This Data Processing Addendum (this “DPA”) is effective as of the Addendum Effective Date and made part of the Neebo Master Subscription Agreement or other written or electronic agreement between Datameer and Customer (the “Agreement”). This DPA governs the Processing of Personal Data by Datameer as a Processor on behalf of Customer under Data Protection Laws in connection with Datameer’s provision of the Services. Unless otherwise defined in this DPA, capitalized terms will have the meaning given to them in the Agreement.
- INTERPRETATION AND APPLICATION.
1.1. In this Data Processing Addendum the following terms shall have the meanings set out in this Paragraph 1.1, unless expressly stated otherwise:
- “Addendum Effective Date” means the effective date of the Agreement.
- “Adequate Country” means a country or territory outside the European Economic Area that the European Commission has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with Article 45(1) of the GDPR.
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interest of the subject entity.
- “Agreement” means the Neebo Master Subscription Agreement or other written or electronic agreement entered into by and between Datameer and Customer in connection with the Services.
- “Anonymised Data” means any Personal Data (including Customer Personal Data), which has been anonymised such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by Datameer or any other party reasonably likely to receive or access that anonymised Personal Data.
- “Business Day” means any day which is not a Saturday, Sunday or public holiday, and on which the banks are open for business, in the United States.
- “Cessation Date” has the meaning given in Paragraph 9.1.
- “Customer Personal Data” means any Personal Data Processed by Datameer on behalf of Customer under the Agreement.
- “Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (the “GDPR”) and any implementing legislation or legislation having equivalent effect in the United Kingdom (references to “Articles” or “Chapters” of the GDPR shall be construed accordingly) or any other.
- “Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with, Chapter III of the GDPR.
- “Data Subject” means the identified or identifiable natural person located in the European Economic Area to whom Customer Personal Data relates.
- “Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” shall be construed accordingly.
- “Personnel” means a person’s employees, agents, consultants or contractors.
- “Post-cessation Storage Period” has the meaning given in Paragraph 9.2.
- “Restricted Country” means a country or territory outside the European Economic Area that is not an Adequate Country.
- “Restricted Transfer” means: (i) a transfer of Customer Personal Data from Customer to Datameer in a Restricted Country; or (ii) an onward transfer of Customer Personal Data from Datameer to a Subprocessor in a Restricted Country, (in each case) where such transfer would be prohibited by Data Protection Laws without a legal basis therefor under Chapter V of the GDPR.
- “Services” means those services and activities to be supplied to or carried out by or on behalf of Datameer for Customer pursuant to the Agreement.
- “Standard Contractual Clauses” means the standard contractual clauses issued by the European Commission (from time-to-time) for the transfer of Personal Data from Data Controllers established inside the European Economic Area to Data Processors established in Restricted Countries.
- “Subprocessor” means any third party appointed by or on behalf of Datameer to Process Customer Personal Data.
1.2. In this Data Processing Addendum:
- the terms, “Data Controller”, “Data Processor”, “Personal Data”, “Personal Data Breach”, “Process” (and its derivatives) and “Supervisory Authority” shall have the meaning ascribed to the corresponding terms in the Data Protection Laws;
- unless otherwise defined in this Data Processing Addendum, all capitalised terms shall have the meaning given to them in the Agreement.
1.3. Customer warrants and represents that it is subject to the territorial scope of the Data Protection Laws as determined in accordance therewith (including pursuant to Article 3 of the GDPR). Customer further agrees that to the extent that it is not in fact subject to the territorial scope of the Data Protection Laws, this Data Processing Addendum shall be deemed automatically void with effect from the Addendum Effective Date without requirement of notice.
- PROCESSING OF CUSTOMER PERSONAL DATA.
2.1. In respect of Customer Personal Data, the Parties acknowledge that:
- Datameer acts as a Data Processor; and
- Customer acts as the Data Controller.
2.2. Datameer shall:
- comply with all applicable Data Protection Laws in Processing Customer Personal Data; and
- not Process Customer Personal Data other than:
(i) on Customer’s instructions (subject always to Paragraph 2.9); and
(ii) as required by applicable laws.
2.3. To the extent permitted by applicable laws, Datameer shall inform Customer of:
- any Processing to be carried out under Paragraph 2.2(b)(ii); and
- the relevant legal requirements that require it to carry out such Processing, before the relevant Processing of that Customer Personal Data.
2.4. Customer instructs Datameer to Process Customer Personal Data as necessary:
- to provide the Services to Customer; and
- to perform Datameer’s obligations and exercise Datameer’s rights under the Agreement.
2.5. Annex 1 (Data Processing Details) sets out certain information regarding Datameer’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
2.6. Customer may amend Annex 1 (Data Processing Details) on written notice to Datameer from time to time as Customer reasonably considers necessary to meet any applicable requirements of Data Protection Laws.
2.7. Nothing in Annex 1 (Data Processing Details) (including as amended pursuant to Paragraph 2.6) confers any right or imposes any obligation on any Party to this Data Processing Addendum.
2.8. Where Datameer receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Datameer shall inform Customer.
2.9. Customer acknowledges and agrees that any instructions issued by Customer with regard to the Processing of Customer Personal Data by or on behalf of Datameer pursuant to or in connection with the Agreement:
- shall be strictly required for the sole purpose of ensuring compliance with Data Protection Laws; and
- shall not relate to the scope of, or otherwise materially change, the Services to be provided by Datameer under the Agreement.
2.10. Notwithstanding anything to the contrary herein, Datameer may terminate the Agreement in its entirety upon written notice to Customer with immediate effect if Datameer considers (in its reasonable discretion) that:
- it is unable to adhere to, perform or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities; and/or
- to adhere to, perform or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
2.11. Customer represents and warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, and (where applicable) Article 9 and/or Article 10 of the GDPR, there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Datameer of Customer Personal Data in accordance with this Data Processing Addendum and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing).
- DATAMEER PERSONNEL.
Datameer shall take reasonable steps to ensure the reliability of any Datameer Personnel who Process Customer Personal Data, ensuring:
- that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data for the purposes described in this Data Processing Addendum; and
- that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, Datameer shall in relation to Customer Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2. In assessing the appropriate level of security, Datameer shall take account in particular of the risks presented by the Processing, in particular from a Personal Data Breach.
5.1. Customer authorizes Datameer to appoint Subprocessors in accordance with this Paragraph 5.
5.2. Datameer may continue to use those Subprocessors already engaged by Datameer as at the date of this Data Processing Addendum, subject to Datameer meeting within a reasonable timeframe (or having already met) the obligations set out in Paragraph 5.4.
5.3. Datameer shall give Customer prior written notice of the appointment of any new Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor. If, within ten (10) Business Days of receipt of that notice, Customer notifies Datameer in writing of any objections (on reasonable grounds) to the proposed appointment:
- Datameer shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
(i) such a change cannot be made within thirty (30) Business Days from Datameer’s receipt of Customer’s notice;
(ii) no commercially reasonable change is available; and/or
(iii) Customer declines to bear the cost of the proposed change,
either Party may by written notice to the other Party with immediate effect terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Datameer without the use of the objected-to new Subprocessor by providing written notice to Datameer.
5.4. With respect to each Subprocessor, Datameer shall ensure that the arrangement between Datameer and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this Data Processing Addendum (including those set out in Paragraph 4).
- DATA SUBJECT.
6.1. Taking into account the nature of the Processing, Datameer shall provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligation to respond to Data Subject Requests.
6.2. Datameer shall:
- promptly notify Customer if Datameer receives a Data Subject Request; and
- ensure that Datameer does not respond to any Data Subject Request except on the written instructions of Customer (and in such circumstances, at Customer’s cost) or as required by applicable laws.
- SECURITY BREACH INCIDENT MANAGEMENT AND NOTIFICATION.
7.1. Datameer shall notify Customer without undue delay upon Datameer becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise Processed by Datameer or its Subprocessors of which Datameer becomes aware (a “Security Incident”). Datameer will take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
7.2. Customer agrees that: (i) an unsuccessful Security Incident will not be subject to this Section. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Personal Data or to any of Datameer’s equipment or facilities storing Customer Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and (ii) Datameer’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Datameer of any fault or liability of Datameer with respect to the Security Incident.
- DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION.
Datameer shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required of Customer by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, Datameer.
- DELETION OR RETURN OBLIGATIONS.
9.1 Subject to Paragraphs 9.2 and 9.4, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Datameer shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage.
9.2 Subject to Paragraph 9.5, to the extent technically possible in the circumstances (as determined in Datameer’s sole discretion), on written request to Datameer (to be made no later than ten (10) Business Days after the Cessation Date (the “Post-cessation Storage Period”)), Datameer shall:
- return a complete copy of all Customer Personal Data within Datameer’s possession to Customer by secure file transfer, promptly following which Datameer shall Delete all other copies of such Customer Personal Data; or
- Delete all Customer Personal Data then within Datameer’s possession. Datameer shall comply with any written request made pursuant to Paragraph 9.2 within twenty (20) Business Days of the Cessation Date.
9.3 In the event that during the Post-cessation Storage Period, Customer does not instruct Datameer in writing to either Delete or return the Customer Personal Data pursuant to Paragraph 9.2, Datameer shall promptly after the expiry of the Post-cessation Storage Period either (at its option):
- Delete; or
- irreversibly render Anonymised Data,
all Customer Personal Data then within Datameer’s possession to the fullest extent technically possible in the circumstances.
9.4 Datameer and any Subprocessor may retain Customer Personal Data where required by applicable law, for such period as may be required by such applicable law, provided that Datameer and any such Subprocessor shall ensure:
- the confidentiality of all such Customer Personal Data; and
- that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.
- AUDIT RIGHTS.
10.1. Datameer shall make available to Customer on request such information as Datameer (acting reasonably) considers appropriate in the circumstances to demonstrate its compliance with this Data Processing Addendum.
10.2. Subject to Paragraphs 10.3 and 10.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Datameer pursuant to Paragraph 10.1 is not sufficient in the circumstances to demonstrate Datameer’s compliance with this Data Processing Addendum, Datameer shall allow for and contribute to audits, including on premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Datameer.
10.3. Customer shall give Datameer reasonable notice of any audit or inspection to be conducted under Paragraph 10.1 (which shall in no event be less than forty (40) Business Days’ notice unless required by a Supervisory Authority pursuant to Paragraph 10.4(f)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Datameer in respect of, any damage, injury or disruption to Datameer’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Datameer’s other customers or the availability of Datameer’s services to such other customers) while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course of any on premise inspection.
10.4. Datameer need not give access to its premises for the purposes of such an audit or inspection:
- to any individual unless he or she produces reasonable evidence of their identity and authority;
- to any auditor whom Datameer has not given its prior written approval (not to be unreasonably withheld);
- unless the auditor enters into a non-disclosure agreement with Datameer on terms acceptable to Datameer;
- where, and to the extent that, Datameer considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Datameer’s other customers or the availability of Datameer’s services to such other customers;
- outside normal business hours at those premises; or
- on more than one occasion in any twelve (12) month period during the term of the Agreement, except for any additional audits or inspections which Customer is required to carry out by Data Protection Law or a Supervisory Authority, where Customer has identified the relevant requirement in its notice to Datameer of the audit or inspection.
10.5. Customer shall bear any third-party costs in connection with such inspection or audit and reimburse Datameer for all costs incurred by Datameer and time spent by Datameer (at Datameer’s then-current professional services rates) in connection with any such inspection or audit.
- RESTRICTED TRANSFERS.
11.1. Subject to Paragraph 11.3, to the extent that any Processing by either Datameer or any Subprocessor of Customer Personal Data involves a Restricted Transfer, the Parties agree that:
- Customer – as “data exporter”; and
- Datameer or Subprocessor (as applicable) – as “data importer”,
shall enter into the Standard Contractual Clauses in respect of that Restricted Transfer and the associated Processing in accordance with Paragraph 11.3.
11.2. In respect of any Standard Contractual Clauses entered into pursuant to Paragraph 11:
- Clause 9 of such Standard Contractual Clauses shall be populated as follows:
“The Clauses shall be governed by the law of the Member State in which the data exporter is established.”
- Clause 11(3) of such Standard Contractual Clauses shall be populated as follows:
“The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.”
- Appendix 1 to such Standard Contractual Clauses shall be populated with the corresponding information set out in Annex 1 (Data Processing Details); and
- Appendix 2 to such Standard Contractual Clauses shall be populated as follows:
“The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Paragraph 4 of the Data Processing Addendum.”
11.3. The Standard Contractual Clauses shall be deemed to come into effect under Paragraph 11 automatically upon the commencement of the relevant Restricted Transfer provided that Paragraph 11.1 shall not apply to a Restricted Transfer unless its effect is to allow the relevant Restricted Transfer and the associated Processing to take place without breach of applicable Data Protection Laws.
11.4. The Parties acknowledge and agree that to the extent Customer transfers Customer Personal Data to Datameer in the United States, it shall be effecting a Restricted Transfer.
11.5. In respect of such Restricted Transfer, Datameer warrants that:
- the scope of Datameer’s EU-U.S. and Swiss-U.S. Privacy Shield certification includes Customer Personal Data; and
- Datameer shall maintain such certification and comply with the requirements of the EU-U.S. and Swiss-U.S. Privacy Shield for the term of the Agreement (including in respect of onward transfers to any Subprocessor based in a Restricted Country).
- ANONYMOUS DATA. Customer acknowledges and agrees that Datameer shall be freely able to use and disclose Anonymised Data for Datameer’s own business purposes without restriction.
- NO SPECIAL CATEGORIES OF PERSONAL DATA.
13.1 Customer warrants and represents on an ongoing basis, and further undertakes, that it shall not (and shall ensure that its Personnel shall not) cause Datameer or its Subprocessors to Process any:
- Special Categories of Personal Data referred to in Article 9(1) of the GDPR; or
- any Personal Data relating to criminal convictions or offenses.
13.2 Customer will indemnify and hold harmless Datameer and its employees, officers, directors and agents from and against any and all liabilities, losses, damages, costs, fines and other expenses (including legal costs and fees) arising from or relating to any breach by Customer of this Paragraph 13.
- ORDER OF PRECEDENCE.
14.1. This Data Processing Addendum shall be incorporated into and form part of the Agreement.
14.2. In the event of any conflict or inconsistency between:
- this Data Processing Addendum and the Agreement, this Data Processing Addendum shall prevail; or
- any Standard Contractual Clauses entered into pursuant to Paragraph 14 and this Data Processing Addendum, those Standard Contractual Clauses shall prevail.
- LIMITATION OF LIABILITY.
Each party’s (and their Affiliates’) total liability under the Agreement (including this Data Processing Addendum and the Standard Contractual Clauses) shall be subject to, and not exceed, the limitations of liability that have been agreed between Datameer and Customer in the Agreement.
ANNEX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Annex 1 to the Data Processing Addendum includes certain details of the Processing of Customer Personal Data: as required by Article 28(3) GDPR; and (where applicable in accordance with Paragraph 11) to populate Appendix 1 to the Standard Contractual Clauses.
The Customer Personal Data transferred concern the following categories of data subjects: data subjects include individuals about whom data that originated in the EEA is provided to Datameer via the Services by (or at the direction of) Customer.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and the Data Processing Addendum.
The nature and purpose of the Processing of Customer Personal Data
Datameer will process the personal data for the purposes of providing the Services to Customer in accordance with and as described in the Agreement, the Data Processing Addendum, and these Clauses.
The types of Customer Personal Data to be Processed
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Contact information (company, email, phone, physical business address)
- ID data
- Professional life data
- Personal Life data
- Connection data
- Localization data
- Any personal data supplied by Users of the Services
Special Categories of Personal Data (if any)
- Datameer does not knowingly collect (and Customer shall not submit) any special categories of data (as defined under the GDPR). Datameer’s service terms under the Agreement do not permit customers or users of the Services to upload any such special categories of data.
The obligations and rights of Customer
The obligations and rights of Customer are set out in the Agreement and the Data Processing Addendum.