Last modified: October 15th, 2020
Please read and make sure you understand this Policy and the Data Protection Addendum attached to the present Policy as Attachment I (hereinafter: “Addendum”), which forms an inseparable part of the present Policy; the Policy shall be construed in accordance with the provisions of the Addendum. If you do not agree with this Policy, the Addendum or our practices, you may not use our Website or our services (the "Services"). This Policy and the Addendum may change from time to time and are, as an inseparable part, incorporated into our Website Terms and Conditions. Your continued use of our Website and Services constitutes your acceptance of those changes. We encourage you to review this Policy periodically.
Please note that the present Policy only applies to the data processing relationship between Caravel and you, either as a natural person or as a legal entity’s representative. In relation to users who are natural persons located within the European Union (“EU”) member countries, according to the provisions of the GDPR, Caravel shall be deemed the data controller.
By using the Services of Caravel, you or the legal entity you represent as our user shall be deemed – regarding the personal data of your customers – the data controller, and Caravel shall be considered the data processor. The rights and obligations regarding that relationship between you as data controller and Caravel as data processor are governed by the Addendum attached to the present Policy as Annex 1.
Caravel may from time to time handle personal data collected from individuals located within the European Union member countries. Consistent with Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”), Caravel grants enhanced data protection to individuals located within the EU. Our adherence to the GDPR regarding the personal data collected from individuals located within the EU is detailed in this Policy.
Furthermore, Caravel complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, onward transfer and retention of personal data transferred from EU member countries and Switzerland to the United States, respectively. Caravel has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield principles (“Privacy Shield Principles”) of:
Our adherence to each of these principles is detailed in this Policy. If there is any conflict between the terms of the Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. If you want to learn more about the Privacy Shield program or view Caravel’s certification, please visit https://www.privacyshield.gov.
Caravel is under the jurisdiction as well as the investigatory and enforcement powers of the US Federal Trade Commission for purposes of the EU-US Privacy Shield framework and the Swiss-US Privacy Shield Framework.
Please note that as of July 16, 2020 the European Court of Justice invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, which means that participants in the Privacy Shield Framework are no longer deemed to provide appropriate safeguards for the personal data of European citizens. In line with this judgement the EU and the US are working together to achieve a complete and effective framework guaranteeing that the level of protection granted to personal data in the US is essentially equivalent to that guaranteed within the EU. In the meantime, our Company stays committed to protecting our customers’ personal data, and as of today we fully comply with the regulations of the GDPR and the Privacy Shield Framework (effective on July 16, 2020).
Caravel also complies with Brazil’s Law No. 13,709, of August 14, 2018 on the Brazilian General Data Protection Act (in Portuguese: Lei Geral de Proteção de Dados, hereinafter: “LGPD”) in respect of Brazilian individuals.
In respect of Californian individuals Caravel complies with the Senate Bill No. 1121 California Consumer Privacy Act of 2018 (hereinafter: “CCPA”). For Californian individuals, this Policy and Caravel’s CCPA Notice shall apply.
This Policy covers Caravel’s treatment of information that Caravel gathers when you are accessing Caravel's Website as a user and when you use Caravel’s Services. Also, this Policy covers Caravel’s treatment of your information that Caravel shares with Caravel’s business partners. This Policy does not apply to the practices of third parties that Caravel does not own or control (such as third-party websites that you may access from the Website), or to individuals that Caravel does not employ or manage.
2. What information does Caravel collect?
The information we gather from users enables Caravel to personalize and improve our Services and to allow our users to set up accounts on the Website. While we are providing our Services, we receive certain data from users or third parties (e.g. helpdesks, survey tools) about the customers of our users. We collect the following types of information from our users and their customers:
2.1 Information You Provide to Us:
We receive and store any information you as our user enter on our Website or provide to us in any other way. The types of information collected include, without limitation, your full name, email address, mailing address, phone number, password, contact information and content consumed on the Website. Some of this information is not mandatory but is necessary to use all of our functions.
In addition, we collect the following financial data: account holder name, bank name, account number, currency of account. For taxation reasons, we need to collect Tax ID (US: tin: SSIN/EIN), citizenship, country of residence. In some cases, we’ll need to ask for a government ID, Green Card, or other proof of address or proof of residency status as regulated by taxation law.
2.2 Information Collected Automatically:
We receive and store certain types of information whenever you as our user interact with our Website or Services. Caravel automatically receives and records information on our server logs from your browser including your IP address, unique device identifier, browser characteristics, domain and other system settings, search queries, device characteristics, operating system type, language preferences, referring URLs, actions taken on our Website, page requested, content consumed (e.g., viewed, uploaded, and shared), dates and times of Website visits, and other information associated with other files stored on your device.
2.3 Information we receive from you regarding your users and from third parties:
By providing our Services we receive and collect certain personal data on the customers of our users that is provided to us by third parties (e.g. Helpdesks, CRMs, Surveys, Email) and we also receive personal data for the purpose of processing directly from our users including, but not limited to the uploaded or shared personal data of our user’s customers, like name, e-mail, phone number, address, gender, age or IP address.
If the provisions of the GDPR apply, in that relationship regarding the personal data of your customers you shall be deemed the data controller, and therefore you as our user are also responsible for complying with the provisions of the GDPR. Please note that in such case the data processing relationship between the data controller and the data processor shall be governed by a written contract, and such written contract shall satisfy the requirements of Article 28 of the GDPR. In order to facilitate your compliance with the provisions of the GDPR, Caravel provides you with a written contract on data processing; therefore, the data processing relationship between you, as data controller, and Caravel, as data processor, shall be governed by the Addendum attached to the present Policy as Attachment I, which shall form an integral part of the present Policy.
3. What About Cookies?
4. How Does Caravel Use My Information?
We may use your information, including your personal information, for the following purposes and on the following legal bases:
1. We process the following personal data for the purpose and on the legal basis of the performance of the contract, product and service fulfillment:
The information you provide is used for purposes such as responding to your requests for certain products and services, customizing the content you see, communicating with you about specials, sales offers, and new features, and responding to problems with our Services. It is also used to fulfill and manage payments or requests for information, or to otherwise serve you, provide any requested services and administer sweepstakes and contests.
2. We process the following personal information based on your consent (as the legal basis of this processing) for marketing purposes, to deliver coupons, newsletters, receipt messages, and e-mails. We also send marketing communications and other information regarding services and promotions based on your consent and administer promotions:
You shall always have the right to withdraw your consent at any time.
3. We process personal data for the purpose and on the legal basis of compliance with legal obligations to prevent fraudulent transactions, monitor against theft and otherwise protect our customers and our business. We also process personal data for the purpose and on the legal basis of legal compliance and to assist law enforcement and respond to subpoenas.
This means that in some cases the data processing is stipulated by the applicable laws and we have an obligation to process and keep this data for the required time. This includes employment data, billing data, data which is necessary to assist law enforcement etc.
4. We process the following personal data for the purpose and on the legal basis of the legitimate interests of the Company, to improve the effectiveness of the Website, our Services, and marketing efforts, to conduct research and analysis, including focus groups and surveys and to perform other business activities as needed, or as described elsewhere in this Policy:
Where it is feasible, we anonymize personal data or use non-identifiable statistical data. We do not collect personal data in advance and store it for potential future purposes unless required or permitted by the applicable laws.
To collect the above-mentioned data anonymously and to produce statistics and analyses, we may use the following software and programs:
Google Analytics and Google AdWords (Google LLC.)
1600 Amphitheatre Parkway Mountain View, CA 94043
United States of America
5. Data integrity and purpose limitation: Caravel will only collect and retain personal data which is relevant to the purposes for which the data is collected, and we will not use it in a way that is incompatible with such purposes unless such use has been subsequently authorized by you. We will take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete and current. We may occasionally contact you to determine that your data is still accurate and current. To secure the personal information we process, we save your personal information to backup archives every 24 hours. The data stored in our backup archives will be deleted every six months.
5. How Long We Retain Your Personal Data?
We will retain your personal data for so long as it is needed to fulfill the purposes outlined in this Policy or until you withdraw your consent, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). When we no longer have a legal basis to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
6. Will Caravel share any of the information it receives?
Information about our users is an integral part of our business, and we may share such information with our affiliated entities. Except as expressly described below, we neither rent nor sell your information to other people or nonaffiliated companies unless we have your permission.
6.1 Third Party Service Providers:
We may share certain personal information with third party vendors who supply software applications, web hosting and other technologies for the Website and the Services. We will only provide these third parties with access to information that is reasonably necessary to perform their work or comply with the law. Those third parties will never use such information for any other purpose except to provide services in connection with the Website and the Services. We may also share aggregated or de-identified information, which cannot reasonably be used to identify you. We may also engage a data processing service to process personal data. While providing that service, the data processor shall abide by the present Policy, the relevant legislation in force and the provisions of Caravel’s existing contracts.
6.2 List of Third Party Service Providers:
Google LLC. (Google Analytics, Google Cloud Platform)
1600 Amphitheatre Parkway Mountain View, CA 94043
United States of America
Web analytics service that tracks and reports traffic on the Website.
Cloud services for application hosting, data storage, and text analysis.
Webflow, Inc.
398 11th Street, 2nd Floor, San Francisco, CA 94103
United States of America
Marketing website hosting
BB&T Tower, 271 17th St NW, Atlanta, GA 30363
United States of America
The Rocket Science Group LLC d/b/a MailChimp
675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308
United States of America
251 Little Falls Drive, Wilmington (New Castle) DE 19808
United States of America
25 First Street, 2nd Floor, Cambridge, MA 02141
United States of America
CRM, marketing automation
Notion Labs, Inc.
548 Market St #74567, San Francisco, CA 94104
United States of America
Slack Technologies, Inc.
500 Howard Street, San Francisco, CA 94105
United States of America
510 Townsend Street, San Francisco, CA 94103
United States of America
375 Beale Street, Suite 300, San Francisco, CA 94105
United States of America
Email distribution services
182 Shipley St, San Francisco, California 94107
United States of America
6.3 Transfer of Personal Data collected from individuals located within the EU:
Our service providers Google LLC., Webflow, Inc., The Rocket Science Group LLC d/b/a MailChimp, LinkedIn Corporation, HubSpot, Inc., Slack Technologies, Inc., Stripe, Twilio Inc. have their registered seat in the United States and they comply with the EU-US and the Swiss-US Privacy Shield Frameworks; therefore transfer of your personal data to the aforementioned service providers was deemed safe until July 16, 2020. Please note that according to judgement no. C-311/18 of the Court of Justice of the European Union, these companies are no longer considered to provide appropriate safeguards for the personal data of European citizens. For more information, you can read the judgement here.
If we transfer personal data collected from individuals located within the EU to a third-party acting as a data processor, and such third-party agent processes your personal information in a manner inconsistent with the GDPR, we may be responsible under the rules of the GDPR.
We transfer personal data collected from individuals located within the EU to a third party having a registered seat outside the EU or the United States of America and acting as a data processor without the appropriate safeguards set out in the GDPR only with the consent of the individuals, or when it is necessary for the performance of the contract. Caravel will make every effort to ensure that the personal data transferred is safe and secure and that the personal data is processed in a manner consistent with the GDPR.
Our service providers Google LLC., Webflow, Inc., Calendly, LLC, LinkedIn, Hubspot, Inc., Notion Labs, Inc., Slack Technologies, Inc., Stripe, Inc., Twilio, Inc., and trycourier.com, Inc. have their registered seat in the United States and are necessary data processors for the performance of the contract between users and Caravel, and data transfers between these companies and Caravel are occasional, in line with Article 49, Section 1. (b) of the GDPR.
6.4 Caravel may release your information:
6.5 Opt-In for Promotions:
We do not share personally identifiable information with other third-party organizations for their marketing or promotional use without your consent or except as part of a specific program or feature for which you will have the ability to opt-in.
6.6 With Your Consent:
Except as set forth above, you will be notified when your information may be shared with third parties and will have the option of preventing the sharing of this information.
6.7 Data retention and aggregated data processing
Please note that we may retain certain personal information after your account has been terminated. We reserve the right to use your information in any aggregated data collection after you have terminated your account, however we will ensure that the use of such information will not identify you personally.
6.8 Accountability for onward transfer:
Caravel will not transfer personal data originating in the EU or Switzerland to third parties unless such third parties have entered into an agreement in writing with us requiring them to provide at least the same level of privacy protection to your personal data as required by the GDPR and / or Privacy Shield Principles. We acknowledge our liability for such data transfers to third parties.
7. Is information about me secure?
We take commercially reasonable measures to protect all collected information from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. Please understand that you can help keep your information secure by choosing and protecting your password appropriately, not sharing your password and preventing others from using your computer. Please understand that no security system is perfect and, as such, we cannot guarantee the security of the Website, or that your information won’t be intercepted while being transmitted to us. If we learn of a security systems breach, then we may either post a notice, or attempt to notify you by email and will take reasonable steps to remedy the breach.
8. Children's Privacy
Our Website is not directed to children under 16 and we do not knowingly collect personal information from children under 16. If we learn that we have collected personal information of a child under 16 we will take steps to delete such information from our files as soon as possible. If you are aware of anyone under 16 using the Website, please contact us at email@example.com.
9. Links to Third Party Sites and Services
10. Your Privacy Rights
10.1 Access and Retention:
If you have a Website account, you can log in to view and update your account information. You have the right to obtain confirmation of whether or not we are processing personal data relating to you, have communicated to you such data so that you could verify its accuracy and the lawfulness of the processing and have the data corrected, amended or deleted where it is inaccurate or processed in violation of the Privacy Shield Principles.
We encourage you to contact us at firstname.lastname@example.org with your questions or concerns, or to request edits to your personal information, or to have it removed from our database. Requests to access, change or remove your personal data will be handled within 30 days.
10.2 Additional Rights for EU Territory:
If you are from the territory of the EU, you may have the right to exercise additional rights available to you under applicable laws, including:
If you would like to exercise such rights, please contact us at email@example.com. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.
For any complaints that we can’t resolve directly, please contact our European Representative Weiszbart and Partners Law Firm (address: 1052 Budapest, Kristóf tér 3. III. flr., Hungary; e-mail: firstname.lastname@example.org).
You also have the right to complain to the EU Data Protection Authority about our collection and use of your personal data. For more information, please contact your local EU Data Protection Authority.
10.3 Additional Rights for Brazilian individuals
If you are a Brazilian individual, you have the following rights in addition to the rights described in section 10.2 of this Policy:
If you would like to exercise such rights, please contact our data protection officer at email@example.com. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.
11. Recourse, Enforcement and Liability
11.1 Caravel is committed to protecting your personal data as set forth in this Policy. If you think we are not in compliance with our Policy, or if you have any question or if you wish to take any other action concerning this Policy, contact us at firstname.lastname@example.org. You can also contact us at our contact office at Afternoon Inc. DBA Caravel (address: 6421 SW Parkhill Way, Portland OR, 97239). We will investigate your complaint, take the appropriate action and report back to you within 30 days.
In addition, if you are from the territory of the EU, you also have the right to complain to the EU Data Protection Authority about our collection and use of your personal data. For more information, please contact your local EU Data Protection Authority.
If you are a Brazilian individual, you have the right to complain to our data protection officer at email@example.com or to the ANPD about our collection and use of your personal data. For more information, please contact the ANPD.
11.2 If your personal data in question was transferred from the EU or Switzerland to the United States and you are not satisfied with our response, we have further committed to refer unresolved Privacy Shield complaints to the dispute resolution procedures of the EU Data Protection Authorities. Caravel will cooperate with the appropriate EU Data Protection Authorities during investigation and resolution of complaints concerning personal data that is transferred from the EU to the United States brought under Privacy Shield. For complaints involving personal data transferred from Switzerland, we commit to cooperate with the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) and comply with the advice given by the FDPIC. Complaints regarding processing of personal data pertaining to data subjects located in the EU and Switzerland may be reported by the individual to the relevant Data Protection Authority.
These recourse mechanisms are available at no cost to you. Damages may be awarded in accordance with the applicable law.
You may be able to invoke binding arbitration under certain conditions through the arbitration mechanism of the American Arbitration Association if you are not satisfied with the above recourse mechanisms. The arbitration is available to you to determine, for residual claims, whether Caravel has violated its obligations under the Principles as to you, and whether any such violation remains fully or partially unremedied.
Your decision to invoke the binding arbitration option is entirely voluntary. The arbitral decisions will be binding on all parties to the arbitration.
12. Modifications to this Policy
We will modify this Policy if our privacy practices change. We will notify you of such changes by posting the modified version on our Website and indicating the date it was last modified, and, if the changes are significant, we will provide a more prominent notice (including by email in certain instances). The date this Policy was last modified is at the top of this page. Please periodically review this Policy so that you are familiar with the current Policy and aware of any changes.
13. For users in California
If you are a user in California, the Company's Privacy Notice for California Consumers at this link applies to you.
We will not share any personal data with third-parties for their direct marketing purposes to the extent prohibited by California Consumer Privacy Act of 2018 (CCPA). If our practices change, we will do so in accordance with applicable laws and will notify you in advance.
If you have any questions concerning this Policy or the Services, please contact us at firstname.lastname@example.org. You can also contact us at our contact office (address: 6421 SW Parkhill Way, Portland OR, 97239).
This Data Processing Addendum (hereinafter: "Addendum") which also serves as Standard Contractual Clauses according to Article 46 section 2. (c) of GDPR forms an integral part of the Terms and Conditions of Afternoon, Inc. DBA Caravel, a Delaware corporation operating under the laws of State of Delaware, having its registered office at 1013 Centre Road Suite 403-B, City of Wilmington, County of New Castle, Delaware 19805, USA (hereinafter: "Data Processor") accepted by its user (hereinafter: "Data Controller") during the registration procedure on the website of the Data Processor (hereinafter: "Principal Agreement") (Data Controller and Data Processor shall collectively be referred to as the: “Parties”).
In connection with the personal data collected from individuals located within the European Union (“EU”) member countries, in accordance with the Article 28 (Processor) of the General Data Protection Regulation 2016/679 of the European Union, the Parties decided to record in writing their rights and obligations regarding their data processing relationship.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.
In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an amendment to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
1.1. In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1. "Applicable Laws" means European Union or Member State of the European Union laws with respect to any Data Controller Personal Data in respect of which Data Controller is subject to EU Data Protection Laws;
1.1.2. "Contracted Processor" means Data Processor or a Subprocessor;
1.1.3. "Data Controller Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Data Controller in connection with the Principal Agreement;
1.1.4. "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5. "European Representative" means Weiszbart and Partners Law Firm (address: 1052 Budapest, Kristóf tér 3. III. flr., Hungary; e-mail: email@example.com).
1.1.6. "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.7. "Services" means the services and other activities to be supplied to or carried out by or on behalf of Data Processor for Data Controller pursuant to the Principal Agreement;
1.1.8. "Subprocessor" means any person (including any third party, but excluding an employee of Data Processor or any of its sub-contractors) appointed by or on behalf of Data Processor to Process Personal Data in connection with the Principal Agreement.
1.2. The terms, "Data Subject", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly (Extract of the GDPR – see Annex 2 to this Addendum).
1.3. The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Processing of Data Controller Personal Data
2.1. Data Processor shall:
2.1.1. comply with all applicable Data Protection Laws in the Processing of Data Controller Personal Data; and
2.1.2. not process Data Controller Personal Data other than on the Data Controller’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Data Processor shall, to the extent permitted by Applicable Laws, inform the Data Controller of that legal requirement before the relevant Processing of that Personal Data.
2.2. Data Controller shall instruct Data Processor to:
2.2.1. process Data Controller Personal Data and
2.2.2. in particular, transfer Data Controller Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement.
2.2.3. Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Data Controller Personal Data as required by Article 28(3) of the GDPR. The Parties may make reasonable amendments to Annex 1 by written notice to the other Party from time to time as a Party reasonably considers necessary to meet those requirements. Nothing in Annex 1 confers any right or imposes any obligation on the Parties to this Addendum.
3. Data Processor
3.1. Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Data Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Data Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor shall in relation to the Data Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2. In assessing the appropriate level of security, Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5.1. Data Controller authorizes Data Processor to appoint Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.
5.2. Data Processor may continue to use those Subprocessors already engaged as at the date of the present Addendum, subject to Data Processor in each case as soon as practicable meeting the obligations set out in section 5.4.
5.3. Data Processor shall give Data Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 3 (three) calendar days of receipt of that notice, Data Controller notifies Data Processor in writing of any objections to the proposed appointment:
5.3.1. Data Processor shall work with Data Controller in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and
5.3.2. where such a change cannot be made within 30 (thirty) calendar days from Data Processor’s receipt of Data Controller’s notice, notwithstanding anything in the Principal Agreement, Data Controller may by written notice to Data Processor with immediate effect terminate the Principal Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor.
5.4. With respect to each Subprocessor, Data Processor shall:
5.4.1. before the Subprocessor first Processes Data Controller Personal Data (or, where relevant, in accordance with section 5.2), ascertain that the Subprocessor is capable of providing the level of protection for Data Controller Personal Data required by the Principal Agreement;
5.4.2. ensure that the arrangement between on the one hand (a) Data Processor, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Data Controller Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR; and
5.4.3. provide to Data Controller for review such copies of the Contracted Processors' agreements with Subprocessors as Data Controller may request from time to time.
5.5. Data Processor shall ensure that each Subprocessor performs the obligations set out in this Addendum, as they apply to Processing of Data Controller Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Data Processor.
6. Data Controller Personal Data
6.1. The Parties state that by providing the Services Data Processor uses personal data of the customers of the Data Controller obtained from third parties. According to Article 12, section (1) of the GDPR the Data Controller is obliged to inform its customers that during the Data Controller's data processing certain personal data are being collected from third parties.
6.2. Having regard to the ascertainments under section 6.1 the Parties agree that Data Controller is solely obliged to inform its customers by providing the necessary information prescribed by section 14 of the GDPR.
6.3. DATA PROCESSOR HEREBY EXCLUDES ANY AND ALL LIABILITY REGARDING THE INFORMATION OF THE CUSTOMERS OF THE DATA CONTROLLER REGULATED BY THE PRESENT SECTION, AND EXCLUDES ANY LIABILITY FOR ANY FINANCIAL AND/OR NON-MATERIAL LOSS AND/OR DAMAGE, CONSEQUENTIAL LOSS AND/OR DAMAGES, AND LOSS OF PROFIT THAT MAY OCCUR BECAUSE OF THE FAILURE OF THE DATA CONTROLLER TO PERFORM ITS OBLIGATION TO INFORM ITS CUSTOMERS AND/OR TO PERFORM ITS OBLIGATIONS AS REQUIRED BY SECTION 14 OF THE GDPR.
6.4. DATA CONTROLLER IS OBLIGED TO REIMBURSE AND INDEMNIFY DATA PROCESSOR IF ANY FINANCIAL AND/OR NON-MATERIAL LOSS AND/OR DAMAGE, CONSEQUENTIAL LOSS AND/OR DAMAGE, AND LOSS OF PROFIT OCCUR AT THE DATA PROCESSOR DUE TO THE INFRINGEMENT OF ANY OF THE OBLIGATIONS PRESCRIBED IN THE PRESENT SECTION 6.
6.5. IN CASE DATA CONTROLLER INFRINGES ANY OF ITS OBLIGATIONS PRESCRIBED BY THE PRESENT SECTION, SUCH OMISSION OF THE DATA CONTROLLER SHALL BE DEEMED A MATERIAL BREACH AND DATA PROCESSOR HAS THE RIGHT TO TERMINATE THE CONTRACT CONCLUDED BETWEEN THE DATA CONTROLLER AND THE DATA PROCESSOR WITHOUT NOTICE.
7. Data Subject Rights
7.1. Taking into account the nature of the Processing, Data Processor shall assist the Data Controller by implementing appropriate technical and organizational measures previously accepted by the Data Controller, insofar as this is possible, for the fulfilment of the Data Controller’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
7.2. Data Processor shall:
7.2.1. promptly notify Data Controller if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Data Controller Personal Data; and
7.2.2. ensure that the Contracted Processor does not respond to that request except on the documented instructions of Data Controller or as required by Applicable Laws to which the Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform Data Controller of that legal requirement before the Contracted Processor responds to the request.
8. Personal Data Breach
8.1. Data Processor shall notify Data Controller without undue delay upon Data Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Data Controller Personal Data, providing Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8.2. Such notification shall as a minimum:
8.2.1. describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;
8.2.2. communicate the name and contact details of Data Processor’s data protection officer or other relevant contact from whom more information may be obtained;
8.2.3. describe the likely consequences of the Personal Data Breach; and
8.2.4. describe the measures taken or proposed to be taken to address the Personal Data Breach.
8.3. Data Processor shall co-operate with Data Controller and take such reasonable commercial steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
9.1. Data Processor shall provide assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Data Controller reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Data Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors. The Data Controller shall ensure that during such data protection impact assessment the usual session at the Data Processor will not cause any unnecessary inconvenience to the Data Processor.
10. Deletion or return of Data Controller Personal Data
10.1. Subject to sections 10.2 and 10.3, Data Processor shall promptly and in any event within 3 (three) calendar days of the date of cessation of any Services involving the Processing of Data Controller Personal Data (the "Cessation Date"), or at any time upon written request of the Data Controller, delete and procure the deletion of all copies of those Data Controller Personal Data.
10.2. Subject to section 10.3, Data Controller may in its absolute discretion by written notice to Data Processor within 3 (three) calendar days of the Cessation Date, or at any time upon written request of the Data Controller, require Data Processor to (a) return a complete copy of all Data Controller Personal Data to Data Controller by secure file transfer in such format as is reasonably notified by Data Controller to Data Processor; and (b) delete and procure the deletion of all other copies of Data Controller Personal Data Processed by any Contracted Processor. Data Processor shall comply with any such written request within 3 (three) calendar days of the Cessation Date.
10.3. Each Contracted Processor may retain Data Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Data Controller Personal Data and shall ensure that such Data Controller Personal Data is only Processed as necessary for the purposes specified in the Applicable Laws requiring its storage and for no other purpose.
11. Audit rights
11.1. Subject to section 11.2, Data Processor shall make available to Data Controller on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Data Controller or an auditor mandated by Data Controller in relation to the Processing of the Data Controller Personal Data by the Contracted Processors.
11.2. Data Controller undertaking an audit shall give Data Processor reasonable notice of any audit or inspection to be conducted under section 11.1 and shall make reasonable endeavors to avoid causing or, if it cannot avoid, to minimize any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
12. Indemnification and penalty
12.1. Data Processor shall indemnify Data Controller for any and all loss, damage, payments, deficiencies, fines, judgements, liabilities, costs and expenses resulting from Data Processor’s or a Subprocessor’s non-compliance with or infringement of the provisions of this Addendum or the requirements of the GDPR.
12.2. Data Processor shall within 30 (thirty) calendar days of the written notice of the Data Controller indemnify Data Controller for the losses described in section 12.1.
13. General Terms
13.1. Governing law and jurisdiction
13.1.1. Having regard to Article 27(1) of the GDPR and the European Representative of the Data Controller the Parties to this Addendum hereby stipulate the exclusive competence of the competent Hungarian court regarding any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity.
13.1.2. This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by and construed in accordance with the laws of Hungary.
13.2. Order of precedence
13.3. Changes in Data Protection Laws, and modification of the Contract
13.4.1. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
This Annex 1 includes certain details of the Processing of Data Controller Personal Data as required by Article 28(3) GDPR.
1) Subject matter and duration of the Processing of Data Controller Personal Data
The subject matter of the Processing is the personal data of the Data Controller Processed during the use of the Services of the Data Processor available on the Data Processor’s Site.
Data Processor Processes the personal data until the Data Controller deletes its user profile on the Site.
2) The nature and purpose of the Processing of Data Controller Personal Data
To perform the Data Processor obligations to maintain and provide the Services set forth in the Principal Agreement.
3) The types of Data Controller Personal Data to be Processed
The personal data Processed by the Data Controller.
4) The categories of Data Subject to whom the Data Controller Personal Data relates
The categories of the partners and users of the Data Controller.
5) The obligations and rights of Data Controller
The obligations and rights of Data Controller are set out in the Principal Agreement and in this Addendum.
‘Personal Data’ means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Supervisory Authority’ means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR.