DATA PROCESSING ADDENDUM
Last Updated: 04/13/2022
This Data Processing Addendum (“DPA”) is an agreement between Service Provider and Client and supplements the Client Subscription Terms and Order Form(s) (“Agreement”). Capitalized terms not otherwise defined herein will have the meanings given to them in the Agreement.
In this DPA, the following definitions apply:
“Data Protection Law” means all applicable current data protection and privacy legislation to the extent binding on the parties, and as may be updated or amended from time to time, and which may include, without limitation, (i) the General Data Protection Regulation (EU 2016/679) (“EU GDPR”) and the UK GDPR, as that term is defined by section 3(10), and as supplemented by section 205(4), of the UK Data Protection Act 2018 (“UK GDPR”); (ii) any national implementing laws (including laws implementing the EU GDPR or UK GDPR), and associated regulations and secondary legislation; and (iii) any other applicable national, provincial, federal, state, and/or local legislation, including, without limitation, the California Consumer Privacy Act (“CCPA”), and any associated regulations and secondary legislation.
“Data Subject” will have the meaning given to it in the Data Protection Law.
“Personal Data” means “personal data”, as that term is defined in the Data Protection Law, that is uploaded to, generated by or transmitted via the Service Provider Solution under Client’s Service Provider accounts for processing as described herein.
“Standard Contractual Clauses” or "SCCs" means, as applicable, either (a) the annex found in the European Commission decision of 4 June 2021 on the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-ex.europa.eu/eli/dec_impl/2021/914/oj, specifically Module 2 and Module 3 (as applicable), and/or other standard contractual clauses adopted by the European Commission and entered into by the parties, from time to time ("EU SCCs"); or (b) the annex found in the European Commission decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, available at https://op.europa.eu/en/publication-detail/-/publication/473b885b-31d6-4f3b-a10f-01152e62be6e/ as adapted for the UK, or such alternative contractual arrangement or clauses approved by the UK Information Commissioner’s Office and entered into by the parties, from time to time ("UK SCCs").
“Sub-processor” means any data processor other than Service Provider that has been instructed by Service Provider to process data on behalf of the Client.
2. DATA PROTECTION
1. Both parties will comply with all applicable requirements of the Data Protection Law. This DPA is in addition to, and does not relieve, remove, or replace, a party’s obligations under the Data Protection Law.
2. This DPA applies to Personal Data processed by Service Provider for Client, if any. In this context, Service Provider may act as “processor” to Client, who may act either as “controller” or “processor” (as those terms are defined in Data Protection Law) with respect to Personal Data.
3. Details of Data Processing (Annex 1 and Annex 2 to the EU SCCs and/or Appendix 1 and Appendix 2 to the UK SCCs, if and as applicable):
Data Exporter: the Client, as the party sending Content, some of which may contain Personal Data, to Service Provider for Service Provider's processing in furtherance of provision of the Service Provider Solution.
Data Importer: Service Provider as a conduit of Content transmitted through the use of the Service Provider Service, some of which may contain Personal Data.
Subject matter: the subject matter of the data processing under this DPA is the data and content as described below.
Purpose: the provision of the Service Provider Solution initiated by Client from time to time.
Nature of the processing: provision of Service Provider Services as described in the Agreement and initiated by Client from time to time.
Categories of Data Subjects: the Data Subjects may include Client's end users, visitors, guests, employees and staff, and any others whose Personal Data is captured in Content.
Description of Processing: in addition to Personal Data incidentally captured and processed as Content in the Service Provider Service ("Captured Personal Data"), Service Provider collects and processes the following as a necessary step in providing the Service Provider Service, all or some of which may or may not be personally identifying or identifiable information:
authorized user login credentials
physical and email addresses, phone numbers
social media links/accounts
auto dealer name, contact info, URL
Content transmitted through the use of the Service Provider Service may, unbeknownst to Service Provider, contain Personal Data. Such Personal Data is held only for as long as needed to transmit it (except if and to the extent that the Client, as data controller, elects to store such data).
Special Categories of Data: the parties do not anticipate or knowingly enact the transfer of special categories of data, but such data may be included in Captured Personal Data.
Duration of processing: during the term of the Client’s subscription and for 90 days thereafter.
Processing operations: as described in this DPA, including Annex 1.
4. Client will ensure and warrants that it has all necessary and appropriate consents and notices, in any form required by Data Protection Law, in place to enable lawful transfer of the Personal Data to Service Provider for the duration and purposes of the Agreement.
5. Client will ensure and warrants that where Personal Data is transferred outside the European Economic Area (“EEA”) or outside the UK, as part of Client’s use or deployment of the Service Provider Solution, adequate measures will be taken to ensure the Personal Data will be protected to an adequate level and the data subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer. Subject to Service Provider’s obligation in section 9.5 below with respect to Service Provider sub-processors, and section 11 below with respect to the Standard Contractual Clauses if applicable, Client acknowledges that Client is solely responsible for ensuring that Personal Data is transferred out of the EEA or the UK in full compliance with the Data Protection Law.
6. Client will ensure and warrants that Client utilizes appropriate technical and organizational measures to ensure a level of security appropriate to such risks, including, as appropriate, the measures referred to in the Data Protection Law.
7. Client confirms that it has assessed any security measures in place at the time of this Agreement, and that it will continue to do so on an ongoing basis to ensure it meets its obligations under this DPA. Client is solely responsible (as between the parties) if such measures fail to meet the standards required by Data Protection Law.
8. Client undertakes and confirms that any information required to be provided to a Data Subject has been so provided or an applicable exemption is available and is being relied upon by the Client.
9. Service Provider will, in relation to any Personal Data processed in connection with the provision of the Service Provider Service:
9.1. process that Personal Data only on the written instructions of Client and as set forth in the Agreement except to the extent Service Provider is required to process data by applicable law. Where Service Provider is relying on applicable law as the basis for processing Personal Data, Service Provider will without undue delay notify Client unless applicable law prohibits Service Provider from so notifying Client;
9.2. not access or use, or disclose to any third party, any Personal Data, except, in each case, as necessary to maintain or provide the Service Provider Solution, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order);
9.3. ensure that it has in place appropriate technical and organizational measures designed to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorized or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
9.4. ensure that all Service Provider personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential;
9.5. ensure that where Sub-processors are used outside the EEA or the UK such that Personal Data is transferred outside the EEA or the UK, and such transfer is not to a third country that the EU Commission considers to provide an adequate level of protection (in the case of transfers subject to EU GDPR) or that the UK Secretary of State considers to provide an adequate level of protection (in the case of transfers subject to UK GDPR), adequate measures will be taken to ensure the Personal Data will be protected to an adequate level (including without limitation use of the SCCs) and the Data Subjects’ rights under the Data Protection Law will not be prejudiced by such a transfer;
9.6. maintain records of processing activities carried out on behalf of Client as required by Data Protection Law;
9.7. assist the Client in responding to any request from a Data Subject and in ensuring compliance with its obligations under Data Protection Law with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
9.8. notify Client without undue delay on becoming aware of a Personal Data security incident. Service Provider is not obligated to report unsuccessful incidents or incidents that result in no unlawful or accidental destruction, loss, alteration, disclosure of, or unauthorized access to Personal Data or any of Service Provider’s equipment or facilities storing Personal Data. Such incidents may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), or similar incidents. Service Provider’s obligation to report or respond to a security incident under this section is not and will not be construed as an acknowledgement by Service Provider of any fault or liability of Service Provider with respect to the incident; and
9.9. at the written direction of Client, delete Personal Data to the extent Service Provider is capable of doing so via its standard retrieval and delete mechanism, unless required by applicable law to store the Personal Data.
10. Client will immediately notify Service Provider if any necessary appropriate consents and notices required to enable lawful transfer of Personal Data to Service Provider for the duration and purposes of this Agreement have been breached, terminated, withdrawn, or are otherwise no longer valid.
11. The parties agree that (a) the EU SCCs apply if Personal Data from the EEA is transferred via use of the Service Provider Solution to Service Provider in a country that is outside of the EEA, and such transfer is not to a third country that the EU Commission considers to provide an adequate level of protection, and (b) the UK SCCs apply if Personal Data from the UK is transferred via use of the Service Provider Solution to Service Provider in a country that is outside of the UK, and such transfer is not to a country that the UK Secretary of State considers to provide an adequate level of protection (such outbound transfers of Personal Data from the EU or the UK, each an "EU/UK Outbound Transfer"). If no EU/UK Outbound Transfer occurs, the SCCs and this section 11 will not apply. As used in this section, the terms “Data Importer” and “Data Exporter” will have the meanings given to them in the Standard Contractual Clauses. The parties acknowledge that for the purposes of the Standard Contractual Clauses, Service Provider is acting in the capacity of a Data Importer and Client is the Data Exporter (notwithstanding that Client may be located outside of the EEA/UK or is acting as a processor on behalf of third-party controllers). Each party will comply with the applicable obligations of the Standard Contractual Clauses in their respective roles as Data Exporter and Data Importer. The data subjects, categories of data, and processing operations (as required to be disclosed in the Standard Contractual Clauses) are as set forth in this DPA. Annex 1 to this DPA details the technical and security measures Service Provider has implemented, as required to be disclosed in the Standard Contractual Clauses.
12. The parties further agree that for all EU/UK Outbound Transfers, the governing law of the Standard Contractual Clauses entered into by Service Provider and the Client will be: (a) the laws of Ireland, if the Client is established in the EEA, or (b) the laws of the UK, if the Client is located in the UK. If any inconsistency arises between this section 12 and any other provision for the governing law of the Standard Contractual Clauses entered into between Client and Service Provider, this section 12 will take precedence.
13. Client acknowledges and agrees that it shall exercise its audit rights under this DPA (including where applicable, the Standard Contractual Clauses) and any audit rights granted by Data Protection Law, by instructing Service Provider to comply with the audit measures described in Annex 1 to this DPA.
14. Service Provider represents and warrants that it has not received any order, request, or other communication from a governmental body for the disclosure of Personal Data and it shall:
14.1. if it receives such order, request, or other communication, attempt to redirect the governmental body to request that data directly from Client. As part of this effort, Service Provider may provide Client’s basic contact information to the relevant body. If compelled to disclose Client Data to a governmental body, then Service Provider will give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy unless Service Provider is legally prohibited from doing so;
14.2. publish a transparency report or provide information to Client on request regarding: (a) the number of orders, requests, or other communications from governmental bodies for the disclosure of Personal Data and/or assistance in surveillance processes and the type of information requested, (b) its responses to the foregoing, and (c) its process for challenging such confidential and non-confidential orders, requests, and communications; and
14.3. notify Client if its ability to maintain the confidentiality and security of Personal Data has been compromised for any reason including by orders, requests or communications described above, and cease processing, including receiving such Personal Data.
15. Client agrees that Service Provider may use Sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf, such as providing support services, and consents to the use of Sub-processors as described in this section. The Service Provider website (LINK) lists Sub-processors that are currently engaged by Service Provider to deliver the Service Provider Service. (Such webpage constitutes Annex III/Appendix 3 to the Standard Contractual Clauses if and as applicable.) At least 10 business days before Service Provider engages any new Sub-processor to carry out processing activities on Personal Data on behalf of Client, Service Provider will endeavor to update the applicable website and provide Client notice of that update as per the means specified for notices in the Agreement. If Client objects to a new Sub-processor, Client must notify Service Provider in writing within ten days of Client’s notice of the change (without prejudice to any termination rights Client has under the Agreement), after which time Client shall be deemed to have consented to the new sub-processor’s appointment in the absence of any such notice. If Client objects to a new Sub-processor, Service Provider may either, in its sole discretion: (a) propose an alternative Sub-processor or remain with the current Sub-processor; or (b) refrain from the use of any Sub-processor; or (c) terminate the Client's subscription on thirty days written notice.
16. Service Provider may propose revisions to this DPA by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an approved code of conduct or applicable certification scheme (which will apply when replaced by attachment to this Agreement). Client and Service Provider will negotiate such changes in good faith as soon as reasonably practicable. The parties agree that if any new versions or revisions to the EU SCCs are approved by the European Commission, or if any new versions or revisions to the UK SCCs are adopted by the UK, such that the implementation of the Standard Contractual Clauses in this DPA no longer applies or is no longer appropriate, the parties shall work together to enter into the new standard contractual clauses as applicable as soon as reasonably practicable.
17. Where the EU SCCs apply to transfers of Personal Data governed by this DPA, the following options shall be deemed to be selected and incorporated, each clause reference in this section being a reference to a clause in the EU SCCs: (a) Clause 7 shall not apply; (b) at Clause 9, option 2 shall apply for both Module 2 and Module 3; and (c) at Clause 11, the optional redress mechanism shall not apply.
18. California Consumer Privacy Act (CCPA) Notice: as a “Service Provider” (as that term is defined in the CCPA), Service Provider will process California personal data that is subject to the CCPA strictly for the purpose of providing to Client the solutions and services described in the Agreement, or as otherwise permitted by the CCPA, and shall not retain, use, or disclose such data for any other purpose.