DATA PROCESSING ADDENDUM
(Revised October 2023)
This Data Processing Agreement, including its Appendix, (this “DPA”) forms part of the Master E-Commerce Services Agreement or other written or electronic contract between Lingble and the Client for the purchase of services from Lingble (the “Agreement”), which reflects the parties’ agreement with regard to the Processing of Personal Data.
For the purpose of exercising the rights and fulfilling the obligations under the Agreement, the Exporter will disclose and transfer Personal Data to the Importer. Under this DPA, the Importer will Process the transferred Personal Data on behalf of the Exporter, in accordance with the Exporter’s requirements provided by this DPA.
Under this DPA, the Exporter acts as a Data Controller, determining the purposes and means of the Personal Data Processing, in accordance with the Applicable Data Protection Legislation and the Importer acts as a Data Processor, Processing the transferred Personal Data on behalf of the Controller.
Both Parties have the responsibility to respect the provisions of this DPA.
- “Agreement” means the Master E-Commerce Services Agreement or other written or electronic agreement concluded between Lingble and the Client for the purchase of services from Lingble;
- “Applicable Data Protection Legislation” means the laws applicable to the specific Personal Data Processing in accordance with its personal, material and territorial scope; the Applicable Data Protection Legislation usually is determined by reference to the Data Subject’s location;
- “Client” means the legal entity Lingble provides services to, in accordance with the Agreement. The term “Client” shall include Client and authorized affiliates;
- “Data Breach” means any loss or unauthorized use, copying, modification, disclosure, or destruction of, or access to, Personal Data transferred under this DPA;
- “Data Controller” or “Controller” means the Party which determines the purposes and means of the Processing of Personal Data;
- “Data Exporter” or “Exporter” means the Party which transfers Personal Data to the Data Importer under this DPA;
- “Data Importer” or “Importer” means the Party which receives Personal Data from the Data Exporter for Processing under this DPA;
- “Data Processor” or “Processor” means the Party which Processes Personal Data on behalf of the Controller, also referred to data intermediary/entrusted person;
- “Data Subject” means the natural person to whom the Personal Data refers;
- “Data Sub-Processor” means any person or legal entity which may be engaged by the Data Importer to assist in the Processing of the Personal Data under this DPA;
- “DPA” means this Data Processing Addendum;
- “Enforcement Authority(ies)” means the competent supervisory data protection authority where the Data Subjects or the Data Exporter is located;
- “Lingble” means Lingble Pte. Ltd., legal entity incorporated by Singapore laws, with its registered address at 1 Raffles Place, #20-01, One Raffles Place, Singapore 048616;
- “Personal Data” means any information relating to a Data Subject;
- “Processing” means any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, including, for example, collection, use and disclosure of Personal Data; and
- “Services” mean the services provided by the Data Importer to the Data Exporter in accordance with the Agreement.
- RESPONSIBILITIES OF THE PARTIES
- Each Party has the responsibility to comply with the clauses of this DPA, in accordance with the Applicable Data Protection Legislation.
- Both Parties have the responsibility to ensure the Personal Data protection and security, in accordance with their roles and obligations under the Applicable Data Protection Legislation.
- Both Parties have the responsibility to respect the Data Subject’s rights and to provide the means for their exercise, in accordance with their roles and obligations under the Applicable Data Protection Legislation.
- Each Party shall be liable to the other Party(ies) for any damages it causes the other Party(ies) by any breach of this DPA.
- Where more than one Party is responsible for any damage caused to the Data Subject as a result of a breach of this DPA, all responsible Parties shall be jointly and severally liable and the Data Subject is entitled to bring an action in court against any of these Parties.
- The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party(ies) that part of the compensation corresponding to its / their responsibility for the damage.
- The Data Exporter warrants, represents and undertakes that:
- The Personal Data has been collected, used, disclosed and transferred to the Data Importer under this DPA in accordance with Applicable Data Protection Legislation.
- The Personal Data transferred to the Data Importer under this DPA is accurate, complete and relevant for the purposes of processing.
- The Data Exporter shall implement adequate technical and operational measures to ensure the security of the Personal Data during transmission to the Data Importer.
- The Data Exporter shall respond to enquiries from Data Subjects or Enforcement Authorities regarding the Processing of Personal Data by the Data Importer as required by the Applicable Data Protection Legislation. Responses to such enquiries and requests shall be made within a reasonable time frame or within the time frame and in the manner, if any, required under the Applicable Data Protection Legislation.
- Where applicable, the Exporter is responsible for collecting the consent of the data subjects so that the Importer may process, use or disclose personal data on behalf of the Exporter.
- The Data Importer warrants, represents and undertakes that:
- The Data Importer shall Process the Personal Data only in compliance with the Data Exporter’s instructions and for the purposes described in the Appendix to the DPA.
- The Data Importer shall not further disclose or transfer the Personal Data it receives from the Data Exporter to another person, Enforcement Authority or legal entity, including to Data Sub-Processors, unless it has notified the Data Exporter of such further disclosure or transfer in writing, and provided reasonable opportunity for the Data Exporter to object.
- The Data Importer agrees that prior to any disclosure or transfer of Personal Data to third parties, including to Data Sub-Processors, the Data Importer shall ensure that the third party shall be subject to and bound by the obligations of the Data Importer to the Data Exporter.
- The Data Importer agrees to take reasonable steps to implement measures on the storage and Processing of Personal Data that comply with adequate security standards prescribed by the Data Exporter.
- The Data Importer shall promptly communicate and refer to the Data Exporter any enquiries and requests from Data Subjects relating to the Personal Data transferred by the Data Exporter, including requests to access or correct the Personal Data.
- The Data Importer shall correct any error or omission in the Personal Data reasonably requested by the Data Exporter within 30 days of receipt of the request, or such other time frame required by the Applicable Data Protection Legislation, whichever is shorter.
- Upon the termination of the Agreement or completion of Processing required under this DPA, the Data Importer shall, at the election of the Data Exporter, either return to the Data Exporter the Personal Data held in its possession pursuant to this DPA, or cease to retain such Personal Data in manner approved of by the Data Exporter. The Data Importer agrees to confirm this with the Data Exporter in writing once action has been taken to cease to retain such Personal Data.
- The Data Importer shall have in place reasonable and appropriate technical, administrative, operational and physical measures, consistent with the Applicable Data Protection Legislation to protect the confidentiality, integrity and availability of Personal Data, in particular against risks of Data Breaches.
- If the Data Importer becomes aware that a Data Breach has occurred affecting Personal Data in its possession or under its control, or in the possession or under the control of an importer of an onward disclosure or transfer of the Personal Data, it shall notify the Data Exporter without undue delay.
- The Data Importer shall promptly notify and consult with the Data Exporter regarding any investigation regarding the collection, use, transfer, disclosure, security, or disposal of the Personal Data transferred under this DPA, unless otherwise prohibited under law.
- The Importer shall comply with all its obligations under the Applicable Data Protection Legislation at its own cost.
- Where the Exporter provides Personal Data to the Importer, the Exporter shall make reasonable effort to ensure that the Personal Data is accurate and complete before providing the same to the Importer. The Importer shall put in place adequate measures to ensure that the Personal Data in its possession or control remain or is otherwise accurate and complete. In any case, the Importer shall take steps to correct any errors in the Personal Data, as soon as practicable upon the Exporter’s written request.
- The Importer is only responsible under this DPA for the processing of the Personal Data, when transferred by the Exporter, as provided by the Exporter.
- DATA PROTECTION SAFEGUARDS
- The Exporter warrants that it has used reasonable efforts to determine that the Importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under this DPA.
- The Importer shall process the personal data received from the Exporter or processed on behalf of the Exporter only on documented instructions from the Exporter. The Exporter may give such instructions throughout the duration of the Agreement.
- The Importer shall immediately inform the Exporter if it is unable to follow those instructions.
- The Importer shall process the Personal Data received from the Exporter or processed on behalf of the Exporter only for the specific purpose(s) of the transfer, as set out in this DPA, unless on further instructions from the Exporter.
- The Importer shall only disclose the Personal Data received from the Exporter or processed on behalf of the Exporter to a third party on documented instructions from the Exporter and in accordance with the requirements of the Applicable Data Protection Legislation
- SECURITY OF PROCESSING
- The Importer and the Exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data. In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the Data Exporter.
- The Importer shall grant access to the Personal Data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the Agreement. It shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- In the event of a Personal Data Breach concerning Personal Data Processed by the Importer under this DPA, the Importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects and notify the Exporter without undue delay after having become aware of the breach.
- The Importer shall protect the Personal Data in the Importer’s control or possession by making reasonable security arrangements (including, where appropriate, physical, administrative, procedural and information & communications technology measures) to prevent: (i) unauthorised or accidental access, collection, use, disclosure, copying, modification, disposal or destruction of the Personal Data, or other similar risks; and (ii) the loss of any storage medium or device on which Personal Data is stored.
- The Exporter shall be accountable for compliance with its own legal obligations and shall will indemnify the Importer for any and all damages caused to the Importer as a result of the Exporter's failure to comply with its own legal obligations and with its internal policies and procedures.
- USE OF SUB-PROCESSORS
- GENERAL WRITTEN AUTHORISATION: The Data Importer has the Data Exporter’s general authorisation for the engagement of sub-processor(s).
- Where the Data Importer engages a sub-processor to carry out specific processing activities (on behalf of the Data Exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the Data Importer under this DPA.
- The Data Importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the Data Importer has factually disappeared, ceased to exist in law or has become insolvent - the Data Exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the Personal Data.
- DATA SUBJECTS’ RIGHTS
- The Importer shall promptly notify the Exporter of any request it has received from a Data Subject. It shall not respond to that request itself unless it has been authorised to do so by the Exporter.
- The Importer shall assist the Exporter in fulfilling its obligations to respond to Data Subjects’ requests for the exercise of their rights.
- In case of a dispute between a Data Subject and one of the Parties as regards compliance with this DPA, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.
- RETENTION OF PERSONAL DATA
- The Importer shall not retain the Personal Data subject to this DPA (or any documents or records containing this Personal Data, electronic or otherwise) for any period of time longer than is necessary to serve the purposes of this DPA.
- The Importer shall, upon the request of the Exporter:
- return to the Exporter, all Personal Data; or
- delete all Personal Data in its possession, and after returning or deleting all Personal Data, provide the Exporter with written confirmation that it no longer possesses any Personal Data subject to this DPA. Where applicable, the Importer shall also instruct all third parties to whom it has disclosed the Personal Data for the purposes of this DPA to return to the Processor or delete, such Personal Data.
- The clauses provided by paragraphs (a) and (b) above shall not apply to the specific situations when the Importer is subject to a legal obligation concerning the retention of personal data for a longer period of time.
- DISPUTE RESOLUTION AND THE APPLICABLE LAW
- Any dispute under this DPA shall be resolved by amicable settlement.
- If an amicable settlement is not possible, any dispute shall be settled in accordance with the Dispute Resolution clause set out in the Agreement.
- If there is any conflict or inconsistency between clauses in this DPA and Applicable Data Protection Legislation, then the provisions of the Applicable Data Protection Legislation shall prevail.
- CONSEQUENCES FOR NON-COMPLIANCE
- In case any of the Parties fails to comply with the responsibilities under this DPA, the affected Party shall notify the Party at-fault to remediate the non-conformity within a reasonable period of time.
- Depending on the gravity of the non-conformity, the affected Party may suspend the transfer or the Processing of the Personal Data under this DPA for the period of time necessary to remediate the non-conformity.
- In the event that
- the transfer or the Processing of Personal Data to or by the Data Importer has been temporarily suspended for longer than 6 months pursuant to paragraph (b); or
- compliance by the any of the Parties with this DPA would put it in breach of its obligations under the law in the country in which it is Processing the Personal Data; or
- there is a final decision from which no further appeal is possible of a competent court that there has been a breach of this DPA by any of the Parties; or
- any of the Parties ceases its operations voluntarily or involuntarily, announces its intent to cease operations, or transfers all or substantially all of its assets to a non-affiliated entity, then the harmed Party, without prejudice to any other rights which it may have against the Party in fault shall be entitled to terminate this DPA.
- The Parties agree that the termination of this DPA at any time, in any circumstances and for whatever reason does not exempt them from the obligations of this DPA regarding the return or deletion of the Personal Data transferred.
- The Exporter shall be accountable for compliance with its own legal obligations and shall indemnify the Importer for any and all damages caused to the Importer as a result of the Exporter's failure to comply with its own legal obligations.
- GENERAL UNDERTAKINGS
- Each Party warrants, represents and undertakes to the other Party that it has full capacity and authority to enter into and to perform its obligations under and in accordance with this DPA.
- Each Party agrees to comply with all Applicable Data Protection Legislation in connection with the performance of its obligations under this DPA.
- In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
- FINAL PROVISIONS
- The Parties may, by written agreement, adopt or modify this DPA, or as required by the Applicable Data Protection Legislation. This does not preclude the Parties from adding or amending clauses, by written agreement, as appropriate for their commercial or business arrangements.
- Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Lingble, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Lingble’s and its Affiliates’ total liability for all claims from Client and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Client and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Client and/or to any Authorized Affiliate that is a contractual party to any such DPA.
- Lingble may amend this DPA from time to time by posting a revised version on its website, available at https://www.lingble.com/legal/data-processing-addendum/. If Lingble makes any amendments negatively and materially affecting the rights or obligations of Client in this DPA, Lingble shall notify Client electronically in writing or by posting a notice in the Administrative Panel. Upon receiving notice of material changes to this DPA, to the extent that Client is negatively and materially impacted by such changes, Client shall have ten (10) days to notify Lingble in writing of its intention to terminate the Agreement, after which, Client will be deemed to have accepted the revised DPA. Client’s notification of its intention to terminate the Agreement as a result of material amendments to this DPA under this section, shall include a specific description of how the changes materially and negatively impact Client. Lingble shall terminate the Agreement and all Services at any time within sixty (60) days from the day of such written notice to Lingble.
- This DPA is part of the Agreement concluded between the Parties.
- Termination or suspension of this DPA determines the impossibility to continue the Personal Data Processing under this DPA, with serious consequences on the execution of the Agreement.
DESCRIPTION OF PROCESSING
A. LIST OF PARTIES
The Partner as mentioned in the Agreement
Activities relevant to the data transferred under these Clauses: The Data Exporter transfers the Personal Data and the Data Importer stores the Personal Data in order to execute the services provision Agreement concluded between the Data Exporter and the Importer.
Role (controller/processor): Controller
Name: Lingble Pte. Ltd.
Address: 1 Raffles Place, #20-01, One Raffles Place, Singapore 048616
Data Protection Officer or Contact person: [email protected]
Activities relevant to the data transferred under these Clauses: The Data Importer receives the Personal Data from the Data Exporter and Processes it on behalf of the Data Exporter, in accordance with the instuctions given by the last one.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
The Data Subject category concerned by the transfers subject to this DPA are the Data Exporter’s customers and the users of the Exporter’s website
Categories of personal data transferred:
Users of the website: Personal Data may concern name, surname, country, phone number, e-mail, data from cookies and other information necessary to create an account on the website or for support on different matters related to the website functionalities, services or products, reviews
Customers: name, surname, phone number, e-mail, address, shipping address, information about the orders – data and time of the purchase, payment method, products/services ordered, shipping date and time, represented company and role (if the client is a company)
Sensitive data transferred:
No sensitive data Processed under this DPA
The frequency of the transfer:
Data transfers take place on a continous basis, in accordance with the nature of the commercial agreement
Nature of the processing:
The Processing is based on the commercial relationship according to the Agreement concluded between the Exporter and the Importer and it is a normal Processing which does not involve special categories of Personal Data, neither automated decision making or profiling or other Processing which is likely to result in a high risk to the rights and freedoms of the natural person.
Purpose(s) of the data transfer and further processing:
The main purpose for the processing of Personal Data is the execution of the Agreement concluded between the Data Exporter and the Data Importer, whose subject matter is the administration and operations of the Data Exporter’s online business through its website.
The specific purposes for the processing of Personal Data are:
- hosting of the website/platform;
- creating and managing customer accounts on the Exporter’s website/platform;
- providing customer support related to the customer account, to the purchase orders, to any dysfunctionality and/or to the products and services and answering all customer’s requests;
- keeping records of the purchase orders;
- provision of business reports to the Data Exporter;
- monitoring the marketing campaigns;
- keeping the Exporter’s customers database and marketing consent records;
- other ancillary purposes necessary for the execution of the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
Personal Data Processed under this DPA shall be processed by the Importer only during the execution of the Agreement and no further.
Transfers to sub-processors:
The Importer may transfer the Personal Data subject to this DPA or make it available for its providers only for or in accordance with the purposes of the transfer, limiting the access to what is strictly necessary for the provision of the Services and only for the period of time when the Services are provided.
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be determied in accordance with the law applicable where the Data Subjects and the data Exporter are located.