Dynamic Yield: Data Processing Addendum
Last Updated July, 2020
This Data Processing Addendum ("Addendum") forms an integral part of the Agreement between Customer and the Dynamic Yield entity listed in the applicable Order Form or Agreement ("Dynamic Yield"), which govern Customer's right to use certain services designed to automatically personalize Customer's content through Dynamic Yield's Platform, and applies to the extent that Dynamic Yield or any of its trusted Sub-Processors collect or processes Personal Data, or has access to Personal Data, in the course of Dynamic Yield’s performance under the Agreement, as specified in Exhibit A, which is attached and incorporated hereto by reference.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
- "Approved Jurisdiction" means a member state of the EEA, or other jurisdiction as may be approved as having adequate legal protections for data by the European Commission.
- "Breach Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq.
- "Data Protection Legislation" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law and the CCPA.
- “Data Controller”, “Data Processor”, “data subject”, “process” and “processing” shall have the meanings ascribed to them in the Data Protection Legislation. Where applicable, Data Controller shall be deemed to be a "Business", Data Processor shall be deemed to be the "Service Provider", and "data subject" shall be deemed to be a "Consumer" as these terms are defined under the CCPA.
- "EEA" means those countries that are member of the European Economic Area.
- “EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive"); and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR").
- "Personal Data" means any information which (i) can be related to an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual, and (ii) supplied by Customer to Dynamic Yield pursuant to the Agreement or which Dynamic Yield or any of its Sub-Processors generate, collect, store, transmit, or otherwise process on behalf of Customer in connection with the Agreement. Personal Data may include information which is related to Customer’s users, employees, and other individuals (collectively, "End Users").
- “Security Measures” mean commercially reasonable security-related policies, standards, and practices commensurate with the size and complexity of Dynamic Yield’s business, the level of sensitivity of the data collected, handled and stored, and the nature of Dynamic Yield’s business activities.
- “Sub-Processors” mean any affiliate, agent or assign of Dynamic Yield that may process Personal Data pursuant to the terms of the Agreement, and any unaffiliated processor engaged by Dynamic Yield.
Compliance with Laws
- Each Party shall comply with its respective obligations under the Data Protection Legislation.
- Dynamic Yield shall provide reasonable cooperation and assistance to Customer in relation to Dynamic Yield’s processing of Personal Data in order to allow Customer to comply with its obligations as a Data Controller under Data Protection Legislation.
- Dynamic Yield agrees to notify Customer promptly if it becomes unable to comply with the terms of this Addendum and take reasonable and appropriate measures to remedy such non-compliance.
- Throughout the duration of the Addendum, Customer agrees and warrants that: (a) it has a mechanism in place to ensure that: (i) End Users have been informed of Dynamic Yield’s use of Personal Data as required by Data Protection Legislation; (ii) End Users' consents and permits applicable to Dynamic Yield's Services are properly obtained and recorded; (iii) End Users can withdraw such consent at any time;(b) Personal Data has been and will continue to be collected, processed and transferred by it in accordance with the relevant Data Protection Legislation; (c) it will not share any special categories of Personal Data, as this term is defined in the Data Protection Legislation (including as CRM Data or otherwise) and (d) any instruction to Dynamic Yield in connection with the processing of Personal Data, has been and will continue to be carried out in accordance with the relevant Data Protection Legislation. Customer shall bear sole liability in any case of violation of this section.
Processing Purpose and Instructions
- The duration of the processing under the Agreement is determined by the Parties, as set forth in the Agreement.
- Dynamic Yield shall process Personal Data only to deliver the Services in accordance with Customer’s documented instructions, the Agreement and the Data Protection Legislation. Unless permitted under the Agreement or this Addendum, Dynamic Yield shall not otherwise modify, amend, disclose or permit the disclosure of any Personal Data to any third party unless authorized or directed to do by Customer.
- Dynamic Yield will not use Personal Data for any use other than as expressly provided in the Agreement or this Addendum. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Dynamic Yield and Customer by way of written amendment to the Agreement, and will include any additional fees that may be payable by Customer to Dynamic Yield for carrying out such instructions.
Reasonable Security and Safeguards
- Dynamic Yield represents, warrants, and agrees to use Security Measures as set out in set out in Exhibit B, to (i) protect the availability, confidentiality, and integrity of any Personal Data collected, accessed, used, or transmitted by Dynamic Yield in connection with this Agreement, and (ii) protect such data from Breach Incidents.
- The Security Measures are subject to technical progress and development and Dynamic Yield may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Customer.
- Dynamic Yield shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who have access to and process Personal Data. Dynamic Yield shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Customer is responsible for using and configuring the Services in a manner which enables Customer to comply with Data Protection Legislation, including implementing appropriate technical and organizational measures.
Upon becoming aware of a Breach Incident, Dynamic Yield will notify Customer without undue delay and will provide information relating to the Breach Incident as reasonably requested by Customer. Dynamic Yield will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Breach Incident.
Security Assessments and Audits
Dynamic Yield audits its compliance against data protection and information security standards on a regular basis. Such audits are conducted by Dynamic Yield’s internal audit team or by third party auditors engaged by Dynamic Yield.
Dynamic Yield shall, upon reasonable and written notice of at least thirty (30) days in advance and subject to obligations of confidentiality, allow its data processing procedures and documentation to be inspected annually by Customer (or its designee) in order to ascertain compliance with this Addendum. Dynamic Yield shall cooperate in good faith with audit requests by providing access to relevant knowledgeable personnel and documentation during regular business hours.
Cooperation and Assistance
- If Dynamic Yield receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under the Data Protection Legislation, Dynamic Yield will promptly redirect the request to Customer. Dynamic Yield will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Dynamic Yield is required to respond to such a request, Dynamic Yield will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so.
- If Dynamic Yield receives a legally binding request for the disclosure of Personal Data which is subject to this Addendum, Dynamic Yield shall (to the extent legally permitted) notify Customer upon receipt of such order, demand, or request. Notwithstanding the foregoing, Dynamic Yield will cooperate with Customer with respect to any action taken pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data.
Upon reasonable notice, Dynamic Yield shall provide reasonable assistance to Customer in:
- allowing data subjects to exercise their rights under the Data Protection Legislation;
- ensuring compliance with any notification obligations of Brach Incidents to the supervisory authority and communication obligations to data subjects, as required under Data Protection Legislation;
- Ensuring compliance with its obligation to carry out Data Protection Impact Assessments (“DPIA”) or prior consultations with data protection authorities with respect to the processing of Personal Data. Any assistance to Customer with regard to DPIA or prior consultations will be solely at Customer's expense.
Use of Sub-Processors
- Customer shall be deemed to have consented to the engagement of the Sub-Processors listed in Exhibit C hereto.
- Customer provides a general consent to Dynamic Yield to engage onward Sub-Processors (including for the provision of cloud computing services and for personalized search solutions), provided that Dynamic Yield has entered into an agreement with the Sub-Processor containing data protection obligations that are as restrictive as the obligations under this Addendum (to the extent applicable to the services provided by the Sub-processor). Prior to engaging any new Sub-Processor, Dynamic Yield will notify Customer (email acceptable) and allow Customer thirty (30) days to object. If Customer has legitimate objections to the appointment of any new Sub-Processor(s), the parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days.
- Customer acknowledges that as part of the Services which Dynamic Yield provides, it may engage with Sub-Processors which provide additional technological solutions which may be provided as part of Dynamic Yield's services to the Customer. These service providers may also collect End Users’ data (including Personal Data) from Customer’s online platform, such as country of origin, search queries performed by End Users, features of End Users’ browser and the operating system, details about pages visited, etc. The engagement with these service providers will be done in accordance with the provisions of this section.
- Dynamic Yield will be responsible for any acts, errors, or omissions of its Sub-Processors that cause Dynamic Yield to breach any of its obligations under this Addendum.
International Data Transfers
- Dynamic Yield may transfer and process Personal Data to and in other locations around the world where Dynamic Yield or its Sub-processors maintain data processing operations as necessary to provide the Services as set forth in the Agreement.
- If Dynamic Yield (or its Sub-processors) processes Personal Data from the EEA or Switzerland in a jurisdiction that is not an Approved Jurisdiction, Dynamic Yield shall ensure that it (or the relevant Sub-processor) has a legally approved mechanism in place to allow for the international data transfer. If Dynamic Yield intends to rely on the Standard Contractual Clauses, then the following shall apply: The Standard Contractual Clauses set forth in Exhibit D shall apply. If such Standard Contractual Clauses are superseded by new or modified Standard Contractual Clauses, the new or modified Standard Contractual Clauses shall be deemed to be incorporated in this Addendum and the parties will promptly begin to comply with them. Dynamic Yield will abide by the obligations set forth under the Standard Contractual Clauses for data importer.
- It is hereby calrfied that all of Customer’s Personal Data shall be stored by Dynamic Yield within the EU.
Data Retention and Destruction
Dynamic Yield will only retain Personal Data for as long as Services are provided to Customer in accordance with this Agreement . Following expiration or termination of the Agreement, upon Customer’s request Dynamic Yield will delete or return to Customer all Personal Data in its possession as provided in the Agreement except to the extent Dynamic Yield is required by applicable law to retain some or all of the Personal Data (in which case Dynamic Yield will implement reasonable measures to prevent the Personal Data from any further processing). The terms of this Addendum will continue to apply to such Personal Data.
Obligations under the CCPA
- Dynamic Yield shall not Sell the Personal Data (as the term "Sell" is defined under the CCPA).
- Dynamic Yield is prohibited from retaining, using, or disclosing Personal Data for a commercial purpose other than providing the services to Customer under the Agreement and from retaining, using, or disclosing the Personal Data outside of the Agreement.
- Dynamic Yield understands its obligations under this Clause 11 and will comply with them.
Liability and Indemnification
Customer will indemnify, defend, and hold Dynamic Yield harmless against any claim, demand, suit or proceeding (including any damages, costs, reasonable attorney’s fees, and settlement amounts) made or brought against Dynamic Yield by a third party alleging that Personal Data received by Dynamic Yield from Customer or processed by Dynamic Yield in accordance with Customer’s instructions, is in breach of Data Protection Legislation.
- Dynamic Yield acknowledges and agrees that it has no ownership of Personal Data other than as expressly permitted under the Agreement or as authorized by Customer.
- Any claims brought under this Addendum will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement, provided however that in no event will any party be deemed to have limited its liability under the Agreement with respect to any individual’s data protection rights under this Addendum or pursuant to applicable law.
- In the event of a conflict between the Agreement (or any document referred to therein) and this Addendum, the provisions of this Addendum shall prevail.
- Dynamic Yield may modify the terms of this Addendum in circumstances such as (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Data Protection Legislation, or (iii) to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Data Protection Legislation. Dynamic Yield will provide notice of such changes to Customer, and the modified Addendum will become effective, in accordance with the terms of the Agreement.
The information concerns the following categories of Personal Data which relate to End Users:
- Geographical information (City, State, Country);
- Audience membership - based on real time user segmentation and backend historical calculations;
- IP address (however, these are not stored);
- Online Identifiers (i.e. online data collected from End User’s devices, applications and protocols which leave traces which may identify them), such as UDID, cookie identifiers etc. ;
- Device and browser attributes;
- For customers who have enabled certain Dynamic Yield features, search query terms;
- Page views and interactions.
- Customer events set up by Customer fired from the web.
- 3rd party data shared with Dynamic Yield by a Customer.
- CRM data and any other data elected for onboarding by a Customer.
- Online (and, if Customer elects to share with Dynamic Yield, offline) purchase history.
- For customers who have enabled certain Dynamic Yield features, plain text email addresses.
Personal Data shall be processed by Dynamic Yield (or any of its Sub-Processors) for the following purposes:
- Automatically personalize End Users’ interaction with Customers’ online platforms across the web, mobile web, mobile apps and email and other channels.
- Build actionable End Users’ segments in real time, enabling Customer to take instant action via personalization, product/content recommendations, automatic optimization, real-time messaging and other activation modules offered by Dynamic Yield from time to time.
Technical and organizational measures
- This Exhibit B outlines the technical and organizational measures for safeguarding Personal Data undertaken by Dynamic Yield, in support of our global security framework.
- We take a systematic approach to data protection, privacy, and security. We believe a robust security and privacy program requires active involvement of stakeholders, ongoing education, internal and external assessments, and installment and enforcement of best practices within the organization.
- We hold ISO 27001 and 27018 certifications.
Organizational and Personnel Management
- We appointed a Chief Information Security Officer (CISO) who designs, develops, and deploys our technical architectures, security policies, standards, and awareness program along with our Security and IT teams.
- We have also appointed a Data Privacy Officer (DPO), who can be reached at firstname.lastname@example.org, and who oversees our privacy program.
- Annual Risk Assessment includes an Information Security Audit, owned, operated and maintained by the CISO. Its result is presented to the steering committee and afterwards to management during management security reviews
- Dynamic Yield's physical servers are managed by Amazon Web Services (“AWS”) and overseen by Dynamic Yield’s DevOps team. AWS is widely regarded as employing highly protective and industry standard protective measures ensuring the security of physical servers managed by them, relied upon by thousands of technology providers around the world (more on AWS security measures can be found here- https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf).
- Dynamic Yield has implemented suitable measures in order to prevent unauthorized persons from gaining access
to its resources equipment, regardless of whether those resources are directly related to where Personal Data
are processed or used. These measures may include all or a combination of any of the following:
- Maintaining offices which are within facilities requiring registration for entry and accompaniment beyond the front entrance.
- Strict measures to ensure that all visitors are accompanied, and awareness among employees to challenge any exceptions.
- Restricted access to areas including any communications or other technological equipment on an employee role basis
- A high security card key system is utilized to control facility access
- CCTV video surveillance monitoring on all entry and exit points.
- Dynamic Yield personnel is trained and briefed about contractual obligations undertaken by Dynamic Yield towards its clients with respect to data security, and their compliance therewith is monitored by company management.
- All Dynamic Yield employees and contractors are required to sign confidentiality agreements (“NDAs”) that apply during their engagement with Dynamic Yield and post termination.
- New employees go through an on-boarding process that includes security guidelines, expectations, and code of conduct. All Dynamic Yield’s employees undergo annual security awareness training
- The CISO communicate with all employees on a regular basis, covering topics such as emerging threats, phishing awareness campaigns, and other industry-related security topics.
- A formal and communicated disciplinary process is in place against employees who have committed an information security breach.
Third Party Security
- Third parties used by Dynamic Yield are checked by 3rd party questionnaires and a certification review prior to engagement to validate that prospective third parties meet Dynamic Yield’s security standards.
- Once an engagement has been established, an annual review of applicable vendors is being conducted. The annual review is performed by both by the DPO, the legal team and the CISO. The procedure takes into account the type of access and classification of data being accessed (if any), controls necessary to protect data, and legal/regulatory requirements.
Logical Access Control
- Access to the AWS console is managed by personal password-protected user accounts, managed through the AWS Identity and Access Management (IAM) service.
- MFA is enforced while accessing to our production environment
- All users access the Dynamic Yield systems with a unique identifier.
- We have established a password policy that prohibits the sharing of passwords. All passwords must fulfill defined minimum requirements and are stored in encrypted form.
- Automatic lock out of the user ID when several erroneous passwords are entered.
- Automatic time-out of user terminal if left idle; identification and password required to reopen.
- Role-based access controls implemented in a manner consistent with the principle of least privilege.
- Granting of access according to a strict formal procedure and periodic review of the access.
- Employee’s access to production systems that contain personal data is logged, audited and reviewed on a regular basis.
Monitoring & Control
- We utilize a wide range of tools to monitor our environment across data centers on both the server and application level. Security logs are distributed into our main logging aggregation server and continuously reviewed for anomalies by our 24x7 NOC team.
- We Use of AWS config to assess, audit, and evaluate the configurations of our AWS resources.
Security in Development and Support Process
- We use an industry-standard security model in our platform development process.
- We design, review and tests our platform using applicable OWASP Top 10 standards.
- Our developers and project team members receive training at least once a year in application security while focusing on secure software development.
- Our production environment is segregated from our development and staging environments with restricted access controls.
- Periodic penetration testing are carried out by rotating 3rd party companies at least annually.
Privacy by Design
- We incorporate Privacy by Design principles for systems and enhancements at the earliest stage of development as well as educate all employees on security and privacy annually
Workstation and Laptop Protection
- We use up-to-date Anti-Malware / Anti Virus software on all appropriate laptops
- We implement protections on end-user devices and monitor those devices to be in compliance with the security standard requiring password protection, screen saver, and patch management.
- We follow a strict change management process.
- Changes are tracked, reviewed and approved to ensure operational changes are aligned with our business objectives and compliance requirements.
- Our customers’ data is stored separately from all other data, and only accessed as they are required for content sent by the specific component responsible for the content composition.
- Each customer's Personal Data is encrypted with a different key, thus preventing the risk of data corruption and desegregation between Dynamic Yield customers.
Infrastructure & Network Security
- Remote access via SSL VPN using 2 Factor Authentication.
- We review our network architecture schema and data flows, including firewall rules and access restrictions on a regular basis.
- Our WiFi internal corporate LAN is separated from guest Wi-Fi, encrypted by WPA2 – PSK and protected by complex password.
- We establish a vulnerability and patch management process for our systems which includes technical vulnerability assessments, patch testing, patch deployment and verification.
- Data in Transit - Any personal Data is encrypted during transmission using up to date versions of TLS (1.2 or higher).
- Data in Rest - Personal data is stored in encrypted RDS with strong encryption algorithm (RSA 4096 key).
- We implement protections to secure portable storage media from damage, destruction, theft or unauthorized copying.
- All Dynamic Yield data is stored on AWS which is trusted by thousands of businesses to store and serve their data and services. As Dynamic Yield data is all stored on the cloud (AWS) and nowhere on any proprietary physical servers, there is no risk of any disaster affecting Dynamic Yield’s ability to maintain business continuity or data completeness.
- We perform backups, which are tested regularly.
- Architecture which eliminates single points of failure, both with regards to AWS based production and relevant Dynamic Yield critical supporting resources, up to and including full disaster recovery.
- We have sophisticated internal procedures including release control and approvals, following security best practices.
- We established a business continuity plan that enables the company to respond quickly and remain resilient in the event of most failure modes, including natural disasters and system failures
- To ensure effective and orderly response to incidents pertaining personal data, we defined an incident response plan with detailed procedures.
- The incident response plan includes a list of possible mitigation actions and clear assignment of roles.
- In the event of a security breach, Dynamic Yield will notify customers without undue delay after becoming aware of the security breach.
- Emphasis is placed on documentation, to support the processes and procedures noted in this document and to enable audit should the need arise, in keeping with regulatory dictates and best practices.
- Dynamic Yield conducts regular internal and external audits of its security, led by the CISO.
- Dynamic Yield has appointed a Data Privacy Officer responsible for overseeing the implementation of the privacy program at Dynamic Yield.
- We are committed to confidentiality, data privacy and security of our customers and their end-users. We are investing and will continue to invest extensive resources towards maintaining the highest levels of data protection, privacy and security standards. We are compliant with applicable laws and regulations, and are committed to compliance with the EU GDPR, the CCPA and related guidelines.
- We cannot guarantee that your information may not be disclosed, accessed, altered or destroyed by breach of any of our industry standard safeguards. No method of transmission over the Internet or electronic storage is full-proof. We cannot guarantee absolute security.
- Our security measures are constantly evolving to keep up with the changing security landscape, so we may update these measures page from time to time to reflect these technical and organizational changes. If any security measure changes in a manner detrimental to our customers’ interests, we will notify our customers of such changes.
|Company Name||Country in (or from) which processing takes place||Scope of services provided by Subcprocessor||Appropriate safeguard if processing takes places in or from a third country|
|Dynamic Yield Ltd.*||Israel||Provision of services and Internal business processes and management, fraud detection and prevention, and compliance with governmental, legislative and regulatory bodies||Adequacy Decision|
|Dynamic Yield UK*||UK||N/A (after Brexit – Standard Contractual Clauses)|
|Dynamic Yield Inc.*||US||Standard Contractual Clauses|
|Dynamic Yield GmbH*||Germany||N/A|
|Dynamic Yield APAC PTE Ltd.*||Singapore||Standard Contractual Clauses|
|Amazon Web Services (AWS)||US,EU||Cloud computing services||Standard Contractual Clauses|
|ScyllaDB||US,EU||Cloud computing services||Standard Contractual Clauses|
|Redis Labs||US,EU||Cloud computing services||Standard Contractual Clauses|
|Sendgrid Inc.||US||cloud-based transactional and marketing email delivery||Standard Contractual Clauses|
|Akamai Technologies||EU, US||CDN Services||Standard Contractual Clauses|
|Twilio Inc.||US||Cloud-software platform||Standard Contractual Clauses|
* Does not apply if it is the contracting entity listed in the Order Form
Exhibit D -
STANDARD CONTRACTUAL CLAUSES (PROCESSOR)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
For purposes of this Exhibit D:
any reference to “data exporter” means Company, acting as data exporter, and any reference to “data importer” means Partner
each a "party"; together "the parties".
The parties have agreed on the following Standard Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purpose of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorized access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data controller is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third- party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data controller is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies t hereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
The parties agree that if data exporter is held liable for a violation of the clauses committed by the data importer, the data importer will, to the extent to which it is liable, indemnify the data exporter for any cost, charge, damages, expenses or loss it has incurred.