DATA PROCESSING ADDENDUM TO THE TERMS OF SERVICE This data processing addendum (hereinafter the “Addendum”) forms an inseparable part of terms of service of Adact platform (hereinafter the “Services”) by and between the Company and the Client (hereinafter the “Principal Agreement”) as defined in the Principal Agreement.
DEFINITIONS 1.1 For the purposes of this Addendum, unless expressly otherwise stated or evident in the context, the following capitalised terms shall have the following meanings, the singular (where appropriate) shall include the plural and vice versa, and references to Sections shall be references to sections of this Addendum. Capitalised terms not otherwise defined shall heave the meaning given to them in the Principal Agreement. (a) “Controller” means the entity which determines the purposes and means of the Processing of Personal Data; (b) “Data Protection Laws” means applicable data protection legislation, such as the GDPR, and laws implementing or supplementing the GDPR; (c) “Data Subject“ means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; (d) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council; (e) “Personal Data Breach” means breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed; (f) “Personal Data” means any information relating to a Data Subject which is sent to the Company, is accessed by the Company or is otherwise Processed by the Company on the Client’s behalf in relation to the Services; (g) “Processing“ means any operation where the Company or its Sub-processors process Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; (h) “Processor” means the entity which Processes Personal Data on behalf of the Controller; (i) “Standard Contractual Clauses” means the standard contractual clauses which are adopted by the European Commission or by a supervisory authority in accordance with Data Protection Laws; (j) “Sub-processor” has the meaning set out in Section 5.1; (k) “Technical and organisational measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
BACKGROUND AND PURPOSE 2.1 For the purpose of provision of the Services under the Principal Agreement, the Company will process the Client’s Personal Data. To the extent that such information includes Personal Data in respect to which the Client is the Controller, by this Addendum, the Client appoints the Company as Processor of such Personal Data, subject to the terms and conditions set forth in this Addendum.
PROCESSING OF PERSONAL DATA 3.1 The categories of Data Subjects and the types of Personal Data processed for the purpose of providing Services are stipulated in Appendix 1 to this Addendum. 3.2 The Company agrees to Process Personal Data in accordance with the documented instructions of the Client issued from time to time (including with regard to transfers of Personal Data to a third country or an international organisation), unless required to deviate from such instructions in order to comply with Data Protection Laws to which the Company is subject (in such case, the Company shall inform the Client of such requirement before processing Personal Data, unless the Data Protection Laws prohibit such notification). 3.3 The Company shall notify the Client if it considers that an instruction from the Client under Section 3.2 is in breach of the Data Protection Laws, and the Company shall be entitled, but not obliged to suspend execution of the relevant instruction until the Client confirms such instruction in writing. 3.4 The Client shall be responsible for requests made by Data Subjects seeking to exercise their rights under the Data Protection Laws and shall handle them in accordance with the Data Protection Laws. The Client shall immediately notify the Company of such request if complying with it requires action from the Company. Accordingly, the Company shall immediately notify the Client if it receives such request from a Data Subject under the Data Protection Laws, and shall, at the Client’s request and cost, assist the Client, insofar as this is possible, by providing such information to the Client as the Client may reasonably require, and within the time period reasonably specified by the Client in complying with the rights and rightful requests of the Data Subjects, or with notices served by the relevant supervisory authority or any other law enforcement or regulatory authority. 3.5 Taking into account the nature of the Processing, the Company shall implement and maintain appropriate Technical and organisational measures in order to ensure a level of security appropriate to the risk and protect the Personal Data, and at the Client’s request and cost, assist the Client in ensuring compliance with the obligations pursuant to articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Company. 3.6 The Company may transfer Personal Data to a country outside of the European Union or European Economic Area if: (a) the Personal Data is transferred to a country approved by the European Commission as providing an adequate level of protection for the Personal Data; (b) the transfer is made pursuant to Standard Contractual Clauses; or (c) other appropriate legal data transfer mechanisms are used. 3.7 The Company shall inform the Client without undue delay if the Company becomes aware of any Personal Data Breach.
AUDIT RIGHTS 4.1 The Client shall have the right, once in every twelve (12) months upon the provision of twelve (12) business days’ prior written notice to audit the Company’s operations relevant to the performance of this Addendum. If the date proposed by the Client is not suitable for the Company, the Client can appoint another date that cannot be later than five (5) business days from the original date. The Client is responsible for the costs of the audit. However, should the audit reveal any violation or breach of this Addendum by the Company or its Sub-processor, the Company shall compensate the Client for the costs arising from the audit and remedy the breach. 4.2 The audit must be performed on a business day during the working hours of the Company and it must not unreasonably disturb the Company’s course of business or jeopardise the confidentiality of any third party’s information in the Company’s possession. The Company undertakes to cooperate in good faith with the Client and provide the Client with such information relating to this Addendum that the Client may reasonably request in order to demonstrate that it has acted in compliance with the Data Protection Laws.
USE OF SUBCONTRACTORS 5.1 If the Company uses subcontractors for the provision of the Services and such subcontractor is provided by the Company with Personal Data in respect to which the Client is Data Controller (hereinafter the “Sub-processor”), the Company shall ensure that such Sub-processors comply with the terms of this Addendum, inter alia including the obligation to implement Technical and organisational measures in such a manner that the Processing will meet the requirements of the Data Protection Laws. 5.2 The Client hereby authorises the Company to appoint sub-processors in accordance with this Section 5. The Company shall ensure that Sub-processors are bound by written agreements that require them to provide at least the level of data protection required from the Company by this Addendum. The Company shall inform the Client of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Client the opportunity to object to such changes. If, within 7 (seven) days of receipt of the notice, the Client notifies Company in writing (the notice must be reasoned) of any objections to the proposed appointment, the Company shall not appoint that proposed Sub-processor until reasonable steps have been taken to address the objections raised by the Client and the Client has been informed about taken steps. If the Client and the Company are not able to resolve appointment of a sub processor within a reasonable period, the Company shall have the right to terminate the Addendum and the Principal Agreement without prior notice.
CONFIDENTIALITY 6.1 The Company undertakes that all its personnel processing Personal Data are bound by the duty of confidentiality. 6.2 If the Company engages a Sub-processor to perform its engagement, it shall ensure that the Sub-processor and its personnel are bound by the duty of confidentiality.
TERM AND TERMINATION 7.1 This Addendum shall apply during such time period as the Company Processes Personal Data on behalf of the Client. The termination of Personal Data Processing takes place on the first of the following events taking place: (a) the Client requests the Company to delete or return the Personal Data and stop Processing thereof; (b) the Company’s obligation to provide Services to the Client ceases permanently due to termination or expiration of the Principal Agreement; 7.2 Upon termination of the Personal Data Processing, the Personal Data shall, at the Client’s discretion, either be returned to the Client, to the extent possible, or be deleted unless any applicable law (including EU law or national law) to which the Company is subject requires retention of the Personal Data. 7.3 Obligations which by their nature (e.g. duty of confidentiality) should survive termination or expiration of the Addendum, shall so survive.
CLAIMS AND DAMAGES 8.1 Each Party agrees to give written notice to the other Party, without undue delay, of any claim made against itself in connection with the processing of Personal Data under this Addendum. 8.2 To the extent due to the Company’s or its Sub-processor’s fault, the Company shall be liable for damage caused to the Client as a consequence of Processing contrary to the provisions of this Addendum and in respect of which the Client has had to pay compensation to the Data Subject or pay administrate fines awarded by relevant authorities. Liability of the Company is limited pursuant to Section 10 of the Principal Agreement.
APPLICABLE LAW AND DISPUTES 9.1 The governing law and dispute resolution are regulated in the Principal Agreement.
MISCELLANEOUS 10.1 Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or – should this not be possible – (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein. The foregoing shall also apply if this Addendum contains any omission. 10.2 Any amendments to this Addendum shall be made in writing and be signed by duly authorised representatives of the Parties. 10.3 In case of any conflict between the terms of this Addendum and the Principal Agreement, the provisions of this Addendum shall prevail.
CATEGORIES OF DATA SUBJECTS AND TYPES OF PERSONAL DATA
CATEGORIES OF DATA SUBJECTS AND TYPES OF PERSONAL DATA
Employees of the Client and other individuals who have been granted access to the Platform by the Client.
Data subjects who participate in the marketing campaigns organised by the Client using the Platform.
TYPES OF PERSONAL DATA
Name, surname, email, password
Any personal data collected and processed in connection with the Campaign organized by then Client. Depending on the Campaign, the types of personal data can be, but are not limited to the participant’s name, surname, email, phone number