This Data Processing Addendum (“DPA”), forms part of the Terms of Service, (the “Agreement”) between Traackr, Inc. (“Traackr”) and you (“Customer”) and shall be effective as of May 25, 2018.
This DPA applies to the processing of personal data relating to data subjects located in the European Economic Area (including the United Kingdom as at the date of this DPA) by Traackr solely on behalf of Customer for the purpose of providing the Traackr Service (“EU Personal Data”). The categories of the data subjects whose EU Personal Data are subject to this DPA are (i) the authorized Users of Customer (such EU Personal Data is referred to in this DPA as “User Data”) and (ii) social media influencers whose EU Personal Data is entered into Customer’s Traackr account by Customer, excluding that certain publicly available influencer data for which Traackr is the controller (such EU Personal Data is referred to in this DPA as “Notes”). As between the parties, (i) Customer is a controller and Traackr a processor on behalf of Customer with regard to EU Personal Data or (ii) Customer is a processor and Traackr is a subprocessor on behalf of Customer with regard to EU Personal Data. User Data consists of first name, last name, email address, password to the Traackr Service, and, at the option of the User, such User’s social media handle(s). Notes consist of EU Personal Data the Customer enters into its account with respect to social media influencers, but excludes that certain publicly available influencer data that Traackr itself has added to the Traackr Service and for which Traackr is the controller. This DPA shall remain in effect as long as Traackr carries out EU Personal Data processing operations on behalf of Customer or until the termination of the Agreement (and all EU Personal Data has been returned or deleted in accordance with Section 3(g)). In connection with the provision of the Traackr Service by Traackr to Customer, the EU Personal Data will be subject to basic processing activities in accordance with Section 3(a) and in accordance with the Agreement.
In processing the EU Personal Data hereunder, Traackr shall:
Customer hereby grants Traackr general authorization to engage subprocessors to assist Traackr in processing the EU Personal Data as set out in this DPA. Traackr shall enter into contractual arrangements with such subprocessors requiring the same level of data protection compliance and information security to that provided for herein. Customer hereby consents to the processing of EU Personal Data by, and the disclosure and transfer of EU Personal Data to, the following subprocessors:
Traackr shall inform Customer of any intended changes concerning the addition or replacement of subprocessors at least ten (10) calendar days before the new subprocessor processes EU Personal Data. Customer may object in writing to such changes within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection (an “Objection”). In the event of an Objection, the parties will discuss such concerns in good faith with the intention of achieving a resolution. If the parties are not able to achieve a resolution as described in the previous sentence, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience, on the condition that Customer provides written notice to Traackr within five (5) calendar days of being informed of the engagement of the subprocessor. Customer shall not be entitled to any refund of fees paid prior to the date of any termination pursuant to this Section 4.
Customer agrees that (i) it shall comply with its obligations as a controller under the GDPR in respect of its processing of EU Personal Data and any processing instructions it issues to Traackr as referred to in Section 3(a); (ii) it has provided notice and obtained all consents and rights required by the Data Protection Laws for Traackr to process EU Personal Data pursuant to the Agreement and this DPA; and (iii) the processing of the EU Personal Data by Traackr upon the documented instructions of Customer under Section 3(a) shall have a lawful basis of processing pursuant to Article 6 of the GDPR. If Customer is a processor, Customer represents and warrants to Traackr that Customer’s instructions and actions with respect to EU Personal Data, including its appointment of Traackr as another processor, have been duly authorized by the relevant controller. Customer shall indemnify, defend and hold harmless Traackr, its affiliates, officers, directors, employees and agents against any claims, actions, proceedings, expenses, losses, damages and liabilities (including without limitation any governmental investigations, complaints and actions) and reasonable attorneys’ fees relating to or arising out of Customer’s violation of this Section 5. Notwithstanding anything to the contrary in the Agreement, Customer’s indemnification obligations under this Section 5 shall not be subject to any limitations of liability set forth in the Agreement.
Customer hereby consents to the transfer of the EU Personal Data to, and processing of the EU Personal Data in, the United States of America. The parties hereby enter into the Standard Contractual Clauses for Processors, as approved by the European Commission under Decision 2010/87/EU, attached hereto as Exhibit A (the “SCCs”) and made a part of this DPA in their entirety.
This DPA constitutes an amendment to the Agreement. This DPA, including the SCCs, and the Agreement (including the Controller-to-Controller Addendum, incorporated therein by reference) constitute the parties’ entire agreement and understanding with respect to the subject matter hereof. Traackr’s obligations contained in this DPA are subject to any limitations of liability set forth in the Agreement. The obligations contained in this DPA are in addition to the other obligations contained in the Agreement. In the event of a conflict between this DPA and any other terms in the Agreement, the terms of this DPA will govern. For the avoidance of doubt, to the extent that the Agreement excludes any types of information from confidentiality obligations, those exclusions shall not apply to EU Personal Data.
In this DPA, unless a clear contrary intention appears: (a) where not inconsistent with the context, words used in the present tense include the future tense and vice versa and words in the plural number include the singular number and vice versa; (b) reference to any person includes such person’s successors and assigns but, if applicable, only if such successors and assigns are not prohibited by this DPA; (c) reference to any gender includes each other gender; (d) reference to any agreement, document or instrument means such agreement, document or instrument as amended or modified and in effect from time to time in accordance with the terms thereof and includes all addenda, exhibits and schedules thereto; (e) the titles and subtitles used in this DPA are used for convenience only and are not to be considered in construing or interpreting this DPA; (f) “hereunder,” “hereof,” “hereto,” and words of similar import shall be deemed references to this DPA as a whole and not to any particular Section or Subsection of this DPA; and (g) “including” (and with correlative meaning, “include”) means including without limiting the generality of any description preceding such term.
Effective as of May 25, 2018. Last updated on July 11, 2018.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Customer (the ‘data exporter’)
And
Traackr, Inc. (the ‘data importer’)
each a ‘party’; together ‘the parties’,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
The data exporter agrees and warrants:
The data importer agrees and warrants:
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
Footnotes:
1 Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.
2 Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.
3 This requirement may be satisfied by the sub-processor co-signing the contract entered into between the data exporter and the data importer under this Decision.
This Appendix forms part of the Clauses and must be completed and signed by the parties
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
The data exporter is (please specify briefly your activities relevant to the transfer):
Service recipient of data importer
The data importer is (please specify briefly activities relevant to the transfer):
Service provider for data exporter
The personal data transferred concern the following categories of data subjects (please specify):
Representatives of data exporter and personal data relating to social media influencers that data exporter enters into its account, but excluding publicly available influencer data for which data importer is the controller.
The personal data transferred concern the following categories of data (please specify):
For representatives of data exporter: first and last name, email address, password, and social media handles.
For social media influencers: personal data that data exporter enters into its account, but excluding publicly available influencer data for which data importer is the data controller
The personal data transferred concern the following special categories of data (please specify):
It is not anticipated that special categories of data will be processed in the ordinary course of this arrangement.
The personal data transferred will be subject to the following basic processing activities (please specify):
The personal data will be subject to basic processing, including but not limited to collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing services to data exporter in accordance with the terms of the Agreement.
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data importer has implemented appropriate technical and organizational measures intended to ensure a level of security appropriate to the risk.