This Data Processing Agreement (“Agreement”) is formed between NF SPAIN S.L. (“DDP”) and User-You (“Customer”) (hereinafter collectively referred to as “Parties” and individually “Party”) to reflect the Parties’ agreement with regard to the Processing of Personal Data, in accordance with the requirements of Data Protection Laws.
The Agreement is effective on the date 1st May 2018.
1.1. “Customer Data” means any Personal Data that DDP Processes on behalf of the Customer as a Data Processor in the course of providing its Services.
1.2. “Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
1.3. “Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.
1.4. “Data Protection Laws” means all data protection and privacy laws and regulations of the EU, EEA and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data.
1.5. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
1.6. “EEA” means the European Economic Area, the United Kingdom, and Switzerland.
1.7. “EU” means European Union.
1.8. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
1.9. “Personal Data” means any information relating to an identified or identifiable natural person as defined in GDPR.
1.10. “Privacy Shield” means the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016, and by the Swiss Federal Council on January 11, 2017.
1.11. “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. “Process”, “Processes” and “Processed” shall be interpreted accordingly.
1.12. “Processor” means a natural or legal person, public authority, agency, or any other body which Processes Personal Data on behalf of the Data Controller.
1.13. “Services” means any product or service provided by DDP pursuant to DDP’s Terms of Service (“TOS”).
1.14. “Sub-processor” means any third-party Processor engaged by DDP.
Applicability of this Agreement
2.1. This Agreement applies to the extent that DDP processes Customer Data that originates from EU/EEA and/or that is otherwise subject to GDPR.
2.2. In the course of providing the Services to Customer, DDP may Process Personal Data on behalf of Customer. DDP agrees to comply with the following provisions with respect to any Personal Data Processed for Customer in connection with the provision of the Services.
Role of Parties
The Parties agree that with regard to the Processing of Personal Data, Customer is the Data Controller and DDP is a Data Processor, acting on behalf of Customer.
Customer’s Processing of Personal Data
4.1. Customer is responsible for the control of Personal Data complying with its obligations as a Data Controller under Data Protection Laws, in particular for justification of any transfer of Customer Data to DDP and for its decisions and actions regarding the Processing and use of Personal Data.
4.2. Customer agrees that it has provided notice and received all consents and rights necessary under Data Protection Laws for DDP to Process Customer Data and provide the Services.
DDP’s Processing of Customer Data
5.1. In connection with DDP’s delivery of the Services to the Customer, DDP shall Process certain categories and types of the Customer data, only for the purposes described in this Agreement and only in accordance with Customer’s documented lawful instructions, including with regard to transfers of Customer data to a third country or an international organisation, unless required to do so by EU or Member State of the EU law to which DDP is subject. In such a case, DDP shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
5.2. The Parties agree that this Agreement sets out the Customer’s complete and final instructions to DDP in relation to the Processing of Customer Data. The Processing outside the scope of these instructions shall require prior written agreement between Customer and DDP.
Details of Data Processing
6.1. Subject matter: The subject matter of the data Processing under this Agreement is the Customer Data.
6.2. Duration of Processing: DDP will Process Customer Data for the duration of the Services, as described in the TOS.
6.3. Nature of the Processing: DDP provides email marketing and automation software as a service and other related services, as described in the TOS.
6.4. Purpose of the Processing: The purpose of the data Processing under this Agreement is the provision of the Services.
6.5. Categories of Data subjects:
“Users” – any individual accessing and/or using the Services through the Customer’s account or Free Services we provide on our websites.
“Subscribers” – any individual whose email address is included in the Customer’s distribution list / whose information is stored on or collected via the Services / to whom Users send emails or otherwise engage or communicate with via the Services.
6.6. Types of Customer Data:
Users: identification and contact data (name, contact details, including email address, username); billing information (credit card details, account details, payment information); organization information (name, address, geographic location, area of responsibility, VAT code), IT information (IP address, usage data, cookies data, online navigation data, location data, browser data, access device information);
Subscribers: identification and contact data (name, date of birth, gender, occupation or other demographic information, address, title, contact details, including email address), personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); IT information (IP address, usage data, cookies data, online navigation data, location data, browser data, access device information).
Confidentiality of Processing
DDP ensures that persons authorised by DDP to Process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Security of Processing
8.2. The Parties shall take steps to ensure that any natural person acting under the authority of the Customer or DDP who has access to Personal Data does not Process them except on instructions from the Customer unless he or she is required to do so by EU or EU Member State law.
8.3. Customer is responsible for reviewing the information made available by DDP relating to its data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that DDP may update or modify DDP’s security standards from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
8.4. Customer agrees it is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
9.1. Customer agrees that DDP may engage Sub-Processors to Process Customer Data on Customer’s behalf. The Sub-Processors currently engaged by DDP and authorized by Customer are listed in the Annex.
9.2. DDP shall ensure that Sub-Processor will protect the Customer Data to the standard required by Data Protection Laws and remain responsible for its compliance with the obligations of this Agreement and for any acts or omissions of the Sub-Processor that cause DDP to breach any of its obligations under this Agreement.
Changes to Sub-Processors
10.1. DDP shall provide a list of the Sub-Processors upon written request from Customer and notify Customer via email if it adds or removes Sub-Processors at least 10 days prior to any such changes.
10.2. Customer may object in writing to DDP’s addition of a new Sub-Processor within 5 business days of such notice, provided that such objection is based on reasonable grounds relating to Data Protection Laws. In such event, DDP and Customer shall discuss such concerns in a good faith effort to achieve resolution. If resolution is not possible, Customer may suspend or terminate the Agreement by providing written notice to DDP.
11.1. DDP’s Services provide Customer with controls that Customer may use to retrieve, correct, delete or restrict Customer Data, which Customer may use to assist it in connection with its obligations under Data Protection Laws, including responding to requests from Data Subjects or applicable data protection authorities. Requests from Data Subjects may include the Data Subject’s right of access, right to rectification, restriction from Processing, erasure (“right to be forgotten”), data portability, and the right to object to the Processing.
11.2. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, DDP will, at Customer’s expense, provide reasonable cooperation to help Customer respond to any requests from Data Subjects or applicable data protection authorities relating to the Processing of Personal Data under the Agreement. In the event any such request is made directly to DDP, DDP shall not respond to such communication directly without Customer’s prior authorization unless legally compelled to do so. If DDP is required to respond to a request, DDP shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
11.3. To the extent DDP is required under Data Protection Laws, DDP shall, at Customer’s expense, provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws.
11.4. If a law enforcement agency sends DDP a demand for Customer Data (for example, through a subpoena or court order), DDP shall attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, DDP may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, DDP shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedies unless DDP is legally prohibited from doing so.
Security Reports and Audits
12.1. Upon request, DDP shall supply, on a confidential basis, a copy of its audit reports to Customer, so that Customer can verify DDP’s compliance with the audit standards and this Agreement.
12.2. DDP shall also provide written responses, on a confidential basis, to all Customer’s reasonable requests for information to confirm DDP’s compliance with this Agreement.
12.3. Upon becoming aware of any unauthorized or unlawful breach of security, DDP shall notify Customer without undue delay and shall provide timely information as it becomes known or as is reasonably requested by Customer.
Return or Deletion of Customer Data
13.1. Upon termination or expiration of the TOS and/or Agreement, DDP shall, at Customer’s request, delete or return to Customer all Customer Data in its possession or control. This requirement shall not apply to the extent DDP is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on backup systems, which Customer Data DDP shall securely isolate and protect from any further processing, except to the extent required by applicable law.
13.2. Customer is responsible for any costs arising from the deletion of Customer Data after the termination or expiration of the TOS.
14.1. DDP may transfer and process Customer Data anywhere in the world where DDP or its Sub-Processors maintain data Processing operations. DDP shall at all times provide an adequate level of protection (within the meaning of Data Protection Laws) for the Customer Data Processed, in accordance with the requirements of Data Protection Laws.
14.2. If DDP Processes any Customer Data protected by Data Protection Laws under the TOS and Agreement and/or that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the Parties agree that DDP shall be deemed to provide adequate protection (within the meaning of Data Protection Laws) for any such Customer Data by having self-certified its compliance with Privacy Shield. If DDP is unable to comply with this requirement, DDP shall inform Customer.
14.3. The Parties agree that the data export solution identified in Section 14.2 shall not apply if and to the extent that DDP adopts an alternative data export solution for the lawful transfer of Personal Data (as recognized by GDPR) outside of the EEA, in which event, the alternative data export solution shall apply instead, but only to the extent such mechanism extends to the territories to which Personal Data is transferred.
15.1. Parties agree that this Agreement replaces any existing agreements the Parties may have previously entered into in connection with the Services. If there is any conflict between this Agreement and the TOS, the relevant terms of this Agreement take precedence.
15.2. Any claims brought under or in connection with this Agreement are subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the TOS.
15.3. No one other than a Party to this Agreement, its successors and permitted assignees shall have any right to enforce any of its terms.
15.4. Any claims against DDP under this Agreement shall be brought solely against the entity that is a Party to the Agreement. In no event shall any Party limit its liability with respect to any individual’s data protection rights under this Agreement or otherwise. Customer further agrees that any regulatory penalties incurred by DDP in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this Agreement or any applicable Data Protection Laws shall count toward and reduce DDP’s liability under the Agreement.
15.5. This Agreement shall be governed by and construed in accordance with governing law and jurisdiction provisions in the TOS unless required otherwise by applicable Data Protection Laws.
Annex – List of DDP Sub-Processors
DDP uses a range of third-party Sub-Processors to assist it in providing the Services (as described in the Agreement). These Sub-Processors set out below provide cloud hosting and storage services; content delivery and review services; payment processing; marketing; analytics; data analysis; assist in providing customer support; incident tracking, response, diagnosis and resolution services; etc.
|Entity Name|Corporate Location|
|---|---|
|Zoho Corporation|California, USA|