Data Processing Agreement
Last updated on: September 11, 2020
How This DPA Applies
If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the Fond entity that is the party to the Agreement is a party to this DPA.
If the Customer entity signing this DPA has executed an Order Form (or similar ordering document) (in either case, an "Order Form") with Fond or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Forms, and the Fond entity that is party to such Order Form is party to this DPA.
If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is a party to the Agreement executes this DPA, and Affiliates of such Customer entity will benefit under this DPA via Section 9.1 (b) below.
If the Customer entity signing the DPA is not a party to an Order Form nor an Agreement directly with Fond, but is instead a Customer indirectly via an authorized reseller of Fond services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required.
This DPA shall not replace any additional rights relating to Processing of Customer Data previously negotiated by Customer in the Agreement.
Data Processing Terms
In the course of providing services to Customer pursuant to the Agreement ("Services") and only pursuant to Customer’s documented instructions (which, for clarity, shall not conflict with this DPA), Fond may Process Personal Data on behalf of Customer. Fond agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Services or collected and Processed by or for Customer using the Services.
1.1 "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 "Data Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
1.3 "Data Processor" means the entity which processes personal data on behalf of the Data Controller.
1.4 "Data Protection Laws and Regulations" means all laws and regulations, including but not limited to: (a) laws and regulations of the European Union, the European Economic Area and their member states (in each case, as amended, revised or replaced from time to time (in particular, by operation of the Directive 2009/136/EC, and the General Data Protection Regulation (EU) 2016/679 (the "GDPR"))), applicable to the Processing of Personal Data under the Agreement; and (b) the California Consumer Privacy Act of 2018 (Cal. Civ. Code §§ 1798.100 to 1798.199), as amended from time to time, and any related regulations and guidance provided by the California Attorney General pertaining to same (the "CCPA"); and (c) any equivalent or similar laws, rules, regulations, directives, and governmental requirements in applicable jurisdictions, and any laws implementing, replacing or supplementing any of them, as amended, consolidated, re-enacted or replaced from time to time.
1.5 "Data Subject" means the individual to whom Personal Data relates.
1.6 "Personal Data" means any information relating to an identified or identifiable person where such data is submitted to the Services as Customer Data.
1.7 "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.8 "Fond" means the Fond entity which is a party to this DPA, as specified in the section "HOW THIS DPA APPLIES" above, being Fond Technologies, Inc., as well as the Fond Affiliates, as applicable. For clarity, Fond formerly conducted business as AnyPerk, Inc.
1.9 "Fond Group" means Fond and its Affiliates engaged in the Processing of Personal Data.
1.10 "Standard Contractual Clauses" means the agreement executed by and between Customer and Fond Technologies, Inc. and attached hereto as Attachment 1 (including Appendices 1 to 2) pursuant to Decision 2010/87/EU of 5 February 2010 for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
1.11 "Sub-processor" means any Data Processor engaged by Fond.
Any terms used in this DPA, and not otherwise defined herein or in the Agreement, and which are defined in the Data Protection Laws and Regulations, shall have the meanings given to them therein.
2. Processing of Personal Data.
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the processing of Personal Data, Customer is the Data Controller, Fond is a Data Processor and that Fond or members of the Fond Group will engage Sub-processors pursuant to the requirements set forth in section 5 "Sub-processors" below.
2.2 Customer's Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer's instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 Fond's Processing of Personal Data. Fond shall only Process Personal Data on behalf of and in accordance with Customer's documented instructions and shall treat Personal Data as Confidential Information. Customer instructs Fond to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
3. Rights of Data Subjects.
3.1 Correction, Blocking and Deletion. To the extent Customer, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws and Regulations, Fond shall comply with any commercially reasonable request by Customer to facilitate such actions to the extent Fond is legally permitted to do so. To the extent legally permitted, Customer shall be responsible for any costs arising from Fond's provision of such assistance.
3.2 Data Subject Requests. Fond shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of that person's Personal Data. Fond shall not respond to any such Data Subject request without Customer's prior written consent except to confirm that the request relates to Customer. Fond shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject's request for access to that person's Personal Data, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use of the Services. If legally permitted, Customer shall be responsible for any costs arising from Fond's provision of such assistance.
4. Fond Personnel.
4.1 Confidentiality. Fond shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Fond shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Fond will ensure and remain primarily liable for the compliance of its personnel, affiliates, agents and subcontractors with Data Protection Laws and Regulations and this DPA.
4.2 Reliability. Fond shall take commercially reasonable steps to ensure the reliability of any Fond personnel engaged in the Processing of Personal Data.
4.3 Limitation of Access. Fond shall ensure that Fond's access to Personal Data is limited to those personnel who require such access to perform the Agreement.
4.4 Data Protection Officer. Members of the Fond Group have appointed a data protection officer where such appointment is required by Data Protection Laws and Regulations. The contact information for the appointed person will be made available, upon request.
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that (a) Fond's Affiliates may be retained as Sub-processors; and (b) Fond and Fond's Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Fond shall enter into a contract with each such Sub-processor that includes the same or substantially similar obligations on and commitments by the Sub-processor as apply to Fond under this DPA. Subject to the foregoing, and for the avoidance of doubt, Fond will not otherwise disclose Personal Data to any third parties without the explicit written consent of Customer. For clarity, Fond shall not sell, rent, release, disclose, disseminate, make available, transfer or otherwise communicate Personal Data to another business or third party for monetary or other valuable consideration.
5.2 Liability. Fond shall be liable for the acts and omissions of its Sub-processors to the same extent Fond would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6.1 Controls for the Protection of Personal Data. Fond shall maintain administrative, physical and technical safeguards designed to protect the security, confidentiality and integrity of Customer Data, including Personal Data, as set forth in the Security Privacy and Architecture Documentation. Fond regularly monitors compliance with these safeguards. Fond will not materially decrease the overall security of the Services during the term of the Agreement.
6.2 Third-Party Certifications and Audits. Upon Customer's written request at reasonable intervals, Fond shall provide a copy of Fond's (or its data hosting providers') then most recent third-party audits or certifications, as applicable, or any summaries thereof, that Fond generally makes available to its Customers at the time of such request.
7. Security Breach Management and Notification.
Fond maintains industry standard data security incident management policies and procedures and shall, to the extent permitted by law, promptly notify Customer of any actual or reasonably suspected unauthorized disclosure of Customer Data, including Personal Data, by Fond or its Sub-processors of which Fond becomes aware (a "Security Breach"), which notice shall be provided to Customer within seventy-two (72) hours of Fond becoming aware of and confirming the Security Breach. To the extent such Security Breach is caused by a violation of the requirements of this DPA by Fond, Fond shall make reasonable efforts to identify and remediate the cause of such Security Breach (including without limitation, assisting Customer with any notifications to regulators and/or individuals, if it is determined that the Security Breach occurred as a result of Fond’s breach of this DPA).
8. Return and Deletion of Customer Data.
Fond shall return Customer Data, including Personal Data, to Customer and delete Customer Data, including Personal Data, in accordance with Fond's then current standard procedures and timeframes.
9. Additional Terms.
9.1 Application of Standard Contractual Clauses. The Standard Contractual Clauses and the additional terms in this Section 9 will apply in addition to those obligations contained in Sections 1 - 9 of this DPA. Pursuant to this Section 9, the parties acknowledge and agree commercial clauses which are supplemental to those contained in the Standard Contractual Clauses, and which shall apply:
(a) to the Processing of Personal Data that is transferred from the European Economic Area (EEA) to, either directly or via onward transfer, any country or recipient outside the EEA: (i) that is not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR); and (ii) is not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to Binding Corporate Rules for Processors [and Privacy Shield Certification]; and
(b) to: (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter; and (ii) all Affiliates (as defined in the Agreement) of Customer established within the EEA and Switzerland that have purchased Services on the basis of an Order Form. For the purpose of the Standard Contractual Clauses and this Section 9, the aforementioned entities shall be deemed "Data Exporters". Notwithstanding the foregoing, the following sections 9.2 – 9.11 shall apply to all Personal Data Processed by Fond on behalf of Customer, and shall not be limited to Personal Data that is subject to the Standard Contractual Clauses.
9.2 Objective and Duration. The objective of Processing of Personal Data by Fond as data importer is the performance of the Services pursuant to the Agreement. The duration of Processing of Personal Data by Fond is co-extensive with such performance pursuant to the Agreement.
9.3 Instructions. This DPA and the Agreement are Data Exporter's complete and final instructions to data importer for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately in writing. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Data Exporter to process Personal Data: (a) processing in accordance with the Agreement and applicable Order Form(s); and (b) processing initiated by Users in their use of the Services. Data importer shall only Process the Personal Data in accordance with these written instructions, unless required to do otherwise by law in which case, where legally permitted, data importer shall inform the Data Exporter of such legal requirement before processing. Data importer shall notify the Data Exporter immediately if, in its opinion, an instruction for the Processing of Personal Data given by the Data Exporter infringes the applicable data protection law.
9.4 Security. For the purposes of Clause 5 (c) of the Standard Contractual Clauses, data importer shall also implement the technical and organizational security measures contained in Article 32 of the GDPR.
9.5 Sub-processors. Pursuant to Clause 5(h) of the Standard Contractual Clauses, the Data Exporter acknowledges and expressly agrees that (a) Fond's Affiliates may be retained as Sub-processors; and (b) Fond and Fond's Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
(a) List of Current Sub-processors and Notification of New Sub-processors. Data importer shall make available to Data Exporter a current list of Sub-processors for the respective Services with the identities of those Sub-processors ("Sub-processor List"). Data importer shall provide Data Exporter with a mechanism to subscribe to updates to the relevant Sub-processor List and shall provide such updates before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.
(b) Objection Right for new Sub-processors. If Data Exporter has a reasonable basis to object to data importer's use of a new Sub-processor, Data Exporter shall notify data importer promptly in writing within 10 business days after receipt of data importer's notice. In the event Data Exporter objects to a new Sub-processor(s) and that objection is not unreasonable, data importer will use reasonable efforts to make available to Data Exporter a change in the affected Services or recommend a commercially reasonable change to Data Exporter's configuration or use of the affected Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Data Exporter. If data importer is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Data Exporter may terminate the applicable Order Form(s) in respect only to those Services which cannot be provided by data importer without the use of the objected-to new Sub-processor, by providing written notice to data importer. Data Exporter shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.
(c) The parties agree that the copies of the Sub-processor agreements that must be sent by data importer to the Data Exporter pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by data importer beforehand; and, that such copies will be provided by data importer only upon reasonable request by Data Exporter.
9.6 Audits and Certifications. The parties agree that the audits described in Clause 5(f), Clause 11 and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with the following specifications: Upon Data Exporter's request, and subject to the confidentiality obligations set forth in the Agreement, data importer shall make available to Data Exporter (or Data Exporter's independent, third-party auditor that is not a competitor of Fond) information regarding the Fond Group's compliance with the obligations set forth in this DPA in the form of the third-party certifications and audits described herein. Customer may contact data importer in accordance with the "Notices" Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Customer shall reimburse data importer for any time expended for any such on-site audit at the Fond Group's then-current professional services rates, which shall be made available to Data Exporter upon request. Before the commencement of any such on-site audit, Data Exporter and data importer shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Data Exporter shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by data importer. Data Exporter shall promptly notify data importer with information regarding any non-compliance discovered during the course of an audit.
9.7 Rights of Data Subjects. Taking into account the nature of the Processing, data importer shall assist the Data Exporter by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Exporter's obligation to respond to requests for exercising the Data Subjects' rights laid down in Chapter III of the GDPR.
9.8 Data Exporter Assistance. Data importer shall assist Data Exporter in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (including the obligations to conduct data protection impact assessments, and to consult with supervisory authorities in relation to the processing of personal data) taking into account the nature of processing and the information available to Data importer.
9.9 Information Provision. On prior written notice by Data Exporter, data importer shall make available to Data Exporter all information necessary to demonstrate compliance with the obligations laid down in GDPR; provided, however, that Fond shall immediately inform Customer if, in Fond’s opinion, an obligation of this DPA or an instruction of Customer violates Data Protection Laws and Regulations.
9.10 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) shall be provided by Data importer to the Data Exporter only upon Data Exporter's request.
9.11 Conflict. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
10. Additional Terms Applicable to CCPA.
10.1 Additional Definitions.
(a) "Contracted Business Purposes" means the Services described in the Agreement.
(b) Terms defined in the CCPA, including "personal information" and "business purposes" carry the same meaning in this DPA. Fond is a "service provider" under the CCPA.
10.2 Fond's CCPA Obligations.
(a) Fond will only collect, use, retain, or disclose personal information for the Contracted Business Purposes as set forth in the Agreement.
(b) Fond will not retain, use or disclose personal information outside of the direct business relationship between Customer and Fond, except as authorized in the Agreement or under the CCPA.
(c) Fond will not collect, use, retain, disclose, sell, or otherwise make personal information available or process personal information (or allow any third party to process or access personal information) for Fond's own commercial purposes or in a way that does not comply with the CCPA.
(d) Fond will limit personal information collection, use, retention, processing and disclosure (including through its service providers, suppliers, contractors or subcontractors) to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes.
(e) Fond shall not engage in any activity that may be considered a sale of personal information pursuant to the CCPA.
10.3 Assistance with Customer's CCPA Obligations.
(a) Fond will reasonably cooperate and assist Customer with meeting its CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests.
(b) Both parties will comply with all applicable requirements of the CCPA when collecting, using, retaining, sharing or disclosing personal information.
(a) Fond may use subcontractors to provide the Contracted Business Services as set forth in the Agreement and subject to the terms of this DPA. Any such subcontractor used must qualify as a "service provider" under the CCPA and Fond will not make any disclosures to the subcontractor that the CCPA would treat as a sale.
(b) Fond remains fully liable to the Customer for the subcontractor's actions or inactions.
10.5 Processing Purposes and Details.
(a) The Contracted Business Purposes are providing the Services and processing the Customer Data as set forth in the Agreement.
(b) The Agreement involves the following types of Personal Information as defined and classified in CCPA Cal. Civ. Code § 1798.140(o).
(i) Identifiers: First name, last name, email address, telephone number, email data, system usage data, location data (IP address), and other electronic data/UGC (reviews, photos) submitted, stored, sent, or received by or from Data Subjects.
(ii) Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)): same as in subsection (i), above.
(iii) Protected classification characteristics under California or federal law: None.
(iv) Commercial information: Purchased products and/or services.
(v) Biometric information: None.
(vi) Internet or other similar network activity: IP Address. Fond also collects the activity of the consumers on Fond's website.
(vii) Geolocation data: Extracted from IP address.
(viii) Sensory data: None.
(ix) Professional or employment-related information: Affiliation between the consumer and his/her employer, if and to the extent that the employer is a Fond customer.
(x) Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)): None.
(xi) Inferences drawn from other personal information: None.
(c) Types of Consumers: End users of Fond's website.
(d) List of subcontractors: Please contact Fond for updated information.
11. Indemnification and Limitation of Liability
(a) Fond agrees that a breach or threatened breach of this DPA by Fond or its personnel, agents, or subcontractors, may cause irreparable harm to Customer such that monetary damages may not provide an adequate remedy. Fond accordingly agrees that Customer may seek injunctive or other equitable relief to prevent or remedy such breach or threatened breach without requirement of bond or notice.
(b) Fond agrees to defend, indemnify, and hold harmless Customer and its directors, officers, affiliates, employees, subcontractors, and agents from and against all claims, suits, causes of action, damages, costs (including the costs of remediation efforts and reasonable attorneys' fees), judgments and other expenses with respect to any third party claim and arising out of or related to Fond (or Fond’s agents’ or subcontractors’): (i) breach or threatened breach of this DPA (including any purpose or use restrictions relating to Personal Data as may be contained in the Agreement); or (ii) violation of Data Protection Laws and Regulations. Fond may not settle any indemnified claim without the written consent of Customer. Customer may participate in the defense of an indemnified claim, at Customer’s expense, with counsel of its choosing.
(c) There will be no limitations or exclusions on Fond’s liability arising under this DPA or otherwise relating to claims pertaining to the privacy, security, confidentiality, or unauthorized use of Personal Data by Fond (or by Fond’s employees, agents, or subcontractors). Fond will be liable for all obligations under this DPA and for the reimbursement of costs and expenses for remediation efforts regardless of whether such amounts are characterized by any person, court or other third party as direct, indirect, consequential, special, or punitive damages.
12. Parties to This DPA
The Section "HOW THIS DPA APPLIES" specified which Fond entity is party to this DPA (Fond). In addition, Fond Technologies, Inc. is a party to the Standard Contractual Clauses in Attachment 1. [Notwithstanding the signatures below of any other Fond entity, such other Fond entities are not a party to this DPA or the Standard Contractual Clauses.]
If Fond Technologies, Inc. is not a party to the Agreement, the section of the Agreement 'Limitation of Liability' shall apply as between Customer and Fond Technologies, Inc., and in such respect any reference to 'Fond' shall include both Fond Technologies, Inc. and the Fond entity who is a party to the Agreement.
DPA SIGNATURE PAGE
Customer Entity Legal Name:
FOND Technologies, INC.
Print Name: Francois Thrower
Title: Chief Operating Officer
Date: January 27, 2020
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation:
Other information needed to identify the organisation:
....................... (the data exporter) And
Name of the data importing organisation: Fond Technologies, Inc. Address:
Tel.: + 1 415 969-6563; fax: + 1 415 969-6570; e-mail: firstname.lastname@example.org;
Other information needed to identify the organisation: Not applicable (the data importer)
each a "party"; together "the parties",
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the Transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-Party Beneficiary Clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the Data Exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the Data Importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and Jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with Supervisory Authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the Contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.
Obligation After the Termination of Personal Data Processing Services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
Name (written out in full):
Other information necessary in order for the contract to be binding (if any):
(stamp of organisation)
On behalf of the data importer:
Name (written out in full): Francois Thrower
Position: Chief Operating Officer
Address: 115 SW Ash Street, Suite #500, Portland, OR 97204
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is (please specify briefly your activities relevant to the transfer):
Data Exporter is (i) the legal entity that has executed the Standard Contractual Clauses as a Data Exporter and, (ii) all Affiliates (as defined in the Agreement) of Customer established within the European Economic Area (EEA) and Switzerland that have purchased Services on the basis of one or more Order Form(s).
The data importer is (please specify briefly activities relevant to the transfer):
Fond Technologies, Inc. is a provider of a SaaS solution for employee recognition and rewards.
The personal data transferred concern the following categories of data subjects (please specify):
Data exporter may submit Personal Data to Fond's hosted, web-based employee recognition and rewards solution by which users can review and redeem various offers, discounts, products, services and other benefits provided by third party merchants and vendors (the "Services"), the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Employees, agents, advisors, freelancers of data exporter (who are natural persons)
- Data exporter's Users authorized by data exporter to use the Services
Categories of Data
The personal data transferred concern the following categories of data (please specify):
Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Contact information (company, email, phone, physical business address)
- Localization data
(stamp of organisation)
Special Categories of Data (If Appropriate)
The personal data transferred will be subject to the following basic processing activities (please specify):
The objective of Processing of Personal Data by data importer is the performance of the Services pursuant to each Agreement.
Name: Francois Thrower
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Data importer will maintain industry standard administrative, physical, and technical safeguards designed for the protection of the security, confidentiality and integrity of Personal Data uploaded to the Services.