Be part of the new
Digital Era
Lets explore how you can bring more secure and convenient digital interactions to your users and partners.
DATA PROCESSING ADDENDUM FOR LICENSEES SUBJECT TO ALL APPLICABLE PRIVACY AND DATA PROTECTION LAWS, INCLUDING THE EUROPEAN UNION’S GENERAL DATA PROTECTION REGULATION (GDPR) AND OTHER LAWS
This Data Processing Addendum (“Addendum”) forms part of the Blerify Commercial Agreement and is entered by and between the (“Licensee”), and Blerify Inc. (“Licensor”) on the Effective Date of that Agreement. For the avoidance of doubt, this Addendum is not valid or legally binding if there is no agreement in place between the Licensee and the Licensor.
1. DEFINITIONS
1.1. “Agreement(s)” means the agreement entered into between Licensee and Licensor for the provision of Licensor’s Services to the Licensee.
1.2. “Licensee” means the customer as defined in the Agreement(s).
1.3. “EEA” means the European Economic Area.
1.4. “GDPR” means the laws and regulations of the European Union, the European Economic Area, their member states and the United Kingdom, applicable to the processing of Personal Data under the Agreement(s), including (where applicable) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 also known as the General Data Protection Regulation.
1.5. “Privacy Shield” means the EU-US framework of privacy principles agreed on February 2, 2016 and formally adopted by the European Commission implementing decision C(2016) 4176 final of July 12, 2016, or any other framework for transferring Personal Data from the EEA or Switzerland to the United States that is approved by the European Commission as providing an adequate level of protection pursuant to the GDPR.
1.6. “Services” means the licensed technology and other products, services and activities to be supplied to or carried out by or on behalf of Licensor for the Licensee pursuant to the Agreement(s).
1.7. “Licensor” means the legal entity which is a party to the Agreement(s) and Processes Personal Data on behalf of the Licensee.
1.8. “Non-Personal Data” means data which will be logged for internal system-related and statistical purposes, which cannot be tracked back to a Data Subject, such as the name of the file accessed, date and time of access, data volume transferred, notification of successful access and transfer, Web browser and requesting domain, and any other data collected in anonymized form.
1.9. “Personal Data” as used in this Addendum includes all data relating to Data Subjects located in the EEA, Switzerland, and Latin America and the Carribean (“LATAM”) that is processed by Licensor on behalf of the Licensee within the scope of the Agreement(s).
1.10. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.11. “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data from a Data Controller in the EEA to Processors established in third countries under the EU Data Protection Directive 95/46/EC (the “Directive”), or any legislation replacing the Directive, in the form set out in the Annex of European Commission Decision 2010/87/EU (or any alternative or successor Decision that approves new standard contractual clauses for transfers to data processors in third countries), as amended by incorporating the description of the Personal Data to be transferred set out in Appendix 1 to this Addendum and the technical and organizational measures to be implemented as set out in Appendix 2 to this Addendum, both of which Appendices are hereby incorporated by reference in this Addendum. The Standard Contractual Clauses are available on the European Commission’s Web site at the following link.
2.1. This Addendum amends and supplements the Agreement(s) between the parties. The terms of this Addendum will apply to all processing of Personal Data in relation to the Services provided under the terms of the Agreement(s). This Addendum will not apply to the Processing of Non-Personal Data, it being expressly understood that Licensor may use Non-Personal Data in any manner permitted by law, including but not limited to statistical analyses.
2.2. Capitalized terms used but not defined in this Addendum have the meanings assigned to them in the Agreement(s) or the GDPR.
2.3. In the context of this Addendum, the Licensee acts as a Data Controller and the Licensor acts as a Data Processor with regard to the Processing of Personal Data.
2.4. Licensor shall carry out the Services and Process the Personal Data received from the Licensee as set out in the Agreement(s) or as otherwise notified in writing by the Licensee to Licensor during the term of the Agreement(s). In the event that in Licensor’s opinion of a Processing instruction given by the Licensee may infringe GDPR, Licensor shall immediately inform the Licensee upon becoming aware of such a Processing instruction.
2.5. Licensor shall undertake at all times to comply with the GDPR and other applicable laws and not to perform its obligations under the Agreement(s) in such way as to cause the Licensee to breach any of its applicable obligations under the GDPR and any existing regulations issued by the relevant data protection authorities.
3.1. All Personal Data provided to Licensor by the Licensee or obtained by Licensor in the course of its work with the Licensee should be protected and may not be copied, disclosed or processed in any way without the written authority of the Licensee. To the extent that the provisions of the Agreement(s) or the instructions of the Licensee necessitate the copying, disclosure or processing of data, this will be deemed to constitute the required authority to do so.
3.2. Licensor agrees to comply from time to time with any reasonable measures required by the Licensee to ensure its obligations under this Addendum are satisfactorily performed in accordance with all applicable legislation. This includes any of Licensee’s best practice guidelines of which the Licensor has actual notice.
4.1. Where Licensor processes Personal Data (whether stored in the form of physical or electronic records) on behalf of the Licensee it shall:
4.1.1. Process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations under the Agreement(s) or as is required by applicable law including the GDPR and any existing laws, rules or regulations issued by the relevant data protection authorities;
4.1.2. Implement appropriate technical and organizational measures and take the steps necessary to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure, and promptly supply details of such measures as requested by the Licensee; such security measures are set out in Section 6 of this Addendum; and
4.1.3. At the Licensee’s request, promptly supply the Licensee with details of the technical and organizational systems in place to safeguard the security of the Personal Data held and to prevent unauthorized access.
4.2. Licensee acknowledges and agrees that (a) Licensor’s affiliates may be retained as Sub-processors; and (b) Licensor and Licensor’s affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Licensor will ensure that any third party to which it sub-contracts any processing has entered into a written contract with Licensor containing similar provisions to those in this Addendum, to the extent applicable to the nature of the Services provided by such Sub-processor. Upon Licensee’s request, Licensor shall make available to Licensee the current list of sub-processors with their country of location. If Licensor provides hosting services under the Agreement(s), the Licensee agrees and acknowledges that Licensor is allowed to host the Personal Data at a third-party data center provider.
4.3. Unless applicable laws require retention of such Personal Data, Licensor agrees that in the event that it is notified by the Licensee that it is not required to provide any further services to the Licensee under this Addendum, Licensor shall transfer a copy of all information (including Personal Data) held by it in relation to this Addendum to the Licensee in a format chosen by the Licensee (provided that the Licensee pays for the associated costs) and/or, at the Licensee’s request, destroy all such information using a secure method which ensures that it cannot be accessed by any third party and shall issue the Licensee with a written confirmation of secure disposal.
4.4. All copyright, database rights and other intellectual property rights in any Personal Data processed under this Addendum (including but not limited to any updates, amendments or adaptations to the Personal Data by either the Licensee or Licensor) will belong to the Licensee. Licensor is licensed to use such data only for the term of and in accordance with this Addendum.
5.1. Licensor shall, to the extent legally permitted, promptly notify Licensee if it receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure, data portability, object to the Processing, or its right not to be subject to an automated individual decision making (each a “Data Subject Request”). Taking into account the nature of the Processing, Licensor shall assist Licensee by appropriate technical and organizational measures, to the extent possible, for the fulfillment of Licensee’s obligation to respond to a Data Subject Request under Chapter III of the GDPR. Except to the extent required by applicable law, Licensor shall not respond to any such Data Subject Request without Licensee’s prior written consent except to confirm that the request relates to Licensee.
5.2. Further, to the extent Licensee, in its use of the Services, does not have the ability to address a Data Subject Request, Licensor shall upon Licensee’s request provide commercially reasonable efforts to assist Licensee in responding to such Data Subject Request, to the extent Licensor is legally permitted to do so and provided that such Data Subject Request is required under applicable law, including the GDPR. Any costs arising from such provision of assistance shall be the responsibility of Licensee, to the extent legally permitted.
6.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Licensor shall ensure that in respect of all Personal Data it receives from or processes on behalf of the Licensee it shall maintain security measures to a standard appropriate to the: (a) harm that might result from unlawful or unauthorized processing or accidental loss, damage or destruction of the Personal Data; and (b) nature of the Personal Data.
6.2. Licensor shall, with regard to Personal Data, implement and maintain appropriate technical and organizational security measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR, and particularly those related to possible Personal Data Breaches. Specifically, Licensor shall:
6.2.1. have in place and comply with a security policy which: (a) defines security needs based on a regular Privacy Impact Assessment (“PIA”); (b) allocates responsibility for implementing the policy to a specific individual or members of a team, including having a Data Protection Officer (“DPO”) in place if required by the GDPR or other applicable law; (c) is disseminated to all relevant members, volunteers and staff; and (d) provides a mechanism for feedback and review;
6.2.2. ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
6.2.3. prevent unauthorized access to the Personal Data;
6.2.4. ensure its storage of Personal Data conforms with the industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
6.2.5. have secure methods in place for the transit of Personal Data within the customer support portal (for instance, by using encryption);
6.2.6. use password protection on computer systems on which Personal Data is stored and ensure that only authorized personnel are given details of the password;
6.2.7. take reasonable steps to ensure the reliability of any employee, agent, contractor or other individuals who have access to the Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Personal Data, as strictly necessary for the purposes of the Agreement(s), and to comply with GDPR in the context of that individual’s duties to the Licensor;
6.2.8. ensure that any employees, agents, contractors or other individuals required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Addendum;
6.2.9. ensure that none of the employees, agents, contractors or other individuals who have access to the Personal Data publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Licensee;
6.2.10. have in place methods for detecting and dealing with breaches of security (including loss, damage or destruction of Personal Data) including: (a) the ability to identify which individuals have worked with specific Personal Data; and (b) having a proper procedure in place for investigating and remedying breaches of the data protection principles contained in the GDPR, including written records;
6.2.11. have a secure procedure for backing up and storing back-ups separately from originals; and
6.2.12. have a secure method of disposal for unwanted Personal Data including back-ups, disks, print outs and redundant equipment.
6.3. Licensor shall provide the Licensee with relevant documentation, such as an audit report (upon a written request and subject to obligations of confidentiality), with regard to any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, when the Licensee reasonably considers that such data protection impact assessments or prior consultations are required pursuant to Article 35 or 36 of the GDPR or pursuant to the equivalent provisions of any other applicable Rule, but in each such case solely with regard to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, the Licensor. Such audit will be conducted at the Licensee’s cost and expense, to the extent legally permitted.
7.1. Licensor shall, in accordance with the GDPR, notify the Licensee and/or the supervisory authority as soon as any (the “Personal Data Breach”) with respect to the Personal Data occurs, but no later than 48 hours from the discovery of such a Personal Data Breach. Licensor’s notification of or response to a Personal Data Breach under this Section 7.1 will not be construed as an acknowledgement by Licensor of any fault or liability with respect to the Personal Data Breach.
7.2. Licensor will use reasonable efforts to identify the cause of such Personal Data Breach and shall promptly and without undue delay: (a) investigate the Personal Data Breach and provide Licensee with information about the Personal Data Breach, including if applicable, such information a Data Processor must provide to a Data Controller under Article 33(3) of the GDPR to the extent such information is reasonably available; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach to the extent the remediation is within Licensor’s reasonable control. The obligations herein shall not apply to any breach caused by Licensee or its authorized users. Notification will be delivered to Licensee in accordance with Section 7.3 below.
7.3. Notification(s) of Personal Data Breaches, if any, will be delivered to one or more of Licensee’s business, technical or administrative contacts by any means Licensor selects, including via e-mail. It is Licensee’s sole responsibility to ensure it maintains accurate contact information on Licensor’s support systems.
The Licensee is solely responsible for:
8.1. Complying, at all times with the GDPR with respect to the Personal Data processed in connection with the Agreement(s) and the Services;
8.2. Where applicable, ensuring that legally binding consents to the collection, access, use, maintenance, and/or disclosure of the Personal Data in accordance with the GDPR and Licensee policies and procedures have been obtained from each individual and entity (including without limitation donors, consumers, business customers, and/or Licensee employees and contractors) to whom the Personal Data relates;
8.3. Establishing the applicable information security safeguards and associated policies for protecting Personal Data in its facilities. Licensee must communicate the relevant safeguards and policies to Licensor with reasonable advance notice and in writing when Licensor provides Services at a Licensee facility or accesses Licensee’s systems;
8.4. Promptly informing Licensor of any policies it implements with respect to the processing and protection of Personal Data with express instructions as to how these policies should be implemented by Licensor;
8.5. Promptly informing Licensor of any request for erasure with respect to Data Subject’s Personal Data with detailed instructions as to how Licensor should address the request; and
8.6. Providing to Licensor and also promptly update, when necessary, the information indicated below (where applicable): (a) identity and contact information of the Data Protection Officer of the Licensee; (b) identity and contact information of the EU representative of the Licensee; (c) description of the categories of Processing carried out by Licensee with respect to the Services; (d) types of Personal Data to be Processed; and (e) categories of Data Subjects to whom the Personal Data relates.
9.1. Licensor will only transfer Personal Data in compliance with applicable laws. The Licensee authorizes Licensor (and authorizes Licensor to authorize its Sub-processors) to Process Personal Data and to transfer Personal Data to those countries or territories where those Sub-processors are located, consistent with the Agreement(s) and this Addendum.
9.2. Transfers Pursuant to the Standard Contractual Clauses
9.2.1. The Standard Contractual Clauses shall apply to Personal Data that is transferred, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Directive and any successor legislation thereto), and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to the EU-U.S. Privacy Shield Framework in effect.
9.2.2. Where the Standard Contractual Clauses apply in accordance with Section 9.2.1:
9.2.2.1. Licensor agrees to comply with the terms of the Standard Contractual Clauses, for the purposes of which Licensee and those of its affiliates established in the EEA will be regarded as the Data Exporter(s) and Licensor will be regarded as the Data Importer;
9.2.2.2. the governing law in clause 9 of the Standard Contractual Clauses shall be the law of the Data Exporter;
9.2.2.3. if so required by the laws or regulatory procedures of any jurisdiction, the parties or Licensor and any one or more of its affiliates established in the EEA as required, shall execute or re-execute the Standard Contractual Clauses as separate documents setting out the proposed transfers of Personal Data in such manner as may be required;
9.2.2.4. in the event of inconsistencies between the provisions of the Standard Contractual Clauses and this Addendum, the Agreement or other agreements between the parties as regards the Services, the Standard Contractual Clauses shall take precedence;
9.2.2.5. in the event that the Standard Contractual Clauses are amended, replaced or repealed by the European Commission or under GDPR, the parties shall work together in good faith to enter into any updated version of the Standard Contractual Clauses or negotiate in good faith a solution to enable a transfer of Personal Data to be conducted in compliance with GDPR; and
9.2.2.6. the parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by the Data Importer to the Data Exporter only upon Data Exporter’s request.
9.3. Transfers Pursuant to the Privacy Shield
9.3.1. In relation to Personal Data which is transferred by Licensee to Licensor pursuant to the EU-U.S. or Switzerland-U.S. Privacy Shield Framework, Licensor shall only process such Personal Data strictly in accordance with the E.U.-U.S. or Switzerland-U.S. Privacy Shield Principles and Supplemental Principles, as now or hereafter in effect.
10.1. Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this Addendum whether in contract, tort or under any other theory of liability, is subject to the limitation of liability section of the Agreement(s), and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement(s) and this Addendum.
10.2. No alteration, amendment, or modification of this Addendum will be valid unless in writing and signed by an authorized representative of both parties.
10.3. Any ambiguity in the terms of this Addendum will be resolved to permit Licensor or Licensee to comply with applicable laws.
10.4. This Addendum is the entire and complete agreement between the parties with respect to the privacy and security of Personal Data and supersedes any other agreements, representations, or understandings whether oral or written. All clauses of the Agreement(s), that are not explicitly amended or supplemented by the clauses of this Addendum, and as long as this does not contradict with compulsory requirements of GDPR, under this Addendum, remain in full force and effect and shall apply, including, but not limited to: Governing Law and Dispute Resolution, Jurisdiction, Limitation of Liability (to the maximum extent permitted by the GDPR).
10.5. Should any provision of this Addendum be found invalid or unenforceable pursuant to any applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Addendum will continue in effect.
10.6. If Licensor makes a determination that it can no longer meet its obligations in accordance with this Addendum, it shall promptly notify the Licensee of that determination and cease the Processing or take other reasonable and appropriate steps to remediate.
10.7. Notices required under this Addendum shall be to be sent according to the Agreement(s) with a copy (which shall not constitute notice) via e-mail to: [email protected].
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Standard Contractual Clauses which may be amended as necessary.
Data Exporter
The Data Exporter is the legal entity that has executed the Agreement(s) with the Data Importer.
Data Importer
The Data Importer is the legal entity that has executed the Agreement(s) with the Data Exporter, which processes Personal Data upon the instruction of the Data Exporter in accordance with the terms of the Agreement(s).
Data Subjects
The personal data transferred concern the following categories of data subjects: Categories of Data Subjects, as determined by the Data Exporter, may include customer representatives and (end) users, such as employees, job applicants, contractors, collaborators, partners, suppliers, donors and customers of the Licensee.
Categories of data
The personal data transferred concern the following categories of data: Categories of Personal Data, as determined by the Data Exporter, may include, among other information, personal contact information such as name, address, telephone or mobile number, fax number, e-mail address, and passwords; employment details including employer name, job title and function, and business contact details.
Special categories of data (if appropriate):
The personal data transferred concern the following special categories of data (please specify): None.
Purposes of the transfer/Processing operations
The personal data transferred will be subject to the following basic processing activities: The objective of Processing of Personal Data by Data Importer is the performance of the Services pursuant to the Agreement(s) in place between the Data Exporter and the Data Importer.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Standard Contractual Clauses.
Description of the technical and organizational security measures implemented by the Data Importer in accordance with Clauses 4(d) and 5(c):
The Data Importer will implement reasonable administrative, physical, managerial and technical controls safeguards for protection of the security, confidentiality and integrity of Personal Data with respect to the Services in accordance with applicable legal requirements, and as set forth in Data Importer’s Section 6 of this Addendum, and as otherwise agreed by the parties in writing. Data Importer will not materially decrease the overall security of the Services during the term of the Agreement(s).
Lets explore how you can bring more secure and convenient digital interactions to your users and partners.
