In Sections 1 through 6 of this DPA, the following terms have the meanings given in the General Data Protection Regulation (EU) 2016/679 (“GDPR”): “controller”, “personal data”, “processor”, “data subject” and “process”.
Sections 1 through 6 of this DPA apply to the processing of personal data that is regulated by the GDPR by Traackr solely on behalf of Customer for the purpose of providing the Traackr Service (“Customer Personal Data”). The provision of the Traackr Services shall constitute the subject matter of the processing under this DPA. The categories of the data subjects whose Customer Personal Data are subject to this DPA are (i) the authorized Users of Customer (such Customer Personal Data is referred to in this DPA as “User Data”) and (ii) social media influencers whose Customer Personal Data is entered into Customer’s Traackr account by Customer, excluding that certain publicly available influencer data for which Traackr is the controller (such Customer Personal Data is referred to in this DPA as “CRM-Stored Influencer Data”). As between the parties, (i) Customer is a controller and Traackr a processor on behalf of Customer with regard to Customer Personal Data or (ii) Customer is a processor and Traackr is a subprocessor on behalf of Customer with regard to Customer Personal Data. The type of User Data subject to this DPA consists of first name, last name, email address, password to the Traackr Service, and, at the option of the User, such User’s social media handle(s). The type of CRM-Stored Influencer Data subject to this DPA consists of Customer Personal Data the Customer enters into its account with respect to social media influencers, but excludes that certain publicly available influencer data that Traackr itself has added to the Traackr Service and for which Traackr is the controller. This DPA shall remain in effect, and the duration of the processing under this DPA shall continue, as long as Traackr carries out Customer Personal Data processing operations on behalf of Customer or until the termination of the Agreement (and all Customer Personal Data has been returned or deleted in accordance with Section 3(g)). 
In connection with the provision of the Traackr Service by Traackr to Customer, the nature of the processing of Customer Personal Data will be as follows: the Customer Personal Data will be subject to basic processing activities, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, in accordance with Section 3(a) and in accordance with the Agreement.
In processing the Customer Personal Data hereunder, Traackr shall:
a. process the Customer Personal Data only on documented instructions from Customer, unless otherwise required to do so by applicable law, in which case Traackr will inform Customer of that legal requirement before processing, unless applicable law prohibits Traackr from informing the Customer. For the avoidance of doubt, this DPA shall constitute Customer’s documented instructions to Traackr to process the Customer Personal Data in connection with Traackr’s provision of the Traackr Service to Customer;
b. use commercially reasonable efforts intended to ensure that persons authorized to process the Customer Personal Data hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality or are subject to ethical rules of responsibility that include confidentiality;
c. taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement commercially reasonable technical and organizational measures intended to meet the security requirements described in Article 32 of the GDPR;
d. taking into account the nature of the processing, use commercially reasonable efforts to assist Customer, at Customer’s expense, by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subjects’ rights with respect to their Customer Personal Data under the GDPR and any applicable national implementing legislation, regulations and secondary legislation relating to the processing of Customer Personal Data (the “Data Protection Laws”);
e. taking into account the nature of processing and the information available to Traackr, use commercially reasonable efforts to assist Customer, at Customer’s expense, in ensuring compliance with Customer’s obligations described in Articles 32 through 36 of the GDPR;
f. notify Customer promptly if Traackr becomes actually aware of a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data (an “Incident”), provided that the provision of such notice by Traackr shall not be construed as an acknowledgement of fault or liability with respect to any such Incident;
g. at the choice of Customer, delete or return all the Customer Personal Data to Customer within thirty (30) days after the end of the provision of the Traackr Service to the Customer, and delete existing copies unless applicable law requires retention of the Customer Personal Data;
h. make available upon Customer’s reasonable request information reasonably necessary to demonstrate material compliance with the obligations laid down in this DPA and allow for and contribute to audits (each, an “Audit”), at Customer’s expense, including inspections of processing facilities under Traackr’s control, conducted by Customer or another auditor chosen by Customer (an “Auditor”), during normal business hours, no more frequently than once during any twelve (12) month period and upon reasonable prior notice, provided that no Auditor shall be a competitor of Traackr, and provided further that in no event shall Customer have access to the information of any other client of Traackr and the disclosures made pursuant to this Section 3(h) (“Audit Information”) shall be held in confidence as Traackr’s confidential information and subject to any confidentiality obligations in the Agreement, including Section 4 thereof, and provided further that no Audit shall be undertaken unless or until Customer has requested, and Traackr has provided, documentation pursuant to this Section 3(h) and Customer reasonably determines that an Audit remains necessary to demonstrate material compliance with the obligations laid down in this DPA. Without limiting the generality of any provision in the Agreement, Customer shall employ the same degree of care to safeguard Audit Information that it uses to protect its own confidential and proprietary information, and in any event not less than a reasonable degree of care under the circumstances, and Customer shall be liable for any improper disclosure or use of Audit Information by Customer or its agents.
Customer hereby grants Traackr general authorization to engage another processor to process Customer Personal Data on behalf of Traackr (each, a “subprocessor”) to assist Traackr in processing the Customer Personal Data as set out in this DPA. Traackr shall enter into contractual arrangements with such subprocessors requiring the same level of data protection compliance and information security to that provided for herein. Customer hereby consents to the processing of Customer Personal Data by, and the disclosure and transfer of Customer Personal Data to, the following subprocessors:
Traackr shall inform Customer of any intended changes concerning the addition or replacement of subprocessors at least ten (10) calendar days before the new subprocessor processes Customer Personal Data. Customer may object to such changes in writing within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection (an “Objection”). In the event of an Objection, the parties will discuss such concerns in good faith with the intention of achieving a resolution. If the parties are not able to achieve a resolution as described in the previous sentence, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience, on the condition that Customer provides written notice to Traackr within five (5) calendar days of being informed of the engagement of the subprocessor. Customer shall not be entitled to any refund of fees paid prior to the date of any termination pursuant to this Section 4.
Customer represents, warrants and covenants that (i) it shall comply with its obligations as a controller under the GDPR in respect of its processing of Customer Personal Data and any processing instructions it issues to Traackr as referred to in Section 3(a); (ii) it has provided notice and obtained all consents and rights required by the Data Protection Laws to transfer the Customer Personal Data outside the European Economic Area or United Kingdom and for Traackr to process Customer Personal Data pursuant to the Agreement and this DPA; and (iii) the processing of the Customer Personal Data by Traackr upon the documented instructions of Customer under Section 3(a) shall have a lawful basis of processing pursuant to Article 6 of the GDPR. If Customer is a processor, Customer represents and warrants to Traackr that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Traackr as another processor, have been duly authorized by the relevant controller.
Customer hereby consents to the transfer of the Customer Personal Data to, and processing of the Customer Personal Data in, the United States of America and/or in any other jurisdiction in which Traackr, its affiliates or its subprocessors have operations. The parties hereby enter into the Standard Contractual Clauses for Processors, as approved by the European Commission under Decision 2010/87/EU, attached hereto as Schedule I and made a part of this DPA in their entirety.
This Section 8 shall apply from and after the CCPA Effective Date (as defined below) and shall not apply before such CCPA Effective Date. As between the parties, Traackr is a service provider to Customer with respect to Consumer Information.
a. In this Section 8:
i. “CCPA” means the California Consumer Privacy Act of 2018.
ii. “CCPA Effective Date” means January 1, 2020 or the date the CCPA becomes enforceable, whichever is later.
iii. “Consumer Information” means any personal information that is processed by Traackr solely on behalf of the Customer.
iv. The following terms have the meanings given in the CCPA: “personal information”, “processing”, “service provider”, “sell”, “selling”, “sale” and “sold”.
b. From and after the CCPA Effective Date, except as otherwise required by applicable law, Traackr shall:
i. implement and maintain commercially reasonable security procedures and practices appropriate to the nature of the Consumer Information intended to protect such Consumer Information from unauthorized access, destruction, use, modification, or disclosure;
ii. not retain, use or disclose Consumer Information for any purpose outside the scope of the business relationship of the parties and other than for the specific purpose of providing the Traackr Service (including retaining, using or disclosing the Consumer Information for a commercial purpose other than providing the Traackr Service) or as otherwise permitted by the CCPA as applicable to service providers;
iii. not collect or use Consumer Information except as reasonably necessary to provide the Traackr Service;
iv. not sell Consumer Information;
v. to the extent necessary, use commercially reasonable efforts to assist Customer, at Customer’s expense, in Customer’s fulfilment of Customer’s obligation to respond to California residents’ requests to exercise rights with respect to their Consumer Information under the CCPA; and
Last updated: November 18th, 2019.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Customer (the ‘data exporter’)
Traackr, Inc. (the ‘data importer’)
each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
The data exporter agrees and warrants:
The data importer agrees and warrants:
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
1 Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.
2 Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.
3 This requirement may be satisfied by the sub-processor co-signing the contract entered into between the data exporter and the data importer under this Decision.
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is (please specify briefly your activities relevant to the transfer):
Service recipient of data importer
The data importer is (please specify briefly activities relevant to the transfer):
Service provider for data exporter
The personal data transferred concern the following categories of data subjects (please specify):
Representatives of data exporter and personal data relating to social media influencers that data exporter enters into its account, but excluding publicly available influencer data for which data importer is the controller.
The personal data transferred concern the following categories of data (please specify):
For representatives of data exporter: first and last name, email address, password, and social media handles.
For social media influencers: personal data that data exporter enters into its account, but excluding publicly available influencer data for which data importer is the data controller.
The personal data transferred concern the following special categories of data (please specify):
It is not anticipated that special categories of data will be processed in the ordinary course of this arrangement.
The personal data transferred will be subject to the following basic processing activities (please specify):
The personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing services to data exporter in accordance with the terms of the Agreement.
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data importer has implemented appropriate technical and organizational measures intended to ensure a level of security appropriate to the risk.