DATA PROCESSING ADDENDUM
Last updated: August 27, 2020
3. The Customer Personal Data Processed by Data Processor includes and shall be limited to the following categories of data: (i) identification and contact information (such as name, email address, address, title and contact details) of Data Controller and Data Controller’s customers and other contacts; (ii) Data Controller’s purchase information, including payment method, products purchased, and billing information; and (iii) information gathered in connection with the provision of services to Data Controller relating to Data Controller’s contacts, including (a) analytics and information about marketing emails and other campaigns sent by Data Processor on behalf of Data Controller (including open rates and similar usage data) and (b) device, browser and information related to Data Controller’s contacts identified through use of the Services.
4. The Customer Personal Data Processed by Data Processor may contain special categories of personal data.
The Addendum is being put in place to ensure that Data Processor processes Data Controller’s personal data on Data Controller’s instructions and in compliance with Applicable Data Protection Laws.
STANDARD TERMS FOR PROCESSING ADDENDUM
For the purposes of this Addendum, the following expressions bear the following meanings unless expressly stated otherwise:
“Applicable Data Protection Laws” means the data protection laws of various jurisdictions that are or may become applicable to the Data Processor, as determined by the Data Processor in its sole discretion, including without limitation, the General Data Protection Regulation 2016/679 (“GDPR”) and any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument of the Data Controller’s Member State which implements the GDPR, and the e-Privacy Directive 2002/58/EC (in each case as amended, consolidated, re-enacted or replaced from time to time);
“Data Subject” means an identified or identifiable natural person who is in the EEA, the UK and Switzerland (the “GDPR Countries”) or whose behavior is monitored in the GDPR Countries or whose rights are protected by the GDPR;
“Model Clauses” means the standard contractual clauses for the transfer of Personal Data to data processors established in Third Countries set out in the Commission Decision of 5 February 2010 (C(2010) 593), as amended by EU Commission Implementing Decision 2016/2297 of 16 December 2016;
“Process”, “Processed” or “Processing” have the meaning given in the GDPR; and
“Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time.
2. Conditions of Processing
3. Data Processor’s Obligations
3.1 Data Processor shall only Process Customer Personal Data on behalf of Data Controller and in accordance with, and for the purposes set out in, the documented instructions received from Data Controller from time to time. If Data Processor cannot provide such compliance for whatever reason (including if the instruction violates Applicable Data Protection Laws), it agrees to inform Data Controller of its inability to comply as soon as reasonably practicable at the email address provided by Data Controller to Data Processor.
3.2 Data Processor shall ensure that its personnel who are authorized to Process the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Data Processor shall implement and hold in force for the term of this Addendum specific technical and organizational security measures as required by the Applicable Data Protection Laws which are further detailed at https://www.endurance.com/privacy/information-security-policy (the “Security Policy”).
3.4 Data Processor shall notify Data Controller promptly upon receipt by Data Processor of a request from an individual seeking to exercise any of their rights under Applicable Data Protection Laws. Taking into account the nature of the processing, Data Processor shall, at Data Controller’s expense, assist Data Controller by appropriate technical and organizational measures, for the fulfillment of Data Controller’s obligation to respond to requests by Data Subjects to exercise their rights under Chapter III of the GDPR (including the right to transparency and information, the data subject access right, the right to rectification and erasure, the right to the restriction of processing, the right to data portability and the right to object to processing) and any other Applicable Data Protection Laws. Data Processor shall carry out a request from Data Controller to amend or correct any of the Customer Personal Data to the extent necessary to allow Data Controller to comply with its responsibilities under Applicable Data Protection Laws. Further, Data Processor shall carry out a request from Data Controller to block, transfer or delete any of the Customer Personal Data to the extent necessary to allow Data Controller to comply with its responsibilities as a data controller under the GDPR.
3.6 Upon termination of the Processing of Personal Data by Data Processor and at the choice of Data Controller, Data Processor shall either (i) delete all Customer Personal Data; or (ii) return all Customer Personal Data to the Data Controller and delete existing copies unless otherwise permitted or required by Applicable Data Protection Laws.
3.7 Data Controller may collect voluntary disclosures from the Data Processor or request the Data Processor to provide an expert opinion that proves compliance with their obligations under this Agreement or Applicable Data Protection Laws. If the voluntary disclosures or the expert opinion are not reasonably sufficient to prove Data Processor’s compliance with Applicable Data Protection Laws, Data Processor shall, subject to reasonable advance notice, permit the Data Controller or a third party authorized by the Data Controller and which is not a competitor of Data Processor to carry out the audits and inspections of the processing of Customer Personal Data by the Data Processor during normal business hours. Data Processor may require a third party auditor to enter into a confidentiality agreement before permitting it to carry out an audit or inspection. The auditing party shall bear its own costs in relation to such audit. The obligations set forth in this Section 3.7 shall only apply to Data Processor to the extent required by Applicable Data Protection Laws.
3.8 Data Controller acknowledges and agrees that Data Processor may, or may appoint an affiliate or third party subcontractor to, Process the Data Controller’s Personal Data in a Third Country, provided that it ensures that such Processing takes place in accordance with the requirements of Applicable Data Protection Laws. Data Controller hereby consents to Data Processor’s access to Data Subject Personal Data from the United States to the extent necessary for Data Processor to provide the Services.
3.9 The Data Controller acknowledges and agrees that the Data Processor may process the Data Subject Personal Data in the United States in accordance with the Data Processor’s Privacy Shield certification where the processor has a current and valid Privacy Shield certification, which can be accessed at https://www.privacyshield.gov/list. In the event the Privacy Shield is invalidated or the Data Processor does not have a current and valid Privacy Shield certification and the Data Processor processes, accesses, and/or stores Data Subject Personal Data in any Third Country, Data Processor shall comply with the data importer’s obligations set out in the Model Clauses, which are hereby incorporated into and form part of this Addendum. The processing details set out at paragraphs a) to d) of the first page of this Addendum shall apply for the purposes of Appendix 1 of the Model Clauses and the terms of the Security Policy apply for the purposes of Appendix 2 of the Model Clauses. Data Controller hereby grants Data Processor a mandate to execute the Model Clauses, for and on behalf of Data Controller, with any relevant subcontractor (including affiliates) it appoints.
3.10 Data Controller acknowledges and agrees that Data Processor relies solely on Data Controller for direction as to the extent to which Data Processor is entitled to access, use, process, and sell Customer Personal Data. Consequently, Data Processor is not liable for any claim brought by Data Controller or a Data Subject arising from any action or omission by Data Processor to the extent that such action or omission resulted from Data Controller’s instructions.
4. Data Controller’s Obligations
4.2 Data Controller agrees that it will indemnify and hold harmless Data Processor on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Data Processor arising directly or indirectly from a breach of this Section 4 or any Applicable Data Protection Laws.
Data Controller consents to Data Processor engaging third party subprocessors to process the Customer Personal Data for the Permitted Purpose. Data Processor shall maintain a current list of its subprocessors at https://www.endurance.com/privacy/third-party-data, which will be updated from time to time to reflect any change in subprocessors. Data Processor ensures that it has a written agreement in place with all Subcontractors which contains obligations on the Subcontractor which are no less onerous on the relevant Subcontractor than the obligations on Data Processor under this Addendum.
7. Law and Jurisdiction
This Addendum and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the Commonwealth of Massachusetts and each party hereby submits to the jurisdiction of the federal or state courts located in Boston, Massachusetts.
Copyright © 2020, Constant Contact, Inc.