Exhibit D-1 - European Data Processing Terms
- 1. Definitions. For purposes of this Exhibit D-1, the terms “controller”, “processor”, and “supervisory authority” have the meanings given in European Data Protection Laws; "EEA" means the European Economic Area as well as any country for which the European Commission has published an adequacy decision as published at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en; "Standard Contractual Clauses" means the mandatory provisions of the standard contractual clauses for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010; and “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses.
- 2. Processing of Customer Personal Data.
- 2.1 Roles and Regulatory Compliance. The parties acknowledge and agree that (a) CMX is a processor of the Customer Personal Data under European Data Protection Laws; (b) Customer is a controller of the Customer Personal Data under European Data Protection Laws; and (c) each party will comply with the obligations applicable to it in such role under European Data Protection Laws with respect to the Processing of Customer Personal Data.
- 2.2 Subject Matter and Details of Processing. The parties acknowledge and agree that: (a) the subject matter of the Processing under the Agreement is CMX’s provision of the Services; (b) the duration of the Processing is from CMX’s receipt of Customer Personal Data until deletion of all Customer Personal Data by CMX in accordance with the Agreement and this Addendum; (c) the nature and purpose of the Processing is to provide the Services; (d) the Data Subjects to whom the Processing pertains are Customer’s employees, contractors, consultants, franchisees, customers, prospective customers, business partners, and other contacts of Customer; and (e) the categories of Customer Personal Data are such categories as Customer is authorized to provide or submit under the Agreement.
- 2.3 CMX’s Compliance with Instructions. CMX will only Process Customer Personal Data in accordance with Customer’s instructions as described in this Addendum unless European Data Protection Laws require otherwise, in which case CMX will notify Customer (unless that law prohibits CMX from doing so).
- 3. Data Protection Impact Assessment and Prior Consultation. In the event that Customer considers that the Processing of Customer Personal Data requires a privacy impact assessment to be undertaken or requires assistance with any prior consultations to any supervisory authority of Customer, following written request from Customer, CMX shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, provided that CMX may charge Customer on a time and materials basis in the event that CMX considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
- 4. Relevant Records and Audit Rights. CMX shall make available to Customer on request all information reasonably necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by Customer or an auditor mandated by Customer, not being competitors of CMX ("Mandated Auditor") of any premises where the Processing of Customer Personal Data takes place in order to assess compliance with this Addendum. CMX shall provide reasonable cooperation to Customer in respect of any such audit and shall at the request of Customer, provide Customer with relevant records of compliance with its obligations under this Addendum. CMX shall promptly inform Customer if, in its opinion, a request infringes the Data Protection Laws or any other confidentiality obligations with CMX’s other Customers. Customer agrees that: (1) audits may only occur during normal business hours, and where possible only after reasonable notice to CMX (not less than 20 days' advance written notice); (2) audits will be conducted in a manner that does not have any adverse impact on CMX's normal business operations; (3) Customer or any Mandated Auditor will comply with CMX's standard safety, confidentiality, and security procedures in conducting any such audits; and (4) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any such audit will be deemed to be the Confidential Information of CMX. To the extent any such audit incurs in excess of 20 hours of CMX personnel time, CMX may charge Customer on a time and materials basis for any such excess hours.
- 5. Data Transfer.
- 5.1 Data Processing Facilities. CMX may, subject to Section 5.2 of this Addendum, Process Customer Personal Data in the United States or anywhere CMX or its Subprocessors maintains facilities. Subject to CMX’s obligations in this Section 5, Customer is responsible for ensuring that its use of the Services complies with any cross-border data transfer restrictions of European Data Protection Laws.
- 5.2 Standard Contractual Clauses. In the event that Customer transfers any Customer Personal Data to CMX in a country outside the EEA and no lawful alternative basis for such transfer applies, such transfer will be governed by the Standard Contractual Clauses, the terms of which are hereby incorporated into this Addendum. In furtherance of the foregoing, CMX and Customer agree that:
- 5.2.1 for purposes of the Standard Contractual Clauses, (a) Customer will act as the data exporter and (b) CMX will act as the data importer;
- 5.2.2 for purposes of Appendix 1 to the Standard Contractual Clauses, the categories of data subjects, data, special categories of data (if appropriate), and the processing operations shall be as set out in Section 2.2 to this Exhibit D-1;
- 5.2.3 for purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures shall be the security measures described in the Addendum;
- 5.2.4 upon data exporter’s request under the Standard Contractual Clauses, data importer will provide the copies of the subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and that data importer may remove or redact all commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent beforehand;
- 5.2.5 the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Section 4 of this Exhibit D-1;
- 5.2.6 Customer’s authorizations in Section 6 of the Addendum will constitute Customer’s prior written consent to the subcontracting by CMX of the Processing of Customer Personal Data if such consent is required under Clause 5(h) of the Standard Contractual Clauses;
- 5.2.7 certification of deletion of Customer Personal Data as described in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Customer’s request;
- 5.2.8 the Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis; and
- 5.2.9 in the event that the Standard Contractual Clauses cease to be recognized as a legitimate basis for the transfer of Personal Data to an entity located outside the EEA, the parties shall reasonably cooperate to identify and implement an alternative legitimate basis for such transfer to the extent that one is required by European Data Protection Laws.