This Data Processing Addendum (“DPA”) is referred to in, and forms an integral part of, SharpSpring Ads’s Terms of Service (the “Terms of Service”) and is effective upon acceptance of the Terms of Service. The terms used in this DPA shall have the meanings set forth herein. Capitalized terms not otherwise defined shall have the meaning given to them in the Terms of Service. Except as modified below, the terms set forth in the Terms of Service shall remain in full force and effect. In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set forth below shall be added as a DPA to the Terms of Service.
- (a) “controller”, “processor”, “data subject”, and “processing” (and “process”) shall have the meanings given in Applicable Data Protection Law.
- (b) “Applicable Data Protection Law” shall mean: (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- (c) “Personal Data” shall mean any data related to an identified or identifiable individual natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to its physical, physiological, mental, economic, cultural or social identity.
- Relationship of the parties: You (the “controller”) appoint SharpSpring Ads as a processor to process the Personal Data described in the Terms of Service and this DPA. Each party shall comply with this DPA and any obligations that apply to it under Applicable Data Protection Law.
- Prohibited data: You shall not disclose (and shall not permit any data subject to disclose) any special categories of Personal Data to SharpSpring Ads for processing.
- Purpose limitation: SharpSpring Ads shall process the Personal Data as a processor as necessary to perform its obligations under the Terms of Service and/or strictly in accordance with your documented instructions (the “Permitted Purpose”).
- International transfers: SharpSpring Ads shall not transfer Personal Data (nor permit Personal Data to be transferred) outside of the European Territories unless it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, to a recipient that participates in the EU-US Privacy Shield certification program, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
- Confidentiality of processing: SharpSpring Ads shall ensure that any person that it authorises to process Personal Data (including SharpSpring Ads’s staff, agents and subcontractors) (an “Authorized Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process Personal Data who is not under such a duty of confidentiality.
- Security: SharpSpring Ads shall implement appropriate technical and organizational measures to protect the Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Personal Data (a “Security Incident”).
- Subcontracting: You consent to SharpSpring Ads engaging third party subprocessors to process Personal Data for the Permitted Purpose provided that: (i) SharpSpring Ads maintains an up-to-date list of its subprocessors to be provided to you upon request, which it shall update with details of any proposed change a reasonable time in advance of appointing or replacing a subprocessor; (ii) SharpSpring Ads imposes data protection terms on any subprocessor it appoints that require it to protect the Personal Data to the standard required by Applicable Data Protection Law and this DPA; and (iii) SharpSpring Ads remains liable for any breach of this provision caused by an act, error or omission of its subprocessor. A list of approved subprocessors is attached with Schedule A. You may object to SharpSpring Ads’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, SharpSpring Ads will either not appoint or replace the subprocessor or, if this is not possible, you may suspend or terminate the Terms of Service (without prejudice to any fees incurred by you prior to suspension or termination) upon 30 days’ written notice to SharpSpring Ads.
- Cooperation and data subjects’ rights: SharpSpring Ads shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to you (at your expense) to enable you to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to SharpSpring Ads, SharpSpring Ads shall promptly inform you providing full details of the same.
- Data Protection Impact Assessment: SharpSpring Ads shall provide reasonable cooperation to you (at your expense) in connection with any data protection impact assessment that you may be required to conduct under Applicable Data Protection Law.
- Security incidents: Upon becoming aware of a Security Incident, SharpSpring Ads shall inform you without undue delay and shall provide all such timely information and cooperation as you may require in order for you to fulfil your data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. SharpSpring Ads shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep you up-to-date about all developments in connection with the Security Incident.
- Deletion or return of Personal Data: Upon termination or expiry of the Terms of Service, SharpSpring Ads shall (at your election) destroy or return to you all Personal Data in its possession or control (including any Personal Data subcontracted to a third party for processing). This requirement shall not apply to the extent that SharpSpring Ads is required by any EU (or any EU Member State) law to retain some or all of the Personal Data, in which event SharpSpring Ads shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
- Audit: SharpSpring Ads shall permit you (or your appointed third party auditors) to audit SharpSpring Ads’s compliance with this DPA, and shall make available to you all information, systems and staff reasonably necessary for you (or your third party auditors) to conduct such audit. SharpSpring Ads acknowledges that you (or your third party auditors) may enter its premises for the purposes of conducting this audit, provided that you provide reasonable prior notice of your intention to audit, conduct your audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to SharpSpring Ads’ operations. You will not exercise your audit rights more than once in any 12 calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) you believe a further audit is necessary due to a Security Incident.