This Data Processing Agreement (“DPA”) forms part of the Software as a Service Agreement between the Customer and Company for the provision of certain Services by Company to the Customer (“Agreement”), and reflects what the parties have agreed in relation to the Processing of Personal Data. All capitalised terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to the Customer pursuant to the Agreement, Company may Process Personal Data on behalf of the Customer (as further detailed in Schedule 1) and the parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
Data Processing Terms
“Company”
means Stylescape Limited, a company registered in England and Wales, with company number 06366729.
“Customer”
means the organisation listed on the Order Form only, and does not include any subsidiaries, parent companies or child companies unless otherwise explicitly defined in the Order Form.
“Data Controller”
means the entity which determines the purpose and means of Processing of Personal Data.
“Data Processor”
means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws”
means all laws and regulations, including the Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”) and any successor legislation, applicable to the Processing of Personal Data under the Agreement, as amended or updated from time to time.
“Data Subject”
means the identified or identifiable natural person to whom Personal Data relates.
“Personal Data”
means any information relating to an identified or identifiable natural person which is submitted by the Customer in respect of the provision and use of the Services. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing”
means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Standard Contractual Clauses”
means the set II controller – processor model clauses approved by the EU Commission Decision 2010/87/EU for transfers from data controllers in the EEA to data processors outside the EEA.
“Sub-processor”
means any Data Processor engaged by Company.
PROCESSING OF PERSONAL DATA
- The parties acknowledge and agree that in respect of Processing of Personal Data the Customer is the Data Controller, Company is the Data Processor, and Company will only engage Sub-processors pursuant to this DPA.
- The Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws and shall ensure that any instructions provided to Company for the Processing of Personal Data shall comply with Data Protection Laws.
- The Customer shall ensure that it informs any Data Subjects whose Personal Data is disclosed to Company pursuant to the Agreement that the Customer may use and disclose their Personal Data to Company in accordance with this DPA, and that the relevant Data Subjects have, where necessary, consented to such Processing and disclosure. The Customer shall be responsible for ensuring the Personal Data provided by the Customer to be processed by Company pursuant to the Agreement is Processed on lawful grounds.
- The Customer must promptly notify Company in the event of any withdrawal of any relevant consent by any Data Subject whose Personal Data is Processed pursuant to the Agreement, giving sufficient details of the withdrawal to enable Company to comply with its obligations under the Data Protection Laws.
- Each party must immediately notify the other if it becomes aware of a complaint or allegation of breach of the Data Protection Laws by any person or an investigation or enforcement action by a regulatory authority, in connection with the Agreement.
- Company shall, to the extent required by applicable Data Protection Laws:
- not access or use the Personal Data except as necessary to provide the Services, and shall only Process such Personal Data in accordance with this DPA and only on the Customer’s instructions;
- implement appropriate technical and organisational measures to protect any Personal Data against unauthorised or unlawful Processing and accidental loss, disclosure, access or damage. Details of such measures are available on request;
- cooperate and provide reasonable assistance to the Customer in connection with the Customer’s compliance with the Data Protection Laws insofar as it relates to the Services. This may include assistance with: (i) responding to requests from individuals or authorities, (ii) notifying data breaches to affected individuals or authorities; and (iii) carrying out data protection impact assessments;
- delete or return to the Customer all Personal Data upon the Customer’s request or in accordance with Schedule 1 on termination or expiry of the Agreement, unless otherwise required under applicable laws;
- ensure that persons authorised to access the Personal Data are subject to confidentiality obligations, whether by contract or statute;
- as soon as reasonably practicable, promptly notify the Customer in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. The notice will specify: (i) the categories and number of individuals concerned; (ii) the categories and number of records involved; (iii) the likely consequences of the breach; and (iv) any steps taken to mitigate and address the breach;
- give the Customer access during normal working hours to audit any relevant records and materials held by Company which are necessary to demonstrate compliance by Company with its obligations under this DPA. To the extent permissible under Data Protection Laws, the Customer shall: (i) reimburse Company for any reasonable costs incurred in relation to any audit requested by the Customer; and (ii) take all steps necessary to minimise the disruption to Company’s business.
- For the avoidance of doubt, Company shall be entitled to collect anonymous and/or aggregated data regarding the Customer’s use of the Services, provided that no individual natural person can be identified from such data (“Aggregate Data”). The Aggregate Data will be used to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services. Company shall own all right, title and interest in and to the Aggregate Data and Company shall not be required to process such data in accordance with this DPA.
- Subject to clause 3.3, the Customer hereby provides general authorisation for the Company to engage third party Sub-processors in connection with the provision of the Services. The Customer may find a current list of the types of sub-processing undertaken for the Company at www.edited.com/subprocessing (“Sub-processing List”), which the Customer acknowledges, accepts and authorises.
- Customer may receive notifications of new Sub-processors by emailing email@example.com with the subject “Subscribe”. If a Customer contact subscribes, Company shall notify the Customer of any material addition to the Sub-processing List before authorising a new Sub-processor to Process Personal Data in connection with the Services provided to the Customer. The Customer may object to Company’s use of a new Sub-processor in respect of a particular type of sub-processing by notifying Company promptly in writing within five (5) business days after receipt of Company’s notice explaining its legitimate reasons for objecting. In the event the Customer reasonably objects to a new Sub-processor, Company will take such objections into account and use reasonable efforts to mitigate any negative effects of such a change on the Customer.
- Company confirms that it has entered into or (as the case may be) will enter into a written agreement with any Sub-processor incorporating terms which are no less protective than those set out in this Agreement to the extent applicable to the nature of the Services provided by such Sub-processor. Company shall remain liable for the acts and omissions of its Sub-processors to the same extent Company would be liable if performing the services of each Sub-processor directly under the terms of this DPA.
INTERNATIONAL TRANSFERS
- Where the Customer signing this DPA is based inside the EEA, Company shall not transfer Personal Data to any country outside of the EEA except for transfers to and from: (i) any country which has a valid adequacy decision from the European Commission; or (ii) any organisation which ensures an adequate level of protection in accordance with the applicable Data Protection Laws; or (iii) otherwise in accordance with the Data Protection Laws.
- In light of Brexit and the Schrems II case:
- if any Personal Data transfer from Customer to Company occurs where such a transfer would require the parties to have entered into the Standard Contractual Clauses (“SCCs”) in order to comply with the Data Protection Laws, the SCCs shall be deemed incorporated into this DPA as if laid out in full herein and the parties hereby agree to be bound by such SCCs in respect of such transfer; and
- in respect of any transfer of data to non-EEA territories, and to provide further appropriate safeguards and additional measures so as to align with the equivalent level of protection as in the EEA, the Company will, to the reasonable extent that it is able, seek protective injunctions preventing any governmental entity from accessing, in breach of the Data Protection Laws, any Personal Data held by Company in such non-EEA territories upon becoming aware of the same. Further, Company, upon becoming aware of the same, and to the extent permitted by law, will inform Customer of any access or attempted access made by governmental entities in breach of the Data Protection Laws in respect of Personal Data.
- If any Personal Data transfer from Company to any non-EEA Sub-processor requires execution of the Standard Contractual Clauses in order to comply with the Data Protection Laws, the Customer hereby authorises Company to enter into the Standard Contractual Clauses with the Sub-processor for and on behalf of the Customer as the relevant data exporter and the details contained in Schedule 1 shall form appendix 1 of the Standard Contractual Clauses (to the extent applicable). Company shall make the executed Standard Contractual Clauses available to the Customer on written request. For the avoidance of doubt, this includes transfers of Personal Data to Company’s US affiliate, Stylescape Inc.
LIMITATION OF LIABILITY
Each party’s liability arising out of or related to this DPA, whether in contract, tort (including negligence), for breach of statutory duty or otherwise, is subject to the limitations of liability contained within the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together.
SCHEDULE 1 – PROCESSING ACTIVITIES
Categories of Data Subjects
The Personal Data processed shall concern the following categories of Data Subjects (please specify):
Individual employees of the Customer
Categories of data
The Personal Data processed shall concern the following categories of data (please specify):
Job title, organisation, department, office location and time zone
Usage information relating to use of the Software and Application and date of joining
Information submitted as part of any training sessions provided by or on behalf of the Data Subject
Further information submitted by or on behalf of the Data Subject as part of use of the Services
Special categories of data (if appropriate)
The Personal Data processed shall concern the following special categories of data (please specify):
Processing operations and duration of processing
The Personal Data processed will be subject to the following basic processing activities (please specify):
The Personal Data shall be processed for the Customer in respect of certain Services provided by Company to the Customer pursuant to the Agreement relating to the provision of industry standard tools used by retailers and companies working with retailers.
Company shall process the Personal Data in accordance with the Customer’s instructions from time to time and shall not process the Personal Data for any purpose other than those expressly authorised by the Customer or as set out in the Agreement.
Unless otherwise agreed in writing, Company shall retain the Personal Data up to twelve months following termination of the Agreement. This period is deemed necessary to reinstate swiftly all existing user dashboards and materials upon renewal of the Agreement and ensure continuity to the provision of the Services, should the Agreement be terminated for a short period of time. Subject to the foregoing, Company shall carry out no further Processing of the Personal Data following termination of the Agreement.