Processing of Data should be carried out with transparency to Data Providers. This entails that Data Providers must be provided with information in clear terms about what data is being processed, why and how the data is being used.
2.2 Applicability of FAO rules and regulations. The Contractor/Service Provider acknowledges that, pursuant to its legal status as a UN specialized agency, FAO enjoys privileges and immunities and is not subject to any national or regional laws, regulations, procedures or processes that may apply to the Contractor/Service Provider or its Subcontractors. The Contractor/Service Provider agrees to inform its Subcontractors about FAO’s legal status and its privileges and immunities.
2.3 Inviolability of Data. The Contractor/Service Provider acknowledges that the archives of FAO, including the Data, are inviolable in accordance with the privileges and immunities enjoyed by FAO. To that effect, the Contractor/Service Provider agrees to (i) hold the Data for the sole benefit of FAO, (ii) identify the Data in its books and records as the archives of FAO which enjoy the privileges and immunities of FAO, (iii) give FAO sufficient prior notice of any request or order from any governmental authority for the disclosure of Data, including when its Subcontractors are required by law or government authorities to disclose any Data (in such cases the Contractor/Service Provider should ensure that FAO is given sufficient prior notice to have a reasonable opportunity to take protective measures, or any such other action as may be appropriate, before any such disclosure is made), and (iv) take such actions as are requested by FAO from time to time to protect FAO’s archives and to preserve FAO’s privileges and immunities.
2.4 Location of Data. The Contractor/Service Provider will ensure that the Data are stored or processed only in a country that is a party to the 1947 Convention on the Privileges and Immunities of the Specialized Agencies or that provides for other arrangements that ensure for an adequate legal protection of FAO’s privileges and immunities. The Contractor/Service Provider will provide FAO with prior written notice of the location of any facilities which will be used to store Data.
2.5 Assessments by FAO. The Contractor/Service Provider will keep a written record of all Processing activities it performs under the Contract/Agreement. The Contractor/Service Provider agrees that throughout the duration of the Contract/Agreement, FAO may conduct assessments on the level of protection granted by the Contractor/Service Provider. The Contractor/Service Provider will provide its full and timely cooperation with any such assessments and will provide all necessary information, records and documentation related to the processing activities and security measures applied by it. If it is determined at any time during the Contract/Agreement that the Contractor/Service Provider cannot afford a level of protection that is satisfactory to FAO, FAO will have the right to suspend or terminate this Contract/Agreement.
3. Processing Obligations
3.1 Processing purpose. The Contractor/Service Provider will process the Data solely for the Permitted Purpose inherent to the scope of work and in accordance with the Data Protection Principles and Responsibilities set out under Article 2.1, and only for as long as is required to fulfill the Permitted Purpose. The Contractor/Service Provider will not process Data for any other purpose or other than on FAO’s written instructions, and will not use the Data for its private or corporate advantage.
3.2 The Contractor/Service Provider agrees to (i) attribute, in accordance with its own rules and regulations, the same or a comparable confidentiality level(s) to the Data it processes under the Contract/Agreement, (ii) apply a level of protection to the Data that is the same as or comparable to the FAO Data Protection Policy [1], and (iii) comply, pursuant to Article 3.9, with adequate Security Measures for specific categories of Data or Processing.
3.3 Collection of Data. In the event that the Contractor/Service Provider has been instructed by FAO to collect Data, it will:
a) prior to collecting Data, inform the Data Provider of: i) the specific purpose for processing the Data and how it will be processed, ii) the fact that it is acting on behalf of FAO, and iii) of the possibility to submit requests or complaints to FAO pursuant to Article 3.10 below;
b) prior to collecting Data, obtain and record the informed consent of the Data Provider, or ensure there is another legal basis, to process such Data;
c) transfer and provide any Data to FAO promptly after its collection.
3.4 Data Accuracy. The Contractor/Service Provider will make its best efforts to ensure that the Data processed under the Contract/Agreement is accurate and kept up to date. The Contractor/Service Provider will communicate to FAO any inaccuracy concerning the Data and will immediately update, rectify and/or delete any Data upon instruction from FAO.
3.5 Records of processing. The Contractor/Service Provider will maintain a written record documenting its Processing of the Data for the Permitted Purpose, including, without limitation, any disclosure to, transmission to, or accessing of, the Personal Data by Authorized Personnel.
3.6 Access to Data. The Contractor/Service Provider will only grant access to the Data to its duly Authorized Personnel and its Subcontractors on a need-to-know basis.
3.7 Data sharing. The Contractor/Service Provider will not share the Data with any third party, or make the Data public, without the prior written approval of FAO.
3.8 Data modification and segregation. The Contractor/Service Provider will not modify the Data without the prior written approval of FAO. The Contractor/Service Provider will segregate the Data to the fullest extent possible.
3.9 Data security and Security Measures. When processing Data under the Contract/Agreement, the Contractor/Service Provider shall:
a) Implement Security Measures to ensure an adequate level of security to prevent accidental or unauthorized access, use, alteration, disclosure, destruction or loss of the Data. In particular, the Contractor/Service Provider shall:
- only use hardened Information, Communications and Technology (ICT) systems [2] located in secure facilities that are only accessible to its authorized personnel;
- encrypt data at rest and in transit;
- maintain security logging and monitoring of data processing activities;
- identify personnel responsible for the Processing operation of the Data and implement authorization restrictions regarding access to such Data;
- inform the personnel responsible for the Data Processing operation of the confidentiality of the Data and provide them with appropriate training on the proper handling of the Data in its entire data life cycle.
b) Treat any and all information relating to FAO’s remote access and transmission protocols as FAO’s confidential information.
3.10 Requests or complaints from Data Providers. The Contractor/Service Provider recognizes that, under FAO’s rules and policies, a Data Provider can request access, correction, or deletion of its Data, or object to the processing by FAO or by the Contractor/Service Provider on behalf of FAO, or make a complaint. If the Contractor/Service Provider receives any requests or complaints from Data Providers directly, it will promptly notify and pass on such requests or complaints to FAO through FAO’s service management portal ServiceNow by selecting the Data Privacy catalog at: https://fao.service-now.com/csp. The Contractor/Service Provider will not respond to the Data Provider and will comply with instructions from FAO regarding such requests or complaints.
3.11 Data Breach. If the Contractor/Service Provider becomes aware of any actual, threatened or reasonably suspected Data Breach, the Contractor/Service Provider will:
a) notify FAO immediately, but in any event within seventy-two (72) hours;
b) take all necessary steps to restore normal functionality, investigate, contain, mitigate, prevent, address, remedy and respond, as applicable, to the actual, threatened, or reasonably suspected Data Breach;
c) refrain from any communication concerning a Data Breach to (i) any Data Provider, (ii) any data protection authorities it may be subject to, or (iii) to the media or public at large, without having obtained the prior written approval of FAO;
d) cooperate with FAO’s requests for information and assistance, including without limitation, by providing FAO with periodic written updates regarding the Data Breach and the Contractor/Service Provider’s response to the Data Breach. Updates will encompass (i) a description of the nature and likely consequences of the Data Breach; (ii) mitigation measures taken to prevent a recurrence; and (iii) information about the types of Data affected by the Data Breach; and
e) as soon as reasonably practicable, review its response to the Data Breach to identify and address any vulnerabilities, weaknesses or failures in its response processes and report all planned and completed remediations to FAO.
4. Subcontractors
4.1 To the extent that the Contractor/Service Provider engages a Subcontractor, the Contractor/Service Provider should only engage a Subcontractor approved by FAO and should make information about such Subcontractor, including its function and location, available to FAO. Every time the Contractor/Service Provider engages a new Subcontractor or changes the function of an existing Subcontractor (“Subcontractor Change”), it should inform FAO at least thirty (30) days in advance, unless the Subcontractor Change is made to address an imminent or existing risk, in which case the Contractor/Service Provider should inform FAO as soon as reasonably possible. If FAO reasonably determines that a Subcontractor Change would materially increase FAO’s risk, FAO may notify the Contractor/Service Provider and request that the Contractor/Service Provider replace the Subcontractor with a Subcontractor reasonably acceptable to FAO. If the Contractor/Service Provider does not take such action, FAO may terminate the Contract/Agreement.
4.2 The Contractor/Service Provider will ensure that any authorized Subcontractors are bound by data protection obligations that are substantially equivalent to, or more onerous than, the obligations set out in the Contract/Agreement and in this DPA, including in terms of Data Security and Security Measures (Section 3.9 of the DPA) and that they are contractually engaged by the Contractor/Service Provider.
4.3 The Contractor/Service Provider will remain responsible and liable to FAO for all acts and omissions of any Subcontractors in connection with the Contract/Agreement and this DPA and will ensure that any Subcontractors comply with all terms and conditions of the Contract/Agreement and of this DPA.
4.4 The Contractor/Service Provider shall promptly notify FAO of any breach of its Subcontractor’s data protection obligations under the agreement with the Contractor/Service Provider.
5. Use of Artificial Intelligence and Machine Learning Systems in connection with the provision of services under this agreement
5.1 To the extent that the Contractor/Service Provider is authorized by FAO to use artificial intelligence (including generative artificial intelligence) or machine learning systems in connection with providing services under this agreement or to process FAO Data, the Contractor/Service Provider will use its best efforts to ensure that (a) the results of any such systems will not be deceptive or misleading; (b) such systems will be free of bias and discrimination, including as defined by industry standards and applicable law; and (c) such systems will comply with applicable data protection obligations and ethical standards.
5.2 The Contractor/Service Provider agrees that no FAO Data will be used to train the algorithms powering the artificial intelligence or machine learning systems used by the Contractor/Service Provider outside the provision of services under this agreement, including any prompts or responses to prompts which may contain FAO Data.
5.3 The Contractor/Service Provider will periodically review such systems and maintain them in accordance with industry standards and provide updates on such effort to FAO at FAO’s request.
6. Return or deletion of FAO Data
6.1 Upon termination or expiration of the Contract/Agreement, FAO will instruct the Contractor/Service Provider and the Contractor/Service Provider will promptly: a) return FAO Data to FAO by transmitting FAO Data in a widely supported, commonly used and machine-readable format, and in a secure and encrypted manner, and/or b) destroy and delete from any of its devices, as well as from any other sources, all FAO Data processed, including backups, by rendering FAO Data permanently unusable, unreadable, or indecipherable using industry standard measures.
6.2 The Contractor/Service Provider will send FAO a certificate confirming such destruction and deletion once completed.
[1] FAO Data Protection Policy, https://www.fao.org/contact-us/data-protection-and-privacy/en/
[2] Systems are deemed hardened where they:
- utilize software that is supported by the vendor and maintained with current security updates (patches);
- are configured in accordance with the vendor’s recommendations and security best practices;
- are protected by malware prevention software.