LAST UPDATED: DECEMBER 23, 2019
This Global Data Processing Addendum (“Addendum”) effective as of the Addendum Effective Date (as defined below), specifically amends the global data protection obligations of GumGum, Inc. (“GumGum”) as a “Data Controller” or “Covered Business” to the business or entity (herein referred to as “Data Processor”) to whom GumGum has entered into a Services Agreement (the “Main Agreement”), whereby Data Processor processes Personal Information.
1. Order of Precedence & Interpretation
In the event that any terms of this Addendum and its appendices are inconsistent with any other terms of the Main Agreement or any data protection addendum thereunder, the parties intend for the terms of this Addendum, its appendices, and the Main Agreement to be construed in the manner that permits each party to fulfill its obligations under applicable law.
2. Scope & Purposes of Processing; Retention
Data Processor will Process all Personal Data solely to fulfill its obligations to GumGum under the Main Agreement, including this Addendum, and on GumGum’s behalf, and for no other purposes, unless otherwise required by Applicable Data Protection Laws. In such case, Data Processor will inform GumGum of that legal requirement before Processing.
Without limiting the foregoing, GumGum directs Data Processor to Process Personal Data in accordance with GumGum’s written instructions, as may be provided by GumGum to Data Processor from time to time, and in the following manner:
Subject matter, nature, and purpose of Processing - Data Processor will process data solely to provide GumGum with services and to fulfill its purposes under the Main Agreement, which may include any lawful processing or business purposes as provided for under Applicable Data Protection Laws.
Categories of Personal Data typically subject to Processing under the Main Agreement - All types of Personal Data, except for special categories of data, as that term is defined under the GDPR. GumGum represents and warrants to Data Processor that GumGum shall not transfer or otherwise provide to Data Processor any Personal Data that may constitute special categories of personal data.
Typical categories of Data Subjects - As set forth in Appendix 2.
Anticipated duration of Processing - For the term of the Main Agreement or to the extent that Data Processor continues to lawfully Process Personal Data, whichever is longer.
Data Processor will not:
Sell Personal Data for any purpose except as permitted in the Main Agreement. For purposes of this paragraph, “Sell” shall have the meaning set forth under the CCPA.
Process Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, Data Processor will not Process Personal Data outside of the direct business relationship between GumGum and Data Processor.
Attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of GumGum.
Information that has been de-identified is not Personal Data. “De-identified” shall have the meaning set forth under the Applicable Data Protection Laws (and may include similar terms such as “pseudo-anonymized”).
Data Processor may de-identify Personal Data only if the Data Processor:
- Has implemented technical safeguards that prohibit reidentification of the Data Subject to whom the information may pertain;
- Has implemented business processes that specifically prohibit reidentification of the information; and
- Makes no attempt to reidentify the information.
3. Data Processor’s Compliance with Laws
Data Processor will only Process Personal Data as set forth in this Addendum and in compliance with Applicable Data Protection Laws.
Data Processor hereby certifies that it understands its restrictions and obligations set forth in this Addendum and will comply with them.
4. Personal Data Processing Requirements
Data Processor will:
Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that such persons are aware of the procedures that Data Processor has put in place and receive appropriate training on data protection and security.
Upon written request of GumGum, assist GumGum in the fulfilment of GumGum’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights under Applicable Data Protection Laws, such as rights to access or delete Personal Data.
Promptly notify GumGum of (i) any third-party or Data Subject requests or complaints regarding the Processing of Personal Data or (ii) any government or Data Subject requests for access to or information about Data Processor’s Processing of Personal Data on GumGum’s behalf, unless prohibited by Applicable Data Protection Laws. If Data Processor receives a third-party, Data Subject, or governmental request, Data Processor will await written instructions from GumGum on how, if at all, to assist in responding to the request. Data Processor will provide GumGum with reasonable cooperation and assistance in relation to any such request.
Provide reasonable assistance to and cooperation with GumGum for GumGum’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data.
Provide reasonable assistance to and cooperation with GumGum for any consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Data Processor under Applicable Data Protection Laws to consult with a regulatory authority in relation to Data Processor’s Processing or proposed Processing of Personal Data.
5. Security Safeguards & Incident Reporting; Audit Rights
Security Safeguards. Data Processor will implement and maintain appropriate administrative, technical, physical, and organizational measures to protect Personal Data to assure the following:
Data Processor will comply with the obligations related to security breaches that are directly applicable to it under data privacy laws. Data Processor will implement and maintain technical and organizational security measures to adequately protect each GumGum Affiliate’s Personal Information against the risks inherent in the (a) Processing of Personal Information for the purposes identified in the Main Agreement and (b) unauthorized or unlawful Processing, destruction, damage, misuse, or loss. Data Processor will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information it Processes.
Data Processor shall assist GumGum in response to requests from data protection authorities relating to the Processing of Personal Information in connection with the Main Agreement. In the event that any such request is made directly to Data Processor, Data Processor shall not respond to such communication directly without GumGum’s prior authorization, unless legally compelled to do so. In such instance that Data Processor is legally required to respond to such a request, Data Processor shall promptly notify GumGum and provide it with a copy of the request unless legally prohibited from doing so.
Data Processor will promptly and without undue delay and in any case no later than twenty-four (24) hours after becoming aware, inform GumGum in the event of (a) any serious interruption of Data Processor’s Processing operations; (b) any unauthorized acquisition, loss, access, or use of Personal Information; or (c) any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosures of, or access to Personal Information (altogether, a “Security Incident”).
Audits. Without prejudice to the Main Agreement, GumGum will provide and make available to GumGum such information and assistance as may be required to facilitate audits, and any other information necessary to complete a data protection impact assessment or to confirm compliance with any provision of this Addendum, the Main Agreement, and all Applicable Data Protection Laws. For the avoidance of doubt, this provision will not require Data Processor to provide GumGum with access to the confidential information of Data Processor’s other customers or other confidential or proprietary information belonging to Data Processor.
6. Data Deletion
Upon termination or expiration of the Main Agreement, at GumGum’s request or as pursuant to Applicable Data Protection Laws, Data Processor shall return to GumGum a complete copy of the Personal Information it Processed in connection with the Main Agreement, in a form and format reasonably agreed upon by the parties. Following GumGum’s confirmation that it received such copy, Data Processor shall securely dispose of all Personal Information remaining in its possession or control.
GumGum acknowledges and agrees that Data Processor may use Data Processor Affiliates and/or subcontractors to Process Personal Data in accordance with the provisions within this Addendum and Applicable Data Protection Laws. Data Processor shall provide GumGum with a current list of its subcontractors in the attached Appendix 2, and upon GumGum’s reasonable written request from time to time.
Where Data Processor subcontracts any of its rights or obligations concerning Personal Data, including to any Affiliate, Data Processor will (i) take commercially reasonable measures to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with Applicable Data Protection Laws and (ii) enter into a written agreement with each subcontractor that imposes obligations on the subcontractor that are no less restrictive than those imposed on Data Processor under this Addendum.
In addition to any indemnity obligations of Data Processor pursuant to the Main Agreement, Data Processor shall be liable for and shall indemnify GumGum against any and all claims, actions, liabilities, losses, damages and expenses (including legal expenses) incurred by GumGum resulting from a violation of this Addendum by Data Processor or Data Processor’s subcontractors and assignees, including without limitation those arising out of any third-party demand, claim or action, including by a data protection authority, or any material breach of contract, negligence, fraud, willful misconduct, breach of statutory duty, or non-compliance with any applicable data protection laws and regulations by Data Processor. For the avoidance of doubt, the parties acknowledge and agree that the terms of this indemnification provision do not supersede, but rather are in addition to and are in no way inconsistent with any indemnification provision of the Main Agreement.
9. Limitation of Liability
Data Processor’s liability arising out of or related to this Addendum is subject to the provisions on limitation of liability stated in the Main Agreement. In addition, GumGum is responsible for its own liability and obligations of compliance with respect to all Applicable Data Protection Laws, and Data Processor bears no liability for GumGum’s breach of these laws, except as set forth in this Addendum.
10. Governing Law
Unless otherwise required by the Standard Contractual Clauses as defined under GDPR, or other data transfer requirements, this Addendum will be subject to the governing law identified in the Main Agreement without giving effect to conflict of laws principles.
“Addendum Effective Date” means January 1, 2020 or the effective date set forth in the Main Agreement, whichever is later.
“Affiliates” means a company, person, or entity that is owned or controlled by or is under common ownership or control with a party. Ownership shall mean direct or indirect ownership of more than 50% of the shares in a company or entity, and control shall mean any power to appoint persons to the board of directors of a company or entity.
“Applicable Data Protection Laws” shall mean all applicable data protection laws and regulations in any relevant jurisdiction relating to the processing of personal data and privacy, including, but not limited to, the Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, relating to privacy and approved by the California Governor on June 28, 2018 (California Consumer Privacy Act, “CCPA”), and Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, “GDPR”).
“Data Controller” or “Controller” means (a) the person or entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information, or (b) a “Covered Business” as defined under the CCPA.
“Data Processor” or “Processor” means the person or entity that Processes Personal Information on behalf of the Data Controller.
“Data Subject” means (a) an identified or identifiable natural person who is in the European Economic Area (“EEA”) or whose rights are protected by the GDPR, (b) a “Consumer” as defined under the CCPA, or (c) any other protected classification of individuals intended to be covered by relevant data protection laws.
“Personal Data” or “Personal Information” shall mean (a) any information relating to an identified or identifiable natural person and (b) any information defined as “personally identifiable information,” “personal information,” “personal data,” or similar terms as defined under applicable laws or regulations, limited to that Personal Information GumGum Processes in connection with Services provided to a Customer.
“Process” or “Processing” means (a) a natural or legal person which processes personal data on behalf of the controller or (b) a “Service Provider” as defined under the CCPA, and applies to the operation or set of operations performed upon Personal Information, whether or not by automatic means.
“Sell” or “Selling” shall have the meaning defined under the CCPA.
"Sub-Processor" means (a) any processor engaged by the Processor or by any other Sub-Processor of the Processor who agrees to receive the Personal Data exclusively intended for processing activities to be carried out on behalf of the Controller after the transfer of Personal Data in accordance with the Data Controller’s instructions and in connection with the Main Agreement for the provision of services to the Data Controller or (b) a “Service Provider” as defined under the CCPA.