These Wunderkind Data Processing terms (“Terms”) are incorporated by reference into the Wunderkind Data Processing Addendum (the “Addendum” or “DPA”) that further modifies the platform or services agreement (“Agreement”) currently in place between Company (as defined in the applicable DPA) and Wunderkind.
The parties agree to comply with the following provisions with respect to any Personal Data of Data Subjects located in the European Economic Area Processed in connection with the Agreement. The purposes of these Terms is to ensure such Processing is conducted in accordance with Data Protection Laws, including the GDPR and with due respect for the rights and freedoms of individuals whose Personal Data are Processed. References to the Agreement will be construed as including the DPA and these Terms.
Except as amended by these Terms, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will control. Capitalized terms used but not defined in these Terms have the same meanings as set out in the Addendum and the Agreement. To the extent that these Terms differ from those in the Agreement or Addendum, the terms of these Terms shall govern.
1.1 “Affiliates” means any entity which is controlled by, controls or is in common control with one of the parties.
1.2 “Wunderkind Third Party Partner” means any entity, exclusive of any Wunderkind engaged Processors or Sub-processor, engaged by Wunderkind for the Processing of Personal Data.
1.3 “Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland) and applicable to the Processing of Personal Data under the Agreement.
1.4 “Data Subject” means the individual to whom Personal Data relates.
1.5 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.6 “Company Third Party Partner” means any entity engaged by Company for the Processing of Personal Data.
1.7 “Privacy Shield” means the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce.
1.8 “Security Breach” has the meaning set forth in Section 7 of these Terms.
1.9 “Sub-processor” means any sub-processor engaged by Wunderkind for the Processing of Personal Data.
1.10 “Supervisory Authority” has the meaning set forth in Article 51 of the GDPR, or means the Federal Data Protection and Information Commissioner of Switzerland, as applicable.
1.11 “Term” means the period from the date these Terms are incorporated into the DPA and the date the DPA is terminated in accordance with Section 10.1.
1.12 The terms “Controller“, “Personal Data”, “Processor,” “Processed” and “Processing,” have the meanings given to them in Data Protection Laws. If and to the extent that Data Protection Laws do not define such terms, then the definitions given in GDPR will apply.
2 PROCESSING OF PERSONAL DATA – ARRANGEMENT BETWEEN CONTROLLERS
2.1 The parties agree that Company and Wunderkind are Controllers with respect to the processing of such Personal Data under these Terms with respect to these Terms as described in Appendix 1. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s processing of data, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Both parties shall keep a record of all Processing activities with respect to Personal Data covered under these Terms as required under GDPR.
2.2 Each party will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data covered under these Terms, including but not limited to: (i) providing the other party contact details for each party’s Data Protection Officer which are accurate and up to date; (ii) providing reasonable information and assistance to the other party conducting data protection impact assessments as required by Data Protection Laws; and (iii) providing reasonable information and assistance to the other party regarding consultations between that party and a Supervisory Authority. Company shall, in its use or receipt of the Services covered under these Terms, Process Personal Data in accordance with the requirements of the Data Protection Laws. Wunderkind shall, in its provision of the Services covered under these Terms, Process Personal Data in accordance with the requirements of the Data Protection Laws. Each party shall have individual responsibility for determining its legal basis for processing Personal Data covered under these Terms. As between the parties, Company shall have sole responsibility (to the extent legally required) to obtain all consents from Data Subjects necessary for collection, storage (e.g., via HTTP cookies) and Processing of Personal Data in the scope of the Services covered under these Terms. Wunderkind will provide a list of any Wunderkind Third Party Partners to Company as necessary to enable Company to comply with this Section 2.2.
2.3 The objective of its Processing of Personal Data by Wunderkind is the performance of the Services covered under these Terms pursuant to the Agreement. Company agrees that Wunderkind will Process Personal Data covered under these Terms for the following purposes: (i) Processing in accordance with the Agreement in order to provide the Services covered under these Terms; and (ii) Processing to comply with other reasonable instructions provided by Company where such instructions are acknowledged by Wunderkind as consistent with the terms of the Agreement. Wunderkind may Process Personal Data other than as written herein if it is mandatory under applicable law to which Wunderkind is subject. In this situation Wunderkind shall inform the Company of such a requirement unless the law prohibits such notice.
2.4 Each party is separately responsible for honoring Data Subject access requests which pertain to Personal Data governed by this Section 2 under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable) and responding to correspondence, inquiries and complaints from data subjects. Each party shall provide reasonable and timely assistance to the other party as necessary to help facilitate compliance with this Section 2.4. If required by Article 21 of the GDPR, Company shall make available the mechanism(s) by which Wunderkind enables Data Subjects to object to Processing.
3 INTENTIONALLY LEFT BLANK
4 WUNDERKIND AND COMPANY PERSONNEL
4.1 Both parties shall ensure that their respective personnel engaged in the Processing of Personal Data under these Terms are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Data.
4.2 Wunderkind will take appropriate steps to ensure compliance with the Security Measures outlined in Appendix 2 by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data covered under these Terms have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual’s engagement with Wunderkind. With respect to any Personal Data Processed by Company under these Terms, Company hereby represents and warrants that its security measures are at least as stringent as those of Wunderkind with respect to Company’s Processing of Personal Data covered under these Terms pursuant to these Terms.
4.3 Wunderkind shall ensure that access to Personal Data covered under these Terms is limited to those personnel who require such access to perform the Services. Company shall ensure that access to Personal Data covered under these Terms is limited to those personnel who require such access to receive the Services.
5 SECURITY; AUDIT RIGHTS
5.1 Wunderkind shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it Processes under these Terms. Wunderkind will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to encrypt Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Wunderkind’s systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. Wunderkind may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
5.2 Both parties will (taking into account the nature of the processing of Personal Data under these Terms) cooperatively and reasonably assist each other in ensuring compliance with any of each other’s respective obligations with respect to the security of Personal Data and Personal Data breaches under these Terms, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) in the case of Wunderkind, implementing and maintaining the Security Measures in accordance with Appendix 2; and (b) complying with the terms of Section 7 of these Terms.
5.3 Company may engage a mutually agreed upon third party to audit Wunderkind solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the General Data Protection Regulation (“GDPR”). To request an audit, Company must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to firstname.lastname@example.org. The auditor must be approved in advance by Wunderkind (such approval may not be unreasonably withheld) and execute a written confidentiality agreement acceptable to Wunderkind before conducting the audit. The audit must be conducted during regular business hours, subject to Wunderkind’s policies, and may not unreasonably interfere with Wunderkind’s business activities. Any such audits are at Company’s expense and any request for Wunderkind to provide assistance which requires the use of resources different from or in addition to those required by law may be charged as a separate service by Wunderkind under a reasonable fee structure that takes into account the resources expended by Wunderkind. Company shall promptly notify Wunderkind with information regarding any non-compliance discovered during the course of an audit.
6.1 Company acknowledges and agrees that Wunderkind may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services Wunderkind has retained them to provide, and are prohibited from using Personal Data for any other purpose. Wunderkind will have a written agreement with each Sub-processor and agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in these Terms.
6.2 A list of Sub-processors is available in the Wunderkind user interface or at a particular web page hosted by Wunderkind. Wunderkind may change the list of such other Sub-processors by no less than 10 business days’ notice via the Wunderkind user interface. If Company objects to Wunderkind’s change in such Sub-processors, Wunderkind may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days’ written notice to Company. Where Wunderkind is processing Personal Data covered under these Terms, Wunderkind agrees that Processors engaged by Wunderkind will be treated as Sub-processors solely with respect to the requirements under this Section 6.
6.3 Wunderkind shall be liable for the acts and omissions of its Sub-processors to the same extent Wunderkind would be liable if performing the services of each Sub-processor directly under the terms of these Terms, except as otherwise set forth in the Agreement.
6.4 Company acknowledges and agrees that neither Company Third Party Partners nor Wunderkind Third Party Partners are Sub-processors and Wunderkind assumes no responsibility or liability for the acts or omissions of such Company Third Party Partners and Wunderkind Third Party Partners.
7 SECURITY BREACH MANAGEMENT AND NOTIFICATION
7.1 If either party becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on the other party’s equipment or facilities under these Terms (“Security Breach”) which, in the reasonable opinion of that party’s Data Protection Officer, requires such notification, such party will promptly notify the other party of the Security Breach. Notifications made pursuant to this section will describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and steps Wunderkind recommends Customer take to address the Security Breach. Notifications of any Security Breach will take place within a reasonable time and certainly no longer than seventy-two (72) hours after the discovery where required by law. Each party will promptly investigate the Personal Data Breach if it occurred on its infrastructure or in another area it is responsible for and will assist the other party as reasonably necessary for both parties to meet their obligations under Data Protection Laws.
7.2 Both parties agree that an unsuccessful Security Breach attempt will not be subject to this Section 7. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Personal Data processed pursuant to these Terms or to any of either party’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
7.3 Notification(s) of Security Breaches, if any, will be delivered to one or more of the other party’s business, technical or administrative contacts by any reasonable means, including via email. It is each party’s responsibility to ensure it maintains accurate contact information.
7.4 Any notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by either party of any fault or liability with respect to the Security Breach.
7.5 Wunderkind shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk in respect to the Personal Data. As technical and organizational measures are subject to technological development, Wunderkind is entitled to implement alternative measures provided they are at least as protected as those offered by the Security Measures and they do not fall short of the level of data protection set out by Data Protection Law.
8 CROSS-BORDER DATA TRANSFERS
8.1 Wunderkind may, subject to this Section 9, store and process the relevant Personal Data in the European Economic Area and the United States.
8.2 Wunderkind self-certified to and complies with the Privacy Shield, and Wunderkind shall maintain its self-certification to and compliance with the Privacy Shield with respect to the Processing of Personal Data that is transferred from the European Economic Area or Switzerland to the United States.
8.3 At the request of Company, or if the Services involve the storage and/or processing of Company’s Personal Data which transfers Company’s Personal Data out of the European Economic Area to a jurisdiction other than the United States that does not have adequate data protection laws, and the Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), the parties will enter into Model Contractual Clauses or find an alternative legal basis for such Transferred Personal Data which is in compliance with Data Protection Laws.
8.4 To the extent Company is the recipient of Personal Data from Wunderkind pursuant to these Terms, Company will provide at least the same level of protection for the information as is available under the Privacy Shield framework or Model Contractual Clauses.
9.1 Both parties agree that their respective liability under these Terms shall be apportioned according to each parties’ respective responsibility for the harm (if any) caused by each respective party.
9.2 Liability Cap Exclusions. Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
10.1 These Terms will remain in effect until the termination or expiration of the Agreement between the parties.
10.2 Nothing in these Terms shall impact Company’s intellectual property rights with respect to Personal Data provided by Company under the Agreement except to the extent required by applicable law.
10.3 Nothing in these Terms shall confer any benefits or rights on any person or entity other than the parties to these Terms.
Subject matter and details of the processing
Data Exporter: Company
Data Importer: Wunderkind, Inc.
Data Subjects: The Data Exporter’s customers, other visitors to the Data Exporter’s website, the Data Exporter’s personnel and any other persons affected.
Categories of data: The Personal Data transferred concern the following categories of Data Subjects: Data Exporter may submit Personal Data to the Data Importer’s proprietary platform (Wunderkind Platforms), the extent of which is determined and controlled by the Data Exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Contact information (company, email, phone, physical business address)
- Device ID data (cookie ID, AD ID, Mobile ID address and other pseudonymous information and identifiers)
- Log-file Data
- IP Address
- Cookie Data
- Other data reasonably required to implement the performance requested by Data Exporter under the Agreement.
Special categories of data The Personal Data transferred concern the following special categories of data (please specify): None
Processing operations: The Personal Data transferred will be subject to the following processing activities:
Processing activities in the performance of the services as set forth in the Agreement for the duration of the Agreement.
Description of the technical and operational Security Measures used by the Data Importer
Data Importer will implement and maintain a comprehensive written information security program designed to protect Personal Data from unauthorized access, use, modification, disclosure or destruction, and that complies with the most recent published version of one or more of the following industry security standards: NIST Cybersecurity Framework, ISO 27001, or SANS/CIS Critical Security Controls. As part of its information security program, Data Importer will limit access to Personal Data to the minimum number of Data Importer’s personnel who require such access in order to provide services to Data Exporter. Data Importer shall also provide the appropriate training to its personnel who process Personal Data.