This Addendum ("Addendum") forms part of the Subscription Agreement between "Hosted Service" and "Customer".
The parties hereby agree that the terms and conditions set out below are part of the Subscription Agreement and that all terms and conditions of the Subscription Agreement shall remain in full force and effect other than those modified in this Addendum.
- Definitions. In this Addendum, the following terms shall have the following meanings:
- "Applicable Laws" means European Union, Member State or any other laws with respect to any Customer Personal Data and data protection, including, but not limited to, EU Data Protection Laws;
- "Customer" also includes any entity that owns or controls, is owned or controlled by, or is or under common control or ownership with Customer, any affiliate, joint-venture or other combination where Customer has control or ownership;
- "Customer Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of a Customer pursuant to or in connection with the Subscription Agreement;
- "Contracted Processor" means Hosted Service or any individual or organization engaged by the Hosted Service, including subprocessors or other contractors, to conduct any processing of Customer Personal Data;
- "GDPR" refers to the EU General Data Protection Regulation 2016/679;
- "Restricted Transfer" means a transfer of Customer Personal Data from the Customer to Hosted Service or an onward transfer of Customer Personal Data from a Contracted Processor, such as the Hosted Service, to a Contracted Processor or between two Contracted Processors. When a transfer would be prohibited by Applicable Laws (or by the terms of data transfer agreements), it will be governed by this Agreement as covered in Clause 8 below; and
- "Services"means the services and other activities to be supplied to or carried out by or on behalf of Hosted Service for Customer pursuant to the Subscription Agreement;
- The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR.
- Processing of Customer Personal Data and Roles of Customer and Hosted Service
- Hosted Service, Customer and any Contracted Processor shall:
- comply with all Applicable Laws in the Processing of Customer Personal Data;
- not process Customer Personal Data other than according to Customer instructions unless Processing is required by Applicable Laws to which the Hosted Service or relevant Contracted Processor is subject; and
- not process any Customer Personal Data, beyond the instructions in Clause 2(a)(ii), for data determined to be from the European Economic Area, or any area subject to the GDPR, except for the purposes of complying with Applicable Laws including the GDPR.
- Customer instructs the Hosted Service to Process Customer Personal Data and transfer Customer Personal Data to any country or territory as reasonably necessary for the provision of the Services and consistent with the Subscription Agreement, and Customer warrants and represents that it is, and will remain for the duration of the Subscription Agreement, authorized to give the instructions to Process any Customer Personal Data.
- Customer warrants that it has secured all appropriate consents and permission for any use or processing that it instructs the Hosted Service to conduct, and that, for all purposes and in all situations, the Customer is the Controller of any Customer Personal Data.
- Customer acknowledges that the Hosted Service does not itself collect or process Personal Data as defined under the GDPR except to determine the applicability of the GDPR by identifying the location of the Data Subject, and that any collection or processing of such data is solely the responsibility of the Customer, including securing any necessary consent, providing any necessary disclaimers, and otherwise complying with any obligations under the GDPR.
- The Contracted Processors' Processing of the Customer Personal Data will:
- include the subject matter and duration of the Processing of the Customer Personal Data as set out in the Subscription Agreement and this Addendum;
- include determining specific interests in website resources to allow the personalization of targeted content to improve the user’s experience by reducing the individual need to search for relevant content as part of the nature and purpose of the Processing of Customer Personal Data;
- include on-site behavioral, demographic and firmographic information among the types of Customer Personal Data to be Processed, dependent on specific audience segments and campaigns;
- include Customer Personal Data from individuals who visit Customer websites;
- reflect the obligations and rights of Customers as set out in the Subscription Agreement and this Addendum;
- comport with article 28(3) of the GDPR; and
- allow Customer or Hosted Service to make reasonable amendments to this Addendum, including the coverage of Contracted Processors Processing activities, by written notice to the other party from time to time as Customer or Hosted Service reasonably considers necessary to meet those requirements.
- Hosted Service, Customer and any Contracted Processor shall:
- Security
- Customer, as Controller, is in the best position to determine and implement appropriate security measures relating to Customer Personal Data. Insofar as Hosted Service is acting to complete Processing under the Subscription Agreement, and considering all scope, context and purposes of Processing, and the risks to Customer Personal Data, Hosted Service shall implement reasonable, appropriate technical and organizational measures to ensure a level of security consistent with Article 32(1) of the GDPR.
- Hosted Service and Customer shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Customer Personal Data, by limiting access to those individuals who need access necessary for the purposes of the Subscription Agreement, and to comply with Applicable Laws ensuring that all such individuals are subject to confidentiality.
- Customer is solely responsible for management and security of Customer Personal Data when not in possession of the Hosted Service for specific, instructed Processing.
- Subprocessing
- Customer authorizes Hosted Service to appoint Subprocessors in accordance with this addendum and any restrictions in the Subscription Agreement.
- With respect to each Subprocessor, Hosted Service shall carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by the Subscription Agreement and ensure that the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum and meet the requirements of article 28(3) of the GDPR.
- Subprocessing will be consistent with the provisions of Clause 2(e) of this Addendum.
- Data Subject Rights
- Customer is responsible for implementing appropriate technical and organizational measures to comply with Applicable Laws including GDPR. Specifically, Customer has the sole responsibility to ensure they are complying with all Applicable Law and that they have in place procedures and methods to properly obtain consent and respond to any requests regarding Personal Data use consistent with GDPR. Customer also is responsible for any obligation to respond to requests exercising Data Subject rights under the Applicable Laws.
- Hosted Service shall promptly notify Customer if Hosted Service receives a request from a Data Subject under any Applicable Law in respect of Customer Personal Data and will not respond to that request except on the documented instructions of Customer, as Controller, and as required by Applicable Laws.
- Personal Data Breach
- Hosted Service shall notify Customer without undue delay upon Hosted Service becoming aware of any potential Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to report or inform Data Subjects of the Personal Data Breach under the Applicable Laws.
- Hosted Service shall co-operate with Customer and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Deletion or return of Customer Personal Data
- Hosted Service promptly delete or return Customer Personal Data after the date of cessation of any Services involving the Processing of Customer Personal Data.
- Each Contracted Processor may retain Customer Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Hosted Service shall ensure the confidentiality of all such Customer Personal Data.
- Restricted Transfers
- Customer (as "data exporter") and each Contracted Processor including the Hosted Service (as "data importer") hereby agree that a Restricted Transfer from the Customer to that Contracted Processor will be governed as follows.
- The Customer ("data exporter") agrees and warrants:
- that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the Applicable Law including processing the personal data transferred only on the data exporter's behalf ;
- that the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
- that it will ensure compliance with the security measures;
- that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Applicable Laws;
- that it will forward any notification received from the data importer or any subprocessor to the Applicable supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
- to make available to the data subjects upon request a summary description of the security measures, as well as a copy of any contract for processing services which has to be made, unless the contract contain commercial information, in which case it may remove such commercial information;
- The Hosted Service ("data importer") agrees and warrants:
- to process the personal data only on behalf of the data exporter and in compliance with its instructions; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply;
- that it has implemented technical and organizational security measures for processing the personal data transferred;
- that it will promptly notify the data exporter about:
- any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
- any accidental or unauthorized access, and
- any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
- to make available to the data subject, upon request, a copy of the existing contract for processing, unless contract contains commercial information, in which case it may remove such commercial information, as well as a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
- Liability
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 8 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this agreement with the supervisory authority if it so requests or if such deposit is required under the Applicable Law.
- Subprocessing
- Where the data importer subcontracts its obligations under the agreement it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the agreement. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
- The provisions relating to data protection for subprocessing shall be governed by the law of the Member State in which the data exporter is established.
- Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- General Terms
- Governing Law. The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Subscription Agreement, the State of Delaware, with respect to any disputes or claims arising under this Addendum, including disputes regarding its existence andvalidity
- In the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Subscription Agreement, the provisions of this Addendum shall prevail.
- Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.