This Data Processing Addendum (this “DPA”), forms part of the Terms and Conditions (the “Agreement”) between MH Sub I, LLC dba iMatrix (“Vendor”) and Customer (“Customer”) (each a “Party” and collectively, the “Parties”).
WHEREAS, pursuant to the Agreement, the Parties have agreed that it may be necessary for Vendor to Process certain Personal Data on behalf of Customer;
WHEREAS, in light of this Processing, the Parties have agreed to enter into this DPA to address the compliance obligations imposed upon Vendor and Customer by Applicable Data Protection Laws;
NOW, THEREFORE, in consideration of the mutual agreements contained herein, and for other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the parties hereto agree to the following amendments to the Agreement:
- Defined Terms. Capitalized terms used herein but not defined, such as “Controller,” “Data Subject,” “Personal Data,” “Personal Data Breach,” “Processor,” and “Processing,” shall have the same meaning as set forth in Article 4 of the GDPR, and their cognate terms shall be construed accordingly.
1.1 “Customer Personal Data” means any Personal Data Processed by Vendor, or a Subprocessor, on behalf of Customer pursuant to the Agreement.
1.2 “Applicable Data Protection Laws” means laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, with respect to the Processing of Personal Data under the Agreement.
1.3 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.4 “Services” means the services and other activities to be provided or carried out by or on behalf of Vendor for Customer pursuant to the Agreement.
1.5 “Subprocessor(s)” means any person or entity appointed or engaged by Vendor to process Customer Personal Data in connection with the Agreement.
1.6 “Supervisory Authority” means an independent public authority which, pursuant to the GDPR, is established and authorized by a member state of the European Union.
1.7 “Transfer” means disclosing, transmitting, or otherwise making available Personal Data to a third party, including to an affiliate or a Subprocessor, either by physical movement of the Personal Data to such third party or by providing such third party access to the Personal Data by other means.
- Roles and Scope.
2.1 The terms in this DPA apply to the Processing of Personal Data, within the scope of the GDPR, by Vendor on behalf of Customer.
2.2 For the purposes of this DPA, the parties hereby agree and acknowledge that with regard to the Processing of Customer Personal Data, Customer is the Controller and Vendor is the Processor, except when Customer acts as a processor of Personal Data, in which case Vendor is a Subprocessor.
- Term. This DPA shall commence on the effective date of the Agreement and shall continue in full force and effect until the later of the (a) termination or expiration of the Agreement; or (b) completion of the last of the Services to be performed pursuant to the Agreement.
- Processing of Customer Personal Data.
4.1 Each Party shall be individually and separately responsible for complying with its obligations under Applicable Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained such Personal Data.
4.2 Vendor shall Process Customer Personal Data only for the purposes of providing the Services and as may subsequently be agreed between the Parties in writing and, in so doing, shall act solely on the reasonable and lawful instructions of Customer, unless Processing is required by Applicable Data Protection Laws to which Vendor is subject to, in which case Vendor shall, to the extent permitted by Applicable Data Protection Laws, inform Customer of the legal requirement before Processing such Personal Data. Customer shall ensure that its instructions for the Processing of Customer Personal Data comply with Applicable Data Protection Laws.
4.3 The details of the Processing, including the subject-matter, duration, nature, and purpose of the Processing, the types of Personal Data Processed, and the categories of Data Subjects Processed, are set forth in the attached Schedule A.
- Vendor Personnel. Vendor shall take reasonable steps to guarantee the reliability of any employee, agent, or contractor who may have access to Customer Personal Data, ensuring that (a) access to Customer Personal Data is strictly limited to personnel who need to access Customer Personal Data for the purposes of the Agreement; (b) such personnel comply with Applicable Data Protection Laws; and (c) such personnel are subject to the appropriate professional or statutory obligations of confidentiality.
- Consent for Processing of Customer Personal Data. Customer represents and warrants that, where required by Applicable Data Protection Laws, it (a) has obtained all necessary and valid consents from the relevant Data Subjects on behalf of Vendor in accordance with Applicable Data Protection Laws to lawfully permit Vendor to Process Customer Personal Data; (b) shall make available and maintain a mechanism for obtaining and withdrawing such consent from Data Subjects in accordance with Applicable Data Protection Laws; (c) shall maintain a record of all consents obtained and withdrawn from Data Subjects as required by Applicable Data Protection Laws; and (e) shall make such record available to Vendor promptly upon request.
7.1 Vendor shall not engage a Subprocessor or disclose any Customer Personal Data to a Subprocessor without prior specific or general written authorization of Customer. Customer specifically authorizes the engagement of Vendor’s subsidiaries and affiliates as Subprocessors. Vendor may continue to use Subprocessors already engaged by Vendor as of the date of this DPA.
7.2 In the case of general written authorization, Vendor shall notify Customer of any intended changes concerning the addition or replacement of other Subprocessors.
7.3 Vendor shall take reasonable steps to ensure that each of its Subprocessors are bound by written agreements that require such Subprocessors to provide the same level of data protection for Customer Personal Data as those set out in this DPA.
- Security of Personal Data.
8.1 Vendor shall, in relation to the Customer Personal Data and during the term of the Agreement, implement and maintain appropriate technical and organizational measures to ensure protection of the security, confidentiality, and integrity of Customer Personal Data, including as appropriate, the measures referred to in Article 32(1) of the GDPR.
8.2 In assessing the appropriate level of security, Vendor shall take account of the risks that are presented by the Processing of Customer Personal Data, in particular from a Personal Data Breach.
8.3 Vendor shall take steps to ensure that any employee or personnel acting under its authority who has access to Customer Personal Data does not process them except upon documented instructions from Customer, unless he or she is required to do so by Applicable Data Protection Laws.
- Personal Data Breach. Vendor shall notify Customer, without undue delay, upon Vendor, or any Subprocessor, becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Supervisory Authority and/or Data Subjects of the Personal Data Breach under Applicable Data Protection Laws. Such notification shall include (a) a detailed description of the Personal Data Breach; (b) the categories and numbers of Personal Data records concerned; and (c) the identity of each affected Data Subject (or, where not possible, the categories and numbers of Data Subjects concerned). In addition, Vendor shall (i) provide the name and contact information of a point of contact from whom more information may be obtained; (ii) describe the likely consequences of the Personal Data Breach; and (iii) describe the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects. Further, Vendor shall take reasonable commercial steps, as directed by Customer, to assist in the investigation, notification, mitigation, and remediation of each Personal Data Breach.
- Data Protection Impact Assessment and Prior Consultation. Vendor shall, upon receipt of written request by Customer and at Customer’s cost, provide Customer with reasonable assistance needed to fulfill Customer’s obligation under the GDPR (a) to carry out a data protection impact assessment related to the Services; and (b) to conduct prior consultations with a Supervisory Authority, to the extent that Customer reasonably believes such prior consultation is required under the GDPR as a result of a data protection impact assessment.
- Data Subject Rights.
11.1 Vendor shall, to the extent permitted by law, promptly notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of access, rectification, erasure, data portability, restriction of Processing, withdrawal of consent, and/or objection to being subject to Processing that constitutes automated decision-making (each a “Data Subject Request”). If Vendor receives a Data Subject Request in relation to Customer Personal Data, Vendor shall advise the Data Subject to submit their request to Customer and Customer shall be responsible for responding to such request.
11.2 Vendor shall, upon request by Customer and taking into account the nature of the Processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request, provided that (a) Customer is unable to respond without Vendor’s assistance; and (b) Vendor is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible, to the extent legally permitted, for any costs and expenses arising from any such assistance by Vendor.
- Return or Deletion of Personal Data. Upon completion or termination of the Services, or at any time Customer shall so request, Vendor shall promptly return or delete all Customer Personal Data (and all copies thereof) in its possession or under its control unless retention of such Customer Personal Data is required by Applicable Data Protection Laws to which Vendor is subject to.
- Transfers of Personal Data Outside the European Economic Area.
13.1 Customer acknowledges and agrees that Vendor may, subject to Section 13.2, store and process Customer Personal Data in the United States and any other country in which Vendor, or any of its Subprocessors, maintains facilities.
13.2 Customer acknowledges and agrees that any transfer of Personal Data under this DPA originating in the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom to a country that does not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws is necessary for the performance of a contract between Customer and the Data Subject and/or the implementation of pre-contractual measures taken at the Data Subject’s request.
- Limitation of Liability. Vendor’s liability arising out of or related to this DPA, whether in contract, tort, or under any theory of liability, is subject to the “Limitation of Liability” section of the Agreement and any reference in such section to Vendor’s liability means Vendor’s aggregate liability under the Agreement and this DPA.
- Entire Agreement; Other Agreement Provisions. This DPA sets forth the entire understanding of the parties relating to the subject matter addressed and supersedes any prior agreements, arrangements, or understandings relating to the subject matter hereof. In the event of any inconsistency between the terms of this DPA and the Agreement, the terms of this DPA will govern. Except as otherwise expressly provided in this DPA, the provisions of the Agreement remain in full force and effect.
- Binding Effect. This DPA shall inure to the benefit of and shall be binding upon the Parties and their respective successors and assigns.
- Modifications and Supplementations. Vendor may modify or supplement this DPA with notice to Customer if required to do so by a Supervisory Authority or other government or regulatory entity or if necessary to comply with Applicable Data Protection Laws.
- Authority. Each Party represents and warrants that it has full authority to bind itself to this DPA and that its rights hereunder and under the Agreement have not been sold, assigned, gifted, pledged, or otherwise transferred.
- Execution of Counterparts. This DPA may be executed in several counterparts, each of which shall be an original and all of which shall constitute but one and the same instrument.
Last Updated on September 12, 2018
DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Schedule A includes certain details of the Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
- Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of Customer Personal Data are set out in the Agreement and this DPA.
- The nature and purpose of the Processing of Customer Personal Data
The nature and purpose of the Processing of Customer Personal Data is the performance of the Services pursuant to the Agreement.
- The types of Customer Personal Data to be Processed
The types of Customer Personal Data to be Processed include Personal Data submitted to the Services, the extent of which is determined and controlled by (or at the direction of) Customer or Customer’s end users.
- The categories of Data Subject to whom the Customer Personal Data relates
The categories of Data Subjects to whom Customer Personal Data relates include individuals about whom Personal Data is provided to Vendor through the Services by (or at the direction of) Customer or Customer’s end users.