DATA PROCESSING ADDENDUM

This Data Processing Addendum (“Addendum”) forms part of a service agreement (the “Agreement”) entered into between IO Integration Incorporated (“IOI”), including subsidiaries and the Customer to whom IOI provides the services (“Customer”), either previously or concurrently with this Addendum.

Where there is any conflict between the terms of the Agreement and the terms of this Addendum, the terms of this Addendum shall prevail. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by and including this Addendum.

THE PARTIES AGREE AS FOLLOWS:

1. SCOPE

The following clauses will only apply to the extent that Data Protection Legislation applies to Protected Data (both as defined below).

2. DEFINITIONS

Appropriate Safeguards: means such legally enforceable mechanism(s) for transfers of Personal Data outside the European Economic Area as may be permitted under Data Protection Legislation from time to time.
Controller: has the meaning given to that term in Data Protection Legislation.
Data Protection Legislation: means any applicable UK or EU law, statute, regulation, or sub-ordinate legislation and all policies, codes of conduct, direction, policy rule, or order issued by any regulatory body having jurisdiction over a party that is from time to time in force, relating to data protection, privacy and the processing of personal data, including:

(a) the GDPR from the date the GDPR applies (as set out in Article 99 Entry into force and application) and/or

(b) any corresponding or equivalent national laws or regulations from the date that they come into force.

Data Subject: has the meaning given to it in Data Protection Legislation.

EU: The European Union.

UK: The United Kingdom of Great Britain and Northern Ireland.

GDPR: means the General Data Protection Regulation (EU) 2016/679.

Member State: A member state of the EU.

Personal Data: has the meaning given to that term in Data Protection Legislation.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Protected Data on systems managed by or otherwise controlled by IOI, excluding unsuccessful attempts or activities that do not compromise the security of the Protected Data.

Processing or processing: has the meaning given to that term in Data Protection Legislation and related terms such as ‘process’ have corresponding meanings.

Processor: has the meaning given to that term in Data Protection Legislation.

Protected Data: means Personal Data processed by IOI on behalf of the Customer as a Processor in connection with the provision of the Services.

Sensitive Data: means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences; and/or (e) account passwords in unhashed form.

Services: The services IOI provides to the Customer pursuant to the Agreement.

Sub-Processor: another processor engaged by IOI for carrying out processing activities in respect of the Protected Data as part of the Services.

Supervisory Authority: An independent public authority which is established by a Member State or the UK pursuant to Article 51 of the GDPR.

The definitions in this clause should, as far as possible, be interpreted in accordance with the GDPR.

3. GENERAL

3.1. The Annexes form part of this Addendum and shall have effect as if set out in full in the body of this Addendum. Any reference to this Addendum includes the Annexes.

3.2. The Customer has engaged IOI to perform and deliver the Services which may require IOI to process Personal Data on behalf of the Customer as a Processor.

3.3. Annex A (“Details of Processing”) contains details about the processing of Protected Data by IOI.

4. INSTRUCTIONS BY CONTROLLER

4.1. IOI agrees that it shall only carry out processing of Protected Data on the documented instructions of the Customer as set out in this Addendum and Annex A (“Details of the Processing”), as updated from time to time upon written Agreement between the parties (including with regard to the transfer of Personal Data to a third country or an international organization).

4.2. IOI may process the Protected Data outside of the instructions of the Customer if IOI is required to do so by EU or Member State law to which IOI is subject; in such a case, IOI shall, to the extent permitted by law, inform the Customer of that legal requirement before processing.

5. SENSITIVE DATA

The Parties agree that the Services are not intended for the Processing of Sensitive Data and that if the Customer wishes to use the Services to Process Sensitive Data, it must first obtain the Processor’s explicit prior written consent and enter into any additional agreements as may be required by IO Integration.

6. SECURITY

6.1. IOI shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the costs of implementation and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

6.2. IOI shall, in assessing the appropriate level of security, take into account, in particular, the risks that are presented by processing, in particular from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

7. CONFIDENTIALITY

7.1. IOI shall ensure that persons authorized by them to process the Protected Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8. COOPERATION AND INFORMATION

8.1. IOI shall provide such information and assistance to the Customer as the Customer may reasonably require to allow it to comply with requirements of the GDPR, including information and assistance relating to the security of processing, notification of Personal Data Breaches to the Supervisory Authority, communication of a Personal Data Breach to the Data Subject (where required), data protection impact assessments and/or prior consultation with a Supervisory Authority regarding high-risk processing.

9. REQUESTS

9.1. IOI shall promptly assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.

10. DATA BREACH

10.1. IOI shall notify the Customer of any Personal Data Breach promptly upon becoming aware of such Personal Data Breach.

10.2. In the case of a Personal Data Breach, IOI will assist the Customer in meeting its obligations under Articles 33 and 34 of the GDPR to inform the competent Supervisory Authority and Data Subjects. As the Controller, the Customer is solely responsible for complying with its notification obligations for Personal Data Breaches under Data Protection Legislation.

11. SUB-PROCESSORS

11.1. The Customer acknowledges and agrees that IOI engages Sub-Processors to provide certain services. The Customer provides general consent to the engagement of such Sub-Processors. The current Sub-Processors are set out in Annex B.

11.2. IOI may only subcontract the processing of Protected Data under this Addendum to a Sub-Processor if IOI has imposed legally binding contractual terms substantially the same as those contained in this Addendum on the Sub-Processor.  The Customer acknowledges and agrees that it has no right to audit and inspect a Sub-Processor’s facilities and premises and that IOI shall not be obliged to include such rights in its agreements with Sub-Processors.

12. AUDITS AND COMPLIANCE

12.1. Upon reasonable request of the Customer, IOI agrees to make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Addendum and the Data Protection Legislation and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer subject to clause 11.2.

12.2. The Customer shall give IOI reasonable prior notice of any information request, audit, or inspection and ensure that such audit or inspection is undertaken during normal business hours for IOI and with minimal disruption to IOI.  The Customer shall ensure that all information obtained or generated by the Customer pursuant to clause 11.1 is kept strictly confidential (save for disclosure to a Supervisory Authority or as otherwise required by applicable law).  The Customer shall pay IOI’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.

12.3 IOI may object to any third-party auditor appointed by the Customer to conduct any audit or inspection under clause 11.1 if the auditor is not, in IOI’s reasonable opinion, suitably qualified or independent. Nothing in clause 11.1 gives the Customer any right to access any data of any other customer of IOI or any information that could cause IOI to breach its obligations under Data Protection Legislation and/or its confidentiality or privacy obligations to any third party.

13. DATA RETENTION AND DISPOSAL

13.1. IOI shall, at the express choice of the Customer and upon the end of the provision of Services relating to processing, either return to the Customer or delete or destroy all copies of the Protected Data in IOI’s possession or control and if the Customer requests, certify to the Customer that it has done so unless EU or Member State law requires the storage of the Protected Data.

14. DATA TRANSFERS

14.1 IOI shall not transfer Protected Data outside the European Economic Area unless there are Appropriate Safeguards in place, and any transfer shall be in accordance with Data Protection Legislation.

15. AMENDMENTS

15.1 IOI may amend this Addendum at any time where required to comply with any applicable laws or where such amendments do not result in a material reduction in the protection of the Protected Data and do not breach Data Protection Legislation.

16. LIABILITY

16.1. IOI’s liability under this Addendum shall be subject to the exclusions and limitations set out in the Agreement.

17. ENTRY INTO FORCE AND DURATION

17.1. This Addendum will enter into force upon signing by both parties of the Agreement.

17.2. This Addendum will remain in effect until the Agreement is terminated.

Annex A – Details of the Processing

Nature and purpose of Processing

The processing of Personal Data to the extent necessary in providing the Services.

  • Providing the Services to Customers;
  • Performing the Agreement, this DPA and/or other contracts executed by the Parties;
  • Acting upon Customer’s instructions, where such instructions are consistent with the terms of the Agreement;
  • Complying with applicable laws and regulations;
  • All tasks related with any of the above.

Duration of the Processing

  • Subject to any section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.

Types of Personal Data processed

  • Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion.

Categories of Data Subjects

Customers may submit Personal Data to the Services, which may include but is not limited to, Personal Data relating to the following categories of Data Subjects:

  • Employees, agents, advisors, freelancers of Customer (who are natural persons).
  • Prospects, customers, business partners, and vendors of Customer (who are natural persons).
  • Employees or contact persons of Customer’s prospects, customers, business partners, and vendors.
  • Any other third-party individual with whom Customer decides to communicate through the Services.

Annex B – Sub Processors

| Sub-Processor | Applicable Service | Subject Matter | Nature of Processing | Hosting Region | EU & UK Data Transfer Mechanism |
|---|---|---|---|---|---|
| AWS | IO AppFlow, Support Services | Personal data contained in communications sent through or uploaded to the services. | Infrastructure Provider hosting compute and storage services. | United States | SCC |
| DataDog | IO AppFlow | Personal data contained in System and Event Log | Operational Monitoring | United States | SCC |
| Microsoft | All Services | Personal data contained in communications sent through the Services | Identity Management, General Business, and Customer Operations. | United States | SCC |
