DashThis

DATA PROCESSING AGREEMENT

This Data Processing Agreement (the “DPA”) is a binding agreement between Moment Zéro Inc., d.b.a. DashThis (“DashThis”) and its Clients (as defined in our Subscription Terms and Conditions) and governs the Processing of Personal Data on a natural person located in the territory of a Member State by the Client and its Authorized Users. This DPA is subject to the terms of DashThis’ Subscription Terms and Conditions and Privacy Policy.  Interpretation and defined terms in the Subscription Terms and Conditions apply to the interpretation of this DPA.

1. Definitions

Capitalized terms and expressions have the corresponding meanings ascribed to them hereinafter:

1.1. “Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;

1.2. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.3. “Data Transfer” means: (i) a transfer of Personal Data from the Client to a Contracted Processor; or (ii) an onward transfer of Client Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

1.4. “Contracted Processor” means a Subprocessor.

1.5. “Controller” means the Client, its Authorized Users, or any other natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data;

1.6. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (also known as the General Data Protection Regulation);

1.7. “International Organisation” means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

1.8. “Member State” means a State that is a member of the European Union;

1.9. “Personal Data” means any information relating to an identified or identifiable natural person (“Individual”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

1.10. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

1.11. “Processor” means DashThis, or any other natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;

1.12. “Pseudonymisation” means the Processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific Individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data are not attributed to an identified or identifiable natural person;

1.13. “Representative” means a natural or legal person established in the Union who, designated by the Controller or Processor in writing pursuant to Article 27 of the GDPR, represents the Controller or Processor with regard to their respective obligations under this Regulation;

1.14. “Subprocessor” means any person appointed by or on behalf of the Processor to process Personal Data on behalf of the Client.

1.15. “Supervisory Authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.

2. Mutual Acknowledgments and Agreements.

The parties acknowledge and agree as set out in this Section 2 in respect to each of the following:

2.1. DashThis as Processor. DashThis processes Personal Data on behalf of Client, which acts as a Controller by determining, alone or jointly with others, the purposes and means of the Processing of such Personal Data.

2.2. Contract Governing the Carrying-out of Processing. The carrying-out of Processing by Processor is governed by this DPA which sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Individuals and the obligations and rights of Client as Controller, and includes certain specific terms designed to ensure that Processing carried out by Processor meets all the requirements of the Data Protection Laws when applicable.

3. Obligations and Responsibilities of Controller

3.1. Compliance with Data Protection Laws and Regulations. Controller shall, in its use of the Solution, process Personal Data, and provide instructions for the Processing of Personal Data, in accordance with the requirements of all Personal Data protection laws and regulations.

3.2. Accuracy, Quality, Legality and Means. Controller has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Controller acquired Personal Data.

3.3. Independent Determination. Controller is solely responsible for making an independent determination as to whether the technical and organizational measures of the Services meet Controller’s requirements (including any security obligations under the GDPR or other applicable Data Protection Laws).

3.4. Security Practices and Policies. Controller acknowledges and agrees that, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Data as well as the risks to Individuals, the security practices and policies implemented and maintained by Processor provide a level of security appropriate to the risk with respect to Personal Data for which Client is the Controller.

3.5. Privacy Protections and Security Measures. Controller is responsible for implementing and maintaining privacy protections and security measures for components that Controller provides or controls if any.

3.6. Indemnification for Violation of Individual’s Rights. If an Individual brings a claim directly against Processor for a violation of his Individual’s rights, Controller will indemnify Processor for any damages caused to Processor by such a claim, to the extent that Processor has notified Controller about the claim and given Controller the opportunity to cooperate with Processor in the defense and settlement of the claim.

4. Obligations and Responsibilities of Processor

4.1. Documented Instructions. Processor will process the Personal Data only on written instructions from Controller, including with regard to transfers of Personal Data to a third country or an International Organisation, unless required to do so by a law to which Processor is subject; in such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

4.2. Confidentiality. Processor will ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3. Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

       4.3.1. the pseudonymisation and encryption of Personal Data;

       4.3.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;

       4.3.3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

       4.3.4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing; and

       4.3.5. steps to ensure that any person acting under the authority of Processor who has access to Personal Data does not process them except on instructions from Controller, unless he or she is required to do so by law.

4.4. Data Transfer. The Processor may not Transfer or authorize the Transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Client. If Personal Data processed under this DPA is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the Personal Data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of Personal Data.

4.5. Engaging Another Processor. This paragraph 4.4 constitutes a general prior written authorization from Controller allowing Processor to recruit any Subprocessor. Processor will respect the following conditions for engaging another Processor, namely that:

    4.5.1. Processor will inform Controller of any intended changes concerning the addition or replacement of other processors; and

    4.5.2. where Processor engages another Processor for carrying out specific Processing activities on behalf of Controller, the same data protection obligations as set out in this DPA between Controller and Processor will be imposed on that other processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the laws and regulations to such Processing.

4.6. Requests for Exercising Individual’s Rights. Taking into account the nature of the Processing, Processor will assist Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the rights granted to Individuals by Data Protection Laws. Processor will make available to Controller (in a manner consistent with the functionality of the Services and DashThis’ role as a Processor) Personal Data of Individuals and the ability to fulfill Individual requests to exercise their rights. If Processor receives a request from Controller’s Individual to exercise one or more of its rights in connection with the Services, Processor will redirect the Individual to make its request directly to Controller. Controller will be responsible for responding to any such request including.

4.7. Personal Data Breach. Processor will notify Controller without undue delay after becoming aware of a Breach. Such notification will at least:

    4.7.1. describe the nature of the Breach including where possible, the categories and approximate number of Individuals concerned and the categories and approximate number of Personal Data records concerned;

    4.7.2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

    4.7.3. describe the likely consequences of the Breach; and

    4.7.4. describe the measures taken or proposed to be taken by the Processor to address the Breach, including, where appropriate, measures to mitigate its possible adverse effects.

    4.7.5. Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

4.8. Deletion of Personal Data. Processor will delete all the Personal Data after the end of the provision of the Services, and delete existing copies unless applicable laws or regulations require storage of the Personal Data;

    4.8.1. Information to Demonstrate Compliance. Processor will make available to Controller all information necessary to demonstrate compliance with the obligations stemming from the GDPR and applicable to Processor as a Processor under this Section 4 and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.

4.9. Personal Data Protection Policy. The Personal Data Protection Policy applies only to the Services and does not apply to any third-party website or service linked to the Services or recommended or referred to through the Services.

4.10. Aggregate and Anonymized Data. Notwithstanding the provisions of this DPA, Processor may use, reproduce, sell, publicize, or otherwise exploit Aggregate & Anonymized Data in any way, in its sole discretion.

5. Miscellaneous

5.1. Governing law. Notwithstanding Section 13.9 (Governing Law) of the Subscription Terms and Conditions, this DPA is governed by and made under the laws and regulations of the European Union (the “EU”).

5.2. Conflict of Terms. If there is any inconsistency between the provisions of this DPA and those of the Subscription Terms and Conditions, this DPA shall prevail.

5.3. Duration. The duration of the Processing by Processor on behalf of Controller shall be for the duration of the Client’s right to use the Services and until all Personal Data for which Client is the Controller is deleted or returned in accordance with Controller’s instructions or the conditions of the Subscription Terms and Conditions.

Made in Canada

DashThis is a brand owned by Moment Zero inc

Copyright © 2011-2025