NextLot, Inc. / Seller Data Processing Addendum
In consideration of the mutual obligations set forth herein, the parties agree to the terms and conditions of this DPA, effective as of the effective date of the Agreement.
(a) “Controller Personal Data” means any Personal Data processed by Processor on behalf of the Controller pursuant to the Agreement.
(b) "European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.
(c) “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and Your Data and is protected similarly as personal data, personal information or personally identifiable information under applicable European Data Protection Laws.
(d) “Restricted Transfer” means a transfer of Controller Personal Data from the Controller to Processor or any onward transfer of Controller Personal Data from Processor to a Subprocessor, in each case where such transfer would be prohibited by the GDPR or as applicable other European Data Protection Laws in the absence of the parties’ agreement to the Standard Contractual Clauses.
(e) “Standard Contractual Clauses” means the contractual clauses set out in Annex 1 as may be amended under Section 13(e).
(f) “Subprocessor” means any person or entity (excluding employees of Processor) appointed by or on behalf of Processor to Process Controller Personal Data on behalf of the Controller in connection with the Agreement.
Additionally, the terms “controller,” “data subject,” “personal data breach,” “process,” “processor,” and “supervisory authorities” shall have the meanings given to such terms in GDPR.
2. Nature of Relationship. The parties acknowledge and agree that the Controller is a controller and Processor is a processor under the European Data Protection Laws.
3. Controller Representations and Warranties. The Controller represents and warrants to Processor that, prior to transferring any Controller Personal Data to Processor for processing, asking Processor to collect Controller Personal Data on the Controller’s behalf in connection with the Services, or otherwise providing any personal data to Processor in connection with Processor’s performance of the Services, the Controller has provided to the applicable data subjects every type of notice and obtained from the applicable data subjects every type of consent in each case as required by the European Data Protection Laws pertaining to such disclosures of personal data to or collection of personal data on the Controller’s behalf by Processor, including, but not limited to, in connection with Processor’s processing of the Special Categories of Personal Data set forth in Appendix 2 to the Standard Contractual Clauses attached hereto. The Controller shall indemnify and hold harmless Processor from and against all claims, liabilities, fines, penalties, costs or other expenses, of any kind or nature whatsoever, arising out of the Controller’s breach of this Section 3.
4. Processing of Personal Data. Processor shall process Controller Personal Data only on documented instructions from Controller (including, for the avoidance of doubt, as described in the Agreement), unless Processor is required to do so by applicable law to which Processor is subject, in which case Processor shall inform the Controller of that legal requirement before processing (unless the applicable law prohibits providing such information to the Controller on important grounds of public interest). The Controller shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Controller Personal Data, and that the processing of Controller Personal Data in accordance with the Controller’s instructions will not cause Processor to be in breach of the European Data Protection Laws applicable with respect to the Controller Personal Data.
5. Confidentiality of Personal Data. Processor shall ensure that all persons (including Subprocessors) authorized to process Controller Personal Data have committed to keeping such Controller Personal Data confidential or are under an appropriate statutory obligation of confidentiality with respect to such Controller Personal Data.
6. Security of Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Processor shall implement appropriate technical and organizational measures to ensure a level of security for Controller Personal Data appropriate to the risk, including in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller Personal Data transmitted, stored or otherwise processed. Such measures shall include, at a minimum, the measures described in Appendix 2 to the Standard Contractual Clauses attached hereto, and shall include inter alia as appropriate: (a) the pseudonymization or encryption of Controller Personal Data, (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services used to process Controller Personal Data, (c) the ability to restore the availability and access to Controller Personal Data in a timely manner in the event of a physical or technical incident, and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
7. Assistance and Cooperation.
(a) Processor shall provide, at the Controller’s cost, reasonable assistance to Controller in performing any data protection impact assessments and/or relevant consultations with supervisory authorities or other competent data privacy authorities, which Controller reasonably considers to be required by GDPR Articles 35 or 36 and under other European Data Protection Laws, in each case solely in relation to Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, Processor and its Subprocessors.
(b) Taking into account the nature of the Processing and the information available to Processor, Processor shall, at the Controller’s cost, assist Controller as Controller may reasonably require, including by appropriate technical and organizational measures, insofar as this is possible, in ensuring compliance with the Controller’s obligations pursuant to GDPR Article 32.
(c) Taking into account the nature of the Processing, Processor shall, at the Controller’s cost, assist Controller as Controller may reasonably require, including by appropriate technical and organizational measures, insofar as this is possible, to enable the Controller to comply with requests by data subjects to exercise their rights under GDPR. Processor shall: (i) promptly notify the Controller if Processor receives a request from a data subject under GDPR with respect to Controller Personal Data, and (ii) not respond to that request except on the written instructions of the Controller or as required by applicable law to which Processor is subject, in which case Processor shall (to the extent permitted by applicable law) inform Controller of that legal requirement before Processor responds to the request.
8. Information and Audit Rights. To the extent such information is reasonably available to Processor, Processor shall make available to the Controller on the Controller’s reasonable request all information necessary to demonstrate compliance with this DPA, and, at the Controller’s cost, allow for and cooperate with audits, including inspections, by the Controller or an auditor appointed by Controller in relation to the Processing of the Controller Personal Data by Processor, subject to the following:
(a) Information disclosed to the Controller or its auditor or that is otherwise revealed in such audit shall be the Confidential Information of Processor under the confidentiality provisions of the Agreement or nondisclosure agreement between the parties that Processor may require to be executed in connection with such disclosure (“NDA”).
(b) Audits may not be conducted more than once per year or more frequently: (i) to the extent required by a supervisory authority, or (ii) in the event of and in connection with a particular personal data breach.
(c) Audits shall be conducted only during Processor’s normal business hours and only with reasonable advance written notice of not less than 15 business days (except in the event of a personal data breach or if the Controller has a reasonable basis to believe (supported by substantial evidence) that Processor may be in material non-compliance with this DPA, in which case advance notice shall be not less than 72 hours).
(d) No such audit shall include access to Processor’s (or any Subprocessors’) facilities or systems (e.g., computing infrastructure, servers, data storage mechanisms and infrastructure, audit logs, activity reports, system configuration, etc.) without Processor’s prior written consent, except to the extent required by a supervisory authority.
In lieu of an audit, upon reasonable request by the Controller, but no more than once per year, Processor agrees to complete, within thirty (30) days of receipt, an audit questionnaire provided by the Controller regarding Processor’s compliance with this DPA, of reasonable length and required detail (not to exceed a reasonably-estimated five person-hours to complete unless otherwise agreed to and subject to the payment of additional fees set forth in a separate agreement by the parties), provided that any such questionnaire responses shall be the Processor’s Confidential Information under the confidentiality provisions of the Agreement or the NDA.
(a) Processor shall not engage any Subprocessor to provide the Services under the Agreement (or otherwise process Controller Personal Data under the Agreement) without written authorization from the Controller. Processor reserves the right to maintain its Subprocessor list through means such as publication of its Subprocessor list online. The Controller hereby provides written authorization for Processor to engage the sub-processors listed in Appendix 2 to the Standard Contractual Clauses (the “Subprocessor List”). The Controller further acknowledges and agrees that its continued access to the Subprocessor List constitutes notice of on-going intended changes concerning the addition or replacement of Subprocessors, that it is the Controller’s responsibility to check the Subprocessor List frequently to review any such changes, and that access to the Subprocessor List provides the Controller the opportunity to object to any such changes. Controller may object to Processor’s use of a new or replacement Subprocessor by notifying Processor promptly in writing (and in any event within ten business days) after first becoming aware of the new or replacement Subprocessor. In the event Controller reasonably objects to a new or replacement Subprocessor appearing on the Subprocessor List after the date of execution of this DPA by the parties, as permitted in the preceding sentence, Processor will use reasonable efforts to make available to Controller a change in the Services or recommend a commercially reasonable change to Controller’s configuration or use of the Services to avoid processing of Controller Personal Data by the objected-to new or replacement Subprocessor without unreasonably burdening Controller. If Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Controller may terminate the Agreement without liability with respect only to those Services which cannot be provided by Processor without the use of the objected-to new or replacement Subprocessor by providing written notice to Processor and Controller shall have no obligation to make any payment of subscription fees for the remaining portion of the subscription term under the Agreement.
(b) Where Processor engages a Subprocessor for carrying out specific processing activities on behalf of the Controller with respect to Controller Personal Data, Processor shall by contract impose on the Subprocessor substantially the same data protection obligations as set forth in this DPA. Where the Subprocessor fails to fulfil such data protection obligations, Processor shall remain fully liable to the Controller for the performance of that Subprocessor’s obligations.
10. Return or Deletion of Controller Personal Data.
(a) Subject to Sections 10(b), 10(c) and 10(d) below, Processor shall at Controller’s request within thirty (30) days after the date of cessation of Services involving the Processing of Controller Personal Data (the “Cessation Date”), either; (i) return to the Controller the Controller Personal Data in a mutually-agreeable format; or (ii) delete and ensure the deletion of all copies of Controller Personal Data.
(b) Processor (and Processor’s Subprocessors) may retain Controller Personal Data to the extent and for such period as is required by applicable law, rule or regulation, provided that Processor shall ensure the continued confidentiality of all such Controller Personal Data, and shall ensure that the Controller Personal Data are only accessed and used for the purpose(s) specified in the applicable law, rule or regulation requiring its retention.
(c) Processor may retain and use for its business purposes any aggregated or de-identified data (i.e., data that is no longer personal data) created from or using Controller Personal Data, during and after termination of the Agreement.
(d) The Processor’s obligations under this Section 10 shall be subject to any agreed-upon post-termination data retrieval provisions in the Agreement.
11. Restricted Transfers. The Controller (as “Data Exporter”) and Processor (as “Data Importer”) hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer from Controller to Processor. Processor shall ensure that before it commences any Restricted Transfer to a Subprocessor, the Subprocessor will enter into the Standard Contractual Clauses (or variations of those Standard Contractual Clauses made under Section 13(e) or as otherwise proposed by the Subprocessor or Processor as long as such variations are compliant with GDPR).
12. Personal Data Breach. If any Controller Personal Data is subject to any personal data breach Processor shall, upon becoming aware of the personal data breach, without undue delay notify the Controller take reasonable steps to contain and counteract the personal data breach and minimize any damage resulting from the personal data breach, and provide Controller with sufficient information to allow the Controller to meet any obligations to report to supervising authorities or inform the applicable data subjects of the personal data breach to the extent required under the European Data Protection Laws. Processor shall co-operate, at the Controller’s cost, to assist Controller in the investigation, mitigation and remediation of each such personal data breach.
(a) Subject to the following sentence of this Section 13(a), in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In any event, Processor’s liability under this DPA, including for breach or other failure under this DPA by Processor or its Subprocessors, shall be subject to the exclusions and limitations of liability provided for in the Agreement.
(b) To the extent this DPA is not governed exclusively by the European Data Protection Laws, it will be governed by and construed in accordance with the laws of the United States and the state in which Processor has its principal place of business.
(c) This DPA constitutes the entire understanding of the parties with respect to the subject matter hereof and supersedes all prior agreements, oral or written.
(d) Except as expressly stated in the European Data Protection Laws or the Standard Contractual Clauses attached hereto, the parties to this DPA do not intend to create any rights in any third parties.
(e) The parties agree that, to the extent required under the European Data Protection Laws, such as due to legislative changes, court decisions, and/or to reflect measures or guidance from supervisory authorities, including, without limitation, the adoption of standards for contracts with processors according to GDPR Article 28(7) or (8) or the invalidation, amendment, replacement or repeal of a decision adopted by the EU Commission in relation to international data transfers on the basis of GDPR Article 45(3) or Article 46(2) GDPR or on the basis of Article 25(6) or 26(4) of EU Directive 95/46/EC, such as, in particular, with respect to the Standard Contractual Clauses or similar transfer mechanisms, the Controller may request reasonable changes or additions to this DPA to reflect applicable requirements. If the Controller makes a request to change or supplement this DPA pursuant to this Section 13(e), the Controller and Processor shall in good faith negotiate such changes and additions (including, where applicable, providing for Controller’s reimbursement of Processor’s costs and expenses for undertaking additional obligations) and the Processor shall not unreasonably withhold or delay agreement to any variations to this DPA.
Standard Contractual Clauses
These Standard Contractual Clauses (the “Clauses”) between Processor (also referred to herein as the “Data Importer”), and the Controller (also referred to herein as the “Data Exporter”), are incorporated into the agreement between Processor and the Controller (the “Agreement”) and the parties’ Data Processing Addendum (“DPA”) to which this Annex 1 is attached. The Clauses shall apply to Restricted Transfers of Personal Data. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or the DPA. The scope of definitions for terms that are defined in these Clauses shall be limited to this annex. Unless expressly modified below, the terms of the Agreement and DPA shall remain in full force and effect.
The parties hereby agree to the following Clauses in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the Personal Data specified in Appendix 1.
1.1.The terms 'Personal Data', 'Special Categories Of Data', 'Process/Processing', 'Controller', 'Processor', 'Data Subject' and 'Supervisory Authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of Personal Data, and on the free movement of such data.
1.2.'Data Exporter' means the Controller who transfers the Personal Data;
1.3.'Data Importer' means the Processor who agrees to receive from the Data Exporter Personal Data intended for Processing on Data Exporter’s behalf after the transfer in accordance with Data Exporter’s instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
1.4.‘Sub-Processor’ means any processor engaged by the Data Importer or by any other sub-processor of the Data Importer who agrees to receive from the Data Importer or from any other sub-processor of the Data Importer Personal Data exclusively intended for processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
1.5.‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
1.6.'Technical and Organizational Security Measures' means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
2.Details of the Transfer
The details of the transfer and in particular the special categories of Personal Data where applicable are specified in Appendix 1 of this DPA, which forms an integral part of these Clauses.
3.Third-Party Beneficiary Clause
3.1.The Data Subject can enforce against the Data Exporter this Clause, Clauses 4.2 to 4.9, Clauses 5.1 to 5.5, Clauses 5.7 to 5.10, Clauses 6.1 to 6.2, Clause 7, Clause 8.2, and Clauses 9 to 12 as third-party beneficiary.
3.2.The Data Subject can enforce against the Data Importer this Clause, Clauses 5.1 to 5.5, Clause 5.7, Clause 6, Clause 7, Clause 8.2, and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject may enforce them against such entity.
3.3.A Data Subject can enforce against a Sub-Processor this Clause, Clauses 5.1 to 5.5, Clause 5.7, Clause 6, Clause 7, Clause 8.2, and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity. Such third-party liability of the Sub-Processor shall be limited to its own Processing operations under the Clauses.
3.4.The parties do not object to a Data Subject being represented by an association or other body if the Data Subject so expressly wishes and if permitted by national law.
4.Obligations of the Data Exporter
The Data Exporter agrees and warrants:
4.1.that the Processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State;
4.2.that it has instructed and throughout the duration of the Personal Data Processing services will instruct the Data Importer to Process the Personal Data transferred only on the Data Exporter's behalf and in accordance with the applicable data protection laws and the Clauses;
4.3.that the Data Importer has provided sufficient guarantees in respect of the Technical and Organizational Security Measures as specified in Appendix 2 of this contract;
4.4.that after assessment of the requirements of the applicable data protection laws, the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the data to be protected having regard to the state of the art and the cost of implementation;
4.5.that it will ensure compliance with the security measures;
4.6.that, if the transfer involves Special Categories Of Data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC.
4.7.to forward any notification received from the Data Importer or any Sub-Processor pursuant to Clause 5.2 and Clause 8.3 to the data protection Supervisory Authority if the Data Exporter decides to continue the transfer or to lift the suspension;
4.8.to make available to the Data Subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
4.9.that, in the event of sub-processing, the Processing activity is carried out in accordance with Clause 11 by a Sub-Processor providing at least the same level of protection for the Personal Data and the rights of Data Subject as the Data Importer under the Clauses; and
4.10.that it will ensure compliance with Clause 4.1 to 4.9
5.Obligations of the Data Importer
The Data Importer agrees and warrants:
5.1.to Process the Personal Data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
5.2.that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract, and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
5.3.that it has implemented the technical and organizational security measures specified in Appendix 2 before Processing the Personal Data transferred;
5.4.that it will promptly notify the Data Exporter about:
5.4.1.any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
5.4.2.any accidental or unauthorized access; and
5.4.3.any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorized to do so;
5.5.to deal promptly and properly with all inquiries from the Data Exporter relating to the Data Importer’s Processing of the Personal Data subject to the transfer and to abide by the advice of the Supervisory Authority with regard to the Processing of the Personal Data transferred;
5.6.at the request of the Data Exporter to submit its data Processing facilities for audit of the Processing activities covered by the Clauses which shall be carried out by the Data Exporter or by an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the Supervisory Authority;
5.7.to make available to the Data Subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter;
5.8.that, in the event of sub-processing, it has previously informed the Data Exporter and obtained its prior written consent;
5.9.that the Processing services by the Sub-Processor will be carried out in accordance with Clause 11;
5.10.to send promptly a copy of any Sub-Processor agreement it concludes under the Clauses to the Data Exporter.
6.1.The parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Sub-Processor is entitled to receive compensation from the Data Exporter for the damage suffered.
6.2.If a Data Subject is not able to bring a claim for compensation in accordance with Clause 6.1 against the Data Exporter, arising out of a breach by the Data Importer or its Sub-Processor, of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract of by operation of law, in which case the Data Subject can enforce its rights against such entity.
The Data Importer may not rely on a breach by a Sub-Processor of its obligations in order to avoid its own liabilities.
6.3.If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in Clauses 6.1 and 6.2, arising out of a breach by the Sub-Processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Sub-Processor agrees that the Data Subject may issue a claim against the Sub-Processor with regard to its own Processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Sub-Processor shall be limited to its own Processing operations under the Clauses.
7.Mediation and Jurisdiction
7.1.The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject:
7.1.1.to refer the dispute to mediation, by an independent person or, where applicable, by the Supervisory Authority;
7.1.2.to refer the dispute to the courts in the Member State in which the Data Exporter is established.
7.2.The parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
8.Cooperation with Supervisory Authorities
8.1.The Data Exporter agrees to deposit a copy of the contract with the Supervisory Authority if the Supervisory Authority so requests or if such deposit is required under the applicable data protection law.
8.2.The parties agree that the Supervisory Authority has the right to conduct an audit of the Data Importer, and of any Sub-Processor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the applicable data protection law.
8.3.The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Sub-Processor preventing the conduct of an audit of the Data Importer, or any Sub-Processor, pursuant to Clause 8.2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5.2.
The Clauses (but not the Agreement) shall be governed by the law of the Member State in which the Data Exporter is established.
10.Variation of the Contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
11.1.The Data Importer shall not subcontract any of its Processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Sub-Processor which imposes the same obligations on the Sub-Processor as are imposed on the Data Importer under the Clauses. Where the Sub-Processor fails to fulfil its data protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Sub-Processor's obligations under such agreement.
11.2.The prior written contract between the Data Importer and the Sub-Processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in Clause 6.1 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Sub-Processor shall be limited to its own Processing operations under the Clauses.
11.3.The provisions relating to data protection aspects for sub-processing of the contract referred to in Clause 11.1 shall be governed by the law of the Member State in which the Data Exporter is established.
11.4.The Data Exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5.10, which shall be updated at least once a year. The list shall be available to the Data Exporter's data protection Supervisory Authority.
12.Obligation after the Termination of Personal Data Processing Services
12.1.The parties agree that on the termination of the data Processing services, the Data Importer and the Sub-Processor shall, at the choice of the Data Exporter, return all the Personal Data transferred and the copies thereof to the Data Exporter or shall destroy all the Personal Data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively Process the Personal Data transferred anymore.
12.2.The Data Importer and the Sub-Processor warrant that upon request of the Data Exporter and/or of the Supervisory Authority, it will submit its data Processing facilities for an audit of the measures referred to in Clause 12.1.
TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix 1 forms part of the Clauses as agreed by the parties. The applicable jurisdiction may specify any additional necessary information to be contained in this Appendix 1.
The Data Exporter is: the Controller, in the business of providing goods and/or services and user of the Services provided under the Agreement between Controller and Data Importer.
The Data Importer is: the Processor, in the business of providing Services via its proprietary software-as-a-service platform enabling auctioneers, liquidators, and other merchants like Data Exporter to create private-labeled, auction websites through which they can sell their products and services online by various methods.
3.Categories of Data Subjects.
The Personal Data transferred include the following categories of Data Subjects: Buyers and Seller’s customers as stated in the Agreement.
4.Categories of Personal Data.
The Personal Data transferred include the following categories of Personal Data: as stated in the Agreement and DPA.
5.Special Categories of Data: None.
The Personal Data transferred will be subject to the following basic Processing activities:
The Personal Data will be processed as needed to provide the Services described in the Agreement.
TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4.4 and 5.3:
Data Importer stores personally identifiable data with Amazon Web Services ("AWS"). AWS encrypts the data on disk, and Data Exporter's data is only accessible through Data Importer's private network by that Data Exporter and Data Importer within Data Importer’s AWS account. Data Importer also transmits and stores personally identifiable data to Paypal, which is PCI Compliant. Access is only granted to authorized employees and independent contractors of Data Exporter and Data Importer to access the personally identifiable data through Data Exporter's administration panel. Furthermore, access is only granted to authorized employees and independent contractors of Data Exporter to access the personally identifiable data through AWS or Paypal.
Amazon Web Services (“AWS”)