Data Processing Addendum (DPA)
In compliance with the General Data Protection Regulation (GDPR)
Last revised on: May 23, 2018
This Data Processing Addendum (“Addendum”) applies to the Services provided pursuant to the terms and conditions (the “Terms”) to which this Addendum is attached and the Privacy Statement incorporated therein (collectively, the Terms and the Privacy Statement, the “Agreement”) between Matrix Fusions Inc. the operator of Corsizio (“Corsizio”) and the Event Organizer that agrees to the Agreement during registration on the Service (“Event Organizer”). This Addendum is hereby incorporated into and made a part of the Agreement.
1 Purpose And Application
This Addendum is the parties’ agreement with respect to the Processing by Corsizio of Personal Data under the Agreement. Except where the terms of this Addendum state otherwise, the terms of this Addendum will apply regardless of whether the GDPR or other Data Protection Laws apply to the Processing of Personal Data.
The terms of this Addendum shall be in force on the later of: (a) the date of this Addendum; or, (b) upon registration for an account with Corsizio.
Capitalized terms used but not defined in this Addendum have the meanings set out in the Agreement. In this Addendum, unless stated otherwise:
“Authorized Personnel” has the meaning given to the term in Section 4.1.2.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Event Organizer Data” has the meaning given to the term in the Agreement.
“Data Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.
“Data Protection Laws” means laws and regulations applicable to the Processing of Personal Data under the Agreement, including the Personal Information Protection and Electronic Documents Act, SC 2000, c. 5, and the GDPR to the extent applicable to such Processing.
“GDPR” means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016); and prior to 25 May 2018, the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995; and any applicable legislation adopted by any Member State of the European Union, or by the United Kingdom post its ceasing to be a Member State of the European Union.
“Personal Data” means Event Organizer Data that is information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed upon or with respect to Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
“Processor” means the natural or legal person which Processes Personal Data on behalf of the Controller.
“Restricted Transfer” means the transfer of any Personal Data to which the GDPR applies to any country or organisation, where such transfer would not be permitted by the GDPR in the absence of some legal basis permitted by the GDPR.
“Services” means the Services set out in the Terms.
“Subprocessor” means a third party who Processes Event Organizer Data on behalf of the Processor in order to provide portions of the Services.
3 Processing of Personal Data
3.1 Roles and Responsibilities
3.1.1 Where the GDPR applies to the Processing of Personal Data by Corsizio, Event Organizer is, for all purposes and with respect to all Data Protection Laws, the Controller of the Personal Data and Corsizio is the Processor of the Personal Data, except only when Event Organizer acts as a Processor of Personal Data on behalf of a third party who is the Controller of same, in which case Corsizio shall be only a Subprocessor. Where Corsizio is a Subprocessor, Event Organizer represents and warrants that it has all necessary authority of the relevant Controller to engage Corsizio as a Subprocessor. Notwithstanding anything to the contrary, in all cases, Event Organizer acknowledges, agrees and represents that Corsizio shall not be the Controller of Personal Data.
3.1.2 Corsizio shall only comply with Data Protection Laws to the extent they apply to Corsizio’s Processing of Personal Data on behalf of Event Organizer. Event Organizer shall comply with all Data Protection Laws applicable to Personal Data. For clarity, Event Organizer shall obtain all required consent from the data subjects of Personal Data for Corsizio to Process Personal Data and shall comply with all obligations under Data Protection Laws as a Controller of Personal Data and all similar obligations.
3.2 Scope of Processing
3.2.1 Event Organizer instructs Corsizio to process Personal Data: (a) to provide the Services; (b) as set out in the Agreement, including this Addendum; (c) as specified by Event Organizer’s use of the Services; and, (d) as further documented in any other of Event Organizer’s written instructions that are acknowledged by Corsizio as being instructions for the purposes of the Agreement.
3.2.2 Event Organizer’s instructions for Corsizio’s Processing of Personal Data shall comply with all Data Protection Laws. Event Organizer shall not instruct Corsizio to undertake any Restricted Transfer.
3.2.3 Notwithstanding Section 3.2.1 above, Corsizio may Process Personal Data where required by any applicable law to which Corsizio is subject, in which case Corsizio shall (to the extent permitted by law) inform Event Organizer of that legal requirement before carrying out the Processing.
3.2.4 The nature and purpose of Corsizio’s Processing of Personal Data shall be to provide the Services pursuant to the Agreement. The type of Personal Data, the categories of data subjects, and the obligations and rights of Event Organizer are set out in the Agreement, including in this Addendum.
4.1 Security Measures
4.1.1 Corsizio and Event Organizer shall, taking into account the costs of implementation, and the nature, scope, context and purposes of Processing, take appropriate technical and organizational measures to ensure a level of security for the Personal Data, within their respective possession, which is appropriate to the risks to the applicable individual data subjects that may result from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data.
4.1.2 Corsizio shall ensure that access to Personal Data within the possession of Corsizio is limited to those individuals who need access in order to meet Corsizio’s obligations under the Agreement (together the “Authorized Personnel”).
4.1.3 All Authorized Personnel are or will be trained in the handling of Personal Data, informed of the confidential nature of the Personal Data, and will be bound by appropriate confidentiality obligations when accessing it, and they will not Process Personal Data except pursuant to the instructions of Event Organizer.
4.2 Data Incident
4.2.1 On becoming aware of a Data Incident, Corsizio will: (a) notify Event Organizer of the Data Incident without undue delay; (b) make reasonable efforts to identify the cause of such Data Incident; and, (c) where the Data Incident was not caused by Event Organizer or any User, take those steps that Corsizio deems necessary and reasonable in order to remediate the cause of the Data Incident to the extent the cause of the Data Incident is in Corsizio’s reasonable control.
4.3 Event Organizer Responsibilities
4.3.1 Event Organizer is responsible for securing all logins and Users and all systems and devices that Event Organizer uses to access the Services.
5.1.1 Corsizio shall not engage Subprocessors (excluding independent contractors) without prior specific or general written authorization of Event Organizer and will require such Subprocessors to be bound by provisions substantially similar to those in this Addendum, as applicable. A list of Corsizio’s current Subprocessors is set out in Appendix A and Event Organizer hereby authorizes Corsizio to use such Subprocessors.
5.1.2 Corsizio may, at its discretion, choose to engage additional third parties as Subprocessors generally. If Corsizio chooses to engage Subprocessors generally, Corsizio will inform Event Organizer of any new Subprocessors at least 30 days prior to authorizing the Subprocessor to Process Personal Data and Event Organizer may object to the new Subprocessor by providing Corsizio written notice within 15 days of receipt of such notice. If Event Organizer objects to the new Subprocessor under this Section 5.1.2: (i) Corsizio will, in its sole discretion, provide the Services without the new Subprocessor Processing any Personal Data; or, (ii) Event Organizer may terminate the Services which require the new Subprocessor.
6.1 GDPR Audits
6.1.1 Where the Processing of Personal Data is subject to the GDPR, at Event Organizer’s sole expense, Corsizio shall make available to Event Organizer such of Corsizio’s information as is reasonably necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Event Organizer or another auditor mandated by Event Organizer.
7 Deletion and Return of Personal Data
7.1.1 At the end of the Services and at the choice of Event Organizer, Corsizio shall delete or return all the Event Organizer Data to Event Organizer, and delete all Personal Data unless prohibited by Data Protection Laws.
8 Rights of Data Subjects
8.1.1 Corsizio shall, at Event Organizer’s sole expense, fulfill data subject requests to access, rectify, and restrict processing of Personal Data in a manner consistent with Data Protection Laws, the functionality of the Services, and Corsizio’s role as a Processor.
9 Impact Assessment
9.1.1 Where the Processing of Personal Data is subject to the GDPR, at Event Organizer’s sole expense, Corsizio will provide reasonable assistance to Event Organizer in complying with its obligations to conduct privacy impact assessments and to consult with regulatory bodies in relation to any Processing of Personal Data undertaken under this Agreement.
10.1.1 Event Organizer shall fully indemnify and keep indemnified and defend at its own expense Corsizio against all liability, losses, claims, costs and reasonable expenses, including legal fees, which Corsizio may incur, or for which Corsizio may become liable to the extent arising from any Processing of Personal Data in accordance with the instructions of the Event Organizer, any Event Organizer breach of this Addendum or any Data Protection Laws, or any of Event Organizer’s acts or omissions in respect of its obligations as a Controller of Personal Data.