This Data Processing Addendum (“Addendum” or "DPA"), applies to agreements between Dash Hudson Inc., a Canadian corporation (“Dash Hudson”) and entities who subscribe for Dash Hudson’s services and who are subject to Applicable Law (“Company”), and collectively with Dash Hudson, the “Parties”), and sets forth the terms and conditions relating to the privacy, confidentiality and security of Company Personal Data (as defined below) associated with services to be rendered by Dash Hudson to Company pursuant to the subscription agreement entered into between the Parties, (the “Master Agreement”).
(A) “Applicable Law” means all applicable laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, the European Data Protection Laws, as applicable.
(B) “Approved UK Addendum” means the template Addendum, version B. 1.0 issued by the UK Information Commissioner under S119A(1) Data Protection Act 2018 and laid before the UK Parliament on 2 February 2022, as it may be revised according to Section 18 of the Mandatory Clauses;
(C) “Adequate Country” means any country or territory recognized as providing adequate protection for Personal Data transfers under an adequacy decision made from time to time by (as applicable): (i) the European Commission under the GDPR; or (ii) the UK's Information Commissioner's Office ("ICO") and /or under applicable UK law.
(D) “Controller” means a natural or legal person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
(E) “Processor” means a natural or legal person who Processes Personal Data on behalf of the Controller.
(F) “Data Security Measures” means technical and organizational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorized access, disclosure, alteration, destruction, and all other forms of unlawful Processing, including measures to ensure the confidentiality of Personal Data.
(G) “Data Subject” means an identified or identifiable natural person to which the Personal Data pertain.
(H) "European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and (iv) Swiss Data Protection Law; in each case, as may be amended, superseded or replaced.
(I) "EEA" means the European Economic Area.
(J) “Instructions” means the Master Agreement, this Addendum and any further written agreement or documentation through which the Data Controller instructs the Data Processor to perform specific Processing of Personal Data.
(K) “Company Personal Data” means Personal Data Processed by Dash Hudson in accordance with Company’s Instructions pursuant to this Addendum;.
(L) "Personal Data" means any information relating to an identified or identifiable natural person.
(M) “Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data transmitted, stored or otherwise Processed.
(N) “Process”, “Processed”, or “Processing” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(O) "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Company Personal Data.
(P) “Services” means the services offered by Dash Hudson and subscribed for by Company under the Master Agreement.
(Q) “Sub-Processor” means any third party Processor engaged by Dash Hudson to assist in fulfilling Dash Hudson’s obligations under the Maser Agreement. Sub-Processor excludes any Dash Hudson employees.
(R) "Standard Contractual Clauses" or “EU SCCs” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf %20, as may be amended, superseded or replaced.
(S) "Swiss Data Protection Law" means the Swiss Federal Data Protection Act of 19 June 1992 and, when in force, the Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances as amended, superseded or replaced from time to time.
(T) "UK" means United Kingdom.
II. Roles and Responsibilities of the Parties
(A) The Parties acknowledge and agree that Company is acting as a Controller, and has the sole and exclusive authority to determine the purposes and means of the Processing of Company Personal Data Processed under this Addendum, and Dash Hudson is acting as a Processor on behalf and under the Instructions of Company.
(B) Any Company Personal Data will at all times be and remain the sole property of Company and Dash Hudson will not have or obtain any rights therein.
III. Obligation of the Service Provider
Dash Hudson agrees and warrants to:
(A) Process Company Personal Data only on behalf of and in accordance with the Instructions of the Controller and Annex 1 of this Addendum, unless Dash Hudson is otherwise required by Applicable Law, of the UK or EU member state in which case Dash Hudson shall inform Company of that legal requirement before Processing the Company Personal Data, unless informing the Company is prohibited by such law. Dash Hudson shall immediately inform Company if, in Dash Hudson’s opinion, an Instruction provided infringes Applicable Law of the UK or EU member state.
(B) Ensure that any person authorised by Dash Hudson to Process Company Personal Data in the context of the Services is only granted access to Company Personal Data on a need-to-know basis, is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Company Personal Data in accordance with the Instructions of the Controller.
(C) Taking into account the nature of the Processing and the information available to Dash Hudson, Dash Hudson shall provide such assistance as Company reasonably requests in relation to Company's obligations under Applicable Law with respect to: (i) data protection impact assessments; and (ii) security of the Processing of Company Personal Data.
(D) Inform Company promptly of any formal requests from Data Subjects exercising their rights of access, correction or erasure of their Company Personal Data, their right to restrict or to object to the Processing as well as their right to data portability, and not respond to such requests, unless instructed by the Company in writing to do so. Taking into account the nature of the Processing of Company Personal Data, Dash Hudson shall assist Company, by appropriate technical and organisational measures, insofar as possible, in fulfilling Company’s obligations to respond to a Data Subject’s request to exercise their rights with respect to the Company Personal Data.
(E) Notify Company immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Company Personal Data. Company shall have the right to defend such action in lieu of and on behalf of Dash Hudson. Company may, if it so chooses, seek a protective order.
(F) Maintain internal record(s) of Processing activities, copies of which shall be provided to Company by Dash Hudson or to supervisory authorities upon request. Such records must contain at least: (i) the name and contact details of Dash Hudson; (ii) the categories of Processing activities carried out under this Addendum; (iii) information on data transfers to a third country or a third party, where applicable; and (iv) a general description of the Data Security Measures implemented to protect Company Personal Data Processed under this Addendum.
(A) Company grants a general authorization to Dash Hudson to appoint its Affiliates or third parties as Sub-Processors to support the performance of the Services. Dash Hudson shall maintain a list of Sub-Processors (as at the date of this Addendum, as provided in Annex 1), and shall provide Company with 30 days prior written notice in the event that Dash Hudson proposed to add any additional Sub-Processors. If Company has a reasonable objection to any new Sub-Processor, it shall notify Dash Hudson in writing within 15 days of the notification and the Parties shall seek to resolve the matter in good faith. If Company is not reasonably satisfied that the Sub-Processor meets the security and privacy protection of Applicable Law then Company as its sole remedy may, within such 15 day period, terminate the Master Agreement.
(B) Dash Hudson shall ensure that any Sub-Processor it engages to provide an aspect of the Services on its behalf in connection with this Addendum does so only on the basis of a written contract which imposes on such Sub-Processor terms substantially no less protective of Personal Data than those imposed on Dash Hudson under this Addendum (the "Sub-Processor Terms"). Dash Hudson be liable to Company for any breach by such Sub-Processor of the Relevant Terms to the extent required under Applicable Law.
V. Compliance with Applicable Laws
(A) Each Party covenants and undertakes to the other that it shall comply with all Applicable Laws in the use of the Services.
(B) As between the parties, Company is responsible for the lawfulness of the Processing of the Company Personal Data. Company will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable Data Protection Laws.
(C) Dash Hudson shall in good faith negotiate any further data Processing agreement reasonably requested by Company for purposes of compliance with the Applicable Law. In case of any conflict between this Addendum and the Master Agreement, this Addendum shall prevail with regard to the Processing of Personal Data covered by it. In the event of an inconsistency between this Addendum and the EU SCCs and/or UK Addendum, the EU SCCs and/or UK Addendum shall prevail.
VI. Cross-Border Data Transfers
(A) The Company acknowledges and accepts that the provision of the Services may involve the transfer of Company Personal Data to, and processing of Company Personal Data in, locations outside the UK, Switzerland and / or the EEA from time to time, including Processing in the United States and any country in which Dash Hudson, its Affiliates and authorized Sub-Processors perform the Services.
(B) To the extent that Company Personal Data is transferred to Dash Hudson and Processed by Dash Hudson outside of the EEA (except if in an Adequate Country) in circumstances where such transfer or Processing would be prohibited by the EU GDPR in the absence of a transfer mechanism, the Parties agree that the EU SCCs (Module Two) as set out in Exhibit 1 will apply in respect of that Processing and are incorporated into this Addendum.
(C) To the extent that Company Personal Data is transferred to Dash Hudson and Processed by Dash Hudson outside of the UK (except if in an Adequate Country) in circumstances where such transfer or Processing would be prohibited by the UK GDPR in the absence of a transfer mechanism, the Parties agree that the EU SCCs (Module Two) as set out in Exhibit 1, subject to the Approved UK Addendum as set out in Exhibit 2 will apply in respect of that Processing and are incorporated into this Addendum.
(D) To the extent that Company Personal Data is transferred to Dash Hudson and Processing by Dash Hudson outside Switzerland (except if in an Adequate Country) in circumstances where such transfer or Processing would be prohibited by Swiss Data Protection Law in the absence of a transfer mechanism, the Parties agree that the EU SCCs (Module Two) as set out in Exhibit 1, subject to the Swiss Specific Terms set out at Exhibit 3 will apply in respect of that Processing and are incorporated into this Addendum.
(E) To the extent that the performance of this Addendum and/or the Master Agreement involves Dash Hudson transferring any Company Personal Data to a Sub-Processor (which shall include without limitation any Affiliates of Dash Hudson) and, without prejudice to clause IV, where such Sub-Processor will process Company Personal Data outside the UK, Switzerland or the EEA (except if in an Adequate Country), Dash Hudson shall in advance of any such transfer take steps to put in place a legal mechanism to achieve adequacy in respect of that Processing, such as the requirement for Dash Hudson to execute the EU SCCs and/or Approved UK Addendum with the Sub-Processor.
VII. Data Security
(A) Dash Hudson shall develop, maintain and implement a written information security program that complies with Applicable Law and good industry practice. Dash Hudson’s information security program shall include appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against Security Incidents, including, as appropriate:
(B) Dash Hudson shall supervise Dash Hudson personnel to the extent required to maintain appropriate privacy, confidentiality and security of Company Personal Data. Dash Hudson shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements set forth in this Addendum to all Dash Hudson personnel who have access to Company Personal Data.
(C) Promptly upon the expiration or earlier termination of the Master Agreement, Dash Hudson shall, at the Company's request, return or securely destroy or render unreadable or indecipherable, each and every original and copy in every media of all Company Personal Data in Dash Hudson’s, its affiliates’ or their respective subcontractors’ possession, custody or control. In the event Applicable Law requires Dash Hudson to continue to store Customer Personal data , Dash Hudson warrants that it shall ensure the confidentiality of the Company Personal Data.
VIII. Data Breach Notification
Dash Hudson shall without undue delay inform Company in writing of any Personal Data Breach of which Dash Hudson becomes aware, but in no case longer than seventy-two (72) hours after it becomes aware of the Personal Data Breach. The notification to Company shall include all reasonable information in Dash Hudson's possession regarding such Personal Data Breach, including information on:
Dash Hudson shall promptly take all necessary and advisable corrective actions and shall cooperate with Company in reasonable and lawful efforts to prevent, mitigate or rectify such Personal Data Breach. Dash Hudson shall provide such assistance as reasonably required to enable Company to satisfy Company’s obligation under Applicable Laws to notify the relevant supervisory authority and / or Data Subjects of the Personal Data Breach.
Dash Hudson shall on written request (but not more than once per year, other than in the event of a Personal Data Breach) make available to Company all information in Dash Hudson's possession necessary to demonstrate Dash Hudson's compliance with the obligations set forth in this Addendum and, at the Company’s expense, allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company. Upon prior written request by Company (provided that it shall be not more than once per year other than in the event of a Personal Data Breach), Dash Hudson agrees to cooperate and, within reasonable time, provide Company with: (a) audit reports and all information in Dash Hudson's possession necessary to demonstrate Dash Hudson’s compliance with the obligations laid down in this Addendum; and (b) confirmation that the audit has not revealed any material vulnerability in Dash Hudson’s systems, or to the extent that any such vulnerability was detected, that Dash Hudson has fully remedied such vulnerability. Dash Hudson’s failure to comply with this obligation shall entitle Company to suspend the Processing of Company Personal Data Processed by Dash Hudson, and to terminate any further Processing of Company Personal Data under this Addendum and/or the Master Agreement, if doing so is required to comply with Applicable Law.
X. Governing Law
Addendum shall be governed by the law of Nova Scotia, Canada, unless required otherwise by Applicable Law. In all other cases, this Addendum shall be governed by the laws of the jurisdiction specified in the Master Agreement.
In Witness whereof, the parties, by their authorized representatives, have executed this Agreement as of the date of the Master Agreement.
ANNEX 1: SCOPE OF THE DATA PROCESSING
SCOPE OF THE DATA PROCESSING
This Annex forms part of the Data Processing Addendum between Company and Dash Hudson.
The Processing of Personal Data concerns the following categories of Data Subjects:
The Processing concerns the following categories of Personal Data:
The Processing concerns the following categories of Sensitive Data:
Sensitive Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.
Though it is not mandatory, Company users may provide us with a profile photo for their user profile within the Dash Hudson platform. That may or may not reveal some of the above sensitive data.
Sensitive information contained in or otherwise associated with photos or other content created by Social Media end-users with public profiles who have directly interacted with the Company’s (brand’s) Social Media handle(s), accessed through the applicable Social Channel’s API
The subject matter of the Processing is Dash Hudson's provision of the Services to the Company.
The Processing concerns the following categories of data Processing activities (i.e., nature and purposes of Processing):
The duration of the Processing is for the duration of the Master Agreement or until the Processing is no longer necessary for the purposes.
Dash Hudson uses the following Sub-Processors: