DATA PROCESSING AGREEMENT (DPA) RELATED TO HIGHER FASTER MSA

This DPA is deemed incorporated into any MASTER SERVICE AGREEMENT (MSA) that has as scope the services provided by Higher Faster BV, having its registered headquarters at 415 Gustav Mahlerlaan, 1082MK, Amsterdam, the Netherlands (hereinafter called the “Company”) and the Company is acting as a data processor. By contracting our services, the Customer agrees to be legally bound by this DPA.  

Whereas

a) The company using Higher Faster services and products is hereinafter called the Customer.

b) According to the terms and conditions of the MSA, the Customer agrees to buy, and the Company agrees to provide the Services. For the purpose of providing the Services to the Customer, the Company may have access to information and personal data ("Customer Data").

c) The Customer authorizes the Company to purchase or use related services through search engines, social networks, technology providers, publisher websites or automated or similar exchange platforms, cloud providers, including those operated by companies such as Amazon, Google, Facebook or others (collectively or separately referred to as the "Platforms"). These Platforms may process the Customer's data and/or the Customer may be subject to certain obligations in accordance with the standard terms and conditions of the Platforms (collectively, the "Platform Agreements").

Definitions

Applicable Law  means, as applicable and binding for the Customer, the Company and/or Services: (a) any law, statute, regulation or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided or in connection with; (b) the common law and laws of equity applicable to the parties from time to time; (c) any binding court order, judgment, decree; or (d) any applicable regulation, policy, rule or order that is binding on a Party and that is issued or given by a regulatory body that has jurisdiction over a Party or any assets, resources or business of that Party;

Customer data means personal data received from or processed in any way on behalf of the Customer, directly or indirectly, by the Company or a sub-Processor, in connection with or as part of the provision of the Services under the MSA;

Data path means the description of the intention (purpose) of the use, processing and transfer paths of the Customer Data during the provision of Services according to the Company's directions;

Personal data protection laws means as applicable and binding for the Customer, Company and/or Services: (a) in the member states of the European Union: GDPR and all relevant laws or regulations of the member states that implement or correspond to one of them; (b) any provisions on data protection in the Applicable Law; or (c) any applicable law of any country that may apply to the provision of the Services which are sent in writing by the Customer to the Company in advance;

Losses in relation to personal data processing refers to all liabilities: (a) costs (including legal costs), claims, actions, settlements, interest, taxes, proceedings, expenses, losses and damages (in relation to physical damages); and (b) to the extent permitted by applicable law: (i) administrative fines, penalties, sanctions, debts or other remedies imposed by a supervisory authority; (ii) compensation that is ordered by a supervisory authority to be paid to a data subject; and (iii) the reasonable costs of complying with investigations by a supervisory authority; but excluding: any current or anticipated loss of income or profits; loss of contracts; loss of customers or reputation; moral damage; any direct or indirect loss or damage, regardless of its origin and whether caused by tort (including negligence), breach of contract or otherwise, regardless of whether such loss or damage is foreseeable, foreseen or known;

Data subject request means a request made by a data subject to exercise any rights belonging to the data subject in accordance with personal data protection laws;

GDPR refers to the general data protection regulation (EU) 2016/679;

Data breach relates to any breach of data security resulting in the destruction, loss, alteration, unauthorized disclosure or access of any Customer Data or any other unlawful processing of Customer Data;

Confidentiality statements means the information and consents obtained in a legally correct manner, from the data subjects, regarding the processing of their personal data by the parties and by any Processor, sub-processor or Controller for the provision of the Services, including in accordance with any data path;

Processing instructions has the meaning given in clause 2.1.1;

Sub-processor means another processor contracted by the Company to carry out the processing activities of the Customer data on behalf of the Customer;

Supervisory authority means any local, national or multinational public authority, regulatory or supervisory authority or other body responsible for approving and managing data protection laws;

Third party means any third party involved in the processing of Customer Data in connection with the Services which does not include the Customer and the Company;

Personal Data, Controller, Processor, Data Subject, Processing have the meaning given to such terms in Personal data protection laws.

1. Data Controller and Data Processor  

1.1 The parties agree that, for the Customer's data, the Customer will be the Data Controller and the Company will be the Data Processor, including situations where the Customer's data originates from a third party, like a Platform operator and that platform will act as joint controller with the Customer with respect to such Customer Data. In all cases, the status of the parties will be interpreted in accordance with the Personal data protection laws, but it is acknowledged and agreed that, if processing the Customer's data under this Processing Agreement, the Company will always act as a Data Processor.

1.2 The Company will process the Customer's data in accordance with:  

1.2.1 the obligations of the Data Processor under Personal data protection laws regarding the fulfillment of their obligations under this processing agreement; and  

1.2.2 the terms of this Data Processing Agreement

1.3 The Customer must comply with:  

1.3.1 all Personal data protection laws in relation to the processing of Customer Data, the Services and the exercise and enforcement of Customer rights and obligations under this Data Processing Agreement and any platform agreements, including (without limitation) the retention of all records and notices of relevant regulation according to Personal data protection laws; and

1.3.2 the terms of this Data Processing Agreement and any applicable Platform Agreements

1.4 The Customer warrants and undertakes that:  

1.4.1 all Customer data must comply with Personal data protection laws in all respects, including their collection, storage and processing (this also means that the Customer will provide all correct information necessary for fair processing, including obtaining the necessary consent from the Data Subjects), in accordance with Personal data protection laws;

1.4.2 all Customer data may be lawfully processed by the Company and any third party used to provide the Services and in accordance with any Data path

1.4.3 in respect of all Customer Data:  

(a) where the Customer Data is provided directly by the Customer, the Customer shall implement and present appropriate mechanisms:  

(i) to ensure that notifications and confidentiality statements are provided and that they are obtained from the data subjects;  

(ii) through which the data subjects can request the modification of their personal data or can request the renunciation of the processing of their personal data;  

(iii) to exclude from its own database, the data of the data subjects who opted for the Customer's refusal to process their data, in accordance with point 1.4.3 (a)ii;  

(iv) to ensure that the Customer does not issue Processing Instructions for the data subjects who have opted for the Customer's refusal to process their data, in accordance with point 1.4.3 (a) iii;  

(v) ensure that the Customer Data is up-to-date and accurate and notify the Company of any changes to the Customer Data; and  

(b) where the Customer Data is not provided directly by the Customer, the Customer has ensured that the data providers have complied with the Personal Data Protection Laws and that the data provided by the Customer can be used by the Company for the provision of the Services

1.4.4 Customer Data shall not include:  

(a) Personal data belonging to underaged data subjects, as defined by any applicable law;  

(b) special categories of personal data; or  

(c) location data,  

unless the legal basis for processing such data in accordance with Personal data protection laws as part of the Services was first established by the Customer;  

and  

1.4.5 All instructions that the Customer will give to the Company regarding personal data will always comply with the Personal data protection laws.

1.5 The Customer shall not unreasonably withhold or delay consent to any change requested by the Company to ensure that the Services and the Company (and each Sub-Processor, including any Platforms) can comply with the Personal Data Protection Laws.

1.6 The Customer agrees to the following:  

(a) Where, as part of the services it provides, the Company is required to:  

(i) obtain directly from the data subjects personal data or Personal Data belonging to the Customer;

or  

(ii) obtain consent from any data subjects for any use, further use or use for any additional purpose,  

it is the Customer's responsibility to provide all necessary forms for any notices regarding privacy statements regarding the lawful acquisition of such Customer Data for use by the Company in the delivery of the Services (including but not limited to third-party cookies, tags pixels and other relevant tags used by the Company's suppliers on the Customer's websites) and verify that the privacy notices and statements used by third parties to acquire any Customer Data and for the Customer are satisfactory to ensure compliance with all applicable Personal data protection laws of the Customer's personal data and their subsequent use by the Customer, the Company or any third party;

and

(b) The Company (including any Sub-Processor) shall not be liable for any loss, delay or damage of any kind caused to the Customer, by the Customer's failure to fulfill its obligation to provide the Company with any notification or confidentiality statement, requested in due time.  

1.7 The Customer also agrees that, where as part of the Services provided to the Customer, the Customer directly accesses the Platforms by means of any authentication credentials, authentication information and/or any other means, technologies or methods designed to access such Platforms ("Platform Login Credentials") provided to Customer by Company, whether such access is read-only or otherwise, Customer warrants and agrees that access to and use of such Platforms must comply with this Processing Agreement, the available Platform policies and applicable law. Without limiting the foregoing, Customer shall not in any way misappropriate any part of a Platform or any part thereof or may not modify, disassemble, decompile, reprogram, copy, reproduce or create derivative works from or in connection with a Platform or any part thereof, including without limitation, for the purpose of re-identifying any user.

1.8 The Customer undertakes, confirms and guarantees for the following aspects:  

1.8.1 the personal data processing operations carried out by the Company and any Platforms, including any data path, are appropriate for the purposes for which the Customer intends to use the Customer's Data;  

1.8.2 The Company and any Platforms present sufficient guarantees, expertise and resources to perform the Services in accordance with the requirements of the Personal Data Protection Law.  

1.9 It is agreed and acknowledged that the Customer is aware of and fully understands the Company's processing operations described in this Data Processing Agreement and any data path.

2. Instructions and details regarding data processing  

2.1 For the situations when the Company processes the Customer's data on behalf of the Customer, the Company:

2.1.1 unless it is obliged to proceed differently by the applicable Law, will process the Customer's data only in compliance with the Customer's instructions as set out in this clause 2 and Annex 1 (Data Processing Details), and will take measures to ensure that each person acting under its authority proceeds in this way;

2.1.2 where applicable laws require it to process Customer data other than in accordance with processing instructions, must notify Customer of any such requirement prior to processing Customer data (unless applicable law prohibits this information for reasons of important public interest);  

2.1.3 informs the Customer if the Company becomes aware of a Processing Instruction that, in the Company's opinion, violates Personal data protection laws, noting that:  

(a) the provisions of points 1.3 and 1.4 apply accordingly;  

(b) to the maximum extent permitted by law, the Company shall have no liability, whether arising in contract or in tort (including negligence) or otherwise, for any losses, costs, expenses or liabilities (including losses of data protection) from or in connection with any processing of personal data carried out in accordance with the Customer's Processing Instructions;  

2.1.4 assumes no responsibility to determine the purposes for which and how the Customer's data is processed

3. Technical and organisational measures  

3.1 The Company implements and maintains, at its cost and expenses, the technical and organizational measures:

3.1.1 regarding the processing of Customer data by the Company, as provided in annex 2 (Technical and organizational measures); and  

3.1.2 taking into account the nature of the processing, to assist the Customer as much as possible in fulfilling the Customer's obligations to respond to requests coming from the persons concerned, requests related to the Customer's Data.  

3.2 Considering the state of the art and the cost of their implementation and maintenance, the Customer and the Company agree that the "Technical and Organizational Measures" provided in annex 2 are able to ensure a level of security corresponding and adequate to the risks represented by the processing provided for in annex 1 and the nature of the Customer's data, and that any additional technical and organizational measures will be subject to an additional written agreement between the Customer and the Company and will be at the cost and expense of the Customer.

4. Using personnel and other sub-processors

4.1. The Company will not employ any Sub-Processor to carry out any activities regarding the processing of the Customer's data without the Customer's authorization (the authorization must not be withheld, conditioned or delayed), taking into consideration that the Customer hereby authorizes the appointment:

(a) to all sub-processors identified in any data path; and  

(b) to any company acting as Sub-Processor for the purpose of delivering the Services.  

With respect to this clause 4.1, the Customer acknowledges and agrees that, given the specific mode of delivery of the Services, an exact list of such Sub-processors, data providers, subcontractors and website publishers used to provide the Services may be provided on the Company website/page and will be provided at the Customer request.

4.2 If the Customer wishes to object to the appointment of any Sub-Processor at any time, the Customer shall notify the Company accordingly within 1 working day, and the Company, in the absence of such notification, may appoint that Sub-Processor. If the Parties, acting reasonably, do not agree to the appointment of the proposed Sub-processor, the Company has the right to unilaterally terminate the MSA with immediate effect, insofar as it relates to the services that require the use of the proposed sub-processor.

4.3. The Company appoints sub-processors in principle under agreements containing the same obligations as clauses 1-11 (inclusively), except for the situations acknowledged and agreed by the Customer that some operators, agents or sub-agents appointed to provide the Services, including most of the Platforms and certain multinational service providers, will provide their services on non-negotiable terms (collectively called "Providers"), these terms being established in the agreements published on the Platforms or in the general terms and conditions of data processing ("Provider Terms"). In such circumstances:

4.3.1 The Company will notify the Customer of such providers;  

4.3.2 in the absence of any objections from the Customer, the Providers can be used to provide their Services;  

4.3.3. Subject to the provisions of paragraph 4.3.2, the Providers and Provider Terms shall be deemed to be selected, approved and authorized by the Customer, and the Customer is responsible, as the Data Controller, to determine and be aware of the Provider Terms at all times; and  

4.3.4. The Company will make reasonable efforts to assist the Customer in understanding the Providers Terms

4.4 Without prejudice to clause 10.2, if the Services are provided in accordance with the Providers Terms, the Company will not be liable for any loss or damage generated by the processing of personal data, resulting from the actions, omissions or violations direct or indirect of such a provider and that exceed any limit of liability assumed by the Terms and conditions of the respective provider.  

4.5 The Customer acknowledges and agrees that these providers may appoint processors and Sub-processor in the delivery of the Services in accordance with the Providers Terms without notice and under obligations substantially different from those set forth in this Agreement and the Company shall have no obligations to the Customer in respect to the processors and Sub-processors appointed by these providers.  

4.6 The Company ensures that all Company personnel authorized to process the Customer's data are subject to a contractual obligation with the Company to maintain the confidentiality of the Customer's data (unless disclosure is required under applicable law, in which case the Company, if possible and not prohibited by applicable law, shall notify the Customer of any such requirement prior to such disclosure).

5. Assistance with regard to the support given in order for the Customer to comply with the obligations imposed by the relevant legislation, including with regard to the rights of the data subjects

5.1 The Company sends the Customer all the requests it receives from the data subjects within three working days of receiving the request.  

5.2 The Company will provide the Customer with the assistance that the Customer reasonably requests (taking into account the nature of the processing and the information available to the Company) to ensure compliance with the Customer's obligations under the Personal data protection laws regarding:

5.2.1 Data processing security;

5.2.2 data protection impact assessments (as defined in the Data Protection Act);  

5.2.3 prior consultation with a supervisory authority regarding high-risk processing; and  

5.2.4 notifications addressed to the Supervisory Authority and / or communications to the data subjects by the Customer, in response to any data breach,  

provided that the Company has the right to charge appropriate remuneration for such assistance in the event that such involvement would materially exceed what may reasonably be considered by the Company to be part of the services provided by the Company as a professional under the MSA.

6. International data transfers  

The Customer agrees that the Company may transfer Customer data to countries outside the European Economic Area (EEA) or any international organization (an "International Recipient"), provided that all transfers by the Company of Customer Data to an International Recipient are (to the extent required by Personal data protection laws) carried out through appropriate security measures and in accordance with Personal data protection laws. The provisions of this Processing Agreement constitute the Customer's instructions regarding transfers in accordance with clause 2.1.

7. Records, information and auditing

7.1 The Company will keep, in accordance with Personal data protection laws binding on the Company, written records of all categories of processing activities carried out on behalf of the Customer.  

7.2 In accordance with the Personal data protection laws, the Company makes available to the Customer the information it considers reasonably necessary to demonstrate the Company's compliance with the obligations of the data processors, in accordance with the Personal data protection laws and to allow participation in audits (once a year at the most and subject to Company’s confidentiality undertakings), by Customer (or other auditor mandated by the Customer) for this purpose, subject to the guarantee of the Customer who undertakes:  

7.2.1 To give the Company, in advance, a notification regarding the request for information, the audit and / or the inspection requested by the Customer;  

7.2.2 Ensure that all information obtained or generated by the Customer or its auditors in connection with requests, inspections and audits of such information is strictly confidential (except as disclosed by the Supervisory Authority or in accordance with applicable law);  

7.2.3 Ensuring that this audit or inspection is carried out during normal business hours, with minimal disruption to the Company's business, the Sub-processors’ business and other Company's Customers; and  

7.2.4 Pay the Company's reasonable costs of assisting in the provision of information and in permitting and contributing to inspections and audits.

8. Notifications in case of data breaches  

8.1 With regard to any security breach regarding the processing of the Customer's personal data, the Company will intervene, without delay:  

8.1.1 to notify the Customer about data breaches regarding the processing of personal data; and  

8.1.2 to provide the Customer with details regarding the security data breach regarding the processing of personal data.

9. Deletion or returning Customer Data and copies

9.1 The Company:

9.1.1 upon the Customer's written request, return all originals or provide the Customer with a copy of all Customer data in the form the Customer requests;  

9.1.2 will delete all copies of the Customer Data (unless applicable law requires the storage of any data, and if so the Company will inform the Customer of any such requirements) except that the Company will not be obliged to delete the copies kept in backup systems used exclusively for disaster recovery systems, given the onerous nature of such deletion exercises, within a reasonable time, at the earliest:  

9.1.2.1 after the provision of the relevant services related to the processing has ended; or  

9.1.2.2 once the Company's processing of any Customer data is no longer necessary for the Company's fulfillment of its relevant obligations under this data processing agreement and / or MSA and/ or applicable laws.

10. Liability, Indemnities and Claims  

10.1 The Company shall be liable and indemnify the Customer for losses arising from the breach of the provisions regarding the processing of Customer Data (however caused, regardless of contract, tort (including negligence) or otherwise) under or in connection with this Data Processing Agreement:  

10.1.1 only to the extent that any loss is caused by the processing of Customer data under this Processing Agreement and directly results from the Company's breach of clauses 1-11 (inclusive); and  

10.1.2 in no event to the extent that any losses arising from the breach of the Data processing provisions (or the circumstances giving rise to them) are caused by any breach of this Agreement by the Customer (including in accordance with clause 2.1.3(b)).

10.2 The Company makes no statements or guarantees regarding its suppliers, providers or regarding the Personal Data processing activities by the suppliers and will not compensate the Customer for any data processing activities carried out by the suppliers.  

10.3 The Customer shall be liable and shall indemnify the Company in respect of all losses arising from the breach of the provisions regarding the processing of personal data suffered by the Company and any Sub-processor in connection with the following:  

10.3.1 Non-compliance by the Customer with the Personal data protection laws of this Contract or the Terms and Conditions of the Providers;  

10.3.2 processing carried out by the Company or a Sub-processor in accordance with any Processing Instruction in breach of any Personal data protection laws; or  

10.3.3 violation of any Personal data protection laws or any contractual obligation by an Operator, Authorized or Sub-authorized third parties, approved by the Customer for the delivery of services.  

10.3.4 breach by the Customer of any of its obligations in accordance with clauses 1-11 (inclusive),  

except where the Company is liable under clause 10.1.

10.4 If a party receives a claim for indemnification from an individual relating to the processing of Customer Data, it will promptly provide the other party with full notice and particulars of such claim.  

The party leading the action must:  

10.4.1 not make any admission of liability and not accept any settlement agreement or settlement of such claim without the prior written consent of the other party (the answer shall not be unreasonably delayed); and

10.4.2 consult fully with the other party in connection with any such action, but the terms of any settlement of the claim shall be solely the decision of the party responsible for paying and supporting the compensation.

10.5 The parties agree that the Customer shall not be entitled to claim from the Company any part of any compensation paid by the Customer in relation to such damages to the extent that the Customer is obliged to indemnify the Company in accordance with clause 10.2.  

10.6 This clause 10 envisages the sharing of responsibility for the losses generated by non-compliance with the provisions relating to data processing between the parties, including with regard to the compensation of the data subjects, without prejudice to the provisions of the Personal data protection laws, except:  

10.6.1 the situation in which it is not permitted by the applicable legislation (including Personal data protection laws) and  

10.6.2 the fact that it does not impact the liability of either party in front of the data subject

11. Survival of Personal Data Protection Provisions  

11.1 Clauses 1-11 (inclusive) shall survive termination (for any reason) or expiration of this Data Processing Agreement and shall continue:  

11.1.1 indefinitely in the case of clauses 9-11 (inclusive); and  

11.1.2 up to 12 months from the date before termination or expiry of this Data Processing Agreement in the case of clauses 1-8 (inclusive),  

provided that any termination or expiration of clauses 1-8 (inclusive) shall not affect either party's rights and remedies under such clauses at the time of termination or expiration.  

11.2 In the event of a conflict between the terms of this Data Processing Agreement and the MSA or any other agreement governing the relationship between the parties, the terms of this Data Processing Agreement shall prevail.

12. Term and Termination of Services

12.1 This Data Processing Agreement expires at the latest on:  

12.1.1 Termination or expiration of the MSA or  

12.1.2 Cessation of any processing of Customer data by the Company on behalf of the Customer in accordance with the provision of the Services.  

12.2 The Customer and the Company have the right to suspend and/or terminate this Data Processing Agreement at any time by giving three months' notice to the other party.

13. Applicable Law  

13.1 This Data Processing Agreement and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the choice of law specified in the MSA.  

13.2 The parties irrevocably agree that the courts specified in the MSA shall have exclusive jurisdiction to resolve any dispute or claim arising out of or in connection with this Data Processing Agreement or its subject matter or form (including non-contractual disputes or claims).

ANNEX 1 INSTRUCTIONS FOR DATA PROCESSING

Scope of processing: The Company Providing Services to Customer under MSA

Categories of Data Subjects: Current and/or potential clients of the Customer

Categories of personal data: IP addresses, cookies info, mobile ID. Special categories: not applicable

Processing operations: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Duration: The data will be processed by the Company for the duration of the Services and according to the requirements of the Applicable Law


ANNEX 2 TECHNICAL AND ORGANISATIONAL MEASURES  

Virtual access control

Technical and organizational measures to prevent the use of data processing systems by unauthorized persons:  

• User identification and authentication procedures;  

• ID / password security procedures (special characters, minimum length, password change);  

• automatic blocking (for example, password or time interval);  

• Monitoring of termination attempts and automatic termination of the user ID upon multiple incorrect password attempts;  

• Creation of a basic record for each user on a data processing medium;  

Data access control

Technical and organizational measures to ensure that persons entitled to use a data processing system only obtain access to such personal data in accordance with their access rights and that personal data cannot be read, copied, modified or deleted without authorization:  

• Differentiated access rights (profiles, roles, transactions and objects);  

• Access monitoring and logging;  

• Disciplinary actions against staff who access personal data without authorization;  

Information Dissemination Control

Technical and organizational measures to ensure that personal data cannot be read, copied, modified or deleted without authorization during transmission, transport or electronic storage on storage media (manual or electronic) and that they can be verified to the Company:  

• Password access;  

Instructions control

Technical and organizational measures to ensure that personal data are processed only in accordance with the controller's instructions:  

• Clear wording of the contract;  

Availability control

Technical and organizational measures to ensure that personal data are protected against accidental (physical / logical) destruction or loss include:  

• Backup procedures;  

• antivirus / firewall systems;