Data Processing Addendum
This Data Processing Addendum (“Addendum”) forms an integral part of the agreement between the Parties, and is entered into force by and between [___________] (“Merchant”) and Loud Labs Limited (“Company”). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Company and Merchant may be referred to herein each as a “Party” and collectively as the “Parties”.
Whereas, in connection with the performance of its obligations under the Agreement, Company will Process Personal Data on behalf of Merchant; and
Whereas, the Parties wish to set forth the mutual obligations with respect to the processing of Merchant’s Personal Data by Company.
Now, therefore, intending to be legally bound, the Parties hereby agree as follows:
1. Definitions
- “Data Protection Law” means the General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679) applicable as of 25 May 2018 and any Member State national law supplementing the GDPR; it also means the UK’s Data Protection Act 2018.
- "EEA" means the European Economic Area;
- "Personal Data" means any personal data Processed by Company, its worldwide affiliates or its sub-processors on behalf of Merchant pursuant to or in connection with the Agreement;
- "Sub-processor" means any person (including any third party, but excluding an employee of Company or any of its subcontractors) appointed by or on behalf of Company to Process Personal Data on behalf of Merchant in connection with the Agreement or in general; and
- The terms "Commission", "Controller", “Processor”, "Data Subject", "Member State", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
This Addendum applies only where Company Processes Personal Data as a Data Processor on behalf of Merchant and under Merchant’s instructions, where Merchant is a Data Controller. This Addendum does not apply to Company’s Processing of Personal Data of Merchant or Merchant’s representatives to market or promote its products, to administer the business or contractual relationship between Company and the Merchant or in other instances Company operates as a Data Controller.
2. Processing of Company Personal Data
- Merchant commissions, authorizes, and requests that Company shall provide Merchant the services detailed in the Agreement, which involves Processing of Personal Data.
- Company will Process the Personal Data only on Merchant's behalf and for as long as Merchant instructs Company to do so.
- The subject matter and purposes of the Processing activities are the provision of the services of the Agreement, including maintenance, support, enhancement and deployment of the same. The Personal Data Processed will include at the minimum: name, address, email address, order history.
- The Data Subjects about whom Personal Data is Processed are Merchant's customers.
- Merchant and Company are each responsible for complying with the Data Protection Law applicable to them in their roles as Data Controller and Data Processor, respectively.
- Without derogating from Merchant’s other obligations as a Data Controller under the GDPR, Merchant shall –
  - Substantiate the legal basis of and legitimize the Processing of Personal Data as part of the Agreement, as necessary under Data Protection Law. Merchant may only use Company’s services to process personal data pursuant to a recognized and applicable lawful basis under Data Protection Law, such as (by way of example only) consent or legitimate interest.
  - Have, properly publish and abide by an appropriate privacy policy that complies with all Data Protection Law relating to Personal Data of Merchant’s customers.
- As a Data Processor, Company will Process the Personal Data only on documented instructions from Merchant, unless Company is otherwise required to do so by law to which it is subject (and in such a case, Company shall inform Merchant of that legal requirement before processing, unless that law prohibits such information to be disclosed).
- In Processing Personal Data, Company will implement appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. Company will ensure that its staff authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Data Subjects Rights
- Company will follow Merchant’s instructions to accommodate and assist Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. Company will pass on to Merchant requests that it receives from Data Subjects regarding their Personal Data Processed by Company, when explicitly asked to do so by the Data Subject.
4. Sub Processors
- Merchant acknowledges and agrees that Company uses the Sub-processors listed in Annex A, to process Personal Data.
- Merchant authorizes Company to engage other Sub-processors for carrying out the services agreed upon in the Agreement. Merchant shall have the right to object, on reasoned grounds, to Company’s use of a Sub-processor. If the Merchant so objects, Company may terminate the Agreement with Merchant for convenience, without liability to Merchant for such premature termination.
- Company will procure that the Sub-processors Process the Personal Data in a manner consistent with Company’s obligations under this Addendum and Data Protection Law, with such obligations imposed on that Sub-processor by way of law or contract, in particular, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
5. Cross-Border Transfer
- Company and its Sub-processors will only Process the Personal Data in member states of the EEA, in territories or territorial sectors recognized by an adequacy decision of the Commission as providing an adequate level of protection for Personal Data, or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Standard Contractual Clauses). To this end, Merchant authorizes Company to enter on Merchant’s behalf into needed agreements with sub-processors.
- In the event that the foregoing mechanism for cross-border data transfers is invalidated by a regulatory authority under Applicable Law or any decision of a competent authority under Data Protection Law, Merchant hereby authorizes Company to engage with its sub-processors using a different legal mechanism.
6. Audits
- Company shall allow for and contribute to audits, including carrying out inspections on Company's business premises conducted by Merchant or another auditor mandated by Merchant during normal business hours and subject to a prior notice to Company of at least 60 days as well as appropriate confidentiality undertakings by Merchant covering such inspections in order to establish Company’s compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Company processes on behalf of Merchant. If such audits entail material costs or expenses to Company, the parties shall first come to agreement on Merchant reimbursing Company for such costs and expenses.
7. Personal Data Breach
- Company shall without undue delay notify Merchant of any ‘Personal Data Breach’ (as this term is defined and used in Data Protection Law) that it becomes aware of regarding Personal Data of Data Subjects that Company Processes. Company will use commercial efforts to mitigate the breach and prevent its recurrence.
- Company shall cooperate with Merchant and take such reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
- Company and Merchant will cooperate in good faith on issuing any statements or notices regarding such breaches, to authorities and Data Subjects.
8. Data Protection Impact Assessment
Company will assist Merchant with the eventual preparation of data protection impact assessments and prior consultation as appropriate, provided, however, that if such assistance entails material costs or expenses to Company, the Parties shall first come to agreement on Merchant reimbursing Company for such costs and expenses.
9. Return of Personal Data
- Subject to sections 10.2 and 10.3 below, Company will delete the Personal Data it has Processed on Merchant's behalf under this Addendum from its own and its sub-processor’s systems in due course following the date of cessation of the provision of the services specified in the Agreement. Upon Merchant's request, Company will furnish written confirmation that the Personal Data has been deleted pursuant to this section.
- Subject to section 10.3 below, Merchant may, by written notice to Company, require Company to (a) return to Merchant any Personal Data in its possession or control; or (b) delete the Personal Data it has Processed on Merchant's behalf.
- Notwithstanding the foregoing, Company may retain the Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws, provided that Company shall ensure the confidentiality of all such Personal Data and shall ensure that such Personal Data is only Processed as necessary for the purposes specified in the applicable laws requiring its storage and for no other purpose.
10. CCPA
- In the event that Merchant’s Personal Information processed by Company is subject to the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et seq. (“CCPA”), and Merchant is a Business under the CCPA, the following will apply (any capitalized terms in this Section that are not defined in this Addendum shall have the meaning ascribed to them in the CCPA):
  - The Parties acknowledge and agree that Company is a Service Provider.
  - Company is prohibited from retaining, using or disclosing Merchant’s Personal Information for: (a) any purpose other than the purpose of properly performing, or for any commercial purpose other than as reasonably necessary to provide, the technical support for Company’s product and/or services or as otherwise permitted under 11 CCR §999.314(c); (b) Selling the Merchant’s Personal Information; and (c) retaining, using or disclosing the Merchant’s Personal Information outside of the direct business relationship between the parties, except as permitted under 11 CCR §999.314(c).
  - If Company receives a request from a California Consumer of the Merchant about his or her Personal Information, Company shall not comply with the request itself, but shall inform the Consumer that Company is merely a Service Provider that follows Merchant’s instruction, inform the Consumer that they should submit the request directly to the Merchant, and provide the Consumer with the Merchant’s contact information. Section 4 of this Addendum shall apply mutatis mutandis to CCPA requests from a California Consumer of the Merchant.
11. Miscellaneous
- Company will provide Merchant prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on Merchant’s behalf, so that Merchant may contest or attempt to limit the scope of production or disclosure request.
- All notices required or contemplated under this Addendum to be sent by either Party will be sent by electronic mail to the email address that the other Party has on file as the main contact person.
- The duration of Processing that Company performs on the Personal Data is for the period set out in the Agreement. This Addendum shall prevail in the event of inconsistencies between it and the Agreement – except where explicitly agreed otherwise in writing.
- The Parties’ liability under this Addendum shall be pursuant to the liability clause in the Agreement.
Annex A
Sub-Processor
Amazon AWS (Storage Service)
Google Analytics (Tracking Service)
Intercom (Customer Support Service, Marketing Service)
Any questions, please contact us at legal@wrappedgiftcards.com.