GDPR Data Processing Addendum
Effective Date: May 25, 2018
This GDPR Data Processing Addendum, including the Standard Contractual Clauses referenced herein (“DPA”), is dated amends and supplements any existing and currently valid service agreement (the “Agreement”) either previously or concurrently made between you (together with subsidiary(ies) and affiliated entities, collectively, “Merchant”) and Cleverific, Inc (together with subsidiary(ies) and affiliated entities, collectively “Processor”) and sets forth other terms that apply to the extent any information you provide to Processor pursuant to the Agreement includes Personal Data (as defined below).
Terms used but not defined in this DPA, such as “personal data breach”, “processing”, “controller”, “processor” and “data subject”, will have the same meaning as set forth in Article 4 of the GDPR. In addition, the following definitions are used in the Addendum:
- “EU Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area, their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including (where applicable) the GDPR.
- “GDPR” means the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data).
- “Personal Data” means any information relating to an identified or identifiable natural person located in the European Economic Area, Switzerland and United Kingdom. An identifiable natural person is one who can be identified, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- “Standard Contractual Clauses” means the model clauses for the transfer of personal data to processors established in third countries approved by the European Commission, the approved version of which is set out in the European Commission's Decision 2010/87/EU of 5 February 2010 and at http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087, which clauses are incorporated herein by this reference.
This DPA is effective on the later of (a) the start of enforcement of the GDPR or (b) the date Processor begins to process Personal Data on behalf of Merchant.
Data Processing Description
Exhibit A to this DPA describes the data exporter, data importer, data subjects, data categories, special data categories (if appropriate), the processing operations and the technical and organizational measures implemented by Processor to protect the Personal Data. For the purposes of the Standard Contractual Clauses, (a) Merchant is the data exporter, and Merchant’s execution of this DPA shall be treated as Merchant’s execution of the Standard Contractual Clauses and appendices in this DPA; and (b) Processor is the data importer, and Processor’s execution of this DPA shall be treated as Processor’s execution of the Standard Contractual Clauses and appendices in this DPA.
GDPR Contractual Terms
Pursuant to Articles 28, 32 and 33 of the GDPR:
- Merchant grants a general authorization to Processor to appoint its affiliates as sub-processors and a specific authorization to Processor and its affiliates to appoint as sub-processors third parties that provide reasonable technological and organizational safeguards to protect the Personal Data. Please email us at firstname.lastname@example.org at any time to request a list of our sub-processors and/or to subscribe to our sub-processor email updates. [Article 28(2)]
- Processor shall [Article 28(3)]:
- process the Personal Data only on documented instructions from Merchant unless required to do so by European Union or Member State law to which Processor is subject; in such a case, Processor shall inform Merchant of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- take all applicable and appropriate measures required of processors pursuant to Article 32 of the GDPR.
- taking into account the nature of the processing, assist Merchant by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Merchant’s obligation to respond to requests for exercising the data subject’s rights set forth in Chapter III of the GDPR. Processor may charge a fee (based on Processor’s reasonable costs) for responding to data subject requests under this Section 4(b)(iv).
- assist Merchant in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Processor.
- at the direction of Merchant, delete or return all the Personal Data to Merchant after the end of the provision of services relating to processing, and delete existing copies unless European Union or Member State or United States law requires storage of the Personal Data; provided, however, that Processor may retain Personal Data for the length of any applicable statutes of limitations for the purposes of bringing or defending claims. Processor may charge a fee (based on Processor’s reasonable costs) for any data deletion under this Section 4(b)(vi).
- make available to Merchant all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Merchant and immediately inform Merchant if, in its opinion, an instruction infringes the GDPR or other European Union or Member State data protection provisions. Processor may charge a fee (based on Processor’s reasonable costs) for any audits under this Section 4(b)(vii).
- Where Processor engages another processor for carrying out specific processing activities on behalf of Merchant, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract or other legal act under European Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. [Article 28(4)]
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Merchant and Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. [Article 32(1)]
- In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. [Article 32(2)]
- Merchant and Processor shall take steps to ensure that any natural person acting under the authority of Merchant or Processor who has access to Personal Data does not process them except on instructions from Merchant, unless he or she is required to do so by European Union or Member State law (or, in the case of Processor, United States law). [Article 32(4)]
- Processor shall notify Merchant without undue delay after becoming aware of a Personal Data breach. [Article 33(2)] Such notice will, at a minimum, (A) describe the nature of the Personal Data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; (B) communicate the name and contact details of the data protection officer or other contact where more information can be obtained; (C) describe the likely consequences of the personal data breach; and (D) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects. [Article 33(3)] Processor’s notification or response under this Section 4(g) shall not be construed as an acknowledgement by Processor of any fault or liability with respect to such Personal Data breach.
Pursuant to Article 46 of the GDPR:
- Merchant acknowledges and agrees that Processor is located in the United States and that Merchant’s provision of Personal Data to Processor for processing is a transfer of Personal Data to the United States.
- All transfers of Merchant Personal Data out of the European Economic Area, Switzerland and the United Kingdom to countries that do not ensure an adequate level of data protection within the meaning of applicable data protection laws shall be governed by the Standard Contractual Clauses. The Standard Contractual Clauses, and Appendices 1 and 2 to the Standard Contractual Clauses set out in Exhibit A to this Addendum, are incorporated in this DPA by this reference solely as required with respect to Personal Data. Execution of this DPA by both parties includes execution of the Standard Contractual Clauses with respect to the processing of Personal Data.
Processing by Controller
Merchant represents and warrants that the Personal Data provided to Processor for processing under the Agreement and this DPA is collected and/or validly obtained by Merchant in compliance with all applicable laws and regulations, including without limitation the EU Data Protection Laws, including without limitation Chapter II of the GDPR.
Limitation of Liability
Each party’s liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability contained in the Agreement. For the avoidance of doubt, each reference herein to the “DPA” means this DPA including its exhibits and appendices.
To the extent that it is determined by any data protection authority that the Agreement or this DPA is insufficient to comply with the applicable EU Data Protection Laws, or to the extent required otherwise by any changes in the applicable data protection laws, Merchant and Processor agree to cooperate in good faith to amend the Agreement or this DPA or enter into further mutually agreeable data processing agreements in an effort to comply with any EU Data Protection Laws applicable to the Processor and Merchant.
Data Processing Addendum
Exhibit A: Appendices to Standard Contractual Clauses
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Standard Contractual Clauses
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter is Merchant, a user of services provided by Processor, the entity that has executed an Agreement and assented to the Standard Contractual Clauses as a data exporter.
Cleverific, Inc, a provider of a platform that facilitates the management of customer orders and transactions and processes Personal Data upon the instruction of the data exporter in accordance with the terms of the Agreement and the DPA.
The personal data transferred concern the following categories of data subjects:
Data exporter may submit Personal Data to Cleverific, Inc, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects: the data exporter’s representatives and end-users including employees, contractors, business partners, collaborators, and customers of the data exporter. Data subjects may also include individuals attempting to communicate or transfer Personal Data to users of the services provided by Cleverific, Inc.
Categories of data
Data exporter may submit Personal Data to Cleverific, Inc, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of personal data: (a) First and last name; (b) email address; (c) Shipping and Billing Address; (d) Phone number; (e) abridged payment information; (f) Connection data; (g) Localisation data; and (h) other data in an electronic form used by Merchant in the context of the services.
The personal data transferred will be subject to the following processing activities:
The objective of the processing of personal data by data importer is the performance of the contractual services related to the Agreement with the data exporter. The processes may include collection, storage, retrieval, consultation, use, erasure or destruction, disclosure by transmission, dissemination or otherwise making available data exporter’s data as necessary to provide the services in accordance with the data exporter’s instructions, including related legitimate internal purposes (such as quality control, troubleshooting, product development, etc.).
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Standard Contractual Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):