MasonHub Fulfillment Service Privacy Policy
Last Modified: April 10, 2020
Introduction
We respect the importance of the personal information of our clients and their customers. This Privacy Policy (Privacy Policy) applies to the personal information or personal data (as such terms or similar terms are defined by applicable law, Personal Data) that we collect through or in connection with the operation of the MasonHub fulfillment service for the benefit of our clients (the Service).
We want our clients to understand our Privacy Policy and, specifically, what Personal Data we collect in connection with the Service, how Personal Data is used, with whom Personal Data is shared, and how it is protected. We’re accountable for the protection of your Personal Data under our control and are committed to following this Privacy Policy and complying with applicable law.
In this Privacy Policy, MasonHub, we, us, or our means MasonHub, Inc., based in Rancho Cucamonga, CA, USA and you or your means our clients and their employees or contractors who access or use the Service.
General
Our approach to the protection of Personal Data we collect is based on the following guiding principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
Controller
With respect to the Personal Data you provide us with in connection with your use of the Service (your Personal Data), you are the data controller and we are the data processor/service provider. When you provide us with your Personal Data that is from third parties, you confirm you have their informed consent to share their personal data with us for use in accordance with this Privacy Policy and the attached Data Processing Addendum or other data processing agreement that you and we agree to (the DPA).
If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact us at info@masonhub.co.
Categories of Personal Data
Personal Data includes the following, not all of which we collect:
Identifiers | Such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, MAC address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. We collect some of this type of data. |
Personal information categories listed in the California Client Records statute (Cal. Civ. Code § 1798.80(e)) | Such as a name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Data included in this category may overlap with other categories. We collect some of this type of data. |
“Sensitive Personal Data” under the UK Data Protection Act 2018 | Personal Data consisting of information as to: (a) the racial or ethnic origin of the data subject; (b) their political opinions; (c) their religious beliefs or other beliefs of a similar nature; (d) whether they are a member of a trade union; (e) their physical or mental health or condition; (f) their sexual life; (g) the commission or alleged commission by them of any offence; or (h) any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings. We do not knowingly collect this type of data. |
“Sensitive Personal Data” under the GDPR | Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation. We do not knowingly collect this type of data. |
Protected classification characteristics under California or US federal law | Such as age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). We do not knowingly collect this type of data. |
Commercial information | Such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. We collect some of this type of data. |
Biometric information | Such as genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. We do not knowingly collect this type of data. |
Network and Device Information | Such as session ID token, source and destination addressing information, IP address, MAC address, the software you are using, and related device and network information. We collect some of this type of data. |
Location data | Information about your location (more specifically, the location of the device that is accessing the Service). We collect some of this type of data. |
Sensory data | Audio, visual, thermal, olfactory, or similar information. We do not knowingly collect this type of data. |
Inferences drawn from other Personal Data | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. We do not knowingly collect this type of data. |
User Data is all information and data that is not Personal Data that you access, send, receive, input, or generate when using the Service.
How do we collect Personal Data?
We may collect Personal Data in different ways, including:
• from you when you use the Service
• what you provide to us in connection with setting up an Account
• from communications between you and us
• from public sources
• automatically in connection with your use of the Service, including through cookies (for more about cookies, see below)
Collection of certain information is essential to the operation of the Service and to respond to you, provide support, and troubleshoot issues.
How do we use Personal Data?
• Your Personal Data. We do not sell your Personal Data to third parties. Your Personal Data is only used in connection with the operation of the Service, including to fulfill orders, provide access to the Service, verify your identity, answer questions about your Account and orders, troubleshoot problems, provide support, customize, measure, and improve the Service, inform you about updates and changes to the Service, seek feedback, compare information for accuracy, process payments. If you are a User, we may share your Personal Data with the client that authorizes your access, and we and/or the client may use your Personal Data to personalize or propose Service and/or for internal purposes, such as auditing, usage analysis, research to improve the Service, and for communications.
When you use the Service, you give us your informed consent to collect, use, and share your Personal Data in accordance with this Privacy Policy. Except where we are not required to do so under applicable law, we will notify you and obtain your consent before we collect, use, or share your Personal Data in other ways.
• Contact Information. Contact Information is used to to operate the Service, including to fulfill orders, verify, process, and charge for the Service, and contact you or end-customers regarding orders or the Service. Contact Information will shared with our affiliates, resellers, channel partners, service providers/data processors, and agents as necessary to operate the Service.
• Payment Information. Payment Information, if provided, is used to verify, process and charge for the Service. Payment Information will be shared with our affiliates, service providers/data processors, and agents as necessary to process payment and operate the Service.
• Network and Device Information. Network and Device Information is used and disclosed in connection with the operation of the Service, including to troubleshoot problems, customize, and data analysis, and research to measure and improve the Service.
• Feedback Information. We can use Feedback Information in any manner and for any purpose without any obligation to account for such use or to compensate you for it. We reserve the right to utilize Feedback Information, on an anonymous basis, for marketing purposes, for instance by displaying selected comments on our website, in marketing materials, or in other communications. We will not disclose any personally identifiable feedback information to third parties (other than to the client or third parties who are involved in providing the Service where such feedback relates to those providers) without your consent.
• Passive Information. Passive Information is information that is automatically generated in connection with your use of the Service. We use Passive Information, on an aggregated basis, to provide you with better service or for statistical purposes.
• Location Data. We may use location data to to troubleshoot problems, customize, seek feedback, data analysis, and research to measure and improve the Service, for communications, and for legal compliance purposes.
• De-Personalized Information. We collect information of any type, anonymize that information, and use alone or with similar anonymized information obtained from others (De-Personalized Information). No Personal Data will be included in any De-Personalized Information. We can disclose De-Personalized Information to any third party and use it for any purpose we deem appropriate in our sole discretion.
You agree that we can, subject to applicable law, use your Personal Data to operate the Service (including sharing your Personal Data with our affiliates, resellers, channel partners, service providers/data processors, and agents; conduct analysis and research; prevent fraud or misuse; protect our rights or property or the safety of you or others; and send you communications regarding events you have signed up for, information you have requested, or other requests you have made, or for reasonably relevant things we believe you might find to be of interest (see Marketing below). We may also disclose Personal Data if we believe in good faith that we are required to do so by law, or that doing so is necessary to comply with legal process, respond to requests from law enforcement or governmental agencies, to respond to claims, or to protect our rights.
You agree that we can, subject to applicable law, use your Personal Data (including, as applicable, sharing relevant Personal Data with our affiliates, resellers, channel partners, service providers/data processors, and agents) to operate and improve the Service; respond to your requests and inquiries; provide support; conduct analysis and research; prevent fraud or misuse; protect our rights or property or the safety of you or others; and send you communications regarding events you have signed up for, information you have requested, or other requests you have made, or for reasonably relevant things we believe you might find to be of interest. We may also disclose Personal Data if we believe in good faith that we are required to do so by law, or that doing so is necessary to comply with legal process, respond to requests from law enforcement or governmental agencies, to respond to claims, or to protect our rights.
Your Personal Data is stored and processed in the countries in which we or our affiliates, resellers, channel partners, service providers/data processors, and agents maintain facilities. We reserve the right to transfer and store your Personal Data outside the country in which you operate or your customers reside.
As we continue to develop our business, we might sell or buy subsidiaries or business units. In such transactions, as well as in the event we or part of our business or assets are acquired by a third party, your Personal Data and other information will generally be one of the transferred business assets. We reserve the right to include your Personal Data and other information, collected as assets, in any such transfer to a third party. Additionally, your Personal Data and other information could be disclosed as part of a bankruptcy involving us.
Persons under 18 years of age
The Service is not directed towards persons under 18 years of age and we do not intentionally or knowingly collect Personal Data from persons under 18 years of age. In the event a person under 18 years of age accesses our Service their Personal Data could be collected. We will delete such Personal Data upon being notified.
Analytics
When you use the Service, we may use one or more third-party services to collect standard internet log information and details of visitor behavior patterns. We do this to find out things such as the number of visitors to the various parts of the Service. We do not make, and do not allow the operators of these services, in their capacity as our service provider/data processor, to make, any attempt to find out the identities of those visiting our website through such analytics information.
Marketing
If you requested, or opted-in to receive, marketing or other communications from us, from time-to-time we may send you information about MasonHub news, events, promotions, services, and other information. You may request us to stop contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, please click the unsubscribe link in the email we sent you or send a request to info@masonhub.co asking to be unsubscribed.
Consent for Electronic Communications
We use the contact information you provide us with to communicate with you regarding the Service. By providing this contact information, you consent to receive such communications at such e-mail address, mailing address, and/or telephone number.
What are Cookies and how do we use them?
Cookies are pieces of information that are transferred to your computer or mobile device through a browser. For further information, visit www.allaboutcookies.org. We use cookies to collect and store certain information. We may use both session cookies (which expire when you close your web browser) and persistent cookies (which stay on your device until you delete them).
We use cookies so that we can identify the device being used and to re-establish service (auto-log-in). Cookies also enable us to gain information about your use of the Service and to enhance it to meet your preferences. These cookies persist until you delete them. We do not use web beacons. The Help option on the toolbar of most browsers will tell you how to prevent or limit the browser from accepting cookies, how to have the browser notify you when you receive a cookie, or how to disable cookies altogether.
It is possible that you may be able to access third party websites, online services, or apps from the Service. The use of cookies, web beacons, or similar technologies on such other websites, online services, or apps is subject to any applicable privacy policies that they may have, not this Privacy Policy.
How we treat “Do Not Track” or similar signals?
Some browsers provide you with “do not track” options. Because there is not yet a common understanding of how to interpret the “do not track” signal, we do not currently respond to the browser “do not track” signals when you access our website.
How long is the Personal Data kept?
We retain your Personal Data only for as long as is necessary to fulfill orders; maintain records until they cannot be lawfully challenged, and legal proceedings may no longer be pursued; comply with applicable law, regulatory requests, and relevant orders from government authorities; and fulfill any of the other purposes detailed in this Privacy Policy.
Do we use any service providers/data processors?
Yes, we have service providers/data processors that act on our behalf that process your Personal Data. This would include our cloud providers, AWS and Heroku. These service providers/data processors do not have our permission to extract or use your Personal Data for other purposes.
International processing
We may share your Personal Data with our affiliates, resellers, channel partners, service providers/data processors, and agents who are located, or who process such data, outside of the US. We will take steps to ensure that your Personal Data receives an adequate level of protection in jurisdictions in which it is processed. When we share Personal Data with such third parties, we do so in a manner consistent with our privacy protocols and in compliance with applicable law and the DPA.
Data security
We take commercially reasonable physical, organizational, and technical measures to protect your Personal Data in our possession. We limit access to your Personal Data to those employees, affiliates, resellers, channel partners, service providers/data processors, agents, and other third parties who have a business need to know. They are permitted to only process your Personal Data on our instructions, and they are subject to a duty of confidentiality.
We cannot guarantee the absolute security of our Service and database, nor can we guarantee that any information supplied will not be intercepted while being transmitted over wireless networks or the Internet. We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Legal basis for processing
If you are in the EU or UK, the legal basis we rely on to process your Personal Data is article 6(1)(f) of the GDPR or the UK DPA, as applicable, which allows us to process Personal Data when it is necessary for the purposes of our legitimate interests.
Data rights for EU, EEA, and UK residents:
Your right of access
You have the right to ask us for copies of your Personal Data.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure
You have the right to ask us to erase your Personal Data in certain circumstances. This right enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully, or where we are required to erase your Personal Data to comply with applicable law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request.
Your right to restriction of processing
You have a limited right to ask us to restrict the processing of your information in certain circumstances. This enables you to ask us to suspend the processing of your Personal Data in the following scenarios: (a) where you have contested the accuracy of your data, processing will be restricted until we have determined the accuracy of the data; (b) where you have objected to processing of your data, processing will be restricted until we have determined the outcome of your objection; (c) where our use of the data is unlawful but you want us to restrict processing rather than erasing the data; or (d) where you require data for the purpose of a legal claim, you can request restriction even when we no longer need the data. Where you have obtained restriction of processing of your data, we will inform you before lifting the restriction.
Your right to object to processing
You have the right to object to certain types of processing of your Personal Data.
You have the right to object to processing of your Personal Data where the processing is carried out in connection with tasks: in the public interest; under official authority; or in the legitimate interests of others.
You also have a right to object to processing of your Personal Data where the processing relates to direct marketing. Where we are using your Personal Data for the purpose of marketing something directly to you, or profiling you for direct marketing purposes, you can object at any time, and we will stop processing as soon as we receive your objection.
You may also object to processing of your Personal Data for research purposes, unless the processing is necessary for the performance of a task carried out in the public interest.
To object to processing, you must contact us and state the grounds for your objection. These grounds must relate to your particular situation. Where you have made a valid objection, we will cease processing your Personal Data, unless we can provide compelling legitimate reasons to continue processing your Personal Data. We can also lawfully continue to process your Personal Data if doing so is necessary for certain types of legal claims.
Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organization to another or give it to you. This right only applies where processing of Personal Data (supplied by you) is carried out by automated means, and where you have either consented to processing, or where processing is conducted in connection with a contract between you and us. This right only applies to the extent that it does not affect the rights and freedoms of others.
Your rights in relation to automated decision making
You have the right to not be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you. Automated processing is permitted only with your express consent, when necessary for the performance of a contract, or when authorized by the EU or Member State law.
Withdraw consent at any time when we are relying on consent to process your Personal Data
This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain information, materials, goods, or services to you. We will advise you if this is the case at the time you withdraw your consent.
Processing Personal Data for criminal law enforcement purposes
If we are processing your Personal Data for criminal law enforcement purposes, your rights are slightly different.
Exercising your rights
Contact us at info@masonhub.com if you wish to exercise any or your rights. Be as specific as possible in relation to your request and the specific Personal Data involved. You may be asked to provide evidence of your identity.
We generally have one (1) month to respond to you, but this period may be extended in certain circumstances. You are not required to pay any charge for exercising your rights, but where requests from you are considered ‘manifestly unfounded or excessive’ we may either charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested, or refuse to act on your request.
Data rights for California residents:
The California Consumer Privacy Act (CCPA) provides users who are California residents with specific rights regarding their Personal Data.
If you reside in California, you may exercise the following rights:
- A right to know about the Personal Data we have collected, used, shared, or sold about you, and why we collected, used, shared, or sold it.
- A right to delete your Personal Data collected by us (subject to certain exceptions outlined below).
- A right to receive Personal Data in a format that will allow its transfer to third parties by you.
- A right to opt-out of the sale of Personal Data, where a “sale” under the CCPA means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s Personal Data to another business or a third party for monetary or other valuable consideration.” We do not sell your Personal Data.
- A right to sue for security breaches of Personal Data.
Access to specific information and data portability rights
You have the right to request that we disclose to you your Personal Data we have collected about you over the past twelve (12) months from the date of your request. Once we receive and confirm your request, we will disclose to you, as applicable:
- The categories of Personal Data we collected about you.
- The categories of sources for the Personal Data we collected about you.
- Our business and commercial purposes for collecting that Personal Data.
- The categories of third parties with whom we shared that Personal Data.
- The specific pieces of Personal Data we collected about you.
- If we “sold” or disclosed your Personal Data for a business purpose, up to two separate lists disclosing:
- if we “sold” your Personal Data, identifying the Personal Data categories that each category of recipient “purchased”; and
- if we disclosed your Personal Data for a business purpose, identifying the Personal Data categories that each category of recipient obtained.
- That we have not “sold” any of your Personal Data.
Deletion request rights
You have the right to request that we delete any of Personal Data that we collected from you and retained, subject to certain Exceptions (listed below). Once we receive and confirm your request, we will delete your Personal Data from our records except to the extent an Exception applies.
We may deny a deletion request if retaining the information is necessary for us or our service providers for the following Exceptions:
- to complete the transaction for which we collected the Personal Data, provide information, materials, goods, or services that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise respond to your requests;
- to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- to debug products to identify and repair errors that impair existing intended functionality;
- to exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
- to comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);
- to engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
- to enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
- to comply with a legal obligation; or
- to make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- deny you goods or services;
- charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- provide you a different level or quality of goods or services; or
- suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may still offer you certain financial incentives that can result in different prices, rates, or service quality levels as permitted by the CCPA. We do not currently offer such financial incentives.
Exercising access, data portability, and deletion rights
To exercise your rights described above, please submit a request to us that specifies your request type (disclosure, deletion, etc.) as detailed below. Requests may be sent by either:
- emailing us info@masonhub.com; or
- mailing us at: MasonHub Inc., Attn Privacy, 8595 Milliken Avenue, Suite B102, Rancho Cucamonga, CA 91730, USA.
Only you, or someone legally authorized to act on your behalf, may make a request related to your Personal Data. You may also make a request on behalf of your minor child. We cannot respond to your request or provide you with Personal Data if we cannot verify your identity or authority to make the request and confirm the Personal Data relates to you. You may be required to provide additional information necessary to confirm your identity before we can respond to your request. You may only make a request for access or data portability twice within a twelve (12) month period. The request must:
- provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Data or an authorized representative; and
- describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Making a request does not require you to create an account with us. Also, we will only use Personal Data provided in a request to verify the requestor’s identity or authority to make the request.
Your authorized agent
You have the right to designate an authorized agent to make a request under the CCPA on your behalf.
Response timing and format
We will confirm that we received your request within ten (10) days and will respond within forty-five (45) days of its receipt. If we require more time, we will inform you of the reason and extension period in writing. We will deliver our written response electronically or, at your option, by mail.
Any disclosures we provide will only cover the twelve (12) month period preceding our receipt of the request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Can this Privacy Policy be modified?
We reserve the right to modify this Privacy Policy at any time. Accessing the Service after we have published a modified Privacy Policy constitutes acceptance of such modified policy.
How we notify you of modifications?
We will publish a link to the modified Privacy Policy on the Service’s landing page. The modified Privacy Policy becomes effective upon publishing. If the modifications are material, we will provide more prominent notice as appropriate under the circumstances (for example, for a period following publication the icon or link to the Privacy Policy may be highlighted or include the word such as “modified,” “revised,” “updated,” or similar).
How can we be contacted?
You can contact us by email at info@masonhub.com or by snail mail at: MasonHub, Inc., Attn Privacy, 8595 Milliken Avenue, Suite B102, Rancho Cucamonga, CA 91730, USA.
Last revised: 23 July 2022 © 2022 MasonHub, Inc. All rights reserved.
Data Protection Addendum
Unless a separate data processing or similar agreement has been entered into between MasonHub and a client that is using MasonHub’s fulfillment service (the Service), this Data Protection Addendum (DPA) shall apply to MasonHub’s provision of the Service to client and client’s use of the Service. References herein to Agreement means the Master Services Agreement or other agreement entered into by the parties with respect to data protection in connection with client’s use of the Service. References to party or parties herein are reference to a party or the parties to the Agreement.
1 DEFINITIONS
In this DPA, the following terms shall have the meanings set out below:
CCPA means California Consumer Privacy Act; and the terms Business, Collecting, Consumer, Processing, Selling, Service Provider, Sharing, Third Party, and Unique Identifier shall have the same meaning as in the CCPA or equivalent term in any Data Protection Laws.
Data Protection Laws means all applicable laws and regulations, including but not limited to laws and regulations of the United States and any US states, including the CCPA (US); the United Kingdom (UK); the European Union and the GDPR (EU), the European Economic Area (EEA) and their Member States and Switzerland, applicable to the Collecting, Processing, Selling of Personal Information under the Agreement.
GDPR means EU General Data Protection Regulation 2016/679 and the terms: Commission, Controller, Data Subject, Member State, Personal Data, Processing, Processor, and Supervisory Authority shall have the same meaning as in the GDPR or equivalent term in any Data Protection Laws.
Independent Auditor means an auditor from a mutually agreeable internationally recognized auditing firm.
Personal Information means any “personal data,” “personal information,” or similar term as defined in any Data Protection Laws.
Sub-processor means any third party appointed to Process Personal Information by a Service Provider.
2 APPOINTMENT OF SERVICE PROVIDER
The parties acknowledge and agree that for the purposes of this DPA and the Agreement, where one party serves as a Service Provider with respect to Personal Information, and the other party acts as a Business that has the exclusive authority to determine the purposes and means of Processing of any Personal Information, Service Provider agrees it shall not Sell, Collect, retain, use, disclose, or otherwise Process Personal Information other than for the purposes of performing or utilizing the Service or as authorized in the Agreement. Service Provider certifies that it understands the obligations and restrictions placed on it as a Service Provider under any Data Protection Laws.
3 COLLECTING, PROCESSING, SELLING, OR TRANSFERRING PERSONAL INFORMATION
3.1 Compliance with Data Protection Laws. The parties acknowledge and agree that when Collecting, Selling, or Processing Personal Information they will comply with their respective obligations under Data Protection Laws.
3.2 Instructions for Collecting, Processing, Selling, or transferring Personal Information. The parties shall, in performing their obligations under the Agreement, Collect, Sell, and/or Process Personal Information in accordance with the requirements of Data Protection Laws. Where either party provides Personal Information (Providing Party) to the other party (Receiving Party), Providing Party shall have sole responsibility for the accuracy and quality of Personal Information, obtaining consent, disclose the categories of Third Parties in its privacy policy, and provide explicit notice before a Third Party sells to others or if applicable, an alternative legal basis for Collecting, Processing, or Selling Personal Information and how the Personal Information was acquired. Receiving Party shall only Collect, Process, or Sell such Personal Information in line with the Providing Party’s written instructions and in line with the agreed obligations under the Agreement. Providing Party instructs Receiving Party (and Receiving Party to instruct each Sub-processor) to transfer Providing Party’s Personal Information to any country or territory, as reasonably necessary for the performance of its obligations under and consistent with the Agreement.
4 RIGHTS OF CONSUMERS/DATA SUBJECTS
4.1 Consumer Request. Each party, shall, to the extent legally permitted, promptly notify the other party (and provide reasonable assistance to the other party where required) if such first party receives a request from a Consumer to exercise any right (each, a DSAR) of: access; rectification; restriction; or prohibition of Collecting, Processing, or Selling, erasure/deletion, data portability, or object to the Collecting, Processing, Selling, equal service, or price; or not to be subject to an automated individual decision making regarding Consumer’s Personal information.
4.2 Assistance. Each party shall assist the other party by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of that party’s obligation to respond to a DSAR under Data Protection Laws. If a party, in performing its obligations under the Agreement, does not have the ability to address a DSAR, the other party shall upon request provide commercially reasonable efforts to assist that party in responding to such DSAR, if that party is legally permitted to do so and the response to such DSAR is required under Data Protection Laws. To the extent legally permitted, each party shall be responsible for its own costs arising from the provision of such assistance. Without limiting the foregoing, each party shall promptly respond to any other query received by one party regarding the privacy practices of the other party.
5 PERSONNEL
5.1 Confidentiality. The parties shall ensure that its personnel engaged in the Collecting, Processing, or Selling of Personal Information are informed of the confidential nature of the Personal Information, have received appropriate training on their responsibilities, and have executed written confidentiality agreements.
5.2 Reliability. The parties shall take commercially reasonable steps to ensure the reliability of any personnel engaged in the Collecting, Processing, or Selling of Personal Information.
5.3 Limitation of Access. The parties shall ensure that access to Personal Information is limited to those personnel performing or using Services in accordance with the Agreement.
5.4 Data Protection Officer. To the extent required by Data Protection Laws, the parties have appointed a data protection officer.
6 SUB-PROCESSORS
A Service Provider appointing a Sub-processor will have entered or will enter into a written agreement with each Sub-processor containing data protection obligations substantially similar to those in this DPA with respect to the protection of Personal Information to the extent applicable to the nature of the Services provided by such Sub-processor.
7 SECURITY
7.1 Controls for the Protection of Personal Information. The parties shall maintain appropriate technical and organizational measures designed to protect the security (including protection against unauthorized or unlawful Collecting, Processing, or Selling and against accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or access to, Personal Information), confidentiality, and integrity of Personal Information. The parties shall regularly monitor compliance with these measures.
7.2 Audit. The parties shall reasonably cooperate with each other in relation to any audit requests required by Data Protection Laws. Any such audit shall be subject to the confidentiality obligations set forth in the Agreement. Information and audit rights under this Section 7.2 arise only to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law (including, where applicable, Article 28(3)(h) of the GDPR). The parties shall on request appoint an Independent Auditor, with such access, on reasonable written notice (minimum 30 calendar days) and within normal working hours, to those records pertaining to Personal Information as may be reasonably required by the Providing Party to exercise its rights of audit as set out in this Section 7.2. Providing Party accepts that certain sensitive information in relation to IT and security will be redacted before being audited and may only be audited at the other Party’s premises. With the Receiving Party’s agreement, this audit may cover documents only or may include an onsite audit, subject to Providing Party notifying the Receiving Party of the identity of any onsite Independent Auditors and that any Independent Auditors have entered into appropriate confidentiality agreements, approved by the Receiving Party (such approval not to be unreasonably withheld or delayed). Providing Party shall use reasonable efforts to minimize any disruption caused to the Receiving Party’s business activities because of such audit. No audit shall last more than 5 business days each time unless a longer period is required to fulfil any request or comply with any requirement of any regulator. Audits shall take place no more than once in any rolling 12 month period unless and to the extent that the Providing Party (acting reasonably and in good faith) has reasonable grounds to suspect any material breach of this DPA by the Receiving Party, in which case the parties will agree a timescale for an audit. Costs of the audit, including appointment of the Independent Auditor, will be borne by Providing Party. Receiving Party shall be entitled to reasonable time to review and retain any audit report and to consult the Independent Auditor on the content, prior to the report being submitted to Providing Party. All confidential information of the Receiving Party obtained by Providing Party or an Independent Auditor pursuant to any audit shall be maintained in confidence by Providing Party and its Independent Auditor and may not be disclosed to any third party, including, without limitation, any other agents or representatives of Providing Party, except to the extent necessary to assert or enforce any of Providing Party’s rights under this DPA or is required to be disclosed by Data Protection Laws, by any regulatory or Supervisory Authority or by a court or other authority of competent jurisdiction provided that, to the extent it is legally permitted to do so, it gives Receiving Party as much notice of this disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this section, it takes into account the reasonable requests of Receiving Party in relation to the content of this disclosure. Neither the Independent Auditor or Providing Party shall be permitted to perform penetration tests, vulnerability scans, or otherwise interrogate the other Party’s network or information technology systems. In no circumstances shall Providing Party or the Independent Auditor have access to (a) individual payroll and personnel files; (b) individual expenditure or records.
8 DATA INCIDENT MANAGEMENT AND NOTIFICATION
Each party will maintain security incident management policies and procedures and shall notify the other party without undue delay and in line with the timelines required by Data Protection Laws after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the other Party’s Personal Information, transmitted, stored, or otherwise Processed by them or its Sub-processors which results in any actual loss or misuse of Personal Information (a Data Incident). The responsible party shall make reasonable efforts to identify the cause of such Data Incident and take those steps as the other party deems necessary and reasonable in order to remediate the cause of such a Data Incident to the extent the remediation is within that party’s reasonable control. The parties shall have no liability to each other for costs arising from a Data Incident unless caused solely by a breach of their respective security obligations under this Section 8. If there is a Data Incident, Providing Party shall be responsible for notifying Consumers and any relevant regulatory or Supervisory Authorities. Before any such notification is made, Providing Party shall consult with and provide Receiving Party an opportunity to comment on any notification made in connection with a Data Incident.
9 RETURN AND DELETION OF DATA
Receiving Party shall, at any time on the request of Providing Party and upon expiration or termination of the Agreement, return all Personal information to Providing Party or at Providing Party’s request delete the same from its systems, so far as is reasonably practicable and other than any back-up copies which the Parties are required to retain for compliance with applicable laws, provided that such copies are kept confidential and secure in accordance with this DPA and the Agreement and instruct their relevant employees, contractors, and Sub-processors to do the same.
10 DATA PROTECTION IMPACT ASSESSMENT
Upon Providing Party’s request, Receiving Party shall provide Providing Party with reasonable cooperation and assistance, at Providing Party’s cost, needed to fulfill its obligation under Data Protection Laws to carry out a data protection impact assessment related to Providing Party’s use or performance of the Service, to the extent Providing Party does not otherwise have access to the information, and to the extent such information is available to the other party. Receiving Party shall provide reasonable assistance to Providing Party in the cooperation in the performance of its tasks relating to this Section 10, to the extent required under Data Protection Laws.
11 TRANSFER MECHANISMS FOR DATA TRANSFERS
If there are any transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their Member States, Switzerland, or the United Kingdom to countries that do not ensure an adequate level of data protection within the meaning of Data Protection Laws, then the parties shall execute the Standard Contractual Clauses and append them to the Agreement.