This Data Processing Addendum (“Addendum”) shall govern the processing by Flock of End User Data shared by the Customer.
1.1 “Controller” shall refer to the Customer;
1.2 “Data Subject” means the identified or identifiable person to whom End User Data relates;
1.3 “Data Breach” or “Breach” means any suspected or actual security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, End User Data transmitted, stored or otherwise Processed.
1.4 “End User Data” shall have the meaning ascribed to it in the Agreement;
1.5 “EU Resident” refers to the individual of the European Union who is governed by the provisions of GDPR;
1.6 “GDPR” shall have the meaning ascribed to it in the Agreement;
1.7 “Parties” shall collectively refer to Flock and the Customer;
1.8 “Process” and “Processing” means any operation or set of operations which is performed upon End User Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
1.9 “Processor” means the Party which Processes End User Data on behalf of the Controller which shall be Flock for the purpose of this Addendum;
1.10 “Sub-Processor” means any entity engaged by the Processor to Process End User Data; and
1.11 “Sub-Processor URL” shall refer to the URL containing the list of Sub-Processors engaged by the Processor which is accessible at (https://support.neo.space/hc/en-us/articles/14464267754393-List-of-Sub-processors).
2. APPLICABILITY OF GDPR
2.1 The Parties agree that the rights and obligations of each Party, as well as the Data Subjects under this Addendum shall only arise if GDPR accords such rights or obligations to such Party or the Data Subjects, as applicable. It is clarified that in the event GDPR does not create an obligation on any Party, then notwithstanding anything else provided in this Addendum, such obligation shall not be applicable on such Party.
3. PROCESSING OF DATA
3.1 Processor’s obligations: By entering into this Addendum, the Parties agree that the Processor shall Process all End User Data in order to perform its obligations set out in the Agreements or in accordance with any other written instructions given by the Controller and acknowledged by the Processor in writing which shall constitute as instructions for purposes of this Addendum. As of the date that the Processor is required to Process End User Data, the Processor agrees and acknowledges that it shall comply with the instructions described above (including with regard to data transfers) unless GDPR prohibits the same, in which case the Processor will inform the Controller via Email.
3.2 Standard Data Protection Clauses under GDPR: In the event the End User Data is subject to the provisions of the GDPR, and either the Processor or Controller is not subject to the provisions of GDPR, then the Parties acknowledge that the standard data protection clauses prescribed under Article 46 (2)(c) of the GDPR are incorporated herein by reference.
4. RIGHTS OF DATA SUBJECTS
4.1 The Processor shall, to the extent legally permitted, promptly notify the Controller if the Processor receives any requests from a Data Subject to exercise the rights given to a Data Subject as per the provisions of GDPR (“Data Subject Request”).
4.2 Taking into account the nature of the Processing, the Processor shall assist the Controller with appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to a Data Subject Request under GDPR. In addition, to the extent the Controller does not have the ability to address a Data Subject Request, the Processor shall, upon the Controller’s request, provide commercially reasonable efforts to assist the Controller in responding to such Data Subject Request, to the extent the Processor is legally permitted to do so and the response to such Data Subject Request is required under GDPR.
5.1 Consent to sub-processing: The Controller acknowledges and agrees that the Processor may engage third-party Sub-Processors in order to perform its obligations under the Agreements and this Addendum. Further, the Processor will enter into a written agreement with each Sub-Processor containing data protection obligations that provide at least the same level of protection for the End User Data as those in this Addendum, to the extent applicable to the nature of the services provided by such Sub-Processor. In the event the End User Data is subject to the provisions of GDPR, and the Sub-Processor is not subject to the provisions of GDPR, then the Processor acknowledges that the written agreement executed with the Sub-Processors under this Clause 5.1 shall incorporate by reference, the standard data protection clauses prescribed under Article 46 (2)(c) of the GDPR.
5.2 The Parties agree and acknowledge that if GDPR is applicable, then prior to the Processor engaging any Sub-Processor during the term of the Agreements, the Processor will, at least 15 (Fifteen) calendar days before such Sub-Processor processes any End User Data, inform the Controller of the engagement (including the name and location of the relevant Sub-Processor and the activities it will perform) by sending an email to the notified email address of the Controller.
5.3 With respect to End User Data, a current list of Sub-Processors engaged by the Processor, including the identities of these Sub-Processors and their country of location, is accessible at the Sub-Processor URL.
5.4 The Controller may reasonably object to the Processor’s use of a new Sub-Processor under Clause 5.3 above (e.g., if making End User Data available to the Sub-Processor may violate GDPR or weaken the protections for such End User Data) by notifying the Processor promptly in writing within 3 (Three) Business Days after receipt of the Processor’s notice in accordance with the mechanism set out in Clause 5.4 above. Such notice shall explain the reasonable grounds for the objection. In the event the Controller objects to a new Sub-Processor, as permitted in the preceding sentence, the Processor will use commercially reasonable efforts to make available to the Controller, a commercially reasonable change to the Controller’s configuration to avoid Processing of End User Data by the objected new Sub-Processor. If the Processor is unable to make available such change within a reasonable period of time, which shall not exceed 30 (Thirty) Business Days, either party may terminate without penalty as per the procedure stipulated in the Agreements.
6.1 Controls for the Protection of Data: The Processor shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, End User Data), confidentiality and integrity of End User Data as is required by GDPR. The Processor shall regularly monitor compliance with these measures. The Processor will not materially decrease its overall security during the term of the Agreements.
6.2 Third-Party Certifications and Audits. The Processor or its Affiliates represent that they have obtained third-party certifications and audits as set forth in GDPR. Upon the Controller’s request, and subject to the confidentiality obligations set forth in the Agreements, the Processor shall make available to the Controller (or the Controller’s independent, third-party auditor) information regarding the Processor’s compliance with the obligations set forth in this Addendum in the form of the third-party certifications and audits. The Controller may contact the Processor to request an on-site audit of the Processor’s procedures relevant to the protection of End User Data, but only to the extent to the application of, and as required under GDPR. The Controller shall reimburse the Processor for any time expended for any such on-site audit at the Processor’s then-current rates, which shall be made available to the Controller upon request. Before the commencement of any such on-site audit, the Controller and the Processor shall mutually agree upon the scope, timing, and duration of the audit, in addition to the reimbursement rate for which the Controller shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by the Processor. The Controller shall promptly notify the Processor with information regarding any non-compliance discovered during the course of an audit, and the Processor shall use commercially reasonable efforts to address any confirmed non-compliance.
6.3 Data Breach: In the event of a Data Breach arising during the performance of the services by Processor, the Processor shall, at its own cost:
- Notify the Controller in writing about the Breach within 3 (Three) days of becoming aware of it, and provide information about:
[A] The nature of the Breach including where possible the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Data records concerned;
[B] The name and contact details of the data protection officer or other contact point where more information can be obtained;
[C] The likely consequences of the Breach; and
[D] The measures taken or proposed to be taken to address the Breach including, where appropriate, measures to mitigate adverse effects.
- After investigating the causes of such a Breach, take such actions as may be necessary or reasonably expected by the Controller to minimize the effects of the Breach.
- Take all actions as may be required by the respective regulator under GDPR and more generally, provide the Controller with reasonable assistance in relation to the Controller’s obligation to notify the Breach to the Governmental Authority.
- Maintain any record of all information relating to the Breach, including the results of its own investigations and authorities’ investigations.
- Take all measures necessary to prevent future Breaches from occurring.
- Where the Controller determines that a Breach notification is required under GDPR, the Processor shall reimburse the Controller for all reasonable costs associated with providing notification to Governmental Authorities, unless the Processor demonstrates that the Breach was caused by the Controller’s negligence or wilful misconduct.
RETURN AND DELETION OF DATA
- Upon termination/expiry of the Agreements for which the Processor is Processing End User Data, the Processor shall, upon the Controller’s request and only if required under GDPR, and subject to the limitations described in the Agreements, if any, return all End User Data in the Processor’s possession to the Controller or securely destroy such End User Data and demonstrate to the satisfaction of the Controller that it has taken such measures.
TRANSFER MECHANISMS
- The Processor shall not Process, host or sub-Process End User Data in any third-party country beyond the territorial jurisdiction of GDPR (“Third-Party Country”) and/or have End User Data processed in any Third-Party Country (including through a Sub-Processor), unless the Processor has the specific prior written consent of the Controller.
- Where such specific prior written approval has been granted, the Processor shall warrant that any duly authorised Sub-Processor processing End User Data in any Third-Party Country shall comply with the same obligations as set forth in this Addendum.
EFFECT OF THIS ADDENDUM
- To the extent of any conflict or inconsistency between the terms of this Addendum and any other agreement governing the Processing of End User Data executed by and between the Parties, the terms of this Addendum shall prevail.
- Except as agreed upon by the Parties in this Addendum, all other definitions, interpretations, terms and conditions of the Agreements shall continue to be binding and applicable on both Parties.