Data Processing Addendum

Updated 28th. January 2019

This Data Processing Addendum (“Addendum”) supplements the Terms of Service Agreement (the “Agreement”) by and between Customer and ZIZERA as updated from time to time between Customer and ZIZERA.

This Addendum shall apply to personal data that ZIZERA processes in the course of providing Customer the Services under the Agreement. In this context, ZIZERA will act as “processor” to Customer who may act either as “controller” or “processor” with respect to Personal Data (as each term is defined in the GDPR). Unless otherwise defined in this Addendum or the Agreement, all capitalized terms under this Addendum will have the meanings given to them in Section 7 of this Addendum.

  1. INTERPRETATION - All terms of this Addendum shall be interpreted in accordance with the current interpretation of the GDPR and the relevant national laws by the relevant public authorities.

  2. No term of the Addendum shall be interpreted as setting out more burdensome obligations on ZIZERA than what follows from the current interpretation.

  3. In case of doubt as to the correct current interpretation of the GDPR, the interpretation that is least burdensome for ZIZERA shall take precedence.

  4. Should this Addendum include terms that are not in accordance with the GDPR at the time it becomes effective between Customer and ZIZERA the relevant term or terms is or are to be considered null and void.

  5. Should this Addendum include terms, that are repealed, become obsolete or are not applicable in accordance with the current interpretation, the relevant term or terms is or are to be considered null and void.

  6. CHANGES - When necessary, this Addendum will be changed due to the changing of relevant laws, regulations, current interpretations or due to inconveniencies in the terms of the Addendum.

  7. DEFINITIONS - The following definitions will be used throughout this Addendum.

    1. “Article” refers to an article in the GDPR.

    2. “Data subject” is an identified or identifiable natural person whose personal data is processed by the Customer or ZIZERA.

    3. “GDPR” means European Directives 2002/58/EC, the General Data Protection Regulation and any legislation and/or regulation, implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them (including the General Data Protection Regulation.

    4. “Parties” refers to both the ZIZERA and the Customer, collectively.

    5. “Personal Data” is any information relating to a Data subject, who can be identified, directly or indirectly, in particular to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity and is uploaded to the Services under Customer’s ZIZERA accounts.

    6. “Processing” means any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

    7. “Sub-processor” refers to an entity engaged by ZIZERA who agrees to receive personal data from the Customer exclusively intended for processing activities to be carried out on behalf of the Customer.

  8. INSTRUCTION TO PROCESS PERSONAL DATA - ZIZERA may only process the Personal Data on documented instructions from the Customer, unless required to do so by Union or Member State law to which ZIZERA is subject. In such a case, ZIZERA shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest in accordance with Article 28(3).

  9. Customer’s instructions at the time of entry into this Addendum is set forth in Appendix 1, thus ZIZERA may only process the categories of personal data and data regarding the Data subjects as listed in Appendix 1.

  10. When providing these services to the Customer, ZIZERA processes personal data for which the Customer is responsible, thus ZIZERA processes personal data on behalf of the Customer.

  11. The terms of the services are set out in further detail in the Agreement at zizera.com/terms of service

  12. OBLIGATIONS AND RIGHTS OF THE CUSTOMER - Customer has both the rights and the obligations to determine the purposes and means of the processing of personal data.

  13. Lawfulness of the data processing carried out by ZIZERA is the responsibility of the Customer, unless ZIZERA processes personal data outside the instruction to process personal data.

  14. Towards the Data subject and the outside world in general, namely the customers of the Customer, the Customer is responsible for the processing of personal data carried out by ZIZERA.

  15. CONFIDENTIALITY - ZIZERA ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  16. SECURITY OF PROCESSING - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ZIZERA will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk in order to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

  17. SUB-PROCESSORS - Under Article 28(2) and (4) ZIZERA shall not engage another processor (”Sub-processor”) without prior specific or general written authorization of the Customer.

  18. In the case of general written authorization, ZIZERA shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes.

  19. ZIZERA informs Customer via an e-mail notification of intended changes concerning the addition or replacement of Sub-processors. If the Customer has a reasonable basis to object to ZIZERA’s use of a new Sub-processor and therefore wishes to terminate the Agreement, the Customer shall notify ZIZERA within 10 business days after receipt of ZIZERA’s notice.

  20. Where ZIZERA engages a Sub-processor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in the Addendum shall be imposed on the Sub-processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.

  21. Where the Sub-processor fails to fulfil its data protection obligations, ZIZERA shall remain fully liable to the Customer for the performance of the Sub-processor's obligations.

  22. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES AND INTERNATIONAL ORGANISATIONS - ZIZERA processes the personal data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which ZIZERA is subject. In such a case, ZIZERA shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

  23. ZIZERA only transfers personal data to third countries in accordance with the GDPR, including the instructions from the Customer.

  24. ASSISTANCE TO THE CUSTOMER - Taking into account the nature of the processing, ZIZERA assists the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data subject's rights laid down in Chapter III of the GDPR, including the following:

    1. The obligation to provide information to the Data subject where personal data are collected from the Data subject

    2. The obligation to provide information to the Data subject where personal data have not been obtained from the Data subject

    3. The right of access by the Data subject

    4. The right to rectification

    5. The right to erasure (‘right to be forgotten’)

    6. The right to restriction of processing

    7. The obligation of the Customer to ensure, that notification regarding rectification or erasure of personal data or restriction of processing is given to each recipient

    8. The right to data portability

    9. The right to object

    10. The right to object against the result of automated individual decision-making, including profiling

  25. ZIZERA assists the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to ZIZERA, including the following:

    1. The obligation to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing.

    2. In the case of a personal data breach: The obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

    3. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons: The obligation to communicate the personal data breach to the Data subject without undue delay.

    4. Where a type of processing in particular using new technologies is likely to result in a high risk to the rights and freedoms of natural persons: The obligation to, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.

    5. Where a data protection impact assessment as set out in the previous term indicates that the processing would result in a high risk in the absence of measures taken by the Customer to mitigate the risk: The obligation to consult the supervisory authority prior to processing.

  26. NOTIFICATION OF A PERSONAL DATA BREACH - ZIZERA shall notify the Customer without undue delay after becoming aware of a personal data breach.

  27. ZIZERA, in accordance with the obligations to assist the Customer, shall on request provide the Customer with the following information:

    1. A description of the nature of the personal data breach including where possible, the categories and approximate number of Data subjects concerned and the categories and approximate number of personal data records concerned

    2. A description of the likely consequences of the personal data breach

    3. A description of the measures taken or proposed to be taken by ZIZERA to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

  28. DELETION AND RETURN OF PERSONAL DATA - At the request of the Customer, ZIZERA deletes or returns all the personal data to the Customer after the end of the provision of services in accordance with the Agreement relating to processing, and deletes existing copies unless Union or Member State law requires storage of the Personal Data.

  29. MONITORING AND AUDITS - ZIZERA makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

  30. ZIZERA shall immediately inform the Customer if, in its opinion, an instruction in accordance with the obligation of the Customer to monitor ZIZERA infringes the GDPR Regulation or other Union or Member State data protection provisions.

  31. If the Customer mandates a third party to conduct the audit on behalf of the Customer, the Customer must ensure that the third party enters into a non-disclosure agreement and that the third party takes necessary security measures when conducting the audit.

  32. Audits must be conducted during ZIZERA’s business hours and ZIZERA must be notified of audits within a reasonable time prior to the audit. The audit shall not grant the Customer access to ZIZERA’s trade secrets or proprietary information unless this is required in order for the Customer to comply with the GDPR.

  33. All costs incurred by ZIZERA as a consequence of the audit by the Customer, must be paid by the Customer.

  34. ZIZERA is obliged to give public authorities access to all personal data and to all information necessary for the performance of its tasks.

  35. ZIZERA is obliged to give public authorities access to any premises of ZIZERA, including to any data processing equipment and means, in accordance with Union or Member State procedural law.

  36. LIABILITY - Pursuant to Article 82.2 of the GDPR, ZIZERA shall only be liable for damage caused by processing where ZIZERA has not complied with obligations of the GDPR specifically directed to processors or where ZIZERA has acted outside or contrary to the Addendum.

  37. ZIZERA shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

  38. INDEMNIFICATION - If the Customer, against the regulations set forth in Appendix 1, collects sensitive personal data and thus makes ZIZERA process such information, the Customer undertakes to indemnify and hold ZIZERA harmless for any and all damages and losses incurred by ZIZERA due to the Customer’s breach of this Addendum and the Agreement.

  39. TERMINATION - This Addendum is terminated in accordance with the Agreement.

  40. The Addendum is not with standing binding until the end of the processing by ZIZERA on behalf of the Customer, including deletion from ZIZERA and possible Sub-processors.

  41. MISCELLANEOUS - The parties agree that this Addendum and the Agreement (including the provision of instructions via configuration tools such as ZIZERA management console and APIs made available by ZIZERA for the Services) constitute Customer’s documented instructions regarding ZIZERA’s processing of Personal Data (“Documented Instructions”). ZIZERA will process Personal Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between ZIZERA and Customer, including agreement on any additional fees payable by Customer to ZIZERA for carrying out such instructions. Customer is entitled to terminate this Addendum and the Agreement if ZIZERA declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this Addendum.

  42. Where Customer uses multiple of ZIZERA Services, Customer acknowledges that ZIZERA may combine information from Customer use of the Services to deliver integrated services across the suite of Services that Customer has purchased (for example to allow Customer to search across ZIZERA Services or to combine notifications from multiple Services). Customer also acknowledges that ZIZERA may process information generated by Authorized Users for research and analytical purposes, in order to improve, benchmark and develop the ZIZERA Services. ZIZERA will ensure that the results of this processing does not identify sensitive personal data of Customer or any of its Authorized Users and that all such processing is subject to appropriate technical and organizational measures.

  43. In the event of any conflict or inconsistency between the provision of the Agreement and this Addendum, the provisions of this Addendum shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum will be governed by the relevant provisions of the Agreement, including limitations of liability, venue and jurisdiction. Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. Except as otherwise expressly provided herein, no supplement, modification, or amendment of this Addendum will be binding, unless executed in writing by a duly authorized representative of each party to this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.