DATA PROCESSING ADDENDUM
(Revised August 2020)
This Data Processing Addendum, including its Schedules and Appendices, (“DPA”) forms part of the Master E-Commerce Services Agreement or other written or electronic agreement between Lingble and Client for the purchase of services from Lingble (the “Agreement”), which includes the services listed in the Agreement (the “Services”) to reflect the parties’ agreement with regard to the Processing of Personal Data.
By signing the Agreement, Client enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent Lingble processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term “Client” shall include Client and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to Client pursuant to the Agreement, Lingble may Process Personal Data on behalf of Client and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations adopted thereunder (all of which as may be amended from time to time).
- “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the Processing of Personal Data under the Agreement. The term refers to substantially similar laws and regulations in other jurisdictions if they are encompassed by this Agreement.
- “Data Subject” means the identified or identifiable natural person or household to whom Personal Data relates, however identified, including by any unique identifier.
- “Data Subject Request” means a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, an opt-out from “sales” or right not to be subject to an automated individual decision making.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with (i) a Data Subject (defined above) and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations, the CCPA, or other applicable law), where for each (i) or (ii), such data is Client Data.
- “Processing” (including its various forms) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “Service Provider” as that term is defined by the CCPA.
- “Service Provider” shall be interpreted in accordance with the California Consumer Privacy Act of 2018.
- “Sub-processor” means any Processor engaged by Lingble or a member of the Lingble Group.
- “Supervisory Authority” means an independent public authority which is established by an EU/EEA Member State pursuant to the GDPR.
- PROCESSING OF PERSONAL DATA
- The parties acknowledge and agree that with regard to the Processing of Personal Data, Client is the Controller, Lingble is the Processor and Service Provider and that Lingble will engage Sub-processors pursuant to the requirements set forth in Section 5 below.
- Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of Lingble as Processor. For the avoidance of doubt, Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Client acquired Personal Data. Client specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA or any applicable Data Protection Laws and Regulations.
- Lingble shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Client’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Authorized Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Client (e.g., via email, the Administrative Panel, etc.) where such instructions are consistent with the terms of the Agreement.
- The subject-matter of Processing of Personal Data by Lingble is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
- DATA PROTECTION
- Any transfers of Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws and Regulations, shall be done in compliance with relevant Data Protection Laws and Regulations.
- When Lingble Processes Personal Data in the course of providing the Services, Lingble will:
- Process the Personal Data as a Processor and/or Service Provider, only for the purpose of providing the Services in accordance with documented instructions by Client (provided that such instructions are commensurate with the functionalities of the Services), and as may subsequently be agreed to by Client. If Lingble is required by law to Process the Personal Data for any other purpose, Lingble will provide you with prior notice of this requirement, unless Lingble is prohibited by law from providing such notice;
- notify Client if, in Lingble’s opinion, Client’s instruction for the processing of Personal Data infringes applicable Data Protection Laws and Regulations;
- notify Client promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Supervisory Authority relating to Lingble’s Processing of the Personal Data;
- implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;
- upon request, provide reasonable information, to the extent Client does not otherwise have access to the relevant information, and to the extent such information is available to Lingble, to help the Client complete the Client’s data protection impact assessments;
- upon Client’s request, and subject to the confidentiality obligations set forth in the Agreement, Lingble shall make available to Client that is not a competitor of Lingble (or Client’s independent, third-party auditor that is not a competitor of Lingble) information regarding the Lingble Group’s compliance with the obligations set forth in this DPA in the form of the third-party certifications and audits to the extent Lingble makes them generally available to its clients. Client may contact Lingble in accordance with the “Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data. Client shall reimburse Lingble for any time expended for any such on-site audit at the Lingble Group’s then-current professional services rates, which shall be made available to Client upon request. Before the commencement of any such on-site audit, Client and Lingble shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Lingble. Client shall promptly notify Lingble with information regarding any non- compliance discovered during the course of an audit;
- notify Client without undue delay upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;
- ensure that Lingble personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Customer Personal Data; and
- upon termination of the Agreement, Lingble may initiate its purge process to delete or anonymize the Personal Data; Client may request that Lingble transfer all of Client’s sales order data and Customer data held by Lingble to Client in database table format within 30-days of termination of the Agreement, after which Lingble may destroy all data (except Aggregated Statistics) in accordance with its data retention policies.
- DATA SUBJECT REQUESTS
Lingble shall, to the extent legally permitted, promptly notify Client if Lingble receives a Data Subject Request. Taking into account the nature of the Processing, Lingble shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, Lingble shall upon Client’s request provide commercially reasonable efforts to assist Client in responding to such Data Subject Request, to the extent Lingble is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Client shall be responsible for any costs arising from Lingble’s provision of such assistance.
- DATA PROTECTION OFFICER
Based on Lingble’s processing activities, Lingble is not required to appoint a Data Protection Officer. Lingble reserves the right to voluntarily appoint a Data Protection Officer in the future. For questions about this DPA, GDPR compliance, data privacy, data transfers, or any other privacy issues please send an email to firstname.lastname@example.org.
- Client acknowledges and agrees that (a) Lingble’s Affiliates may be retained as Sub- processors; and (b) Lingble and Lingble’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Lingble or a Lingble Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Client Data to the extent applicable to the nature of the Services provided by such Sub-processor.
- Lingble shall make available to Client upon written request the current list of Sub-processors for the Services. Such Sub-processor lists shall include the identities of those Sub-processors and their privacy documentation. Lingble, through electronic notification to the Client shall provide notice of any new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services.
- Client may object to Lingble’s use of a new Sub-processor by notifying Lingble promptly in writing within ten (10) days after receipt of Lingble’s notice in accordance with the mechanism set out in Section 4.b, stating specific reasons why Client believes that the new Sub-processor lacks sufficient guarantees to implement appropriate technical and organizational measures so as to ensure that processing will meet the requirements of the GDPR and the protection of the rights of Data Subjects. In the event Client objects to a new Sub-processor, as permitted in the preceding sentence, Lingble will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Client. Where required by applicable law, if Lingble is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Client may terminate only the Services in any applicable Order Form(s) which cannot be provided by Lingble without the use of the objected-to new Sub-processor by providing written notice to Lingble. This section only applies to new Sub-processors engaged during the term of the Agreement and does not apply to the list of pre-approved Sub-processors available upon request from Lingble.
- Lingble shall be liable for the acts and omissions of its Sub-processors to the same extent Lingble would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
This DPA and the Agreement are Client’s complete and final documented instructions at the time of signature of the Agreement to Lingble for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. The following are deemed instructions by the Client to process Personal Data: (a) Processing in accordance with the Agreement and applicable Order Form(s); (b) Processing initiated by Authorized Users in their use of the Services and (c) Processing to comply with other reasonable documented instructions provided by Client (e.g., via email, Administrative Panel, etc.) where such instructions are consistent with the terms of the Agreement.
- AUTHORIZED AFFILIATES
- The parties acknowledge and agree that, by executing the Agreement, Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Lingble and each such Authorized Affiliate subject to the provisions of the Agreement and this Section 7) and Section 9)b). Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Client.
- The Client that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Lingble under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
- Where an Authorized Affiliate becomes a party to the DPA with Lingble, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
- Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Lingble directly by itself, the parties agree that (i) solely the Client that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Client that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate individually but in a combined manner for itself and all of its Authorized Affiliates together (as set forth, for example, in Section 7)c)i), below).
- The parties agree that the Client that is the contracting party to the Agreement shall, when carrying out an audit of the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Lingble and its Sub-processors by combining, to the extent reasonably possible, several audit requests carried out on behalf of itself and all of its Authorized Affiliates in one single audit.
- CALIFORNIA SPECIFIC PROVISIONS
- “Consumer Request” means a consumer request submitted to Client or Lingble pursuant to CCPA to provide access to Personal Data, delete Personal Data, and/or direct Client not to “Sell” Personal Data.
- “Sell”, “Selling”, “Sale”, or “Sold” have the meaning set forth in CCPA section 1798.140(t).
- In the event there is any ambiguity as to the meaning of a term used in these California Specific Provisions, the term shall have the meaning set forth in the CCPA section 1798.140 or other applicable regulation.
- Lingble will comply with the CCPA requirements directly applicable to Lingble’s provision of its Services.
- Lingble acknowledges that any Personal Data that Client discloses to or permits access by Lingble is disclosed or permitted for the purpose of Lingble performing the Services. Client and Lingble agree that any provision or transfer of Personal Data by or on behalf of Client to Lingble under the Agreement shall not constitute a Sale of such data and shall not otherwise be for monetary or other consideration.
- In accordance with Section 3 on Data Subject Rights, Lingble will provide reasonable assistance to Client, upon written request, to enable Client to respond to Consumer Requests under the CCPA. Service Provider will not respond to any Consumer Request except on written instructions from Client.
- Lingble will not (a) access, retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services in this Agreement; (b) access, retain, use, or disclose Personal Data outside of the direct business relationship between Lingble and Client, and not for any commercial or other purpose other than as needed to perform the Services; (c) collect Personal Data from any Data Subject, other than as needed to perform the Services; or (d) Sell to any third party, or use for the benefit of any third party, any Personal Data.
- Subject to any restrictions in the Agreement, Lingble may retain, use, or disclose Personal Data to the extent allowed by the CCPA, including section 1798.145, subdivisions (a)(1) through (a)(4), and implementing regulations, including § 999.314, such as: (a) to process or maintain Personal Data on behalf of Client; (b) to retain or employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and its implementing regulations; (c) for internal use by Lingble to build or improve the quality of its services, provided that this does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source; (d) to detect data security incidents, or protect against fraudulent or illegal activity.
- In the event of any conflict or inconsistency between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.
- Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Lingble, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, Lingble’s and its Affiliates’ total liability for all claims from Client and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Client and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Client and/or to any Authorized Affiliate that is a contractual party to any such DPA.
- Lingble may amend this DPA from time to time by posting a revised version on its website, available at www.lingble.com/legal/dpa. If Lingble makes any amendments negatively and materially affecting the rights or obligations of Client in this DPA, Lingble shall notify Client electronically in writing or by posting a notice in the Administrative Panel. Upon receiving notice of material changes to this DPA, to the extent that Client is negatively and materially impacted by such changes, Client shall have ten (10) days to notify Lingble in writing of its intention to terminate the Agreement, after which, Client will be deemed to have accepted the revised DPA. Client’s notification of its intention to terminate the Agreement as a result of material amendments to this DPA under this section, shall include a specific description of how the changes materially and negatively impact Client. Lingble shall terminate the Agreement and all Services at any time within sixty (60) days from the day of such written notice to Lingble.
SCHEDULE 1 – DETAILS OF THE PROCESSING
Nature and Purpose of Processing
Duration of Processing
Categories of Data Subjects
Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of Client (who are natural persons)
- Employees or contact persons of Client’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of Client (who are natural persons)
- Authorized Users authorized by Client to use the Services
Type of Personal Data
Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Contact information (company, email, phone, physical business address)
- Localization data
Special categories of data (if appropriate)