Data processing Addendum
TO THE SUBSCRIPTION AGREEMENT TO SIDETRADE NETWORK SERVICE
This Data Processing Addendum is supplemental to the Subscription Agreement to Sidetrade Network Service (the “Subscription Agreement”) and sets out additional terms that apply when personal data is processed by Sidetrade under the Subscription Agreement. The purpose of the Data Processing Addendum is to ensure such processing is conducted in accordance with applicable laws, including after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“General Data Protection Regulation” or GDPR).
In this addendum, “processing”, “controller”, “processor”, “data subject”, “personal data” and “personal data breach” shall have the same meaning as in the GDPR.
I – PERSONAL DATA PROCESSED BY SIDETRADE ON CUSTOMER’S BEHALF
1. PROCESSING OF CUSTOMER PERSONAL DATA
1.1 Role of the Parties – the parties acknowledge and agree that with regard to the processing of personal data, Customer is the data controller and appoints Sidetrade as a data processor to process personal data on Customer’s behalf.
1.2 Duration of processing – Sidetrade will process personal data under the provisions of this Data Processing Addendum until the earliest of (i) termination of the Subscription Agreement or (ii) the date upon which Customer informs Sidetrade that it is no longer necessary in relation to the purposes defined by Customer (such event having no effect on Customer other possible contractual commitments, in particular with regard to financial subscriptions).
1.3 Nature and purpose of processing – Sidetrade will process personal data as necessary to perform the Sidetrade Service pursuant to the Subscription Agreement and as further instructed by Customer in its use of the Sidetrade Service where such instructions are consistent with the terms of the Subscription Agreement. Sidetrade will act only on instructions from Customer and shall comply with such instructions received from Customer from time to time.
1.4 Type of Personal Data – Customer may submit personal data to the Sidetrade Service, the extent of which is determined and controlled by Customer and which may include, but is not limited to the following categories of personal data: First and last name, Title/position, Employer, Contact information (company, e-mail, phone, physical business address, social networking address).
1.5 Categories of data subjects – Customer may submit personal data to the Sidetrade Service, the extend of which is determined and controlled by Customer and which may include, but is not limited to personal data related to the following categories of data subjects: customers, employees, prospects, business partners.
1.6 Record of processing activity – Subject to the applicability of the conditions set forth in article 30 of the GDPR, Sidetrade shall maintain a record of all categories of processing activities carried out on behalf of Customer.
2. SIDETRADE PERSONNEL
2.1 Confidentiality – Sidetrade shall ensure that the members of its personnel engaged in the processing of personal data are informed of the confidential nature of the personal data and have received appropriate training on their responsibilities.
2.2 Reliability – Sidetrade shall take reasonable steps to ensure the reliability of any employee who may have access to Customer personal data and to limit access to those individuals who need to know/access the relevant personal data for the enforcement of the Subscription Agreement.
3.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Sidetrade shall implement technical and organizational measures appropriate to the risks and designed to protect the personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use, in accordance with Sidetrade’s security standards.
4. PERSONAL DATA BREACH
4.1 Upon becoming aware of a personal data breach, Sidetrade shall notify Customer without undue delay and within twenty-four (24) hours. Sidetrade shall provide such timely information as Customer may reasonably require to enable Customer to fulfill any data breach reporting obligations under EU data protection legislation.
4.2 Sidetrade shall make reasonable efforts to identify the cause of such personal data incident and take those steps as Sidetrade deems necessary and reasonable in order to remediate the cause of such incident, to the extent the remediation is within Sidetrade’s reasonable control. The obligation herein shall not apply to incidents that are caused by Customer or Customer’s Users.
5. DATA SUBJECT RIGHTS
5.1 Taking into account the nature of the processing, Sidetrade shall assist Customer by implementing appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of Customer’s obligations to respond to requests made by data subjects to exercise their rights.
5.2 To the extent that Customer does not have the ability to address a data subject request, upon Customer’s request, Sidetrade shall provide reasonable assistance to Customer, insofar as it is possible, at Customer’s costs to the extent legally permitted.
6.1 Sidetrade shall provide Customer reasonable assistance in relation to any investigations or enquiries made by any supervisory authority relating to Customer’s obligations under data protection legislation.
6.2 Sidetrade shall provide Customer reasonable assistance in relation to all information necessary to demonstrate compliance with the obligations laid down in article 28 of the GDPR.
7.1 Customer agrees that Sidetrade may engage third party sub-processors in connection with the provision of the Sidetrade Service. Sidetrade shall make available to Customer the current list of sub-processors for the Sidetrade Service. Sidetrade shall impose on such sub-processors data protection terms that protect the personal data to the same standard provided for by Sidetrade.
7.2 Customer may find on the agreed Sidetrade’s on-line page the sub-processor documentation as well as a device to receive notifications of new sub-processors for the relevant services. If Customer subscribes, Sidetrade shall provide Customer a notification for new sub-processors. Customer may object to Sidetrade’s choice by notifying Sidetrade by letter with acknowledgement of receipt within fifteen (15) days after receipt of Sidetrade’s notice, in explaining the detailed reasons of the objection. In such a case, Sidetrade will use reasonable efforts to propose to Customer a commercially rational change to Customer’s configuration or use of the Services.
8. AUDIT RIGHTS
8.1 Subject to the confidentiality obligations set forth in the Subscription Agreement and with a maximum of a yearly frequency, Sidetrade allow Customer or an auditor contractually mandated by Customer to conduct on-site audits or inspections during normal business hours, with fifteen (15) working days-notice, to verify Sidetrade’s compliance with data protection legislation.
8.2 Before the commencement of any such audit, Customer and Sidetrade shall mutually agree upon the scope, timing and duration of the audit. If the auditor’ identity may result in a conflict of interest or a competition trouble, Sidetrade will have the right to ask for the choice of another neutral auditor by Customer.
8.3 Customer will take all necessary measures to ensure that the audit will not cause any damage to Sidetrade’s equipment, data, business, personnel and premises. Customer shall be entitled to have access only to information exclusively related to the Sidetrade Services delivered to the Customer and shall use the information received for no other purpose than for the purpose of the audit.
9. DELETION AND RETURN OF CUSTOMER DATA
9.1 Save to the extent that Sidetrade is required by the applicable law to retain some or all of the personal data, upon termination or expiration of the Subscription Agreement and its related Order Form, Sidetrade shall delete all Customer’s relevant personal data, within forty-five (45) days from the said termination or expiration.
9.2 During the above mentioned forty-five (45) days period, Customer may, by written notice to Sidetrade, ask specifically for a return of a complete copy of all relevant personal data, in a reasonable format. Sidetrade may, in its sole discretion, accept to proceed to such a return, in accordance with conditions to be determined by mutual agreement between the parties.
10. DATA TRANSFERTS
10.1 Customer acknowledges and accepts that the provision of the Sidetrade Service may require the processing of personal data by sub-processors outside the European Economic Area.
10.2 To the extent any processing of personal data by Sidetrade takes place in any country outside the European Economic Area (and outside an “adequate country”), the parties agree that the standard contractual clauses approved by the EU authorities under EU data protection laws for the transfer of personal data to data processors established in third countries which do not ensure an adequate level of data protection will apply in respect of that processing between Sidetrade and the sub-processor. In this case, Sidetrade will be authorized to execute these standard contractual clauses approved by the EU authorities under EU data protection laws in the name and on behalf of Customer.
11. CUSTOMER’S OBLIGATIONS
11.1 Customer will deal with all requests from a data subject relating to his right to access, rectify, erase, oppose, benefit from a data portability or any other right in respect of such personal data.
11.2 Customer shall provide Sidetrade with reasonable information in relation to any processing of personal data and, in the case Customer changes the purposes and means of the processing of personal data, it shall inform Sidetrade accordingly so that the processing continues to take into account the nature, scope, context and purposes of processing. In particular, Customer must not process special categories of personal data covered by article 9 of the GDPR or process data with high likelihood and severity for the rights and freedoms of natural persons, without warning accordingly Sidetrade, in writings and in advance. To the extent legally permitted, Customer shall be responsible for any possible cost arising from such a situation.
12. BUSINESS CONTACT DATA.
Sidetrade processes personal data, as the data controller, for the purpose of managing the contractual and administrative relationships with its clients (invoicing, contractual and pre-sales processes). The data collected are essential for the processing and are intended for the departments concerned of Supplier and, if applicable, for its subcontractors and providers. The data collected may be transferred to Supplier’s parent company or to third companies. Data transfer agreements have been implemented to manage these transborder flows and guarantee a sufficient level of protection. In accordance with the GDPR, the Customer contributors have a right to inquire about, access and rectify all of their data and to object to their processing on legitimate grounds. Customer contributors may exercise these rights by sending an e-mail at email@example.com, together with a copy of an identity document
13. GENERAL TERMS
13.1 Except as amended by this Data Processing Addendum, the Subscription Agreement will remain in full force and effect.
13.2 If there is an express conflict between the Subscription Agreement and this Data Processing Addendum, the term of this Data Processing Addendum shall prevail.
II – PERSONAL DATA CONVEYED BY SIDETRADE TO CUSTOMER
1. For personal data conveyed by Sidetrade, from its own databases, to Customer, Sidetrade will grant Customer a non-exclusive, non-sublicensable, non-assignable, non-transferable right to access personal data for the agreed limited term, for the European Union and for the sole purpose of Customer’s professional direct marketing B2B (business to business) activity for its own products and services.
2. In using the personal data conveyed by Sidetrade, Customer acts as a controller. In consequence, Customer must take every necessary measure and ensure that its use of the personal data will comply with the European data protection laws regarding, in particular, the principles relating to processing of personal data, the information of data subjects and the exercise of their rights by data subjects. In particular, Customer:
a) will not make the personal data available to any unauthorized third party or license, sell, rent, lease, transfer, assign, republish, distribute or display them in any manner not expressly permitted by Sidetrade under the Agreement,
b) has appropriate operational and technical processes in place in line with industry standard practice to safeguard personal data against any unauthorized access, loss, destruction, theft, use or disclosure and will ensure the entire protection and safeguard of the conveyed personal data,
c) will not use the personal data for any purposes or in any manner that is illegal or improper, in particular to illegally spam directly or indirectly anyone,
d) will comply with all relevant direct marketing legislation or regulation and in particular with article 95 of the GDPR and Directive 2002/58/EC of the European Parliament and of the council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector or any future Regulation repealing Directive 2002/58/EC (clear indication of its full identity in any direct marketing message, existence of a direct link with the professional activities of the recipients, information of the recipients that they have the right to object, free of charge and through an easy to use mechanism, …) and any possible subsequent legislation,
e) will immediately stop from using all personal data concerned by an exercised right to object and inform Sidetrade of any objection.
3. Sidetrade may update the personal data, from time to time, depending on exercised right to object, available data sources or obligation to comply with an order, instruction or request of an administrative authority or a court.
4. Customer acknowledges that Sidetrade has no control over the actual use that Customer makes, under its sole responsibility, of the personal data.
5. Sidetrade gives no warranties that the personal data will be complete or will meet Customer’s expectations or requirements. Sidetrade shall not be liable for any claim arising out of inappropriate or unauthorized use of the personal data, including spamming. Customer is liable to Sidetrade for any damage (direct, indirect, material or immaterial) caused to Sidetrade or to any third party resulting from the non-compliance of its legal and contractual obligations relating to its B2B direct marketing activities.
Executed in two original copies on the
President and CEO