This Data Processing Addendum (“Addendum”), applies to agreements between Dash Hudson Inc., a Canadian corporation (“DashHudson”) and entities who subscribe for Dash Hudson’s services and who are subject to Applicable Law (“Company”, and collectively with Dash Hudson, the “Parties”),and sets forth the terms and conditions relating to the privacy, confidentiality and security of Personal Data (as defined below) associated with services to be rendered by Dash Hudson to Company pursuant to the subscription agreement entered into between the Parties, (the “Master Agreement”).
I. Definitions
(A) “Applicable Law” means all applicable European Union (“EU”) or national laws and regulations relating to the privacy, confidentiality, security and protection of Personal Data, including, without limitation: the California Consumer Privacy Act (“CCPA”), the EuropeanUnion (“EU”) General Data Protection Regulation 2016/679 (“GDPR”), with effect from 25 May 2018, and EU Member State laws supplementing the GDPR; the EUDirective 2002/58/EC (“e-Privacy Directive”), as replaced from time to time, and EU Member State laws implementing the e-Privacy Directive, including laws regulating the use of cookies and other tracking means as well as unsolicited e-mail communications.
(B) “Data Controller” means a person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
(C) “Data Processor” means a person who Processes Personal Data on behalf of the Data Controller.
(D) “Data Security Measures” means technical and organisational measures that are aimed at ensuring a level of security of Personal Data that is appropriate to the risk of the Processing, including protecting Personal Data against accidental or unlawful loss, misuse, unauthorised access, disclosure, alteration, destruction, and all other forms of unlawful Processing, including measures to ensure the confidentiality of Personal Data.
(E) “Data Subject” means an identified or identifiable natural person to which the Personal Data pertain.
(F) “Instructions” means the Master Agreement, this Addendum and any further written agreement or documentation through which the DataController instructs the Data Processor to perform specific Processing of Personal Data.
(G) “Personal Data” means any information relating to an identified or identifiable natural person Processed by Dash Hudson in accordance withCompany’s Instructions pursuant to this Addendum; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(H) “Personal Data Breach” a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
(I) "Process", "Processed", or "Processing" means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(J) “Services” means the services offered by Dash Hudson and subscribed for by Company under the Master Agreement.
(K) “Sub-Processor” means the entity engaged by the Data Processor or any further Sub-Processor to Process Personal Data on behalf and under the authority of the Data Controller.
II. Roles and Responsibilities of the Parties
(A) The Parties acknowledge and agree that Company is acting as a Data Controller, and has the sole and exclusive authority to determine the purposes and means of the Processing of Personal Data Processed under this Addendum, and Dash Hudson is acting as a Data Processor on behalf and under the Instructions of Company.
(B) Any Personal Data will at all times be and remain the sole property of Company and Dash Hudson will not have or obtain any rights therein.
III. Obligation of the Service Provider
Dash Hudson agrees and warrants to:
(A) Process Personal Data disclosed to it by Company only on behalf of and in accordance with the Instructions of the DataController and Annex 1 of this Addendum, unless Dash Hudson is otherwise required by Applicable Law, in which case Dash Hudson shall inform Company of that legal requirement before Processing the Personal Data, unless informing the Company is prohibited by law. Dash Hudson shall immediately inform Company if, in Dash Hudson’s opinion, an Instruction provided infringes Applicable Law.
(B) Ensure that any person authorised by Dash Hudson to Process Personal Data in the context of the Services is only granted access to Personal Data on a need-to-know basis, is subject to a duly enforceable contractual or statutory confidentiality obligation, and only processes Personal Data in accordance with the Instructions of the Data Controller.
(C) Dash Hudson shall enter into any written agreements as are necessary in Company’s reasonable determination, including without limitation the Standard Contractual Clauses (as issued under the European Commission Decision of 4 June 2021) and the UK Addendum to the European Commission Standard Contractual Clauses (as issued by the Information Commissioner’s Office under or pursuant to section 119A(1) of the Data Protection Act 2018), to comply with Applicable Law concerning any cross-border transfer of Personal Data, whether to or from Dash Hudson.
(D) Inform Company promptly and without undue delay of any formal requests from Data Subjects exercising their rights of access, correction or erasure of their Personal Data, their right to restrict or to object to the Processing as well as their right to data portability, and not respond to such requests, unless instructed by the Company in writing to do so. Taking into account the nature of the Processing of Personal Data, Dash Hudson shall assist Company, by appropriate technical and organisational measures, insofar as possible, in fulfilling Company’s obligations to respond to a Data Subject’s request to exercise their rights with respect to their Personal Data.
(E) Notify Company immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Company shall have the right to defend such action in lieu of and on behalf of Dash Hudson. Company may, if it so chooses, seek a protective order.
(F) Maintain internal record(s) of Processing activities, copies of which shall be provided to Company by Dash Hudson or to supervisory authorities upon request. Such records must contain at least: (i) the name and contact details of Dash Hudson; (ii) the categories of Processing activities carried out under this Addendum; (iii) information on data transfers to a third country or a third party, where applicable; and (iv) a general description of the Data Security Measures implemented to protect Personal Data Processed under this Addendum.
IV. Sub-Processing
(A) Dash Hudson shall not share, transfer, disclose, make available or otherwise provide access to any Personal Data to any third party, or contract any of its rights or obligations concerning Personal Data, unless Dash Hudson has entered into a written agreement with each such third party that imposes obligations on the third party that are equivalent to those imposed on Dash Hudson under this Addendum. Dash Hudson shall only retain third parties that are capable of appropriately protecting the privacy, confidentiality and security of the Personal Data. The Subprocessors currently engaged by Dash Hudson which may process Personal Data on Dash Hudson’s behalf are set out in Annex 1. Dash Hudson shall notify Company in writing in the event that Dash Hudson proposes to add any additional Subprocessors.
V. Compliance with Applicable Laws
(A) Each Party covenants and undertakes to the other that it shall comply with all Applicable Laws in the use of the Services.
(B) As between the parties, Subscriber is responsible for the lawfulness of the Processing of the Subscriber Personal Data. Subscriber will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable Data Protection Laws.
(C) Dash Hudson shall in good faith negotiate any further data Processing agreement reasonably requested by Company for purposes of compliance with the Applicable Law. In case of any conflict between this Addendum and the Master Agreement, this Addendum shall prevail with regard to the Processing of Personal Data covered by it.
VI. Data Security
(A) Dash Hudson shall develop, maintain and implement a written information security program that complies with Applicable Law and good industry practice. Dash Hudson’s information security program shall include appropriate administrative, technical, physical, organizational and operational safeguards and other security measures designed to (i) ensure the security and confidentiality of Personal Data; (ii) protect against any anticipated threats or hazards to the security and integrity of Personal Data; and (iii) protect against any Personal Data Breach, including, as appropriate:
(B) Dash Hudson shall supervise Dash Hudson personnel to the extent required to maintain appropriate privacy, confidentiality and security of Personal Data. Dash Hudson shall provide training, as appropriate, regarding the privacy, confidentiality and information security requirements set forth in this Addendum to all Dash Hudson personnel who have access to Personal Data.
(C) Promptly upon the expiration or earlier termination of the Master Agreement, or such earlier time as Company requests, Dash Hudson shall securely destroy or render unreadable or indecipherable, each and every original and copy in every media of all Personal Data in Dash Hudson’s, its affiliates’ or their respective subcontractors’ possession, custody or control. In the event applicable law does not permit Dash Hudson to comply with the destruction of the Personal Data, Dash Hudson warrants that it shall ensure the confidentiality of the Personal Data and that it shall not use or disclose any Personal Data after termination of this Addendum other than to the extent.
VII. Data Breach Notification
Dash Hudson shall without undue delay inform Company in writing of any Personal Data Breach of which Dash Hudson becomes aware, but in no case longer than seventy-two (72) hours after it becomes aware of the Personal Data Breach. The notification to Company shall include all available information regarding such Personal Data Breach, including information on:
Dash Hudson shall promptly take all necessary and advisable corrective actions, and shall cooperate with Company in reasonable and lawful efforts to prevent, mitigate or rectify such Breach. Dash Hudson shall provide such assistance as required to enable Company to satisfy Company’s obligation to notify the relevant supervisory authority and Data Subjects of a personal data breach under Articles 33 and 34 of the GDPR.
VIII. Audit
Dash Hudson shall on written request (but not more than once per year, other than in the event of a breach) make available to Company all information necessary to demonstrate compliance with the obligations set forth in this Addendum and, at the Company’s expense, allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company. Upon prior written request by Company (provided that it shall be not more than once per year other than in the event of a breach), Dash Hudson agrees to cooperate and, within reasonable time, provide Company with: (a) audit reports and all information necessary to demonstrate Dash Hudson’s compliance with the obligations laid down in this Addendum; and (b) confirmation that the audit has not revealed any material vulnerability in Dash Hudson’s systems, or to the extent that any such vulnerability was detected, that Dash Hudson has fully remedied such vulnerability. Dash Hudson’s failure to comply with this obligation shall entitle Company to suspend the Processing of Personal Data Processed by Dash Hudson, and to terminate any further Processing of Personal Data, this Addendum and/or the Master Agreement, if doing so is required to comply with Applicable Law.
IX. Governing Law
To the extent required by Applicable Law, this Addendum shall be governed by the law of Nova Scotia, Canada. In all other cases, this Addendum shall be governed by the laws of the jurisdiction specified in the Agreement.
ANNEX 1: SCOPE OF THE DATA PROCESSING
SCOPE OF THE DATA PROCESSING
This Annex forms part of the Data Processing Addendum between Company and Dash Hudson.
The Processing of Personal Data concerns the following categories of Data Subjects:
The Processing concerns the following categories of Personal Data:
The Processing concerns the following categories of Sensitive Data:
Sensitive Data means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.
Though it is not mandatory, customer users may provide us with a profile photo for their user profile within the Dash Hudson platform. That may or may not reveal some of the above sensitive data.
Sensitive information contained in or otherwise associated with photos or other content created by Instagram end-users with public profiles who have directly interacted with the Customer’s (brand’s) Instagram handle(s), accessed through the Instagram API
The Processing concerns the following categories of data Processing activities (i.e., purposes of Processing):
Dash Hudson uses the following Sub-Processors: