MemberClicks’ Statement on Data Processing and Standard Terms and Conditions for Compliance with the General Data Protection Regulation
OVERVIEW AND RATIONALE:
These Processing Terms are intended to provide Controller Clients of MemberClicks with sufficient guarantees with respect to MemberClicks’ implementation of technical and organizational measures to demonstrate that Processing meets the requirements set forth under the GDPR, and to ensure the protection of the rights of the various Data Subjects whose Personal Data has been provided to MemberClicks pursuant to its Controller Client’s utilization of the Services.
These Processing Terms are intended to form the contractual basis for the relationship between MemberClicks as Processor and Client as Controller, subject to Article 28 paragraph 3 of the GDPR. These Processing Terms are intended to function as the “Data Processing Agreement” or “DPA” between Controller Client and MemberClicks as Processor. These Processing Terms shall supersede any other agreement between Client and MemberClicks with respect to the Processing of Personal Data or any other obligations attributable to MemberClicks under the GDPR.
those obligations and rights extend to the Personal Data they may process in the course of their business operations on behalf of Data Subjects through the utilization of MemberClicks’ Services.
1. MemberClicks shall process Personal Data on behalf of Controller Clients for the duration of the term of the Agreement. Client is solely responsible for determining the nature and purpose of processing, the type of data and categories of Data Subjects, and for the communication of such information to the Data Subjects.
3. MemberClicks shall not engage another processor without prior specific or general written authorization of Controller Clients (Article 28 Paragraph 2). In the event MemberClicks is required to engage another Processor in order to provide the Services to Client or to carry out any specific processing activities on behalf of the Client, MemberClicks will require those Processors to comply with the same data protection obligations as set out in these Processing Terms and the Privacy Shield Principles. Additionally, MemberClicks shall require third-party Processors to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing shall meet the requirements of the GDPR.
4. MemberClicks shall ensure that all MemberClicks’ employees with access to or who are otherwise authorized to Process Personal Data have committed themselves to confidentiality.
5. MemberClicks has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including where technically feasible and within the direct control of MemberClicks. Such measures include, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, as appropriate: (1) pseudonymisation and encryption of Personal Data where possible and technically feasible; (2) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (3) the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and (4) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of processing.
6. MemberClicks shall notify Controller Clients without undue delay, where feasible, after becoming aware of a breach affecting Personal Data for which Controller Clients are responsible.
7. MemberClicks, taking into account the nature of the processing, shall, where possible and feasible, assist the Controller Client by appropriate technical and organizational measures in fulfilling the Controller Client’s obligations to respond to requests for exercising the rights of the Data Subject.
8. MemberClicks, at the election of the Controller Client, shall delete or return all of Client’s data to Client after the end of the provisioning of Services relating to processing and delete existing copies unless prohibited under US law.
9. MemberClicks shall make available to the Controller Client all information necessary to demonstrate compliance with the obligations laid down in these Processing Terms and shall ensure that the Controller Client can demonstrate compliance with the technical and organizational measures taken by MemberClicks and other processors engaged by MemberClicks, if any, and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the Controller Client.
10. MemberClicks shall expressly assure Controller Clients either that it has appointed in writing a Data Protection Officer (hereinafter “DPO”) or that, and for what reason, such appointment is not necessary. MemberClicks will immediately notify the Controller Client in writing of the name and contact data of the DPO, including any subsequent changes, when applicable.
11. The DPO of MemberClicks shall ensure without any restrictions that all relevant EU or EEA Member State data protection provisions are complied with by MemberClicks and performed in relation to the contractual relationship between MemberClicks and the Controller Client. The DPO shall inform the Controller Client in writing without delay of any irregularities in connection with MemberClicks’ Processing activities.
12. The Controller Client represents that Personal Data submitted to MemberClicks in order to provide Services to Controller Client is in compliance with any and/or all laws, rules, directives and regulations, on any local, provincial, federal or national level, including, but not limited to, those pertaining to data privacy, data security and/or the protection of Personal Data, including but not limited to the General Data Protection Regulation 2016/697 (“GDPR”), together referred to hereinafter as “Applicable Law”.
13. MemberClicks shall only process Personal Data on behalf of and for the benefit of Client in order to perform its obligations under the Agreement and in accordance with Controller Client’s written instructions and under Applicable Law.
14. Controller Client shall be fully responsible for ensuring the parties’ compliance under Applicable Law regarding all international data transfers. To the extent data transfer agreements including, as applicable, the EU Commission Model Clauses, Privacy Shield or any adequacy decision relied upon are declared invalid, Controller Client shall be entitled to revoke its consent to the data transfers, and MemberClicks shall cooperate with Controller Client in good faith to find an alternative legal ground for such data transfers.
15. The parties agree that it is each party’s responsibility to cooperate fully in order to review, adopt and agree upon the necessary requirements imposed on Data Controllers and Data Processors, as those terms are defined under the GDPR.
16. Nothing in this DPA shall limit or exclude the liability of either Party for: fraud or fraudulent misrepresentation; or any other liability which by applicable law cannot be limited or excluded. Neither Party shall be liable to the other Party, whether in contract, tort (including negligence) or restitution, or for breach of statutory duty or misrepresentation or otherwise, for: (a) any special, indirect or consequential damage or loss; (b) any economic loss (whether direct or indirect), including loss of business, profits, revenues, contracts or anticipated savings; or (c) loss of or damage to data, arising under or in connection with these Processing Terms. Subject to the exclusions for fraud, fraudulent misrepresentation or any other liability which by applicable law cannot be limited or excluded, the total aggregate liability of MemberClicks arising under or in connection with these Processing Terms, whether arising in contract, tort (including negligence) or restitution, or for breach of statutory duty or misrepresentation, or otherwise, shall, to the extent permitted by applicable law, not exceed fifty percent (50%) of the total amount paid by Client to MemberClicks under the Agreement in the twelve (12) months prior to when the liability arises. All liability is cumulative and not per incident.