Data processing addendum
This document consists of two parts:
Part I: Data Processing Addendum (DPA) for Processors, and
Part II: Standard Contractual Clauses (SCC)
Both parts contain language required by the General Data Protection Regulation (GDPR).
This Data Processing Addendum (“DPA”) including its appendices forms part of the BlueZoo Customer Agreement entered into by and between Customer and BlueZoo, Inc., pursuant to which Customer has purchased a subscription to BlueZoo’s Services or purchased other Support Services as outlined in the Order Form. By signing the Order Form, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent BlueZoo processes Personal Data for which such Authorized Affiliates qualify as the Controller.
For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates. In the course of providing the Services to Customer pursuant to the Agreement, BlueZoo may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
The purpose of this DPA is to reflect the parties’ agreement with regard to the Processing of Personal Data, in accordance with the requirements of Applicable Data Protection Law. All capitalized terms not defined herein shall have the meaning set forth in the BlueZoo Customer Agreement or the DPA or the SCC, as applicable.
When data are moved from the EU to a geography that has not been certified to be equivalent, BlueZoo contracts include the Standard Contractual Clauses (SCC) presented in Part II of this document.
Part I
DATA PROCESSING ADDENDUM (DPA)
This Data Processing Addendum (“DPA”) forms an integral part of the Customer Agreement Terms and Conditions between BlueZoo, the Processor – hereinafter referred to as the Supplier – and its Client, the Controller – hereinafter referred to as the Customer – to reflect the parties’ agreement with regard to the processing of personal data of Customer, in accordance with the requirements of data protection laws.
Definitions
“Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms.
“Supplier” means the provider of the Services, BlueZoo, Inc.
“Services” means the services that are ordered by the Customer from Supplier involving the Processing of Personal Data on behalf of the Customer. Only Services with a valid BlueZoo licence and up-to-date payment are included.
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data transmitted, stored or otherwise Processed.
“Data Protection Laws” means all laws and regulations, including laws and binding regulations of the European Union, the European Economic Area (“EEA”) and their member states, Switzerland and the United Kingdom, and any amending or replacement legislation from time to time, applicable to the Processing of Customer Data under the Agreement.
“GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the Processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.
“Permitted Purpose” means the use of the Customer Data to the extent necessary for provision of the Services by Supplier to the Customer.
“Customer Data” means any Personal Data that is provided by or on behalf of Customer while located in the and Processed by Supplier pursuant to the Terms and Conditions of the Order Form.
“Regulator” means any supervisory authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
“Order Form” means any agreement between Supplier and Customer under which Services are provided by Supplier to Customer.
“Standard Contractual Clauses” means the agreement pursuant to the European Commission decision (C(2010)593) of 5 February 2010 on standard contractual clauses for the transfer of Personal Data to processors established in third countries under Directive 95/46/EC.
“Subprocessor” means any Processor engaged by Supplier to Process Personal Data on behalf of Supplier.
Terms such as “Data Subject”, “Personal Data”, “Processing”, “Controller”, “Processor” and “Supervisory Authority” shall have the meaning ascribed to them in the Data Protection Laws.
Specification of the Order or Contract Details
Nature and Purpose of the intended Processing of Data
Nature and Purpose of Processing of personal data by the Supplier for the Customer are precisely defined in the BlueZoo Customer Order Form and Terms and Conditions.
The undertaking of the contractually agreed Processing of Data shall be carried out exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Each and every Transfer of Data to a State which is not a Member State of either the EU or the EEA requires the prior agreement of the Customer and shall only occur if the specific Conditions of Article 44 et seq. GDPR have been fulfilled.
Type of Data
The Personal Data transferred concern the following categories of data:
Data exporter may submit personal data to Supplier, which may include and shall be limited to the following categories of Personal Data:
- Customer name, address and other contact information
- Customer Login information
- Customer Data that may be submitted by Customers or end users of the Services.
- MAC addresses of Visitors of locations where Services of Supplier are deployed
No sensitive data is processed by BlueZoo within the terms of this agreement.
Categories of Data Subjects
- Customers, business partners, and vendors of the data exporter (who are natural persons)
- Employees or contact persons of data exporter customers, business partners, and vendors
- Employees, agents, advisors, contractors, or any user authorized by the data exporter to use the Services (who are natural persons)
- Visitors of locations where Services of supplier are deployed
Duration
The duration of this Order or Contract corresponds to the duration of the Services as agreed in the Order Form.
Details of Processing Activities
The following table sets out the details of Processing:
| Purposes for which the Personal Data shall be processed | |
|---|---|
| Description of the categories of the data subjects | |
| Description of the categories of Personal Data/Sensitive Personal Data | |
Technical and Organizational Measures
(1) Before the commencement of processing, the Supplier shall document the execution of the necessary Technical and Organizational Measures, set out in advance of the awarding of the Order or Contract, specifically with regard to the detailed execution of the contract, and shall present these documented measures to the Customer for inspection. Upon acceptance by the Customer, the documented measures become the foundation of the contract. Insofar as the inspection/audit by the Customer shows the need for amendments, such amendments shall be implemented by mutual agreement.
(2) The Supplier shall establish the security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account. [Details in Appendix 1 of this DPA]
(3) The Technical and Organizational Measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.
Rectification, Restriction, and Erasure of Data
(1) The Supplier may not, on its own authority, rectify, erase or restrict the processing of data that is being processed on behalf of the Customer but only on documented instructions from the Customer.
Supplier shall provide Customer with commercially reasonable cooperation and assistance in relation to handling an EEA Data Subject’s request for access to that person’s Personal Data, and shall promptly notify Customer if it receives a request from an EEA Data Subject for access to, correction, amendment or deletion of that person’s Personal Data.
(2) Insofar as it is included in the scope of services, the erasure policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Customer without undue delay.
The execution of these rights is limited to personal Customer and user login data and cannot be executed in regard to the data that is processed while executing the Services of the Processor as the anonymization process deletes all personal data (MAC addresses) within a very short delay. Only the right to oppose the processing can be executed for the Services.
Quality Assurance and Other Duties of the Supplier
In addition to complying with the rules set out in this Order or Contract, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:
(1) The Supplier has appointed a Data Protection Officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR. The Customer shall be informed of his/her contact details for the purpose of direct contact. The Customer shall be informed immediately of any change of Data Protection Officer.
(2) The Supplier has appointed ePrivacy GmbH, represented by Prof. Dr. Christoph Bauer, privacy@bluezoo.io, as Data Protection Officer. The Customer shall be informed immediately of any change of Data Protection Officer.
(3) The Supplier entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. The Supplier and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Customer, which includes the powers granted in this contract unless required to do so by law.
(4) Implementation of and compliance with all Technical and Organizational Measures included in Appendix 1 of this DPA and necessary for this Order or Contract in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR.
(5) The Customer and the Supplier shall cooperate, on request, with the supervisory authority in the performance of its tasks.
(6) The Customer shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Order or Contract. This also applies insofar as the Supplier is under investigation or is party to an investigation by a competent authority in connection with infringements to any Civil or Criminal Law, or Administrative Rule or Regulation regarding the processing of personal data in connection with the processing of this Order or Contract.
(7) Insofar as the Customer is subject to an inspection by the supervisory authority, an administrative or summary offense or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Order or Contract data processing by the Supplier, the Supplier shall make every effort to support the Customer.
(8) The Supplier shall periodically monitor the internal processes and the Technical and Organizational Measures to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
(9) Verifiability of the Technical and Organisational Measures conducted by the Customer as part of the Customer’s supervisory powers referred to in item 7 of this contract.
Subcontracting
(1) Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Customer’s data, even in the case of outsourced ancillary services.
(2) The Supplier may commission subcontractors (additional contract processors) only after prior explicit written or documented consent from the Customer.
The Customer agrees to the commissioning of the following subcontractors on the condition of a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR:
Company Subcontractor | Address/Country | Service |
---|---|---|
AWS | 410 Terry Avenue North, Seattle, WA 98109, USA | Cloud Services |
Nexmo, a Vonage Company | 217 Second Street 4th floor, San Francisco, CA 94105, USA | SMS Text Messaging Services |
Mailchimp | 675 Ponce De Leon Ave NE Suite 5000 Atlanta, GA 30308, USA | Newsletter management |
Mailgun | 112 E Pecan St, #1135, San Antonio, TX, 78205, USA | Sending automated emails to customer employees about offline sensors |
Google Cloud | 1600 Amphitheatre Parkway Mountain View, CA 94043, USA | Email, file storage, collaboration tools |
Outsourcing to subcontractors or changing the existing subcontractor is permissible when:
- The Supplier submits such an outsourcing to a subcontractor to the Customer in writing or in text form with appropriate advance notice; and
- The Customer has not objected to the planned outsourcing in writing or in text form by the date of handing over the data to the Supplier; and
- The subcontracting is based on a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR.
(3) The transfer of personal data from the Customer to the subcontractor and the subcontractor’s commencement of the data processing shall only be undertaken after compliance with all requirements has been achieved.
(4) If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with the EU Data Protection Regulations by appropriate measures. The same applies if service providers are to be used within the meaning of Paragraph 1 Sentence 2.
Supervisory powers of the Customer
(1) The Customer has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to convince itself of the compliance with this agreement by the Supplier in his business operations by means of random checks, which are ordinarily to be announced in good time.
(2) The Supplier shall ensure that the Customer is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Customer the necessary information on request and, in particular, to demonstrate the execution of the Technical and Organizational Measures.
(3) Evidence of such measures, which concern not only the specific Order or Contract, may be provided by compliance with approved Codes of Conduct pursuant to Article 40 GDPR or certification according to an approved certification procedure in accordance with Article 42 GDPR.
(4) The Supplier may claim remuneration for enabling Customer inspections.
Communication in the case of infringements by the Supplier
(1) The Supplier shall assist the Customer in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:
- Ensuring an appropriate level of protection through Technical and Organizational Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
- The obligation to report a personal data breach immediately to the Customer. The duty to assist the Customer with regard to the Customer’s obligation to provide information to the Data Subject concerned and to immediately provide the Customer with all relevant information in this regard.
- Supporting the Customer with its data protection impact assessment.
- Supporting the Customer with regard to prior consultation of the supervisory authority.
(2) The Supplier may claim compensation for support services that are not included in the description of the Services and which are not attributable to failures on the part of the Supplier.
Authority of the Customer to issue instructions
(1) The Customer shall immediately confirm oral instructions (at the minimum in text form).
(2) The Supplier shall inform the Customer immediately if he considers that an instruction violates Data Protection Regulations. The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Customer confirms or changes them.
Deletion and return of personal data
(1) Copies or duplicates of the data shall never be created without the knowledge of the Customer, with the exception of backup copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.
(2) After conclusion of the contracted work, or earlier upon request by the Customer, at the latest upon termination of the Services as agreed in the Order Form, the Supplier shall hand over to the Customer or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.
(3) Documentation which is used to demonstrate orderly data processing in accordance with the Order or Contract shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods. It may hand such documentation over to the Customer at the end of the contract duration to relieve the Supplier of this contractual obligation.
Appendix 1 (to the DPA)
Technical and Organizational Measures
BlueZoo applies technical and organizational measures that include the following:
Confidentiality (Article 32 Paragraph 1 Point b GDPR)
- Physical Access Control: No unauthorized access to Data Processing Facilities, e.g. magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV systems
- Electronic Access Control: No unauthorized use of the Data Processing and Data Storage Systems, e.g. (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media
- Internal Access Control (permissions for user rights of access to and amendment of data): No unauthorized reading, copying, changes or deletions of data within the system, e.g. rights authorization concept, need-based rights of access, logging of system access events
- Isolation Control: The isolated processing of data collected for differing purposes, e.g. multiple Customer support, sandboxing
- Pseudonymization (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR): The processing of personal data in such a way that the data cannot be associated with a specific Data Subject without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures
Integrity (Article 32 Paragraph 1 Point b GDPR)
- Data Transfer Control: No unauthorized reading, copying, changes or deletions of data during electronic transfer or transport, e.g. encryption, Virtual Private Networks (VPN), electronic signature
- Data Entry Control: Verification of whether and by whom personal data is entered into a Data Processing System, changed or deleted, e.g. logging, document management
Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)
- Availability Control: Prevention of accidental or willful destruction or loss, e.g. backup strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning
- Rapid Recovery (Article 32 Paragraph 1 Point c GDPR)
Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)
- Data Protection Management
- Incident Response Management
- Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)
- Order or Contract Control: No third party data processing as per Article 28 GDPR without corresponding instructions from the Customer, e.g. clear and unambiguous contractual arrangements, formalized Order Management, strict controls on the selection of the Service Provider, duty of pre-evaluation, supervisory follow-up checks
Part II
Standard Contractual Clauses (SCC) for Processors
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
The data exporting organization is the Customer as identified in the Order Form (the “data exporter”).
The data importing organization is BlueZoo Inc, as identified in the Order Form (the “data importer”),
each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1. Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1);
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2. Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3. Third-party beneficiary clause
The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4. Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer, or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5. Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorized access; and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
Clause 6. Liability
The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Clause 7. Mediation and jurisdiction
The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8. Cooperation with supervisory authorities
The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
Clause 9. Governing law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10. Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business-related issues where required as long as they do not contradict the Clause.
Clause 11. Sub-processing
The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12. Obligation after the termination of personal data-processing services
The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
Appendix 1 (to the SCC)
This Appendix forms part of the Standard Contractual Clauses.
Data exporter
The data exporter is the entity identified as “Customer” in the Data Processing Addendum.
Data importer
The data importer is:
BlueZoo, a US-based solution provider for foot traffic analytics and related services, as identified in the Data Processing Addendum.
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
- Customers, business partners, and vendors of the data exporter (who are natural persons)
- Employees or contact persons of data exporter customers, business partners, and vendors
- Employees, agents, advisors, contractors, or any user authorized by the data exporter to use the Supplier’s Service(s) (who are natural persons)
- Visitors of locations where Services of the data importer are employed by the data exporter
Categories of data
The personal data transferred concern the following categories of data (please specify):
- Customer name, address, and other contact information
- Customer Login information
- Customer Data that may be submitted by Customers or end-users of the Services.
- MAC addresses of Visitors of locations where Services of Supplier are deployed
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
- None
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
- The objective of Processing of Personal Data by the data importer is the provision of IT-related services, including customer support services, pursuant to the Order Form and the Customer Agreement.
Appendix 2 (to the SCC)
Technical and Organizational Measures
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Confidentiality (Article 32 Paragraph 1 Point b GDPR)
- Physical Access Control: No unauthorized access to Data Processing Facilities, e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV systems
- Electronic Access Control: No unauthorized use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media
- Internal Access Control (permissions for user rights of access to and amendment of data): No unauthorized reading, copying, changes or deletions of data within the system, e.g.: rights authorization concept, need-based rights of access, logging of system access events
- Isolation Control: The isolated processing of data which is collected for differing purposes, e.g.: multiple customer support, sandboxing
- Pseudonymization (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR): The processing of personal data in such a way that the data cannot be associated with a specific Data Subject without the assistance of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures.
Integrity (Article 32 Paragraph 1 Point b GDPR)
- Data Transfer Control: No unauthorized reading, copying, changes or deletions of data during electronic transfer or transport, e.g.: encryption, Virtual Private Networks (VPN), electronic signature
- Data Entry Control: Verification of whether and by whom personal data is entered into a Data Processing System, changed or deleted, e.g.: logging, document management
Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)
- Availability Control: Prevention of accidental or willful destruction or loss, e.g.: backup strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning
- Rapid Recovery (Article 32 Paragraph 1 Point c GDPR)
Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)
- Data Protection Management;
- Incident Response Management;
- Data Protection by Design and Default (Article 25 Paragraph 2 GDPR);
- Order or Contract Control: No third-party data processing as per Article 28 GDPR without corresponding instructions from the Customer, e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls on the selection of the service provider, duty of pre-evaluation, supervisory follow-up checks.
