Data Processing Addendum
Definitions
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Authorized Affiliate” means any of Company’s and Vendor’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Company and Vendor, but has not signed its own Order with Vendor or Company and is not a “Client” as defined under the Agreement, if and to the extent Vendor processes Personal Data for which such Affiliate(s) qualify as the Controller.
“Consent” of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
“Data Protection Laws and Regulations” means all laws and regulations, including local, state, national and/or foreign laws, treaties, and/or regulations, EU Data Protection Laws, and implementations of EU Data Protection Laws into national law.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, and in this DPA, includes Vendor and its Authorized Affiliates who handle the Processing of Personal Data.
“Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries pursuant to Commission Decision (2010/87/EU), available on the European Commission’s website at: https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection_en.
“Sub-Processor” means any additional Processor engaged by the Processor who agrees to receive from the Processor or from any other Sub-Processor of the Processor Personal Data exclusively intended for Processing activities to be carried out on behalf of the Controller after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
“Third Party” means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, processor and persons who, under the direct authority of the Controller or processor, are authorized to process Personal Data.
Rights of Data Subjects
Data Subject Request. Company is responsible for responding to Data Subject requests for access, correction, deletion or restriction of that person’s Personal Data (“Data Subject Request”). If Vendor receives a Data Subject Request, Vendor shall promptly redirect the Data Subject to Company. Vendor shall not take it upon itself to respond to a request of this nature without prior written consent of Company except to inform the Data Subject of the pending support from Company.
- To the extent a Data Subject’s Personal Data is not accessible to Company through the Services or to the extent that Company is unable to meet a Data Subject’s request, Vendor will, to the extent legally permissible and as necessary to enable Company to meet its obligations under applicable Data Protection Laws, provide reasonable assistance to make such Personal Data available to Company.
Data Portability Request. During the term of the Agreement, Vendor will assist Company in providing Personal Data to Data Subjects who make data portability requests with respect to their own respective Data in a portable format.
Processing of Personal Data
Roles. For the purpose of this DPA and the associated Agreement, Vendor is the Processor responsible for the Processing of Personal Data, Company is the Controller, and Vendor may engage Sub-Processors pursuant to the obligations that Vendor has established in Part 4 of this document.
Standard Contractual Clauses. The Standard Contractual Clauses shall be deemed incorporated into this DPA by reference, including, but not limited to, clauses pertaining to data importer or Sub-Processor obligations and governing law and jurisdiction.
Company’s Data Processing. Company shall, in its use of the Services, process Personal Data in accordance with the obligations set forth by Data Protection Laws and Regulations.
- Company shall maintain the sole responsibility for the legality of acquisition as well as accuracy of the Personal Data that it acquires. When Processing Personal Data, Company shall do so in compliance with Data Protection Laws and Regulations.
Vendor’s Data Processing. Vendor will only process the Personal Data as stipulated in this Agreement; in accordance with actions initiated by users of the Service; and to comply with requests for support where such direction is consistent with the terms of the Agreement.
- Vendor shall process Personal Data in order to deliver the Services pursuant to the Agreement with Company. The nature and purpose of the Processing, the types of Personal Data, and categories of Data Subjects Processed under this DPA are further specified in Appendix I of the Standard Contractual Clauses.
Vendor Personnel
Confidentiality. Vendor will make reasonable efforts to screen staff who have access to Personal Data and will ensure that such personnel are properly trained in handling Personal Data and are subject to confidentiality obligations beyond the scope of employment at Vendor.
Access Limitations. Vendor shall ensure that its employees Process the Personal Data in accordance with the stipulations made in the Agreement and as set forth in this DPA.
Reliability. Vendor will make all reasonable efforts to ensure the reliability of any individual authorized to Process Personal Data.
Sub-Processors
Appointment of Sub-Processors. Company acknowledges and agrees that Vendor may sub-contract Data Processing to its affiliates to enable the provision of the Services. When Vendor subcontracts its obligations it shall do so only by way of a written agreement with the Sub-Processor which imposes the same obligations on the Sub-Processor as are imposed on Vendor in this DPA and consistent with the Agreement between Vendor and Company.
Third-Party Beneficiary Clauses. The Agreement between Vendor and the Sub-Processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 of the Standard Contractual Clauses for cases where the Data Subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against Company or Vendor because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of Company or Vendor by contract or by operation of law. Such third-party liability of the Sub-Processor shall be limited to its own Processing operations under the Clauses.
Governance. The provisions relating to data protection aspects for Sub-Processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which Company is established.
List of Sub-Processors. Vendor shall present Company with an up-to-date list of its Sub-Processors in this DPA. Vendor shall notify Company of any changes with regards to Sub-Processors as they are laid out in this DPA.
Additional Sub-Processors. Within 30 days of Vendor’s notification of the intended change, Company can object to Vendor’s addition of a Sub-Processor on the basis that such addition would cause Company to violate applicable legal requirements. Company’s objection shall be in writing, and include Company’s specific reasons for objection and options to mitigate. If Company does not object within such period, the Sub-Processor may proceed with Processing of Personal Data.
Objection to the Addition of Sub-Processors. If Company legitimately objects to the addition of a Sub-Processor and Vendor cannot reasonably accommodate Company’s objection, Vendor will notify Company. Company may terminate the services by providing Vendor with a written notice within one month of Vendor’s notice.
Liability. Where the Sub-Processor fails to fulfill its data protection obligations under such written agreement, Vendor shall remain fully liable to Company for the performance of the Sub-Processor’s obligations under such agreement.
Data Security Breach:
In the event of a data breach, Vendor will inform Company without undue delay.
Data Deletion
Vendor will treat data at the conclusion of the Services according to the obligations set out in Clause 12 of the Standard Contractual Clauses.
Authorized Affiliates
Contractual Relationship. In executing this DPA, the Parties do so both on behalf of themselves and as applicable on behalf of their Authorized Affiliates. Vendor shall establish separate DPAs with its Authorized Affiliates. For the avoidance of doubt, an Authorized Affiliate is not and does not become party to the Agreement; Authorized Affiliates are bound by applicable provisions of the Agreement though only bound by the DPA. All Access to and uses of the Services and Content by Authorized Affiliates must comply with the terms and conditions of this Agreement. Violation by an Authorized Affiliate is deemed violation by the relevant Party.
Communication. Company that is the contracting Party to this Agreement shall be responsible for all communication made and received with Vendor on behalf of its Authorized Affiliates.
Rights of Authorized Affiliates. Authorized Affiliates who have become party to this Agreement may seek remedies and exercise rights under this DPA to the extent required under applicable Data Protection Laws and Regulations subject to the following:
- Except where the Data Protection Laws and Regulations require Authorized Affiliates to exercise a right or seek a remedy directly with Vendor, the parties agree that a) Company alone as contracting party to this Agreement shall exercise any such rights and seek any such remedies on behalf of its Authorized Affiliates, and b) Company as contracting party to this Agreement shall exercise any rights and seek any remedies under this DPA in a combined manner for all Authorized Affiliates together and not separately for each Authorized Affiliate.
- Company shall, when undertaking an onsite audit of the procedures relating to Processing of Personal Data, take all reasonable measures to mitigate the impact of the audit on Vendor and its Sub-Processors by combining to the extent possible several audit requests posed by different Authorized Affiliates into one.
Limitation of Liability
Company and Vendor agree that any Data Subject who has suffered damage as a result of a breach of the Agreement or this DPA is entitled to receive compensation for the damage suffered from whichever Party has breached the Agreement or this DPA and, therefore, caused such damage to any Data Subject. In the event both Parties have breached the Agreement or this DPA in a manner that caused a Data Subject to suffer damage, then the Data Subject is entitled to receive compensation from each Party to the extent that Party has caused such damage.
If a Data Subject is not able to bring a claim for compensation in accordance with paragraph 1 against Company, arising out of a breach by Vendor or his Sub-Processor of any of their obligations referred to in Clause 3 or in Clause 11, because Company has factually disappeared or ceased to exist in law or has become insolvent, Vendor agrees that the Data Subject may issue a claim against Vendor as if it were Company, unless any successor entity has assumed the entire legal obligations of Company by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. Vendor may not rely on a breach by a Sub-Processor of its obligations in order to avoid its own liabilities.
If a Data Subject is not able to bring a claim against Company or Vendor referred to in paragraphs 1 and 2, arising out of a breach by the Sub-Processor of any of their obligations referred to in Clause 3 or in Clause 11 because both Company and Vendor have factually disappeared or ceased to exist in law or have become insolvent, the Sub-Processor agrees that the Data Subject may issue a claim against the data Sub-Processor with regard to its own Processing operations under the Clauses as if it were Company or Vendor, unless any successor entity has assumed the entire legal obligations of Company or Vendor by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Sub-Processor shall be limited to its own Processing operations under the Clauses.
EU-Specific Clauses
Vendor shall process Personal Data in accordance with the GDPR requirements directly applicable to the provision of its services.
Vendor shall make all reasonable efforts to support Company in its fulfilment of its obligations under the GDPR, including in the event of a request for a data protection impact assessment and otherwise to cooperate with the implicated Supervisory Authority.
EXHIBIT A
Vendor’s List of Current Sub-Processors
| Sub-Processor’s Name | Location | Service Provided | Additional Compliance Information (e.g., sub-processor’s GDPR website or direct contact info) |
| --- | --- | --- | --- |
| | | | |
| | | | |
| | | | |
EXHIBIT B
Details of the Processing
Nature and Purpose of the Processing:
Vendor will Process Personal Data as necessary to perform the Services pursuant to the Agreement, and as further instructed by the Company in its use of the Services. The Personal Data transferred will be processed in accordance with the Agreement and any applicable Order and may be subject to the following processing activities:
- Storage and other processing necessary to provide, maintain, and improve the Services provided to the Company;
- To provide customer and technical support to the Company; and
- Disclosures in accordance with the Agreement, as compelled by law.
Types of Personal Data
Company, its attendees and other Data Subjects as outlined in point 3 (Categories of Data Subjects Processed) may submit Personal Data to the Services, the extent to which is determined by their sole discretion, which may include, but is not limited to, the following types of Personal Data:
- Personal Details: including first and last name, email, phone number, address, language preference, date of birth, gender
- Customer Records: including details of goods and services purchased for which Data Subject is considered a prospect; records of interaction with Data Subject (including customer service records, correspondence, and details of complaints and resolution); customer billing and financial information (including finance and subscription plans, and payment information), account information, communication preferences, content submitted to Company’s and Vendor’s online properties by Data Subject (e.g., comments posted to website forums hosted by Vendor); competition entries; event attendance details; website registration information; personal data collected through the use of cookies set by or on behalf of Company or Vendor
- Employment Details: including title, position, and employer
- Family, Lifestyle, and Social Circumstances
- Electronic Data: including IP address, browser information, device information, operating system, and personal and professional life data collected through the use of cookies
- Special Categories of Data at the discretion of the Data Subject (if appropriate)
Categories of Data Subjects Processed
Company may submit Personal Data to the Services, with due consent from the Data Subjects, and the extent of which is determined and controlled by Company in its sole discretion, which may include, but is not limited to, Personal Data within the following categories of data subjects:
- Registered event attendees
- Employees, contacts, speakers, sponsors or guests of Company
- Company’s users authorized to use the Services