GDPR Data Processing Addendum
Effective Date: 25th of May 2018
This Data Processing Addendum (“DPA”) is made as of the Effective Date by and between CELLXPERT and Client, pursuant to the Principal Services Agreement or the License Agreement, Terms of Service, as applicable (“Agreement”).
This DPA overrides any previous CELLXPERT data processing agreement and may only be varied in writing by and at the instigation of CELLXPERT, or by agreement between CELLXPERT and a client, should the performance of the DPA be then operative between CELLXPERT and a particular client.
This DPA amends the Agreement and sets out the terms that apply when Personal Data is processed by CELLXPERT under the Agreement. The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose Personal Data are processed. Other capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.
- a) “EEA” means the European Economic Area, which constitutes the member states of the European Union, the United Kingdom, Norway, Iceland and Liechtenstein.
- b) “EU Data Protection Legislation” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (as amended, replaced or superseded) (“GDPR”);
- c) “Controller” shall mean the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data – in this case the Client;
- d) “Processor” shall mean an entity which processes Personal Data on behalf of the Controller – in this case CELLXPERT;
- e) “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Client Data and is protected similarly as personal data or personally identifiable information under applicable Data Protection Law.
- f) “Data Subject” means the individual to whom Personal Data relates.
- g) “Instruction” means the written, documented instruction, issued by Controller to Processor, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
- h) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- i) “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.
1.1 This DPA will apply only to the extent that CELLXPERT processes Personal Data from the EEA on behalf of the Client.
2. Details of the Processing
2.1. Categories of Data Subjects.
Controller’s Contacts and other end users including Controller’s employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects also include individuals attempting to communicate with or transfer Personal Data to the Controller’s end users.
2.2. Types of Personal Data
Contact Information, the extent of which is determined and controlled by the Client in its sole discretion, and other Personal Data such as navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end users via the Service.
2.3. Subject-Matter and Nature of the Processing
The subject-matter of Processing of Personal Data by Processor is the provision of the services to the Client that involves the Processing of Personal Data. Personal Data will be subject to those Processing activities as may be specified in this DPA.
2.4. Purpose of the Processing
Personal Data will be Processed for purposes of providing the services set out and otherwise agreed to in the Terms of Service and this DPA.
2.5. Duration of the Processing
Personal Data will be Processed for the duration the services are provided by CELLXPERT to the Client.
3. Data Protection
3.1. Parties’ Roles. To the extent that CELLXPERT processes Personal Data in the course of providing the Services, it will do so only as a Processor acting on behalf of Client (as Controller) and in accordance with the requirements of the Agreement.
3.2. Purpose Limitation. CELLXPERT will process the Personal Data only for the purpose of providing the Services and in accordance with Controller’s lawful instructions.
3.3. Scope of Processing. The subject matter and duration of processing, nature and purpose of processing, specific types of Personal Data that CELLXPERT will process and categories of Data Subjects whose Personal Data will be processed are set forth in Schedule 1 (Scope of Processing). Within the scope of this DPA and in its use of the services, Controller shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to the Processor and the Processing of Personal Data. For the avoidance of doubt, Controller’s instructions for the Processing of Personal Data shall comply with the Data Protection Law. This DPA is Client’s complete and final instruction to CELLXPERT in relation to Personal Data and that additional instructions outside the scope of DPA would require prior written agreement between the parties. Instructions shall initially be specified in this DPA and may, from time to time thereafter, be amended, amplified or replaced by Controller in separate written instructions (as individual instructions).
3.4. Compliance. Client, as Controller, shall be responsible for ensuring that: a) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including EU Data Protection Legislation; and b) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to CELLXPERT for processing in accordance with the terms of the Agreement and this DPA.
3.5. Client Obligations. Without prejudice to the generality of clause 3.1., the Client, as Controller, shall be responsible for ensuring that, in connection with Customer Personal Data and the Services, (i) it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including EU Data Protection Legislation; and (ii) it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to CELLXPERT for processing in accordance with the terms of the Principal Services Agreement and this GDPR Addendum. Controller shall also inform Processor without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data.
3.6. Client Instructions. Client instructs CELLXPERT to process Personal Data (a) in accordance with the Agreement and Schedule 1; (b) to provide the Services and any related technical support; (c) as further specified via Client’s use of the Services (including in the settings and other functionality of the Services) and any related technical support; and (d) to comply with other reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement and this GDPR Addendum. Client will ensure that its instructions for the processing of Personal Data shall comply with the Data Protection Legislation.
CELLXPERT shall, in relation to any Personal Data processed in connection with the performance by CELLXPERT of its obligations under this Agreement:
- implement appropriate technical and organizational measures to safeguard Personal Data, taking into account the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
- ensure that any personnel whom Processor authorises to process Personal Data on its behalf is subject to confidentiality obligations with respect to that Personal Data. The undertaking to confidentiality shall continue after the termination of the above-entitled activities;
- comply with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred;
- assist the Client, at the Client’s cost and by appropriate technical and organizational measures considering the nature of processing, in fulfilling Client’s obligations to respond to Data Subject requests under the Data Protection Legislation, to the extent Client does not have access to the Personal Data necessary to respond to such requests through its use or receipt of the Services. For the avoidance of doubt, Client is responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability of that Data Subject’s Personal Data;
- take reasonable measures to cooperate and assist Client in conducting a data protection impact assessment and related consultations with any supervisory authority, if Client is required to do so under the Data Protection Legislation;
- notify the Client without undue delay on becoming aware of a Personal Data breach, provided that such breach is not caused by Client or Client’s personnel or end users;
- make available to Client all information reasonably necessary to demonstrate CELLXPERT’s compliance with this GDPR Addendum. No more than once per year, Client may engage a mutually agreed upon third party to audit CELLXPERT solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the GDPR. To request an audit, Client must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to [email protected]. The auditor must execute a written confidentiality agreement acceptable to CELLXPERT before conducting the audit. The audit must be conducted during regular business hours, subject to CELLXPERT’s policies, and may not unreasonably interfere with CELLXPERT’s business activities. Any audits are at Client’s sole cost and expense;
- upon termination or expiration of the Agreement, in accordance with the terms of the Agreement, cease all processing of Customer Personal Data and delete or make available to Client for retrieval all relevant Customer Personal Data in CELLXPERT’s possession, except as otherwise prohibited or allowed by EU member state laws or as required by any applicable law. CELLXPERT shall extend the protections of the Agreement and this GDPR Addendum to any such Personal Data and limit any further processing of such Personal Data to only those limited purposes that require the retention.
3.7. Sub-processors. To support delivery of our Services, CELLXPERT may engage and use data processors with access to certain Customer Data (each, a “Sub-Processor”). The Client consents to CELLXPERT appointing those companies as third-party processors of Personal Data under this agreement. CELLXPERT will contractually impose data protection obligations on its Sub-processors that are at least equivalent to those data protection obligations imposed on CELLXPERT under this GDPR Addendum.
The provisions of this Section shall mutually apply if the Processor engages a sub-Processor in a country outside the European Economic Area (“EEA”) not recognised by the European Commission as providing an adequate level of protection for personal data. If, in the performance of this DPA, CELLXPERT transfers any Personal Data to a sub-processor located outside of the EEA, CELLXPERT shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.
Transfers to subsequent third parties are covered by the service agreements with our Clients (the Controller). Furthermore, CELLXPERT supports End Users’ rights to retrieve any information retained on our servers which relates to such End User. CELLXPERT acknowledges that you have the right to access your Personal Information. We have processes in place to accommodate an End User’s rights to delete data, amend erroneous data, access data and receive Personal Data or Sensitive Data in a machine-readable, commonly used format, all subject to reasonable technical restraints and abilities.
Users are not obligated to provide us with any information by law. However, we require certain information in order to provide our services properly. Under some jurisdictions (such as E.E.A.), a User has a right to withdraw its consent at any time. In such a case, the withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.
Please note that consent for the gathering and processing of data for one Service does not automatically mean that a User consents to the processing of data in connection with other Services. Our Client (Data Controller) should always make sure that the User’s consent is relevant, clear, valid, and to the extent reasonably possible, not “bundled” with any other written agreement (especially if required under applicable laws), unambiguous and if required under applicable law, affirmative and active (meaning not by virtue of any inaction).
CELLXPERT aims to process only adequate, accurate and relevant data limited to the needs and purposes for which it is gathered. It also aims to store data for the time period necessary to fulfill the purpose for which the data is gathered. CELLXPERT only collects data in connection with a specific legitimate purpose.
4. Data Transfers
4.1. Controller acknowledges and agrees that, in connection with the performance of the services under this DPA, Personal Data will be transferred to CELLXPERT in Israel. CELLXPERT is compliant with the directives regarding Personal Data protection in Israel, and is implementing appropriate safeguards for such transfers, pursuant to Article 46 of the GDPR.
5. Deletion or Retrieval of Personal Data
5.1. Other than to the extent required to comply with Data Protection Law, following termination or expiry of this DPA, Processor will delete all Personal Data (including copies thereof) processed pursuant to this DPA. If Processor is unable to delete Personal Data for technical or other reasons, Processor will apply measures to ensure that Personal Data is blocked from any further Processing.
5.2. Controller shall, upon termination or expiration of this DPA and by way of issuing an Instruction, stipulate, within a period of time set by Processor, the reasonable measures to return data or to delete stored data. Any additional cost arising in connection with the return or deletion of Personal Data after the termination or expiration of this DPA shall be borne by Controller.
6.1 Except as stated in this GDPR Addendum, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this GDPR Addendum, the terms of this GDPR Addendum will control as it relates to processing Customer Personal Data.
6.2 Any claims brought under this GDPR Addendum shall be subject to the terms and conditions, including but not limited to, the exclusion and limitations set forth in the Agreement.
Schedule 1 Scope of Processing
Details of Data Processing
- Subject matter: The subject matter of the data processing under this GDPR Addendum is the Data Subject’s Personal Data.
- Duration: As between CELLXPERT and Client, the duration of the data processing under this GDPR Addendum is until the termination of the Agreement in accordance with its terms, except as otherwise required by applicable law.
- Purpose: The purpose of the data processing under this GDPR Addendum is the provision of the Services to the Client and the performance of CELLXPERT’s obligations under the Agreement (including this GDPR Addendum) or as otherwise agreed by the parties in mutually executed written form.
- Nature of the processing: CELLXPERT provides complete solutions for Ad Serving, Tracking and Managing performance systems and other Services as described in the Agreement, which process Customer Personal Data upon the instruction of the Client, in accordance with the terms of the Agreement.
- Categories of data subjects: Client may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
  - Employees, agents, advisors, representatives, consultants, partners of Clients (who are natural persons);
  - Client’s end-users authorized by Client to use the Services.
- Types of Personal Data: Customer may submit Client Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to, the following types of Personal Data:
  - identification and contact data;
  - financial information;
  - certain information about Client’s end users (such as IP address and advertising identifier).
- Sensitive Personal Data (if applicable): Customer shall not send CELLXPERT any Sensitive Personal Data (as defined in the Data Protection Legislation).