Data Processing Addendum
Data Processing Addendum for GDPR compliance at Reloadly
Reloadly Inc., a company incorporated under the laws of the USA having its registered office and principal place of business at 78 SW 7th St. Miami, FL 5th Floor, 33130 USA, as registered with the Commercial Register of Delaware, United States, under number 6580650 (“Reloadly”, the “Data Processor” or the “Processor”), and the customer (the “Customer” or the “Controller”), hereby agree as follows:
1 Scope
This data processing addendum (the “Data Processing Addendum” or “Addendum”) applies exclusively to the processing of personal data (the “Customer Personal Data” or “Personal Data”) that is subject to European Union (EU) and USA data processing law, in the scope of the services (the “Services Agreement”) between the Data Controller and the Processor (each a “Party” and together the “Parties”) on the provision of services (the “Services”).
1.1
The term EU data privacy law (“EU Data Privacy Law”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR). Reloadly complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Reloadly has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
1.2
Terms such as “Processing”, “Personal Data”, “Data Controller” and “Processor” shall have the meaning ascribed to them in USA / EU Data Privacy Law, as applicable.
1.3
Insofar as the Data Processor will be processing Personal Data of the Data Controller subject to the EU-US Data Privacy Law in the course of the performance of the Services Agreement with the Data Controller, the terms of this Data Processing Addendum shall apply. An overview of the categories of Personal Data, the types of data subjects (the “Data Subjects”), and purposes (the “Purposes”) for which the Personal Data are being processed is provided below.
2 Binding character of this Addendum
The Parties hereby agree to be bound by the provisions and obligations set forth in this Addendum in respect of all their data protection obligations and data processing relationships and agree that any data protection and data processing obligations as agreed to previously amongst the Parties shall be deleted and repealed in their entirety and be replaced with this Addendum.
3 Information required by Data Privacy Law
The Parties agree to the following information, as required by the EU-US Data Privacy Law:
Subject matter of processing
Equity management services by means of an online software application (the “Application”) and the fulfillment of contractual obligations under the Services Agreement and this Data Processing Addendum.
Duration of processing
For the duration of the Services Agreement until terminated or once processing by Reloadly of any Personal Data is no longer required for the performance of its relevant obligations under the Services Agreement or Addendum or for its other legitimate interests.
Purpose of processing
Processing of Customer’s Personal Data and equity data for the purposes of the provision of the Services. Personal Data is provided by Customer.
Customer Personal Data
Equity data: Shareholder information (including their General Personal Data), company information, share ledger transaction history, legal documents, other cap table details.
General Personal Data: Name, date of birth, country of origin, telephone number, email, postal address, bank details.
Data Subjects
Shareholders, other third parties (e.g. lawyers).
4 Reloadly as Processor
The Customer and Reloadly hereby agree that for the purposes of this Addendum, Reloadly (and each permitted subcontractor) shall be the Data Processor.
5 Reloadly’s obligations
Reloadly, acting as Data Processor, shall:
5.1
only process the Customer Personal Data as necessary to perform its obligations under this Services Agreement, as required by laws applicable to it (provided that Reloadly first informs the Customer of that legal requirement before processing, unless that law prohibits this on important grounds of public interest);
5.2
ensure that all staff who have access to Customer Personal Data have committed themselves to appropriate obligations of confidentiality;
5.3
maintain all appropriate technical and organizational measures to ensure the security of the Customer Personal Data; The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. Reloadly will, therefore, evaluate the measures on an on-going basis and will tighten, supplement and improve these measures. The Parties will negotiate in good faith the cost, if any, and an amendment to the Services Agreement, if necessary, to implement material changes required by specific updated security requirements set forth in applicable Data Privacy Law or by data protection authorities of competent jurisdiction; An overview of the current technical and organizational measures can be found on the Website, as amended from time to time;
5.4
assist, to the extent possible, the Customer to fulfill its obligations in responding to requests for exercising of Data Subject rights set out in the applicable Data Privacy Law;
5.5
not engage any other processor in relation to the Services except in accordance with Customer’s general authorization. Upon request by Customer, (i) Reloadly shall make available to the Customer a list of processors and (ii) the Customer shall have a right to be informed of new processors and veto proposed changes in good faith for material grounds within 30 days of publication. For the avoidance of doubt, Reloadly shall enter into an agreement with each sub-contractor containing obligations which are equivalent to those set out in this Clause 5;
5.6
subcontracting relationships within the meaning of this Clause 5 shall not include services which Reloadly makes use of with third parties as an ancillary service to support the execution of the order. This includes, for example, telecommunications services, maintenance and user service, data hosting services, cleaning staff, inspectors or the disposal of data media. However, Reloadly shall be obliged to make appropriate contractual agreements in accordance with the law and to take control measures in order to guarantee the protection and security of the Customer’s data even in the case of ancillary services awarded to third parties;
5.7
subject to reasonable access arrangements and save for disclosure of information which is confidential, commercially sensitive or privileged, permit Customer or a third-party auditor acting under the Customer’s direction, to conduct, at the Customer’s cost, data protection audits, assessments and inspections concerning Reloadly’s data protection procedures relating to its compliance with this Clause 5. For the avoidance of any doubt, the Customer’s audit, access, and inspection rights under this Clause are limited to Reloadly’s records only and do not apply to Reloadly’s physical premises;
5.8
notify the Customer as soon as reasonably practicable and in writing if it becomes aware of a reportable breach and provide the Customer with assistance in responding to and mitigating it;
5.9
assist the Customer in complying with Article 35 (Data protection impact assessment) and Article 36 (Prior consultation) of the GDPR in respect of any new type of processing proposed, in accordance with EU-US Data Privacy Law.
5.10
save as to where required by law or in accordance with the Services Agreement, on termination or expiry of this Addendum however made and for any reason, and unless otherwise stipulated in the Services Agreement, either destroy all Customer Personal Data or transfer it to Customer or a nominated third party (in a mutually agreed format and by a mutually agreed method);
5.11
Notwithstanding anything to the contrary in the Addendum, Reloadly’s aggregate liability to Customer hereunder and in relation to all of Reloadly’s data protection obligations under Data Privacy Law shall be limited to and shall not exceed 100% of the fees paid by the Customer in a Contract Year under the Services Agreement for each such Contract Year and shall in no event exceed, in aggregate for the entire duration of the Services Agreement and thereafter, 200% of the fees paid by the Customer in the Contract Year with the lowest fees. For the purposes of this Clause, “Contract Year” shall mean each period of 12 months following on from the effective date of the Services Agreement or its anniversary and shall include such 12-month periods that continue after the termination of the Services Agreement.
6 The Customer’s obligations
The Customer, acting as the Controller, hereby warrants and represents:
6.1
that all processing of Customer Personal Data will be in compliance with all Data Privacy Law, and that the processing of the Customer Personal Data by Reloadly in accordance with this Addendum will not breach Data Privacy Law;
6.2
that Customer Personal Data provided to Reloadly are accurate and will be updated to ensure continued accuracy as and when required;
6.3
that it has notified data subjects of any applicable period for which Customer Personal Data or any element of Customer Personal Data will be stored by Reloadly;
6.4
that the Customer has the right to provide Customer Personal Data to Reloadly and has provided Data Subjects with all necessary information and data protection notices on or in connection with the collection of such Customer Personal Data from data subjects including, but not limited to, the supply of Customer Personal Data to Reloadly and details of the purposes for which such Customer Personal Data will be processed by Reloadly including, if applicable, as set out in Reloadly’s retention policy;
6.5
Customer warrants and represents:
6.5.1
that the Customer will not provide Reloadly with nor request Reloadly to process the types and categories of Personal Data listed, defined, or referenced to in Articles 8–10 of the GDPR or respective definitions in the EU-US Data Privacy Law (collectively “High-Risk Personal Data”), and
6.5.2
that the Customer will not provide Reloadly with nor pass to Reloadly personal data which Reloadly has no knowledge of, is unaware of, or which is not explicitly provided for under this Data Protection Addendum, and that where applicable, the Customer will not enter any personal data into free text fields embedded in relevant Reloadly products and/or Services and will not incorporate any personal data outside of the scope of Personal Data as contemplated in the Services Agreement and this Addendum into any attachments that are to be uploaded into Reloadly’s Application;
6.6
that the Customer shall, and shall procure its employees, contractors, and/or agents to keep the login credentials used to access the Services secure and shall be liable for the access to the Services through such login credentials. The Customer further warrants that it shall promptly notify Reloadly of any unauthorized use of any login credentials, or other breaches of security, including loss, theft or unauthorized disclosure of login credentials.
7 Liability
The Customer acknowledges that Reloadly is reliant on the Customer for instructions as to the extent to which Reloadly is entitled to use and process the Customer Personal Data. Consequently, Reloadly will not be liable for and the Customer shall, immediately on demand, fully indemnify Reloadly and keep Reloadly effectively indemnified against all costs, claims, demands, expenses (including legal costs and disbursements on a full indemnity basis), losses (including indirect losses, loss or corruption of data, loss of reputation, goodwill and profits), actions, proceedings and liabilities of whatsoever nature incurred by Reloadly or for which Reloadly may become liable due to any claim brought by a data subject or Supervisory Authority arising from any action or omission by Reloadly, to the extent that such action or omission resulted from the Customer’s instructions.
8 Indemnification
The Customer shall, immediately on demand, fully indemnify Reloadly and keep Reloadly fully and effectively indemnified against all costs, claims, demands, expenses (including legal costs and disbursements on a full indemnity basis), losses (including indirect losses, loss or corruption of data, loss of reputation, goodwill and profits), actions, proceedings and liabilities of whatsoever nature arising from or incurred by Reloadly or its affiliates in connection with any failure of the Customer or any third party appointed by the Customer to comply with any of the provisions of Clause 6 and/or Data Privacy Law in respect of its processing of Customer Personal Data.
9 Prevalence of this Addendum
To the extent of any conflict between this Addendum and any parts of the Services Agreement, this Addendum shall prevail, govern, and supersede. This Addendum and the obligations hereunder shall survive the termination or expiry of the Services Agreement however effected or arising.
10 Compensation
Subject to Clause 5.11, to the extent that either Party (the “Claiming Party”) has an entitlement under Data Privacy Law to claim from the other Party (the “Compensating Party”) compensation paid by the Claiming Party to a data subject as a result of a breach of Data Privacy Law to which the Compensating Party contributed, the Compensating Party shall be liable only for such amount as it directly relates to its responsibility for any damage caused to the relevant data subject. For the avoidance of doubt the Compensating Party shall only be liable to make payment to the Claiming Party under this Clause 10 upon receipt of evidence from the Claiming Party, to the Compensating Party’s reasonable satisfaction, that clearly demonstrates the Compensating Party:
10.1
where Reloadly is the Compensating Party only, that Reloadly has acted outside of the instructions of the Customer; and
10.2
has breached applicable Data Privacy Law; and
10.3
that such breach contributed (in part or in full) to the harm caused and entitling the relevant data subject to receive compensation in accordance with the applicable Data Privacy Law; and
10.4
the proportion of responsibility for the harm caused to the relevant data subject which is attributable to the Compensating Party.
11 Competent Court
Any disputes arising from or in connection with this Data Processing Addendum shall be brought exclusively before the competent courts of the Canton of Zurich, Switzerland.