Data Processing Addendum
This Data Processing Addendum (“DPA”) supplements the Order concluded between you (“the Controller” or “the Customer”) and GetResponse S.A. or GetResponse Inc [depending on which entity you concluded an Order with] (“the Processor” or “GetResponse”).
The Customer and GetResponse entered into a GetResponse Order Form for GetResponse MAX or MAX² Service or any other written agreement, including GetResponse MAX (Enterprise) or MAX² Service Agreement (an “Order”).
1.1 The following words and phrases used in this Agreement shall have the following meanings except where the context otherwise requires:
“Confidential Information” all information relating to the Customer’s Contacts and prospective Contacts (including without limitation the Personal Data), current or projected financial or trading situations, business plans, business strategies, developments and all other information relating to the Customer’s business affairs imparted by the Customer to GetResponse during the term of this DPA.
“Controller” has the meaning under the GDPR.
“Processor” has the meaning under the GDPR.
“Data Subject” has the meaning under the GDPR.
“GDPR” the EU General Data Protection Regulation (2016/679) and laws implementing and supplementing GDPR.
“Personal Data” the personal data (as defined in the GDPR) of the Customer’s customers as set out HERE.
“Purpose” the purpose for processing Personal Data as set out HERE.
“Services” the processing of Personal Data to be carried out by GetResponse in accordance with this DPA, the scope of which is set out HERE.
1.2 This DPA is subject to the terms of an Order and is incorporated into the Order.
1.3 Except as otherwise defined herein, all capitalized terms used in this DPA shall have the meaning attributed to them in the Order and the Terms of Service constituting an integral part of the Order.
2. Subject Matter of this DPA and Processing Purposes
2.1 For the Purposes of this DPA, the Parties have agreed that the Customer is the Controller and GetResponse is the Processor of the Personal Data.
2.2 The subject matter, duration, nature and purposes of processing and the Personal Data categories and Data Subject types in respect of which GetResponse may process to fulfill the business purposes of the Order and this DPA are available at www.getresponse.com/legal/max-dpa-description-of-processing.
2.3 The scope of the Services provided by GetResponse shall be limited to providing the Customer with the service tools to be used for the Purpose of Personal Data processing.
2.4 The Services provided by GetResponse shall not impact on the scope of the Personal Data processed by the Customer under the Order and this DPA except for specifying the minimum scope of the Personal Data required for the proper use of the Services.
2.5 GetResponse shall not determine the Purposes and means of processing and shall not monitor the scope of the Personal Data processed nor the lawful bases for their processing as determined by the Customer.
3. Customer’s Obligations
3.1 The Customer shall ensure that it will provide GetResponse with such information and co-operation as GetResponse reasonably requires to carry out its services under this DPA.
3.2 The Customer shall ensure that in circumstances where it intends to carry on the activities of direct marketing it has obtained all necessary marketing consents, including consents to send and distribute commercial information by email or telephone and to use telecommunications terminal equipment and automated phone call systems for direct marketing purposes, strictly in accordance with the GDPR.
3.3 The Customer shall use the Services in accordance with the Order and ensure the security of Customer account authentication data at all times and protect this account authentication data against unauthorized access and use.
3.4 The Customer also confirms and expressly undertakes not to engage in any activity in connection with Personal Data that is in breach of the GDPR.
3.5 The Customer shall not request or instruct GetResponse to perform any act or service that amounts to an infringement of the GDPR.
4. Obligations of GetResponse
4.1 GetResponse shall process the Personal Data for the Purpose of the Service Agreement and this Agreement only, and for no other purpose.
4.2 GetResponse shall process the Personal Data only in accordance with GDPR and shall not perform its obligations under this DPA in such a way as to cause the Customer to breach any of its applicable obligations under the GDPR.
4.3 GetResponse shall only process the Personal Data on behalf of the Customer and in strict compliance with the Customer’s instructions as set out and contained in this Agreement and the Service Agreement and shall not process the Personal Data in any manner for any other purposes, save as is required by applicable law or by any regulatory body. At a justified request of the Customer, GetResponse shall make available to the Customer any further information necessary to demonstrate its compliance with the obligations laid down in Article 28 of the GDPR.
4.4 GetResponse shall ensure that all GetResponse employees:
a. are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions of the Personal Data;
b. have undertaken training on data protection and security;
c. are aware both of their personal duties and obligations under the GDPR and this DPA.
4.5. GetResponse shall implement and ensure that it has in place appropriate technical and organisational measures to protect the Personal Data against unauthorized or unlawful processing, and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction or damage to the Personal Data, having regard to the state of technological development, the costs of implementation (including, as appropriate, the measures referred to in Article 32(1) of the GDPR), and the nature, scope, context and purposes of processing the Personal Data, as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects. GetResponse may at any time change the implemented measures provided that the protection level shall not be lower than originally provided and ensured.
4.6 GetResponse shall provide all reasonable assistance to the Customer in the Customer’s response to any data subject requests, complaints or enquiries from either a data subject or from a relevant Supervising Authority.
4.7 GetResponse shall assist the Customer in complying with the obligations pursuant to Articles 32 to 36 of the GDPR in respect of the Services by providing the Customer with all necessary information and in respect of supporting the Customer in connection with any data protection impact assessment and consultation with a Supervising Authority shall do so only in so far as the Customer is unable to fulfil its obligations by other means and upon payment of the reasonable costs incurred by GetResponse.
5. Transfer of Personal Data Outside the EEA
1. In case of transfer of Personal Data under this DPA outside the European Economic Area (EEA) to third countries that ensure an adequate level of protection of Personal Data, the implementing decisions of the European Commission stating the adequate level of protection of personal data shall apply.
2. In case of transfer of Personal Data under this DPA outside the European Economic Area (EEA) to third countries that do not ensure an adequate level of protection of Personal Data within the meaning of the GDPR, the SCC shall apply to this Agreement. SCC content is available here.
3. To the extent that the Parties rely on the SCC to legalize the transfer of Personal Data outside the EEA, and this mechanism is no longer considered to provide an adequate level of protection within the meaning of the GDPR, the Parties undertake to cooperate to promptly identify and implement an appropriate alternative mechanism, that can lawfully support such a transfer.
GetResponse shall at all times implement appropriate technical and organizational measures against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage to Personal Data in accordance with the security measures listed at www.getresponse.com/legal/max-dpa-technical-measures.
7. Personal Data Breach
7.1 GetResponse will promptly and within 48 hours notify the Customer if any Personal Data is lost or destroyed or becomes damaged, corrupted or unusable.
7.2 GetResponse will promptly and within 48 hours notify the Customer if it becomes aware of any accidental, unauthorised or unlawful processing of the Personal Data or any Personal Data breach.
7.3 GetResponse will provide the Customer with a description of the nature of the Personal Data breach including the categories and approximate number of both the Data Subjects and Personal Data records concerned, the likely consequences and the measures taken to mitigate against any possible adverse effects arising from the Personal Data breach.
8.1 The Customer authorises GetResponse to engage any of the third party sub-processors listed at www.getresponse.com/legal/max-dpa-list-of-subprocessors.
8.2 In the event of any intended change to the listed sub-processors, GetResponse shall inform the Customer of such change upon 30 days’ notice via the web page indicated in section 8.1 herein and the Customer’s account.
8.3 The Customer shall have the opportunity to object to such change by emailing GetResponse within 14 days of receipt of notice of such intended change.
8.4 In the event of any objection GetResponse shall have a period of 30 days from receipt of such objection to determine its response. On the expiry of the 30 day period either Party may terminate the Order pursuant to the relevant provisions of the Order.
8.5 Engagement of sub-processors may only take place within the limits of and for the purpose of performing the Service. GetResponse hereby represents that (i) the sub-processors it has engaged meet all the requirements arising from the GDPR and from applicable data protection provisions, (ii) it has entered into Personal Data processing agreements with the sub-processors as required under Article 28(4) of the GDPR and that such agreements include provisions imposing obligations analogous to those defined in the Agreement in respect of GetResponse, and that (iii) the personal data protection standard followed by the sub-processors is at least equal to the personal data protection standard followed by GetResponse. If a sub-processor chosen by GetResponse is located in a third country within the meaning of the GDPR, GetResponse shall be obliged to ensure that the conditions set in Chapter V of the GDPR are met.
9. Data Subject requests and third party rights
9.1 GetResponse shall reasonably support the Customer, take such technical and organisational measures as may be appropriate, and promptly provide the Customer with such information as the Customer may reasonably require to enable the Customer to comply with the rights of Data Subjects under the GDPR, subject always to the Customer agreeing to pay the reasonable costs incurred by GetResponse in providing such assistance. The Customer shall be responsible for satisfying the requests of the Data Subjects and for preparing replies to such requests.
9.2 GetResponse will notify the Customer if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either Party’s compliance with the GDPR.
This DPA will remain in full force and effect so long as the Order remains in effect, unless the following provisions impose additional obligations.
11. Data return and destruction
11.1 If the Order is terminated GetResponse shall, according to Customer’s statement, delete the Personal Data or return them to the Customer. If GetResponse does not receive the statement referred to in the preceding sentence, whether in writing or by e-mail, within 5 days of the Order termination, the Customer shall be deemed to require that the entrusted Personal Data be deleted, unless GetResponse has the right to further process the Personal Data.
11.2 During the continuation of this DPA, the Customer may request a copy of the processed Personal Data but not later than 30 days after termination of the Order.
11.3 After the end of the 30-day period in 10.2 above and within 15 days thereafter the Personal Data will be encrypted and stored in back up copies only. The said 15-day period is required to delete the Personal Data completely due to specifics of the backup copies operations.
12.1 GetResponse will permit the Customer and its third party representative to audit its compliance with its Agreement obligations on conditions agreed by the Parties.
12.2 GetResponse will give the Customer all necessary assistance to conduct such audits. The audit shall be limited to and conditional on:
(a) The appointment of an independent auditor who is not in conflict with or a competitor of GetResponse;
(b) The Personal Data entrusted to GetResponse for processing under this DPA;
(c) A period of time agreed between GetResponse and the Customer;
(d) The Confidentiality of this DPA and the Personal Data processed;
(e) The Customer paying the costs of and incidental to the audit.
13.1 The Customer and GetResponse are liable for a breach of Personal Data in accordance with the scope of Personal Data entrusted to them. With regard to the limitation of liability of GetResponse from contract and tort, the Parties confirm the validity of the relevant provisions (Limitation of Liability) in the Terms of Services of GetResponse.
13.2 GetResponse shall be liable to the Customer for the acts and omissions of any sub-processor listed at www.getresponse.com/legal/max-dpa-list-of-subprocessors as if they were the acts and omissions of GetResponse.
13.3 GetResponse shall be liable for satisfying claims of Personal Data subjects in connection with any damage arising from improper processing of personal data hereunder, if the Customer demonstrates that the damage resulted solely through the fault of GetResponse or GetResponse’s sub-processors.
13.4 GetResponse shall be liable for its violation of the provisions of the Agreement or any applicable data protection legal regulations, as a result of which the Customer shall be obliged to pay compensation or any fine, only if GetResponse does not fulfill obligations which the GDPR directly imposes on data processors or if GetResponse processes the Personal Data in a manner not compliant with the Customer’s instructions.
14. Force Majeure
Neither Party shall be liable for failure to perform or delay in performing any obligation under this DPA if the failure or delay is caused by any circumstances beyond its reasonable control, including but not limited to acts of God, war, terrorism, civil commotion or industrial dispute (not extending to disputes by its own employees or sub-contractors).
15.1 The failure on the part of either Party to this DPA to exercise or enforce any rights conferred by this DPA shall not be deemed to be a waiver of any such right nor operate so as to bar the exercise or enforcement at any time.
15.2 No variation of this DPA shall be binding unless agreed to in advance by the Parties.
15.3 If any provision of this DPA is declared by any competent court or body to be illegal, invalid or unenforceable under the law of any jurisdiction, or if any enactment is passed that renders any provision of this DPA illegal, invalid or unenforceable under the law of any jurisdiction this shall not affect or impair the legality, validity or enforceability of the remaining provisions of this DPA or the Order.
16. Entire Agreement
This DPA (as amended from time to time) together with any document expressly referred to in its terms, contains the entire agreement between the Parties relating to the subject matter covered, unless otherwise stipulated in the Order. No oral explanation or oral information given by any Party shall alter the interpretation of this DPA.
17. Rights of Third Parties
Nothing in this DPA shall be construed as conferring any rights (including the right to rely on any exclusion or limitation clause contained within it) or obligations on any person or class of persons whether in existence now or at any time in the future that is not a party to this DPA.