Last Modified:

August 25, 2022

Last Modified:

August 25, 2022

Last Modified:

August 25, 2022

This Data Processing Addendum (hereinafter: ‚ÄúAddendum‚ÄĚ) forms an integral part of the Terms of Service of Readymag Inc., a Delaware corporation operating under the laws of State of Delaware, having its registered office at 160 Greentree Drive, Suite 101, Dover, DE 19904 (hereinafter: ‚ÄúData Processor‚ÄĚ) accepted by its user (hereinafter: ‚ÄúData Controller‚ÄĚ) during the registration procedure on the website of the Data Processor (hereinafter: ‚ÄúPrincipal Agreement‚ÄĚ) (Data Controller and Data Processor shall collectively be referred to as the: ‚ÄúParties‚ÄĚ).

This Data Processing Addendum (hereinafter: ‚ÄúAddendum‚ÄĚ) forms an integral part of the Terms of Service of Readymag Inc., a Delaware corporation operating under the laws of State of Delaware, having its registered office at 160 Greentree Drive, Suite 101, Dover, DE 19904 (hereinafter: ‚ÄúData Processor‚ÄĚ) accepted by its user (hereinafter: ‚ÄúData Controller‚ÄĚ) during the registration procedure on the website of the Data Processor (hereinafter: ‚ÄúPrincipal Agreement‚ÄĚ) (Data Controller and Data Processor shall collectively be referred to as the: ‚ÄúParties‚ÄĚ).

This Data Processing Addendum (hereinafter: ‚ÄúAddendum‚ÄĚ) forms an integral part of the Terms of Service of Readymag Inc., a Delaware corporation operating under the laws of State of Delaware, having its registered office at 160 Greentree Drive, Suite 101, Dover, DE 19904 (hereinafter: ‚ÄúData Processor‚ÄĚ) accepted by its user (hereinafter: ‚ÄúData Controller‚ÄĚ) during the registration procedure on the website of the Data Processor (hereinafter: ‚ÄúPrincipal Agreement‚ÄĚ) (Data Controller and Data Processor shall collectively be referred to as the: ‚ÄúParties‚ÄĚ).

Readymag

Data Processing Addendum

Preamble

In connection with the personal data collected from individuals located within the European Union (‚ÄúEU‚ÄĚ) member countries, in accordance with the Article 28 (Processor) of the General Data Protection Regulation 2016/679 of the European Union, the Parties decided to record in writing their rights and obligations regarding their data processing relationship.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an amendment to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

Preamble

In connection with the personal data collected from individuals located within the European Union (‚ÄúEU‚ÄĚ) member countries, in accordance with the Article 28 (Processor) of the General Data Protection Regulation 2016/679 of the European Union, the Parties decided to record in writing their rights and obligations regarding their data processing relationship.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an amendment to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

Preamble

In connection with the personal data collected from individuals located within the European Union (‚ÄúEU‚ÄĚ) member countries, in accordance with the Article 28 (Processor) of the General Data Protection Regulation 2016/679 of the European Union, the Parties decided to record in writing their rights and obligations regarding their data processing relationship.

The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except as modified below, the terms of the Principal Agreement shall remain in full force and effect.

In consideration of the mutual obligations set out herein, the Parties hereby agree that the terms and conditions set out below shall be added as an amendment to the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 ‚ÄúApplicable Laws‚ÄĚ means European Union or Member State of the European Union laws with respect to any Data Controller Personal Data in respect of which Data Controller is subject to EU Data Protection Laws;

1.1.2 ‚ÄúContracted Processor‚ÄĚ means Data Processor or a Subprocessor;

1.1.3 ‚ÄúData Controller Personal Data‚ÄĚ means any Personal Data Processed by a Contracted Processor on behalf of Data Controller in connection with the Principal Agreement;

1.1.4 ‚ÄúData Protection Laws‚ÄĚ means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 ‚ÄúGDPR‚ÄĚ means EU General Data Protection Regulation 2016/679;

1.1.6 ‚ÄúServices‚ÄĚ means the services and other activities to be supplied to or carried out by or on behalf of Data Processor for Data Controller pursuant to the Principal Agreement;

1.1.7 ‚ÄúSubprocessor‚ÄĚ means any person (including any third party, but excluding an employee of Data Processor or any of its sub-contractors) appointed by or on behalf of Data Processor to Process Personal Data in connection with the Principal Agreement.

1.2 The terms, ‚ÄúData Subject‚ÄĚ, ‚ÄúPersonal Data‚ÄĚ, ‚ÄúPersonal Data Breach‚ÄĚ, ‚ÄúProcessing‚ÄĚ and ‚ÄúSupervisory Authority‚ÄĚ shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly (Extract of the GDPR ‚Äď see Annex 2 to this Addendum).

1.3 The word ‚Äúinclude‚ÄĚ shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 ‚ÄúApplicable Laws‚ÄĚ means European Union or Member State of the European Union laws with respect to any Data Controller Personal Data in respect of which Data Controller is subject to EU Data Protection Laws;

1.1.2 ‚ÄúContracted Processor‚ÄĚ means Data Processor or a Subprocessor;

1.1.3 ‚ÄúData Controller Personal Data‚ÄĚ means any Personal Data Processed by a Contracted Processor on behalf of Data Controller in connection with the Principal Agreement;

1.1.4 ‚ÄúData Protection Laws‚ÄĚ means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 ‚ÄúGDPR‚ÄĚ means EU General Data Protection Regulation 2016/679;

1.1.6 ‚ÄúServices‚ÄĚ means the services and other activities to be supplied to or carried out by or on behalf of Data Processor for Data Controller pursuant to the Principal Agreement;

1.1.7 ‚ÄúSubprocessor‚ÄĚ means any person (including any third party, but excluding an employee of Data Processor or any of its sub-contractors) appointed by or on behalf of Data Processor to Process Personal Data in connection with the Principal Agreement.

1.2 The terms, ‚ÄúData Subject‚ÄĚ, ‚ÄúPersonal Data‚ÄĚ, ‚ÄúPersonal Data Breach‚ÄĚ, ‚ÄúProcessing‚ÄĚ and ‚ÄúSupervisory Authority‚ÄĚ shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly (Extract of the GDPR ‚Äď see Annex 2 to this Addendum).

1.3 The word ‚Äúinclude‚ÄĚ shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

1.1.1 ‚ÄúApplicable Laws‚ÄĚ means European Union or Member State of the European Union laws with respect to any Data Controller Personal Data in respect of which Data Controller is subject to EU Data Protection Laws;

1.1.2 ‚ÄúContracted Processor‚ÄĚ means Data Processor or a Subprocessor;

1.1.3 ‚ÄúData Controller Personal Data‚ÄĚ means any Personal Data Processed by a Contracted Processor on behalf of Data Controller in connection with the Principal Agreement;

1.1.4 ‚ÄúData Protection Laws‚ÄĚ means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

1.1.5 ‚ÄúGDPR‚ÄĚ means EU General Data Protection Regulation 2016/679;

1.1.6 ‚ÄúServices‚ÄĚ means the services and other activities to be supplied to or carried out by or on behalf of Data Processor for Data Controller pursuant to the Principal Agreement;

1.1.7 ‚ÄúSubprocessor‚ÄĚ means any person (including any third party, but excluding an employee of Data Processor or any of its sub-contractors) appointed by or on behalf of Data Processor to Process Personal Data in connection with the Principal Agreement.

1.2 The terms, ‚ÄúData Subject‚ÄĚ, ‚ÄúPersonal Data‚ÄĚ, ‚ÄúPersonal Data Breach‚ÄĚ, ‚ÄúProcessing‚ÄĚ and ‚ÄúSupervisory Authority‚ÄĚ shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly (Extract of the GDPR ‚Äď see Annex 2 to this Addendum).

1.3 The word ‚Äúinclude‚ÄĚ shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.

2. Processing of Data Controller Personal Data

2.1 Data Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Data Controller Personal Data; and

2.1.2 not process Data Controller Personal Data other than on the Data Controller’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform the Data Controller of that legal requirement before the relevant Processing of that Personal Data.

2.2 Data Controller shall instruct Data Processor to:

2.2.1 process Data Controller Personal Data and

2.2.2 in particular, transfer Data Controller Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement.

2. Processing of Data Controller Personal Data

2.1 Data Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Data Controller Personal Data; and

2.1.2 not process Data Controller Personal Data other than on the Data Controller’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform the Data Controller of that legal requirement before the relevant Processing of that Personal Data.

2.2 Data Controller shall instruct Data Processor to:

2.2.1 process Data Controller Personal Data and

2.2.2 in particular, transfer Data Controller Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement.

2. Processing of Data Controller Personal Data

2.1 Data Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Data Controller Personal Data; and

2.1.2 not process Data Controller Personal Data other than on the Data Controller’s documented instructions unless Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform the Data Controller of that legal requirement before the relevant Processing of that Personal Data.

2.2 Data Controller shall instruct Data Processor to:

2.2.1 process Data Controller Personal Data and

2.2.2 in particular, transfer Data Controller Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement.

3. Annex 1

Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Data Controller Personal Data as required by Article 28(3) of the GDPR. The Parties may make reasonable amendments to Annex 1 by written notice to the other Party from time to time as Party reasonably considers necessary to meet those requirements. Nothing in Annex 1 confers any right or imposes any obligation on the Parties to this Addendum.

3. Annex 1

Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Data Controller Personal Data as required by Article 28(3) of the GDPR. The Parties may make reasonable amendments to Annex 1 by written notice to the other Party from time to time as Party reasonably considers necessary to meet those requirements. Nothing in Annex 1 confers any right or imposes any obligation on the Parties to this Addendum.

3. Annex 1

Annex 1 to this Addendum sets out certain information regarding the Contracted Processors' Processing of the Data Controller Personal Data as required by Article 28(3) of the GDPR. The Parties may make reasonable amendments to Annex 1 by written notice to the other Party from time to time as Party reasonably considers necessary to meet those requirements. Nothing in Annex 1 confers any right or imposes any obligation on the Parties to this Addendum.

4. Data Processor

Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Data Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Data Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Data Processor

Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Data Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Data Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Data Processor

Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Data Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Data Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor shall in relation to the Data Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

5.2 In assessing the appropriate level of security, Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Security

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor shall in relation to the Data Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

5.2 In assessing the appropriate level of security, Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Security

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor shall in relation to the Data Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

5.2 In assessing the appropriate level of security, Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

6. Subprocessing

6.1 Data Controller authorizes Data Processor to appoint Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.

6.2 Data Processor may continue to use those Subprocessors already engaged as at the date of the present Addendum, subject to Data Processor in each case as soon as practicable meeting the obligations set out in section 6.4.

6.3 Data Processor shall give Data Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 3 (three) calendar days of receipt of that notice, Data Controller notifies Data Processor in writing of any objections to the proposed appointment:

6.3.1 Data Processor shall work with Data Controller in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and

6.3.2 where such a change cannot be made within 30 (thirty) calendar days from Data Processor’s receipt of Data Controller’s notice, notwithstanding anything in the Principal Agreement, Data Controller may by written notice to Data Processor with immediate effect terminate the Principal Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor.

6.4 With respect to each Subprocessor, Data Processor shall:

6.4.1 before the Subprocessor first Processes Data Controller Personal Data (or, where relevant), in accordance with section 5.2., shall ascertain that the Subprocessor is capable of providing the level of protection for Data Controller Personal Data required by the Principal Agreement;

6.4.2 ensure that the arrangement between on the one hand (a) Data Processor, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Data Controller Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR; and


6.4.3 provide to Data Controller for review such copies of the Contracted Processors' agreements with Subprocessors as Data Controller may request from time to time.


6.5 Data Processor shall ensure that each Subprocessor performs the obligations set out in this Addendum, as they apply to Processing of Data Controller Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Data Processor.

6. Subprocessing

6.1 Data Controller authorizes Data Processor to appoint Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.

6.2 Data Processor may continue to use those Subprocessors already engaged as at the date of the present Addendum, subject to Data Processor in each case as soon as practicable meeting the obligations set out in section 6.4.

6.3 Data Processor shall give Data Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 3 (three) calendar days of receipt of that notice, Data Controller notifies Data Processor in writing of any objections to the proposed appointment:

6.3.1 Data Processor shall work with Data Controller in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and

6.3.2 where such a change cannot be made within 30 (thirty) calendar days from Data Processor’s receipt of Data Controller’s notice, notwithstanding anything in the Principal Agreement, Data Controller may by written notice to Data Processor with immediate effect terminate the Principal Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor.

6.4 With respect to each Subprocessor, Data Processor shall:

6.4.1 before the Subprocessor first Processes Data Controller Personal Data (or, where relevant), in accordance with section 5.2., shall ascertain that the Subprocessor is capable of providing the level of protection for Data Controller Personal Data required by the Principal Agreement;

6.4.2 ensure that the arrangement between on the one hand (a) Data Processor, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Data Controller Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR; and


6.4.3 provide to Data Controller for review such copies of the Contracted Processors' agreements with Subprocessors as Data Controller may request from time to time.


6.5 Data Processor shall ensure that each Subprocessor performs the obligations set out in this Addendum, as they apply to Processing of Data Controller Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Data Processor.

6. Subprocessing

6.1 Data Controller authorizes Data Processor to appoint Subprocessors in accordance with this section 5 and any restrictions in the Principal Agreement.

6.2 Data Processor may continue to use those Subprocessors already engaged as at the date of the present Addendum, subject to Data Processor in each case as soon as practicable meeting the obligations set out in section 6.4.

6.3 Data Processor shall give Data Controller prior written notice of the appointment of any new Subprocessor, including full details of the Processing to be undertaken by the Subprocessor. If, within 3 (three) calendar days of receipt of that notice, Data Controller notifies Data Processor in writing of any objections to the proposed appointment:

6.3.1 Data Processor shall work with Data Controller in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and

6.3.2 where such a change cannot be made within 30 (thirty) calendar days from Data Processor’s receipt of Data Controller’s notice, notwithstanding anything in the Principal Agreement, Data Controller may by written notice to Data Processor with immediate effect terminate the Principal Agreement to the extent that it relates to the Services which require the use of the proposed Subprocessor.

6.4 With respect to each Subprocessor, Data Processor shall:

6.4.1 before the Subprocessor first Processes Data Controller Personal Data (or, where relevant), in accordance with section 5.2., shall ascertain that the Subprocessor is capable of providing the level of protection for Data Controller Personal Data required by the Principal Agreement;

6.4.2 ensure that the arrangement between on the one hand (a) Data Processor, or (b) the relevant intermediate Subprocessor; and on the other hand the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Data Controller Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) of the GDPR; and


6.4.3 provide to Data Controller for review such copies of the Contracted Processors' agreements with Subprocessors as Data Controller may request from time to time.


6.5 Data Processor shall ensure that each Subprocessor performs the obligations set out in this Addendum, as they apply to Processing of Data Controller Personal Data carried out by that Subprocessor, as if it were party to this Addendum in place of Data Processor.

7. Data Subject Rights

7.1 Taking into account the nature of the Processing, Data Processor shall assist the Data Controller by implementing appropriate technical and organizational measures prior accepted by the Data Controller, insofar as this is possible, for the fulfilment of the Data Controller’s obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.2 Data Processor shall:

7.2.1 promptly notify Data Controller if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Data Controller Personal Data; and

7.2.2 ensure that the Contracted Processor does not respond to that request except on the documented instructions of Data Controller or as required by Applicable Laws to which the Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform Data Controller of that legal requirement before the Contracted Processor responds to the request.

7. Data Subject Rights

7.1 Taking into account the nature of the Processing, Data Processor shall assist the Data Controller by implementing appropriate technical and organizational measures prior accepted by the Data Controller, insofar as this is possible, for the fulfilment of the Data Controller’s obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.2 Data Processor shall:

7.2.1 promptly notify Data Controller if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Data Controller Personal Data; and

7.2.2 ensure that the Contracted Processor does not respond to that request except on the documented instructions of Data Controller or as required by Applicable Laws to which the Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform Data Controller of that legal requirement before the Contracted Processor responds to the request.

7. Data Subject Rights

7.1 Taking into account the nature of the Processing, Data Processor shall assist the Data Controller by implementing appropriate technical and organizational measures prior accepted by the Data Controller, insofar as this is possible, for the fulfilment of the Data Controller’s obligations, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

7.2 Data Processor shall:

7.2.1 promptly notify Data Controller if any Contracted Processor receives a request from a Data Subject under any Data Protection Law in respect of Data Controller Personal Data; and

7.2.2 ensure that the Contracted Processor does not respond to that request except on the documented instructions of Data Controller or as required by Applicable Laws to which the Contracted Processor is subject, in which case Data Processor shall to the extent permitted by Applicable Laws inform Data Controller of that legal requirement before the Contracted Processor responds to the request.

8. Personal Data Breach

8.1 Data Processor shall notify Data Controller without undue delay upon Data Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Data Controller Personal Data, providing Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8.2 Such notification shall as a minimum:

8.2.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;

8.2.2 communicate the name and contact details of Data Processor’s data protection officer or other relevant contact from whom more information may be obtained;

8.2.3 describe the likely consequences of the Personal Data Breach; and

8.2.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.

8.3 Data Processor shall co-operate with Data Controller and take such reasonable commercial steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Personal Data Breach

8.1 Data Processor shall notify Data Controller without undue delay upon Data Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Data Controller Personal Data, providing Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8.2 Such notification shall as a minimum:

8.2.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;

8.2.2 communicate the name and contact details of Data Processor’s data protection officer or other relevant contact from whom more information may be obtained;

8.2.3 describe the likely consequences of the Personal Data Breach; and

8.2.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.

8.3 Data Processor shall co-operate with Data Controller and take such reasonable commercial steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Personal Data Breach

8.1 Data Processor shall notify Data Controller without undue delay upon Data Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Data Controller Personal Data, providing Data Controller with sufficient information to allow Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

8.2 Such notification shall as a minimum:

8.2.1 describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned;

8.2.2 communicate the name and contact details of Data Processor’s data protection officer or other relevant contact from whom more information may be obtained;

8.2.3 describe the likely consequences of the Personal Data Breach; and

8.2.4 describe the measures taken or proposed to be taken to address the Personal Data Breach.

8.3 Data Processor shall co-operate with Data Controller and take such reasonable commercial steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

9. Data Protection Impact Assessment and Prior Consultation

Data Processor shall provide assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Data Controller reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Data Controller Personal Data by and taking into account the nature of the Processing and information available to, the Contracted Processors. The Data Controller shall ensure that during such data protection impact assessment the usual session at the Data Processor will not cause any unnecessary inconvenience to the Data Processor.

9. Data Protection Impact Assessment and Prior Consultation

Data Processor shall provide assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Data Controller reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Data Controller Personal Data by and taking into account the nature of the Processing and information available to, the Contracted Processors. The Data Controller shall ensure that during such data protection impact assessment the usual session at the Data Processor will not cause any unnecessary inconvenience to the Data Processor.

9. Data Protection Impact Assessment and Prior Consultation

Data Processor shall provide assistance to Data Controller with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Data Controller reasonably considers to be required by Article 35 or 36 of the GDPR, in each case solely in relation to Processing of Data Controller Personal Data by and taking into account the nature of the Processing and information available to, the Contracted Processors. The Data Controller shall ensure that during such data protection impact assessment the usual session at the Data Processor will not cause any unnecessary inconvenience to the Data Processor.

10. Deletion or return of Data Controller Personal Data

10.1 Subject to sections 10.2 and 10.3 Data Processor shall promptly and in any event within 3 (three) calendar days of the date of cessation of any Services involving the Processing of Data Controller Personal Data (the ‚ÄúCessation Date‚ÄĚ), or by anytime upon written request of the Data Controller, delete and procure the deletion of all copies of those Data Controller Personal Data.

10.2 Subject to section 10.3, Data Controller may in its absolute discretion by written notice to Data Processor within 3 (three) calendar days of the Cessation Date, or by anytime upon written request of the Data Controller require Data Processor to (a) return a complete copy of all Data Controller Personal Data to Data Controller by secure file transfer in such format as is reasonably notified by Data Controller to Data Processor; and (b) delete and procure the deletion of all other copies of Data Controller Personal Data Processed by any Contracted Processor. Data Processor shall comply with any such written request within 3 (three) calendar days of the Cessation Date.

10.3 Each Contracted Processor may retain Data Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Data Controller Personal Data and shall ensure that such Data Controller Personal Data is only Processed as necessary for the purposes specified in the Applicable Laws requiring its storage and for no other purpose.

10. Deletion or return of Data Controller Personal Data

10.1 Subject to sections 10.2 and 10.3 Data Processor shall promptly and in any event within 3 (three) calendar days of the date of cessation of any Services involving the Processing of Data Controller Personal Data (the ‚ÄúCessation Date‚ÄĚ), or by anytime upon written request of the Data Controller, delete and procure the deletion of all copies of those Data Controller Personal Data.

10.2 Subject to section 10.3, Data Controller may in its absolute discretion by written notice to Data Processor within 3 (three) calendar days of the Cessation Date, or by anytime upon written request of the Data Controller require Data Processor to (a) return a complete copy of all Data Controller Personal Data to Data Controller by secure file transfer in such format as is reasonably notified by Data Controller to Data Processor; and (b) delete and procure the deletion of all other copies of Data Controller Personal Data Processed by any Contracted Processor. Data Processor shall comply with any such written request within 3 (three) calendar days of the Cessation Date.

10.3 Each Contracted Processor may retain Data Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Data Controller Personal Data and shall ensure that such Data Controller Personal Data is only Processed as necessary for the purposes specified in the Applicable Laws requiring its storage and for no other purpose.

10. Deletion or return of Data Controller Personal Data

10.1 Subject to sections 10.2 and 10.3 Data Processor shall promptly and in any event within 3 (three) calendar days of the date of cessation of any Services involving the Processing of Data Controller Personal Data (the ‚ÄúCessation Date‚ÄĚ), or by anytime upon written request of the Data Controller, delete and procure the deletion of all copies of those Data Controller Personal Data.

10.2 Subject to section 10.3, Data Controller may in its absolute discretion by written notice to Data Processor within 3 (three) calendar days of the Cessation Date, or by anytime upon written request of the Data Controller require Data Processor to (a) return a complete copy of all Data Controller Personal Data to Data Controller by secure file transfer in such format as is reasonably notified by Data Controller to Data Processor; and (b) delete and procure the deletion of all other copies of Data Controller Personal Data Processed by any Contracted Processor. Data Processor shall comply with any such written request within 3 (three) calendar days of the Cessation Date.

10.3 Each Contracted Processor may retain Data Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Data Processor shall ensure the confidentiality of all such Data Controller Personal Data and shall ensure that such Data Controller Personal Data is only Processed as necessary for the purposes specified in the Applicable Laws requiring its storage and for no other purpose.

11. Audit rights

11.1 Subject to sections 10.2, Data Processor shall make available to Data Controller on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Data Controller or an auditor mandated by Data Controller in relation to the Processing of the Data Controller Personal Data by the Contracted Processors.

11.2 Data Controller undertaking an audit shall give Data Processor reasonable notice of any audit or inspection to be conducted under section 10.1 and shall make reasonable endeavors to avoid causing or, if it cannot avoid, to minimize any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

11. Audit rights

11.1 Subject to sections 10.2, Data Processor shall make available to Data Controller on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Data Controller or an auditor mandated by Data Controller in relation to the Processing of the Data Controller Personal Data by the Contracted Processors.

11.2 Data Controller undertaking an audit shall give Data Processor reasonable notice of any audit or inspection to be conducted under section 10.1 and shall make reasonable endeavors to avoid causing or, if it cannot avoid, to minimize any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

11. Audit rights

11.1 Subject to sections 10.2, Data Processor shall make available to Data Controller on request all information necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits, including inspections, by Data Controller or an auditor mandated by Data Controller in relation to the Processing of the Data Controller Personal Data by the Contracted Processors.

11.2 Data Controller undertaking an audit shall give Data Processor reasonable notice of any audit or inspection to be conducted under section 10.1 and shall make reasonable endeavors to avoid causing or, if it cannot avoid, to minimize any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.

12. Indemnification and penalty

12.1 Data Processor shall indemnify Data Controller for any and all loss, damage, payments, deficiencies, fines, judgements, liabilities, costs and expenses resulting from Data Processor’s or a Subprocessor’s incompliance with or infringement of the provisions of this Addendum or the requirements of the GDPR.

12.2 Data Processor shall within 30 (thirty) calendar days of the written notice of the Data Controller indemnify Data Controller for the losses described in section 11.1.

12. Indemnification and penalty

12.1 Data Processor shall indemnify Data Controller for any and all loss, damage, payments, deficiencies, fines, judgements, liabilities, costs and expenses resulting from Data Processor’s or a Subprocessor’s incompliance with or infringement of the provisions of this Addendum or the requirements of the GDPR.

12.2 Data Processor shall within 30 (thirty) calendar days of the written notice of the Data Controller indemnify Data Controller for the losses described in section 11.1.

12. Indemnification and penalty

12.1 Data Processor shall indemnify Data Controller for any and all loss, damage, payments, deficiencies, fines, judgements, liabilities, costs and expenses resulting from Data Processor’s or a Subprocessor’s incompliance with or infringement of the provisions of this Addendum or the requirements of the GDPR.

12.2 Data Processor shall within 30 (thirty) calendar days of the written notice of the Data Controller indemnify Data Controller for the losses described in section 11.1.

13. General Terms

13. General Terms

13. General Terms

14. Governing law and jurisdiction

Without prejudice to the clauses of the Principal Agreement on the governing law (section 20) and jurisdiction (section 21):

14.1 The Parties to this Addendum hereby stipulate the exclusive competence of the courts of Cyprus regarding any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, effect, validity or termination or the consequences of its nullity.

14.2 The existence, effect, validity, termination and the consequences of nullity of the present Addendum shall be governed and construed by the laws of Cyprus.

14.3 Obligations regarding personal data protection shall be governed and construed by the GDPR and the Applicable Law.

14. Governing law and jurisdiction

Without prejudice to the clauses of the Principal Agreement on the governing law (section 20) and jurisdiction (section 21):

14.1 The Parties to this Addendum hereby stipulate the exclusive competence of the courts of Cyprus regarding any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, effect, validity or termination or the consequences of its nullity.

14.2 The existence, effect, validity, termination and the consequences of nullity of the present Addendum shall be governed and construed by the laws of Cyprus.

14.3 Obligations regarding personal data protection shall be governed and construed by the GDPR and the Applicable Law.

14. Governing law and jurisdiction

Without prejudice to the clauses of the Principal Agreement on the governing law (section 20) and jurisdiction (section 21):

14.1 The Parties to this Addendum hereby stipulate the exclusive competence of the courts of Cyprus regarding any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, effect, validity or termination or the consequences of its nullity.

14.2 The existence, effect, validity, termination and the consequences of nullity of the present Addendum shall be governed and construed by the laws of Cyprus.

14.3 Obligations regarding personal data protection shall be governed and construed by the GDPR and the Applicable Law.

15. Order of precedence

15.1 Nothing in this Addendum reduces Data Processor’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits Data Processor to Process or permit the Processing of Personal Data in a manner which is prohibited by the Principal Agreement.

15.2 Subject to section 12.2.1, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the Parties, including the Principal Agreement and including agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

15. Order of precedence

15.1 Nothing in this Addendum reduces Data Processor’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits Data Processor to Process or permit the Processing of Personal Data in a manner which is prohibited by the Principal Agreement.

15.2 Subject to section 12.2.1, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the Parties, including the Principal Agreement and including agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

15. Order of precedence

15.1 Nothing in this Addendum reduces Data Processor’s obligations under the Principal Agreement in relation to the protection of Personal Data or permits Data Processor to Process or permit the Processing of Personal Data in a manner which is prohibited by the Principal Agreement.

15.2 Subject to section 12.2.1, with regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the Parties, including the Principal Agreement and including agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.

16. Changes in Data Protection Laws, and modification of the Contract

16.1 Data Controller may:

16.1.1 by at least 15 (fifteen) calendar days' written notice to Data Processor from time to time make any variations to the Contract, which are required, as a result of any change in the Data Protection Law, or decision of a competent authority under the Data Protection Law; and

16.1.2 propose any other variations to this Addendum which Data Controller reasonably considers to be necessary to address the requirements of any Data Protection Law.

16.2 If Data Controller gives notice under section 12.3.1.1 Data Processor shall promptly co-operate and ensure that any affected Subprocessors promptly co-operate; and

16.3 If Data Controller gives notice under section 12.3.1.2, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Data Controller's notice as soon as is reasonably practicable.

16. Changes in Data Protection Laws, and modification of the Contract

16.1 Data Controller may:

16.1.1 by at least 15 (fifteen) calendar days' written notice to Data Processor from time to time make any variations to the Contract, which are required, as a result of any change in the Data Protection Law, or decision of a competent authority under the Data Protection Law; and

16.1.2 propose any other variations to this Addendum which Data Controller reasonably considers to be necessary to address the requirements of any Data Protection Law.

16.2 If Data Controller gives notice under section 12.3.1.1 Data Processor shall promptly co-operate and ensure that any affected Subprocessors promptly co-operate; and

16.3 If Data Controller gives notice under section 12.3.1.2, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Data Controller's notice as soon as is reasonably practicable.

16. Changes in Data Protection Laws, and modification of the Contract

16.1 Data Controller may:

16.1.1 by at least 15 (fifteen) calendar days' written notice to Data Processor from time to time make any variations to the Contract, which are required, as a result of any change in the Data Protection Law, or decision of a competent authority under the Data Protection Law; and

16.1.2 propose any other variations to this Addendum which Data Controller reasonably considers to be necessary to address the requirements of any Data Protection Law.

16.2 If Data Controller gives notice under section 12.3.1.1 Data Processor shall promptly co-operate and ensure that any affected Subprocessors promptly co-operate; and

16.3 If Data Controller gives notice under section 12.3.1.2, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Data Controller's notice as soon as is reasonably practicable.

17. Severance

Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (I) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (II) construed in a manner as if the invalid or unenforceable part had never been contained therein.

17. Severance

Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (I) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (II) construed in a manner as if the invalid or unenforceable part had never been contained therein.

17. Severance

Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (I) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (II) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Annex 1

DETAILS OF PROCESSING OF DATA CONTROLLER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Data Controller Personal Data as required by Article 28(3) GDPR.

1. Subject matter and duration of the Processing of Data Controller Personal Data


The subject matter of the Processing is the personal data of the Data Controller Processed during the use of the Services of the Data Processor available on the Data Processor’s Site.

Data Processor Processes the personal data until the Data Controller deletes its user profile on the Site.

2. The nature and purpose of the Processing of Data Controller Personal Data

To perform the Data Processor obligations to maintain and provide the Services set forth in the Principal Agreement.

3. The types of Data Controller Personal Data to be Processed

The personal data Processed by the Data Controller.

4. The categories of Data Subject to whom the Data Controller Personal Data relates

The categories of the partners and users of the Data Controller.

5. The obligations and rights of Data Controller

The obligations and rights of Data Controller are set out in the Principal Agreement and in this Addendum.

Annex 1

DETAILS OF PROCESSING OF DATA CONTROLLER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Data Controller Personal Data as required by Article 28(3) GDPR.

1. Subject matter and duration of the Processing of Data Controller Personal Data


The subject matter of the Processing is the personal data of the Data Controller Processed during the use of the Services of the Data Processor available on the Data Processor’s Site.

Data Processor Processes the personal data until the Data Controller deletes its user profile on the Site.

2. The nature and purpose of the Processing of Data Controller Personal Data

To perform the Data Processor obligations to maintain and provide the Services set forth in the Principal Agreement.

3. The types of Data Controller Personal Data to be Processed

The personal data Processed by the Data Controller.

4. The categories of Data Subject to whom the Data Controller Personal Data relates

The categories of the partners and users of the Data Controller.

5. The obligations and rights of Data Controller

The obligations and rights of Data Controller are set out in the Principal Agreement and in this Addendum.

Annex 1

DETAILS OF PROCESSING OF DATA CONTROLLER PERSONAL DATA

This Annex 1 includes certain details of the Processing of Data Controller Personal Data as required by Article 28(3) GDPR.

1. Subject matter and duration of the Processing of Data Controller Personal Data


The subject matter of the Processing is the personal data of the Data Controller Processed during the use of the Services of the Data Processor available on the Data Processor’s Site.

Data Processor Processes the personal data until the Data Controller deletes its user profile on the Site.

2. The nature and purpose of the Processing of Data Controller Personal Data

To perform the Data Processor obligations to maintain and provide the Services set forth in the Principal Agreement.

3. The types of Data Controller Personal Data to be Processed

The personal data Processed by the Data Controller.

4. The categories of Data Subject to whom the Data Controller Personal Data relates

The categories of the partners and users of the Data Controller.

5. The obligations and rights of Data Controller

The obligations and rights of Data Controller are set out in the Principal Agreement and in this Addendum.

Annex 2

Extract of the GPDR

Annex 2

Extract of the GPDR

Annex 2

Extract of the GPDR

Article 4

Definitions

[…]

‚ÄėPersonal Data‚Äô means any information relating to an identified or identifiable natural person (‚ÄėData Subject‚Äô); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‚ÄėPersonal Data Breach‚Äô means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‚ÄėProcessing‚Äô means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‚ÄėSupervisory Authority‚Äô means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR.

[…]

Article 4

Definitions

[…]

‚ÄėPersonal Data‚Äô means any information relating to an identified or identifiable natural person (‚ÄėData Subject‚Äô); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‚ÄėPersonal Data Breach‚Äô means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‚ÄėProcessing‚Äô means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‚ÄėSupervisory Authority‚Äô means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR.

[…]

Article 4

Definitions

[…]

‚ÄėPersonal Data‚Äô means any information relating to an identified or identifiable natural person (‚ÄėData Subject‚Äô); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‚ÄėPersonal Data Breach‚Äô means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;

‚ÄėProcessing‚Äô means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‚ÄėSupervisory Authority‚Äô means an independent public authority which is established by a Member State pursuant to Article 51 of GDPR.

[…]