GLOBAL DATA PROCESSING ADDENDUM (VENDORS)
This Global Data Processing Addendum (“Addendum”) is effective as of the Addendum Effective Date (as defined below), specifically amends the global data protection obligations of GumGum, Inc. (“GumGum”) as a “Data Controller” or “Covered Business” to the business or entity (herein referred to as “Data Processor”) to whom GumGum has entered into a Services Agreement (the “Main Agreement”), whereby Data Processor processes Personal Information.
1. Order of Precedence & Interpretation
In the event that any terms of this Addendum and its appendices are inconsistent with any other terms of the Main Agreement or any data protection addendum thereunder, the parties intend for the terms of this Addendum, its appendices, and the Main Agreement to be construed in the manner that permits each party to fulfill its obligations under applicable law.
2. Scope & Purposes of Processing; Retention
- Subject matter, nature, and purpose of Processing Data Processor will process data solely to provide GumGum with services and to fulfill its purposes under the Main Agreement, which may include any lawful processing or business purposes as provided for under Applicable Data Protection Laws.Subject matter, nature, and purpose of Processing Data Processor will process data solely to provide GumGum with services and to fulfill its purposes under the Main Agreement, which may include any lawful processing or business purposes as provided for under Applicable Data Protection Laws.
- Categories of Personal Data typically subject to Processing under the Main Agreement - All types of Personal Data, except for special categories of data, as that term is defined under the GDPR. GumGum represents and warrants to Data Processor that GumGum shall not transfer or otherwise provide to Data Processor any Personal Data that may constitute special categories of personal data.
- Typical categories of Data Subjects - As set forth in Appendix 2 (download here).
- Anticipated duration of Processing - For the term of the Main Agreement or to the extent that Data Processor continues to lawfully Process Personal Data, whichever is longer.
Data Processor will not:
- Sell Personal Data for any purpose except as permitted in the Main Agreement. For purposes of this paragraph, “Sell” shall have the meaning set forth under the CCPA.
- Process Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, Data Processor will not Process Personal Data outside of the direct business relationship between GumGum and Data Processor.
- Attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of GumGum.
Information that has been de-identified is not Personal Data. “De-identified” shall have the meaning set forth under the Applicable Data Protection Laws (and may include similar terms such as “pseudo-anonymized”). Data Processor may de-identify Personal Data only if it:
- Has implemented technical safeguards that prohibit reidentification of the Data Subject to whom the information may pertain;
- Has implemented business processes that specifically prohibit reidentification of the information; and
- Makes no attempt to reidentify the information.
3. Data Processor’s Compliance with Laws
Data Processor will only Process Personal Data as set forth in this Addendum and in compliance with Applicable Data Protection Laws.
Data Processor hereby certifies that it understands its restrictions and obligations set forth in this Addendum and will comply with them.
4. Personal Data Processing Requirements
Data Processor will:
- Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that such persons are aware of the procedures that Data Processor has put in place and receive appropriate training on data protection and security.
- Upon written request of GumGum, assist GumGum in the fulfilment of GumGum’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights under Applicable Data Protection Laws, such as rights to access or delete Personal Data.
- Promptly notify GumGum of (i) any third-party or Data Subject requests or complaints regarding the Processing of Personal Data or (ii) any government or Data Subject requests for access to or information about Data Processor’s Processing of Personal Data on GumGum’s behalf, unless prohibited by Applicable Data Protection Laws. If Data Processor receives a third-party, Data Subject, or governmental request, Data Processor will await written instructions from GumGum on how, if at all, to assist in responding to the request. Data Processor will provide GumGum with reasonable cooperation and assistance in relation to any such request.
- Provide reasonable assistance to and cooperation with GumGum for GumGum’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data.
- Provide reasonable assistance to and cooperation with GumGum for any consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to Data Processor under Applicable Data Protection Laws to consult with a regulatory authority in relation to Data Processor’s Processing or proposed Processing of Personal Data.
5. Security Safeguards & Incident Reporting; Audit Rights
Security Safeguards. Data Processor will implement and maintain appropriate administrative, technical, physical, and organizational measures to protect Personal Data to assure the following:
- Data Processor will comply with the obligations related to security breach that is directly applicable to it under data privacy laws. Data Processor will implement and maintain technical and organizational security measures to adequately protect each GumGum Affiliate’s Personal Information against the risks inherent in the (a) Processing of Personal Information for the purposes identified in the Main Agreement and (b) unauthorized or unlawful Processing, destruction, damage, misuse, or loss. Data Processor will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information it Processes.
- Data Processor shall assist GumGum in response to requests from data protection authorities relating to the Processing of Personal Information in connection with the Main Agreement. In the event that any such request is made directly to Data Processor, Data Processor shall not respond to such communication directly without GumGum’s prior authorization, unless legally compelled to do so. In such instance that Data Processor is legally required to respond to such a request, Data Processor shall promptly notify GumGum and provide it with a copy of the request unless legally prohibited from doing so.
- Data Processor will promptly and without undue delay and in any case no later than twenty-four (24) hours of becoming aware, inform GumGum in the event of (a) any serious interruption of Data Processor‘s Processing operations; (b) any unauthorized acquisition, loss, access, or use of Personal Information; or (c) any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosures of, or access to Personal Information (altogether, a “Security Incident”).
Audits. Without prejudice to the Main Agreement, GumGum will provide and make available to GumGum such information and assistance as may be required to facilitate audits, and any other information necessary to complete a data protection impact assessment or to confirm compliance with any provision of this Addendum, the Main Agreement, and all Applicable Data Protection Laws. For the avoidance of doubt, this provision will not require Data Processor to provide GumGum with access to the confidential information of Data Processor’s other customers or other confidential or proprietary information belonging to Data Processor.
6. Data Deletion
Upon termination or expiration of the Main Agreement, at GumGum’s request or as pursuant to Applicable Data Protection Laws, Data Processor shall return to GumGum a complete copy of the Personal Information it Processed in connection with the Main Agreement, in a form and format reasonably agreed upon by the parties. Following GumGum’s confirmation that it received such copy, Data Processor shall securely dispose of all Personal Information remaining in its possession or control.
GumGum acknowledges and agrees that Data Processor may use Data Processor Affiliates and/or subcontractors to Process Personal Data in accordance with the provisions within this Addendum and Applicable Data Protection Laws. Data Processor shall provide GumGum with a current list of its subcontractors in the attached Appendix 2, and upon GumGum’s reasonable written request from time to time.
Where Data Processor subcontracts any of its rights or obligations concerning Personal Data, including to any Affiliate, Data Processor will (i) take commercially reasonable measures to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with Applicable Data Protection Laws and (ii) enter into a written agreement with each subcontractor that imposes obligations on the subcontractor that are no less restrictive than those imposed on Data Processor under this Addendum.
In addition to any indemnity obligations of Data Processor pursuant to the Main Agreement, Data Processor shall be liable for and shall indemnify GumGum against any and all claims, actions, liabilities, losses, damages and expenses (including legal expenses) incurred by GumGum resulting from a violation of this Addendum by Data Processor or Data Processor’s subcontractors and assignees, including without limitation those arising out of any third-party demand, claim or action, including by a data protection authority, or any material breach of contract, negligence, fraud, willful misconduct, breach of statutory duty, or non-compliance with any applicable data protection laws and regulations by Data Processor. For the avoidance of doubt, the parties acknowledge and agree that the terms of this indemnification provision do not supersede, but rather are in addition to and are in no way inconsistent with any indemnification provision of the Main Agreement.
9. Limitation of Liability.
Data Processor’s liability arising out of or related to this Addendum is subject to the provisions on limitation of liability stated in the Main Agreement. In addition, GumGum is responsible for its own liability and obligations of compliance with respect to all Applicable Data Protection Laws, and Data Processor bears no liability for GumGum’s breach with these laws, except as set forth in this Addendum.
10. Governing Law
Unless otherwise required by the Standard Contractual Clauses as defined under GDPR, or other data transfer requirements, this Addendum will be subject to the governing law identified in the Main Agreement without giving effect to conflict of laws principles.