This Addendum applies to the Processing of Personal Information carried out by GumGum in connection with GumGum’s services (the “Services”) provided to Customer and its applicable Affiliates and shall survive the termination or expiration of the Main Agreement for so long as GumGum or its subcontractors Process the Personal Data.
In the event that any terms of this Addendum and its appendices are inconsistent with any other terms of the Main Agreement or any data protection addendum thereunder, the parties intend for the terms of this Addendum, its appendices, and the Main Agreement to be construed in the manner that permits each party to fulfill its obligations under applicable law.
GumGum will Process all Personal Data solely to fulfill its obligations to Customer under the Main Agreement, including this Addendum, and on Customer’s behalf, and for no other purposes, unless otherwise required by Applicable Data Protection Laws to which GumGum is subject. In such case, GumGum will inform Customer of that legal requirement before Processing, unless that law prohibits Customer from providing such information on important grounds of public interest within the meaning of Applicable Data Protection Laws.
Without limiting the foregoing, Customer directs GumGum to Process Personal Data in accordance with Customer’s written instructions, as may be provided by Customer to GumGum from time to time, and in the following manner:
Subject matter, nature, and purpose of Processing- GumGum will process data solely to provide Customer with services and to fulfill its purposes under the Main Agreement, which may include any lawful processing or business purposes as provided for under Applicable Data Protection Laws.
Categories of Personal Data typically subject to Processing under the Main Agreement- All types of Personal Data, except for special categories of data, as that term is defined under the GDPR. Customer represents and warrants to GumGum that Customer shall not transfer or otherwise provide to GumGum any Personal Data that may constitute special categories of personal data.
Typical categories of Data Subjects- As set forth in Appendix 2 (download here).
Anticipated duration of Processing- For the term of the Main Agreement or to the extent that GumGum continues to Process Personal Data, whichever is longer.
GumGum will not:
Sell Personal Data for any purpose except as permitted in the Main Agreement. For purposes of this paragraph, “Sell” shall have the meaning set forth under the CCPA.
Process Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, GumGum will not Process Personal Data outside of the direct business relationship between Customer and GumGum.
Attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Customer.
Information that has been de-identified is not Personal Data. GumGum may de-identify Personal Data only if it:
GumGum will only Process Personal Data as set forth in this Addendum and in compliance with Applicable Data Protection Laws.
GumGum hereby certifies that it understands its restrictions and obligations set forth in this Addendum and will comply with them.
Security Safeguards. GumGum will implement and maintain appropriate administrative, technical, physical, and organizational measures to protect Personal Data to assure the following:
Audits. Without prejudice to the Main Agreement, GumGum will provide and make available to Customer such information and assistance as may be required to facilitate audits, and any other information necessary to complete a data protection impact assessment or confirm compliance with any provision of this Addendum, the Main Agreement and all Applicable Data Protection. For the avoidance of doubt, this provision will not require GumGum to provide Customer with access to the confidential information of GumGum’s other customers or other confidential or proprietary information belonging to GumGum.
Upon termination or expiration of the Main Agreement, at Customer’s request or as pursuant to Applicable Data Protection Laws, GumGum shall return to Customer a complete copy of the Personal Information it Processed in connection with the Main Agreement, in a form and format reasonably agreed upon by the parties. Following Customer’s confirmation that it received this copy, GumGum shall securely dispose of all Personal Information remaining in its possession or control.
Customer acknowledges and agrees that GumGum may use GumGum Affiliates and/or subcontractors to Process Personal Data in accordance with the provisions within this Addendum and Applicable Data Protection Laws. GumGum shall provide Customer with a current list of subcontractors upon Customer’s request.
Where GumGum sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, GumGum will (i) take steps to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with Applicable Data Protection Laws, and (ii) enter into a written agreement with each subcontractor that imposes obligations on the subcontractor that are no less restrictive than those imposed on GumGum under this Addendum.
In addition to any indemnity obligations of GumGum pursuant to the Main Agreement, GumGum shall be liable for and shall indemnify Customer against any and all claims, actions, liabilities, losses, damages and expenses (including legal expenses) incurred by the Customer resulting from a violation of this Addendum directly by GumGum or GumGum’s subcontractors and assignees, including without limitation those arising out of any third-party demand, claim or action, including by a data protection authority, or any material breach of contract, negligence, fraud, willful misconduct, breach of statutory duty or non-compliance with any applicable data protection laws and regulations by GumGum. For the avoidance of doubt, the parties acknowledge and agree that the terms of this indemnification provision do not supersede, but rather are in addition to and are in no way inconsistent with any indemnification provision of the Main Agreement.
GumGum’s liability arising out of or related to this Addendum is subject to the provisions on limitation of liability stated in the Main Agreement. In addition, Customer is responsible for its own liability and obligations of compliance with respect to all Applicable Data Protection Laws, and GumGum bears no liability for Customer’s breach with these laws, except as set forth in this Addendum.
Unless otherwise required by the Standard Contractual Clauses as defined under GDPR, or other data transfer requirements, this Addendum will be subject to the governing law identified in the Agreement without giving effect to conflict of laws principles.
“Addendum Effective Date” means January 1, 2020 or the effective date set forth in the Main Agreement, whichever is later.
“Affiliates” means a company, person, or entity that is owned or controlled by or is under common ownership or control with a party.
Ownership shall mean direct or indirect ownership of more than 50% of the shares in a company or entity, and control shall mean any power to appoint persons to the board of directors of a company or entity.
“Applicable Data Protection Laws" shall mean all applicable data protection laws and regulations in any relevant jurisdiction relating to the processing of personal data and privacy, including, but not limited to, the Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018 (California Consumer Privacy Act, “CCPA”), Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “GDPR”).
“Data Controller or “Controller” means (a) the person or entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information, or (b) a “Covered Business” as defined under the CCPA.
“Data Processor” or “Processor” means the person or entity that Processes Personal Information on behalf of the Data Controller.
“Data Subject” means (a) an identified or identifiable natural person who is in the European Economic Area (“EEA”) or whose rights are protected by the GDPR, (b) a “Consumer” as defined under the CCPA, or (c) any other protected classification of individuals intended to be covered by relevant data protection laws.
“Personal Data” or “Personal Information” shall mean (a) any information relating to an identified or identifiable natural person and (b) any information defined as “personally identifiable information,” “personal information,” “personal data,” or similar terms as defined under applicable laws or regulations, limited to that Personal Information GumGum Processes in connection with Services provided to a Customer.
“Process” or “Processing” means (a) a natural or legal person which processes personal data on behalf of the controller or (b) a “Service Provider” as defined under the CCPA, and applies to the operation or set of operations performed upon Personal Information, whether or not by automatic means.
“Sell” or “Selling” shall have the meaning defined under the CCPA.
"Sub-Processor" means (a) any processor engaged by the Processor or by any other Sub-Processor of the Processor who agrees to receive the Personal Data exclusively intended for processing activities to be carried out on behalf of the Controller after the transfer of Personal Data in accordance with the Data Controller’s instructions and in connection with the Main Agreement for the provision of services to the Data Controller or (b) a “Service Provider” as defined under the CCPA.
To download a complete copy of GumGum's Global Data Processing Addendum for Clients, please click here.