Data Processing Addendum ("DPA")
This Data Processing Addendum (the “DPA” or “Addendum”) is entered into by and between dscout, Inc. (“dscout”) and _____ (“Customer”) and amends and/or is hereby incorporated into the [Master Agreement (as amended from time to time, the “Agreement”)] under which dscout agreed to provide access to dscout’s website, mobile application, and related tools for research (collectively, the “Platform”) as described in such Agreement (the “Access”) to Customer. All capitalized terms used in this document but not defined shall have the meaning set forth in the Agreement. Customer and dscout shall hereafter be collectively known as the “Parties” and individually known as a “Party”. To the extent that any of the terms or conditions contained in this Addendum may contradict or conflict with any of the terms or conditions of the Agreement, it is expressly understood and agreed that the terms of this Addendum shall take precedence and supersede the Agreement.
In the course of providing the Access to the Platform under the Agreement, the Parties consider it necessary to share Personal Data for the purpose of offering and utilizing the dscout Platform as set forth in the Agreement (the “Purpose”).
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means all laws and regulations, including laws and binding regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information relating to an identified or identifiable individual and has the meaning set forth in any applicable law pertaining to Personal Data, personal information, and/or personally identifiable information.
“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
2. PROCESSING OF PERSONAL DATA
2.1 Legal Posture of the Parties. Each Party is a controller of Personal Data and is independently responsible for compliance with Data Protection Law with respect to its own processing of such Personal Data in connection with this Agreement, including data subject notice and transparency requirements and the requirement to obtain any legally required consents or take any other necessary steps to lawfully conduct its business.
2.2 Processing Obligations. Each Party agrees to only Process the Personal Data it receives from the other Party in accordance with the Agreement and this DPA. Each Party agrees it shall (i) only provide such Personal Data to the other Party in accordance with Data Protection Law and (ii) obtain any necessary consents or waivers in order to provide such Personal Data to the other Party. If Customer wishes to make Personal Data received in connection with the Agreement publicly available or share it beyond its Subprocessors, it will coordinate with dscout to receive appropriate consent of the applicable Data Subject.
2.3 Data Transfer. dscout participates in and has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Framework. dscout is committed to subjecting all Personal Data transferred from the European Union to the applicable EU-U.S. and Swiss-U.S. Privacy Shield Framework Principles (“Privacy Shield”). Customer agrees (i) to process the Personal Data with the same level of protection as the Privacy Shield Principles; and (ii) if Customer determines that it can no longer provide this level of protection, Customer will promptly notify dscout of this determination, and (iv) in that case, or upon notice, Customer will take reasonable and appropriate steps to stop and remediate unauthorized processing of the data.
3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject Requests. Each Party shall be responsible for responding to and, if required, complying with, any such requests related to Personal Data it receives from Data Subjects, including but not limited to any requests from a Data Subject to exercise rights pursuant to Articles 12-23 of the GDPR (each, a “Data Subject Request”). Where Customer receives a request relating to Personal Data in the possession of dscout, or relating to Personal Data that dscout has a right to access or modify under the Agreement, Customer shall, as soon as reasonably practical and in any event within three (3) business days, forward the request to dscout, and, if requested by dscout, promptly inform the Data Subject that it has done so and that dscout will manage the response. Customer and dscout agree to provide reasonable and prompt assistance as is necessary to each other to enable response to and/or compliance with any such requests, and to respond to any other queries or complaints from Data Subjects.
4.1 Security Measures. Each Party agrees to implement appropriate technical, physical, and organizational measures to protect Personal Data in its possession against unauthorized access; against unauthorized or unlawful processing; and against accidental loss, destruction, damage, alteration, or disclosure.
4.2 Incident Notification. Each Party agrees to promptly notify the other following the discovery of any potential or actual loss of or unauthorized access to Personal Data received from the other Party. Customer shall notify dscout immediately if Customer suspects or becomes aware of any unauthorized use of Customer’s username or password. Each Party agrees to provide reasonable assistance as is necessary to facilitate the handling of any such Personal Data incident, including, as applicable, in investigating and remediating the breach, cooperating with any supervisory authorities and law enforcement, and assisting with any notifications as required.
If Customer has previously executed a data processing addendum with dscout, this DPA supersedes and replaces such prior Data Processing Addendum.