Data Processing Addendum
THIS DATA PROCESSING ADDENDUM reflects the agreement between BRIGHTGAUGE SOFTWARE, INC. (“Supplier”) and its customers (each, a “Customer”) regarding the processing of Customer Personal Data under the Agreement. This Data Processing Addendum is an amendment to the Agreement and is incorporated into the Agreement.
In this Data Processing Addendum the following terms shall have the meanings set out in this Paragraph 1.1, unless expressly stated otherwise:
“Addendum Effective Date” means the effective date of the Agreement.
“Adequate Country” means a country or territory outside the European Economic Area that the European Commission has deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance Article 45(1) of the GDPR.
“Agreement” means the agreement entered into by and between Supplier and Customer.
“Anonymised Data” means any Personal Data (including Customer Personal Data), which has been anonymised such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by Supplier or any other party reasonably likely to receive or access that anonymised Personal Data.
“Business Day” means any day which is not a Saturday, Sunday or public holiday, and on which the banks are open for business, in the United States.
“Cessation Date” has the meaning given in Paragraph 9.1.
“Customer Personal Data” means any Personal Data Processed by or on behalf of Supplier on behalf of Customer under the Agreement.
“Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (the “GDPR”) and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom (references to “Articles” or “Chapters” of the GDPR shall be construed accordingly).
“Data Subject Request” means the exercise by Data Subjects of their rights under, and in accordance with, Chapter III of the GDPR.
“Data Subject” means the identified or identifiable natural person located in the European Economic Area to whom Customer Personal Data relates.
“Delete” means to remove or obliterate Personal Data such that it cannot be recovered or reconstructed, and “Deletion” shall be construed accordingly.
“Personnel” means a person’s employees, agents, consultants or contractors.
“Restricted Country” means a country or territory outside the European Economic Area that is not an Adequate Country.
“Restricted Transfer” means, where such transfer would be prohibited by Data Protection Laws without a legal basis therefor under Chapter V of the GDPR: (i) a transfer of Customer Personal Data from Customer to Supplier in a Restricted Country; or (ii) an onward transfer of Customer Personal Data from Supplier to a Subprocessor in a Restricted Country.
“Services” means those services and activities to be supplied to or carried out by or on behalf of Supplier for Customer pursuant to the Agreement.
“Standard Contractual Clauses” means the standard contractual clauses issued by the European Commission (from time-to-time) for the transfer of Personal Data from Data Controllers established inside the European Economic Area to Data Processors established in Restricted Countries.
“Subprocessor” means any third party appointed by or on behalf of Supplier to Process Customer Personal Data.
In this Data Processing Addendum:
the terms, “Data Controller”, “Data Processor”, “Personal Data”, “Personal Data Breach”, “Process/Processing/Processed” and “Supervisory Authority” shall have the meaning ascribed to the corresponding terms in the Data Protection Laws; and
unless otherwise defined in this Data Processing Addendum, all capitalised terms shall have the meaning given to them in the Agreement.
Processing of Customer Personal Data
In respect of Customer Personal Data, the Parties acknowledge that:
Supplier acts as a Data Processor; and
Customer acts as the Data Controller.
comply with all applicable Data Protection Laws in Processing Customer Personal Data; and
not Process Customer Personal Data other than:
on Customer’s instructions (subject always to Paragraph 2.8); and
as required by applicable laws.
Customer instructs Supplier to Process Customer Personal Data as necessary:
to provide the Services to Customer; and
to perform Supplier’s obligations and exercise Supplier’s rights under the Agreement.
Annex 1 (Data Processing Details) sets out certain information regarding Supplier’s Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
Customer may amend Annex 1 (Data Processing Details) on written notice to Supplier from time to time as Customer reasonably considers necessary to meet any applicable requirements of Data Protection Laws.
Nothing in Annex 1 (Data Processing Details) (including as amended pursuant to Paragraph 2.5) confers any right or imposes any obligation on any Party to this Data Processing Addendum.
Where Supplier receives an instruction from Customer that, in its reasonable opinion, infringes the GDPR, Supplier shall inform Customer.
Customer acknowledges and agrees that any instructions issued by Customer with regards to the Processing by Supplier of Customer Personal Data pursuant to or in connection with the Agreement:
shall be strictly required for the sole purpose of ensuring compliance with Data Protection Laws; and
(without limitation to the generality of Paragraph 2.6) shall not relate to the scope of, or otherwise materially change, the Services to be provided by Supplier under the Agreement.
Notwithstanding anything to the contrary herein, Supplier may terminate the Agreement in its entirety upon written notice to Customer with immediate effect if Supplier considers (in its reasonable discretion) that:
it is unable to adhere to, perform or implement any instructions issued by Customer due to the technical limitations of its systems, equipment and/or facilities; and/or
to adhere to, perform or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise).
- For the avoidance of doubt, this Paragraph 2.9 does not refer to the instructions set out in Paragraph 2.3.
Customer represents and warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, there is, and will be throughout the term of the Agreement, a valid legal basis for the Processing by Supplier of Customer Personal Data in accordance with this Data Processing Addendum and the Agreement (including, any and all instructions issued by Customer from time to time in respect of such Processing).
Supplier shall take reasonable steps to ensure the reliability of any Supplier Personnel who may Process Customer Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk (which may be of varying likelihood and severity) for the rights and freedoms of natural persons, Supplier shall in relation to Customer Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
In assessing the appropriate level of security, Supplier shall take account in particular of the risks presented by the Processing, in particular from a Personal Data Breach.
Customer authorises Supplier to appoint Subprocessors in accordance with this Paragraph 5.
Supplier may continue to use those Subprocessors already engaged by Supplier as at the date of this Data Processing Addendum, subject to Supplier meeting within a reasonable timeframe (or having already met) the obligations set out in Paragraph 5.4.
Supplier shall give Customer prior written notice of the appointment of any new Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor. If, within 5 Business Days of receipt of that notice, Customer notifies Supplier in writing of any objections (on reasonable grounds) to the proposed appointment:
Supplier shall use reasonable efforts to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
such a change cannot be made within 28 Business Days from Supplier receipt of Customer’s notice;
no commercially reasonable change is available; and/or
Customer declines to bear the cost of the proposed change,
notwithstanding anything in the Agreement, either Party may by written notice to the other Party with immediate effect terminate the Agreement either in whole or to the extent that it relates to the Services which require the use of the proposed Subprocessor.
With respect to each Subprocessor, Supplier shall ensure that the arrangement between Supplier and the Subprocessor is governed by a written contract including terms which offer at least an equivalent level of protection for Customer Personal Data as those set out in this Data Processing Addendum (including those set out in Paragraph 4).
Data Subject Rights
Taking into account the nature of the Processing, Supplier shall provide Customer with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Customer in fulfilling its obligation to respond to Data Subject Requests.
promptly notify Customer if Supplier receives a Data Subject Request; and
ensure that Supplier does not respond to any Data Subject Request except on the documented instructions of Customer (and in such circumstances, at Customer’s cost) or as required by applicable laws.
Personal Data Breach
Supplier shall notify Customer without undue delay upon Supplier becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information (insofar as such information is, at such time, within Supplier’s possession) to allow Customer to meet any obligations under Data Protection Laws to report or inform the Personal Data Breach to:
affected Data Subjects; or
the relevant Supervisory Authority(ies) (as may determined in accordance with the Data Protection Laws).
Supplier shall at Customer’s sole cost and expense co-operate with Customer and take such reasonable commercial steps as may be directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Supplier shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required of Customer by Article 35 or Article 36 of the GDPR, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing by, and information available to, Supplier.
Subject to Paragraph 9.2 and 9.4, upon the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), Supplier shall immediately cease all Processing of the Customer Personal Data for any purpose other than for storage.
Customer hereby acknowledges and agrees that, due to the nature of the Customer Personal Data Processed by Supplier, return (as opposed to Deletion) of Customer Personal Data is not a reasonably practicable option in the circumstances. Having regard to the foregoing, Customer agrees that (for the purposes of Article 28(3)(g) of the GDPR) it is hereby deemed (at the Cessation Date) to have irrevocably selected Deletion, in preference of return, of the Customer Personal Data.
To the fullest extent technically possible in the circumstances, within 28 Business Days after the Cessation Date, Supplier shall either (at its option):
irreversibly render Anonymised Data,
- all Customer Personal Data then within Supplier’s possession.
Supplier and any Subprocessor may retain Customer Personal Data to the extent required by applicable law and only to the extent and for such period as required by applicable law and always provided that Supplier shall ensure:
- the confidentiality of all such Customer Personal Data; and
- that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.]
Supplier shall make available to Customer on request such information as Supplier considers reasonably appropriate in the circumstances to demonstrate its compliance with this Data Processing Addendum (including any general data protection compliance and/or security audits Supplier may cause to be conducted).
Subject to Paragraphs 10.3 and 10.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by Supplier pursuant to Paragraph 10.1 is not sufficient in the circumstances to demonstrate Supplier’s compliance with this Data Processing Addendum, Supplier shall allow for and contribute to audits, including (only where strictly and demonstrably necessary in the circumstances) onpremise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Supplier.
Customer shall give Supplier reasonable notice of any audit or inspection to be conducted under Paragraph 10.1 (which shall in no event be less than 14 Business Days’ notice unless required by a Supervisory Authority pursuant to Paragraph 10.4(f)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies Supplier in respect of, any damage, injury or disruption to Supplier’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Supplier’s other customers or the availability of Supplier’s services to such other customers) while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course any onpremise inspection.
Supplier need not give access to its premises for the purposes of such an audit or inspection:
to any individual unless he or she produces reasonable evidence of their identity and authority;
to any auditor whom Supplier has not given its prior written approval (not to be unreasonably withheld);
unless the auditor enters into a non-disclosure agreement with Supplier on terms acceptable to Supplier;
where, and to the extent that, Supplier considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of Supplier’s other customers or the availability of Supplier’s services to such other customers;
outside normal business hours at those premises; or
on more than one occasion in any calendar year during the term of the Agreement, except for any additional audits or inspections which Customer is required to carry out by Data Protection Law or a Supervisory Authority, where Customer has identified the relevant requirement in its notice to Supplier of the audit or inspection.
The Parties shall discuss and agree the costs of any inspection or audit to be carried out by or on behalf of Customer pursuant to this Paragraph 10.4 in advance of such inspection or audit and, unless otherwise agreed in writing between the Parties, Customer shall bear any third party costs in connection with such inspection or audit and reimburse Supplier for all costs incurred by Supplier and time spent by Supplier (at Supplier’s then-current professional services rates) in connection with any such inspection or audit.
Subject to Paragraph 11.3, to the extent that any Processing by either Supplier or any Subprocessor of Customer Personal Data involves a Restricted Transfer, the Parties agree that:
Customer – as “data exporter”; and
Supplier or Subprocessor (as applicable) – as “data importer”,
hereby enter into the Standard Contractual Clauses in respect of that Restricted Transfer and the associated Processing.
In respect of any Standard Contractual Clauses entered into pursuant to Paragraph 11.1:
Clause 9 of such Standard Contractual Clauses shall be populated as follows:
“The Clauses shall be governed by the law of the Member State in which the data exporter is established.”
Clause 11(3) of such Standard Contractual Clauses shall be populated as follows:
“The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.”
Appendix 1 to such Standard Contractual Clauses being deemed to have been populated with the corresponding information set out in Annex 1 (Data Processing Details); and
Appendix 2 to such Standard Contractual Clauses being populated as follows:
“The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) are those established and maintained under Paragraph 4 of the Data Processing Addendum.”
The Standard Contractual Clauses shall come into effect under Paragraph 11.1 automatically upon the commencement of the relevant Restricted Transfer.
Paragraph 11.1 shall not apply to a Restricted Transfer unless its effect is to allow the relevant Restricted Transfer and the associated Processing to take place without breach of applicable Data Protection Laws.
In respect of any Standard Contractual Clauses entered into pursuant to Paragraph 11.1, Appendix 1 to those Standard Contractual Clauses shall be populated with the corresponding information (or subset thereof) from Annex 1 (Data Processing Details).
CHANGE IN LAWS
In the event that there is a change in the Data Protection Laws that Supplier considers (acting reasonably) would mean that Supplier is no longer able to provide the Services (including any Processing and/or Restricted Transfer(s) of Customer Personal Data) in accordance with its obligations under Data Protection Laws, Supplier reserves the right to make such changes to the Services and to amend any part of this Data Processing Addendum as it considers reasonably necessary to ensure that Supplier is able to provide the Services in accordance with Data Protection Laws.
In the event that Customer considers (acting reasonably) that any required changes made either to the Services and/or this Data Processing Addendum pursuant to Paragraph 12.1 will cause material and irreparable harm to Customer may terminate the Agreement in its entirety upon written notice to Customer with immediate effect.]
Customer acknowledges and agrees that Supplier shall be freely able to use and disclose Anonymised Data for Supplier’s own business purposes without restriction.
NO SPECIAL CATEGORIES OF DATA
Customer warrants and represents on an ongoing basis, and further undertakes, that it shall not (and shall ensure that its Personnel shall not) cause Supplier to Process any:
Special Categories of Personal Data referred to in Article 9(1) of the GDPR; or
any Personal Data relating to relating to criminal convictions or offences.
Customer will indemnify and hold harmless Supplier and its employees, officers, directors and agents from and against any and all liabilities, losses, damages, costs, fines and other expenses (including legal costs and fees) arising from or relating to any breach by Customer of this Paragraph 14.
Any and all limitations on liability set out in the Agreement shall not apply to liability arising under or in connection with the indemnity set out in Paragraph 14.1.
ORDER OF PRECEDENCE
This Data Processing Addendum shall be incorporated into and form part of the Agreement.
In the event of any conflict or inconsistency between:
this Data Processing Addendum and the Agreement, this Data Processing Addendum shall prevail; or
any Standard Contractual Clauses entered into pursuant to Paragraph 11 and this Data Processing Addendum, those Standard Contractual Clauses shall prevail.
Data Processing Details
This Annex 1 to the Data Processing Addendum includes certain details of the Processing of Customer Personal Data: as required by Article 28(3) GDPR; and (where applicable in accordance with Paragraph 11) to populate Appendix 1 to the Standard Contractual Clauses.
- Supplier provides a dashboard platform which combines data analytics, goal management and reporting tools (“Service). Supplier Processes Customer Personal Data when providing the Service, to prevent or address technical problems regarding the Service and to provide customer support.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and the Data Processing Addendum.
The nature and purpose of the Processing of Customer Personal Data
- Provide the Service.
- Provide technical administration and customer support.
- Respond to inquiries.
- Send important notices, such as communications about purchases and changes to terms, conditions, and policies.
- Process payment for purchases made.
- Deliver products and services purchased or requested.
- Make it easier to log back into the BrightGauge website and Service.
- Make contact about specials or new services (including specials and new services from affiliated companies or other third parties).
- Manage use of the Service.
- Verify eligibility and deliver prizes in connection with contests and sweepstakes.
- Enforce BrightGauge’s Terms of Service.
- Protect against or identify fraudulent transactions.
The types of Customer Personal Data to be Processed
- Contact information of customers.
- Data from interactions with customers.
- Personal Data of third parties that customers may upload onto the platform when using the Service.
Special Categories of Data (if any)
The categories of Data Subject to whom the Customer Personal Data relates
- Employees of customers.
- Third parties whose Personal Data customers upload onto the platform when using the Service.
The obligations and rights of Customer
The obligations and rights of Customer are set out in the Agreement and the Data Processing Addendum.