Data Processing Agreement

Effective as of June 11, 2021

This Data Processing Agreement (the "DPA") is made and entered into on March 15, 2021 between Privacy Request, Inc. (“Privacy Request”) and company (“Company”).

1. Definitions

“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Data Protection Laws" means, as applicable, (i) the California Consumer Protection Act of 2018 (“CCPA”), (ii) the Personal Information Protection and Electronic Documents Act (“PIPEDA”), (iii) the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), and (iv) such other applicable data protection laws, rules, or regulations, as may come into effect during the Term, each as amended, modified, and/or supplemented by the guidance or regulatory decisions of the relevant data protection or supervisory authority. 

“Company Data” means all data or information including any Personal Information, Personal Data and Sensitive Personal Data, in whatever form or medium which is (i) supplied directly or indirectly by Company, or (ii) in respect of which access is granted to Company’s Systems by Company or provided to Privacy Request in connection with this Agreement, or (iii) produced or generated by or on behalf of Company in connection with this Agreement.  

“Systems” means all electronic software, devices, means of electronic communication, electronic, analog, and/or physical hard-copy storage used in, or monitored as part of, and/or otherwise involved in providing, the Services, and all devices and applications on which any personal data or Company Data is Processed including third party systems or networks where the parties have shared access to personal data.

Terms such as Personal Information, Personal Data, Sensitive Personal Data, Controller, Privacy Request, Supervisory Authority, processing, data subject, technical and organizational measures shall have the meanings ascribed to them in the Data Protection Laws.

2. Roles Of The Parties

For the purpose of this DPA and Data Protection Law, Privacy Request shall be deemed a Processor and Service Provider, as defined under applicable law. Company shall be deemed the Controller and Business hereunder. 

3. Privacy Request Obligations

Privacy Request shall:

a. process the Company Data only as necessary to perform the Services, to comply with its legal obligations, and/or as directly instructed by Company in writing; 

b. ensure it complies with any obligations of a data processor and service provider under the Data Protection Laws in respect of this processing and otherwise perform the Services as a data processor and service provider in accordance with the Data Protection Laws; and

c. include all appropriate privacy notices including a privacy policy to ensure data subjects are made aware of the nature and purpose of the processing, how to assert their data protection rights under the Data Protection Laws, appropriate cookie policy and cookie banners, and how to contact the Privacy Request regarding the processing of personal data.

4. Audit

In addition to any right of audit that the Company may have under the Agreement, the Company, its designated representatives and any relevant supervisory authority (with the power to carry out an audit of the Privacy Request's processing activities) shall, upon reasonable notice to Privacy Request, have the right, one (1) time in any twelve (12) month period, to have access to Privacy Request personnel and premises to conduct an audit of Privacy Request’s Systems and operations, in order to verify that Privacy Request is operating in accordance with its obligations under this Agreement. 

5. Cooperation

Privacy Request shall provide the Company with such assistance and co-operation as the Company may reasonably request to enable the Company to comply with any obligations imposed on the Company by the Data Protection Laws in relation to Company Data processed by Privacy Request, including, but not limited to providing information, upon request of the Company, regarding its compliance with this DPA and Data Protection Laws. 

6. Back-Up and Retention

Privacy Request shall maintain appropriate backup and retention policies as required by applicable Data Protection Laws and other applicable law in order to provide support for any audits, legal requirements, and/or customer complaints. Such backup and retention policies shall be designed in accordance with data and storage minimization principles and Privacy Request shall ensure that backups are secured and protected using appropriate technical and organizational measures.

7. Subprocessors

Privacy Request may employ subprocessors in order to provide the Services. Privacy Request shall upon request provide to Company a list of all subprocessors who have access to Company Data, and Privacy Request shall enter into a processing agreement with subprocessor which contains substantially terms and conditions as set forth in this DPA, including sufficient guarantees that it will implement appropriate technical and organizational measures to comply with Data Protection Laws.  In addition, any subprocessor must comply with the same or substantially similar confidentiality requirements set out in the Agreement.  Privacy Request will remain liable for any subprocessor’s compliance with its obligations for processing the Company Data.

8. Data Subject Rights

a. With respect to Personal Data for which Company shall be the primary point of contact as the controller and Privacy Request shall act as a processor to assist Company in processing such requests. 

b. Where Privacy Request may act as a controller over Personal Data collected from Company’s personnel, Privacy Request shall be the primary point of contact and shall act in all ways as a controller. 

c. The parties shall communicate any rectification or erasure of personal data requested by data subjects to each other in order to maintain the Personal Information in accordance with the Data Protection Laws.

d. Privacy Request shall maintain a log or similar record of each data rights request and shall provide such log to Company upon request.

9. Liability

a. Privacy Request shall be liable for damages or liability that directly relates to Privacy Request’s breach of the Data Protection Laws for damage caused to data subjects as determined by a Supervisory Authority (or similar regulatory authority) or court of competent jurisdiction resulting in an award of damages to the data subject or fines except where Company has directed Privacy Request to take action (or not to take action) in contradiction of Data Protection Law. 

b. Privacy Request shall, immediately on demand, fully indemnify and hold harmless Company and Company’s Affiliates, their directors, officers, and employees (collectively, the “Indemnified Parties”) from and against all costs, claims, administrative fines, demands, expenses (including legal costs and disbursements on a full indemnity basis), losses (including direct and indirect losses, loss or corruption of data, loss of reputation, goodwill and profits), actions, proceedings and liabilities of whatsoever nature arising from or incurred by the Indemnified Parties, in connection with any failure, whether negligent or otherwise, of the Privacy Request or any subcontractors to comply with the provisions of this DPA and/or Data Protection Law in respect of its processing of Company Data ("Losses").  All or any such Losses suffered by an Indemnified Party, shall, for the purposes of this section, be deemed to have been suffered by the Company. The rights under this section are in addition to any indemnification rights under the Agreement and shall survive termination.

10. Security

Privacy Request shall employ (and shall ensure all subprocessors employ) technical and organisational measures to adequately protect Company Data from loss, destruction, or unauthorised disclosure or access to Company Data taking into account the nature, scope, context and purposes of processing as well as the varying likelihood and severity of risk to the rights and freedoms of data subjects with regard to Privacy Request’s performance of the Services, and shall use best practices to mitigate the risk, including, but not limited to:

a. Privacy Request and any subcontractor personnel will enter into appropriate confidentiality agreements and security measures including applicable IT security policies regarding the processing of the Company Data and provide all reasonable assistance to Company so it can demonstrate compliance with applicable Data Protection Law;

b. Privacy Request will provide a written description of the technical and organisational measures employed by Privacy Request and/or any subprocessor for processing of Company Data;

c. Privacy Request will maintain appropriate access controls, including, but not limited to, limiting access to Personal Data to the minimum number of subprocessor personnel who require such access in order to provide the services to Privacy Request; and

d. Privacy Request will implement appropriate safeguards to protect against unauthorized access, collection, use, copying, modification, disposal or disclosure, unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage or any other unauthorized processing.

11. Breach

In the event of any actual or suspected incident (including a Data Breach) which may involve unauthorised or unlawful access to or Processing, loss, alteration or destruction of or damage to Personal Information, or disclosure of Personal Information in breach of this Agreement or the Data Protection Legislation, the Privacy Request shall:

a. notify Company in writing immediately, and no later than forty eight (48) hours after the Data Breach is identified, providing: (i) all information known about the Data Breach; (ii) any relevant contact point for Company, and (iii) such details of the circumstances as Company may require;

b. describe the nature of the Data Breach (to the extent such information is available), including the possible categories and approximate number of individuals concerned and the categories and approximate number of Personal Information records concerned;

c. describe the likely consequences of the Data Breach, in particular, the likely consequences to impacted individuals;

d. communicate the name and contact details of the Privacy Request’s Data Protection Officer or other contact point where Company can obtain further information;

e. keep Company regularly informed of any further developments or information available in connection with the Data Breach and at Company’s request undertake a full investigation, at Privacy Request’s cost, and provide Company with a full written report on the Data Breach;

f. carry out all mitigating steps reasonably necessary in relation to the Data Breach to prevent future incidents;

g. provide such information as Company may require in order to make any notification or announcement as referred to above; and

h. fully cooperate with Company in Company’s handling of the Data Breach and take all reasonable steps required by the Company to assist the Company to comply with good practice regarding evaluation, containment, notification, and recovery following a Data Breach, including but not limited to assistance with notifications to individuals and regulatory bodies.

12. Return of Company Data

Privacy Request must return or delete all Company Data processed in connection with the Agreement, after completion of the Services or the Agreement, at Company’s election.  In the event that Company requests destruction, Privacy Request shall provide a written certificate to Company within thirty (30) days of such destruction. If Company requires that the Company Data be returned, it must be returned to Company within thirty (30) days of the completion or termination of Services, in a secure manner.

13. International Transfer

a. Privacy Request stores all Customer Data in Ireland and Canada. Privacy Request personnel may access data from Canada and the United States. 

b. Privacy Request shall not physically transfer Company Data from outside of the country in which the Company Data is designated to be hosted under the Agreement without the prior written consent of Company. 

c. In the event the Services provided under the Agreement involve the transfer of Personal Data of European Data Subjects outside of the European Economic Area or Switzerland, the parties agree to enter into the Standard Contractual Clauses attached hereto as Annex 1 and incorporated by this reference. In the event of a conflict between the terms of this DPA and the Annex, the Annex shall control. 

d. To the extent that Privacy Request engages any subprocessors to process the Personal Data of any European Data Subjects, Privacy Request shall ensure that there is an effective method of transfer in place as required by applicable Data Protection Laws.