Data Processing Agreement
Last Updated: March 17, 2022
gComm – Platform
Data Processing Agreement
This Data Processing Agreement (“DPA”) is an integral part of the Agreement (as defined in the IO) executed between Sayollo Media LTD (“Sayollo”) and the Seller identified under an applicable IO. Capitalized terms not defined hereunder shall have the meaning ascribed to them in the Agreement.
- “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq., as may be amended, as well as all regulations promulgated thereunder from time to time.
- The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing” (and “Process”), “Personal Data Breach” and “Special Categories of Personal Data” shall all have the meanings given to them in EU Data Protection Law. The terms “Business”, “Business Purpose”, “Consumer”, “California Consumer”, “Service Provider” and “Sell” shall have the same meaning as ascribed to them in the CCPA. “Data Subject” shall also mean and refer to “Consumer”, as such term is defined under the CCPA.
- “Data Protection Law” means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law, UK GDPR and the CCPA) as may be amended or superseded from time to time.
- “EU Data Protection Law” means (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (“e-Privacy Law”); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (iv) any legislation replacing or updating any of the foregoing; and (v) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
- “ID” means: (i) a unique identifier stored on an end-user’s device, (ii) a unique identifier generated on the basis of device information, or (iii) a resettable advertising ID associated with a mobile device or an application.
- “Personal Data” or “Personal Information” means any information which (i) can be related to, describes, or is capable of being associated with, an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual or Data Subject; and (ii) is processed by Processor pursuant to the Agreement, including by way of access to the data, and may include, inter alia, demographic data, device information, IDs, cookies, browsing URLs, events, and geo localization data.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data of the other party. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Incident.
- “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021, which are attached herein by linked reference: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN.
- “UK GDPR” means the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
- “UK SCC” means where the UK GDPR applies, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR for transferring Personal Data outside of the EEA or UK.
- PARTIES’ ROLES
- The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Users’ Personal Data associated with the Promotion Services and Lead Generation Services (as applicable and in accordance with the IO), Sayollo is acting as a Processor and Seller is acting as a Controller. For the purpose of the CCPA (and to the extent applicable), Seller is the Business and Sayollo is the Service Provider. The parties acknowledge and confirm that when providing the Lead Generation Services to the Seller, Sayollo may also act as an independent Controller of certain Personal Data, subject to applicable consent obtained from Data Subjects. Each party shall be individually and separately responsible for complying with the obligations that apply to it under applicable Data Protection Law. Without derogating from the above, and solely with respect to processing activities related to the gComm Platform Services (as applicable and in accordance with the IO), the parties agree and acknowledge that they are each a separate and independent Controller of Users’ Personal Data. In no event will the parties Process Users’ Personal Data as joint controllers. Each party shall be individually and separately responsible for complying with the obligations that apply to it under applicable Data Protection Laws.
- The subject matter and duration of the Processing carried out by the Processor on behalf of the Controller, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Schedule 1 attached hereto.
- REPRESENTATIONS AND WARRANTIES
- The Seller represents and warrants that: (a) its Processing instructions shall comply with applicable Data Protection Law; and (b) it will comply with EU Data Protection Law, specifically with the lawful basis for Processing Personal Data, as well as the CCPA.
- Sayollo represents and warrants that it shall process Personal Data as a Processor, as set forth under Article 28(3) of the GDPR, solely for the purpose of providing the Service, and for the pursuit of a Business Purpose as set forth under the CCPA. Notwithstanding the above, in the event required under applicable laws, Sayollo may Process Personal Data other than as instructed by Seller; in such event, Sayollo shall make best efforts to inform Seller of such requirement unless prohibited under applicable law.
- Each party will maintain accurate written records of any and all of the Processing activities of the End-Users Data carried out by it, including the transferring of the End-Users Data, and shall make such records available to the other party upon the other party’s reasonable request.
- NO SALE
It is hereby agreed that any sharing of Personal Data between the parties is made solely for fulfilling a Business Purpose and Sayollo does not receive or process any Personal Data as consideration for the Services. Thus, such collection, processing and sharing of Personal Data shall not be considered as a Sale.
- RIGHTS OF DATA SUBJECT AND PARTIES COOPERATION OBLIGATIONS
It is agreed that where a party receives a request from a Data Subject or an applicable authority in respect of Personal Data Processed under the Agreement, where relevant, each party will direct the Data Subject or the applicable authority to the Seller in order to enable the relevant party to respond directly to the Data Subject’s or applicable authority’s request. Both parties shall provide each other with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s or applicable authority’s request, to the extent permitted under Data Protection Law. Notwithstanding the above, the parties shall cooperate reasonably and in good faith in order to respond to any correspondence or request by the Commission or Supervisory Authorities in accordance with any requirements under Applicable Data Protection Law.
The Seller acknowledges that Sayollo may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). Seller hereby authorizes Sayollo to engage and appoint such Sub-Processors to Process Personal Data, as well as permits each Sub-Processor to appoint a Sub-Processor on its behalf. Sayollo shall, where it engages any Sub-Processor, impose, through a legally binding contract between Sayollo and Sub-Processor, data protection obligations no less onerous than those set out in this DPA on the Sub-Processor.
- TECHNICAL AND ORGANIZATIONAL MEASURES
- Each party shall implement appropriate technical and organizational measures to protect the Users’ Personal Data and its security, confidentiality and integrity and the Data Subject’s rights, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing the Users’ Personal Data, as well as the risk of varying likelihood and severity for the Data Subject rights, in order to ensure a level of security appropriate to that risk, including measures such as access control, auditing, encrypted transmission of data, encrypted storage and physical protections in line with industry best practices, all in accordance with the Data Protection Laws.
- Each party shall take all necessary steps to ensure: (i) the reliability of its staff (employees, personnel and service providers who have a need to know) who may process, come into contact with, or otherwise have access to the Users’ Personal Data; (ii) that such members of its staff have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality; and (iii) that such members of its staff are aware of their responsibilities under this DPA and any Data Protection Laws.
- SECURITY INCIDENT
Sayollo will notify Seller upon becoming aware of an actual Security Incident involving the Users’ Personal Data processed by Sayollo as a Processor. Sayollo’s notification of or response to a Security Incident under this Section 8 shall not be construed as an acknowledgment by Sayollo of any fault or liability with respect to the Security Incident.
- AUDIT RIGHTS
In its capacity as a Processor, Sayollo shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by Seller, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections (“Audit”) in accordance with the terms and conditions hereunder. The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards third parties). Sayollo may object in writing to an auditor appointed by Seller in the event Sayollo reasonably believes the auditor is not suitably qualified or independent, a competitor of Sayollo or otherwise manifestly unsuitable (“Objection Notice”). In the event of Objection Notice, Seller will appoint a different auditor or conduct the Audit itself. Seller shall bear all expenses related to the Audit and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to Sayollo’s premises, equipment, personnel and business while its personnel are on those premises in the course of such Audit. Any and all conclusions of such Audit shall be confidential and reported back to Sayollo immediately.
- DATA TRANSFER
- Where the EU Data Protection Laws apply, neither party shall transfer (or access) Users’ Personal Data to a territory outside of the EU Member States, the EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom (“UK”) unless it has taken the following measures as are necessary to ensure that the transfer is in compliance with the EU Data Protection Laws and specifically Chapter V of the GDPR and UK GDPR (“Permitted Transfers”):
- The transfer of the Patient Data is to a country that has received the adequacy decision from the European Commission (“Approved Country”); or
- The transfer of the Users’ Personal Data is subject to the derogations set forth under Article 49 of the GDPR (“Derogations”); or
- The transfer of the Users’ Personal Data is subject to respective Standard Contractual Clauses or UK SCC as set forth under Article 46 of the GDPR or UK GDPR, respectively.
In the event of a conflict between the terms and conditions of this DPA and the Agreement, this DPA shall prevail. Except as set forth herein all of the terms and conditions of the Agreement shall remain in full force and effect.
SCHEDULE 1 – DETAILS OF PROCESSING OF CONTROLLER PERSONAL DATA
This Schedule 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR and UK GDPR.
Subject matter and duration of the Processing of Personal Data:
Processing shall be carried out in connection with the provision of the services set forth in the applicable IO. The duration shall be for the duration of the Term.
The nature and purpose of the Processing of Personal Data:
To provide the services detailed in the IO.
The types of Personal Data Processed – Lead Generation Services:
Contact details (name, email, phone number etc.);
The categories of Data Subjects to whom the Personal Data or Special Categories of Personal Data relates:
Users (App’s end-users) who engaged with the gComm Platform.