Data Processing Agreement

Last Updated on: July 16, 2025
This Data Processing Agreement (“DPA”) amends the Terms of Service and the Privacy Policy. Please read the DPA carefully as this forms a contract between you and Subotiz and/or its Affiliates (referred to as “us”, “we”, “our”). As referenced in our Terms of Service or in any services agreement between you (“Subotiz Users”) and us (“Terms”), this DPA will apply where we process Personal Data on your behalf. The capitalized terms used in this DPA but not defined herein shall have the same meaning as defined in the Terms. In the event of a conflict between this DPA and the Terms, this DPA shall prevail. This DPA shall continue to be in full force and effect for the duration of Your Subscription(s) and shall cease automatically thereafter. For queries, please contact us at service@subotiz.com.

We primarily provide Services to you, our Users, to facilitate your business. If you use the Services to support your business, then in order to provide the relevant Subotiz Services to you, we may, on your behalf and under your entrustment and instruction, collect the personal information of your End-Customers and process such personal information as directed by you. Legally speaking, we are a Data Processor or Sub-Processor, and we act in accordance with the agreement we entered into with you as well as the Privacy Policy and this DPA. You, as the Data Controller or Processor (as the case may be), assume all responsibilities towards your End-Customers and, where you are a Processor, towards the relevant Data Controller. When you decide how the personal information of your End-Customers will be used, you need to make sure your End-Customers understand how you (and how we on your behalf) collect and process their personal information. You should do this by, at a minimum, posting a privacy policy on your website that describes the information you collect, how you use it, and who you share it with. It is your sole responsibility to respond to queries and requests from your End-Customers with regard to how you process their Personal Information. If End-Customers have questions about how a specific merchant or store uses and processes their information, they should consult that merchant's or store's privacy policy.

In this DPA, you and we are individually referred to as a "Party" and collectively as "Parties".

1.DEFINITIONS

“Applicable Data Protection Law” means any applicable legislative or regulatory regime enacted by a recognized government, or governmental or administrative entity, with the purpose of protecting the privacy rights of natural persons or households consisting of natural persons, in particular the General Data Protection Regulation 2016/679 (“GDPR”) and the supplementing data protection laws of the European Union Member States; the United Kingdom’s Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”); Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”), and any provincial legislation deemed substantially similar to PIPEDA under the procedures set forth therein; California Civil Code Sec. 1798.100 et seq., also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder (“CCPA”), and other applicable United States federal and state privacy laws; Hong Kong’s Personal Data (Privacy) Ordinance, Cap. 486 (“PDPO”); and China’s Personal Information Protection Law (“PIPL”).

“Controller”, “Processor”, “Sub-Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” or similar terms shall have the meanings given under Applicable Data Protection Law.

“Personal Data” shall have the meaning given under Applicable Data Protection Law and is limited to that Personal Data we process as part of Service Data.

“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. For the avoidance of doubt, this includes processing of Personal Data to disclose, aggregate, pseudonymize, de-identify or anonymize Personal Data, to combine Personal Data with other Personal Data, or to derive any data or information from such Personal Data.

2.PROCESSING OF PERSONAL DATA

2.1
The Parties acknowledge and agree that with regard to the Processing of Personal Data, you may be either the Controller or the Processor of the Personal Data. Where you are the Controller, we may be the Processor and where you are a Processor, we may be a Sub-Processor to you. We will further engage Sub-Processors pursuant to the requirements set forth in Section 6 Sub-Processors below.

2.2 Processing of Personal Data by Us. We shall Process the Personal Data solely as necessary to perform our obligations and strictly in accordance with your documented instructions for the following purposes: (i) Processing in accordance with the Terms, this DPA, Applicable Data Protection Law, the Privacy Policy (to the extent applicable), and any other agreement or addendum executed by the Parties; (ii) Processing as required for compliance with applicable law; (iii) Processing initiated by End-Customers in their use of the Services; and (iv) Processing to comply with other documented reasonable instructions provided by you, where such instructions are consistent with the Terms.

You shall ensure that the processing undertaken by us is based on a legal basis, that you have obtained your End-Customers' consent or have other legitimate grounds for processing, and that the Personal Data you provide to us is sourced legally. You shall ensure that our processing of Personal Data on your behalf does not violate any legal provisions or the commitments you have made to your End-Customers; otherwise, you shall indemnify us for any losses incurred.

We shall immediately inform you in writing if, in our opinion, an instruction infringes Applicable Data Protection Law. We shall not be liable for any liabilities, losses, fines, costs, penalties and/or damages arising from or in connection with any processing carried out in accordance with your instructions after you have received such information from us. We shall provide reasonable assistance to you to assist you in complying with Applicable Data Protection Law. Nothing in this DPA shall require us to take actions beyond what is required under applicable law. You acknowledge that you are solely responsible for determining the lawful basis of processing, and for providing any required notices to, or obtaining any required consents from, Data Subjects.

3.RIGHTS OF DATA SUBJECTS

We shall, to the extent legally permitted, promptly notify you if we receive a request from a Data Subject to access, correct or delete their Personal Data, or if a Data Subject objects to the Processing thereof (“Data Subject Request”). We shall not respond to a Data Subject Request without your prior written consent, except to confirm that such request relates to you, to which you hereby agree. To the extent you, in your use of the Services, do not have the ability to address a Data Subject Request, we shall upon your request provide commercially reasonable assistance to facilitate such Data Subject Request, to the extent we are legally permitted to do so and provided that such Data Subject Request is exercised in accordance with Applicable Data Protection Law. To the extent legally permitted, you shall be responsible for any reasonable costs arising from our provision of such assistance.

4.OUR PERSONNEL

We ensure that our personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written agreements addressing relevant obligations regarding confidentiality. We shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

5.DISCLOSURE PURSUANT TO APPLICABLE LAWS

We will not disclose Personal Data to any government agency, court, or law enforcement except as necessary to comply with applicable mandatory laws. If we are obliged to disclose Personal Data, we agree to make reasonable efforts to give you notice of the disclosure request. We will take reasonable measures to protect the Personal Data from undue disclosure as if it were our own confidential information being requested. If we are legally prohibited from notifying you of a disclosure request, we shall inform you promptly if and when such legal prohibition ceases to apply.

6.SUB-PROCESSORS

6.1
You hereby grant a general authorization: (a) to us to appoint our Affiliates as Sub-Processors, and (b) to us and our Affiliates to appoint any other third party as Sub-Processors to support the performance of the Services.

6.2 We will maintain a list of Sub-Processors applicable to the provision of the Services on the Websites and will add the names of new Sub-Processors to that list. If you have a reasonable objection to any new or replacement Sub-Processor, you shall notify us of such objection in writing within ten (10) days from the change in the list, and the Parties will seek to resolve the matter in good faith. If you do not provide a timely objection to any new or replacement Sub-Processor in accordance with this Section 6.2, you will be deemed to have consented to the Sub-Processor and waived your right to object. Where we use a Sub-Processor, we shall ensure that we have in place a written contract with that Sub-Processor applying essentially the same data protection terms as are set out in this DPA.

7.SECURITY REPORTS & AUDITS

7.1 Security Measures.
We implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, or disclosure. We regularly monitor and update these measures to ensure ongoing compliance.

7.2 Determination of Security Requirements. You acknowledge that the Services include certain features and functionalities that you may elect to use that impact the security of the data processed by your use of the Services, such as, but not limited to, encryption of custom fields and availability of multi-factor authentication on your Account. You are responsible for properly configuring the Services and using available features and functionalities to maintain appropriate security in light of the nature of the data processed by your use of the Services.

7.3 Personal Data Breach Notification. We shall, to the extent permitted by law, notify you of any Personal Data Breach. To the extent such Personal Data Breach is caused by a violation of the requirements of this DPA by us, we shall make reasonable efforts to identify and remediate the cause of such Personal Data Breach. We shall provide reasonable information, cooperation and assistance to you in relation to any action to be taken in response to a Personal Data Breach, including in the event you are required under Applicable Data Protection Law to notify a supervisory authority or any Data Subjects of the Personal Data Breach.

8.DELETION OF PERSONAL DATA

Following termination of the Account, we will retain the Personal Data forming part of the Service Data for the period necessary to achieve the purpose for which we Processed it (“Data Retention Period”). Upon the expiration of the Data Retention Period, we will no longer have an obligation to maintain or provide you and End-Customers access to the Personal Data. Thereafter, unless required for compliance with applicable laws and regulations, or as necessary to protect, defend or establish our rights, or defend against potential claims, we reserve the right to destroy all Personal Data in our possession. You understand that Personal Data, once deleted, cannot be recovered. Notwithstanding the Data Retention Period, upon your written request following the termination of an Account, we will destroy all Personal Data in our possession, provided, however, that we may retain Service Data to the extent required for compliance with applicable laws and regulations, or as necessary to protect, defend or establish our rights, or defend against potential claims.

9.DATA TRANSFER

9.1
In the event of any cross-border transfer of Personal Data by the Processor to its affiliates or to Sub-processors, the following shall apply:

(a) Personal Data may be transferred to one or more of the Processor’s affiliates or Sub-processors located in the EEA in accordance with Applicable Data Protection Law;

(b) Personal Data may also be transferred to Sub-processors located outside the EEA on the basis of a valid legal basis under Applicable Data Protection Law, including the use of appropriate safeguards. Where applicable, such safeguards may include the execution of the standard contractual clauses approved by the European Commission, or other lawful transfer mechanisms recognized under the relevant data protection frameworks;

(c) Upon the Controller’s request, the Processor shall inform the Controller of the legal basis relied upon for any such cross-border transfer.

9.2 Where the data protection or privacy laws of countries outside the EEA apply, the Controller confirms that any international transfer of Personal Data is permitted and shall ensure that appropriate safeguards are in place, as required under Applicable Data Protection Law.

10.ASSISTANCE WITH DATA PROTECTION IMPACT ASSESSMENT

The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments (“DPIA”) which are required under Applicable Data Protection Law, and with any prior consultations with a supervisory authority of the Controller which are required under Article 36 GDPR, in each case in relation to the processing of Personal Data by the Processor on behalf of the Controller and taking into account the nature of the processing and the information available to the Processor.

11.TERM AND TERMINATION

11.1
This DPA shall continue to be in full force and effect for the duration of the Terms and shall cease automatically thereafter.

11.2 Where amendments are required to ensure compliance of this DPA with Applicable Data Protection Law, the Parties shall agree on such amendments upon your request. Where the Parties are unable to agree upon such amendments, you have the right, but not the obligation, to terminate the Terms and this DPA with prior written notice to us.

12.MISCELLANEOUS

12.1
In case of any conflict, the provisions of this DPA shall take precedence over the provisions of any other agreement between us and you.

12.2 We may amend this DPA from time to time by posting the most current version on the Websites, in which case the new DPA will supersede prior versions. Please check this DPA periodically to take notice of changes as they will be binding on you. If an amendment materially affects your rights, we will notify you (by, for example, sending a message to the e-mail address associated with your Account, or posting on the Websites or as a notification inside the Services). Your continued use of the Services following the effective date of any such amendment may be relied upon by us as your acceptance of any such amendment.

12.3 Should individual provisions of this DPA become void, invalid or unenforceable, this shall not affect the validity of the remaining provisions of this DPA.