Dated as of May 4th 2020
This Data Processing Agreement (“Agreement“) forms part of the Terms and Conditions available here (“Terms“) and is entered between Contractor (as defined therein) (the “Contractor “, “you”) And the company Mindfuture World Ltd (the “Data Processor” or “Company“, ” us” or ” we“)
(together defined as the “Parties“)
(A) The Contractor acts as a Data Controller and entrusts the Company, which is a Data Processor, personal data of the viewers/end-users.
(B) The Company wishes to subcontract certain Services, which imply the further processing of personal data, to sub-processors.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to determine their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2 “Contractor’s Personal Data” means any Personal Data entrusted to the Company by the Contractor in connection with the Terms and additional agreements concluded between the Parties;
1.1.3 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data, in this case the Contractor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “End User” means the end user of an internet connected device, for example: a visitor on advertisement or campaign web page, a user of a mobile app, a visitor to a web page, or a user of an IoT device;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data subject” means the individual to whom Personal Data relates, in this case the viewers/end users;
1.1.9 “Data transfer” means:
126.96.36.199 a transfer of Contractor’s Personal Data from the Contractor to the Company; or
188.8.131.52 an onward transfer of Contractor’s Personal Data from the Company to a sub-processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.10 “Personal Data” means any personal information, which is related to the identified or identifiable person as defined in the GDPR, Art. 4.1;
1.1.11 “Data Processor” or “Processor” means the entity, which processes Personal Data on behalf of the Data Controller, in this case the Company;
1.1.12 “Services” means the services provided by Mindfuture World Ltd via Fluuid Platform (available on the website: www.fluuid.live) that are provided in accordance with the Terms and additional agreements concluded between the Parties.
1.1.13 “Sub-processor” means any person or entity appointed by or on behalf of the Processor to process Contractor’s Personal Data for the proper performance of Services.
1.2 The terms, “Commission“, “Member State“, “Personal Data“, “Personal Data Breach“, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly
2. Processing of the Contractor’s Personal Data
2.1 Under this Agreement, Mindfuture is a Processor of Personal data entrusted by the Contractor.
2.1.1 comply with all applicable Data Protection Laws in the Processing of Contractor’s Personal Data; and
2.1.2 not Process Contractor’s Personal Data in other way than on the relevant Contractor’s documented instructions; for the avoidance of doubt, the Parties assume that the provisions of this Agreement constitute such instructions
2.2 Processor will only collect, process and/or use Personal Data on behalf and in accordance with this Agreement and Terms.
2.3 Processor shall only process the Personal Data as agreed by the
a) Processing shall be carried out in accordance with this Agreement, Terms and alternatively other written instructions provided to the Processor by the Contractor, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
b) Processing outside of the scope of this Agreement, will require prior written amendment to the Agreement concluded between Contractor and the Processor and the Contractor’s additional instructions for processing;
c) Processor will not comply with the Contractor’s instructions whether we see that this might violate applicable laws; then we will immediately inform the Contractor if, in our opinion, and instruction infringes the GDPR or applicable Member State data protection provisions.
2.4 Mindfuture uses the Personal Data in order to provide the Services to the Contractor, in accordance with the Terms.
2.5 Processor processes Personal Data on your behalf in order to prevent fraud, bot detection, analytics, viewability as well as testing, development and operation of the Services.
2.6 Processor may process the following Contractor’s Personal Data: viewers/end-users’ IP address, user agent, HTTP Request Header, HTTP Request Parameters, Request Time and nickname.
2.7 The Contractor shall not provide the Processor with any data which is not necessary to use the Services, which falls in the special categories of Personal Data as defined in the GDPR, Art. 9 and Art.10.
3. Processor’s Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to the Contractor’s Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Terms, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory
obligations of confidentiality.
4. Security and rights of Data Subjects
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor in relation to the Contractor’s Personal Data implemented appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32 of the GDPR.
4.2 In assessing the appropriate level of security, Processor shall take into account the risks that are connected with the Processing, in particular in relation to Personal Data Breach.
4.3 The Processor shall not respond to any requests from Data Subjects without the Contractor’s prior consent. However any requests from a Data Subject to access, correct or delete Data Subject’s Personal Data shall be transferred to the Contractor.
5.1 Processor may appoint Sub-Processors in order to perform the Services for the Contractor.
5.2 Contractor agrees that the Company will use the following Sub- Processors for the purpose of providing its services:
a) Amazon Web Services – which provides cloud hosting services and it is a participant of the Privacy Shield Framework; Privacy Shield Framework Principles issued by the U.S. Departure of Commerce, located at https://privacyshield.gov (transborder data processing legal basis);
b) Datadog Inc. – which provides analytical services and it is a participant of the Privacy Shield Framework; Privacy Shield Framework Principles issued by the U.S. Departure of Commerce, located at https://privacyshield.gov (transborder data processing legal basis);
c) Slack Technologies, Inc. – which provides internal company communication services and it is a participant of the Privacy Shield Framework; Privacy Shield Framework Principles issued by the U.S. Departure of Commerce, located at https://privacyshield.gov (transborder data processing legal basis);
d) Sentry (Functional Software, Inc) – which provides error and application monitoring services and it is a participant of the Privacy Shield Framework; Privacy Shield Framework Principles issued by the U.S. Departure of Commerce, located at https://privacyshield.gov (transborder data processing legal basis)
d) Codewise Gaming Spółka z ograniczoną odpowiedzialnością – which provides database support, compliance, IT; the entity is based in Poland (European Union).
5.3 The processor will inform the Contractor about any intended changes concerning the addition or replacement of the sub- processors stated in point 5.2 above. The Contractor may object to any sch changes if it present justified reasons. In this case, the Company may terminate the Terms and any additional agreements with the Contractor immediately if it cannot ensure the proper provision of Services without this sub-processor.
5.4 The same data protection obligations as set out in this Agreement between the Contractor and the Company shall be imposed on the sub-processors by the Company in the data processing agreement. The provisions of that data processing agreement shall in particular provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where the Sub-processor fails to fulfil its data protection obligations, the Company shall remain fully liable to the
Contractor for the performance of the Sub-processor’s obligations.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Contractor by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Contractor’s obligations, as reasonably understood by Contractor, to respond to requests to exercise Data Subjects’ rights under the Data Protection Laws.
6.2 Processor shall:
6.2.1 promptly notify Contractor if it receives a request from a Data Subject under any Data Protection Law in respect of Contractor’s Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of Contractor or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Data Applicable Laws inform Contractor of that legal requirement before the Processor responds to the request.
7. Personal Data Breach
7.1 Processor shall notify Contractor without undue delay upon Processor becoming aware of a Personal Data Breach affecting Contractor’s Personal Data, providing Contractor with sufficient information to allow the Contractor to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall cooperate with the Contractor and take reasonable steps as are directed by Contractor to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Contractor with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Contractor reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Contractor’s Personal Data.
9. Deletion or return of Company Personal Data
9.1 Subject to this section 9 Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Contractor Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of the Contractor’s Personal Data or return it to the Contractor if the Contractor makes such a request before the Cessation Date. The Processor shall not delete copies of aforementioned Personal Data if the Union or Member State law requires its storage.
9.2 Processor shall provide written certification to Contractor that it has fully complied with this section 9 within 10 business days of the Cessation Date.
10. Audit rights
10.1 Subject to this section 10, Processor shall make available to the Contractor on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Contractor or an auditor mandated by the Contractor in relation to the Processing of the Contractor’s Personal Data by the Company.
Such an audit shall be pre-scheduled minimum 30 days in advance in writing, performed once per year. Any costs for the audit should be assumed by the Contractor. Audit result should not be disclosed to anyone and should be used solely for the purposes of the audit under the section 6 of the GDPR and will not be used for any other purposes. Sharing the results of the audit with any third party has to be prior approved by the Processor in writing, explaining the details and necessity of the disclosure, as well as provide all further necessary assistance in order to prevent such disclosure.
10.2 Information and audit rights of the Contractor only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11. Data Transfer
11.1 The Contractor hereby authorizes the Company to transfer the Contractor’s Personal Data to the Sub-Processors based outside of the European Economic Area (EEA) to the extent necessary to duly perform the Service(s), under the condition that the Sub-Processors will provide sufficient guarantees in relation to the required level of data protection, e.g. through a Privacy Shield certification according to the EU Commission Decision 2016/1250, or a subcontracting agreement based on the standard contractual clauses launched by virtue of the EU Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC or GDPR (the “Model Contract Clauses”), or based on other applicable transborder data transfer mechanisms.
12. General Terms
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to our Data Protection Officer: firstname.lastname@example.org .
12.3 Time. Contractor authorizes the Company to retain Personal Data for the period of two years from the date of its collection on Contractor’s behalf and for the purpose of serving its interests, including for fraud protection, complains, reporting services. This data may be deleted from the Company’s servers after this retention period and/or after the termination of the agreement or earlier, at your written request. If the Contractor instructs the Company to delete such data during the term of this Agreement, such data will no longer be available for the Contractor.
12.4. This Agreement is automatically supplementing the Terms concluded by the Contractor and Processor when you create your account on Fluuid Platform (available on the website: www.fluuid.live) and shall be valid till the termination of the Terms.
13. Limitation of Liability
13.1 The liability of each party under this agreement is subject to limitations set in the Terms.
13.2. The Contractor shall indemnify and hold the Company and its employees, directors, shareholders, contractors and agents harmless and against any fines, charges, damages, penalties, liabilities, expenses, etc. arising from any claims against the Processor in connection with any claims, demands, proceedings or similar which has been brought by any legal persons, supervisory authorities or Data Subjects under the Data Protection laws, which are applicable.
14. Governing Law and Jurisdiction
14.1 This Agreement is governed by the laws of England and Wales.
14.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the appropriate courts in England and Wales.