- 1. BACKGROUND AND PURPOSE
- 1.1. The Controller has subscribed to services under the Processor’s subscription terms and conditions (the “Main Agreement”), and the Processor delivers a promotion building service to the Controller by providing lead capture forms (“Wheel of Popups”). When providing these services to the Controller, the Processor processes personal data for which the Controller is responsible, thus the Processor processes personal data on behalf of the Controller.
- 1.2. This Agreement constitutes an appendix to the Main Agreement entered into between the Parties. In the event of conflicts between the agreements, this Agreement shall take precedence.
- 1.3. The Parties have entered into this Data Processor Agreement (“Agreement”) in order to fulfil the requirement of a written agreement between a data controller and a data processor of personal data as set out in section 28(3) of the EU General Data Protection Regulation 2016/679 (the “GDPR”).
- 2. SCOPE
- 2.1. The scope of this Agreement is to govern the relationship between the Controller and the Processor.
- 2.2. This Agreement is aimed at the Data Controller as well as the Data Processor, and the fundamental basis for this Agreement is the fact that completion of data processing by a data processor must take place in accordance with an agreement between the Parties.
- 3. PROCESSING OF DATA
- 3.1. The Processor may only process personal data under the instructions of the Controller. The Controller’s instructions at the time of entry into this Agreement are set forth in Appendix 1, thus the Processor may only process the categories of personal data and data regarding the data subjects as listed in Appendix 1.
- 3.2. The Controller is responsible for obtaining the data subject’s consent to the processing of data in question in accordance with article 7 and article 8 of the GDPR.
- 3.3. The Processor is not entitled to process the Controller’s personal data for any other purposes than the ones set forth in Appendix 1, as amended from time to time, unless the Controller has given prior written consent to the processing in question.
- 3.4. Upon a written request from the Controller, the Processor must correct, block or delete personal data, which is incorrect or incomplete.
- 3.5. Upon a written request from the Controller, the Processor must present the necessary documentation proving that the processing of personal data is carried out in accordance with the applicable data protection laws and the GDPR, thus the Processor must keep records of its processing activities.
- 3.6. The Processor must assist the Controller in fulfilling its legal obligations under GDPR chapter 3 concerning the rights of the data subject. If the Processor receives a request from a data subject for access to the data subject’s registered personal data, or a data subject objects to the processing of his or her personal data, the Processor must inform the Controller of the request or objection without undue delay.
- 3.7. The Processor must delete personal data, copies and records thereof when it is no longer reasonably necessary to perform the Processor’s obligations under the Main Agreement. In any case the Processor deletes the personal data collected on behalf of the Controller when the data has been stored with the Processor for 12 months. If the Controller wishes for the Processor to keep processing the data past these 12 months, it rests with the Controller to provide the Processor with the necessary documentation proving a substantiated purpose for extended processing.
- 4. USE OF SUB PROCESSORS
- 4.1. The Processor may only use sub processors when this is authorized by the Controller.
- 4.2. By signing this Agreement, the Controller authorizes the Processor to use the sub processors listed in Appendix 1.
- 4.3. Before the Processor engages a new sub processor, the Processor shall notify the Controller thereof and provide information about the new sub processor’s name and location for processing. If the Controller has a reasonable basis to object to the Processor’s use of a new sub processor and therefore wishes to terminate this Agreement and the Main Agreement, the Controller shall notify the Processor within 10 business days after receipt of the Processor’s notice.
- 4.4. The Processor ensures that any sub processor engaged by the Processor to carry out specific processing activities on behalf of the Controller, is bound by data protection obligations no less stringent than the ones set forth in this Agreement. If the sub processor fails to fulfil its data protection obligations, the Processor is liable to the Controller for the performance of the sub processor’s obligations.
- 4.5. Upon the Controller’s request, the Processor must provide the Controller with sufficient information to ensure the Controller that the sub processors engaged by the Processor have taken the necessary technical and organizational security measures.
- 5. CONFIDENTIALITY
- 5.1. All employees employed by the Processors receive appropriate training, adequate instructions and guidelines for processing personal data.
- 5.2. The Processor must limit access to personal data to the relevant employees and ensure that these are authorized to process the personal data.
- 5.3. The Processor must ensure that the employees of the Processor, who process personal data, are bound by adequate confidentiality obligations. Such obligations shall survive the termination of this Agreement.
- 6. AUDITS
- 6.1. The Controller is entitled to, at its own cost, take proportionate and commercially reasonable measures to validate the Processor’s compliance with this Agreement, either by itself or by using a third party to conduct the audit.
- 6.2. If the Controller takes on a third party to conduct the audit on behalf of the Controller, the Controller must ensure that the third party carrying out the audit enters into a nondisclosure agreement and that such third party takes necessary security measures when conducting the audit.
- 6.3. Audits must be conducted during the Processor’s business hours and the Processor must be notified of planned audits within reasonable time prior to the audit. The audit shall not grant the Controller access to the Processor’s trade secrets or proprietary information unless this is required in order for the Controller to comply with the applicable data protection law.
- 7. DATA TRANSFER
- 7.1. The Processor is not entitled to transfer or hand over data to third parties or sub processors without prior written instruction hereto from the Controller, unless such transfer or handing over is provided by law.
- 7.2. The Controller hereby consents to the transfer of EU Personal Data to, and the processing of EU Personal Data in, the United States of America and Serbia. The parties hereby enter into the Standard Contractual Clauses for Processors, as approved by the European Commission under Decision 2010/87/EU, attached hereto as Exhibit C (the “SCCs”) and made a part of this DPA in their entirety.
- 8. SECURITY MEASURES
- 8.1. The Processor must take the necessary technical and organizational security measures to ensure a level of security in accordance with the GDPR and appropriate to the risk presented to the processing and the nature of the personal data to be protected, having regard to the state of the art and the cost of their implementation. The measures shall take into account the requirements set out in article 32 of the GDPR and include but not be limited to
- 8.1.1. safeguarding personal data against being destroyed accidentally or illegally, lost, altered, damaged or made known to unauthorized persons, misused or in any other way illegally processed,
- 8.1.2. taking measures to prevent transfers to any unauthorized person or entity,
- 8.1.3. ensuring that records are maintained of access to personal data, and
- 8.1.4. taking measures to ensure personal data remains available.
- 8.2. Security measures taken by the Processor are stated in Appendix 2.
- 8.3. The Processor shall periodically assess data security risks related to the provisioning of the services to the Controller.
- 8.4. Upon the Controller’s request, the Processor must provide the Controller with sufficient information to ensure the Controller that the Processor has taken the necessary technical and organizational security measures.
- 9. BREACH OF DATA SECURITY
- 9.1. The Processor must notify the Controller of personal data security breaches, operational malfunctions or suspected security breaches relating to the processing of personal data without undue delay and within 24 hours after the security breach has been discovered, unless the Processor is able to demonstrate that the data security breach is unlikely to result in a risk to the rights and freedoms of data subjects.
- 9.2. The notification in clause 9.1 must (if relevant) contain:
- 9.2.1. a description of the data security breach including the categories and approximate amount of data and data subjects concerned,
- 9.2.2. the name and contact details of the Processor’s data protection officer,
- 9.2.3. a description of the likely consequences of the data security breach,
- 9.2.4. a description of the measures taken or proposed to be taken by the Controller to address the data security breach, including, where appropriate, measures to mitigate its possible adverse effects.
- 9.3. The Processor shall document any data security breaches. The documentation shall only include information necessary for the Controller to verify compliance with the applicable data protection law to the relevant supervisory authority.
- 9.4. The Controller is responsible for notifying the relevant supervisory authority about the data security breach.
- 10. LIMITATION OF LIABILITY
- 10.1. Pursuant to article 82(2) of the GDPR, the Processor shall only be liable for damage caused by processing where the Processor has not complied with obligations of the GDPR specifically directed to processors or where the Processor has acted outside or contrary to this Agreement.
- 10.2. The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
- 10.3. The Processor’s cumulative liability to the Controller or any other party for any loss or damages resulting from claims, demands or actions arising out of or relating to this Agreement shall not exceed the total paid-in fee from the Controller to the Processor within the 12 months previous to the date the claim is first brought against the Processor.
- 11. INDEMNIFICATION
- If the Controller, against the regulations set forth in Appendix 1, collects sensitive personal data and thus makes the Processor process such information, the Controller undertakes to indemnify and hold the Processor harmless for any and all damages and losses incurred by the Processor due to the Controller’s breach of the Agreement.
- 12. AMENDMENTS
- This DPA is subject to change from time to time, as posted on the Processor’s website. Such changes will be effective upon posting on Processor’s website, and Controller’s continued access to and use of the Licensed Application and Services thereafter shall constitute Controller’s acceptance of the amended DPA.
- 13. TERM AND TERMINATION
- 13.1. This Agreement shall enter into force on the date of creating an account on the Processor’s website and shall remain in force for as long as the Processor processes personal data on behalf of the Controller.
- 13.2. Upon termination of the Main Agreement, this Agreement will be terminated accordingly.
- 13.3. If one of the Parties is in breach of this Agreement, the other Party shall be entitled to terminate this Agreement with a written notice of 10 business days. If the Party in breach has not remedied the breach within 10 business days, the Party not in breach is entitled to terminate the Agreement on the date stated in the 10 day-notice.
- 13.4. Upon termination of this Agreement, the Controller must notify the Processor to delete or return the personal data. The Processor is obliged to destroy or return the personal data as requested, unless legislation imposed upon the Processor prevents it from destroying or returning all or parts of the personal data. The Controller must allow for a period of 30 days in order for the Processor to complete the full deletion of personal data.
- 14. GOVERNING LAW AND DISPUTES
- Any disputes arising from this Agreement must be resolved and governed as agreed in section 16 of the Main Agreement, the only amendment being that this Agreement is governed by the GDPR in addition to laws of the State of New York.