DATA PROCESSING AGREEMENT
THIS AGREEMENT is an addendum to a Purchase Order
(1) SaleSpider Media Inc (hereafter referred to as Agency)
(2) [Supplier] (hereafter referred to as Supplier)
1.1 The Agency is engaged to provide certain services to a client. Pursuant to a Purchase Order (the “Services Agreement”), the Supplier shall provide services to Agency in support of those services (the “Services”). To the extent that the Supplier is processing Agency Personal Data as part of the Services, the terms contained in this Agreement will apply.
1.2 If the Services are altered during the term of the Services Agreement and the altered Services involve new or amended processing of Agency Personal Data, the parties will ensure that Annex 1 is updated as appropriate before such processing commences.
1.3 If there is any conflict or inconsistency between this Agreement and the Services Agreement, this Agreement will take precedence and apply to the extent of the conflict or inconsistency. The parties hereby agree that the Services Agreement is amended accordingly to give effect to this clause 1.3.
1.4 In respect of all processing of Agency Personal Data carried out pursuant to the Services Agreement, the parties agree that the Advertising Client (also herein referred to as “Client”) is the controller, the Agency is a processor and the Supplier is a sub-processor. As such, the Agency is acting on the instructions of the client and the Supplier agrees to act on instructions provided by the Agency to enable the Agency to provide services to the Client. Supplier hereby acknowledges that Advertising Client is an intended third party beneficiary of these terms and shall be entitled to enforce this Agreement fully as if it were the Agency under the Agreement.
1.5 The parties agree to comply with Data Protection Legislation.
2.1 For the purposes of this Agreement, capitalised terms shall have the meanings given below:
"Agency Personal Data" means any information (made available to the Supplier) relating to an identified or identifiable natural person (or “Data Subject” as defined herein) who can be identified or authenticated, directly or indirectly, in particular by referencing an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person and includes, but is not limited to, the personal data set out in Annex 1.
"Applicable Law" means (i) any and all laws, statutes, regulations, by-laws, orders, ordinances and court decrees that apply to the performance and supply of the Services or the processing of Agency Personal Data, and (ii) the terms and conditions of any applicable approvals, consents, exemptions, filings, licences, authorities, permits, registrations or waivers issued or granted by, or any binding requirement, instruction, direction or order of, any applicable government department, authority or agency having jurisdiction in respect of that matter.
“Complaint” means a complaint relating to either party's obligations under Data Protection Legislation relevant to this Agreement, including any compensation claim from a data subject and any notice, investigation or other action from a regulatory authority.
"Data Protection Legislation" means all Applicable Laws and codes of practice applicable to the processing of personal data, including the GDPR.
“Data Subject” shall have the meaning set out in GDPR or as otherwise defined under applicable Data Protection Legislation.
“DP Losses” means all liabilities, including all:
(a) costs (including legal costs), claims, demands, actions, settlements, ex-gratia payments, charges, procedures, expenses, losses and damages (including relating to material and non-material damage); and
(b) to the extent permitted by Applicable Law:
(i) administrative fines, penalties, sanctions, liabilities or other remedies imposed by a court or regulatory authority;
(ii) compensation to a data subject ordered by a court or regulatory authority; and
(iii) the costs of compliance with investigations by a regulatory authority.
“Further Sub-Processor” means another processor engaged by the Supplier for carrying out processing activities in respect of the Agency Personal Data on behalf of the Agency and authorised by the Agency in accordance with clause  of this Agreement.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as applicable as of 25 May 2018, as may be amended from time to time.
“Model Clauses” means the standard contractual clauses for the transfer of Agency Personal Data to Processors established in third countries which do not ensure an adequate level of data protection pursuant to EU Commission Decisions 2010/87/EU.
“Processing” means any operation or set of operations that is performed on Agency Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction. “Process” and “Processed” will have a corresponding meaning.
“Processing Instructions” has the meaning set out in clause [3.2.1] of this Agreement.
“Request” means a request from or on behalf of a data subject of Agency Personal Data to exercise any rights of data subjects under Data Protection Legislation.
"Security Incident" and “Personal Data Breach” mean a reasonably suspected or confirmed incident which resulted in (or which if successful would have resulted in) the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, Agency Personal Data while in the custody or control of the Supplier or a Further Sub-Processor, whether transmitted, stored, or otherwise Processed.
“controller”, and “processor” have the meanings set out in the GDPR.
3.1 A description of the subject matter and duration of Processing, nature and purpose of the Processing, the type of Agency Personal Data Processed, and categories of data subjects Processed in connection with the Services Agreement shall be included in any Processing Instructions and set out in Annex 1.
3.2 The Supplier shall:
3.2.1 Process Agency Personal Data only on documented instructions from the Agency, as set out in this Agreement (in particular, in Annex 1) or as otherwise provided by the Agency to the Supplier in writing from time to time (“Processing Instructions”), including with regard to transfers of Agency Personal Data to a third country or an international organization, unless required to do so by Data Protection Legislation. In such case, Supplier will cease processing and notify Agency without undue delay, unless otherwise required by Data Protection Legislation.
3.2.2 contact the Agency as soon as reasonably practicable if it is ever unsure as to the parameters of any Processing Instructions;
3.2.3 unless prohibited by Applicable Law, immediately notify the Agency if Applicable Law requires it to process Agency Personal Data other than in accordance with Processing Instructions (such notification to be made before such processing takes place);
3.2.4 not refuse to follow a Processing Instruction; and
3.2.5 immediately notify the Agency, if it becomes aware of a Processing Instruction that infringes Data Protection Legislation. Following such notification, the Agency shall have the right to suspend the Processing Instruction and either amend it (to the extent the Agency considers this is necessary for the purpose of complying with Data Protection Legislation) or terminate that part of the processing by the Supplier. In the event of such suspension or termination, to the extent that any elements of the fees and / or charges under the Services Agreement relate to such Processing Instruction, such fees and / or charges shall not be payable by the Agency and the Supplier waives any right it may have to such amounts; and
3.2.6 keep all Agency Personal Data separate from all other data including any data which relates to other clients of Supplier.
4.1 The Supplier has implemented and will maintain throughout the term of the Services Agreement, at its own cost and expense, appropriate technical and organisational measures, internal controls and information security routines to ensure the security of Agency Personal Data, to prevent the accidental, unauthorised or unlawful access, disclosure, alteration, loss, damage or destruction of Agency Personal Data, and to assist the Agency in ensuring compliance with the requirements for the security of processing as set out in Data Protection Legislation. Notwithstanding anything to the contrary, Supplier shall assist Agency in ensuring compliance with data security, Personal Data Breach, and engaging in other consultations, pursuant to Data Protection Legislation (including Articles 32 through 36 of the GDPR taking into account the nature of the processing and the information available to Supplier).
4.2 The measures referred to in clause [4.1] shall at all times:
4.2.1 be of at least the minimum standard required by Data Protection Legislation;
4.2.2 take all measures required in accordance with good industry practice and by Data Protection Legislation relating to the protection of Agency Personal Data (including, without limitation, pursuant to Article 32 of GDPR); and
4.2.3 be compliant with any minimum standards and/or requirements that the Agency may provide to the Supplier from time to time in writing.
5.1 If the Supplier becomes aware of, receives a notification regarding, or reasonably suspects a Security Incident it shall (at no cost to the Agency):
5.1.1 without undue delay (and in any event no later than twelve (12) hours after becoming aware of, receiving a notification regarding, or first suspecting the Security Incident) notify the Agency of the Security Incident;
5.1.2 without undue delay (and in any event no later than twenty four (24) hours after becoming aware of, receiving a notification regarding, or first suspecting the Security Incident) provide the Agency with detailed information about:
5.1.2.1 the nature of the Security Incident including the categories and approximate number of data subjects and Agency Personal Data records concerned;
5.1.2.2 the likely consequences of the Security Incident; and
5.1.2.3 the steps the Supplier has taken to address the Security Incident;
5.1.3 take all necessary steps to mitigate the effects and to minimise any damage resulting from the Security Incident and to prevent a recurrence of such Security Incident; and
5.1.4 provide such assistance and cooperation as the Agency requires in responding to the Security Incident including in relation to notifying any relevant regulatory authority and/or data subject of the Security Incident.
Requests and Complaints
5.2 If the Supplier receives a Request it shall (at no cost to the Agency):
5.2.1 record the Request and without undue delay (and in any event within three (3) calendar days of receipt) forward it to the Agency;
5.2.2 taking into account the nature of the Processing, assist the Agency by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Agency's obligation to respond to the Request; and
5.2.3 not respond to the Request without the Agency's prior written approval.
5.3 The Supplier shall promptly (and in any event within forty-eight (48) hours of receipt) inform the Agency if it receives a Complaint and provide the Agency with full details of such Complaint at no cost to the Agency.
6.1 The Supplier shall ensure that its personnel (and shall procure that the personnel of any Further Sub-Processor):
6.1.1 are reliable and receive adequate training on compliance with this Agreement and Data Protection Legislation;
6.1.2 have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, which shall be no less strict than the confidentiality obligations set forth in the Services Agreement;
6.1.3 are obligated to maintain the security of any Agency Personal Data to which they have access even after their engagement ends; and
6.1.4 do not process Agency Personal Data other than in accordance with Processing Instructions except where processing of Agency Personal Data is required by Applicable Law in which case the Supplier shall, where practicable and not prohibited by Applicable Law, notify the Agency of any such requirement before processing.
7. FURTHER SUB-PROCESSORS
7.1 The Supplier shall not permit another processor to process Agency Personal Data without the prior written approval of the Agency. Those processors who are approved by the Agency as Further Sub-Processors as at the date of this Agreement are set out in Annex 1.
7.2 Any authorisation by the Agency to use a Further Sub-Processor is given on the condition that the Supplier shall:
7.2.1 keep a written record containing at least the following information in relation to each Further Sub-Processor: (i) all of the information required by the “Permitted Further-Sub-Processors and Transfers” section of the table in Annex 1; (ii) the date on which the Agency gave the written approval referred to in clause [7.1]; and (iii) the name and job title of the person who gave such written approval on behalf of the Agency. The Supplier shall, on request, make a copy of this record available to the Agency;
7.2.2 ensure, before any processing of Agency Protected Data takes place, that the Further Sub-Processor is contractually bound to substantially similar obligations with respect to the processing of Agency Personal Data as to which the Supplier is bound by this Agreement (including in relation to providing such access and assistance as the Agency requires from time to time). The Supplier shall provide copies of documentation to evidence its compliance with this clause to the Agency promptly on request;
7.2.3 remain fully liable to the Agency for the Further Sub-Processor's performance, as well as for any acts or omissions of the Further Sub-Processor as regards its processing of Agency Personal Data; and
7.2.4 immediately cease using a Further Sub-Processor to process Agency Personal Data upon receiving written notice from the Agency directing the Supplier to do so.
8. EXTRATERRITORIAL PERSONAL DATA TRANSFERS
8.1 The Supplier shall (and shall ensure that any Further Sub-Processor shall) only transfer Agency Personal Data to a country outside the territory where it furnishes Services (including, but not limited to, the European Economic Area or Switzerland, Canada, United States, Brazil, and Argentina) in accordance with the Services Agreement and Agency's written instructions as set forth in Annex 1 of this Agreement. Those transfers approved by the Agency as at the date of this Agreement are set out in Annex 1.
8.2 The Supplier shall ensure that any approved transfer is carried out:
8.2.1 In accordance with this Agreement;
8.2.2 in compliance with Data Protection Legislation; and
8.2.3 in accordance with the transfer mechanism agreed with the Agency (as set out in Annex 1 or as otherwise agreed with the Agency in writing pursuant to paragraph 8.3).
8.3 The Supplier shall (i) ensure that Agency Personal Data collected within the European Economic Area (“EEA”) will not be Processed outside of the EEA, and Personal Data collected in any other country (i.e. not within the EEA) will not be Processed outside of that country, unless Agency has given its prior written consent and either (a) Supplier and Agency and/or relevant affiliates have entered into the Model Clauses or an alternative data transfer agreement in a similar form to the Model Clauses as may be approved by Agency from time to time at its discretion or (b) other binding and appropriate transfer mechanisms that comply with Data Protection Legislation, (ii) provide, at Supplier's own cost, reasonable cooperation, assistance, and information to Agency in relation to queries, complaints and other correspondence with any Data Subject or regulatory body (including Data Subject access requests) and as may be reasonably required to enable Agency to comply with its obligations under applicable Data Protection Legislation, and (iii) amend, update, supplement, return or delete any Agency Personal Data as soon as reasonably practicable at Agency's request.
9. COMPLIANCE PROCEDURES AND ASSISTANCE WITH REGULATORS
9.1 The Supplier shall (at no cost to the Agency):
9.1.1 maintain a record of all categories of processing carried out on behalf of the Agency;
9.1.2 make the same available to the Agency and, subject to clause 9.1.3, to any relevant regulatory authority on request;
9.1.3 provide to the Agency a copy of any correspondence with a relevant regulatory authority relating to the Services Agreement or to Agency Personal Data in advance of providing that correspondence to such regulatory authority;
9.1.4 co-operate and assist the Agency with any privacy impact assessments and consultations with (or notifications to) relevant regulatory authorities that the Agency reasonably considers are relevant pursuant to Data Protection Legislation in relation to the Agency Personal Data and the Services; and
9.1.5 comply with all reasonable requests or directions by the Agency to verify and/or procure the Supplier's full compliance with its obligations under Data Protection Legislation and this Agreement.
9.2 In addition to 9.1, Supplier shall make available to Agency any other information that is reasonably required to demonstrate compliance with Data Protection Legislation (including the obligations laid down in Article 28 of the GDPR) and allow for and contribute to audits (as described in Section 10 and the Services Agreement).
9.3 Supplier shall, in a timely manner, reasonably cooperate with any applicable regulatory bodies or authorities with jurisdiction or oversight over Data Protection Legislation in respect of any investigations or inquiries made pursuant to their regulatory authority.
10. AUDIT AND INSPECTION
10.1 During the term of the Services Agreement and for four (4) years thereafter, Supplier will keep clear, accurate, complete and up-to-date records in respect of Supplier's performance of its respective obligations under this Agreement. Agency will be entitled to choose any auditor(s) (including an external third party certified public accountant or industry specialist and/or internal auditors) to audit for compliance with privacy and security as required by this Agreement. Subject to 15 days' notice from the Agency (and using its best efforts to avoid disrupting Supplier's operations) the Supplier shall (and shall procure that any Further Sub-Processor shall):
10.1.1 provide reasonable access to the requested records (which may be retained as evidence of such audit) and its facilities;
10.1.2 permit the Agency and/or an auditor of its choosing to conduct audits and inspections of the Supplier's (or any Further Sub-Processor's) systems and processes in relation to the processing of Agency Personal Data;
10.1.3 contribute to such audits and inspections; and
10.1.4 allow the Agency to share the results of any such audit or inspection with the Agency's client or a relevant regulatory authority.
10.2 If any audit or inspection reveals non-compliance by the Supplier (or any Further Sub-Processor) with its obligations under Data Protection Legislation or a breach by the Supplier of its obligations under this Agreement, the Supplier shall promptly at the request of the Agency:
10.2.1 pay the costs of the Agency (or its qualified representative) of the audit or inspection; and
10.2.2 resolve (and shall procure that any Further Sub-Processor resolves), at its own cost and expense all data protection and security issues discovered during the audit or inspection which reveal a breach or potential breach by the Supplier (or any Further Sub-Processor) of its obligations under this Agreement.
11.1 The Supplier shall, at the Agency's option, without undue delay, either delete or return all Agency Personal Data and cease Processing such Agency Personal Data after the end of the provision of the Services related to the Processing, required by Applicable Law.
11.2 At the same time as deleting or returning Agency Personal Data under clause [11.1], the Supplier shall also delete any existing copies of Agency Personal Data unless storage of such copies is required by Applicable Law (in which case the Supplier shall notify the Agency of that requirement).
12.1 The Supplier shall indemnify and keep indemnified the Agency in respect of all DP Losses suffered or incurred by, awarded against or agreed to be paid by, the Agency or the Agency's client arising from or in connection with:
12.1.1 any breach by the Supplier of its obligations under this Agreement or Data Protection Legislation; or
12.1.2 the Supplier (or any person acting on its behalf including a Further Sub-Processor) acting outside or contrary to the Processing Instructions of the Agency in respect of the processing of Agency Personal Data.
12.2 Supplier agrees that it will promptly provide all materials and information requested by Agency that is relevant to the defence of any claim arising out of or related to the violation of Data Protection Legislation.
13.1 Agency shall be entitled to immediately terminate this Agreement by notice in writing to the Supplier if:
13.1.1 the Supplier is in breach of this Agreement which, in the case of a breach capable of remedy, has not been remedied within fourteen (14) calendar days from the date of such breach; or
13.1.2 the other becomes insolvent, has a receiver, administrator, or administrative receiver appointed over the whole or any part of its assets, enters into any compound with creditors, or has an order made or resolution passed for it to be wound up (otherwise than in furtherance of a scheme for solvent amalgamation or reconstruction).
13.2 This Agreement shall commence when signed by the last party and shall continue until:
13.2.1 terminated by either party in accordance with clause [13.1]; or
13.2.2 termination of the Services Agreement.
13.3 Failure by either party to exercise or enforce any rights available to that party or the giving of any forbearance, delay or indulgence shall not be construed as a waiver of that party's rights under this Agreement.
13.4 If any term or provision of this Agreement shall be held to be illegal or unenforceable, in whole or in part, under any enactment or rule of law, such term or provision or part shall to that extent be deemed not to form part of this Agreement but the enforceability of the remainder of this Agreement shall not be affected provided, however, that if any term or provision or part of this Agreement is severed as illegal or unenforceable, the parties shall seek to agree to modify this Agreement to the extent necessary to render it lawful and enforceable and as nearly as possible to reflect the intentions of the parties embodied in this Agreement including, without limitation, the illegal or unenforceable term or provision or part.
13.5 This Agreement and the documents attached to or referred to in this Agreement shall constitute the entire understanding between the parties as to its subject matter and shall supersede all prior agreements, negotiations and discussions between the parties in respect of the same subject matter. In particular, the parties warrant and represent to each other that in entering into this Agreement they have not relied upon any statement of fact or opinion made by the other, its officers, servants or agents which has not been included expressly in this Agreement. Further, each party hereby irrevocably and unconditionally waives any right it may have:
13.5.1 to rescind this Agreement by virtue of any misrepresentation; or
13.5.2 to claim damages for any misrepresentation whether or not contained in this Agreement;
save in each case where such misrepresentation or warranty was made fraudulently.
13.6 Notices shall be in writing and shall be sent to the other party marked for the attention of the person at the address set out below. Notices may be sent by first-class mail or facsimile transmission provided that facsimile transmissions are confirmed within 24 hours by first-class mail confirmation of a copy. Correctly-addressed notices sent by first-class mail shall be deemed to have been delivered 72 hours after posting and correctly directed facsimile transmissions shall be deemed to have been delivered instantaneously on transmission providing that they are confirmed as set out as above.
For the Agency: [email protected]
For the Supplier: [Insert name and address and fax number of someone at the Agency.]
13.7 This Agreement may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one agreement.
13.8 The parties have signed this Agreement on the date set out above.
[Note: Article 28(3) GDPR.]
Subject Matter, Nature and Purpose of processing
The Supplier is processing Agency Personal Data for the purpose of delivering to the Agency the Services described in the Services Agreement.
- Collection of data
The subject matter of such processing is as indicated below:
The duration of the processing described herein corresponds to the duration of the Agreement.
The subject matter of the processing of Agency Personal Data under the Services Agreement comprises the following data types/categories:
- Biometric information
The Agency Personal Data indicated in the row above relates to the following data subjects:
- Agency client’s personnel or Subprocessor
The processing of Agency Personal Data shall be subject to the restrictions described in the Services Agreement and the Agreement. If there is any conflict or inconsistency between the Services Agreement and the Agreement, clause 1.3 of the Agreement shall apply.
Processor Data Protection Officer
[Juvenal Flores, 416-221-0447 ext 224, Joseph Rothstein 416-221-0447 ext 234]
Permitted Sub-Processors and Transfers
Collection, Recording, Organisation, Structuring, Storage, Adaptation, Combining of data
EU, Canada and the US
Any other Sub-Processor must be confirmed and approved by the Processor Data Protection Officer of SaleSpider Media in writing prior to any Data Processing.
Collection, Recording, Organisation, Structuring, Storage, Adaptation, Combining of data
EU, Canada and the US