This Divot Assets Data Processing Addendum (“DPA”) reflects the parties’ agreement with respect to the processing of personal data in connection with the applicable Divot Assets offering(s). This DPA supplements our agreements with our customers and sets forth the obligations of both Divot Assets and our customers with respect to applicable data protection laws and regulations.
Divot Assets DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) applies to Divot Assets Processing of Personal Data as a Processor on behalf of Customer as part of Divot Assets provision of Software, Services, or Software-as-a-Service (“Services”) to Customer. This DPA forms part of the Terms of Service or other written or electronic agreement (“Agreement”) between Divot Assets and Customer for the purchase of Services to reflect the parties’ agreement with regard to the Processing of Personal Data.
In the course of providing products and/or services to Customer pursuant to this DPA, Divot Assets may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
The terms of this DPA will be effective and replace any previously applicable data processing terms as of the date of execution.
Introduction
- Customer is a Controller of certain Personal Data and wishes to appoint Divot Assets as a Processor to Process this Personal Data on its behalf.
- The parties are entering into this DPA to ensure that Divot Assets conducts such data Processing in accordance with Customer’s instructions and Applicable Data Protection Law requirements, and with full respect for the fundamental data protection rights of the Data Subjects whose Personal Data will be Processed.
Definitions
In this DPA, the following terms shall have the following meanings:
“Controller“, “Processor“, “Data Subject“, “Personal Data” and “Processing” (and “Process“) shall have the meanings given in Applicable Data Protection Law. The term “Personal Data” shall be deemed to include concepts of “Personal information” or “Personally Identifiable Information” if and as those terms may be defined under Applicable Data Protection Law.
“Applicable Data Protection Law” shall mean all worldwide data protection and privacy laws and regulations applicable to the personal data in question, including, where applicable, EU/UK Data Protection Law.
“EU/UK Data Protection Law” shall mean: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR“); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR“); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.
“Restricted Transfer” shall mean: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
“Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs“); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs“).
“UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the Information Commissioner’s Office under s119A of the UK Data Protection Act 2018.
Data Processing
- Relationship of the Parties. Customer (the Controller) appoints Divot Assets as a Processor to Process the Personal Data that is the subject matter of the Agreement. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
- Purpose Limitation. Divot Assets shall Process the Personal Data as a Processor only as necessary to perform its obligations under the Agreement, and strictly in accordance with the documented instructions of Customer (the “Permitted Purpose“), except where otherwise required or allowed by Applicable Data Protection Law applicable to Divot Assets. In no event shall Divot Assets Process the Personal Data for its own purposes or those of any third party except as set forth in the Agreement. Other than as otherwise agreed upon by the parties in the Agreement or as otherwise permitted under Applicable Data Protection Law, Divot Assets shall not (i) sell the Personal Data, or (ii) retain, use or disclose the Personal Data for any commercial purpose.
- Confidentiality of Processing. Divot Assets shall ensure that any person that it authorizes to Process the Personal Data (including Divot Assets staff, agents and subcontractors) (an “Authorized Person“) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality. Divot Assets shall ensure that all Authorized Persons Process the Personal Data only as necessary for the Permitted Purpose.
- Security. Divot Assets shall implement appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data (a “Security Incident“).
- Deletion or Return of Data. After termination or expiration of the Agreement, or upon Customer’s request, Divot Assets shall destroy or return to Customer all Personal Data (including all copies of the Personal Data) in its possession or control. This requirement shall not apply to the extent that Divot Assets is required by any EU (or any EU Member State) law to retain some or all of the Personal Data, in which event Divot Assets shall isolate and protect the Personal Data from any further Processing except to the extent required by such law.