This Data Processing Addendum (“DPA”) only applies to the extent that: (i) The EU Data Protection Law applies to the Processing of Personal Data (as such terms are defined below) under the Agreement including in the event that: (a) the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”); or (b) the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party; or (ii) the Personal Data relates to California Consumers, as defined below. Furthermore, this DPA shall only apply to the Processing of Personal Data and shall not apply to information a party may collect or provide to the other party which does not constitute or contain Personal Data, such as anonymized, aggregated or statistic data. Capitalized terms used but not defined herein shall have the meaning ascribed to them in the Agreement.
- “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. Seq.
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.
- “Controller“, “Processor“, “Data Subject“, “Personal Data“, “Processing” (and “Process“), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such terms defined in the CCPA. “Personal Data” shall also mean and refer to “Personal Information”, as such terms defined in the CCPA.
- “EU Data Protection Law” means the (i) EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); and (iv) any legislation replacing or updating any of the foregoing.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other party’s Personal Data will comprise a Security Incident.
- “Users Data” means any and all end users’ Personal Data Processed through the Services by Apester on behalf of Customer.
- RELATIONSHIP OF THE PARTIES
- REPRESENTATIONS AND WARRANTIES
The Customer represents and warrants that: (a) its Processing instructions shall comply with applicable Data Protection Law, and the Customer acknowledges that, taking into account the nature of the Processing, Apester is not in a position to determine whether the Customer’s instructions infringe applicable Data Protection Law; and (b) it will comply with EU Data Protection Law, specifically with regards to the lawful basis principal for Processing Personal Data, as well as the CCPA provisions. Apester represents and warrants that it shall process Personal Data, as set forth under Article 28(3) of the GDPR, on behalf of the Customer, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA, all in accordance with Customer’s written instructions including the Agreement and this DPA. Notwithstanding the above, in the event Apester is required under applicable laws to Process Users Data other than as instructed by Customer, Apester shall make its best efforts to inform the Customer of such requirement prior to Processing such Company Data, unless prohibited under applicable law.
- PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAW
- The Customer represents and warrants that Special Categories of data shall not be Processed or shared in connection with the performance of Apester obligations under the Agreement, unless agreed in writing by Apester and shared in accordance with applicable Data Protection Law.
- Unless otherwise agreed to in writing by the Parties, the Customer shall not share any Personal Data with Apester that contains Personal Data relating to children under 16 years old.
- As between the Parties, the Customer undertakes, accepts and agrees that Apester and the Data Subject do not have a direct relationship. The Customer shall ensure that it obtains a proper affirmative act of consent from Data Subjects in the event required in accordance with applicable Data Protection Law and other relevant notices and privacy requirements in order to Process Personal Data as set out herein and for the transfer of Personal Data, where applicable.
- RIGHTS OF DATA SUBJECT AND PARTIES COOPERATION OBLIGATIONS
It is agreed that where Apester receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed by Apester, where relevant, Apester will direct the Data Subject or the applicable authority to the Customer in order to enable the Customer to respond directly to the Data Subject’s or the applicable authority’s request, unless otherwise required under applicable laws. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law.
- NO SALE OF PERSONAL INFORMATION
It is hereby agreed that any share of Personal Data between the parties is made solely for fulfilling a Business Purpose and Apester does not receive or process any Personal Data in consideration for the services. Thus, such Processing of Personal Data shall not be considered as a Sell.
The Customer acknowledges that Apester may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). The Customer hereby, authorizes Apester to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Apester may, continue to use those Sub-Processors already engaged by Apester and Apester may, engage an additional or replace an existing Sub-Processor to process Personal Data provided that it notifies the Customer of its intention to do so. Apester shall, where it engages any Sub-Processor, impose, through a legally binding contract between Apester and the Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor .Apester shall ensure that such contract will required the Sub-Processor to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of Data Protection Laws.
- TECHNICAL AND ORGANIZATIONAL MEASURES
Apester hereby confirms that it has implemented and will maintain appropriate physical, technical and organizational measures to protect the Users Data as required under Data Protection Laws to ensure lawful processing of Users Data and safeguard Users Data from unauthorized, unlawful or accidental processing, access, disclosure, loss, alteration or destruction.
- SECURITY INCIDENT
Apester will notify the Customer upon becoming aware of any confirmed Security Incident involving the Users Data in Apester’s possession or control. Apester’s notification regarding or response to a Security Incident under this Section 9 shall not be construed as an acknowledgment by Apester of any fault or liability with respect to the Security Incident. Apester will, in connection with any Security Incident affecting the Users Data: (i) take such steps as are necessary to contain, remediate, minimize any effects of and investigate any Security Incident and to identify its cause; (ii) co-operate with the Customer and provide the Customer with such assistance and information as it may reasonably require in connection with the containment, investigation, remediation or mitigation of the Security Incident; and (iii) notify the Customer in writing of any request, inspection, audit or investigation by a supervisory authority or other authority.
- AUDIT RIGHTS
Apester shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Users Data (“Audit”) in accordance with the terms and conditions hereunder. The auditor shall be subject to the terms of this DPA and standard confidentiality obligations (including towards third parties). Apester may object to an auditor appointed by the Customer in the event Apester reasonably believes the auditor is not suitably qualified or independent, is a competitor of Apester or otherwise unsuitable (“Objection Notice”). The Customer will appoint a different auditor or conduct the Audit itself upon its receipt of an Objection Notice from Apester. Customer shall bear all expenses related to the Audit and shall (and ensure that each of its auditors shall) over the course of such Audit, avoid causing any damage, injury or disruption to Apester’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to Apester immediately.
- DATA TRANSFER
Where EU Data Protection Law applies, neither party shall transfer Personal Data to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data.
In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. Except as set forth herein all of the terms and conditions of the Agreement shall remain in full force and effect.
- TERM & TERMINATION
This DPA shall be effective as of the Effective Date and shall remain in force until the Agreement