Data processing addendum
Updated: 24 May 2018
- Confetti offers a service where customers can create websites for their various events (the “Service”).
- The Customer has entered into an agreement (the “Customer Agreement”) with Confetti in order to make use of the Services, which forms the subject matter of the processing of Personal Data under this Agreement.
- In providing the Services, Confetti will collect and process certain Personal Data about individuals registering for the Customer’s events.
- Confetti will, under the applicable data protection laws, act as processor to the Customer in relation to the processing of Personal Data required to carry out the Services.
- In light of the above, Confetti and the Customer have agreed on the following terms and conditions set out in this Agreement concerning the processing of Personal Data under this Agreement.
“Applicable Laws” shall mean all acts, laws, regulations, including but not limited to Data Protection Laws, applicable to each Party.
“Data Protection Laws” shall mean the applicable national laws concerning data protection including, if applicable, the national laws implementing Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data and Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of Personal Data and the protection of privacy in the electronic communications sector (ePrivacy Directive) and the subsequent directives and regulations such as the General Data Protection Regulation (Regulation no. 2016/679, the GDPR) and the national implementations thereof and related national legislation.
“EEA” shall mean the European Economic Area.
“Personal Data” shall mean all information that is directly or indirectly referable to a natural living person such as name, email address, IP-address, location data etc.
“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Service Processing” shall mean the processing of Personal Data carried out by Confetti on behalf of the Customer, as specified in SCHEDULE 1.
- Confetti may under this Agreement only carry out the Service Processing of Personal Data in accordance with the instructions of the Customer.
- This Agreement is intended to constitute and shall be interpreted as a written data processing agreement between Confetti and the Customer pursuant to applicable Data Protection Laws.
THE Service PROCESSING
- Confetti shall process the Personal Data relating to the categories of data subjects and the Service Processing shall consist of the processing operations as set out in SCHEDULE 1.
- In carrying out the Service Processing of the Personal Data, Confetti shall act as processor to the Customer and the Customer shall act as controller as defined in the Data Protection Laws.
- Confetti shall carry out the Service Processing of the Personal Data for the purpose of providing and optimizing the Service to the Customer.
TERM OF Service Processing
- This Agreement shall enter into force on the date of last signing and, subject to the below section 4.2, shall remain effective until the Customer Agreement is terminated or expires.
- Upon the termination or expiry of the Customer Agreement, without entering into a new agreement replacing this Agreement, the provisions of this Agreement shall continue to apply as long as and to the extent Confetti carries out the Service Processing pursuant to the instructions of the Customer.
- Confetti may carry out the Service Processing of Personal Data only for purposes necessary for the due performance of the Customer Agreement and only in accordance with the Data Protection Laws applicable to Confetti and in accordance with the written instructions from the Customer as further detailed in SCHEDULE 2 and as otherwise instructed by the Customer in writing from time to time. Confetti may not disclose any Personal Data to a third party without the prior written approval from the Customer or if required by law.
- If Confetti does not have sufficient instructions to enable Confetti to deliver the Service or otherwise fulfil its obligations, Confetti shall without delay inform the Customer hereof and specify the need for further instructions and await further written instructions from the Customer prior to continuing the relevant Service Processing of the Personal Data.
- Confetti shall implement and maintain appropriate and adequate technical and organisational measures as set forth in SCHEDULE 2 and as required under Data Protection Laws to ensure the security for the Personal Data included in the Service Processing. The measures shall as a minimum protect the processed data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data transmitted, stored or otherwise processed by Confetti. The measures shall take into account the particular risks associated with the processing of the Personal Data and the sensitivity of the Personal Data which is processed. The measures shall ensure a level of security appropriate to the risk, including inter alia as appropriate:
- the pseudonymisation and encryption of the processed data;
- the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- Confetti undertakes to oblige all persons, including but not limited to its employees, who access the processed Personal Data in the course of the Service Processing operations carried out by Confetti to comply with confidentiality obligations and access restrictions with regards to the Service Processing of Personal Data. Confetti shall ensure that only such employees have access to Personal Data who have received training and/or instructions in the care and handling of Personal Data.
- Confetti may, as part of the Service, inform the data subjects about the collection of the Personal Data and seek consent on behalf of the Customer where required, provided that the parties agree on this. The Customer acknowledges that the Customer, as controller of the Personal Data, is ultimately responsible under Data Protection Laws for the collection of consent where required.
- Taking into account the nature of the processing, Confetti shall, upon the Customer’s request and in accordance with the Customer’s written instructions, assist the Customer by appropriate technical and organisational measures, for the fulfilment of the Customer’s obligation to respond to requests for exercising data subject’s rights under applicable Data Protection Laws.
- Confetti undertakes to assist the Customer upon the Customer’s request in ensuring compliance with applicable Data Protection Laws, including but not limited to, with regards to the security of processing, notification to the data protection authority and communication to the data subjects of data breaches, data protection impact assessments and prior consultations with the data protection authority.
- The Customer undertakes to comply with this Agreement and its obligations as controller under the Data Protection Laws, including, as applicable, inform the data subjects about the Service Processing and collect consent in accordance with Applicable Laws.
DATA SUBJECT REQUESTS
- If the Customer receives a request from a Data Subject in relation to the Personal Data and the Customer deems that such request requires information or actions from Confetti, the Customer shall inform Confetti and Confetti shall use its best efforts to provide the information and/or take the actions as instructed by the Customer as soon as reasonably possible. If Confetti receives a request from a Data Subject, the instructions in SCHEDULE 2 shall apply.
- Confetti shall immediately inform the Customer if, in its opinion, an instruction infringes or is contrary to applicable Data Protection Laws.
- Confetti shall notify the Customer without undue delay, after becoming aware of a Personal Data Breach relating to the Personal Data processed in the Service Processing. Confetti shall without undue delay provide the Customer with all information about the Data Breach necessary for the Customer to provide notice to the data subjects and authorities, as applicable. Confetti shall not disclose any information relating to a Data Breach without the prior written consent of the Customer. For the avoidance of doubt, information relating to a Data Breach shall be treated by Confetti as confidential information.
- Confetti shall not respond, without the Customer’s prior written specific consent, to requests or inquiries of third parties, including but not limited to government agencies, public authorities, courts, data subjects, relating to the processing of Personal Data under this Agreement and Confetti shall immediately forward such requests or inquiries to the Customer.
- In the event Confetti is required to disclose information, including but not limited to the processed Personal Data or information relating to the Service Processing, according to Data Protection Laws or the decisions of public authorities or courts, Confetti shall be obligated to inform the Customer thereof immediately and request confidentiality in conjunction with the disclosure of requested information, unless otherwise specified in Applicable Laws.
INFORMATION AND AUDIT
- Each party is obliged to, at its own cost, upon the other Party’s request, make available to the requesting Party all information necessary for the purpose of demonstrating compliance with applicable Data Protection Laws.
- The Customer may carry out or mandate a third party auditor to carry out an audit, with ten (10) days of prior notice, in order to verify Confetti’s compliance with this Agreement and with applicable Data Protection Laws. Confetti grants access to Confetti’s premises, records and documents for the Customer or mandated third party auditor to carry out the audit to which Confetti shall provide assistance and Confetti shall bear the costs of such audit if the audit reveals any non-compliance with this agreement or applicable Data Protection Laws.
- The Customer authorises Confetti to appoint subprocessors in accordance with this section 10.
- Confetti may continue to use those Subprocessors already engaged by Confetti prior to the date of this Agreement listed in SCHEDULE 3, subject to Confetti in each case as soon as practicable meeting the obligations set out in section 10.4.
- Confetti shall give the Customer prior written notice of the appointment of any new Subprocessor, including full details of the processing to be undertaken by the subprocessor. If, within 14 days of receipt of that notice, the Customer notifies Confetti in writing of any objections (on reasonable grounds) to the proposed appointment Confetti shall not appoint (or disclose any Personal Data to) that proposed subprocessor until reasonable steps have been taken to address the objections raised by the Customer and the Customer has been provided with a reasonable written explanation of the steps taken.
- Provided that the Customer has provided its consent in accordance with section 10.1, all subprocessors must as a minimum conform to the respective requirements of this Agreement. When engaging subprocessors, Confetti undertakes to ensure that the contract entered into between Confetti and any subprocessor shall impose at least the same data protection obligations as set out in this Agreement.
- Confetti may not transfer Personal Data for the Service Processing to a country outside the EEA without the prior written approval of the Customer. Transfer to the subprocessors listed in SCHEDULE 3 shall be considered approved. Confetti shall be fully liable for the lawfulness of any data transfer approved by the Customer and shall secure necessary safeguards for the transfer.
- Confetti shall, upon the Customer’s request, promptly provide all relevant information relating to the approved subprocessors, such as corporate identity, address, location and a copy of the relevant subprocessing agreement.
- Both Parties warrant that they have the necessary authority and mandate to enter into this Agreement.
- Confetti warrants that the Service Processing of Personal Data is carried out in accordance with applicable Data Protection Laws, including but not limited to the obligations relating to the security of the processing.
LIMITATION OF LIABILITY
- No Party shall be liable under this Agreement to compensate the other Party for any indirect damages, including but not limited to loss of profits or business.
- Confetti’s total liability hereunder, whether arising under or otherwise in connection with this Agreement, shall be limited to an amount equal to the total amount paid by the Customer to APRL under the Customer Agreement during the twelve (12) month period preceding the event giving rise to the claim.
MEASURES UPON COMPLETION OF Service Processing
- When this Agreement is terminated or expires, Confetti shall, upon and in accordance with Controller’s written request, delete all Personal Data used in the Service Processing or delete and return all such Personal Data to the Customer, unless Applicable Laws require Confetti to store Personal Data.
- Neither Party may assign its obligations under this Agreement without the prior written approval of the other Party.
- This Agreement shall supersede any prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof.
- The Customer is entitled to amend this Agreement if it is necessary to comply with requirements of applicable Data Protection Laws. Such amendments enter into force at the latest thirty (30) days after the Customer has sent an amendment notice to Confetti, or such other time period which the Customer is obliged to adhere to according to Data Protection Laws and Regulations or relevant authorities. Other alterations of and amendments to this Agreement shall be made in writing and be signed by duly authorised representatives of the Parties to be binding.
GOVERNING LAW AND DISPUTES
- This Agreement shall be governed by and construed in accordance with the laws of Sweden, with the exclusion of its conflict of law rules.
- Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be finally settled by arbitration administered by the Arbitration Institute of the Stockholm Chamber of Commerce (the SCC Institute). The place of arbitration shall be Stockholm, Sweden. The language to be used in the arbitral proceedings shall be English, unless otherwise agreed.
- The Rules for Expedited Arbitrations of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply, unless the SCC Institute, taking into account the complexity of the case, the amount in dispute and other circumstances, determines, in its discretion, that the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce shall apply. In the latter case, the SCC Institute shall also decide whether the arbitral tribunal shall be composed of one or three arbitrators.
- The Parties undertake and agree that all arbitral proceedings conducted with reference to this arbitration clause will be kept strictly confidential. This confidentiality undertaking shall cover all information disclosed in the course of such arbitral proceedings, as well as any decision or award that is made or declared during the proceedings. Information covered by this confidentiality undertaking may not, in any form, be disclosed to a third party without the written consent of the other Party. This notwithstanding, a Party shall not be prevented from disclosing such information in order to safeguard in the best possible way his rights vis-à-vis the other Party in connection with the dispute, or if the Party is obliged to so disclose pursuant to statute, regulation, a decision by an authority or similar.
Counterparts and Electronic signatures
- This Agreement may be executed in two or more counterparts, each of which shall be deemed an original but all of which together shall constitute one and the same Agreement. The counterparts of this Agreement may be executed and delivered by electronic means by any of the parties to any other party and the receiving party may rely on the receipt of such document so executed as if the original had been received.
Processing of Personal Data
Types of Personal Data
The following types of Personal Data are processed by Confetti on behalf of the Customer in the Service Processing under the Agreement:
- (i) First name and last name
- (ii) Email address
- (iii) Company
- (iv) Payment details (bank account and personal identification number)
- (v) Other information which may be required by the Customer due to the nature of the event, however, under no circumstances information constituting special categories of personal data (under GDPR art 9) or personal data relating to criminal convictions and offences (under GDPR art 10).
Categories of data subjects
The processed Personal Data concerns the following categories of data subjects:
Individuals registering to participate in the Customer’s events.
Service Processing operations
The following Service Processing operations shall be carried out for the below specified purposes by Confetti under this Agreement:
Service Processing operations - Collecting information from Data Subject in registration forms.
Purposes - To enable a record of attendees to an event and their respective payments as necessary to fulfil Confetti’s obligations to the Customer under the Customer Agreement, which includes processing of the data after the event to enable Customer to communicate with the attendees.
Instructions for processing of the Processed Data on behalf of the Data Controller
Confetti shall comply with the instructions set forth below with respect to the processing of the Personal Data under this Agreement.
Handling and processing of the Personal Data
The premises used by Confetti shall be protected with adequate physical security measures.
Confetti shall implement a security policy which states for example the manner in which the Personal Data shall be processed, to whom Confetti’s personnel shall turn in the event of a burglary or other incident, which personnel are authorized as regards which type of information, back-up procedures, contingency plans, etc.
Confetti should create a safe IT-environment.
Data subjects’ requests
Confetti shall make it possible to log and trace processing of the Personal Data, including the disclosure and transfer of the Personal Data.
The Customer authorizes Confetti to, subject to the provisions of this Agreement, directly fulfil the requests of data subjects received by Confetti. Confetti undertakes to inform the Customer of any rectification, erasure, or restriction of processing of Personal Data performed by a direct request of a data subject, unless this proves impossible or involves disproportionate effort.
Confetti shall have routines to provide Personal Data concerning a data subject at the Customer’s request.
Subject to the provisions of this Agreement, Confetti shall not maintain the processed Personal Data for longer than is necessary taking into consideration the purpose of the processing.