Last updated: 11 April 2023
This Data Processing Agreement (the “Agreement”) forms part of the Terms of Service (the “Principal Agreement”), between AskBeat (the “Vendor”) and the AskBeat User (the “Company”) (together as the “Parties”)
(A) Company acts as a Data Controller.
(B) Company wishes to subcontract certain Services, which imply the processing of personal data, to Vendor.
(C) Vendor acts as a Data Processor.
(D) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(E) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
For more details on GDPR definitions, please click here and refer to Article 4.
The parties agree that this Agreement and the Principal Agreement, constitute the Company’s complete and final documented instructions to Vendor, in relation to the processing of Company Personal Data.
Vendor shall ensure that all persons (including Employees, Agents or Sub-processors) authorized to process Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Vendor shall implement appropriate technical and organizational measures to ensure an appropriate level of security for protecting Company Personal Data from unauthorized access, use or disclosure, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
Company authorizes Vendor to appoint (and permit each Sub-processor appointed to appoint) Sub-processors with respect to providing the Services to Company. Sub-processors are available upon request at firstname.lastname@example.org
Vendor shall give Company prior written notice of any intended changes concerning the addition or replacement of Sub-processors, including full details of the processing to be undertaken by each Sub-processor, thereby giving Company the opportunity to object to such changes.
Company shall notify Vendor, in written and within 5 calendar days of receipt of notice, of the objection and provide reasoning for the objection. In the case of an objection, Vendor shall work with Company in good faith to resolve the disagreement. If the parties do not manage to resolve the disagreement within 10 calendar days of objection receipt, both parties retain the right to terminate the Principal Agreement and the provision (by Vendor) or use (by Company) of the Services.
Where a Vendor engages a Sub-processor for carrying out specific processing activities on behalf of Company, the same data protection obligations as set out in this Agreement between Company and Vendor shall apply for Sub-processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the General Data Protection Regulation.
Vendor shall assist Company, by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Company’s obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
Vendor shall notify Company without undue delay upon Vendor or any Sub-processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
Vendor shall cooperate with Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Vendor shall provide reasonable assistance to Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by Articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, Vendor.
Vendor shall promptly and in any event within 60 days of the date of cessation of the Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Company Personal Data. Vendor may optionally provide written notice to Company before and/or upon Company Personal Data deletion is completed.
Company may in its absolute discretion by written notice to Vendor, and prior to Company Personal Data deletion, require Vendor (a) to return a complete copy of all Company Personal Data to Company and (b) delete and procure the deletion of all other copies of Company Personal Data processed by any Processor.
Notwithstanding the foregoing, Processors may retain Company Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Processors shall ensure the confidentiality of all such Company Personal Data and that such Company Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
Vendor may retain electronic copies of files containing Company Personal Data created by automatic back-up procedures, that may not be immediately deleted. This Company Personal Data, within the back-up, is not further processed by Vendor and it is held on Vendor’s systems until it is permanently deleted within 30 days of back-up creation. The same applies for the cases of ‘shop/redact’ and/or ‘customers/redact’ requests from Shopify, as outlined in Section 6 of this Agreement.
Vendor shall, in accordance with Article 28 of the GDPR, make available to Company all information necessary to demonstrate compliance with the obligations laid down in this Agreement, and shall allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company.
Vendor shall, upon Company’s written notice to Vendor, made at least 30 days in advance, provide Company with all information necessary for such inspection.
Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that: (a) disclosure is required by law; (b) the relevant information is already in the public domain.
Order of precedence. With regard to the subject matter of this Agreement, in the event of inconsistencies between the provisions of this Agreement and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Agreement, the provisions of this Agreement shall prevail.
Amendments. Vendor may modify or supplement this Agreement, by written notice to Company: (i) if required to do so by a Supervisory Authority or other government or regulatory entity; and (ii) if necessary to comply with applicable Data Protection Laws.
Severability. Should any provision of this Agreement be invalid or unenforceable, then the remainder of this Agreement shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Governing law and jurisdiction. This Agreement is governed by the laws of the country stipulated for this purpose in the Principal Agreement. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the choice of jurisdiction stipulated in the Principal Agreement.