Data Processing Agreement
version 2.0, updated on January 9, 2025
THIS DATA PROCESSING AGREEMENT (the “Agreement”) is entered into by and between:
the “Client”, whereas the Client may be a Data Controller or may act on behalf of the Data Controller,
and
PERIOD TRACKER & PREGNANCY AND BABY CALENDAR LIMITED, a private company limited by shares organized and existing under the laws of SAR Hong Kong, having its principal place of business located at: 2301, Bayfield Building, 99 Hennessy Road, Wanchai, Hong Kong, Business Registration No. (BRN): 70409838 (the “Company”),
jointly referred to as the “Parties”,
This Agreement is an integral part of the TERMS AND CONDITIONS FOR ADVERTISING in Pregnancy Tracker Mobile Application (the “Terms”). This Agreement is applied unless another document governing personal data issues (including any other Data Processing Agreement) is concluded between the Company and the Data Controller (or the Client acting on behalf of the Data Controller) in writing, in which case the latter prevails.
WHEREAS:
(A) The Company owns, controls, and operates the App that helps women, including but not limited to pregnant women, track their pregnancy and parents capture their newborns’ milestones, and the Data Controller wishes to expand its audience and target its promotional activities on the App Users.
(B) In order to achieve the above goal, the Parties have entered into an advertising agreement based on the Terms and a corresponding Advertising Order(s) thereto (the “Principal Agreement”). According to the Principal Agreement, the Company shall provide advertising Services whether for the Client’s own use (in this case, the Client is an Advertiser) or in favor of another Advertiser. The provision of the services requires certain User Data to be collected and processed by the Company (a Data Processor) on behalf of the Data Controller.
(C) The Client may be a Data Controller or may act on behalf of the Data Controller.
(D) The Parties seek to implement an agreement that complies with the requirements of the current legal framework in relation to Personal Data Processing.
(E) The Parties wish to lay down their rights and obligations in that regard.
IT IS AGREED AS FOLLOWS:
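1. Definitions and Interpretation
1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1. “Agreement” means this Agreement and all Annexes thereto.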
1.1.2. “Applicable Data Protection Law” means (a) all applicable laws pertaining to Processing Personal Data in any part of the world; and (b) all formal guidance and codes issued by any data protection authority, or equivalent regulator, applicable in any part of the world, each as amended from time to time.
1.1.3. “Application” or “Pregnancy Tracker Mobile Application” or “App” is the mobile application that is published in online stores:
• iTunes/App Store (https://apps.apple.com/us/app/pregnancy-app-and-baby-tracker/id990178211);
• Google Play (https://play.google.com/store/apps/details?id=ru.mobiledimension.kbr&hl=en).
1.1.4. “App Users” – users of the App.
1.1.5. “Data Controller’s Privacy Policy” – the Data Controller’s Processing Policy that pertains to Processing Personal Data, as may from time to time be revised by the Data Controller to comply with the Data Protection Laws.
1.1.6. “Registration Field Placement” or “Co-registration” means placing the Advertiser’s subscription box on the registration screen of the App where App Users are given an opportunity to sign up for the Advertiser’s promotional program by way of checking the appropriate box confirming the consent of the App Users to the Processing of their Personal Data in accordance with the Data Controller's Privacy Policy for the purpose of receiving marketing communications through different channels such as email and other digital channels.
Usually, the Advertiser and/or its affiliate(s) is a Data Controller(s) as stated in the Advertiser’s Privacy Policy.
1.1.7. “User Data” means any App Users’ information Processed by the Company on behalf of the Data Controller pursuant to or in connection with this Agreement that may include Personal Data.
“Data Controller”, “Data Processor”, “Data Subject”, “Subprocessor”, “Data Transfer”, “Personal Data”, “Process/Processing” and “Privacy Policy” or “Privacy Notice” have the meanings set out in the Applicable Data Protection Laws.
1.2. All other capitalized words and expressions in the Agreement shall, unless explicitly stated otherwise or the context otherwise requires, have the same respective meanings as in the Principal Agreement.
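2. Subject Matter of the Agreement
2.1. The Client being itself a Data Controller or acting on behalf of the Data Controller hereby instructs the Company (a Data Processor) to Process the User Data of App Users for and on behalf of the Data Controller while providing Services under the Principal Agreement, including Co-registration Services.
2.2. Categories of Data Subjects, the list of actions (operations) for Processing Personal Data, duration of the Processing, purposes of the Processing, the description of the technical and organizational measures are laid out in Annex 1 hereto.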
2.3. The User Data to be Processed, as well as the timeframe of Processing and any additional terms shall be laid out in the Advertising Order(s).
2.4. If the Client acts on behalf of the Data Controller: when this Agreement refers to the obligation of the Company to inform the Data Controller or vice versa, then the communication between the Company and the Data Controller shall be done through the Client, unless otherwise expressly stated in the Principal Agreement or otherwise agreed by the Parties or required by the Data Controller.
3. Rights and Obligations of the Parties
3.1. The Company undertakes to:
3.1.1. Process User Data: (i) in accordance with the documented (including through digital channels) instructions from the Data Controller, including with regard to cross-border (international) Data Transfer; and (ii) to the extent necessary to perform its obligations under the Principal Agreement, except to the extent the Company is required to do otherwise by the Applicable Data Protection Laws, in which case the Company will inform the Data Controller of the Applicable Data Protection Laws before Processing (unless the Applicable Data Protection Laws prohibit such information on important grounds of public interest).
3.1.2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.1.3. implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of the Applicable Data Protection Laws and ensure the protection of the rights of the Data Subject.
3.1.4. assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights.
3.1.5. notify the Data Controller without undue delay after becoming aware of a Personal Data breach, enabling the Data Controller to take necessary and appropriate measures to mitigate damages.
3.1.6. assist the Data Controller in ensuring compliance with other obligations pursuant to the Applicable Data Protection Laws, including in particular with respect to (a) giving effect to the rights of Data Subjects (such as under Chapter III of the GDPR), (b) notifying governmental authorities and/or Data Subjects of Personal Data breach (such as under Articles 33 and 34 of the GDPR) and (c) conducting data protection impact assessments, reviewing associated Processing to ensure it is performed in accordance with such assessments, and consulting with and obtaining any necessary authorizations from governmental authorities to Process Personal Data (such as under Articles 35 and 36 of the GDPR).
3.1.7. make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in the Applicable Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
3.1.8. procure API (Application Programming Interface) integration with the help of which the User Data will be transmitted to the Data Controller and/or any third party designated by the Data Controller, unless another way of transfer is agreed by the Parties.
3.1.9. If the Company receives any communication from a Data Subject, governmental authority, or any other third party, which relates to the Processing of Personal Data by the Data Controller, the Company will notify the Data Controller (directly or through the Client) and provide a copy of such communication within 5 (five) business days of receipt of the communication. The Company will provide the Data Controller with full cooperation and assistance in relation to any such communication. The Company will provide any relevant Personal Data to the requestor and/or fulfill the request in relation to Personal Data (including the rectification, the erasure, the restriction of processing, etc.) only in accordance with the Data Controller’s explicit prior written instructions. The Data Controller is solely responsible for compliance with Data Subject’s rights fulfillment.
3.2. If the Client is a Data Controller, the Client undertakes to do the following, and if the Client is acting on behalf of the Data Controller, the Client warrants and represents that:
3.2.1. The Data Controller shall ensure that the Processing operations assigned to the Company through this Agreement are lawful and that the purposes are in accordance with the legal bases that authorize the Processing, as stipulated in the Applicable Data Protection Laws;
3.2.2. The Data Controller shall comply with the principle of transparency and inform the Data Subjects about the purposes and other terms of the Processing, as well as provide a channel through which they can exercise the rights, as required by the Applicable Data Protection Laws;
3.2.3. When processing data of children and adolescents, the Data Controller shall ensure that the Processing is carried out in the best interest of the minor, as well as obtaining the consent of the holder of parental responsibility, as required by the Applicable Data Protection Laws.
3.2.4. When processing special categories of Personal Data, the Data Controller shall ensure that the consent of Data Subjects is explicit, as required by the Applicable Data Protection Laws (e.g., article 9 of the GDPR).
3.2.5. The Client shall provide that the Company receives instructions from the Data Controller on Processing Personal Data, including on implementing appropriate technical and organizational measures.
3.2.6. If required by the Applicable Data Protection Laws, the Data Controller shall directly name the Company as a Data Processor, with all the rights and obligations as such, in the Data Controller’s Privacy Policy, including cross-border Data Transfer provisions if applicable.
3.2.7. If the Data Controller has instructed the Company to post the Data Controller’s Privacy Policy in the App or link to it, then the Data Controller shall timely provide revised versions of the Data Controller’s Privacy Policy to be posted in the App.
3.2.8. If the Data Controller has instructed the Company to transfer the User Data through API integration, then the Data Controller shall ensure that the Company has all the information and access status necessary for the API integration.
3.2.9. The Data Controller at its own discretion identifies the purposes, period and other terms of Processing Personal Data, reflects such information in its Privacy Policy or another applicable document.
3.3. The Parties undertake to:
3.3.1. take reasonable steps to ensure the reliability of any employee, agent or contractor or any other Subprocessor who may have access to the User Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant User Data, and to comply with Applicable Data Protection Laws in the context of that individual’s duties in relation to Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
3.3.2. The Parties agree to cooperate and assist each other in complying with the obligations set out by the Applicable Data Protection Laws including the cooperation in terms of data breaches.
· The term of providing information shall not exceed 5 (five) business days.
· The assistance shall, in each case, be limited to processing Personal Data under this Agreement.
3.3.3. The Data Controller and the Company (a Data Processor) shall take steps to ensure that any natural person acting under the authority of the Data Controller and the Company (a Data Processor) who has access to Personal Data does not process them except on instructions from the Controller, unless he or she is required to do so by the Applicable Data Protection Laws.
3.4. Either Party warrants and represents that it complies with all Applicable Data Protection Laws in Processing User Data throughout the term of the Agreement. If the Client acts on behalf of the Data Controller, the Client warrants and represents that the Data Controller complies with all Applicable Data Protection Laws in Processing User Data throughout the term of the Agreement.
4.2.1. Unless otherwise agreed by the Parties in writing, if Personal Data is transferred from any European Economic Area (EEA) Member State or Switzerland to any country or recipient not recognized by the European Commission as providing an adequate level of protection, the applicable standard contractual clauses for the Transfers of Personal Data to Processors Established in Third Countries dated 4 June 2021 (2021/914/EU) (https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en), as amended or replaced from time to time (the “Standard Clauses”) will apply and are hereby incorporated by reference into this Agreement:
- if the Company (acting as a data exporter) transfers Personal Data to the Data Controller (acting as a data importer), then MODULE FOUR: Transfer processor to controller applies;
- if the Company (acting as a data exporter) transfers Personal Data to the Client or another third party designated by the Data Controller, then MODULE THREE: Transfer processor to processor (acting as a data importer) applies.
For purposes of the Standard Clauses:
(a) clause 7 (Docking Clause) of the Standard Clauses may apply accordingly;
(b) any Subprocessors will be subject to Clause 9 (Sub-processing) of the Standard Clauses Option 1 (SPECIFIC PRIOR AUTHORISATION);
(c) under Clause 11 (redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
(d) Under Clause 17 (governing law), module 3, OPTION 1 is selected. The parties select the laws of Spain. Under Clause 17 (governing law), module 4, the parties select the laws of Spain.
(e) Under Clause 18, (choice of forum and jurisdiction), the parties select the courts of Spain.
(f) Annex I and Annex III of the Standard Clauses will be populated with the information set forth herein;
(g) Annex II of the Standard Clauses will be populated with standard security requirements necessary to be compliant with the applicable law but no less than those stipulated herein.
If the Standard Clauses are amended or replaced from time to time, then the foregoing Clause and Appendix references will be deemed updated as appropriate effective from the date of invalidity of the then current Standard Clauses. To the extent that there is a conflict between this Agreement and the Standard Clauses, the Standard Clauses will prevail. If the Standard Clauses or other applicable transfer mechanisms become invalid, they will be replaced with other valid instruments prescribed by Applicable Data Protection Laws.
4.2.2. Where the Services involve the transfer of Personal Data from the United Kingdom to any country or recipient not recognized as providing an adequate level of protection for Personal Data (the UK adequacy regulations), the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”) dated 21 March 2022, as amended or replaced from time to time, will apply and is hereby incorporated by reference into this Agreement.
5.2. In furtherance of clause 5.1 herein, if the Applicable Data Protection Laws so require (as the GDPR does), the Company shall inform the Data Controller of any intended changes concerning the addition or replacement of Subprocessors, thereby giving the Data Controller the opportunity to object to such changes.
5.3. If the Applicable Data Protection Laws so require (as the GDPR does), where the Company engages Subprocessors for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out herein shall be imposed on such Subprocessors, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Applicable Data Protection Laws. Where a Subprocessor fails to fulfil its data protection obligations, the Company (initial Data Processor) shall remain fully liable for the performance of that Subprocessor’s obligations.
If the Client is a Data Controller: the Client hereby grants the Company for the term of the Agreement the permission to post the Data Controller’s Privacy Policy in the App in the scope and for the purpose of providing Services under the Principal Agreement, including Co-registration Services.
6.2. If the Client acts on behalf of the Advertiser: the Client warrants and represents that the Client is empowered by the Advertiser to grant the Company for the term of the Agreement the permission to use the Advertiser’s intellectual property, including name, brand name, trade name, trademark, logo and/or symbol in the scope and for the purpose of providing Services under the Principal Agreement, including Co-registration Services.
If the Client is an Advertiser: the Client hereby grants the Company for the term of the Agreement the permission to use the Client’s intellectual property, including name, brand name, trade name, trademark, logo and/or symbol in the scope and for the purpose of providing Services under the Principal Agreement, including Co-registration Services.
7.2. In no way is the Company responsible for any actions and/or omissions with the User Data committed by the Data Controller and/or Client and/or any other third party involved by them in the processing of the User Data.
8.2. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address.
9.2. The Parties agree to refer to arbitration administered by the Hong Kong International Arbitration Centre (HKIAC) under the HKIAC Administered Arbitration Rules any dispute, controversy, difference or claim (including any dispute regarding non-contractual obligations) arising out of or relating to this Agreement. The law of this arbitration agreement shall be Hong Kong law. The seat of arbitration shall be Hong Kong. The number of arbitrators shall be one. The arbitration proceedings shall be conducted in the English language.
Annex I
DESCRIPTION OF PROCESSING
1. Categories of Data Subjects whose Personal Data is processed: App Users.
2. The list of actions (operations) for Processing Personal Data within the Agreement: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction, anonymisation, pseudonymisation. Processing is carried out by the Company using automation tools.
3. Duration of the Processing. The period of Processing Personal Data by the Company shall be not less than the period of validity of the Advertising Order. Unless otherwise instructed to the Company, not later than 3 months after the end of the provision of Services, the Company shall delete or return to the Data Controller all the Personal Data processed on behalf of the Data Controller, provided that the deletion of these data does not conflict with any statutory storage obligations of the Company. The deletion in accordance with data protection and data security regulations must be documented and confirmed upon request of the Data Controller.
Some of the User Data collected by the Company as a Data Processor on behalf of the Data Controller while providing the Services for the purposes declared in the Data Controller’s Privacy Policy may fully or partially coincide with User Data collected by the Company as a Data Controller prior to, simultaneously with or after providing the Services, for the Company’s own purposes declared in the Company’s Privacy Policy. Such User Data belongs to the Company and will not be recognized or claimed by the Data Controller to be the Data Controller’s User Data and will not be subject to the restrictions and obligations stated herein.
4. Purposes of the Processing:
· for the purpose that the Data Controller and/or its affiliates send marketing communications to App Users through different channels such as email, SMS, Push notifications, phone and other authorized digital channels, including targeted advertising;
· other purposes as determined by the Data Controller in accordance with its Privacy Policy.
5. Description of the technical and organizational measures: physical and technical and administrative (organizational) security measures designed to protect Personal Data from damage, loss, alteration, destruction or unauthorized use, access or processing, including:
· minimising the Processing of Personal Data;
· the ability to ensure the ongoing confidentiality and security of the Processing of Personal Data;
· the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
· a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
1. Definitions and Interpretation
1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:1.1.1. “Agreement” means this Agreement and all Annexes thereto.
1.1.2. “Applicable Data Protection Law” means (a) all applicable laws pertaining to Processing Personal Data in any part of the world; and (b) all formal guidance and codes issued by any data protection authority, or equivalent regulator, applicable in any part of the world, each as amended from time to time.
1.1.3. “Application” or “Pregnancy Tracker Mobile Application” or “App” is the mobile application that is published in online stores:
• iTunes/App Store (https://apps.apple.com/us/app/pregnancy-app-and-baby-tracker/id990178211);
• Google Play (https://play.google.com/store/apps/details?id=ru.mobiledimension.kbr&hl=en).
1.1.4. “App Users” – users of the App.
1.1.5. “Data Controller’s Privacy Policy” – the Data Controller’s Processing Policy that pertains to Processing Personal Data, as may from time to time be revised by the Data Controller to comply with the Data Protection Laws.
1.1.6. “Registration Field Placement” or “Co-registration” means placing the Advertiser’s subscription box on the registration screen of the App where App Users are given an opportunity to sign up for the Advertiser’s promotional program by way of checking the appropriate box confirming the consent of the App Users to the Processing of their Personal Data in accordance with the Data Controller's Privacy Policy for the purpose of receiving marketing communications through different channels such as email and other digital channels.
Usually, the Advertiser and/or its affiliate(s) is a Data Controller(s) as stated in the Advertiser`s Privacy Policy.
1.1.7. “User Data” means any App Users’ information Processed by the Company on behalf of the Data Controller pursuant to or in connection with this Agreement that may include Personal Data.
“Data Controller”, “Data Processor”, “Data Subject”, “Subprocessor”, “Data Transfer”, “Personal Data”, “Process/Processing” and “Privacy Policy” or “Privacy Notice” have the meanings set out in the Applicable Data Protection Laws.
1.2. All other capitalized words and expressions in the Agreement shall, unless explicitly stated otherwise or the context otherwise requires, have the same respective meanings as in the Principal Agreement.
2. Subject Matter of the Agreement
2.1. The Client being itself a Data Controller or acting on behalf of the Data Controller hereby instructs the Company (a Data Processor) to Process the User Data of App Users for and on behalf of the Data Controller while providing Services under the Principal Agreement, including Co-registration Services.2.2. Categories of Data Subjects, the list of actions (operations) for Processing Personal Data, duration of the Processing, purposes of the Processing, the description of the technical and organizational measures are laid out in Annex 1 hereto.
2.3. The User Data to be Processed, as well as the timeframe of Processing and any additional terms shall be laid out in the Advertising Order(s).
2.4. If the Client acts on behalf of the Data Controller: when this Agreement refers to the obligation of the Company to inform the Data Controller of vice versa, then the communication between the Company and the Data Controller shall be done through the Client, unless otherwise is expressly stated in the Principal Agreement or otherwise agreed by the Parties or required by the Data Controller.
3. Rights and Obligations of the Parties
3.1. The Company undertakes to:3.1.1. Process User Data: (i) in accordance with the documented (including through digital channels) instructions from the Data Controller, including with regard to cross-border (international) Data Transfer; and (ii) to the extent necessary to perform its obligations under the Principal Agreement, except to the extent the Company is required to do otherwise by the Applicable Data Protection Laws, in which case the Company will inform the Data Controller of the Applicable Data Protection Laws before Processing (unless the Applicable Data Protection Laws prohibits such information on important grounds of public interest).
3.1.2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
3.1.3. implement appropriate technical and organizational measures in such a manner that Processing will meet the requirements of the Applicable Data Protection Laws and ensure the protection of the rights of the Data Subject.
3.1.4. assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights.
3.1.5. notify the Data Controller without undue delay after becoming aware of a Personal Data breach, enabling the Data Controller to take necessary and appropriate measures to mitigate damages.
3.1.6. assist the Data Controller in ensuring compliance with other obligations pursuant to the Applicable Data Protection Laws, including in particular with respect to (a) giving effect to the rights of Data Subjects (such as under Chapter III of the GDPR), (b) notifying governmental authorities and/or Data Subjects of Personal Data breach (such as under Articles 33 and 34 of the GDPR) and (c) conducting data protection impact assessments, reviewing associated Processing to ensure it is performed in accordance with such assessments, and consulting with and obtaining any necessary authorizations from governmental authorities to Process Personal Data (such as under Articles 35 and 36 of the GDPR).
3.1.7. make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in the Applicable Data Protection Laws and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
3.1.8. procure API (Application Programming Interface) integration with the help of which the User Data will be transmitted to the Data Controller and/or any third party designated by the Data Controller, unless the other way of transfer is agreed by the Parties.
3.1.9. If the Company receives any communication from a Data Subject, governmental authority, or any other third party, which relates to the Processing of Personal Data by the Data Controller, the Company will notify the Data Controller (directly or through the Client) and provide a copy of such communication within 5 (five) business days of receipt of the communication. The Company will provide the Data Controller with full cooperation and assistance in relation to any such communication. The Company will provide any relevant Personal Data to the requestor and/or fulfill the request in relation to Personal Data (including the rectification, the erasure, the restriction of processing, etc.) only in accordance with the Data Controller’s explicit prior written instructions. The Data Controller is solely responsible for compliance with Data Subject’s rights fulfillment.
3.2. If the Client is a Data Controller, the Client undertakes to do the following, and if the Client is acting on behalf of the Data Controller, the Client warrants and represents that:
3.2.1. The Data Controller shall ensure that the Processing operations assigned to the Company through this Agreement are lawful and that the purposes are in accordance with the legal bases that authorize the Processing, as stipulated in the Applicable Data Protection Laws;
3.2.2. The Data Controller shall comply with the principle of transparency and inform the Data Subjects about the purposes and other terms of the Processing, as well as provide a channel through which they can exercise the rights, as required by the Applicable Data Protection Laws;
3.2.3. When processing data of children and adolescents, the Data Controller shall ensure that the Processing is carried out in the best interest of the minor, as well as obtaining the consent of the holder of parental responsibility, as required by the Applicable Data Protection Laws.
3.2.4. When processing special categories of Personal Data, the Data Controller shall ensure that the consent of Data Subjects is explicit, as required by the Applicable Data Protection Laws (e.g., article 9 of the GDPR).
3.2.5. The Client shall provide that the Company receives instructions from the Data Controller on Processing Personal Data, including on implementing appropriate technical and organizational measures.
3.2.6. If required by the Applicable Data Protection Laws, the Data Controller shall directly name the Company as a Data Processor, with all the rights and obligations as such, in the Data Controller’s Privacy Policy, including cross-border Data Transfer provisions if applicable.
3.2.7. If the Data Controller has instructed the Company to post the Data Controller’s Privacy Policy in the App or link to it, then the Data Controller shall timely provide revised versions of the Data Controller’s Privacy Policy to be posted in the App.
3.2.8. If the Data Controller has instructed the Company to transfer the User Data through API integration, then the Data Controller shall ensure that the Company has all the information and access status necessary for the API integration.
3.2.9. The Data Controller at its own discretion identifies the purposes, period and other terms of Processing Personal Data, reflects such information in its Privacy Policy or another applicable document.
3.3. The Parties undertake to:
3.3.1. take reasonable steps to ensure the reliability of any employee, agent or contractor or any other Subprocessor who may have access to the User Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant User Data, and to comply with Applicable Data Protection Laws in the context of that individual’s duties in relation to Personal Data, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
3.3.2. The Parties agree to cooperate and assist each other in complying with the obligations set out by the Applicable Data Protection Laws including the cooperation in terms of data breaches.
· The term of providing information shall not exceed 5 (five) business days.
· The assistance shall, in each case, be limited to processing Personal Data under this Agreement.
3.3.3. The Data Controller and the Company (a Data Processor) shall take steps to ensure that any natural person acting under the authority of the Data Controller and the Company (a Data Processor) who has access to Personal Data does not process them except on instructions from the Controller, unless he or she is required to do so by the Applicable Data Protection Laws.
3.4. Either Party warrants and represents that it complies with all Applicable Data Protection Laws in Processing User Data throughout the term of the Agreement. If the Client acts on behalf of the Data Controller, the Client warrants and represents that the Data Controller complies with all Applicable Data Protection Laws in Processing User Data throughout the term of the Agreement.
4. Cross-border (international) Data Transfer
4.1. Where there is cross-border (international) Data Transfer, the Parties shall ensure that the Personal Data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on other Applicable Data Protection Laws for the transfer of Personal Data.
4.2.1. Unless otherwise agreed by the Parties in writing, if Personal Data is transferred from any European Economic Area (EEA) Member State or Switzerland to any country or recipient not recognized by the European Commission as providing an adequate level of protection, the applicable standard contractual clauses for the Transfers of Personal Data to Processors Established in Third Countries dated 4 June 2021 (2021/914/EU) (https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en), as amended or replaced from time to time (the “Standard Clauses”) will apply and are hereby incorporated by reference into this Agreement:
- if the Company (acting as a data exporter) transfers Personal Data to the Data Controller (acting as a data importer), then MODULE FOUR: Transfer processor to controller applies;
- if the Company (acting as a data exporter) transfers Personal Data to the Client or another third party designated by the Data Controller, then MODULE THREE: Transfer processor to processor (acting as a data importer) applies.
For purposes of the Standard Clauses:
(a) clause 7 (Docking Clause) of the Standard Clauses may apply accordingly;
(b) any Subprocessors will be subject to Clause 9 (Sub-processing) of the Standard Clauses Option 1 (SPECIFIC PRIOR AUTHORISATION);
(c) under Clause 11 (redress), the optional language requiring that data subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
(d) Under Clause 17 (governing law), module 3, OPTION 1 is selected. The parties select the laws of Spain. Under Clause 17 (governing law), module 4, the parties select the laws of Spain.
(e) Under Clause 18 (choice of forum and jurisdiction), the parties select the courts of Spain.
(f) Annex I and Annex III of the Standard Clauses will be populated with the information set forth herein;
(g) Annex II of the Standard Clauses will be populated with standard security requirements necessary to be compliant with the applicable law but no less than those stipulated herein.
If the Standard Clauses are amended or replaced from time to time, then the foregoing Clause and Appendix references will be deemed updated as appropriate effective from the date of invalidity of the then current Standard Clauses. To the extent that there is a conflict between this Agreement and the Standard Clauses, the Standard Clauses will prevail. If the Standard Clauses or other applicable transfer mechanisms become invalid, they will be replaced with other valid instruments prescribed by Applicable Data Protection Laws.
4.2.2. Where the Services involve the transfer of Personal Data from the United Kingdom to any country or recipient not recognized as providing an adequate level of protection for Personal Data (the UK adequacy regulations), the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (the “UK Addendum”) dated 21 March 2022, as amended or replaced from time to time, will apply and is hereby incorporated by reference into this Agreement.
5. Engaging Subprocessors
5.1. If the Client is acting on behalf of the Data Controller: the Client warrants and represents that the Client is empowered by the Data Controller to grant the Company the general written authorization to engage Subprocessors, and if the Client is a Data Controller: the Client hereby grants the Company the general written authorization to engage Subprocessors.
5.2. In furtherance of clause 5.1 herein, if the Applicable Data Protection Laws so require (as the GDPR does), the Company shall inform the Data Controller of any intended changes concerning the addition or replacement of Subprocessors, thereby giving the Data Controller the opportunity to object to such changes.
5.3. If the Applicable Data Protection Laws so require (as the GDPR does), where the Company engages Subprocessors for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out herein shall be imposed on such Subprocessors, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Applicable Data Protection Laws. Where a Subprocessor fails to fulfil its data protection obligations, the Company (initial Data Processor) shall remain fully liable for the performance of that Subprocessor’s obligations.
6. Warranties and Representations. Permissions
6.1. If the Client is acting on behalf of the Data Controller: the Client warrants and represents that the Client is empowered by the Data Controller to grant the Company for the term of the Agreement all permissions and instructions contained herein, including the permission to post the Data Controller’s Privacy Policy in the App in the scope and for the purpose of providing Services under the Principal Agreement, including Co-registration Services.
If the Client is a Data Controller: the Client hereby grants the Company for the term of the Agreement the permission to post the Data Controller’s Privacy Policy in the App in the scope and for the purpose of providing Services under the Principal Agreement, including Co-registration Services.
6.2. If the Client acts on behalf of the Advertiser: the Client warrants and represents that the Client is empowered by the Advertiser to grant the Company for the term of the Agreement the permission to use the Advertiser’s intellectual property, including name, brand name, trade name, trademark, logo and/or symbol in the scope and for the purpose of providing Services under the Principal Agreement, including Co-registration Services.
If the Client is an Advertiser: the Client hereby grants the Company for the term of the Agreement the permission to use the Client’s intellectual property, including name, brand name, trade name, trademark, logo and/or symbol in the scope and for the purpose of providing Services under the Principal Agreement, including Co-registration Services.
7. Liability
7.1. Each Party (“Indemnifying Party”) shall indemnify, defend and hold harmless the other Party (“Indemnified Party”) and their respective affiliates, officers, directors, employees, agents, successors, and assigns from and against any losses, claims, liabilities, damages, and expenses (including reasonable legal fees, expenses, and costs) arising out of any third-party claims resulting from the breach of any term, condition, representation, warranty and/or obligation made by the Indemnifying Party in this Agreement and/or in the Principal Agreement.
7.2. The Company is in no way responsible for any actions and/or omissions with the User Data committed by the Data Controller and/or Client and/or any other third party involved by them in the processing of the User Data.
8. General terms
8.1. The Term of this Agreement shall be equal to the term of the Principal Agreement.
8.2. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties changing address.
9. Governing Law and Jurisdiction
9.1. The validity, interpretation, construction and performance of this Agreement is governed by the laws of Hong Kong, without giving effect to the principles of conflict of laws.
9.2. The Parties agree to refer to arbitration administered by the Hong Kong International Arbitration Centre (HKIAC) under the HKIAC Administered Arbitration Rules any dispute, controversy, difference or claim (including any dispute regarding non-contractual obligations) arising out of or relating to this Agreement. The law of this arbitration agreement shall be Hong Kong law. The seat of arbitration shall be Hong Kong. The number of arbitrators shall be one. The arbitration proceedings shall be conducted in the English language.
Annex I
DESCRIPTION OF PROCESSING
1. Categories of Data Subjects whose Personal Data is processed: App Users.
2. The list of actions (operations) for Processing Personal Data within the Agreement: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, alignment or combination, restriction, erasure or destruction, anonymisation, pseudonymisation. Processing is carried out by the Company using automation tools.
3. Duration of the Processing. The period of Processing Personal Data by the Company shall be not less than the period of validity of the Advertising Order. Unless otherwise instructed to the Company, not later than 3 months after the end of the provision of Services, the Company shall delete or return to the Data Controller all the Personal Data processed on behalf of the Data Controller, provided that the deletion of these data does not conflict with any statutory storage obligations of the Company. The deletion in accordance with data protection and data security regulations must be documented and confirmed upon request of the Data Controller.
Some of the User Data collected by the Company as a Data Processor on behalf of the Data Controller while providing the Services for the purposes declared in the Data Controller’s Privacy Policy may fully or partially coincide with User Data collected by the Company as a Data Controller prior to, simultaneously with or after providing the Services, for the Company’s own purposes declared in the Company’s Privacy Policy. Such User Data belongs to the Company and will not be recognized or claimed by the Data Controller to be the Data Controller’s User Data and will not be subject to the restrictions and obligations stated herein.
4. Purposes of the Processing:
· for the purpose that the Data Controller and/or its affiliates send marketing communications to App Users through different channels such as email, SMS, Push notifications, phone and other authorized digital channels, including targeted advertising;
· other purposes as determined by the Data Controller in accordance with its Privacy Policy.
5. Description of the technical and organizational measures: physical and technical and administrative (organizational) security measures designed to protect Personal Data from damage, loss, alteration, destruction or unauthorized use, access or processing, including:
· minimising the Processing of Personal Data;
· the ability to ensure the ongoing confidentiality and security of the Processing of Personal Data;
· the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
· a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.