Data Protection Addendum for Event Sponsorship and/or Education Agreements

The Linux Foundation Data Protection Addendum

for Event Sponsorship and/or Education Agreements

(controller to controller)

Last Revised: April 17, 2026

Preamble. This Data Protection Addendum (“DPA”) is for use in connection with agreements for sponsorship of events hosted by, or education provided by, The Linux Foundation (“TLF”), an Oregon nonprofit mutual benefit corporation. See https://events.linuxfoundation.org/ and https://training.linuxfoundation.org/ for more context. This online DPA is intended to be incorporated by reference into such agreements, and the agreement that so refers to this document is the “Agreement”. This document may also be incorporated by reference into purchase forms, to ensure that the provision of services is done under up-to-date data processing terms, in which case the Agreement is the agreement governing such purchase form. Capitalized terms not otherwise defined herein will have the meaning given to them in the Agreement. “Education Engagements” are instead defined as “T&C Engagements” (for “Training and Certification”) in some prior Agreements.

TLF and Company acknowledge that each of them may be a Controller of Personal Data that is Processed in connection with the performance of the Agreement, for the following purposes:

  • For sponsorships of Events (if the Agreement covers sponsorship of Events):
    • TLF, as the operator of Events sponsored by Company, may provide mechanisms for Event attendees to elect to share their contact information with Company, such as by scanning the attendee’s badge or by visiting a Company “sponsor booth” or other similar offering in a virtual event platform.
    • Company, as a sponsor of TLF Events, may receive contact information from TLF on behalf of Event attendees who elect to share their contact details as described above, which Sponsor may only use to contact data subjects via email with its own marketing emails and post-event follow-up communications.
    • Categories of Personal Data: name, company, job function / title, email address, mailing address, and similar contact information
    • Types of Data Subjects: registered attendees at TLF events
  • For purchases of Education Engagements (if the Agreement covers purchases of Education Engagements):
    • TLF, as the provider of Education Engagements to Company’s personnel hereunder, may provide Authorized Participants with access to Training Courses, Certifications Exams, and other materials via TLF’s platform. Authorized Participants will create and control their own user accounts on TLF’s platform pursuant to TLF’s privacy policies.
    • Company, as the employer of Authorized Participants and the sponsor and source of funding for Authorized Participants to participate in Education Engagements, may receive details from TLF regarding Authorized Participants’ enrollment in and completion of Education Engagements in connection with Company’s supervision of the Authorized Participants, and may provide contact details to TLF regarding Authorized Participants to enable TLF to deliver the Education Engagements to them.
    • Categories of Personal Data: name, email address and other contact information, and details of Education Engagement enrollment, participation and completion
    • Types of Data Subjects: Authorized Participants under the Agreement

TLF and Company desire to set forth their respective responsibilities regarding the Processing of Personal Data relating to the foregoing, and accordingly agree as follows:

1. Definitions. In this DPA, the following terms will have the meanings set out below:

  1. “Controller”, “Data Subject”, “Personal Data Breach”, “Process/Processing”, “Processor”, and “Special Categories of Personal Data,” or their equivalent terms under applicable Data Protection Laws, will have the same meaning as defined under applicable Data Protection Laws;
  2. “Affiliate” means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either TLF or Company (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
  3. “CCPA” means the California Consumer Privacy Act and any implementing regulations issued thereto, each as amended (including by the California Privacy Rights Act and any regulations promulgated thereto).
  4. “Company Affiliate” means an Affiliate of Company;
  5. “Data Subject Request” means a request from a Data Subject to exercise any right under Data Protection Laws;
  6. “Data Protection Laws” means all national, federal, state, provincial, local, and international privacy, cybersecurity and data protection laws applicable to the Processing of Personal Data under this DPA, together with any implementing or supplemental rules and regulations, each as amended, including but not limited to, to the extent applicable, the CCPA and GDPR.
  7. “Deidentified Data” means data that (i) is not linked or reasonably linkable to, and cannot reasonably be used to infer information about, a particular individual, household, or personal or household device; and (ii) is subject to reasonable measures to ensure that such data cannot be associated with a particular individual or household (including any personal or household device), including by any recipient of such data.
  8. “EEA” means the European Economic Area, and unless otherwise indicated, EEA or Member States of the EEA continues to include the United Kingdom following its exit from the European Union;
  9. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (known as the General Data Protection Regulation).
  10. “Permitted Purposes” are the purposes set forth in the Preamble to this DPA, as applicable by the nature of the Agreement.
  11. “Personal Data” means any information relating to an identified or identifiable natural person, as well as other information defined as “personal data,” “personal information” or equivalent term under Data Protection Laws;
  12. “Restricted Transfer” means a transfer of Personal Data from Discloser to Recipient (including any onward transfer between the establishments of such), to the extent such transfer would be prohibited or restricted by Data Protection Laws, or by the terms of data transfer agreements, in the absence of the Standard Contractual Clauses;
  13. “Standard Contractual Clauses” means (i) the standard contractual clauses for the transfer of Personal Data to entities established in third countries as set out in Commission Decision C/2021/3972, with selections for Module One (Transfer Controller to Controller), as updated, amended, replaced or superseded from time to time by the European Commission, or (ii) any other contractual clauses or other mechanism approved by a Supervisory Authority or by Data Protection Laws for use in respect of such Restricted Transfer, as updated, amended, replaced or superseded from time to time by such Supervisory Authority or Data Protection Laws;
  14. “Supervisory Authority” means (a) an independent public authority which is established by a Member State pursuant to GDPR, Art. 51; and (b) any similar regulatory authority responsible for the enforcement of Data Protection Laws; and
  15. “TLF Affiliate” means an Affiliate of TLF.
  16. “UK Data Protection Laws” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), together with the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (as amended) and other data protection or privacy legislation in force from time to time in the United Kingdom. In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions shall be construed as references to the UK GDPR and its corresponding provisions, and references to “EU or Member State laws” shall be construed as references to UK laws.
  17. “UK SCC IDTA” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018, version B1.0, as may be amended or replaced from time to time.

2. Controllers

  1. The parties acknowledge that each will act as a separate Controller in relation to the Personal Data which they Process.
  2. The parties will each comply with their respective obligations under Data Protection Laws in respect of their processing of Personal Data.

3. Disclosing of Personal Data. Where acting as a Discloser, each party will:

  1. only disclose the Personal Data for the Permitted Purposes;
  2. ensure that a notice has been made available and will continue to be accessible to the relevant Data Subject(s) informing them that their Personal Data will be disclosed to the Recipient or to a category of third party describing the Recipient;
  3. ensure that it has obtained any necessary consents or authorizations required to permit the Recipient to freely Process the Personal Data for the Permitted Purposes;
  4. not disclose any Special Categories of Personal Data to the Recipient; and
  5. be responsible for the security of any Personal Data in transmission from the Discloser to the Recipient (or otherwise in the possession of the Discloser).

4. Processing of Personal Data. Where acting as a Recipient, each party will:

  1. not Process Personal Data in a way that is incompatible with the Permitted Purposes (other than to comply with a requirement of applicable law to which Recipient is subject);
  2. not Process Personal Data for longer than is necessary to carry out the Permitted Purposes (other than to comply with a requirement of applicable law to which Recipient is subject); and
  3. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, have in place appropriate technical and organizational security measures to protect the Personal Data against unauthorized or unlawful Processing, or accidental loss or destruction or damage.

5. CCPA Obligations. As a non-profit corporation, TLF is not a “business” for purposes of the CCPA. To the extent the CCPA applies to the Processing of Personal Data that one Party provides to the other Party, and without limiting other obligations herein, the following shall apply:

  1. The Parties agree that the Parties disclose Personal Data to one another for the Permitted Purposes;
  2. The Parties will (i) comply with all applicable Data Protection Laws in the Processing of Personal Data and shall provide the same level of privacy protection as is required by Data Protection Laws and this DPA; and (ii) only Process Personal Data for the Permitted Purposes or as permitted or required by applicable Data Protection Laws;
  3. If either Party believes it will be unable to comply with Data Protection Laws, such Party will promptly notify the other Party. Without limiting the foregoing, the Parties grant one another the right to take reasonable and appropriate steps: (i) to help ensure the Recipient uses Personal Data transferred in a manner consistent with Disclosing Party’s obligations under Data Protection Laws; and (ii) to, upon notice, stop and remediate any unauthorized use and Processing of Personal Data. Upon request by a Party, the other Party will provide the information necessary to demonstrate compliance with this DPA and the CCPA; and
  4. To the extent the Parties receive or otherwise Process Deidentified Data associated with, derived from, or otherwise related to Personal Data under the Agreement, the Parties will: (i) take reasonable measures to ensure that the Deidentified Data cannot be associated with an individual, household or device; (ii) publicly commit to maintain and use the information in deidentified form and not attempt to reidentify the information; (iii) otherwise comply with applicable requirements for retention and Processing of Deidentified Data under Data Protection Laws; and (iv) contractually obligate any further recipient to comply with all provisions of this Section 5(d).

6. Personal Data Breaches

  1. The Recipient will notify the Discloser without undue delay following any Personal Data Breach involving the Personal Data.
  2. Each party will co-operate with the other, to the extent reasonably requested, in relation to any notifications to Supervisory Authorities or to Data Subjects which are required following a Personal Data Breach involving the Personal Data.

7. Further Co-operation and Assistance. Each party will co-operate with the other, to the extent reasonably requested, in relation to:

  1. any Data Subject Requests;
  2. any other communication from a Data Subject concerning the Processing of their Personal Data; and
  3. any communication from a Supervisory Authority concerning the Processing of Personal Data, or compliance with Data Protection Laws.

8. Description of Personal Data. The parties acknowledge that the Personal Data (a) may include the categories of personal data specified in the preamble to this DPA, which do not include any Special Categories of Data (sensitive data); (b) are related to the types of Data Subjects specified in the preamble to this DPA; and (c) are disclosed and transferred for the Permitted Purposes.

9. Restricted Transfers. With respect to any Restricted Transfers, the parties hereby enter into the Standard Contractual Clauses, which are incorporated by reference into this DPA as follows:

  1. Where personal data is disclosed by TLF, TLF for itself and its relevant Affiliates is the “data exporter” and Company and its relevant affiliates are the “data importers.”
  2. Where personal data is disclosed by Company, Company and its relevant Affiliates are the “data exporters” and TLF for itself and its relevant affiliates is the “data importer.”
  3. Both parties have the authority to enter into the Standard Contractual Clauses for themselves and their respective relevant Affiliates.
  4. Clause 7 (Docking) shall apply; the optional text of clause 11(a) (Redress) shall not apply; clauses 17 (Option 1) and 18 of the Standard Contractual Clauses shall specify Belgium as the selected EU Member State.
  5. Annex I to the Standard Contractual Clauses shall be deemed to be prepopulated with the relevant information in Section 8 of this DPA, and the following contact information: (a) data exporter: the relevant data exporter’s mailing address set forth in the Agreement; and (b) data importer: the relevant data importer’s contact information set forth in the Agreement; for each, in the case of TLF, Attn: Legal Department.
  6. Annex II to the Standard Contractual Clauses shall be deemed to be prepopulated with the following:
    1. Data importer has implemented commercially reasonable technical and organizational measures for protecting Personal Data, including with respect to its relevant information processing systems, and reasonable and appropriate technical, physical and administrative measures will be maintained to protect Personal Data under data importer’s possession or control against unauthorized or unlawful Processing or accidental loss, destruction or damage, including:
      1. employees and other personnel that regularly handle Personal Data receive privacy and security appropriate to their responsibilities;
      2. documented policies, procedures and processes for managing the security risks related to Processing of Personal Data;
      3. devices, systems, facilities and assets that Process Personal Data (“assets”), and that are material to the provision of the services, are identified and managed;
      4. security risks are identified, and are assessed regularly;
      5. access to assets is limited to authorized users;
      6. access logs are collected and reviewed as appropriate;
      7. remote access to assets is restricted and securely managed;
      8. Personal Data is physically and logically separate from the Personal Data of other clients/customers/partners;
      9. electronic and paper records containing Personal Data are securely destroyed in accordance with secure destruction policies and procedures;
      10. appropriate technical security solutions are implemented and managed to protect the confidentiality, integrity and availability of Personal Data;
      11. maintenance and repair of information system components is performed in a controlled and secure manner;
      12. incident response processes and procedures are maintained to provide for timely identification of, response to, and mitigation of detected Personal Data Breaches; and
      13. backups and disaster recovery processes are in place.
    2. Reasonable steps will be taken in an effort to ensure the reliability of personnel having access to Personal Data.
    3. Appropriate due diligence will be conducted on subprocessors to ensure that each is capable of providing an appropriate level of protection for Personal Data.
  7. Although Company and TLF intend that this DPA shall be deemed to include the Standard Contractual Clauses as set forth in this Section 9, upon either Party’s request Company and TLF shall execute a separate copy of the Standard Contractual Clauses, with such selections as set forth herein.
  8. To the extent UK Data Protection Laws apply, the parties enter into the UK SCC IDTA, with the following selections:
    1. Table 1: Start Date: the effective date of the Agreement.
    2. Table 1: Parties’ Details: As set forth above in 9(e) of this DPA.
    3. Table 2: Selected SCCs, Modules and Selected Clauses: as set forth in the definition of “Standard Contractual Clauses” in this DPA, and in section 9 of this DPA.
    4. Table 3: Appendix Information: as set forth in section 9 of this DPA.
    5. Table 4: Ending this Addendum when the Approved Addendum Changes: Either the Exporter or the Importer may end this Addendum as set forth in Section 19 of the SCC IDTA.
  9. The parties agree that, with respect to Swiss Personal Data, the Standard Contractual Clauses will apply amended and adapted as follows:
    1. the Swiss Federal Data Protection and Information Commissioner is the exclusive supervisory authority;
    2. the term “member state” must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18; and
    3. references to the GDPR in the Standard Contractual Clauses shall also include the reference to the equivalent provisions of the Swiss Federal Act on Data Protection (as amended or replaced).

10. Governing Law and Jurisdiction. Without prejudice to clauses 17 and 18 of the Standard Contractual Clauses:

  1. the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
  2. this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.