Data Processing Addendum (DPA)
Cloud Commerce Group (“CCG”) and Customer have entered into an Order Form or other written or electronic agreement for the provision of the services agreed between the Parties (the “Services”) (as amended from time to time, the “Agreement”). The terms of this Data Processing Addendum (including the appendices, “this DPA”) supplement the Agreement. This DPA will be effective, and will replace any previously applicable terms relating to its subject matter (including any data processing amendment or data processing addendum relating to the Services), from the Addendum Effective Date.
In the course of providing the Services to Customer pursuant to the Agreement, CCG may Process Customer Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to Customer Personal Data.
1. Definitions
1.1 Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set out below:
Addendum Effective Date | means, notwithstanding the date of signature hereof, the later of (a) 12 April 2022; or (b) the Effective Date of the Agreement; |
Affiliate | means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means ownership (directly or indirectly) of more than 50% of the voting rights in the applicable entity; |
CCG Group | means CCG and its Affiliates engaged in the Processing of Customer Personal Data; |
Customer Group Member | means Customer or any Customer Affiliate; |
Contracted Processor | means CCG or a Subprocessor; |
Customer Personal Data | means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to the Agreement; |
Controller | means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data; |
Data Protection Laws | means all laws and regulations, including laws and regulations of the EU and the EEA and their respective member states, Switzerland and the UK, applicable to the Processing of Personal Data under the Agreement; |
Data Subject | means the identified or identifiable natural person to whom Personal Data relates; |
EEA | means the European Economic Area; |
EU | means the European Union; |
EU GDPR | means EU General Data Protection Regulation 2016/679; |
GDPR | means (as applicable): (a) EU GDPR; and/or (b) UK GDPR; |
Personal Data | means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
Processing | means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (and its cognate terms shall be construed accordingly); |
Processor | means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller; |
Subprocessor | means any third party appointed by CCG to Process Customer Personal Data on behalf of Customer in connection with the Agreement; |
Supervisory Authority | (a) in respect of Processing that is subject to EU GDPR, has the meaning given in EU GDPR; (b) in respect of Processing that is subject to UK GDPR, means the Information Commissioner; and (c) in respect of Processing that is subject to any other Data Protection Laws, means any public authority responsible for the supervision of Data Protection Laws in the applicable jurisdiction; |
UK | means the United Kingdom; and |
UK GDPR | means the UK GDPR as defined in Section 3(10) of the UK Data Protection Act 2018. |
1.2 The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Processing of Personal Data
2.1 Roles of the Parties. The Parties acknowledge and agree that, with regard to the Processing of Customer Personal Data, Customer is the Controller, CCG is the Processor, and CCG or members of the CCG Group will engage Subprocessors pursuant to the requirements set forth in section 5 (Subprocessors) below.
2.2 Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 CCG’s Processing of Personal Data. CCG shall treat Customer Personal Data as confidential and shall only Process Customer Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Data Subjects in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
2.4 Details of the Processing. The subject-matter of Processing of Customer Personal Data by CCG is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects Processed under this DPA are further specified in Annex 1 (Details of the Processing) to this DPA.
2.5 Instructions for Processing. Each Customer Group Member instructs CCG and each CCG Affiliate (and authorises CCG and each CCG Affiliate to instruct each Subprocessor) to: (a) Process Customer Personal Data; and (b) in particular, transfer Customer Personal Data to any country or territory, in each case as reasonably necessary for the provision of the Services and consistent with the Agreement. Customer warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instructions set out in this section on behalf of each relevant Customer Affiliate. In circumstances where additional agreements are required in order for a transfer of Customer Personal Data to any country or territory to be lawful under Data Protection Laws (including standard contractual clauses approved from time to time by the European Commission or the Information Commissioner), Customer and CCG shall co-operate reasonably to execute such additional agreements.
3. Rights of Data Subjects
3.1 Data Subject Request. CCG shall, to the extent legally permitted, promptly notify Customer if CCG receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, right to restriction of Processing, right to erasure (“right to be forgotten”), right to data portability, right to object to the Processing, or right not to be subject to automated individual decision-making (a “Data Subject Request”). Taking into account the nature of the Processing, CCG shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, in the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, CCG shall upon Customer’s request use commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent CCG is legally permitted to do so and a response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from CCG’s provision of such assistance.
4. CCG Personnel
4.1 Confidentiality. CCG shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.
4.2 Reliability. CCG shall take commercially reasonable steps to ensure the reliability of any CCG personnel engaged in the Processing of Customer Personal Data.
4.3 Limitation of Access. CCG shall ensure that CCG’s access to Customer Personal Data is limited to those personnel performing Services in accordance with the Agreement.
4.4 Data Protection Officer. To the extent required by applicable Data Protection Laws, members of the CCG Group have appointed a data protection officer.
5. Subprocessors
5.1 Appointment of Subprocessors. Each Customer Group Member authorises CCG and each CCG Affiliate to appoint (and to permit each Subprocessor appointed in accordance with this section 5 to appoint) Subprocessors in accordance with this section 5. CCG and each CCG Affiliate may continue to use those Subprocessors already engaged by CCG or any CCG Affiliate as of the date of this DPA, subject to CCG and each CCG Affiliate in each case meeting the obligations set out in this section as soon as practicable. CCG or a CCG Affiliate has entered or will enter into a written agreement with each Subprocessor containing data protection obligations substantially similar to those in this Agreement with respect to the protection of Customer Personal Data, to the extent applicable to the nature of the Services provided by such Subprocessor.
5.2 Notification of, and Right to Object to, New Subprocessors. CCG shall use reasonable endeavours to give Customer prior written notice of the appointment of any new Subprocessor, including details of the Processing to be undertaken by the Subprocessor. If, within ten (10) business days of receipt of that notice, Customer notifies CCG in writing of any objections (on reasonable grounds) to the proposed appointment, CCG shall not appoint (or disclose any Customer Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by any Customer Group Member and Customer has been provided with a reasonable written explanation of the steps taken.
6. Security
6.1 Controls for the Protection of Customer Data. CCG shall maintain appropriate technical and organizational measures designed to protect the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration, unauthorized disclosure of, or access to, Customer Personal Data), confidentiality and integrity of Customer Personal Data, as set forth in the WPP Information Security Policy. CCG regularly monitors compliance with these measures.
6.2 Audit.
6.2.1 CCG shall reasonably cooperate with Customer, in relation to any audit of CCG necessary to enable Customer to comply with its obligations under applicable Data Protection Laws and shall seek the equivalent cooperation from relevant Subprocessors. Any such audit shall be subject to the confidentiality obligations set forth in the Agreement.
6.2.2 Information and audit rights of Customer only arise under section 6.2.1 to the extent that the Agreement does not otherwise give Customer information and audit rights meeting the relevant requirements of Data Protection Laws (including, where applicable, Article 28(3)(h) of the GDPR).
6.2.3 CCG shall on request provide a Customer-appointed auditor from PwC, Deloitte, KPMG or Ernst & Young (an “Independent Auditor”) with such access, on reasonable written notice (minimum thirty (30) calendar days) and within normal working hours, to those records as may be reasonably required by Customer to exercise its rights of audit as set out in section 6.2.1. Customer accepts that certain sensitive information in relation to IT and security will be redacted before being audited and may only be audited at CCG’s premises. At Customer’s option, this audit may cover documents only or may include an onsite audit, subject to Customer notifying CCG of the identity of any onsite Independent Auditors and confirming that any Independent Auditors have entered into appropriate confidentiality agreements, as approved by CCG (such approval not to be unreasonably withheld or delayed). Customer shall use reasonable endeavours to minimise any disruption caused to CCG’s business activities as a result of such audit. No audit shall last more than five (5) business days each time unless a longer period is required to fulfil any request or comply with any requirement of any regulator. Audits shall take place no more than once in any calendar year unless and to the extent that Customer (acting reasonably and in good faith) has reasonable grounds to suspect any material breach of this DPA by CCG. Costs of the audit, including the appointment of the Independent Auditor, will be borne by Customer.
6.2.4 CCG shall be entitled to a reasonable time to review and retain a copy of any audit report prepared by the Independent Auditor, and to consult the Independent Auditor on its content, prior to the report being submitted to Customer. For the avoidance of doubt, all confidential information of CCG obtained by Customer or an Independent Auditor pursuant to any audit shall be maintained in confidence by Customer and its Independent Auditor and may not be disclosed to any third party, including, without limitation, any other agents or representatives of Customer, except to the extent necessary to assert or enforce any of Customer’s rights under this DPA or to the extent required to be disclosed by Data Protection Laws, by any Supervisory Authority or by a court or other authority of competent jurisdiction, provided that, to the extent it is legally permitted to do so, Customer gives CCG as much notice of such disclosure as possible and, where notice of disclosure is not prohibited and is given in accordance with this section, Customer takes into account the reasonable requests of CCG in relation to the content of such disclosure.
7. Customer Data Incident Management and Notification
CCG maintains security incident management policies and procedures and shall notify Customer without undue delay, and in line with the timelines required by applicable Data Protection Laws, after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise Processed by CCG or its Subprocessors which results in any actual loss or misuse of Customer Personal Data (a “Customer Data Incident”). CCG shall make reasonable efforts to identify the cause of such Customer Data Incident and take such steps as CCG deems necessary and reasonable to remediate the cause of such Customer Data Incident, to the extent the remediation is within CCG’s reasonable control. CCG shall have no liability for costs arising from a Customer Data Incident unless caused solely by a breach of CCG’s security obligations under section 6 of this DPA. In the event of a Customer Data Incident, Customer shall be responsible for notifying Data Subjects and/or Supervisory Authorities. Before any such notification is made, Customer shall consult with CCG and provide CCG an opportunity to comment on any notification made in connection with a Customer Data Incident.
8. Return and Deletion of Customer Data
CCG shall, at any time on the request of Customer, return to Customer all Personal Data of which Customer is the sole Controller and which is Processed by CCG on behalf of Customer under this Agreement, and/or at Customer’s request delete the same from its systems, so far as is reasonably practicable and other than any back-up copies which CCG or its Affiliates are required to retain for compliance with applicable laws or regulatory requirements, provided that such copies are kept confidential and secure in accordance with this Agreement.
9. Limitation of Liability
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to a breach of its obligations under this DPA (including any additional agreement entered into pursuant to this DPA), whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement. Nothing in this section 9 limits the liability of either party or its Affiliates to any Data Subject.
10. Data Protection Impact Assessment
Upon Customer’s request, CCG shall provide Customer with reasonable cooperation and assistance, at Customer’s cost, needed to fulfil Customer’s obligation under applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information and to the extent such information is available to CCG. CCG shall provide reasonable assistance to Customer in any cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this section of this DPA, to the extent required under applicable Data Protection Laws.
11. Governing Law
The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and this DPA is governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Annex 1: Details of Processing of Customer Personal Data
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR and equivalent requirements of other Data Protection Laws.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement and this DPA.
The nature and purpose of the Processing of Customer Personal Data
For purposes of providing the Services in accordance with the Agreement.
The types of Customer Personal Data to be Processed
Users’ name, surname and email address; contact details for billing purposes; contact details for support purposes; and Customer’s customer delivery details (name, surname, physical address, email address and telephone number).
The categories of Data Subject to whom the Customer Personal Data relates
(a) Customer’s employees and contractors; and
(b) Customer’s customers.
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of Customer and Customer Affiliates are set out in the Agreement and this DPA.