Data Processing Addendum
Last updated: July 15, 2020
This data processing agreement (the “DPA”) is entered into by and between 3DIQ, LLC (the “Data Processor” or “3DIQ”) with whom you entered into a Software Service Agreement for the provision of services (the “SSA”) and you (the “Data Controller”) and incorporates the terms and conditions set out in the Schedule hereto. This DPA supplements and forms part of the SSA. Defined terms used in this DPA have the meanings provided in the Schedule.
Under the SSA, Data Controller has appointed 3DIQ to provide certain services (“Services”) to Data Controller. As a result of its providing the Services to Data Controller, 3DIQ will store and process certain personal information of Data Controller as described below:
1. The Customer Personal Data Processed by 3DIQ will be subject to the following basic Processing activities: operations necessary for the provision of the Services under the SSA by 3DIQ, including the storage, retrieval, use, disclosure, erasure, destruction and access of the Customer Personal Data.
2. This DPA shall apply to all Customer Personal Data provided to 3DIQ for the purposes of the provision of the Services under the SSA (the “Permitted Purpose”).
3. The Customer Personal Data Processed by 3DIQ includes and shall be limited to the following categories of data: (i) identification and contact information (such as name, email address, address, title and contact details) of Data Controller and Data Controller’s customers and other contacts; (ii) Data Controller’s purchase information, including payment method, products purchased, and billing information; and (iii) information gathered in connection with the provision of services to Data Controller, including analytics, social networking information, device information, and browser information of both Data Controller and Data Controller’s customers and other contacts.
4. The Customer Personal Data Processed by 3DIQ may contain special categories of personal data.
The DPA is being put in place to ensure that 3DIQ processes Data Controller’s personal data on Data Controller’s instructions and in compliance with Applicable Data Protection Laws.
The Parties to this DPA hereby agree to be bound by the terms and conditions in the attached Schedule as applicable with effect from July 15, 2020 or the effective date of the SSA (whichever is later) (the “Effective Date”). We may amend this DPA from time to time due to changes in Applicable Data Protection Laws or as otherwise determined by us in our commercially reasonable discretion. Any amendment will only become effective upon notification to you (by email or by posting on our website) and, if you do not agree to any such amendment, you should stop using our Services and contact us to cancel your account.
SCHEDULE
STANDARD TERMS FOR PROCESSING
1. Definitions
For the purposes of this DPA, the following expressions bear the following meanings unless expressly stated otherwise:
“Applicable Data Protection Laws” (or “ADPL”) means the data protection laws of various jurisdictions that are or may become applicable to 3DIQ, as determined by 3DIQ in its sole discretion, including without limitation, (i) the General Data Protection Regulation 2016/679 (“GDPR”) and any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument of the Data Controller’s Member State which implements the GDPR, and the e-Privacy Directive 2002/58/EC (in each case as amended, consolidated, re-enacted or replaced from time to time), (ii) United Kingdom General Data Protection Regulation (UK-GDPR) and Data Protection Act 2018, and (iii) California Civil Code sections 1798.100–1798.199 (2020), the California Consumer Privacy Act (“CCPA”);
“Consumer” has the meaning given in the CCPA;
“Customer Personal Data” means Personal Data as the term is defined in the GDPR or Personal Information as that term is defined in the CCPA provided by Data Controller to 3DIQ for Processing or Sale on behalf of Data Controller pursuant to the SSA;
“Data Subject” means a Consumer or an EU Data Subject, as applicable;
“EU Data Subject” for purposes of this DPA shall mean an identified or identifiable natural person who is in the EEA, the UK or Switzerland (the “GDPR Countries”) or whose behavior is monitored in the GDPR Countries or whose rights are protected by the GDPR;
“Model Clauses” means the standard contractual clauses for the transfer of Personal Data to 3DIQs established in Third Countries set out in the Commission Decision of 5 February 2010 (C(2010) 593), as amended by EU Commission Implementing Decision 2016/2297 of 16 December 2016;
“Process”, “Processed” or “Processing” have the meaning given in the ADPL;
“Sell,” “Selling,” “Sale,” or “Sold” have the meaning given in the CCPA; and
“Third Countries” means all countries outside of the scope of the data protection laws of the European Economic Area (“EEA”), excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time.
2. Conditions of Processing
This DPA governs the terms under which (i) 3DIQ is required to Process Customer Personal Data on behalf of Data Controller and (ii) 3DIQ may Sell Customer Personal Data. In the event of any conflict or discrepancy between the terms of the SSA and this DPA, the terms of this DPA shall prevail, to the extent of the conflict. In the event of any conflict or discrepancy between this DPA and any applicable Model Clauses, the terms of the Model Clauses shall prevail to the extent of the conflict.
3. 3DIQ’s Obligations
3.1 3DIQ shall only Process or Sell Customer Personal Data on behalf of Data Controller and in accordance with, and for the purposes set out in the documented instructions received from Data Controller from time to time. If 3DIQ cannot provide such compliance for whatever reason (including if the instruction violates Applicable Data Protection Laws), it agrees to inform Data Controller of its inability to comply as soon as reasonably practicable at the email address provided by Data Controller to 3DIQ.
3.2 3DIQ shall ensure that its personnel who are authorized to Process or Sell the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 3DIQ shall implement and hold in force for the term of this DPA specific technical and organizational security measures as required by the Applicable Data Protection Laws (the “Security Policy”).
3.4 3DIQ shall notify Data Controller promptly upon receipt by 3DIQ of a request from an individual seeking to exercise any of their rights under Applicable Data Protection Laws. Taking into account the nature of the processing, 3DIQ shall, at Data Controller’s expense, assist Data Controller by appropriate technical and organizational measures, for the fulfillment of Data Controller’s obligation to respond to requests by Data Subjects to exercise their rights under Chapter III of the GDPR (including the right to transparency and information, the data subject access right, the right to rectification and erasure, the right to the restriction of processing, the right to data portability and the right to object to processing) and any other Applicable Data Protection Laws. 3DIQ shall carry out a request from Data Controller to amend or correct any of the Customer Personal Data to the extent necessary to allow Data Controller to comply with its responsibilities under Applicable Data Protection Laws. Further, 3DIQ shall carry out a request from Data Controller to block, transfer or delete any of the Customer Personal Data to the extent necessary to allow Data Controller to comply with its responsibilities as a data controller under the ADPL.
3.5 Taking into account the nature of the Processing and/or Sale under the SSA and the information available to 3DIQ, 3DIQ shall, insofar as possible and at Data Controller’s expense, assist Data Controller in carrying out its obligations under Applicable Data Protection Laws, including Articles 32 to 36 of the GDPR, with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. 3DIQ shall promptly notify Data Controller about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data or any accidental or unauthorized access or any other event affecting the integrity, availability or confidentiality of Customer Personal Data, as required by Applicable Data Protection Laws.
3.6 Upon termination of the Processing of Personal Data by 3DIQ and at the choice of Data Controller, 3DIQ shall either (i) delete all Customer Personal Data; or (ii) return all Customer Personal Data to the Data Controller and delete existing copies unless otherwise permitted or required by Applicable Data Protection Laws.
3.7 Data Controller may collect voluntary disclosures from 3DIQ or request 3DIQ to provide an expert opinion that proves compliance with their obligations under this Agreement or Applicable Data Protection Laws. If the voluntary disclosures or the expert opinion are not reasonably sufficient to prove 3DIQ’s compliance with Applicable Data Protection Laws, 3DIQ shall, subject to reasonable advance notice, permit the Data Controller or a third party authorized by the Data Controller and which is not a competitor of 3DIQ to carry out the audits and inspections of the processing of Customer Personal Data by 3DIQ during normal business hours. 3DIQ may require a third party auditor to enter into a confidentiality agreement before permitting it to carry out an audit or inspection. The auditing party shall bear its own costs in relation to such audit. The obligations set forth in this Section 3.7 shall only apply to 3DIQ to the extent required by Applicable Data Protection Laws.
3.8 Data Controller acknowledges and agrees that 3DIQ may, or may appoint an affiliate or third party subcontractor to, Process the Data Controller’s Personal Data in a Third Country, provided that it ensures that such Processing takes place in accordance with the requirements of Applicable Data Protection Laws. Data Controller hereby consents to 3DIQ’s access to EU Data Subject Personal Data from the United States to the extent necessary for 3DIQ to provide the Services.
3.9 The Data Controller acknowledges and agrees that 3DIQ may process the EU Data Subject Personal Data in the United States in accordance with the data importer’s obligations set out in the Model Clauses, which are hereby incorporated into and form part of this DPA. The processing details set out at paragraphs a) to d) of the first page of this DPA shall apply for the purposes of Appendix 1 of the Model Clauses and the terms of the Security Policy apply for the purposes of Appendix 2 of the Model Clauses. Data Controller hereby grants 3DIQ a mandate to execute the Model Clauses, for and on behalf of Data Controller, with any relevant subcontractor (including affiliates) it appoints.
3.10 Data Controller acknowledges and agrees that 3DIQ relies solely on Data Controller for direction as to the extent to which 3DIQ is entitled to access, use, process, and sell Customer Personal Data. Consequently, 3DIQ is not liable for any claim brought by Data Controller or a Data Subject arising from any action or omission by 3DIQ to the extent that such action or omission resulted from Data Controller’s instructions.
4. CCPA-Specific Provisions.
This section is effective January 1, 2020. The Parties acknowledge and agree that some information provided to 3DIQ in connection with the Agreement may constitute Personal Information as defined under the CCPA. 3DIQ will process personal information in accordance with the CCPA where applicable, and solely for the purpose of providing the Services as specified in the SSA to Data Controller. 3DIQ will not otherwise (i) process personal information for purposes other than those set forth in this Agreement or as instructed by Data Controller’s documented written instruction, to the extent feasible or required by Applicable Data Protection Laws; (ii) disclose personal information to third parties other than 3DIQ’s affiliates or subsidiaries, for the aforementioned purposes or as required by law; (iii) sell personal information, as the term “sell” is defined in the CCPA; or (iv) retain, use, or disclose personal information outside of the direct business relationship between 3DIQ and Data Controller. 3DIQ certifies that it understands these restrictions and will comply with them. If 3DIQ must process personal information as otherwise required by applicable law, 3DIQ shall inform Data Controller of that legal requirement before processing personal information, unless that law prohibits such disclosure on important grounds of public interest. Notwithstanding the above, to the extent any personal information becomes “deidentified” or in the “aggregate” as those terms are defined under Applicable Data Protection Laws, 3DIQ may use such information for any commercial purpose in accordance with Applicable Data Protection Laws, including but not limited to developing analytics, and may retain, use and disclose such information for such purpose, without restriction.
5. Data Controller’s Obligations
5.1 Data Controller warrants that it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the Customer Personal Data to 3DIQ and enable the Processing of the Customer Personal Data by 3DIQ as set out in this DPA and as envisaged by the SSA.
5.2 Data Controller agrees that it will indemnify and hold harmless 3DIQ on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by 3DIQ arising directly or indirectly from a breach of this Section 5 or any Applicable Data Protection Laws.
6. Sub-Contracting
Data Controller consents to 3DIQ engaging third party subprocessors to process the Customer Personal Data for the Permitted Purpose. Upon written request from Data Controller, 3DIQ shall provide a current list of its subprocessors. 3DIQ ensures that it has a written agreement in place with all Subcontractors which contains obligations on the Subcontractor which are no less onerous on the relevant Subcontractor than the obligations on 3DIQ under this DPA.
7. Termination
Termination of this DPA shall be governed by the SSA, mutatis mutandis.
8. Law and Jurisdiction
This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the State of Tennessee and each party hereby submits to the jurisdiction of the federal or state courts located in Knoxville, Tennessee.