Data Processing Agreement

Introduction

This Data Processing Agreement (“DPA“) is incorporated into, and is subject to the terms and conditions of, the agreement between the Subscriber that is a party to the agreement (“Subscriber” or “you“) and ClickView (“ Agreement”).

All capitalised terms not defined in this DPA have the meanings set out in the Agreement. For the avoidance of doubt, all references to the “Agreement” shall include this DPA.

It is agreed:

1. Roles and responsibilities

The parties acknowledge and agree that the Subscriber is the Controller and ClickView is the Processor.

2. Processing of Subscriber Personal Data

2.1 Processing of Subscriber Personal Data

The Subscriber acknowledges and agrees that:

  1. ClickView may Process Subscriber Personal Data for the purpose of providing the Services in accordance with the terms of the Agreement and as authorised under the terms of this DPA, or otherwise on the documented instructions of the Subscriber.
  2. The subject matter and types of Subscriber Personal Data that ClickView may collect and Process are set out in ClickView’s Privacy Policy.
  3. The duration of Processing of Subscriber Personal Data corresponds to the duration of the Agreement, or otherwise on the documented instructions of the Subscriber.
  4. The Categories of Data Subject to whom the Subscriber Personal Data relates may include Subscriber’s end users, the parents or legal guardians of users, employees, contractors, suppliers and other third parties.

ClickView is entitled to assume that any instruction given by a representative of the Subscriber under clause 2.1(a) is to be given with the Subscriber’s full authority. The Subscriber further acknowledges and agrees that ClickView will not be under any duty to investigate the completeness, accuracy or sufficiency of any instructions given to it by any Subscriber representative.

2.2 Compliance with laws

  1. ClickView will comply with all applicable Data Protection Laws in respect of the Processing of Subscriber Personal Data.
  2. ClickView will not Process Subscriber Personal Data other than on Subscriber’s instructions unless Processing is required by Data Processing Laws to which ClickView is subject, in which case ClickView will to the extent permitted by Data Processing Laws inform Subscriber of that legal requirement before the relevant Processing of that Personal Data.
  3. Subscriber must comply with all obligations it has as a Controller under Data Protection Laws and must not use the Services or provide Subscriber Personal Data to ClickView to the extent that doing so would violate any applicable Data Protection Laws. Subscriber will inform ClickView if it becomes aware or reasonably believes that Subscriber’s data processing instructions violate any applicable Data Protection Law.

2.3 Instruction and agreement by Subscriber

The Subscriber:

  1. instructs ClickView (and authorises ClickView to instruct each Sub-processor) to Process Subscriber Personal Data; and
  2. agrees to the transfer of Subscriber Personal Data by ClickView,

in accordance with the terms of this DPA and as reasonably necessary for the provision of the Services and consistent with the Agreement.

The Subscriber warrants and represents that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in this clause.

2.4 Transfer of Personal Data

  1. Subscriber acknowledges that ClickView may transfer and process Subscriber Personal Data in locations where ClickView, its affiliates or its Sub-processors maintain data processing operations. ClickView will at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
  2. If the Subscriber Personal Data is protected under the UK GDPR, by entering into this DPA, to the extent ClickView’s processing of Subscriber Personal Data involves a Restricted Transfer, Subscriber agrees to ClickView’s use of the International Data Transfer Agreement (IDTA) between ClickView Limited (CRN 05919237) and ClickView Australia Pty Ltd. ClickView will provide the IDTA to Subscriber. The IDTA will be incorporated by reference and form part of this DPA.
  3. If the Subscriber Personal Data is protected under the GDPR, by entering into this DPA, to the extent ClickView’s processing of Subscriber Personal Data involves a Restricted Transfer, Subscriber agrees to enter into Standard Contractual Clauses approved by the European Commission. In such instances ClickView will provide Standard Contractual Clauses to Subscriber and the Standard Contractual Clauses will be incorporated by reference and form part of this DPA.

2.5 ClickView Personnel

  1. ClickView shall take reasonable steps to ensure that access to the Subscriber Personal Data is strictly limited to those employees, agents and contractors who need to access the relevant Subscriber Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Data Protection Laws. ClickView will ensure that all such individuals are subject to confidentiality obligations or professional or statutory obligations of confidentiality.
  2. ClickView will implement appropriate technical and organisational measures to ensure that those of its personnel only have access to such part or parts of the Subscriber Personal Data as is strictly necessary for the performance of their duties and obligations.

3. Security

  1. Taking into account the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ClickView will implement appropriate technical and organisational measures to ensure the Subscriber Personal Data is secured as appropriate and in particular from the risk of any accidental or unlawful destruction, loss, alteration and any unauthorised disclosure or access, taking into account the risks associated with the Processing of the Subscriber Personal Data.
  2. Security measures will include, where appropriate, measures for the pseudonymisation and encryption of Personal Data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

4. Sub-processing

  1. The Subscriber authorises ClickView to appoint Sub-processors in accordance with this DPA.
  2. The Subscriber authorises ClickView to transfer Subscriber Personal Data to its affiliates and those Sub-processors currently engaged by ClickView as at the date of this DPA. A list of the Sub-processors engaged by ClickView and the purpose of their engagement may be maintained on the ClickView website or accessed here.
  3. Subscriber authorises ClickView to engage other Sub-processors, provided that ClickView notifies Subscriber of any new Sub-processors, either by providing written notice of the appointment of a Sub-processor or by maintaining an up to date list of Sub-processors on its website or here, and provided that ClickView will ensure that each agreement it has with a Sub-processor is governed by a written contract with terms which provide the same level of protection for Subscriber Personal Data as those set out in this DPA and meet the requirements of applicable Data Protection Laws.
  4. Subscriber may object to the appointment of any new Sub-processor by ClickView within 30 days after notification by ClickView on the basis that such appointment would cause Subscriber to breach Data Protection Laws. In the event of such objection the parties will work in good faith to make reasonable changes to the Services to resolve the Subscriber’s concerns.

5. Data Subject Rights

ClickView will:

  1. promptly notify Subscriber if ClickView receives a request from a Data Subject under any Data Protection Law in respect of Subscriber Personal Data;
  2. respond to any request from a Data Subject in accordance with the instructions of Subscriber or as required by Data Protection Laws to which ClickView is subject; and
  3. provide reasonable assistance to Subscriber in respect of any request from a Data Subject.

6. Personal Data Breach

  1. ClickView will notify Subscriber promptly upon ClickView becoming aware of a Personal Data Breach affecting Subscriber Personal Data. ClickView will provide Subscriber with sufficient information to allow Subscriber to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
  2. ClickView shall co-operate with Subscriber and take such reasonable commercial steps as are directed by Subscriber to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

7. Data Protection Impact Assessment and Prior Consultation

ClickView will provide reasonable assistance to Subscriber with any data protection impact assessments, and prior consultations with any competent data privacy authorities, which Subscriber reasonably considers to be required by applicable Data Protection Laws.

8. Deletion or return of Subscriber Personal Data

Following expiration or termination of the Agreement and cessation of any Services involving the Processing of Subscriber Personal Data, and otherwise upon any direction from Subscriber which is consistent with applicable Data Protection Laws, ClickView will delete or return to Subscriber all Personal Data in ClickView’s possession upon request as provided in the Agreement, and procure the same for all Sub-Processors, except to the extent ClickView or a Sub-processor is required by applicable law to retain some or all of the Personal Data.

9. Jurisdiction-Specific Terms

To the extent ClickView processes Personal Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Annexure A, then the terms specified in Annexure A relating to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to ClickView.

10. Limitation of liability

  1. To the maximum extent permitted by law, each party’s liability arising out of or related to this DPA (including the Standard Contractual Clauses) is subject to the exclusions and limitations of liability set out in the Agreement.
  2. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise limit liability that cannot be limited under applicable Data Protection Laws.

11. Further acts

ClickView will upon request make available to the Subscriber all information necessary to demonstrate compliance with this DPA, and permit any audit by Subscriber in accordance with the Subscriber’s rights of audit under applicable Data Protection Laws.

12. General

12.1 Definitions

ClickView means: (i) if the Subscriber is established in Europe or the United Kingdom – ClickView Limited (CRN 05919237); (ii) if the Subscriber is located in the United States – ClickView (US) (Corporate Number 86-3807728);

Data Protection Laws means: (i) all data protection laws and regulations applicable to Europe, including the General Data Protection Regulation (GDPR) and applicable national implementations of the GDPR; (ii) the UK General Data Protection Regulation (UK GDPR) established by the European Union (Withdrawal) Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and includes any subsequent UK legislation substituted for or amending the UK GDPR and the Data Protection Act 2018; and (iii) the California Consumer Privacy Act 2018 Cal. Civ. Code Title 1.81.5, § 1798.100 et seq. (CCPA) and its implementing regulations;

Processor means an entity that processes Personal Data on behalf of a Controller, as defined in the GDPR and UK GDPR;

Services means the services and content supplied by ClickView for Subscriber, and the use by Subscriber and the Data Subjects of the ClickView platform, pursuant to the Agreement;

Standard Contractual Clauses means the contractual clauses adopted by the European Commission for the transfer of personal data from data controllers in the EU to data processors in jurisdictions outside the European Economic Area (EEA);

Subscriber Personal Data means any Personal Data Processed by ClickView or a Sub-processor on behalf of Subscriber pursuant to or in connection with the Agreement;

Sub-processor means any person appointed by or on behalf of ClickView to Process Personal Data on behalf of Subscriber in connection with the Agreement; and

The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Restricted Transfer” shall have the same meaning as in the GDPR and the UK GDPR.

12.2 Interpretation

  1. Capitalised terms not otherwise defined in this DPA have the meaning given to them in the Agreement.
  2. Except as modified by this DPA, the terms of the Agreement remain in full force and effect.

12.3 Entire agreement

  1. This DPA constitutes the entire agreement between the parties regarding the matters set out in it and supersedes any prior representations, understandings or arrangements made between the parties, whether orally or in writing.
  2. In the event of any conflict or inconsistency between this DPA and ClickView’s General Terms and Conditions, the provisions of the following documents (in order of precedence) shall prevail: (i) this DPA; and then (ii) ClickView’s General Terms and Conditions.

12.4 Waiver

A right created by this deed cannot be waived except in writing signed by the party entitled to that right. Delay by a party in exercising a right does not constitute a waiver of that right, nor will a waiver (either wholly or in part) by a party of a right operate as a subsequent waiver of the same right or of any other right of that party.

12.5 Further assurances

Each party must promptly execute all documents and do everything necessary or desirable to give full effect to the arrangements contained in this deed.

12.6 Governing law and jurisdiction

  1. The laws of the country in which the Subscriber is established govern this DPA.
  2. The parties submit to the jurisdiction of the courts of the country in which the Subscriber is established.

12.7 Severance

If any clause or part of any clause is in any way unenforceable, invalid or illegal, it is to be read down so as to be enforceable, valid and legal. If this is not possible, the clause (or where possible, the offending part) is to be severed from this deed without affecting the enforceability, validity or legality of the remaining clauses (or parts of those clauses) which will continue in full force and effect.


Annexure A – Jurisdiction-Specific Terms

California:

  1. Except as described otherwise, the definitions of: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under the CCPA.
  2. For this “California” section only, ClickView will only process Subscriber Personal Data for the purposes described in this DPA and in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Agreement, or as otherwise may be permitted for “service providers” under the CCPA.
  3. ClickView’s obligations regarding data subject requests, as described in clause 5 of this DPA, apply to Subscriber’s rights under the CCPA.
  4. ClickView may de-identify or aggregate Subscriber Personal Data as part of performing the Services specified in this DPA and the Agreement.
  5. Where ClickView engages Sub-processors to process the personal data of Subscriber contacts, ClickView takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom ClickView has entered into a written contract that includes terms substantially similar to this DPA or are otherwise exempt from the CCPA’s definition of “sale”. ClickView conducts appropriate due diligence on its Sub-processors.