DATA PROCESSING/PROTECTION AGREEMENT (“DPPA”)

Last Modified: Sept 1, 2021

The terms of this DPA shall only apply in respect of the collection and processing of Personal Data of Data Subjects located within the EEA.

In the event of:

(i) any change in DP Laws;

(ii) the issuance of updated guidance by an appropriate Supervisory Authority; or

(iii) any material change in accepted practice in relation to services similar to the Subscription Service or Consulting Services,

either of which affect the contents of this DPA (including in relation to the specified roles of the parties in clause 2.1 below), the parties agree to enter into good faith discussions to make any appropriate consequential updates to this DPA. Such updates may be agreed by the parties in writing (including via email) and shall be deemed incorporated into this DPA. Each party shall bear their own costs in relation to such updates.

1. DEFINITIONS

1.1 For the purposes of this DPA, capitalised terms shall have the meanings given below. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.

“Collected Personal Data” means the Personal Data collected by Obviyo pursuant to the Agreement during the course of providing the Subscription Service and Consulting Services;

“Complaint” means a complaint or request relating to either party’s obligations under DP Laws relevant to the Agreement including any compensation claim from a Data Subject or any notice, investigation or other action from a Supervisory Authority;

“Data Subject Request” means a request made by a Data Subject to exercise any rights of Data Subjects under DP Laws;

“DP Laws” means any applicable law relating to the processing, privacy, and/or use of Personal Data, as applicable to Obviyo and/or you and/or the sharing of Personal Data as envisaged by the Agreement, including the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any laws or regulations implementing Council 2002/58/EC (ePrivacy Directive) and the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) and/or any corresponding or equivalent UK laws or regulations and any laws which implement any such laws and any laws that replace, extend, re-enact, consolidate or amend any the foregoing.

“Personal Data Breach” means a breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data;

“Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering DP Laws; and where used in the Agreement, the terms “Data Controller” (or Controller), “Data Processor” (or Processor), “Data Subject”, “international organisation”, “Personal Data” and “processing” and “Sensitive Personal Data” (or special categories of Personal Data) all have the meanings given to those terms in DP Laws (and related terms such as “process” shall have corresponding meanings).

2. DATA PROCESSING/PROTECTION OBLIGATIONS

2.1  Each party is a separate and independent Controller of the Personal Data it discloses or makes available to the other party, and processes under the Agreement.

2.2  Obviyo shall:

2.2.1  only use and/or process the Personal Data for lawful purposes as strictly required in order to provide the Subscription Service or Consulting Services to you under the Agreement;

2.2.2  provide to you sufficient information to enable you to comply with Articles 13 and 14 of GDPR; and

2.2.3  be permitted to transfer the Personal Data to a third party in connection with the performance of the Subscription Service or Consulting Services provided that Obviyo ensures that the relevant third party is contractually bound to substantially similar obligations with respect to the processing of Personal Data as to which Obviyo is bound by this DPA.

2.3  Each party shall:

2.3.1  comply with its obligations under DP Laws in connection with the processing of the Personal Data. Nothing in the Agreement shall prohibit or otherwise restrict a party that processes Personal Data from complying with its obligations under applicable DP Laws;

2.3.2  perform its obligations under this DPA at its own cost;

2.3.3  keep Personal Data secure at all times, including by implementing and maintaining at its cost and expense, appropriate technical and organisational measures in relation to its Processing of the Personal Data so as to ensure a level of security appropriate to the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed;

2.3.4  ensure that any individuals authorised to process the Personal Data on behalf of that party have committed themselves to appropriate standards of confidentiality;

2.3.5  provide reasonable assistance, information and co-operation as regards data processing/protection matters where requested by the other party in respect of Personal Data shared or held in common between them pursuant to the Agreement, including:

      1. (a)  in respect of any matter which in the reasonable opinion of the other party is required for ensuring that party’s continued compliance with the DP Laws;
      2. (b)  in respect of any claim and/or exercise or purported exercise of rights by a Data Subject under DP Laws or any investigation or enforcement activity by any lawful data processing/protection supervisory authority, which relates to or is connected with the other party’s Processing of Personal Data pursuant to the Agreement;
      3. (c)  in respect of any Personal Data Breach, promptly providing such information as the other party requires under DP Laws to report such Personal Data Breach to the Supervisory Authority;
      4. (d)  if it is contacted or approached in relation to any claim and/or exercise or purported exercise of rights by a Data Subject under the DP Laws;
      5. (e)  in respect of any data processing/protection impact assessment which either party is required to carry out (or any prior consultation with a Supervisory Authority in respect of the same);
      6. (f)  in the event of any investigation or enforcement activity by the Information Commissioner or any other Supervisory Authority; or
      7. (g)  in the event of any Personal Data Breach; and

2.3.6  provide all information as is reasonably requested by the other party (and, where appropriate, contribute to any audits or inspections where reasonably required) in order to demonstrate compliance with DP Laws.

2.4  In addition to your obligations under clause 2.3 above, you will also ensure that you show any Data Subjects of the Collected Personal Data a privacy notice which: (i) complies with DP Laws; (ii) describes the disclosure of their Personal Data to, and its processing by, Obviyo; and (iii) wherever possible, names Obviyo. You will also ensure that you have a lawful basis for processing the Collected Personal Data under DP Laws and have, where appropriate, obtained any necessary consents from the Data Subjects pursuant to the requirements of such DP Laws for both the processing and collection of the Collected Personal Data by Obviyo and the setting of cookies and other similar technologies by Obviyo.

2.5  To the extent permitted by applicable law, neither party shall:

2.5.1 notify a Supervisory Authority or Data Subject of any Personal Data Breach; or

2.5.2 issue any public statement or otherwise notify any Data Subject of such Personal Data Breach, without first consulting with, and obtaining the consent of, the other party.