Data Protection Addendum
This Data Protection Addendum (the “Addendum”) is entered into by and between CatchID Company (“CatchID”) and You (“Client”) (collectively the “Parties”).
The Parties agree that the terms and conditions set out below are added as an Addendum to the current Terms of Service.
This Addendum, including its attachments, shall take effect on the Addendum Effective Date (as defined below).
The following terms have the meanings set out below for this Addendum:
- 1.1 “Addendum Effective Date” means, as applicable, (a) 25 May 2018, if the parties agreed to this Addendum prior to or on such date; or (b) the date on which the parties agreed to this Addendum.
- 1.2 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
- 1.3 “Client Personal Data” means any Personal Data that CatchID processes on behalf of Client as a Processor in the course of providing the Services.
- 1.4 “Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
- 1.5 "GDPR" means EU General Data Protection Regulation 2016/679.
- 1.6 "Services" means the services to be supplied by CatchID to Client or Client Affiliates pursuant to the Terms.
- 1.7 The terms "Controller", "Processing", "Processor", "Personal Data", "Personal Data Breach", "Data Subject" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Scope of this Addendum.
This Addendum applies where and only to the extent that:
- 2.1 CatchID processes Personal Data on behalf of Client in the course of providing the Services to the Client pursuant to the Agreement.
- 2.2 The Agreement between CatchID and the Client expressly incorporates this Addendum by reference.
3. Roles of the Parties.
The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, and as more fully described in Attachment 1, Client acts as a Controller, and CatchID acts as a Processor.
The Parties expressly agree that Client shall be solely responsible for ensuring timely communications to Client’s Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable Client’s Affiliates or the relevant Controller(s) to comply with such Laws.
4. Description of Personal Data Processing.
- 4.1 Client Processing of Client Personal Data. Client agrees that: (i) it will comply with its obligations as Controller under Data Protection Laws in respect of its processing of Client Personal Data and any processing instructions it issues to CatchID; and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Data Protection Laws for CatchID to process Client Personal Data and provide the Services pursuant to the Agreement and this Addendum.
- 4.2 CatchID Processing of Client Personal Data. CatchID will process Client Personal Data only for the purposes described in the Addendum and only in accordance with Client’s documented lawful instructions. The parties agree that this Addendum and the Agreement set out the Client’s complete and final instructions to CatchID in relation to the processing of Client Personal Data and processing outside the scope of these instructions (if any) will require prior written agreement between Client and CatchID.
5. Data Processing Terms.
- 5.1 Client’s Instructions. By entering into this Addendum, Client shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum and instructs CatchID to process Client Personal Data only in accordance with applicable law: (i) to provide the Services; (ii) as authorized by the Agreement, including this Addendum; and (iii) as further documented in any other written instructions given by Client and acknowledged in writing by CatchID as constituting instructions for purposes of this Addendum.
- 5.2 CatchID’s Compliance with Instructions. CatchID shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data and CatchID will:
- 5.2.1 process Client Personal Data in accordance with Client’s instructions described in Section 5.1 (including with regard to data transfers) unless European Data Protection Legislation to which CatchID is subject requires other processing of Client Personal Data by CatchID, in which case CatchID will notify Client (unless that law prohibits CatchID from doing so on important grounds of public interest).
- 5.2.2 ensure that individuals authorized to process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- 5.2.3 cease Processing the Client Personal Data upon the termination or expiry of the Terms of Service, and at the option of Client, Client’s Affiliates or the relevant Controller(s) either return or delete (including by ensuring such data is in non-readable format) all copies of the Client Personal Data. Notwithstanding the foregoing or anything to the contrary contained herein, CatchID may retain Personal Data and shall have no obligation to return Personal Data to the extent required by applicable laws or regulations obligations. Any such Personal Data retained shall remain subject to the obligations of confidentiality set forth in the Terms of Service;
- 5.2.4 upon CatchID becoming aware of a Personal Data Breach involving Client Personal Data, notify Client without undue delay, of any Personal Data Breach involving Client Personal Data, such notice to include all information reasonably required by Client (or the relevant Controller) to comply with its obligations under the applicable Data Protection Laws;
- 5.2.5 implement and maintain the technical and organizational measures set out in the Terms and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Client Personal Data in accordance with the GDPR.
6. Data Subject Rights.
- 6.1 Client’s Responsibility for Requests. During the Term, if CatchID receives any request from a data subject in relation to Client Personal Data, CatchID will advise the data subject to submit their request to Client and Client will be responsible for responding to any such request.
- 6.2 CatchID’s Data Subject Request Assistance. CatchID will (taking into account the nature of the processing of Client Personal Data) provide Client with self-service functionality through the Services or other reasonable assistance as necessary for Client to fulfill its obligation under European Data Protection Legislation to respond to requests by data subjects, including if applicable, Client’s obligation to respond to requests for exercising the data subject’s rights set out in the GDPR. Client shall reimburse CatchID for any such assistance beyond providing self-service features included as part of the Services at CatchID’s then-current professional services rates, which shall be made available to Client upon request.
7. Data Transfers.
- 7.1 Processing Locations. CatchID may transfer and process Client Personal Data anywhere in the world where CatchID, its Affiliates or its Sub-processors maintain data processing operations. CatchID will at all times provide an adequate level of protection for the Client Personal Data processed, in accordance with the requirements of Data Protection Laws.
- 7.2 Privacy Shield. To the extent that CatchID processes any Client Personal Data protected by Data Protection Law in a country that has not been designated by the GDPR as providing an adequate level of protection for Personal Data, the parties acknowledge that CatchID will be deemed to provide adequate protection (within the meaning of Data Protection Law) for any such Client Personal Data by virtue of having self-certified its compliance with Privacy Shield. CatchID agrees to protect such Personal Data in accordance with the requirements of the Privacy Shield Principles. If CatchID is unable to comply with this requirement, CatchID will inform Client.
To the extent permissible by law, Client shall indemnify and hold harmless CatchID against all (i) losses, (ii) third party claims, (iii) administrative fines and (iv) costs and expenses (including, without limitation, reasonable legal, investigatory and consultancy fees and expenses) reasonably incurred in relation to (i), (ii) or (iii), suffered by CatchID and that arise from any breach by Client of this Addendum or of its obligations under applicable Data Protection Laws.
The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.
Description and Details of the Data Processing
This attachment includes certain details of the Processing of Client Personal Data as required by Article 28(3) of the GDPR.
Subject matter of the Processing of the Client Personal Data:
CatchID provision of the Services to Client.
Nature and purpose of the Processing of the Personal Data:
CatchID will process Client Personal Data for the purposes of providing the Services to Client in accordance with the Addendum.
Categories of Data Subject to whom the Client Personal Data relates:
- Client current and prospective customers, vendors and business partners
- Client employees who use the Services
The types of Client Personal Data to be processed:
User Name, Related URL, User ID, Email, Phone.
The obligations and rights of Client:
The obligations and rights of Client are set out in the Terms and this Addendum.
The data exporter is: Client that uses the Services.
The data importer is: CatchID Company that provides services to Client, which requires receiving the Client’s query data.
The personal data transferred will be subject to the following basic processing activities: The provision of the Services to Client. In order to provide people data, CatchID receives identifying Personal Data to permit CatchID to query, cleanse, standardize, enrich, (when required) send to additional data to feed providers, and to store the query information.