Data Protection Addendum
Last updated: May 24,2018
This Data ProtectionAddendum, henceforth referred to as the “Addendum”, is entered into by andbetween Jason Portnoy and/or JPORT Media., henceforth referred to as“www.jportnoy.com”, and the customer agreeing to this Addendum, henceforthreferred to as the “Customer”.
This Addendum will beeffective from the Addendum Effective Date (as defined below) and replace anypreviously applicable data protection addendum.
If you are acceptingthis Addendum on behalf of Customer/Affiliate, you represent and warrant that:
- You have readand understood this Addendum
- You have fulllegal authority to bind yourself, or the applicable entity, to these Terms
- You agree, on behalf of the party yourepresent, to this Addendum.
If you do not have thelegal authority to bind Customer, please do not “Sign/Accept/Opt IN”.
This Addendum sets out termsthat will apply to www.jportnoy.com processing of Customer’s Personal Data under the PrivacyPolicy Agreement executed by www.jportnoy.com and Customer.
Terms Defined by the General Data ProtectionRegulation (GDPR):
- “AddendumEffective Date” is defined as the date on which Customer clicked to accept oropt-in to this Addendum.
- “AdequateCountry” is defined as a country which is deemed adequate by the European Commissionunder Article 25(6) of Directive 95/46/EC or Article 45 of GDPR.
- “Data Subject”is defined as the identified or identifiable person who is the subject ofPersonal Data.
- “Personal Data”is defined as any information included in the Customer Data relating to anidentified or identifiable natural person; an identifiable person is one whocan be identified, directly or indirectly, in particular by reference to anidentification number or to one or more factors specific to his physical,physiological, mental, economic, cultural, or social identity.
- “Processing” isdefined by the applicable EU Data Protection Law and “process”, “processes” and“processed” will be interpreted accordingly.
- “DataController” is defined as the party that determines the purposes and means ofthe Processing of Personal Data.
- “DataProcessor” is defined as the party that Processes Personal Data on behalf of,or under the instruction of, the Data Controller.
- “Data TransferMechanism” is defined as an alternative data export solution for the lawfultransfer of Customer Data (as recognized under EU Data Protection Law) outsidethe EEA.
- “DataProtection Laws” are defined with respect to a party, all privacy, data protection,information security-related, and other laws and regulations applicable to suchparty, including, where applicable, EU Data Protection Law.
- “DataProtection Authority” is defined as the competent body in the jurisdictioncharged with enforcement of applicable Data Protection Law.
- “EEA” means theEuropean Economic Area, United Kingdom, and Switzerland.
- “EU DataProtection Law” means
○ Prior to 25thMay 2018, European Union Directive 95/46/EC; and
○ On and after25th May 2018, European Union Regulation 2016/679 (“GDPR”)
- References to“written instructions” and related terms mean Data Controller’s instructionsfor Processing of Customer Data, which consist of
○ The terms ofthe Agreement and this Addendum,
○ Processingenabled by Data Controller through the Service, and
○ Otherreasonable written instructions of Data Controller consistent with the terms ofthe Agreement.
- “ModelContracts” are defined as the Standard Contractual Clauses for Processors asapproved by the European Commission under Decision 2010/87/EU in the form madeaccessible in the www.jportnoy.com Workspace.
- “SecurityIncident” is defined as any unauthorized or unlawful confirmed breach ofsecurity that leads to the accidental or unlawful destruction, loss,alteration, unauthorized disclosure of, or access to Personal Data in DataProcessor’s control.
- “Subprocessor”is defined as any Third Party engaged by Data Processor or its affiliates toprocess any Customer Data pursuant to the Agreement or this Addendum.
- “Third Party”shall mean any natural or legal person, public authority, agency, or any otherbody other than the Data Subject, Data Controller, Data Processor,Subprocessors, or other persons who, under the direct authority of the Data Controlleror Data Processor, are authorized to Process the data.
- Other capitalized terms not defined herein havethe meanings given in the Agreement.
Terms Defined by www.jportnoy.com with Respectto GDPR:
- “Data Subjects”are defined to include the individuals about whom data is provided towww.jportnoy.com via the Services by (or at the direction of) the Customer.
- “Details ofProcessing Subject Matter” is defined as the subject matter of the dataprocessing under this Addendum is the Customer Data.
- “Duration ofthe Processing” is defined as the duration of the data processing under thisAddendum is until the termination of the Agreement plus the period from theexpiry of the Agreement until deletion of all Customer Data by www.jportnoy.comin accordance with the terms of the Addendum.
- “Nature andPurpose of the Processing” is defined as the purpose of the Processing underthis Addendum is the provision of the Service to Customer and the performanceof www.jportnoy.com's obligations under the Agreement (including this Addendum)or as otherwise agreed by the parties.
- “Categories ofData” is defined as data relating to individuals provided to www.jportnoy.comwhen Customers sign up, login, use the product, interact with the website, andinteract with the ads.
- “Security Measures” are defined as the measuresthat www.jportnoy.com agrees to use. They are commercially reasonable technicaland organizational measures designed to prevent unauthorized access, use,alteration, or disclosure of the Service or Customer Data.
- This Addendumforms part of the Agreement and except as expressly set forth in this Addendum,the Agreement remains unchanged and in full force and effect. If there is anyconflict between this Addendum and the Agreement, this Addendum shall prevailto the extent of that conflict in connection with the Processing of Customer’sPersonal Data.
- All activitiesunder this Addendum (including without limitation Processing of Customer Data)remain subject to the applicable limitations of liability set forth in theAgreement.
- This Addendumwill be governed by and construed in accordance with governing law andjurisdiction provisions in the Agreement, unless required otherwise byapplicable Data Protection Laws.
- This Addendum and Model Contracts willautomatically terminate upon expiration or termination of the Agreement.
4. SCOPE AND APPLICABILITY OF THIS ADDENDUM:
- This regulationapplies to the processing of the personal data in the context of the activitiesof the establishment of a Controller or a Processor in the EU.
- This Addendumapplies where and to the extent that www.jportnoy.com processes Customer Datathat originates from the EEA or that is otherwise subject to EU Data ProtectionLaw on behalf of Customer in the course of providing the Service pursuant tothe Agreement.
- This Addendum applies where and to the extentthat www.jportnoy.com processes Customer Data that originates from the EEA orthat is otherwise subject to EU Data Protection Law on behalf of Customer inthe course of providing the Service pursuant to the Agreement.
5. ROLE AND SCOPE OF THE PROCESSING:
- Customer willact as the Data Controller and www.jportnoy.com will act as the Data Processorunder this Addendum. Both Customer and www.jportnoy.com shall be subject toapplicable Data Protection Laws in the carrying out of their responsibilitiesas set forth in this Addendum.
- Customerretains all ownership rights in the Customer Data, as set forth in theAgreement. Except as expressly authorized by Customer in writing or asinstructed by Customer, www.jportnoy.com shall have no right directly orindirectly to sell, rent, lease, combine, display, perform, modify, transfer,or disclose the Customer Data or any derivative work thereof. www.jportnoy.comshall act only in accordance with Customer's instructions regarding theProcessing of the Customer Data except to the extent prohibited by applicableData Protection Laws.
- Additionalinstructions not consistent with the scope of the Agreement require priorwritten agreement of the parties, including agreement on any additional feespayable by Customer.
- Notwithstandingthe above, Customer acknowledges that www.jportnoy.com shall have a right touse Aggregated Anonymous Data as detailed in the Agreement Section 4.4.
- www.jportnoy.comshall not disclose the Customer Data to any Third Party in any circumstancesother than in compliance with Customer’s instructions or in compliance with alegal obligation to disclose. www.jportnoy.com shall inform Customer in writingprior to making any such legally required disclosure, to the extent permittedby Data Protection Laws.
- For clarity, nothing in this Addendum limitswww.jportnoy.com from transmitting Customer Data (including without limitationPersonal Data) as instructed by Customer through the Service.
- www.jportnoy.com’sobligations under this Addendum shall apply to www.jportnoy.com’s employees,agents and Subprocessors who may have access to the Personal Data.
- Customer agreesthat www.jportnoy.com is authorized to use Subprocessors (including withoutlimitation cloud infrastructure providers) to Process the Personal Data,provided that www.jportnoy.com:
○ Enters into awritten agreement with any Subprocessor, imposing data protection obligationssubstantially similar to this Addendum; and
○ Remains liablefor compliance with the obligations of this Addendum and for any acts oromissions of the Subprocessor that cause www.jportnoy.com to breach any of itsobligations under this Addendum.
- Information about Subprocessors, includingtheir functions and locations, is available on request and may be updated bywww.jportnoy.comfrom time to time in accordance with this Addendum.
- www.jportnoy.comshall implement and maintain appropriate technical and organizational securitymeasures to protect Personal Data from Security Incidents and to preserve thesecurity and confidentiality of the Personal Data, in accordance withwww.jportnoy.com's security standards.
- Customer isresponsible for reviewing the information made available by wwww.jportnoy.comrelating to data security and making an independent determination as to whetherthe Service meets the Customer’s requirements and legal obligations under DataProtection Laws. Customer acknowledges that the Security Measures are subjectto technical progress and that www.jportnoy.com may update or modify theSecurity Measures from time to time provided that such updates andmodifications do not result in the degradation of the overall security of theService purchased by Customer.
- www.jportnoy.com shall ensure that any personwho is authorized by Customer to process Personal Data (including its staff,agents and Subprocessors) shall be under an appropriate contractual orstatutory obligation of confidentiality.
8. ONWARD TRANSFER:
- www.jportnoy.commay, subject to complying with this Section 8, store and process Customer Dataanywhere in the world where www.jportnoy.com, its affiliates or Subprocessorsmaintain data processing operations.
- To the extentthat www.jportnoy.com processes any Personal Data protected by GDPR and/ororiginating from the EEA in the United States or another country outside theEEA that is not designated as an Adequate Country, then the parties shall signthe Model Contracts.
- The partiesagree that www.jportnoy.com is the “data importer” and Customer is the “dataexporter” under the Model Contracts (notwithstanding that Customer may be anentity located outside of the EEA).
- The parties agree that the data export solutionidentified in Section 8.B shall not apply if and to the extent thatwww.jportnoy.com adopts an Alternative Transfer Mechanism. In which event, theAlternative Transfer Mechanism shall apply instead (but only to the extent suchAlternative Transfer Mechanism extends to the territories to which PersonalData is transferred).
9. REGULATORY COMPLIANCE:
- At Customer’srequest and expense, www.jportnoy.com shall reasonably assist Customer asnecessary to meet its obligations to regulatory authorities, including DataProtection Authorities.
- www.jportnoy.com shall (at Customer's expense)reasonably assist Customer to respond to requests from individuals in relationto their rights of data access, rectification, erasure, restriction,portability and objection. In the event that any such request is made directlyto www.jportnoy.com, www.jportnoy.com shall not respond to such communicationdirectly without Customer's prior authorization unless required by DataProtection Laws.
10. REVIEWS OF DATA PROCESSING:
- At Customer’srequest, www.jportnoy.com shall provide Customer with written responses to allreasonable requests for information made by Customer relevant to the Processingof Personal Data under this Addendum, including responses to security and auditquestionnaires, in each case solely to the extent necessary to confirmwww.jportnoy.com’s compliance with this Addendum.
- www.jportnoy.comwill provide such information within thirty (30) days of Customer’s writtenrequest, unless shorter notice is required by Customer’s regulatoryauthorities.
- Except asexpressly required by Data Protection Laws, any review under this Section 10will:
○ Be conducted nomore often than once per year during www.jportnoy.com’s normal business hours,in a manner so as not to interfere with standard business operations;
○ Be subject towww.jportnoy.com’s reasonable confidentiality and security constraints;
○ Be conducted atCustomer’s expense; and
○ Not extend toany information, systems or facilities of www.jportnoy.com’s other customers orits Third Party infrastructure providers.
- Any information provided by www.jportnoy.comunder this Section 10 constitutes www.jportnoy.com’s Confidential Informationunder the Agreement.
11. RETURN OF DELETION OF DATA:
- www.jportnoy.comshall, within ninety (90) days after request by Customer at the termination orexpiration of the Agreement, delete or return, at Customer's choice, all of thePersonal Data from www.jportnoy.com’s systems. Within a reasonable periodfollowing deletion, at Customer’s request, www.jportnoy.com will providewritten confirmation that www.jportnoy.com’s obligations of data deletion ordestruction have been fulfilled.
- Notwithstanding the foregoing, the Customerunderstands that www.jportnoy.com may retain Customer Data as required by DataProtection Laws, which data will remain subject to the requirements of thisAddendum.
12. ADDITIONAL SECURITY:
- Upon becomingaware of a confirmed Security Incident, www.jportnoy.com shall notify theCustomer without undue delay, in accordance with the Security Measures.Notwithstanding the foregoing, www.jportnoy.com is not required to make suchnotice to the extent prohibited by Data Protection Laws, and www.jportnoy.commay delay such notice as requested by law enforcement and/or in light of www.jportnoy.com'slegitimate needs to investigate or remediate the matter before providingnotice.
- Each notice ofa Security Incident will include:
○ The extent towhich Personal Data has been, or is reasonably believed to have been, used,accessed, acquired, or disclosed during the Security Incident;
○ A descriptionof what happened, including the date of the Security Incident and the date ofdiscovery of the Security Incident, if known;
○ The scope ofthe Security Incident, to the extent known; and
○ A descriptionof www.jportnoy.com's response to the Security Incident, including stepswww.jportnoy.com has taken to mitigate the harm caused by the Security Incident.
- www.jportnoy.com shall take reasonable measuresto mitigate the harmful effects of the Security Incident and prevent furtherunauthorized access or disclosure.
13. CHANGES TO SUBPROCESSORS:
When any newSubprocessor is engaged, www.jportnoy.com will, at least a week before the newSubprocessor processes any Customer Data, inform Customer of the engagement bysending an email or via the in-app notification.
14. FURTHER COOPERATION:
- Where and whenrequired by Data Protection Laws, www.jportnoy.com will provide the relevantData Protection Authorities with information related to www.jportnoy.com’sProcessing of Personal Data. www.jportnoy.com further agrees that it willmaintain such required registrations and where necessary renew them during theterm of this Addendum. Any changes to www.jportnoy.com’s status in this respectshall be notified to Customer immediately either via email or in-appnotifications.
- To the extent www.jportnoy.com is requiredunder Data Protection Laws, www.jportnoy.com shall (at Customer's expense)provide reasonably requested information regarding the Service or priorconsultations with Data Protection Authorities to enable Customer to carry outdata protection impact assessments.