Data processing.
Data Processing Terms
PLEASE READ THESE DATA PROCESSING TERMS (THESE “TERMS”) CAREFULLY. THESE TERMS ARE A BINDING CONTRACT FOR PROCESSING OF PERSONAL DATA OF EUROPEAN UNION DATA SUBJECTS THROUGH THE USE OF NERDFLIPP Company, INC. (“Nerdflipp”) EDGE CLOUD SERVICES.
IF YOU DO NOT AGREE TO BE BOUND BY ALL OF THE PROVISIONS OF THESE TERMS, AND YOU HAVE NOT SEPARATELY AGREED WITH NERDFLIPP Company ON TERMS REGARDING THE PROCESSING OF PERSONAL DATA OF EUROPEAN UNION DATA SUBJECTS, DO NOT ACCESS OR USE NERDFLIPP Company’S SERVICES FOR THE PROCESSING OF PERSONAL DATA OF EUROPEAN UNION DATA SUBJECTS.
IF YOU REQUIRE A SIGNED VERSION OF THESE TERMS PLEASE CONTACT contact@nerdflipp.com
BY ACCESSING OR USING NERDFLIPP Company SERVICES YOU ARE ACCEPTING THESE TERMS (ON BEHALF OF YOURSELF OR THE ENTITY THAT YOU REPRESENT) AND YOU REPRESENT AND WARRANT THAT YOU HAVE THE RIGHT, AUTHORITY, AND CAPACITY TO ENTER INTO THESE TERMS (ON BEHALF OF YOURSELF OR THE ENTITY THAT YOU REPRESENT AND ITS AFFILIATES).
THESE TERMS WERE INITIALLY POSTED ON August 11, 2024. THERE HAVE BEEN NO PRIOR VERSIONS OF THESE TERMS. IF AND WHEN UPDATED, ANY PRIOR VERSIONS OF THESE TERMS WILL BE AVAILABLE AT NERDFLIPP Company and nerdflipp.com
NERDFLIPP Company DATA PROCESSING TERMS
1. Purpose. In consideration of the parties’ mutual obligations to comply with applicable law by the Agreement, these NERDFLIPP Company Data Processing Terms (these “Terms”) apply to NERDFLIPP Company’s Processing of Personal Data on Subscriber’s behalf as a Data Controller (or as a Data Processor on behalf a third-party Data Controller) subject to the Directive, the GDPR or applicable Privacy and Data Protection Laws. In the course of providing the Services to the Subscriber under the Agreement, NERDFLIPP Company may Process Personal Data on behalf of the Subscriber. Unless otherwise expressly agreed in writing between Subscriber and NERDFLIPP Company, this version of the Terms (1) is incorporated into and subject to the Agreement and each Service Order, (2) shall be effective and remain in force for the term of the Agreement and each Service Order, and (3) in the event of any conflict between the terms of the Agreement, a Service Order, and these Terms, the relevant provisions of these Terms shall take precedence. These Terms shall not apply to any Subscriber that does not access or use the Services for Processing of Personal Data subject to the Privacy and Data Protection Laws.
2. Definitions. Capitalized terms not defined in these Terms shall have the meaning outlined in the Agreement.
2.1 “Agreement” means any master subscription agreement applicable to the Subscriber’s use of the Services, such as the NERDFLIPP Company Terms of Service (available at nerdflipp.com).
2.2 “Certification” means NERDFLIPP Company’s notice of self-certification under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks available at nerdflipp.com
2.3 “Data Controller” has the meaning ascribed to it in the GDPR.
2.4 “Data Processor” has the meaning ascribed to it in the GDPR.
2.5 “Data Subject” has the meaning ascribed to it in the GDPR.
2.6 “Data Subject Request” means Data Subject requests under Privacy and Data Protection Laws, including without limitation the exercise of rights by Data Subjects of Personal Data under Chapter III of the GDPR.
2.7 “Directive” means Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals about the Processing of Personal Data and on the Free Movement of Such Data.
2.8 “Documentation” means the online documentation available via nerdflipp.com
2.9 “NERDFLIPP Company” means NERDFLIPP Company, Inc. and its affiliates engaged in the Processing of Personal Data.
2.10 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons about the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom.
2.11 “Model Contract Clauses” means the agreed form standard contractual clauses for Article 26(2) of the Directive for the transfer of personal data to data processors established in third countries under Commission Decision (2010/87/EU) notified under document C(2010) 593 attached to these Terms as Exhibit A (including the appendices).
2.12 “Personal Data” means personal data as defined in the GDPR contained in Subscriber Data and caused to be submitted to NERDFLIPP Company via the Services according to Subscriber’s configuration of the Services.
2.13 “Privacy and Data Protection Laws” means the national provisions adopted under the Directive (when in effect) and the Federal Data Protection Act of 19 June 1992 (Switzerland), the Data Protection Act 1998 (United Kingdom), the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, the General Data Protection Regulation (when in effect), and the national provisions adopted under the GDPR, for each as applicable to Subscriber as Data Controller of Subscriber Data and to NERDFLIPP Company as Data Processor of Subscriber Data and when in effect.
2.14 “Processing” has the meaning ascribed to it in the GDPR.
2.15 “Service Order” means one or more online or written ordering documents which incorporate the Agreement.
2.16 “Services” has the meaning of such a defined term in the Agreement.
2.17 “Subscriber” means the subscriber that has executed a Service Order for Services.
2.18 “Subscriber Data” has the meaning of such defined term in the Agreement.
2.19 “Sub-processor” means any Data Processor engaged by NERDFLIPP Company or a member of the NERDFLIPP Company, including NERDFLIPP Company affiliates.
2.20 “Supervisory Authority” has the meaning ascribed to it in the GDPR.
3. Processing Of Personal Data
3.1 Roles of the Parties. The parties acknowledge and agree that in the Processing of Personal Data, the Subscriber is the Data Controller and NERDFLIPP Company, and members of the NERDFLIPP Company Group, as the case may be, are Data Processors. Exhibit B to these Terms sets out certain information regarding NERDFLIPP Company’s Processing of Personal Data as required by Article 28(3) of the GDPR.
3.2 Subscriber’s Processing of Personal Data. Subscriber shall, in its use of the Services, only Process Personal Data or transfer such Personal Data to NERDFLIPP Company, by the requirements of Privacy and Data Protection Laws and the Documentation. For the avoidance of doubt, the Subscriber’s instructions for the Processing of Personal Data shall comply with Privacy and Data Protection Laws. In particular, Subscriber represents and warrants on an ongoing basis that, for Article 6 of the GDPR, there is, and will be throughout the term of the Agreement, a legal basis for the Processing by NERDFLIPP Company of Personal Data on behalf of Subscriber by these Terms and the Agreement (including any and all instructions issued by Subscriber from time to time in respect of such Processing).
3.3 Nerdflipp Company’s Processing of Personal Data. By the requirements of Privacy and Data Protection Laws, NERDFLIPP Company shall only Process Personal Data upon the Subscriber’s documented instructions and immediately notify Subscriber in writing if, in NERDFLIPP Company’s reasonable opinion, their instructions infringe Privacy and Data Protection laws; provided, Subscriber acknowledges that the Services will Process Personal Data on an automated basis by Subscriber’s configurations, which NERDFLIPP Company does not monitor. Subscriber instructs NERDFLIPP Company to Process Personal Data for the following purposes: (i) Processing by the Agreement and applicable Service Orders; (ii) Processing initiated by Subscriber through the Services’ application programming interfaces (APIs) or user interfaces; (iii) Processing to comply with other reasonable documented instructions provided by Subscriber (e.g., via support tickets, email communications and chat platforms) where such instructions are consistent with the terms of the Agreement and (iv) Processing otherwise required of NERDFLIPP Company by applicable laws. These Terms and the Agreement contain the Subscriber’s sole instructions to NERDFLIPP Company for the Processing of Personal Data. Subscriber acknowledges that as part of performing its Services NERDFLIPP Company maintains a growing global network of points of presence (“PoPs”). NERDFLIPP Company’s PoPs will process requests and transmit and cache content (including Personal Data) by the Subscriber’s configurations of the Services. Subscriber acknowledges that its Subscriber Data will automatically transit across national borders in response to Subscriber’s clients’ requests and Subscriber’s configurations by the Documentation.
4. Transfers Of Personal Data
4.1 Model Contract Clauses. The terms of the Model Contract Clauses will apply and are incorporated into these Terms, to all Processing of Personal Data by NERDFLIPP Company and its affiliates where the Personal Data is transferred from the European Economic Area (“EEA”) and/or Switzerland to outside the EEA and/or Switzerland, either directly or via onward transfer, to any country or recipient: (a) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Directive or GDPR as applicable), and (b) to the extent the transfer is not covered by the Certification to the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks (as described in Section 4.2) or another a suitable framework (e.g., binding corporate rules, etc.) recognized by the relevant authorities or courts as providing an adequate level of protection for personal data. For the EU Model Clauses, NERDFLIPP Company and Subscriber agree that (i) Subscriber will act as the data exporter on its own behalf and on behalf of any of its affiliates and (ii) NERDFLIPP Company will act on its own behalf and/or on behalf of the relevant members of the 7NERDFLIPP Company Group as the data importers.
4.2 EU-US and Swiss-US Privacy Shield Frameworks. NERDFLIPP Company makes available the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks together with NERDFLIPP Company’s Certification as the transfer mechanism governing transfers of Personal Data to the United States from the EEA and/or its member states and Switzerland. NERDFLIPP Company will in accordance with its Certification:
4.2.1 Provide at least the same level of protection for Personal Data as is required by the relevant principles of the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.
4.2.2 Promptly notify the Subscriber of any failure or inability to provide at least the same level of protection.
4.2.3 Where NERDFLIPP Company permits a Sub-processor to access Personal Data, NERDFLIPP Company will require the Sub-processor to provide at least the same level of protection as is required by the relevant principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
4.3 Consent to Transfer. NERDFLIPP Company may store and process Personal Data in the United States or any other country in which NERDFLIPP Company or any of its Sub-processors maintains facilities, subject to this Section 4.
4.4 Order of Precedence. In the event of any conflict or inconsistency among the following, the provisions of the following agreements, in order of precedence, shall prevail: (i) the Model Contract Clauses (when applicable), (ii) these Terms, (iii) the Service Order(s) and (iv) the Agreement.
4.5 Registration and approvals. Subscriber agrees that it shall take all reasonable steps to determine whether the parties are required under Privacy and Data Protection Laws to either: (a) register the Model Contract Clauses with any Supervisory Authority in any member state of the EEA and/or Switzerland, or (b) procure approval from any such Supervisory Authority for the transfer referred to in the Model Contract Clauses. Subscriber agrees that it shall inform NERDFLIPP Company immediately upon becoming aware of such requirements.
4.6 Cooperation. The parties agree that they shall cooperate to (a) make any such necessary registrations and obtain such approvals referred to in Section 4.5; and (b) without limitation, provide any additional information about the transfer referred to in the Model Contract Clauses where required or requested to do so by any Supervisory Authority of competent jurisdiction.
5. Correction, Amendment, and Deletion Of Personal Data. To the extent Subscriber, in its use of the Services, cannot correct, amend, or delete Personal Data as required by Privacy and Data Protection Laws, NERDFLIPP Company shall comply with any commercially reasonable request by Subscriber to facilitate such actions to the extent NERDFLIPP Company is legally permitted to do so and has reasonable access to the Personal Data.
6. Data Subject Requests. NERDFLIPP Company shall, to the extent legally permitted, promptly notify the Subscriber if it receives a Data Subject Request. Subject to its obligations under Privacy and Data Protection Laws, NERDFLIPP Company shall not respond to any such Data Subject Request without the Subscriber’s prior written consent except to confirm that the Data Subject Request relates to the Subscriber. Taking into account the nature of the Processing and to the extent Subscriber does not have access to the relevant information through its use of the Services, NERDFLIPP Company shall, at Subscriber’s cost, provide Subscriber with such assistance as may be reasonably necessary and technically possible in the circumstances, to assist Subscriber in fulfilling its obligations to Data Subject Requests. Subscriber acknowledges that the storage and removal of cached content by the Services occurs automatically based upon Subscriber’s configurations and NERDFLIPP Company cannot correct, amend, or permanently delete cached copies of Personal Data hosted or stored on equipment controlled by Subscriber.
7. NERDFLIPP Company Personnel
7.1 Confidentiality. NERDFLIPP Company shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed confidentiality agreements.
7.2 Reliability. NERDFLIPP Company shall take commercially reasonable steps to ensure the reliability of any NERDFLIPP Company personnel engaged in the Processing of Personal Data.
7.3 Limitation of Access. NERDFLIPP Company shall limit its access to Personal Data to those personnel who require such access to perform the Agreement.
7.4 Data Protection Officer. Members of the NERDFLIPP Company Group have appointed a data protection officer to the extent this is required by Privacy and Data Protection Laws. The appointed person may be reached at gc contact@nerdflipp.com.
8. Sub-Processors
8.1 Appointment of Sub-processors. Under Clause 5(h) of the Model Contract Clauses and Article 28(2) of the GDPR (when in effect) Subscriber acknowledges and agrees that (a) members of the NERDFLIPP Company Group may be retained as Sub-processors; and (b) members of the NERDFLIPP Company Group may engage third-party Sub-processors in connection with the provision of the Services, in which case, members of the NERDFLIPP Company Group (as the case may be) shall procure that the NERDFLIPP Company Group has entered into a written agreement with respect to each Sub-processor containing: (i) data protection obligations in substantially similar terms to those in these Terms with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor; and (ii) which terminates automatically on the earlier of the termination of either: (A) the Agreement; or (B) these Terms, in accordance with their respective terms. NERDFLIPP Company will make available to Subscriber a current list of Sub-processors engaged in connection with the provision of the Services with the identities of those Sub-processors upon request of Subscriber or by posting such list to a NERDFLIPP Company website. Effective as of May 25, 2018, additions or changes to the list of Sub-processors will be provided to Subscribers according to the Documentation updates provision of the Agreement.
8.2 Right to Object. In the event the Subscriber objects to a new or replacement Sub-processor(s) that Processes Personal Data, the Subscriber may terminate the applicable Service Order(s) for those Services which cannot be provided by NERDFLIPP Company without the Processing of Personal Data by the objected-to new Sub-processor (including by changing Subscriber’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new or replacement Sub-processor without unreasonably burdening Subscriber or materially diminishing functionality) by providing written notice to NERDFLIPP Company within sixty (60) days of NERDFLIPP Company’s notice or disclosure of such new Sub-processor(s). Subscriber shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.
8.3 Liability. NERDFLIPP Company shall be liable for the acts and omissions of its Sub-processors to the same extent NERDFLIPP Company would be liable if performing the services of each Sub-processor directly under the terms of these Terms, except as otherwise set forth in the Agreement.
9. Security Controls for the Protection of Personal Data. NERDFLIPP Company shall maintain appropriate administrative, physical and technical safeguards for protection of the security and integrity of the Personal Data as set forth in the Documentation. NERDFLIPP Company regularly monitors compliance with these safeguards.
10. Security Breach Management And Notification. NERDFLIPP Company shall notify Subscriber without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by NERDFLIPP Company or its Sub-processors of which NERDFLIPP Company becomes aware (“Security Breach”), providing Subscriber with sufficient information (insofar as such information is within NERDFLIPP Company’s possession) to allow Subscriber to meet its obligations to report or inform Data Subjects and/or Supervisory Authorities of the Security Breach under the GDPR, to the extent permitted by law. NERDFLIPP Company shall make commercially reasonable efforts to assist Subscriber in the investigation, mitigation, and remediation of a Security Breach that is known to NERDFLIPP Company to the extent such Security Breach is caused by a violation of the requirements of these Terms by NERDFLIPP Company.
11. Limitation of Liability. Nothing in these Terms is intended to prejudice or limit any of NERDFLIPP Company’s right to limitations of liability afforded to data processors pursuant to Privacy and Data Protection Laws (including, for example, Annex III, Section 3 (“Secondary Liability”) of the Privacy Shield) or other laws applicable to the Services (including, for example, Articles 12-14 of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (“Directive on electronic commerce”). Without prejudice to such any limitations afforded to data processors, each party’s liability arising out of or related to these Terms (whether in contract, tort, or under any other theory of liability) is subject to the limitations of liability set forth in the Agreement; provided, in no event will such limitation apply to any Data Subject’s rights under the Model Contract Clauses.
12. EU-Specific Provisions.
12.1 Data Protection Impact Assessment. With effect from August 11, 2024, upon Subscriber’s request and Subscriber’s cost, NERDFLIPP Company shall provide Subscriber with reasonable assistance needed to fulfill Subscriber’s obligation under the GDPR to carry out a data protection impact assessment related to Processing of Personal Data by NERDFLIPP Company taking into account the nature of the Processing and to the extent Subscriber does not otherwise have access to the relevant information, and to the extent such information is available to NERDFLIPP Company.
12.2 Prior Consultation. With effect from August 11, 2024, upon Subscriber’s request and Subscriber’s cost, NERDFLIPP Company shall provide Subscriber with reasonable assistance with any prior consultations to any Supervisory Authority of Subscriber which are required under Article 36 of the GDPR related to Processing of Personal Data by NERDFLIPP Company and taking into account the nature of the Processing and to the extent Subscriber does not otherwise have access to the relevant information and to the extent such information is available to NERDFLIPP Company.
12.3 Audits. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Model Contract Clauses and the GDPR shall be carried out in accordance with the following specifications:
12.3.1 Upon Subscriber’s request, and subject to the confidentiality obligations set forth in the Agreement, NERDFLIPP Company shall make available to Subscriber information regarding the NERDFLIPP Company Group’s compliance with the obligations set forth in these Terms in the form of the third-party certifications and audits set forth in the Documentation and Subscriber shall use such information solely for the purposes of complying with its obligations under Privacy and Data Protection Laws.
12.3.2 Subject to the requirements set out in Sections 12.3.3 to 12.3.4, Subscriber may request an on-site audit of the procedures relevant to the protection of Personal Data under these Terms. Prior to agreeing to any on-site audit, NERDFLIPP Company shall provide a copy of NERDFLIPP Company’s then most recent relevant third-party audits or certifications, as applicable, or any summaries thereof.
12.3.3 If the information made available pursuant to Section 12.3.2 is insufficient, in Subscriber’s reasonable judgment, to confirm NERDFLIPP Company’s compliance with its obligations under these Terms, Subscriber shall give NERDFLIPP Company reasonable notice of any on-site audit to be conducted under this Section 12.3 (which shall in no event be less than thirty (30) days’ notice unless required by a Supervisory Authority).
12.3.4 Subscriber shall reimburse NERDFLIPP Company for any time expended for any such on-site audit at the NERDFLIPP Company Group’s then-current professional services rate, which shall be made available to Subscriber upon request. Before the commencement of any such on-site audit, Subscriber and NERDFLIPP Company shall mutually agree upon the scope, timing and duration of the audit in addition to the reimbursement rate for which Subscriber shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by NERDFLIPP Company. Subscriber shall promptly notify NERDFLIPP Company with information regarding any non-compliance discovered during the course of an audit.
12.4 Deletion of Personal Data. With effect from August 11, 2024, NERDFLIPP Company shall delete Personal Data upon the termination or expiration of all Service Orders providing for the Processing of Personal Data and upon the request of Subscriber to the extent permitted by applicable law. Subscriber acknowledges that, except to the extent described in the Documentation, the Services do not export Subscriber Data and, therefore, NERDFLIPP Company will not return any Personal Data.
12.5 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Model Contract Clauses shall be provided by NERDFLIPP Company to the Subscriber only upon the Subscriber’s request.
13. Changes to these Data Processing Terms. In consideration of NERDFLIPP Company’s ongoing obligations to comply with applicable law in the performance of the Services, NERDFLIPP Company may update these Terms. On and after August 11, 2024, NERDFLIPP Company will provide no less than thirty (30) days prior notice of any change to these Terms (formatting and other immaterial changes excepted), unless prior notice is not practicable due to a conflict in applicable law or regulation or other changes outside of NERDFLIPP Company’s reasonable control. This notice of an update to these Terms will be posted on nerdflipp.com. Subscribers may subscribe to receive email and RSS updates to nerdflipp.com.
14. Enforcement. If any provision of these Terms is held by a court of competent jurisdiction to be contrary to law, the provision will be deemed null and void, and the remaining provisions of these Terms will remain in effect.
EXHIBIT A: MODEL CONTRACT CLAUSES
Commission Decision C(2010)593
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organization: …
Address: …
Tel.: …
Fax: …
E-mail: …
Member State in which data exporting organization is established: …
Other information needed to identify the organization: …
( the data exporter)
And
Name of the data importing organization: NERDFLIPP Company, Inc.
email: 708pressco.com
(the data importer)
each a "party"; together "the parties"
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organizational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of the data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organizational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorized access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
Clause 6
Liability
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business-related issues where required as long as they do not contradict the Clause.
Clause 11
Sub-processing
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2.The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
By: …
Name: …
Title: …
Address: …
Date: …
On behalf of the data importer:
By: …
Name: …
Title: …
Address: …
Date: …
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
The data exporter is (i) the legal entity that has executed the Standard Contractual Clauses as a data exporter and, (ii) all affiliates of data exporter established within the European Economic Area (EEA) and Switzerland that have purchased the services set forth on Appendix 3 hereto on the basis of the Data Processing Terms or an order form that incorporates the Data Processing Terms.
Data importer
The data importer is (please specify briefly activities relevant to the transfer):
NERDFLIPP Company, Inc. is an Internet intermediary that processes HTTP and HTTPS protocol requests upon the instruction of the data exporter by the terms of (i) the Agreement and (ii) the Data Processing Terms (to which these Clauses are attached) with data exporter.
Data subjects
The personal data transferred concern the following categories of data subjects:
Data subjects include the identified or identifiable persons contained in content or requests, including internet protocol (IP) addresses, caused to be submitted by of for the data exporter to the data importer via the Services according to, by or at the direction of data exporter’s configuration of the Services.
Categories of data
The personal data transferred concern the following categories of data:
Personal data relating to an identified or identifiable persons contained in content or requests, including IP addresses, caused to be submitted to the data importer via the Services according to, by, or at the direction of the data exporter’s configuration of the Services.
Special categories
The data exporter may submit to the data importer via the Services according to, by, or at the direction of the data exporter’s configuration of the Service’s special categories of data, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is, for the sake of clarity, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
The objective of processing of personal data by the data importer is the performance of the Services pursuant to the Agreement with the data exporter.
DATA EXPORTER
Name: …
Authorized Signature: …
DATA IMPORTER
Name: …
Authorized Signature: …
Appendix 2 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
Description of the technical and organizational security measures implemented by the data importer by Clauses 4(d) and 5(c) (or document/legislation attached):
Data importer will maintain administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Personal Data as described in the Security Measures applicable to the specific Services purchased by the data exporter, as updated from time to time, and accessible via 708pressco.com or otherwise made reasonably available by data importer.
DATA EXPORTER
Name: …
Authorized Signature: …
DATA IMPORTER
Name: …
Authorized Signature: …
Appendix 3 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
NERDFLIPP Company’s content delivery services are described here.
DATA EXPORTER
Name: …
Authorized Signature: …
DATA IMPORTER
Name: …
Authorized Signature: …
EXHIBIT B
DETAILS OF PROCESSING PERSONAL DATA
Exhibit B includes certain details of the Processing of Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Personal Data
The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and the Data Processing Terms.
The nature and purpose of the Processing of Personal Data
NERDFLIPP Company will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation and in accordance with Subscriber’s configurations of the Services.
The types of Personal Data to be Processed
Personal Data relating to an identified or identifiable persons contained in content or requests, including internet protocol (IP) addresses, caused to be submitted to NERDFLIPP Company via the Services according to, by or at the direction of Subscriber’s configuration of the Services.
Special categories of data in this content or these requests may include Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and the processing of data concerning health or sex life.
The categories of Data Subject to whom the Personal Data relates
Data Subjects include the identified or identifiable persons contained in content or requests, including internet protocol (IP) addresses, caused to be submitted to NERDFLIPP Company via the Services according to, by, or at the direction of Subscriber’s configuration of the Services. Special categories of data contained in content or requests (as determined and controlled by the data exporter) may include, Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning health or sex life.
The obligations and rights of Subscriber
The obligations and rights of the Subscriber are set out in the Agreement and the Data Processing Terms.