Virtual Marketing Services (Gibraltar) Limited or its Affiliate (“Company”) and the legal entity (“Marketing Partner”) that entered into an agreement with the Company for the provision of the services (“Services”) described in the principal agreement entered into between the parties (as amended from time to time, the “Agreement”), are agreeing to these Data Protection Terms (“DPA”). This DPA is entered into by Company and Marketing Partner and supplements the Agreement, and shall be effective, and replace any previously applicable terms relating to their subject matter, during the duration of the Agreement.
If you are accepting this DPA on behalf of Marketing Partner, you warrant that: (a) you have full legal authority to bind Marketing Partner to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Marketing Partner, to this DPA. If you do not have the legal authority to bind Marketing Partner, please do not accept this DPA.
- 1.1 This DPA reflect the parties’ agreement on the processing of Personal Data in connection with the Data Protection Laws.
- 1.2 Any ambiguity in this DPA shall be resolved to permit the parties to comply with all Data Protection Laws.
- 1.3 In the event and to the extent that the Data Protection Laws impose stricter obligations on the parties than under this DPA, the Data Protection Laws shall prevail
2 DEFINITIONS AND INTERPRETATION
- 2.1 In this DPA:
- 2.1.1 “Affiliate” means any person or entity directly or indirectly controlling, controlled by, or under common control with the Company. For the purpose of this definition, "control" (including, with correlative meanings, the terms "controlling", "controlled by" and "under common control with") means the power to manage or direct the affairs of the person or entity in question, whether by ownership of voting securities, by contract or otherwise.
- (i) “Data Protection Laws” means, as applicable, any and/or all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state or deferral or national level, pertaining to data privacy, data security and/or the protection of Personal Data, including the Data Protection Directive 95/46/EC and the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), including any amendments or replacements to them, including the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).
- (ii) “Standard Contractual Clauses” mean the standard contractual clauses for the transfer of personal data to data controllers established in third countries adopted by the European Commission Decision 2004/915: Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries.
- (iii) The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “personal data breach” as used in this have the meanings given in the GDPR.
- (iv) Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
3 APPLICATION OF THIS DPA
- 3.1 This DPA will only apply to the extent all of the following conditions are met:
- 3.1.1 Marketing Partner processes Personal Data that is made available by the Company in connection with the Agreement;
- 3.1.2 The Data Protection Laws applies to the processing of Personal Data.
- 3.2 This DPA will only apply to the Services for which the parties agreed to in the Agreement, which incorporates the DPA by reference.
4 ROLES AND RESTRICTIONS ON PROCESSING
- 4.1 Independent Controllers. Each party:
- (i) is an independent controller of personal data under the Data Protection Laws;
- (ii) will individually determine the purposes and means of its processing of Personal Data; and
- (iii) will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data.
- 4.2 Sharing of Personal Data. In performing its obligations under the Agreement, a party may provide Personal Data to the other party. Each party shall process Personal Data only for (i) the purposes set forth in the Agreement or as (ii) otherwise agreed to in writing by the parties, provided such processing strictly complies with (iii) Data Protection Laws, (ii) its obligations under this Agreement (the “Permitted Purposes”). Each Party shall not knowingly share any personal data with the other Party that contains personal data relating to minors under 18 years.
- 4.4 Data Subject Rights. It is agreed that where either party receives a request from a data subject in respect of Personal Data controlled by such Party, then such Party shall be responsible to exercise the request, in accordance with Data Protection Laws.
5 PERSONAL DATA TRANSFERS
- 4.5 Transfers of Personal Data Out of the European Economic Area. Either party may transfer Personal Data outside the European Economic Area if it complies with the provisions on the transfer of personal data to third countries in the Data Protection Laws (such as through the use model clauses or transfer of Personal Data to jurisdictions as may be approved as having adequate legal protections for data by the European Commission).
- 4.6 Subcontracting. Where either Party subcontracts the processing activities of Personal Data contemplated herein to a third party, it shall ensure that the such third party enters into written contractual obligations which are (in the case of a third party controller) no less onerous than those imposed by this DPA or (in the case of a third party processor) compliant with Article 28 of the GDPR. Each Party shall be liable for the acts or omissions of its subcontractors to the same extent it is liable for its own actions or omissions under this DPA.
- 5.1 Standard Contractual Clauses. To the extent that Marketing Partner processes Personal Data outside the EEA and an Approved Jurisdiction, then the Parties shall be deemed to enter into the Standard Contractual Clauses, in which event: (i) the Standard Contractual Clauses are incorporated herein by reference, together with Appendix 1; and (ii) the Company shall be deemed as the data exporter and the Marketing Partner shall be deemed as the data importer (as these terms are defined therein).
6 PROTECTION OF PERSONAL DATA
- 6.1 The parties will provide a level of protection for Personal Data that is at least equivalent to that required under Data Protection Laws. Both parties shall implement appropriate technical and organizational measures to protect the Personal Data.
7 MUTUAL ASSISTANCE
- 7.1 Each Party shall:
- 7.1.1 appoint at least one representative as point of contact and responsible manager for all issues arising out of the Data Protection Laws (a "Designated Representative"); the Designated Representative(s) of both Parties will work together in good faith to reach an agreement with regards to any issues arising from time to time in relation to the processing of personal data in connection with the Agreement and this DPA;
- 7.1.2 use reasonable measures to consult with the other Party about any notices given to data subjects in relation to the processing of Personal Data under the Agreement;
- 7.1.3 inform the other Party (without undue delay) in the event that it receives a data subject request related solely and exclusively to the other Party's respective processing activities and provide all reasonable assistance to ensure data subject request are completed within the timeframe set out in Data Protection Laws;
- 7.1.4 provide the other Party with reasonable assistance (having regard to the data available to it) to enable the other Party to comply with any data subject request received by the other Party and to respond to any other queries or complaints from data subjects;
- 7.1.5 provide the other Party with such assistance as the other Party may reasonably request from time to time to enable the other Party to comply with its obligations under the Data Protection Laws including (without limitation) in respect of security, breach notifications, impact assessments and consultations with supervisory authorities or other regulators;
- 7.1.6 provide the other Party with such information as it may reasonably request in order to: (a) monitor the technical and organizational measures being taken to ensure compliance with the Data Protection Laws, or (b) satisfy any legal or regulatory requirements, including information reporting, disclosure and other related obligations to any regulatory authority from time to time;
- 7.1.7 in the event of an actual or potential personal data breach which does or is reasonably likely to affect the respective processing activities of both Parties, notify the other party without undue delay, and liaise with the other Party in good faith to consider what action is required in order to mitigate or remedy the effects of the personal data breach in accordance with the Data Protection Laws, and provide such reasonable assistance as is necessary to the other Party to facilitate the handling of such personal data breach in an expeditious and compliant manner.
8 DIRECT MARKETING
- 8.1 To the extent that Marketing Partner collects or process personal data for the purpose of carrying out direct marketing activities (including, without limitation, email campaigns or test-message campaigns; collectively “Direct Marketing”), which promote services or products offered by the Company and/or Marketing Partner and/or other third parties ("Communications"), then Marketing Partner shall:
- 8.1.1 Comply with any and all Data Protection Laws that apply to such activity, including without limitation the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the e-Privacy Directive;
- 8.1.2 Ensure that is has provided the data subjects with any notice necessary as required under Data Protection Laws, prior to delivering any Communications;
- 8.1.3 Ensure that is has obtained and sufficiently recorded the data subjects’ affirmative consent (including recording of the user ID, timestamp, relevant domain and source, and other relevant data as necessary) prior to delivering any Communications;
- 8.1.4 Upon Company’s request, provide the Company with any and all records relating the data subjects’ affirmative consent and notices provided to the data subjects;
- 8.1.5 Ensure that any and all Communications include a clear and conspicuous notice of the opportunity to opt-out of receiving future Communications, in an easy manner;
- 8.1.6 Record and comply with any request to opt-out or unsubscribe from receiving Communications, as soon as technically feasible, and in any event within no later than twenty four (24) hours as of the receipt of such request;
- 8.1.7 Ensure that the recipient of a Communications shall not be required to pay a fee or provide any other information for the purpose of opting-out of receiving Communications;
- 8.1.8 Ensure that Communications are not delivered to any data subject that were indicated, either by the Company or otherwise, to be excluded from the receipt of Communications, as directed by the Company, from time to time.
- 9.1 Effect of this DPA. If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement then, the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
10 RESOLUTION OF DISPUTES WITH DATA SUBJECTS OR SUPERVISORY AUTHORITIES
- 10.1 If either Party is the subject of a claim by a data subject or a supervisory authority or receives a notice or complaint from a supervisory authority relating to its respective processing activities (a "DP Claim"), it shall promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim.
- 10.2 Where the DP Claim concerns the respective processing activities of one Party only, then that Party shall assume sole responsibility for disputing or settling the DP Claim.
- 10.3 Where the DP Claim concerns the respective processing activities of both Parties, then the Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.
11 CHANGES TO THIS DPA
- 11.1 Company may change this DPA if the change is required to comply with Data Protection Laws, a court order or guidance issued by a governmental regulator or agency, provided that such change does not: (i) seek to alter the categorization of the parties as independent controllers of Personal Data under the Data Protection Laws; (ii) expand the scope of, or remove any restrictions on, either party’s rights to use or otherwise process Personal Data; or (iii) have a material adverse impact on Marketing Partner, as reasonably determined by Company.
- 11.2 Notification of Changes. If Company intends to change this DPA under this section, and such change will have a material adverse impact on Marketing Partner, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Marketing Partner at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect.
- 11.3 If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective processing activities.