This Data Processing Addendum (“DPA”) amends and is made part of the Agreement by and between the customer identified in the Agreement (“Customer”) and Unblocked. Capitalized terms used but not defined in this DPA have the meaning given to them in the Agreement or Data Protection Laws.
Personal Data. Pursuant to the Agreement, Unblocked provides the Services for or on behalf of Customer, which may require Unblocked to process Personal Data. Customer acknowledges that, as between Customer and Unblocked, Customer is the controller of the Personal Data provided to or collected by Unblocked on Customer’s behalf pursuant to the Agreement and shall take all steps necessary to ensure that it has all necessary authority to enable Unblocked to use the Personal Data to provide the Services and process (as that term is defined by Data Protection Laws) Personal Data consistent with Data Protection Law, the Agreement, and this DPA, including without limitation timely providing Unblocked all instructions for Unblocked’s processing as may be required by Data Protection Law. As used herein, “Personal Data” means “personal information,” “personally identifiable information,” “personal data,” or other such similar terms as defined or used in Data Protection Laws. For the avoidance of doubt, Personal Data does not include personal data or information for which Customer is not the controller or for which Unblocked is an independent controller.
Processing Instructions. Unblocked is permitted to process Personal Data solely for purposes of providing the Services and to carry out the business purposes under the Agreement, or as otherwise required or permitted by Data Protection Law of a service provider/processor, or as agreed to or instructed by Customer. For the avoidance of doubt, Unblocked is a “service provider” as that term is defined in the CCPA.
Processing Restrictions. Without limiting the generality of the foregoing, except as otherwise permitted by the forgoing sentence, Unblocked is prohibited from: (a) Selling or Sharing Personal Data; (b) retaining, using, disclosing, or otherwise processing Personal Data for any purpose other than for the specific purpose of providing Services to Customer and to carry out the business purposes relevant to the Agreement; (c) retaining, using, or disclosing Personal Data for any commercial purpose other than to provide the Services and to carry out the business purposes under the Agreement; (d) retaining, using, disclosing, or processing Personal Data outside of the direct business relationship between Customer and Unblocked; and (e) combining Personal Data received from or on behalf of Customer with personal data it receives from, or on behalf of, another person(s), or collects from its own interaction with a consumer, except where expressly required to perform the Services.
Obligations. Unblocked will, with respect to the Services and Personal Data:
4.1 Comply with Data Protection Laws in the provision of the Services, reasonably assist Customer in meeting its obligations under Data Protection Laws, and make available to Customer information in Unblocked’s possession necessary to demonstrate its compliance with its obligations under Data Protection Laws upon Customer’s reasonable request;
4.2 Ensure the reasonable security of Customer Personal Data including by: (i) providing the level of privacy protection to Personal Data as is required by Data Protection Laws and (ii) ensuring each person processing Personal Data is subject to a duty of confidentiality with respect to such Personal Data.
4.3 Notify Customer within the time period required by Data Protection Laws if it determines it can no longer meet its obligations under Data Protection Laws and allow Customer to take reasonable and appropriate steps to stop and remediate unauthorized processing of Personal Data.
4.4 Provide reasonable assistance to enable Customer to fulfill privacy rights requests (“PRRs”), including but not limited to notifying Unblocked’s subcontractors to delete Customer-specified Personal Data in response to a PRR made to Customer. Customer shall inform Unblocked of PRRs that it needs Unblocked’s assistance to comply with and shall provide Unblocked with information necessary to assist Customer to comply with such PRRs.
4.5 If Unblocked receives a PRR from a Consumer that might relate to Personal Data it shall respond that it cannot act upon requests made to it as to data it processes as a Services Provider/Processor. If the request specifically identifies Customer in connection with the PRR, Unblocked shall inform Customer of such request.
4.6 Notify Customer of security incidents affecting Unblocked’s processing of Personal Data that require notification to data subjects and/or government authorities under Data Protection Laws (“Breach”) and provide reasonable assistance and information regarding such Breach.
4.7 Provide Customer information to reasonably enable it to conduct and document data protection assessments.
4.8 Delete Personal Data at the end of the provision of Services, or as otherwise instructed by Customer, unless retention is (i) required by Data Protection Laws; or (ii) part of backup or record keeping, so long as only used for such purposes and only for as long as reasonably necessary, subject to Data Protection Laws and this DPA; and
4.9 Not more than once annually, and upon request of Customer, provide assurance that Unblocked has used the Personal Data it has collected pursuant to the Agreement in a manner consistent with Customer’s and Unblocked’s obligations under Data Protection Laws. Customer’s rights under this subsection are limited to receiving information from Unblocked and do not include a right to conduct reviews, scans, audits, Customer- or third-party assessments, or other technical or operational testing, unless specifically required by Data Protection Laws.
Sub-Processors. Customer hereby authorizes Unblocked to engage third-party entities to process Personal Data on behalf of and as specifically directed by Unblocked pursuant to a written contract that includes obligations that are at least as protective as those set out in this DPA and as required by Data Protection Laws.
Privacy Notice. Customer agrees it will provide and abide by an appropriate consumer-facing privacy policy and any other privacy notice as required to comply with Data Protection Laws. Customer’s privacy policy shall provide notice of the processing of Personal Data as contemplated by the Services.
Additional Terms. To the extent that applicable data protection laws, such as EU Regulation 2016/679 (“GDPR”) or the UK Data Protection Act 2018 (“UK GDPR”), impose additional obligations on Unblocked regarding the collection, use, or disclosure of Personal Data under the Agreement, the parties agree to negotiate additional terms to this DPA in good faith, as necessary to comply with such applicable laws.