for Compliance with the EU General Data Protection Regulation
PLEASE READ THE FOLLOWING TERMS CAREFULLY. BY ACCESSING OR USING THE SERVICES THAT MAY ENTAIL PROCESSING OF PERSONAL DATA, YOU AGREE TO BE BOUND BY THESE TERMS. IF YOU DO NOT AGREE TO ALL OF THESE TERMS, YOU MAY NOT ACCESS OR USE THE SERVICES PROVIDED BY US.
This is a Data Processing Agreement (“DPA”) between RocketBees LLC dba DataBees (“Processor”) and you and/or your company/companies (“Controller”) (Controller and Processor shall be known as the “Parties”). The Parties do business pursuant to which the Processor provides services to Controller pursuant to Processor’s terms of service (collectively, the “Services”) that may entail the Processing of Personal Data (as defined below). The Parties may have one or more existing agreements (the “Agreements”).
The European General Data Protection Regulation (GDPR) imposes specific obligations on CONTROLLER and other companies (controllers) with regard to their vendor relationships. The GDPR requires companies to conduct appropriate due diligence on processors and to have contracts containing specific provisions relating to data protection.
The Parties are required to comply with all applicable laws. This DPA documents the data protection requirements imposed upon the parties by the GDPR. This DPA is hereby incorporated by reference into any and all Agreements in order to demonstrate the Parties’ compliance with the GDPR. In the absence of any Agreements, this DPA shall stand alone as an agreement between the Parties.
For purposes of this DPA, “GDPR” means Regulation (EU) 2016/679, the General Data Protection Regulation, together with any additional implementing legislation, rules or regulations that are issued by applicable supervisory authorities. Words and phrases in this DPA shall, to the greatest extent possible, have the meanings given to them in Article 4 of the GDPR. In particular:
“Personal Data” has the meaning given to it in Article 4(1) of the GDPR: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,” but only to the extent such personal data pertain to residents of the European Economic Area (EEA) or are otherwise subject to the GDPR.
“Personal Data Breach” has the meaning given to it in Article 4(12) of the GDPR: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
“Processing” has the meaning given to it in Article 4(2) of the GDPR: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
“Subprocessor” means any processor as defined in Article 4(8) of the GDPR: “a natural or legal person, public authority, agency or other body which processes personal data” on behalf of the Processor (including any affiliate of the Processor).
“Transfer” means to disclose or otherwise make Personal Data available to a third party (including to any affiliate or Subprocessor), either by physical movement of the Personal Data to such third party or by enabling access to the Personal Data by other means.
The Controller determines the purposes and means of the processing of Personal Data. The Controller shall comply with its obligations pursuant to the GDPR or any other applicable data protection legislation, including the responsibility to ensure the necessary legal basis for collecting, processing and transfer of Personal Data.
In accordance with Article 28(1) of the GDPR, Processor represents that it has implemented appropriate technical and organisational measures in such a manner that its Processing of Personal Data will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects.
In accordance with Article 28(2) of the GDPR, Controller hereby authorizes the Processor to engage its partners and affiliates as Subprocessors to provide the Services without additional written consent of the Controller. Processor shall inform Controller of any intended changes concerning the addition or replacement of Subprocessors and give Controller the opportunity to object to such changes. The Processor shall also comply with the requirements for subprocessing as set forth in Article 28(4) of the GDPR, namely that the data protection obligations set forth herein (and as may otherwise be agreed by the Processor in the Agreements) shall be imposed upon the Subprocessor, so that the Processor’s contract with the Subprocessor contains sufficient guarantees that the Processing will meet the requirements of the GDPR.
In accordance with Article 28(3) of the GDPR, the Parties agree to the following:
The Processor, to the extent required to perform the Services, shall process the Personal Data received from the Controller (or which the Processor is tasked by the Controller to produce, acquire or organize) only on behalf of the Controller and only (i) as needed to provide the Services, (ii) strictly in accordance with the express authorization and instructions that it has received from CONTROLLER (which may be specific instructions or instructions of a general nature or as otherwise provided by the Controller to the Processor), including with regard to any Transfers, and (iii) as needed to comply with the law (in which case, the Processor shall provide prior notice to CONTROLLER of such legal requirement, unless that law prohibits this disclosure);
Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
Processor shall take all security measures required by Article 32 of the GDPR, namely:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including for example as appropriate: (a) the pseudonymisation and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
The Processor shall take steps to ensure that any natural person acting under the authority of the Processor or the Subprocessor who has access to Personal Data does not process them except on instructions from Controller, unless he or she is required to do so by EEA Member State law.
Taking into account the nature of the processing, Processor shall reasonably assist Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of Controller’s obligation to respond to requests for exercising the data subject’s rights;
Taking into account the nature of processing and the information available to the Processor, Processor shall comply with (and shall reasonably assist Controller to comply with) the obligations regarding Personal Data Breaches (as set forth in Articles 33 and 34 of the GDPR), data protection impact assessments (as set forth in Article 35 of the GDPR), and prior consultation (as set forth in Article 36 of the GDPR);
At Controller’s discretion, the Processor shall delete or return all the Personal Data to Controller after the end of the provision of services relating to Processing, and delete existing copies unless applicable EEA member state law requires storage of the Personal Data;
The Processor shall provide Controller with all information necessary to demonstrate compliance with the obligations laid down in the GDPR;
Processor shall allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller to demonstrate compliance with the obligations laid down in the GDPR, provided that Controller bears all costs associated with such audits and inspections; and
The Processor shall immediately inform Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
The Processor shall not Transfer any Personal Data (and shall not permit its Subprocessors to Transfer any Personal Data) without the prior consent of Controller. The Processor understands that Controller must first approve and document that adequate protection for the Personal Data will exist after the Transfer, using contracts that provide sufficient guarantees (such as standard contractual clauses) unless another legal basis for the Transfer exists (e.g., the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks).
Subject to the obligations set forth in Section 6 above, Controller hereby authorizes Processor to process Personal Data outside the EEA in accordance with Chapter V of the GDPR.
The Processor will promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of the Personal Data. Processor will notify Controller without undue delay in the event of any Personal Data Breach. Controller is responsible for notifying any governing supervisory authority of such Personal Data Breach in a timely manner.
The Processor shall maintain all records required by Article 30(2) of the GDPR, and (to the extent they are applicable to Processor’s activities for Controller) Processor shall make them available to Controller upon request.
In case of an audit or any other inspection for compliance by a governing supervisory authority in connection with the processing of Personal Data subject to this DPA, the Processor shall provide reasonable assistance to the Controller, taking into account all relevant information available to the Processor. The Controller shall bear any costs accrued by the Processor related to such assistance.
Controller and Processor undertake, for a period of two years after the last exchange of information has occurred, to keep confidential any information which has commercial value and is either (i) technical information, including patent, copyright, trade secret, and other proprietary information, techniques, sketches, drawings, models, inventions, know-how, processes, apparatus, equipment, algorithms, software programs, software source documents, and formulae related to the current, future and proposed products and services of the disclosing Party, or (ii) non-technical information relating to a Party’s products, including without limitation pricing, margins, merchandising plans and strategies, finances, financial and accounting data and information, suppliers, customers, customer lists, purchasing data, sales and marketing plans, future business plans and any other information which is proprietary and confidential to the disclosing Party and other information designated as confidential by either Party (hereinafter referred to as “Confidential Information”), including but not limited to the Processor’s and its Subprocessors’ implemented technical and organizational security measures, and to protect the Confidential Information at least in the same manner as they do with their own trade secrets.
In addition, Controller and Processor undertake to use the Confidential Information only and exclusively to perform the Services and to meet the duties hereunder. A Party has the right to disclose the Confidential Information to third parties who are not associated with the disclosing Party only with the written consent of the other Party, except that Processor may provide Personal Data for processing purposes to its Subprocessors. Information is not considered Confidential Information as defined herein if it (a) was generally available to the public without violation of any obligation of confidentiality; (b) can be proven by either of the Parties to have been known to it prior to the disclosure by the other Party; (c) is rightfully received from a third party without restriction on disclosure; (d) is independently developed by the receiving Party; or (e) is disclosed pursuant to judicial order, pursuant to requirement of a governmental agency, or by operation of law. If a Party bound by confidentiality makes such a disclosure, then that Party shall inform the other Party within a reasonable time so as to allow the latter to take the required action to safeguard confidentiality and/or to reasonably satisfy the information requirement by other means.
Recognizing that improper use or disclosure of Confidential Information may cause the disclosing Party irreparable damage for which other remedies may be inadequate, the nonbreaching Party shall be entitled to equitable relief to protect its interest therein, including but not limited to injunctive relief, as well as money damages notwithstanding anything to the contrary contained herein.
Controller agrees, at its sole expense, to defend, indemnify and hold Processor, and its agents, affiliates, subsidiaries, directors, officers, employees, contractors, suppliers, and their respective directors, employees and agents, harmless from and against any and all actual or threatened suits, actions, proceedings (at law or in equity), claims, damages, payments, deficiencies, fines, judgments, settlements, liabilities, losses, costs and expenses (including, but not limited to, reasonable attorney fees, costs, penalties, interest and disbursements) caused by, arising out of, resulting from, attributable to or in any way incidental to any data processing activities which are subject to this DPA.
TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL PROCESSOR OR ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, CONTRACTORS, AGENTS, SUPPLIERS, SUBPROCESSORS OR LICENSORS BE LIABLE FOR PERSONAL INJURY, OR ANY INCIDENTAL, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF SALES OR BUSINESS, LOSS OF DATA, BUSINESS INTERRUPTION OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OF OR INABILITY TO USE THE SERVICES, HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT OR OTHERWISE) AND EVEN IF PROCESSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL PROCESSOR’S TOTAL LIABILITY TO CONTROLLER FOR ALL DAMAGES (OTHER THAN AS MAY BE REQUIRED BY APPLICABLE LAW IN CASES INVOLVING PERSONAL INJURY) EXCEED THE AMOUNT CONTROLLER HAS PAID FOR PROCESSOR’S SERVICES IN THE LAST SIX (6) MONTHS, OR, IF GREATER, THE AMOUNT OF ONE HUNDRED DOLLARS ($100.00).
SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY FOR PERSONAL INJURY, OR OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY. Any controversy or claim arising out of or relating to this DPA, or the breach thereof, shall be settled by arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, and judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof.
This DPA will be governed by the laws of the State of Delaware without regard to its conflict of law provisions. With respect to any disputes or claims not subject to arbitration, as set forth above, Controller and Processor agree to submit to the personal and exclusive jurisdiction of the state and federal courts located within the State of Delaware.
If any provision of this DPA shall be deemed unlawful, void or for any reason unenforceable, then that provision shall be deemed severable from this DPA and shall not affect the validity and enforceability of any remaining provisions.
With questions about this DPA you may contact Processor at the following email address: [email protected]