Data Processing Agreement
This Omnisend, Inc. Data Processing Agreement (this “DPA”) reflects the parties’ agreement with respect to the terms governing the Processing of Customer Personal Data subject to Data Protection Laws (each, as defined below) in connection with Omnisend’s provision of the Services, and is subject to the terms and conditions set forth in the agreement, by and between Omnisend and Customer, that, by its terms, expressly governs Customer’s use of the Services (collectively, the “Agreement(s)”). Capitalized terms used and not defined herein have the meanings given to them in the Data Protection Laws (as defined below) or the Agreements, as applicable. In the event of a conflict between the DPA and the data processing provisions of the Agreements, the provisions of this DPA shall prevail solely with respect to the Processing of Customer Personal Data.
For the purposes of this DPA, the following definitions apply:
“Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data and privacy that may exist in the relevant jurisdictions, including, where applicable, EU Data Protection Laws and Non-EU Data Protection Laws.
“Customer Personal Data” means any Target Data or Customer Confidential Information other than Target Data that identifies (or can be used to identify) a particular natural person and that is considered “personal data,” “personal information,” or a like characterization under Data Protection Laws.
“Data Subject” means a particular identified or identifiable natural person.
“EEA” means the European Economic Area, or any successor designation thereof.
“EU Data Protection Laws” means all Data Protection Laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iv) in respect of the United Kingdom (the “UK”) any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union.
“Non-EU Data Protection Laws” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”) and Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, ch. 5 (“PIPEDA”) and any provincial legislation deemed substantially similar to PIPEDA pursuant to the procedures set forth therein, and all amendments to the CCPA, PIPEDA and similar legislation, as they may be enacted, from time to time.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Process,” “Processes,” “Processed” and “Processing” means (performing) any operation or set of operations on Customer Personal Data, whether or not by automated means.
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to Processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (Commission Decision 2010/87/EU of 5 February 2010) as set out in Annex A to this DPA.
“Sub-Processor” means any Processor appointed by Omnisend to assist with Omnisend’s Processing of Customer Personal Data.
“Supervisory Authority” means a government agency responsible for enforcement of the Data Protection Laws, with competent jurisdiction over the parties.
2. Details of the Processing
2.1. Categories of Data Subjects. Customer may submit Customer Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may relate to, but is not limited to, the following categories of Data Subjects: Customer’s end users, employees, contractors, customers, prospective customers, suppliers and subcontractors.
2.2. Types of Customer Personal Data. The Customer Personal Data Processed by Omnisend pursuant to the Agreements consists of contact information (company, email, phone, and physical address), navigational data, purchase data, email data, and Services usage data (to the extent such data is considered “personal data,” “personal information,” or a like characterization under the applicable Data Protection Laws).
2.3. Nature and Purpose of the Processing. Customer Personal Data may be Processed by Omnisend in connection with the provision of the Services in accordance with the Agreements, to communicate with Customer, and/or to otherwise fulfil Omnisend’s obligations under the Agreements.
2.4. Duration of the Processing. Customer Personal Data will be Processed for the duration of the term set forth in the Agreements.
3. Customer Responsibilities
3.1. Customer agrees: (i) it will comply with its obligations under the Data Protection Laws in the performance of its obligations under the Agreements and this DPA, including with respect to any Processing instructions it issues to Omnisend; (ii) it will obtain all consents and rights necessary under the Data Protection Laws for Omnisend to Process Customer Personal Data in the manner contemplated by this Agreement; and (iii) it does not sell Customer Personal Data to Omnisend in connection with the Agreements or this DPA. Customer warrants to Omnisend that Customer’s instructions and actions with respect to the Customer Personal Data, including its appointment of Omnisend as a Processor, have been or will be authorized by the relevant Data Subject to the extent required under applicable law.
3.2. Customer warrants it is the sole Controller of Customer Personal Data, or (without limiting Section 3.1(ii) above) has been instructed by and obtained the authorization of the relevant Controller(s) to agree to the Processing of Customer Personal Data by Omnisend as set out in this DPA. If there are other Controllers, Customer will identify to and inform Omnisend of any such other Controllers prior to providing their personal data.
3.3. Omnisend shall process Customer Personal Data only as permitted under the Agreements, upon the express documented instructions of Customer (including as documented in this DPA, the Agreements, or through use of the Services), or in order to comply with applicable law. Customer shall ensure its instructions are lawful and Omnisend’s processing of Customer Personal Data in accordance with such instructions will not cause Omnisend to violate any applicable law, regulation or rule, including the Data Protection Laws.
3.4. From time to time, Customer may provide additional instructions in writing to Omnisend with regard to Processing of Customer Personal Data in accordance with the Data Protection Laws (such instructions, “Additional Instructions”). Any Additional Instructions must relate to Omnisend’s performance of the Services and both parties must agree to it in writing. Subject to such mutual agreement, Omnisend shall comply with such Additional Instructions to the extent necessary for it to: (i) comply with its obligations as Processor of Customer Personal Data under the applicable Data Protection Laws; and (ii) reasonably assist Customer in complying with Customer’s obligations under the applicable Data Protection Laws.
4. Obligations of Processor
4.1. Compliance with Instructions. The parties acknowledge and agree that Omnisend is the Processor of Customer Personal Data. If Omnisend believes an Additional Instruction infringes any of the applicable Data Protection Laws, it shall inform Customer without undue delay and may suspend Customer’s access to and use of the Services until Customer modifies or confirms the lawfulness of such Additional Instruction in writing. If Omnisend cannot process Customer Personal Data in accordance with the instructions due to an applicable legal requirement, Omnisend will: (i) promptly notify Customer of that legal requirement before the relevant Processing to the extent permitted by the Data Protection Laws; and (ii) cease all Processing (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as Customer issues new instructions with which Omnisend is able to comply. If this provision is invoked, Omnisend will not be liable to Customer under the Agreements for any failure to perform the Services until such time as Customer issues new instructions in regard to the Processing of Customer Personal Data.
4.2. Security. Omnisend shall take appropriate technical and organizational measures designed to adequately protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure and/or access. Such measures are designed to:
4.2.1. prevent unauthorized persons from gaining access to Processing systems,
4.2.2. prevent Processing systems from being used without authorization,
4.2.3. ensure persons entitled to use a Processing system gain access only to such Customer Personal Data as they are entitled to access in accordance with their access rights,
4.2.4. ensure Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Customer Personal Data by means of data transmission facilities can be established and verified,
4.2.5. establish an audit trail to document whether and by whom Customer Personal Data has been accessed,
4.2.6. ensure Customer Personal Data is Processed solely in accordance with Customer’s instructions, and/or
4.2.7. ensure Customer Personal Data is protected against accidental destruction or loss.
4.3. Confidentiality. Omnisend shall ensure any personnel whom Omnisend authorizes to process Customer Personal Data are subject to confidentiality obligations with respect to that Customer Personal Data. The undertaking to confidentiality shall continue after the termination of the above-entitled activities. Omnisend will not disclose Customer Personal Data to any third party, unless authorized by Customer, required by law, or otherwise permitted under the Agreements. If a disclosure of Customer Personal Data is required by law, Omnisend will notify Customer prior to such disclosure, unless prohibited by law.
4.4. Personal Data Breaches.
4.4.1. If Omnisend becomes aware of a Personal Data Breach, Omnisend will, without undue delay: (i) notify Customer of the Personal Data Breach; and (ii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach.
4.4.2. In the event of a Personal Data Breach, Omnisend shall provide Customer with all reasonable assistance in dealing with the Personal Data Breach, in particular in relation to making any notification to a supervisory authority or any communication to a Data Subject. In order to provide such assistance, and taking into account the nature of the Services and the information available to Omnisend, the notification of the Personal Data Breach shall include, at a minimum, the following:
(i) A description of the nature of the Personal Data Breach including the categories and approximate number of data records concerned;
(ii) The likely consequences of the Personal Data Breach; and
(iii) The measures taken or to be taken by Omnisend to address the Personal Data Breach, including measures to mitigate any possible adverse consequences.
Where, and insofar as, it is not possible for Omnisend to provide such information at the time of the notice, then such notice shall nevertheless be made, in as complete a form as possible, and the remaining required information may be provided by Omnisend, in phases and as it shall become available, without undue delay.
4.4.3. Customer agrees that:
(i) Any Unsuccessful Data Breach shall not be subject to the obligations imposed on Omnisend under this Section 4. An “Unsuccessful Data Breach” occurs where there has been no unauthorized access to Customer’s Personal Data or to any Omnisend controlled systems used to Process Customer’s Personal Data, which may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful login attempts, denial of service attacks, packet sniffing or similar incidents; and
(ii) Omnisend’s obligation to report or respond to a Personal Data Breach under this Section is not and will not be construed as an acknowledgement by Omnisend of any fault or liability of Omnisend with respect to the Personal Data Breach.
4.5. Deletion or Return of Customer Personal Data. Other than to the extent required to comply with applicable law, following termination or expiration of the Agreements, Omnisend will delete or return all Customer Personal Data (including copies thereof) processed pursuant to this DPA. If Omnisend is unable to delete Customer Personal Data for technical or other reasons, Omnisend will apply measures to ensure such Customer Personal Data is blocked from any further Processing.
4.6. Customer may delete certain Customer Personal Data using built-in functionalities of the Services.
4.7. Data Protection Impact Assessments and Consultation with Supervisory Authorities. To the extent the required information is actually available to Omnisend and Customer does not otherwise have access to such information, Omnisend will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities, which Customer reasonably considers to be required by the Data Protection Laws, in each case solely in relation to Omnisend’s processing of Customer Personal Data.
5. Data Subject Requests
5.1. To the extent Customer does not have the ability to address a Data Subject request, then upon Customer’s written request Omnisend shall provide reasonable assistance to Customer designed to facilitate such Data Subject request to the extent able and only as required by the applicable Data Protection Laws.
5.2. If a request from a Data Subject exercising their Data Subject rights is made directly to Omnisend, Omnisend will, to the extent permitted by applicable law, inform Customer thereof and will advise Data Subjects to submit their request to Customer. Customer shall be solely responsible for responding to any such Data Subject requests.
5.3. If a Data Subject brings a claim directly against Omnisend for a violation of its Data Subject rights, Customer will indemnify Omnisend for any cost, charge, damages, expenses or loss arising from such a claim, to the extent Omnisend has notified Customer about the claim and given Customer the opportunity to cooperate with Omnisend in the defense and settlement of the claim.
6. Security Measures
6.1. Omnisend shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Personal Data from Personal Data Breaches and designed to preserve the security and confidentiality of Customer Data in accordance with Omnisend’s security standards described in Annex B (“Security Measures”).
6.2. Customer acknowledges that the Security Measures are subject to technical progress and development and that Omnisend may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services provided to Customer.
6.3. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Customer Personal Data uploaded to the Services.
7.1. Omnisend will maintain all appropriate records of Processing carried out in respect of Customer Personal Data in accordance with this DPA as well as with the applicable Data Protection Laws (the “Records”). Omnisend shall, in accordance with the Data Protection Laws and in response to a reasonable, lawful written request by Customer, make available to Customer information in Omnisend’s possession or control related to Omnisend’s compliance with the Data Protection Laws in relation to its Processing of Customer Personal Data.
7.2. To the extent required pursuant to GDPR, Customer may, upon 30 days’ prior written request and no more than once per calendar year unless otherwise required by applicable law, during regular business hours, without interrupting Omnisend’s business operations, and subject to Omnisend’s onsite confidentiality and security procedures and policies, conduct an inspection of the relevant portions of the Records for the sole purposes of assessing Customer’s compliance with GDPR and assessing Omnisend’s compliance with its obligations under this DPA. Subject to Processor’s approval, which shall not be unreasonably withheld, the foregoing right may be exercised on Customer’s behalf by a qualified third party auditor. Access by any third party auditor shall be subject to such auditor’s agreement to confidentiality obligations no less restrictive than those set forth in the Agreements with respect to Confidential Information, provided that all such Records and information may be disclosed to Customer.
8.1. Customer acknowledges and agrees that Omnisend may engage Sub-Processors. Customer agrees Omnisend may continue to use those Sub-Processors already engaged by Omnisend as of the date this DPA applies to Customer.
8.2. Omnisend shall maintain an up-to-date list of its Sub-Processors, which is available to Customer upon request. Omnisend shall notify Customer if it adds or removes Sub-Processors at least 10 days prior to any such changes if Customer opts in to receive such notifications by subscribing here. Within such 10-day period, Customer can object to the addition of a proposed Sub-Processor on the basis that such addition would cause Customer to violate applicable legal requirements. Customer’s objection shall be in writing and include Customer’s specific reasons for its objection and options to mitigate, if any. If Customer does not object within such 10-day period, the proposed Sub-Processor may be commissioned to Process Customer Personal Data. If Customer objects to the addition of a Sub-Processor in accordance with this Section 8.2 and Omnisend cannot reasonably accommodate Customer’s objection, Omnisend will notify Customer. Customer may terminate the affected services by providing Omnisend with a written notice within one (1) month of Omnisend’s notice, which termination will not affect Customer’s obligation to pay amounts accrued to Omnisend prior to, and including, the effective termination date.
8.3. Omnisend shall: (i) enter into a written agreement with each Sub-Processor containing data protection obligations that provide at least the same level of protection for Customer Personal Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-Processor; and (ii) remain responsible for such Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Omnisend to breach any of its obligations under this DPA.
9. Data Transfers
9.1. Where the performance of the Services involves a transfer of Customer Personal Data outside the EEA, Omnisend will take such steps as may be required to ensure there is adequate protection for such Customer Personal Data in accordance with the applicable Data Protection Laws, which may include entering into the Standard Contractual Clauses. The Standard Contractual Clauses will apply to Customer Personal Data that is transferred outside the EEA, either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR). The Standard Contractual Clauses will not apply to Customer Personal Data that is not transferred, either directly or via onward transfer, outside the EEA. By agreeing to this DPA, Customer is entering into the Standard Contractual Clauses with Omnisend. In addition, by agreeing to this DPA, Customer is entering into the Standard Contractual Clauses with Omnisend’s Sub-Processors established outside either the EEA or countries considered by the European Commission to have adequate protection.
9.2. If Customer notifies Omnisend in writing about another Controller and Omnisend does not object within thirty (30) days after Customer’s notification, Customer agrees on behalf of such other Controller(s), or if unable to agree, will procure agreement of such Controller(s), to be additional data exporter(s) of the Standard Contractual Clauses concluded between Omnisend and Customer. Customer agrees and, if applicable, procures the agreement of other Controllers that the Standard Contractual Clauses, including any claims arising from them, are subject to the terms set forth in the Agreements, including the exclusions and limitations of liability.
9.3. To the extent Customer and Omnisend are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently revoked, or held in a court of competent jurisdiction to be invalid, Customer and Omnisend agree to cooperate in good faith to pursue a suitable alternate mechanism that can lawfully support the transfer.
10. General Provisions
10.1. Where individual provisions of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
10.2. Customer will make a written request for any assistance referred to in this DPA. Omnisend will charge Customer no more than a reasonable charge to perform such assistance or Additional Instructions, such charge to be set forth in a quote and agreed in writing by the parties.
Annex A – “Standard Contractual Clauses”. This annex is made available herein, as amended (by law) from time to time.
Annex B – “Security Measures”. This annex is available, as amended from time to time, upon request.
Annex C – “Jurisdiction-Specific Terms”. To the extent Omnisend Processes Customer Personal Data originating from and protected by the Data Protection Laws in one of the jurisdictions listed in Annex C, which may be updated from time to time, then the terms specified in Annex C with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to the data in question.
Annex A – Standard Contractual Clauses
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation:
Customer (as defined in the Agreements)
(the data exporter)
Omnisend (as defined in the Agreements)
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
- The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
- The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
- The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
- The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is Customer (as defined in the Agreements).
The data importer is Omnisend (as defined in the Agreements).
The personal data transferred concern the categories of data subjects listed in Section 2 to the DPA.
Categories of data
The personal data transferred concern the categories of data listed in Section 2 to the DPA.
Special categories of data (if appropriate)
The personal data transferred concern the special categories of data (if any) listed in Section 2 to the DPA.
The personal data transferred will be subject to the basic processing activities listed in Section 2 to the DPA.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
The technical and organisational security measures implemented by the data importer are described in Annex B of this DPA.
Annex B – Security Measures
Annex C – Jurisdiction-Specific Terms
* * *
State of California (US)
1.1. As it relates to the DPA, each of the following defined terms shall be further interpreted to include certain terms as they are defined under the CCPA:
(i) “Controller” shall include “Business”;
(ii) “Processor” shall include “Service Provider”;
(iii) “Data Subject” shall include “Consumer”; and
(iv) “Personal Data” shall include “Personal Information”.
2. Data Processing
2.1. Omnisend shall provide the Services and process Customer Personal Data in accordance with the Agreements. Omnisend certifies that it shall not Process, retain, use, or disclose a Consumer’s Personal Information for any purpose other than for the specific purpose of performing the Services specified in the Agreements.
2.2. Omnisend is expressly prohibited from: (i) selling the Personal Information; (ii) retaining, using, or disclosing the Personal Information for any purpose other than for the specific purpose of performing the Services or as otherwise permitted by the CCPA, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the Services; and (iii) retaining, using, or disclosing the Personal Information outside of the direct business relationship between Omnisend and Customer.
2.3. Notwithstanding the restrictions contained in Section 2.2, Customer agrees that Omnisend may engage other Service Providers to assist in providing the Services to the Customer. If Customer authorizes any subcontractor, service provider, or third party to process Personal Information made available by Customer, Omnisend shall enter into contractual provisions so that such subcontractor, service provider, or third party is a “Service Provider” (as defined under the CCPA) and not a third party (as defined under the CCPA).
2.4. Omnisend hereby certifies that it understands and is willing to abide by the restrictions in CCPA § 1798.140(w)(2)(A).
2.5. Omnisend shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect any Personal Information from unauthorized access, destruction, use, modification, or disclosure.
3. Consumer Rights
3.1. Omnisend shall provide all reasonable assistance to Customer in facilitating compliance with Consumer rights requests.
3.2. If Omnisend, directly or indirectly, receives a request submitted by a Consumer to exercise a right it has under the CCPA in relation to that Consumer’s Customer Personal Data, it will promptly provide a copy of the request to Customer.
3.3. Upon duly received direction by Customer, and within a commercially reasonable amount of time, Omnisend shall delete the Personal Information.
3.4. Omnisend shall not be required to delete any of the Personal Information to comply with a Consumer’s request directed by Customer if it is necessary to maintain such information in accordance with CCPA § 1798.105(d), in which case Omnisend shall promptly inform Customer of the exceptions relied upon under CCPA § 1798.105(d) and Omnisend shall not use the Personal Information retained for any other purpose than provided for by that exception.
4. Changes in the Law
4.1. If any variation is required to this Annex as a result of a change in the CCPA, then either party may provide written notice to the other party of that change, and the same will be considered effective upon the legally effective date of such change to the CCPA. The parties will discuss and negotiate, in good faith, any necessary variations to this Annex to address such changes.
5.1. Should any provision of this Annex be invalid or unenforceable, then the remainder of this Annex shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, (ii) if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
* * *
1. Third Parties
1.1. Omnisend takes steps to ensure that Omnisend’s Sub-Processors, as described in Section 8 of the DPA, are third parties under PIPEDA, with whom Omnisend has entered into a written contract that includes terms substantially similar to this DPA. Omnisend conducts appropriate due diligence on its Sub-Processors.
2.1. Omnisend will implement technical and organizational measures as set forth in Section 6 of the DPA.
[End of Annex]
This document constitutes the Security Measures annex (the “Security Annex”) of the Omnisend Data Processing Agreement (the “DPA”). The Security Annex is stated at a relatively high level and Customer recognizes that the Security Annex may be revised by Omnisend from time to time. All terms used and not otherwise defined herein shall have the meanings ascribed to them in the DPA.
HUMAN RESOURCES SECURITY
Omnisend has implemented and maintains appropriate measures to ensure that authorized employees involved in the processing of Customer Personal Data are authorized with a need to access the data, are bound by appropriate confidentiality obligations and have undergone appropriate training in the protection and handling of Customer Personal Data. Omnisend employees operate primarily “in the cloud” and treat local storage on computing devices as ephemeral.
Omnisend ensures that access to Customer Personal Data is revoked immediately upon termination or when access is no longer required for personnel involved in the processing of Customer Personal Data.
Policies and procedures, and supporting business processes, are in place for maintaining a safe and secure working environment in Omnisend’s offices and controlling physical access, including access provisioning.
The Services rely on the Google Cloud Platform, which is responsible for implementing controls for physical security of data center facilities, backup media, and other physical systems, providing comprehensive and state-of-the-art security capabilities (available at https://cloud.google.com/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf).
Omnisend has implemented and maintains access control processes and mechanisms to prevent unauthorized access to Customer Personal Data and to limit access only to authorized employees with a business need to know.
Upon termination of personnel, whether voluntary or involuntary, the security team will follow Omnisend’s personnel exit procedure, which includes revocation of the associated user account and reclamation of company-owned devices, office keys or access cards, and all other corporate equipment and property prior to the final day of employment.
EVENT LOGGING AND MONITORING
Log files and audit trails will be maintained (for as long as required under applicable law) and regularly reviewed to detect and respond to events concerning activities on the Services.
The Services rely on the Google Cloud Platform, which is responsible for implementing data center network security, providing comprehensive and state-of-the-art security capabilities (available at https://cloud.google.com/security/infrastructure/design/resources/google_infrastructure_whitepaper_fa.pdf).
Omnisend ensures that firewalls, network routers, switches, load balancers, domain name servers, mail servers, and other network components of the network infrastructures under its control and management responsibility are configured and secured in accordance with commercially reasonable industry standards.
Omnisend has implemented and maintains remote access policies and procedures that meet or exceed industry standards for Omnisend personnel who require remote access to a network or system that protects, processes or stores Customer Personal Data.
PROTECTION FROM DATA LOSS, CORRUPTION
All databases are kept separate and dedicated to prevent corruption and overlap. Omnisend has implemented logic that segregates user accounts from each other.
Omnisend relies on the Google Cloud Platform for data destruction and can only perform logical deletion. Deleted Customer Personal Data is rendered unreadable or disabled by the Google Cloud Platform and the underlying storage areas on the Google Cloud Platform network that were used to store the content are wiped, prior to being reclaimed and overwritten, in accordance with the Google Cloud Platform standard policies and deletion timelines available at: https://cloud.google.com/security/deletion.
BUSINESS CONTINUITY AND DISASTER RECOVERY
Omnisend services hosted in the Google Cloud Platform shall be configured in such a manner so as to withstand long-term outages to a Google Cloud Platform Availability Zone. Controls such as automated replication may be used to achieve this desired level of availability.
[End of Annex B]