EDITED Data Processing Addendum
|This Data Processing Addendum (“DPA”) forms part of the software as a service agreement between the Client and Company for the provision of certain Services by Company to the Client (“Agreement”), and reflects what the parties have agreed in relation to the Processing of Personal Data. All capitalised terms not defined herein shall have the meaning set forth in the Agreement.|
In the course of providing the Services to the Client pursuant to the Agreement, Company may Process Personal Data on behalf of the Client (as further detailed in Schedule 1) and the parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
With effect from 12 December 2022, this DPA shall automatically take effect and govern Company’s processing of Personal Data, unless otherwise agreed in writing between the parties.
|DATA PROCESSING TERMS|
means Stylescape Limited, a Company registered in England and Wales, with Company number 06366729.
|“Client”||means the organisation listed on the Order Form only, and does not include any subsidiaries, parent companies or child companies unless otherwise explicitly defined in the Order Form.|
|“Data Controller”||means the entity which determines the purpose and means of Processing of Personal Data.|
|“Data Processor”||means the entity which Processes Personal Data on behalf of the Data Controller.|
|“Data Protection Laws”||means all laws and regulations as applicable: (a) General Data Protection 2016/679 (“GDPR”); (b) Data Protection Act 2018 c.12 (“UK GDPR”) (c) the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”); and (d) any other applicable data privacy and security laws and regulations.|
|“Data Subject”||means the identified or identifiable natural person to whom Personal Data relates.|
|“Personal Data”||means any information relating to an identified or identifiable natural person which is submitted by the Client in respect of the provision and use of the Services. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.|
|“Processing”||means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.|
|means (i) with respect to Member States of the European Economic Area (“EEA”) and Switzerland, the standard contractual clauses, specifically the (controller to processor) Module II clauses included in the Annex of the adopted Decision by the European Commission as of June 4, 2021, Decision EU 2021/914, on Standard Contractual Clauses (“EU Standard Contractual Clauses”) and (ii) with respect to the United Kingdom, referencing the EU Standard Contractual Clauses supplemented by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner’s office under §119A (1) Data Protection Act 2018, effective from the 21st March 2022 (“International Data Transfer Addendum”). (As amended from time to time.)|
|“Sub-processor”||means any Data Processor engaged by Company.|
|2. PROCESSING OF PERSONAL DATA |
2.1 The parties acknowledge and agree that in respect of Processing of Personal Data the Client is the Data Controller, Company is the Data Processor, and Company will only engage Sub-processors pursuant to this DPA.
2.2 The Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of the Data Protection Laws and shall ensure that any instructions provided to Company for the Processing of Personal Data shall comply with Data Protection Laws.
2.3 The Client shall ensure that it informs any Data Subjects whose Personal Data is disclosed to Company pursuant to the Agreement that the Client may use and disclose their personal Data to Company in accordance with this DPA, and that the relevant Data Subjects have, where necessary, consented to such Processing and disclosure. The Client shall be responsible for ensuring the Personal Data provided by the Client to be processed by Company pursuant to the Agreement is Processed on lawful grounds.
2.4 The Client must promptly notify Company in the event of any withdrawal of any relevant consent by any Data Subject whose Personal Data is Processed pursuant to the Agreement, giving sufficient details of the withdrawal to enable Company to comply with its obligations under the Data Protection Laws.
2.5 Each party must immediately notify the other if it becomes aware of a complaint or allegation of breach of the Data Protection Laws by any person or an investigation or enforcement action by a regulatory authority, in connection with the Agreement.
2.6 Company shall, to the extent required by applicable Data Protection Laws:
2.6.1 not access or use the Personal Data except as necessary to provide the Services, and shall only Process such Personal Data in accordance with this DPA and only on the Client’s instructions;
2.6.2 implement appropriate technical and organisational measures to protect any personal Data against unauthorised or unlawful Processing and accidental loss, disclosure, access or damage. Details of such measures are available on request;
2.6.3 cooperate and provide reasonable assistance to the Client in connection with the Client’s compliance with the Data Protection Laws insofar as it relates to the Services. This may include assistance with: (i) responding to requests from individuals or authorities, (ii) notifying data breaches to affected individuals or authorities; and (iii) carrying out data protection impact assessments;
2.6.4 delete or return to the Client all Personal Data upon the Client’s request or in accordance with Schedule 1 on termination or expiry of the Agreement, unless otherwise required under applicable laws;
2.6.5 ensure that persons authorised to access the Personal Data are subject to confidentiality obligations, whether by contract or statute;
2.6.6 as soon as reasonably practicable, promptly notify the Client in writing of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. The notice will specify: (i) the categories and number of individuals concerned; (ii) the categories and number of records involved; (iii) the likely consequences of the breach; and (iv) any steps taken to mitigate and address the breach;
2.6.7 give the Client access during normal working hours to audit any relevant records and materials held by Company which are necessary to demonstrate compliance by Company with its obligations under this DPA. To the extent permissible under Data Protection Laws, the Client shall: (i) reimburse Company for any reasonable costs incurred in relation to any audit requested by the Client; and (ii) take all steps necessary to minimise the disruption to Company’s business.
2.7 For the avoidance of doubt, Company shall be entitled to collect anonymous and/or aggregated data regarding the Client’s use of the Services, provided that no individual natural person can be identified from such data (“Aggregate Data“). The Aggregate Data will be used to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services. Company shall own all right, title and interest in and to the Aggregate Data and Company shall not be required to process such data in accordance with this DPA.
3.1 Subject to clause 3.3, the Client hereby provides general authorisation for the Company to engage third party Sub-processors in connection with the provision of the Services. The Client may find a current list of the types of sub-processing undertaken for the Company at www.edited.com/subprocessing (“Sub-processing List”), which the Client acknowledges, accepts and authorises.
3.2 Client may receive notifications of new Sub-processors by emailing email@example.com with the subject “Subscribe”. If a Client contact subscribes, Company shall notify the Client of any material addition to the Sub-processing List before authorising a new Sub-processor to Process Personal Data in connection with the Services provided to the Client. The Client may object to Company’s use of a new Sub-processor in respect of a particular type of sub-processing by notifying Company promptly in writing within five (5) business days after receipt of Company’s notice explaining its legitimate reasons for objecting. In the event the Client reasonably objects to a new Sub processor, Company will take such objections into account and use reasonable efforts to mitigate any negative effects of such a change on the Client.
3.3 Company confirms that it has entered into or (as the case may be) will enter into a written agreement with any Sub-processor incorporating terms which are no less protective than those set out in this Agreement to the extent applicable to the nature of the Services provided by such Sub-processor. Company shall remain liable for the acts and omissions of its Sub-processors to the same extent Company would be liable if performing the services of each Sub-processor directly under the terms of this DPA.
4. INTERNATIONAL TRANSFERS
4.1 Where the Client signing this DPA is based inside the EEA, Company shall not transfer Personal Data to any country outside of the EEA except for transfers to and from: (i) any country which has a valid adequacy decision from the European Commission; or (ii) any organisation which ensures an adequate level of protection in accordance with the applicable Data Protection Laws; or (iii) otherwise in accordance with the Data Protection Laws.
4.2 If any Personal Data transfer from Client to Company occurs where such a transfer would require the parties to have entered into the Standard Contractual Clauses (“SCCs”) in order to comply with the Data Protection Laws, the SCCs shall be deemed incorporated into this DPA as if laid out in full herein and the parties hereby agree to be bound by such SCCs in respect of such transfer; and
4.3 In respect of any transfer of data to non-ECC territories, and to provide further appropriate safeguards and additional measures so as to align with the equivalent level of protection as in the ECC, the Company will, to the reasonable extent that it is able, seek protective injunctions preventing any governmental entity from accessing, in breach of the Data Protection Laws, any Personal Data held by Company in such non-ECC territories upon becoming aware of the same. Further, Company, upon becoming aware of the same, and to the extent permitted by law, will inform Client of any access or attempted access made by governmental entities in breach of the Data Protection Laws in respect of Personal Data.
4.4 If any Personal Data transfer from Company to any non-EEA Sub-processor requires execution of the Standard Contractual Clauses in order to comply with the Data Protection Laws, the Client hereby authorises Company to enter into the Standard Contractual Clauses (“SCCs”) with the Sub-processor for and on behalf of the Client as the relevant data exporter and the details contained in Schedule 1 shall form appendix 1 of the Standard Contractual Clauses (to the extent applicable). Company shall make the executed Standard Contractual Clauses available to the Client on written request. For the avoidance of doubt, this includes transfers of Personal Data to Company’s US affiliate, Stylescape Inc.
5. LIMITATION OF LIABILITY
Each party’s liability arising out of or related to this DPA, whether in contract, tort (including negligence), for breach of statutory duty or otherwise, is subject to the limitations of liability contained within the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together.
SCHEDULE 1 – PROCESSING ACTIVITIES
The Personal Data processed shall concern the following categories of Data Subjects (please specify):
Individual employees of the Client
Categories of data
The Personal Data processed shall concern the following categories of data (please specify):
Job title, organisation, department, office location and time zone
Usage information relating to use of the Software and Application and date of joining
Information submitted as part of any training sessions provided by or on behalf of the Data Subject
Further information submitted by or on behalf of the Data Subject as part of use of the Services
Special categories of data (if appropriate)
The Personal Data processed shall concern the following special categories of data (please specify):
Processing operations and duration of processing
The Personal Data processed will be subject to the following basic processing activities (please specify):
The Personal Data shall be processed for the Client in respect of certain Services provided by Company to the Client pursuant to the Agreement relating to the provision of industry standard tools used by retailers and companies working with retailers.
Company shall process the Personal Data in accordance with the Client’s instructions from time to time and shall not process the Personal Data for any purpose other than those expressly authorised by the Client or as set out in the Agreement.
Unless otherwise agreed in writing, Company shall retain the Personal Data up to twelve months following termination of the Agreement. This period is deemed necessary to reinstate swiftly all existing user dashboards and materials upon renewal of the Agreement and ensure continuity to the provision of the Services, should the Agreement be terminated for a short period of time. Subject to the foregoing, Company shall carry out no further Processing of the Personal Data following termination of the Agreement.