Data Processing Addendum
This Data Processing Addendum is an addendum to the Retailer Terms. Any terms not defined in this DPA shall have the meaning given to them in the Retailer Terms.
In this DPA, the following expressions bear the following meanings unless the context otherwise requires:
“Controller” has the meaning set out in Data Protection Laws;
“DPA” means this DPA, including any and all subsequent amendments thereto, comprising the terms and conditions in the main body of this document, together with the schedules and any documents expressly incorporated by reference;
“Data Protection Laws” means any data protection laws applicable to processing of Personal Data contemplated by this DPA including, without limitation, in particular the EU General Data Protection Regulation (“GDPR”) and subsequent legislation of a similar nature, and all privacy, security, and data protection laws and regulations of any applicable jurisdiction including any jurisdiction in which the Services are being provided and, to the extent applicable, any jurisdiction from which Bezzu or any Sub-processor provides any of the Services;
“Data Subject” means an individual about whom the Personal Data relates;
“Model Clauses” means the standard contractual clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU;
“Personal Data Breach” shall have the meaning set out in the GDPR;
“Processor”, “Processing”, “Process” and “Personal Data” shall have the meaning set out in Data Protection Laws;
“Retailer” means the legal or natural person who has signed up to use the Site as a retailer and subject to the Retailer Terms;
“Services” means the use of Bezzu’s Site by, and services provided by Bezzu to, the Retailer to advertise, promote and sell the Retailer’s Products;
“Subprocessor” means any third party (but excluding an employee or consultant of Bezzu or any of its sub-contractors) appointed by or on behalf of Bezzu to Process Personal Data on behalf of Retailer; and
“User Personal Data” means the Personal Data of Users of the Site.
Retailer and Bezzu acknowledge and agree that, in so far as Bezzu is Processing Personal Data in its provision of the Services to support the Retailer in communicating and transacting with Users, Bezzu shall be a Processor on behalf of the Retailer as Controller. This shall be without prejudice to Bezzu’s role as a Controller in:
- its management of User Personal Data in supporting, marketing and administrating the Site generally and in the normal course of business as the Site owner and operator; and
- its Processing of Personal Data of Retailer personnel, being the name, role and contact details of those persons who are authorised to transact and correspond with Bezzu on behalf of the Retailer.
The Retailer and Bezzu agree that Clauses 2 to 18 of this DPA shall apply only in so far as Bezzu is Processing Personal Data as a Processor on behalf of the Retailer as Controller.
3. Personal Data
Through its use of the Services, the Retailer decides what Personal Data to collect from Users (in addition to any information which Retailer receives from a User’s Bezzu profile for the purpose of communicating and transacting with Users who request or purchase services or Products from the Retailer) and, subject to Clause 3.2 below, how to use the information processed via the Services.
The Retailer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. Retailer shall ensure that Data Subjects and any relevant third parties have been informed of any Processing which the Retailer intends to perform as required by applicable Data Protection Laws.
4. Details of the Processing contemplated under this DPA
The subject matter of the Processing is the Processing of User Personal Data for the purpose of providing the Services.
The duration of the Processing is until such time as the Retailer’s Bezzu account is terminated.
The nature and purpose of the processing is to support the Retailer in communicating and transacting with Users on the Site by transmitting and hosting User Personal Data and disclosing it to Subprocessors and other third parties who support the Site and the Services (the current list of which is contained in Annex 1).
The type of Personal Data is contact details and financial details.
The categories of Personal Data may include: name, address, e-mail address, contact details, delivery address and (where such is processed through Bezzu’s Stripe account), any payment information used to pay for the Products.
Bezzu may provide notice of any change to this DPA where an update is required due to changes to the nature of the Services or due to applicable Data Protection Laws.
5. Permitted Processing and Disclosure of Personal Data
In so far as Bezzu is acting as a Processor of User Personal Data, Bezzu shall Process any such Personal Data held in connection with the Services only for the purposes of performing the Services and in accordance with relevant documented instructions of the Retailer (unless otherwise required to do so by an EU or EU Member State law to which Bezzu is subject; in such a case Bezzu shall inform the Retailer of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest).
6. Data Subject Rights
Taking into account the nature of the Processing, Bezzu shall assist the Retailer by implementing appropriate technical and organisational measures, insofar as this is possible, to respond to requests to exercise Data Subject rights, where applicable under the Data Protection Laws. Bezzu reserves the right to charge the Retailer any costs and expenses reasonably incurred in providing such assistance.
7. Security and Integrity of Personal Data
Bezzu agrees to take appropriate technical and organisational measures to ensure that the Personal Data Processed on behalf of Retailer will meet the requirements of Article 32 of GDPR relating to security of processing.
If Bezzu becomes aware of any Personal Data Breach, Bezzu shall, where required by Data Protection Laws, notify the Retailer without undue delay.
Bezzu agrees, where applicable, to make reasonable efforts to assist the Retailer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and the information available to Bezzu. Bezzu reserves the right to charge the Retailer any costs and expenses reasonably incurred in providing such assistance.
Bezzu will make available to the Retailer all information necessary to demonstrate compliance with the data processing obligations laid down in this DPA including by allowing for and contributing to reasonable audits to determine Bezzu’s compliance with its obligations under this DPA. These audits (of frequency of no more than once per year, except where there is reason to suspect a Personal Data Breach may have occurred) may be conducted by Retailer or auditors mandated by Retailer, subject to Retailer and its auditors (if relevant) undertaking reasonable and appropriate confidentiality obligations. Bezzu reserves the right to arrange an independent audit of its Processing operations and to make such report available to Retailers in satisfaction of its obligations hereunder.
The scope of an audit will be limited to Bezzu’s systems, processes and documentation relevant to the Processing and protection of Personal Data that is Retailer’s Data.
Bezzu shall, and shall procure that its Subprocessors shall, ensure that any persons to whom Bezzu discloses Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to the Personal Data.
10. Appointment of Subprocessors
The Retailer consents to the engagement of the Subprocessors referred to in Clause 11.4.
Bezzu agrees that any appointment of a Subprocessor shall be conditional on the Subprocessor being bound by equivalent data protection obligations as those set out under this DPA.
A list of Subprocessors, current as of January 2020, is included at Annex 1 of this DPA. In the event that Bezzu appoints any additional or replacement Subprocessors, Bezzu shall notify the Retailer of such appointment by posting an update on the Site. In the event that the Retailer objects to the appointment of any such additional or replacement Subprocessor, it accepts that its sole and exclusive remedy is the termination of its use of the Site.
Subject to the disclaimers, limitations and exclusions of liability as set out in the Retailer Terms, Bezzu shall remain liable to Retailer for Processing by such Subprocessors as if the Processing was being conducted by Bezzu.
11. Transfer of Personal Data outside European Economic Area
The Retailer agrees that Bezzu and/or its Subprocessors may transfer Personal Data processed through the Services outside the EEA from time to time. In such instances, the transfer shall take place subject to the parties entering into the Model Clauses for the transfer of Personal Data or other “appropriate safeguards” being in place for the transfer of any Personal Data outside the EEA.
12. Return of Personal Data
Subject to Clause 13, on termination or expiry of Retailer’s use of the Services, or otherwise on request by Retailer, Bezzu shall, and shall procure that its Subprocessors shall, within a reasonable timeframe:
- return all the Personal Data to Retailer; or
- destroy all the Personal Data, in a manner agreed to by Retailer;
unless a law binding on Bezzu or its Sub-processors prevents it from doing as requested.
The Retailer agrees that any copies of Personal Data that have been created pursuant to Bezzu and/or a Subprocessor’s electronic archiving and back-up procedures may be retained until such computer records and files have been deleted in the ordinary course, in each case, pursuant to the bona fide archiving, document retention, electronic archiving and back-up policies of such persons and in such instances, Bezzu shall continue to comply with its legal and contractual obligations under Data Protection Laws and this DPA.
13. Obligations independent of other provisions
The obligations contained in this DPA are without prejudice to Bezzu’s and/or Subprocessors’ other obligations under the Retailer Terms and apply notwithstanding any permitted use or disclosure of Retailer or User data under the Retailer Terms.
14. Indemnity and Liability
Retailer agrees to indemnify and keep indemnified and defend at its own expense Bezzu and its Subprocessors against all costs, losses, expenses, damages, fines, penalties, legal fees, liabilities, claims, demands, actions and settlement arising from or in connection with any failure by Retailer or its employees, contractors, or agents to comply with any of its data protection obligations under this DPA or pursuant to Data Protection Laws.
The liability of Bezzu for any breach of this DPA, whether in contract, tort, or otherwise, causing loss and/or damage to the Retailer, shall be subject to exclusion and/or limitation as set out in the Retailer Terms.
Bezzu reserves the right to transfer information (including User Personal Data) to a third party in the event of a sale, merger, liquidation, receivership or transfer of all or substantially all of the assets of Bezzu’s business, provided that the third party agrees to adhere to Bezzu’s terms relating to Personal Data and provided that the third party only uses Personal Data for the purposes for which it has been provided to Bezzu. The Retailer will be notified in the event of any such transfer.
16. Order of Precedence
With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Retailer Terms and any agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either:
- amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible;
- construed in a manner as if the invalid or unenforceable part had never been contained therein.
18. Governing Law
This DPA is governed by, and shall be construed in accordance with, the laws of Ireland. The courts of Ireland have exclusive jurisdiction to hear and decide any suit, action or proceedings, and to settle any disputes, which may arise out of or in connection with the Annex and, for these purposes, each party irrevocably submits to the exclusive jurisdiction of the courts of Ireland.
ANNEX 1: DETAILS OF SUBPROCESSORS
Amazon Web Services