LAST UPDATED DECEMBER 23, 2019
This Addendum applies to the Processing of Personal Information carried out by GumGum in connection with GumGum’s services (the “Services”) provided to Customer and its applicable Affiliates and shall survive the termination or expiration of the Main Agreement for so long as GumGum or its subcontractors Process the Personal Data.
1. Order of Precedence & Interpretation
In the event that any terms of this Addendum and its appendices are inconsistent with any other terms of the Main Agreement or any data protection addendum thereunder, the parties intend for the terms of this Addendum, its appendices, and the Main Agreement to be construed in the manner that permits each party to fulfill its obligations under applicable law.
2. Scope & Purposes of Processing; Retention
GumGum will Process all Personal Data solely to fulfill its obligations to Customer under the Main Agreement, including this Addendum, and on Customer’s behalf, and for no other purposes, unless otherwise required by Applicable Data Protection Laws to which GumGum is subject. In such case, GumGum will inform Customer of that legal requirement before Processing, unless that law prohibits Customer from providing such information on important grounds of public interest within the meaning of Applicable Data Protection Laws.
Without limiting the foregoing, Customer directs GumGum to Process Personal Data in accordance with Customer’s written instructions, as may be provided by Customer to GumGum from time to time, and in the following manner:
Subject matter, nature, and purpose of Processing- GumGum will process data solely to provide Customer with services and to fulfill its purposes under the Main Agreement, which may include any lawful processing or business purposes as provided for under Applicable Data Protection Laws.
Categories of Personal Data typically subject to Processing under the Main Agreement- All types of Personal Data, except for special categories of data, as that term is defined under the GDPR. Customer represents and warrants to GumGum that Customer shall not transfer or otherwise provide to GumGum any Personal Data that may constitute special categories of personal data.
Typical categories of Data Subjects- As set forth in Appendix 2 (download here).
Anticipated duration of Processing- For the term of the Main Agreement or to the extent that GumGum continues to Process Personal Data, whichever is longer.
GumGum will not:
Sell Personal Data for any purpose except as permitted in the Main Agreement. For purposes of this paragraph, “Sell” shall have the meaning set forth under the CCPA.
Process Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, GumGum will not Process Personal Data outside of the direct business relationship between Customer and GumGum.
Attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Customer.
Information that has been de-identified is not Personal Data. GumGum may de-identify Personal Data only if it:
- Has implemented technical safeguards that prohibit reidentification of the Data Subject to whom the information may pertain;
- Has implemented business processes that specifically prohibit reidentification of the information; and
- Makes no attempt to reidentify the information.
3. GumGum’s Compliance with Laws
GumGum will only Process Personal Data as set forth in this Addendum and in compliance with Applicable Data Protection Laws.
GumGum hereby certifies that it understands its restrictions and obligations set forth in this Addendum and will comply with them.
4. Personal Data Processing Requirements
- Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons are aware of the procedures that GumGum has put in place and receive appropriate training on data protection and security.
- Upon written request of Customer, assist Customer in the fulfilment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights under Data Privacy Laws, such as rights to access or delete Personal Data.
- Promptly notify Customer of (i) any third-party or Data Subject requests or complaints regarding the Processing of Personal Data or (ii) any government or Data Subject requests for access to or information about GumGum’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Privacy Laws. If GumGum receives a third-party, Data Subject, or governmental request, GumGum will await written instructions from Customer on how, if at all, to assist in responding to the request. GumGum will provide Customer with reasonable cooperation and assistance in relation to any such request.
- Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data.
- Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to GumGum under Data Privacy Laws to consult with a regulatory authority in relation to GumGum’s Processing or proposed Processing of Personal Data.
5. Security Safeguards & Incident Reporting; Audit Rights
Security Safeguards. GumGum will implement and maintain appropriate administrative, technical, physical, and organizational measures to protect Personal Data to assure the following:
- GumGum will comply with the obligations related to security breach that is directly applicable to it under data privacy laws. GumGum will implement and maintain technical and organizational security measures to adequately protect each Customer Affiliate’s Personal Information against the risks inherent in the (a) Processing of Personal Information for the purposes identified in the Main Agreement, and (b) unauthorized or unlawful Processing and destruction, damage, misuse and loss. GumGum will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information it Processes.
- GumGum shall assist Customer in response to requests from data protection authorities relating to the Processing of Personal Information in connection with the Main Agreement. In the event that any such request is made directly to GumGum, GumGum shall not respond to such communication directly without the Customer’s prior authorization, unless legally compelled to do so. If GumGum is required to respond to such a request, GumGum shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
- GumGum will promptly and without undue delay and in any case no later than twenty-four (24) hours after becoming aware, inform Customer in the event of: (a) any serious interruption of GumGum’s Processing operations; (b) any unauthorized acquisition, loss, access, or use of Personal Information; or (c) any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosures of, or access to Personal Information (altogether, a “Security Incident”).
Audits. Without prejudice to the Main Agreement, GumGum will provide and make available to Customer such information and assistance as may be required to facilitate audits, and any other information necessary to complete a data protection impact assessment or confirm compliance with any provision of this Addendum, the Main Agreement and all Applicable Data Protection. For the avoidance of doubt, this provision will not require GumGum to provide Customer with access to the confidential information of GumGum’s other customers or other confidential or proprietary information belonging to GumGum.
6. Data Deletion
Upon termination or expiration of the Main Agreement, at Customer’s request or as pursuant to Applicable Data Protection Laws, GumGum shall return to Customer a complete copy of the Personal Information it Processed in connection with the Main Agreement, in a form and format reasonably agreed upon by the parties. Following Customer’s confirmation that it received this copy, GumGum shall securely dispose of all Personal Information remaining in its possession or control.
Customer acknowledges and agrees that GumGum may use GumGum Affiliates and/or subcontractors to Process Personal Data in accordance with the provisions within this Addendum and Applicable Data Protection Laws. GumGum shall provide Customer with a current list of subcontractors upon Customer’s request.
Where GumGum sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, GumGum will (i) take steps to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with Applicable Data Protection Laws, and (ii) enter into a written agreement with each subcontractor that imposes obligations on the subcontractor that are no less restrictive than those imposed on GumGum under this Addendum.
In addition to any indemnity obligations of GumGum pursuant to the Main Agreement, GumGum shall be liable for and shall indemnify Customer against any and all claims, actions, liabilities, losses, damages and expenses (including legal expenses) incurred by the Customer resulting from a violation of this Addendum directly by GumGum or GumGum’s subcontractors and assignees, including without limitation those arising out of any third-party demand, claim or action, including by a data protection authority, or any material breach of contract, negligence, fraud, willful misconduct, breach of statutory duty or non-compliance with any applicable data protection laws and regulations by GumGum. For the avoidance of doubt, the parties acknowledge and agree that the terms of this indemnification provision do not supersede, but rather are in addition to and are in no way inconsistent with any indemnification provision of the Main Agreement.
9. Limitation of Liability
GumGum’s liability arising out of or related to this Addendum is subject to the provisions on limitation of liability stated in the Main Agreement. In addition, Customer is responsible for its own liability and obligations of compliance with respect to all Applicable Data Protection Laws, and GumGum bears no liability for Customer’s breach with these laws, except as set forth in this Addendum.
10. Governing Law
Unless otherwise required by the Standard Contractual Clauses as defined under GDPR, or other data transfer requirements, this Addendum will be subject to the governing law identified in the Agreement without giving effect to conflict of laws principles.
“Addendum Effective Date” means January 1, 2020 or the effective date set forth in the Main Agreement, whichever is later.
“Affiliates” means a company, person, or entity that is owned or controlled by or is under common ownership or control with a party.
Ownership shall mean direct or indirect ownership of more than 50% of the shares in a company or entity, and control shall mean any power to appoint persons to the board of directors of a company or entity.
“Applicable Data Protection Laws" shall mean all applicable data protection laws and regulations in any relevant jurisdiction relating to the processing of personal data and privacy, including, but not limited to, the Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018 (California Consumer Privacy Act, “CCPA”), Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “GDPR”).
“Data Controller or “Controller” means (a) the person or entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information, or (b) a “Covered Business” as defined under the CCPA.
“Data Processor” or “Processor” means the person or entity that Processes Personal Information on behalf of the Data Controller.
“Data Subject” means (a) an identified or identifiable natural person who is in the European Economic Area (“EEA”) or whose rights are protected by the GDPR, (b) a “Consumer” as defined under the CCPA, or (c) any other protected classification of individuals intended to be covered by relevant data protection laws.
“Personal Data” or “Personal Information” shall mean (a) any information relating to an identified or identifiable natural person and (b) any information defined as “personally identifiable information,” “personal information,” “personal data,” or similar terms as defined under applicable laws or regulations, limited to that Personal Information GumGum Processes in connection with Services provided to a Customer.
“Process” or “Processing” means (a) a natural or legal person which processes personal data on behalf of the controller or (b) a “Service Provider” as defined under the CCPA, and applies to the operation or set of operations performed upon Personal Information, whether or not by automatic means.
“Sell” or “Selling” shall have the meaning defined under the CCPA.
"Sub-Processor" means (a) any processor engaged by the Processor or by any other Sub-Processor of the Processor who agrees to receive the Personal Data exclusively intended for processing activities to be carried out on behalf of the Controller after the transfer of Personal Data in accordance with the Data Controller’s instructions and in connection with the Main Agreement for the provision of services to the Data Controller or (b) a “Service Provider” as defined under the CCPA.
To download a complete copy of GumGum's Global Data Processing Addendum for Clients, please click here.