This Data Protection Agreement (“DPA”) forms part of the Agreement entered into by and between Surfe and the Customer (as defined in the Agreement) (each a “Party” and together the “Parties”) and applies where, and to the extent that, Surfe processes Personal Data as a Controller as well as a Processor for Customer when providing Services under the Agreement.
Unless otherwise specified in this DPA, the terms of the Agreement shall continue in full force and effect. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement or the meaning given to them in the “Data Protection Laws”, which refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (“GDPR”), as well as any other applicable laws, regulations, directives, or mandatory recommendations.
Any privacy or data protection related clauses or agreement previously entered into by Surfe and Customer shall be superseded and replaced with this DPA.
PART 1 – Data Controller (customer) to Data Controller (Surfe) relationship:
This section of the DPA applies where both Parties act as independent Controllers (i.e. when Surfe processes customer data necessary to monitor and provide its services, ensure security, prevention of fraud, legal compliance and supporting marketing and advertising activities, or when it collects data on its own behalf to build a database useful for its customers).
The Parties mutually undertake to comply with Data Protection Laws. In particular, they undertake to:
- collect and process Personal Data in accordance with Data Protection Laws;
- ensure that Personal Data is used exclusively for the performance of the Agreement;
- not disclose, in any form whatsoever, all or part of the Personal Data to persons other than those duly authorized to have access to it;
- ensure the effectiveness of the rights of Data Subjects: right of access, rectification, erasure, and objection, right to restriction of processing, right to data portability, etc.;
- implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, accidental loss, alteration, disclosure, or unauthorized access.
When one of the Parties communicates Personal Data to the other Party and the latter is located in a country which does not offer an adequate level of protection, the Parties shall perform such processing in accordance with the Standard Contractual Clauses set forth in Appendix 1 to this DPA and/or in accordance with Articles 44 to 49 of the GDPR.
No instructions on how to process Personal Data shall be given by one Party to the other Party.
The Parties shall in no way be considered Joint Controllers or Processors of each other.
PART 2 – Data Processor (Surfe) to Data Controller (Customer) relationship:
1. Purpose
This section of the DPA applies where Customer acts as a Controller and Surfe acts as a Processor (i.e. when Surfe processes customer data under the instructions of its customer to enrich its already existing database. In this case, Surfe acts as a mere intermediary. Surfe does not determine the data to be collected or the use to be made of it).
2. Parties obligations
2.1 Customer shall:
a) use the Services in compliance with Data Protection Laws;
b) ensure all instructions given by it to Surfe in respect of the Processing of Personal Data are at all times in accordance with Data Protection Laws;
c) ensure all Personal Data provided to Surfe has been collected in accordance with Data Protection Laws and that Customer has all authorizations and/or consents necessary to provide such Personal Data to Surfe; and
d) keep the amount of Personal Data provided to Surfe to the minimum necessary for the provision of the Products and/or Services.
2.2 Surfe shall:
a) only Process the Personal Data in accordance with Customer’s documented instructions set forth in Appendix 1. Surfe will promptly notify Customer if Surfe reasonably believes that Customer’s instructions are inconsistent with Data Protection Laws;
b) ensure its applicable representatives who may Process Personal Data have written contractual obligations in place with Surfe to keep the Personal Data confidential;
c) appoint data protection representative(s). Upon request, Surfe will provide the contact details of the appointed person(s);
d) assist Customer as reasonably needed to respond to requests from supervisory authorities, Data Subjects, or others to provide information related to Surfe’s Processing of Personal Data;
e) if required by Data Protection Laws, court order, subpoena, or other legal or judicial process to Process Personal Data other than in accordance with Customer’s instructions, notify Customer without undue delay of any such requirement before Processing the Personal Data (unless mandatory applicable law prohibits such notification, in particular on important grounds of public interest);
f) maintain records of the Processing of any Personal Data received from Customer under the Agreement;
g) provide such assistance as Customer reasonably requires in order to meet any applicable filing, approval or similar requirements in relation to Data Protection Laws;
h) provide such information and assistance as Customer reasonably requires (taking into account the nature of Processing and the information available to Surfe) to enable compliance by Customer with its obligations under Data Protection Laws with respect to:
- security of Processing;
- Data Protection Impact Assessments;
- prior consultation with a supervisory authority regarding high-risk Processing; and
- notifications to the applicable supervisory authority and/or communications to Data Subjects by Customer in response to any Data Breach.
i) on termination of the DPA for whatever reason, cease to Process Personal Data, and upon Customer’s written request and without undue delay, (i) return, or make available for return, Personal Data in its possession or control, or (ii) securely delete or permanently render unreadable or inaccessible existing copies of the Personal Data; unless continued retention and Processing is required or is permitted by Data Protection Laws and/or mandatory applicable law. At Customer’s request, Surfe shall give Customer confirmation in writing that it has fully complied with this Section 2.2(i) or provide a justification as to why such compliance is not feasible.
3. Transfers of Personal Data
Where Surfe Processes Personal Data from the EEA on behalf of Customer, in a country which does not offer an adequate level of protection, Surfe shall perform such Processing in accordance with the Standard Contractual Clauses set forth in Appendix 2 to this DPA and/or in accordance with Articles 44 to 49 of the GDPR.
4. Subprocessing
4.1.
A list of Surfe’s current Subprocessors is set forth in Appendix 3.
4.2.
Surfe shall not subcontract its obligations under this DPA to new Subprocessors, in whole or in part, without providing Customer with notice (for example, by publishing this information at Surfe’s platform or by email) and an opportunity to object. The Customer may object by registered letter with acknowledgement of receipt if (i) the Subprocessor is a competitor of the Customer, (ii) the Customer and the Subprocessor are in a pre-litigation or litigation situation, and (iii) the Subprocessor has been convicted by a data protection supervisory authority within one year of its recruitment by Surfe. Each of these situations must be demonstrated. In the absence of an undertaking by Surfe to appoint the new Subprocessor within three months from receiving the objection, the Customer may terminate the Agreement subject to prior notice of three (3) months and without compensation.
4.3.
Surfe undertakes to only recruit Subprocessors with necessary and sufficient safeguards to ensure the security and confidentiality of the Customer’s Personal Data. Where Surfe appoints a Subprocessor, Surfe will execute a written agreement containing terms at least as protective as this DPA.
4.4.
Surfe shall be liable for the acts or omissions of Subprocessors to the same extent it is liable for its own actions or omissions under this DPA.
4.5.
For the purposes of Clause 9 of the Standard Contractual Clauses, Customer provides a general consent to Surfe to engage Subprocessors. Such consent is conditional on Surfe’s compliance with Section 4 of this DPA.
5. Rights of Data Subjects
Surfe shall, to the extent legally permitted, promptly redirect the Data Subjects to send their requests to the Customer or notify Customer if it receives a request from a Data Subject for access to, rectification, portability, objection, restriction or erasure of such Data Subject’s Personal Data. Unless required by Data Protection Laws, Surfe shall not respond to any such Data Subject request without Customer’s prior written consent except to redirect the Data Subject to the Customer. Surfe shall provide such information and cooperation and take such action as the Customer reasonably requests in relation to a Data Subject request.
6. Security
Surfe shall implement and maintain appropriate technical and organizational measures designed to protect the Personal Data as set forth in the Security Measures in Appendix 4. Surfe regularly monitors compliance with these Security Measures.
7. Audit
7.1.
Customer shall have the right to carry out an audit in the form of a written questionnaire once a year to verify Surfe’s compliance with this DPA. The questionnaire may be transmitted in any form to Surfe, who undertakes to reply to it within a maximum of two months following its receipt.
7.2.
Customer shall also have the right to carry out an on-site audit, at its own expense, once a year only in the event of a proven data breach or non-compliance with the applicable Data Protection Laws and this DPA, including as established by the written questionnaire. An on-site audit may be conducted either by Customer or by an independent third party appointed by Customer and must be notified to Surfe in writing at least thirty (30) days prior to the audit. Surfe shall have the right to refuse the choice of the independent third party if the latter is i) a competitor or ii) in pre-litigation or litigation with it. In this case, Customer undertakes to select a new independent third party to carry out the audit. Surfe may refuse access to certain areas for confidentiality or security reasons. In this case, Surfe shall carry out the audit in these areas at its own expense and report the results to Customer. In the event of any discrepancy during the audit, Surfe undertakes to implement, without delay, the necessary measures to comply with this DPA.
8. Notification and Communication
8.1.
Surfe shall notify Customer within 48 hours of confirmation of a Data Breach relating to Customer’s Personal Data. Surfe shall provide all such timely information and cooperation as Customer may reasonably require in order for Customer to fulfil its Data Breach reporting obligations under (and in accordance with the timescales required by) Data Protection Laws. Surfe shall further take such measures and actions as it considers necessary or appropriate to remedy or mitigate the effects of the Data Breach and shall keep Customer informed in connection with the Data Breach.
8.2.
Except as required by mandatory applicable law, Surfe agrees that it will not inform any third party of a Data Breach referencing or identifying the Customer, without Customer’s prior written consent. Surfe shall reasonably cooperate with Customer and law enforcement authorities concerning a Data Breach. Surfe shall retain, for an appropriate period of time, all information and data within Surfe’s possession or control that is directly related to any Data Breach. If disclosure of the Data Breach referencing or identifying the Customer is required by mandatory applicable law, Surfe will work with Customer regarding the timing, content, and recipients of such disclosure.
8.3.
Surfe shall reasonably cooperate with Customer in any post-incident investigation, remediation, and communication efforts.
8.4.
If Surfe receives any official complaint, notice, or communication that relates to Surfe’s Processing of Personal Data or either Party’s compliance with Data Protection Laws, to the extent legally permitted, Surfe shall promptly notify Customer and, to the extent applicable, Surfe shall provide Customer with commercially reasonable cooperation and assistance in relation to any such complaint, notice, or communication. Customer shall be responsible for any reasonable costs arising from Surfe’s provision of assistance in relation to any official complaint, notice, or communication that relates to Customer’s compliance with Data Protection Laws.
9. General
9.1.
Nothing in this DPA is intended to limit the Parties’ direct liability towards Data Subjects or applicable supervisory data protection authorities which cannot be limited under mandatory applicable law.
9.2.
No one other than a Party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms.
9.3.
This DPA will become effective on the effective date of the Agreement and remain in force for the term of Agreement.
Reach out to [email protected] to obtain the full version of this DPA.