DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Publisher (“Company”) and ENHANCE (“Vendor”) effective on the date agreed to by Publisher via online click-through agreement by both parties or on the date the Insertion Order in which the Terms of Service is incorporated is signed by both parties (the “Agreement”), pursuant to which Publisher transfers Personal Data (as defined below) to and shares Personal Data with Vendor, as further described in the Agreement and in this DPA. Each party agrees to comply with the following provisions with respect to Personal Data provided or made available by Publisher to Vendor.
References to the Agreement will be construed as including this DPA, and, except as modified below, the terms of the Agreement shall remain in full force and effect. Any capitalized terms not defined herein shall have the meanings given to them in the Agreement. In the event of a conflict between the Agreement and this DPA, this DPA shall prevail. Reference to the Agreement includes any Additional Terms incorporated into the Agreement.
- Scope. This DPA governs Vendor’s activities in the course of providing the Services (as defined in the Agreement) by which Vendor Processes (as defined below) European Economic Area (“EEA”) Data (as defined below) on behalf of Company. This DPA applies only to the extent that Applicable Data Protection Law applies to the Processing of Personal Data under this DPA, including if (a) the Processing is in the context of the activities of an establishment of either party in the EEA and/or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behaviour in the EEA by or on behalf of a party. The parties shall ensure they will Process Personal Data solely for the purposes contemplated in the DPA or as otherwise agreed to in writing by both parties (including in the Agreement and any Additional Terms). For the avoidance of doubt, this DPA and the obligations hereunder do not apply to aggregated reporting or depersonalized statistics a party may provide to the other party in connection with the provision of the Services.
- Data Protection
- Definitions: In this Clause, the following terms shall have the following meanings:
- “Controller”, “Processor”, “Data Subject”, “Personal Data” and “Processing” (and “Process”) shall have the meanings given in Applicable Data Protection Law; and
- “Standard Clauses” in relation to the Processing of Personal Data pursuant to this DPA means the standard clauses for the transfer of Personal Data to Processors established in third countries approved by the European Commission from time to time, the approved version of which in force at present is that set out in the European Commission's Decision 2010/87/EU of 5 February 2010, available at: http://eurlex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087. Exhibit 1 to this DPA shall apply as Appendix 1 of the Controller to Processor Standard Clauses.
- “EEA Data” means any Personal Data relating to any Company employees physically located in the EEA, any users of Company’s products or services who are physically located in the EEA, and/or any Company commercial partners, vendor, sales leads, or their respective employees, agents or other representatives physically located in the EEA.
- “Applicable Data Protection Law” shall mean the GDPR and to the extent applicable to the Services, (i) any other European Union (“EU”) or EU Member State data protection laws, or (ii) any other applicable law with respect to the Processing of EEA Data under this DPA.
- “GDPR” shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Relationship of the parties: Company (the Controller) appoints Vendor as a Processor to Process the Personal Data that is the subject of this DPA (the "Data"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
- Controller Obligations: Company, as the Controller of Personal Data, shall fulfill all duties required of Controllers under Applicable Data Protection Laws, including, without limitation (as applicable), with regard to determining the legal basis or bases for their collection or Processing of Personal Data, providing sufficient notice to Data Subjects, appointing a data protection officer, managing and reporting Security Incidents, ensuring that rights of Data Subjects are honored, transferring Personal Data, implementing required and appropriate contractual language in agreements with its other Processors and Controllers, maintaining records of Processing, and conducting data protection impact assessments. Company shall have the sole obligation (as between the parties) to receive and manage Data Subject requests regarding its Personal Data, including without limitation any request to access, correct, amend, restrict Processing of, port, object to the Processing of, block, or delete Personal Data.
- Processing of Personal Data: Company shall, in its use of the Services, Process Personal Data in accordance with the requirements of any Applicable Data Protection Laws. Vendor shall Process the Data as a Processor as necessary to perform its obligations under the Agreement and as otherwise permitted in the Agreements, this DPA, and any Additional Terms (the "Permitted Purpose"), except where otherwise restricted by any EU (or any EU Member State) law applicable to Company. Company’s instructions for Processing of Personal Data shall comply with Applicable Data Protection Laws, and Company shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Company acquires or, as applicable, instructs Vendor to acquire Personal Data.
- International transfers: Where Applicable Data Protection Law applies, Vendor shall not transfer the Data (nor permit the Data to be transferred) outside of the EEA unless (i) it has first obtained Company’s prior written consent, including as permitted under the Agreement, this DPA, or any Additional Terms (collectively, the “Contracts”); and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data or to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law. Unless Vendor transfers Data pursuant to an alternate transfer mechanism permitted by Applicable Data Protection Law, Vendor shall execute and abide by the attached Standard Clauses which shall apply to Processing of Personal Data in countries outside the EEA that do not provide an adequate level of data protection. To the extent that the parties transfer Personal Data in reliance on the Standard Clauses, the Standard Clauses shall be incorporated herein upon execution of this DPA by the parties. Where and to the extent that the Standard Clauses apply pursuant to this Section 2.4, if there is any conflict between the terms of this DPA and the Standard Clauses, the terms of the Standard Clauses shall prevail.
- Term: The term of this DPA will take effect on the Effective Date and will remain in effect until terminated by either party (the “Term”). The parties agree that the Data will be Processed by the Vendor for the duration of the Services under the Agreement. This DPA shall survive termination or expiry of the Agreement. Company may elect to suspend or terminate this DPA/the Agreement without penalty. Upon termination or expiry of the Agreement, Vendor may continue to Process Personal Data provided that such Processing complies with the requirements of this DPA and any Applicable Data Protection Law and provided that such Processing ceases within thirty (30) days, or earlier upon written request by the Company. Notwithstanding the foregoing, if at any time, Vendor refuses to comply with its obligations under this DPA, Company may elect to suspend or terminate this DPA and/or the Agreement without penalty.
- Confidentiality of Processing: Vendor shall ensure that any person that it authorises to Process the Data (including Vendor’s employees, agents and subcontractors) (an "Authorized Person(s)") is informed of the confidential nature of the Data, has received appropriate training on their responsibilities and is bound by a duty of confidentiality. Vendor shall ensure that all Authorized Persons Process the Data within the scope of the Permitted Purpose.
- Security: The Processor shall implement commercially reasonable technical and organizational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").
- Sub-processing: Vendor shall not sub-contract any Processing of the Data to a third party sub-processor without the prior written consent of Company. Vendor may continue to use any sub-processor already engaged by Vendor prior to the commencement of this DPA as long as such sub-processors have provided sufficient guarantees to implement commercially reasonable technical and organizational requirements and are bound, by contract between Vendor and sub-processor, to the same data protection obligations outlined in this DPA. Vendor shall provide Company prior written notice of any intended addition or replacement of sub-processors by email to firstname.lastname@example.org. If Company refuses to consent to Vendor’s appointment of a third party sub-processor on reasonable grounds relating to the protection of the Data within ten (10) days of notice, then Vendor will make commercially reasonable efforts to make available to Company a change in Services or configuration of Services to avoid the Processing of Data by the objected-to new sub-processor without unreasonably burdening Company. If Vendor is unable to make such change within a reasonable time, which shall not exceed thirty (30) days, Company may discontinue using the affected Services and terminate any Contracts directly affected by the appointment of such new sub-processors.
- Cooperation and Data Subjects' rights: Vendor shall provide all reasonable and timely assistance including appropriate technical and organisational measures to enable Company to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Vendor, Vendor shall promptly inform Company providing full details of the same.
- Data Protection Impact Assessment: If Vendor believes or becomes aware that its Processing of the Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform Company and provide Company with all such reasonable and timely assistance as Company may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
- Security incidents: Upon becoming aware of a Security Incident, Vendor shall inform Company without undue delay and shall provide all such information and cooperation as Company may reasonably require in order for Company to fulfill its data breach reporting obligations under Applicable Data Protection Law. Vendor shall further take all such measures and actions as are possible and necessary to remedy or mitigate the effects of the Security Incident and shall keep Company informed of all developments in connection with the Security Incident. Vendor agrees that it will not communicate with any third party, including but not limited to media, vendors, consumers and affected individuals regarding any Security Incident to the Processor’s Services without the express written consent and direction of Company.
- Deletion or return of Data: Upon termination or expiry of this DPA and/or the Agreement, Vendor shall (at Company's election) destroy or return to Company all Data in its possession or control. This requirement shall not apply to the extent that Vendor is required by any applicable laws or regulations to retain some or all of the Data, in which event Vendor shall isolate and protect the Data from any further Processing except to the extent required by such law.
- Audit: Vendor shall permit Company (or its appointed third-party auditors) to audit Vendor's compliance with this DPA at Company’s sole cost, and shall make available to Company all information, systems and staff necessary for Company (or its third-party auditors) to conduct such audit. Vendor acknowledges that Company (or its third-party auditors) may enter its premises for the purposes of conducting this audit, provided that Company gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Vendor's operations. Company will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Company believes a further audit is necessary due to a Security Incident suffered by Vendor.
- Modifications: We may change the terms of this DPA from time to time on a going-forward basis. We will notify you of any such material changes by posting notice of the changes on the ENHANCE website, Platform and/or, in our sole discretion, by email. Any such modifications become effective upon the earlier to occur of: (i) your acknowledgement of such modifications; or (ii) your continued access to and/or use of the Platform and/or Services after we post notice of such modifications. It is your sole responsibility to check the ENHANCE website from time to time to view any such changes to the terms in the Contracts and you agree that posting changes there is sufficient notice to you. If you do not agree to any changes, if and when such changes may be made to the DPA, you must cease access to or use of the Platform and/or Services.
- Entire Agreement: This DPA and any underlying Agreement (and its respective addendums) shall constitute the entire agreement between the parties with respect to the subject matter hereof, and this DPA supersedes all prior agreements or representations, oral or written, regarding such subject matter including any provisions in the Agreement which address the Processing of Personal Data. This DPA and all disputes arising out of or relating to this DPA shall be interpreted, construed and enforced in accordance with the laws of California. Each Party irrevocably consents to the exclusive jurisdiction of the courts situated in Orange County, California over all such disputes and claims under this DPA and all actions to enforce such claims or to recover damages or other relief in connection with such claims under this DPA except to the extent that Applicable Data Protection Law requires otherwise. The parties may execute this DPA in counterparts, including facsimile, PDF, electronic signature (Echosign, DocuSign, etc.) and other electronic copies, which taken together will constitute one instrument.
Effective Date: [March 14, 2019].
Data Processing Description
This Annex A forms part of the Agreement and describes the Processing that the Processor will perform on behalf of the Controller.
The Controller is (please specify briefly the Controller's activities relevant to the Processing):
Company, as defined in this DPA.
The Processor is (please specify briefly the Processor's activities relevant to the Processing):
Vendor, as defined in this DPA.
The Personal Data to be Processed concern the following categories of Data Subjects (please specify):
Data Subjects about whom Vendor collects Personal Data in its provision of the Processor Services; and Data Subjects about whom Personal Data is transferred to Vendor in connection with the Processor Services by, at the direction of, or on behalf of Company.
Categories of data
The Personal Data to be Processed concern the following categories of data (please specify):
The Data provided by Company to Vendor in connection with its use of the Services. The Data may include, but shall not be limited to, the following types of Personal Data depending on the Processor Services: IP addresses and similar unique online identifiers such as cookie IDs and device IDs.
Special categories of data (if appropriate)
The Personal Data to be Processed concern the following special categories of data (please specify):
The Personal Data will be subject to the following basic Processing activities (please specify):
The objective of Processing of Personal Data by Vendor is the performance of its Services under the Agreement.