These Wunderkind Data Processing terms (“Terms”) are incorporated by reference into the Wunderkind Data Processing Addendum (the “Addendum” or “DPA”) that further modifies the platform or services agreement (“Agreement”) currently in place between Company (as defined in the applicable DPA) and Wunderkind.
The parties agree to comply with the following provisions with respect to any Personal Data of Data Subjects located in the European Economic Area Processed in connection with the Agreement. The purpose of these Terms is to ensure such Processing is conducted in accordance with Data Protection Laws, including the GDPR and with due respect for the rights and freedoms of individuals whose Personal Data are Processed. References to the Agreement will be construed as including the DPA and these Terms.
Except as amended by these Terms, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this Addendum, the terms of this Addendum will control. Capitalized terms used but not defined in these Terms have the same meanings as set out in the Addendum and the Agreement. To the extent that these Terms differ from those in the Agreement or Addendum, the terms of these Terms shall govern.
1.1 “Affiliates” means any entity which is controlled by, controls or is in common control with one of the parties.
1.2 “Data Protection Laws” means all privacy and data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable: (a) the GDPR; (b) the UK Data Protection Act 2018 and/or (c) the Federal Data Protection Act of 19 June 1992 (Switzerland) and applicable to the Processing of Personal Data under the Agreement.
1.3 “Data Subject” means the individual to whom Personal Data relates.
1.4 “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. For purposes of clarity, references to the GDPR are intended to include the UK Data Protection Act 2018.
1.5 “Company Third Party Partner” means any entity engaged by Company for the Processing of Personal Data.
1.6 “Security Breach” has the meaning set forth in Section 7 of these Terms.
1.7 “Sub-processor” means any sub-processor engaged by Wunderkind for the Processing of Personal Data.
1.8 “Supervisory Authority” has the meaning set forth in Article 51 of the GDPR, or means the Federal Data Protection and Information Commissioner of Switzerland, or the entity responsible for regulating the protection of the Personal Data of Data Subjects, as applicable.
1.9 “Term” means the period from the date these Terms are incorporated into the DPA until the date the DPA is terminated in accordance with Section 11.1.
1.10 The terms “Controller”, “Personal Data”, “Processor”, “Processed” and “Processing” have the meanings given to them in Data Protection Laws. If and to the extent that Applicable Privacy Laws do not define such terms, then the definitions given in the GDPR will apply.
2 [INTENTIONALLY LEFT BLANK]
3 PROCESSING OF PERSONAL DATA PURSUANT TO THESE TERMS.
3.1 To the extent the products and services covered under the Agreement and these Terms involve the Processing of Personal Data, the parties agree that Company is the Data Controller and Wunderkind is a Data Processor and that the subject matter and details of the processing of such Personal Data are described in Appendix 1. To the extent that the data protection legislation of another jurisdiction is applicable to either party’s processing of data covered under these Terms, the parties acknowledge and agree that the relevant party will comply with any obligations applicable to it under that legislation with respect to the processing of that data. Wunderkind shall keep a record of all processing activities with respect to Company’s Personal Data covered under these Terms as required under GDPR.
3.2 Each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Personal Data covered under these Terms, including but not limited to providing the other party contact details for each party’s Data Protection Officer which are accurate and up to date. Wunderkind shall further provide Company with reasonable information and assistance with Company’s data protection impact assessments as well as consultations between the Company and a Supervisory Authority with regard to the Personal Data covered under these Terms. Company shall, in its use or receipt of the Services covered under these Terms, Process Personal Data in accordance with the requirements of the Data Protection Laws and Company will ensure that its instructions for the Processing of Personal Data covered under these Terms shall comply with the Data Protection Laws. If Wunderkind believes or becomes aware that any of Company’s instructions conflicts with any Data Protection Laws, Wunderkind shall inform Company. As between the parties, Company shall have sole responsibility for determining the legal basis for processing of Personal Data covered under these Terms and (to the extent legally required) obtain all consents from Data Subjects necessary for collection and Processing of Personal Data in the scope of the Services.
3.3 The objective of Processing of Personal Data by Wunderkind is the performance of the Services covered under these Terms pursuant to the Agreement. During the Term of the Agreement, Wunderkind shall only Process Personal Data covered under these Terms on behalf of and in accordance with the Agreement and Company’s instructions and shall treat Personal Data covered under these Terms as Confidential Information. Company instructs Wunderkind to Process Personal Data covered under these Terms for the following purposes: (i) Processing in accordance with the Agreement; and (ii) Processing to comply with other reasonable instructions provided by Company where such instructions are acknowledged by Wunderkind as consistent with the terms of the Agreement. Wunderkind may Process Personal Data covered under these Terms other than on the instructions of the Company if it is mandatory under applicable law to which Wunderkind is subject. In this situation Wunderkind shall inform the Company of such a requirement unless the law prohibits such notice.
3.4 Wunderkind shall provide reasonable and timely assistance to the Company (at the Company’s expense) to enable the Company to respond to: (i) any request from a Data Subject to exercise any of its rights under Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject in connection with the processing of the Personal Data covered under these Terms. In the event that any such request, correspondence, enquiry or complaint is made directly to Wunderkind (hereinafter a “Direct Access Request”), Wunderkind shall to the extent legally permitted, promptly inform the Company providing full details of the same and, upon request, provide the Company with contact details of the Data Subject(s). If Company fails to respond to a Direct Access Request within 30 days, Wunderkind reserves the right to take appropriate steps in its reasonable judgement to respond to such request(s). If required by Article 21 of the GDPR, Company shall make available the mechanism(s) by which Wunderkind enables Data Subjects to object to Processing.
3.5 Wunderkind will comply with instructions from Company to delete certain Personal Data covered under these Terms as soon as reasonably practicable, unless Data Protection Law (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage.
4 WUNDERKIND AND COMPANY PERSONNEL
4.1 Both parties shall ensure that their respective personnel engaged in the Processing of Personal Data under these Terms are informed of the confidential nature of the Personal Data as well as any security obligations with respect to such Data.
4.2 Wunderkind will take appropriate steps to ensure compliance with the Security Measures outlined in Appendix 2 by its personnel to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data covered under these Terms have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that any such obligations survive the termination of that individual’s engagement with Wunderkind.
4.3 Wunderkind shall ensure that access to Personal Data covered under these Terms is limited to those personnel who require such access to perform the Services.
5 SECURITY; AUDIT RIGHTS
5.1 Wunderkind shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Personal Data it Processes under these Terms. Wunderkind will implement and maintain technical and organizational measures to protect such Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures to encrypt Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Wunderkind’s systems and services; to help restore timely access to Personal Data following an incident; and for regular testing of effectiveness. Wunderkind may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
5.2 Both parties will (taking into account the nature of the processing of Personal Data under these Terms) cooperatively and reasonably assist each other in ensuring compliance with any of each other’s respective obligations with respect to the security of Personal Data and Personal Data breaches under these Terms, including (if applicable) any obligations pursuant to Articles 32 to 34 (inclusive) of the GDPR, by: (a) in the case of Wunderkind, implementing and maintaining the Security Measures in accordance with Appendix 2; and (b) complying with the terms of Section 7 of these Terms.
5.3 Company may engage a mutually agreed upon third party to audit Wunderkind solely for the purposes of meeting its audit requirements pursuant to Article 28, Section 3(h) of the General Data Protection Regulation (“GDPR”). To request an audit, Company must submit a detailed audit plan at least four (4) weeks in advance of the proposed audit date describing the proposed scope, duration, and start date of the audit. Audit requests must be sent to GDPR@wunderkind.co. The auditor must be approved in advance by Wunderkind (such approval may not be unreasonably withheld) and execute a written confidentiality agreement acceptable to Wunderkind before conducting the audit. The audit must be conducted during regular business hours, subject to Wunderkind’s policies, and may not unreasonably interfere with Wunderkind’s business activities. Any such audits are at Company’s expense and any request for Wunderkind to provide assistance which requires the use of resources different from or in addition to those required by law may be charged as a separate service by Wunderkind under a reasonable fee structure that takes into account the resources expended by Wunderkind. Company shall promptly notify Wunderkind with information regarding any non-compliance discovered during the course of an audit.
6.1 Company acknowledges and agrees that Wunderkind may engage third-party Sub-processors in connection with the provision of the Services. Any such Sub-processors will be permitted to obtain Personal Data only to deliver the services Wunderkind has retained them to provide, and are prohibited from using Personal Data for any other purpose. Wunderkind will have a written agreement with each Sub-processor and agrees that any agreement with a Sub-processor will include substantially the same data protection obligations as set out in these Terms.
6.2 A list of Sub-processors is available in the Wunderkind user interface or at a particular web page hosted by Wunderkind. Wunderkind may change the list of such other Sub-processors by no less than 10 business days’ notice via the Wunderkind user interface. If Company objects to Wunderkind’s change in such Sub-processors, Wunderkind may, as its sole and exclusive remedy, terminate the portion of the Agreement relating to the Services that cannot be reasonably provided without the objected-to new Sub-processor by providing 30 days’ written notice to Company.
6.3 Wunderkind shall be liable for the acts and omissions of its Sub-processors to the same extent Wunderkind would be liable if performing the services of each Sub-processor directly under the terms of these Terms, except as otherwise set forth in the Agreement.
6.4 Company acknowledges and agrees that Company Third Party Partners are not Sub-processors and Wunderkind assumes no responsibility or liability for the acts or omissions of Company Third Party Partners.
7 SECURITY BREACH MANAGEMENT AND NOTIFICATION
7.1 If Wunderkind becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on Wunderkind’s equipment or facilities (“Security Breach”) which, in the reasonable opinion of Wunderkind’s Data Protection Officer, requires such notification, Wunderkind will promptly notify Customer of the Security Breach. Notifications made pursuant to this section will describe, to the extent possible, details of the Security Breach, including steps taken to mitigate the potential risks and steps Wunderkind recommends Customer take to address the Security Breach. Notifications of any Security Breach will take place within a reasonable time and certainly no longer than seventy-two (72) hours after the discovery where required by law. Each party will promptly investigate the Personal Data Breach if it occurred on its infrastructure or in another area it is responsible for and will assist the other party as reasonably necessary for both parties to meet their obligations under Data Protection Laws.
7.2 Customer agrees that an unsuccessful Security Breach attempt will not be subject to this Section 7. An unsuccessful Security Breach attempt is one that results in no unauthorized access to Personal Data processed pursuant to these Terms or to any of either party’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, or similar incidents.
7.3 Notification(s) of Security Breaches, if any, will be delivered to one or more of the other party’s business, technical or administrative contacts by any reasonable means, including via email. It is each party’s responsibility to ensure it maintains accurate contact information.
7.4 Any notification of or response to a Security Breach under this Section 7 will not be construed as an acknowledgement by either party of any fault or liability with respect to the Security Breach.
7.5 Wunderkind shall implement reasonable technical and organizational Security Measures to provide a level of security appropriate to the risk in respect to the Personal Data. As technical and organizational measures are subject to technological development, Wunderkind is entitled to implement alternative measures provided they are at least as protective as those offered by the Security Measures and they do not fall short of the level of data protection set out by Data Protection Law.
8 DATA DELETION
8.1 On expiry of the Agreement, both parties hereby instruct the other to delete all Personal Data (including existing copies) from their respective systems and discontinue Processing of such Personal Data in accordance with Data Protection Law as soon as reasonably practicable unless Data Protection Laws (or, in the case the data is not subject to Data Protection Law, applicable law) requires further storage. This requirement shall not apply to the extent that Wunderkind is required by any applicable laws to retain some or all of the Personal Data.
9 CROSS-BORDER DATA TRANSFERS
9.1 Wunderkind may, subject to this Section 9, store and process the relevant Personal Data in the European Economic Area, the United Kingdom and the United States.
9.2 Given that the Services involve the storage and/or processing of Company’s Personal Data which transfers Company’s Personal Data out of the European Economic Area, Switzerland or the UK to a jurisdiction other than the United States that does not have adequate data protection laws, and the Data Protection Laws apply to the transfers of such data (“Transferred Personal Data”), both parties agree that the Standard Contractual Clauses for transfers reflecting the roles of the parties as described in the DPA in the form approved by the European Commission and available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en (as amended or updated from time to time) (“Standard Contractual Clauses”) shall be incorporated by reference and form an integral part of this DPA. Appendices 1 and 2 of this DPA will take the place of Appendices 1 and 2 of the Standard Contractual Clauses respectively.
9.3 If the Standard Contractual Clauses are deemed invalid by a governmental entity with jurisdiction over Transferred Personal Data (e.g., the EU Court of Justice) or if such governmental entity imposes additional rules and/or restrictions regarding such Transferred Personal Data, the parties agree to work in good faith to find an alternative and/or modified approach with respect to such Transferred Personal Data which is in compliance with Data Protection Laws.
9.4 To the extent Company is the recipient of Personal Data from Wunderkind pursuant to these Terms, Company will provide at least the same level of protection for the information as is available under the Standard Contractual Clauses.
10.1 Both parties agree that their respective liability under these Terms shall be apportioned according to each party’s respective responsibility for the harm (if any) caused by each respective party.
10.2 Nothing in this Section 10 will affect the remaining terms of the Agreement relating to liability (including any specific exclusions from any limitation of liability).
11.1 These Terms will remain in effect until the termination or expiration of the Agreement between the parties.
11.2 Nothing in these Terms shall impact Company’s intellectual property rights with respect to Personal Data provided by Company under the Agreement except to the extent required by applicable law.
11.3 Nothing in these Terms shall confer any benefits or rights on any person or entity other than the parties to these Terms.
Subject matter and details of the processing
Data Exporter: Company
Data Importer: Wunderkind Corporation
Data Subjects: The Data Exporter’s customers, other visitors to the Data Exporter’s website, the Data Exporter’s personnel and any other persons affected.
Categories of data: The Personal Data transferred concern the following categories of Data Subjects: Data Exporter may submit Personal Data to the Data Importer’s proprietary platform (Wunderkind Platforms), the extent of which is determined and controlled by the Data Exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
First and last name
Contact information (company, email, phone, physical business address)
Device ID data (cookie ID, AD ID, Mobile ID address and other pseudonymous information and identifiers)
Other data reasonably required to implement the performance requested by Data Exporter under the Agreement.
Special categories of data: The Personal Data transferred concern the following special categories of data (please specify): None
Processing operations: The Personal Data transferred will be subject to the following processing activities:
Processing activities in the performance of the services as set forth in the Agreement for the duration of the Agreement.
Appendix 2 – The TOMS
Description of the technical and operational Security Measures used by the Data Importer
Data Importer will implement and maintain a comprehensive written information security program designed to protect Personal Data from unauthorized access, use, modification, disclosure or destruction, and that complies with the most recent published version of one or more of the following industry security standards: NIST Cybersecurity Framework, ISO 27001, or SANS/CIS Critical Security Controls. As part of its information security program, Data Importer will limit access to Personal Data to the minimum number of Data Importer’s personnel who require such access in order to provide services to Data Exporter. Data Importer shall also provide the appropriate training to its personnel who process Personal Data.
Appendix 2(A) – Supplemental Technical and Operational Measures
Client is data exporter
Wunderkind is data importer
1. Disclosure Requests and Encryption
a) Notwithstanding other obligations of the Data Importer in this agreement to implement appropriate technical and organizational measures, the Data Importer is obliged, as far as possible, to encrypt Personal Data processed under this agreement immediately upon receipt and to only transmit Personal Data using end-to-end encryption.
b) Data Importer will not disclose Personal Data except: (1) as Data Exporter directs; (2) as expressly authorized in this agreement; or (3) as required by law. All processing of Personal Data is subject to Data Importer’s obligation of confidentiality under this agreement.
c) Data Importer will not intentionally disclose Personal Data to law enforcement, other governmental authority, or other persons (“Requesting Body”) unless Data Importer receives a civil or criminal subpoena, warrant, or other official and written request which:
aa) is issued by a Requesting Body with the authority and jurisdiction to demand the disclosure, and
bb) is, in the reasonable judgment of Data Importer, legally binding on Data Importer and requires Data Importer to disclose Personal Data in response thereto (a “Disclosure Request”).
d) Data Importer affirms that it has not, as of today’s date, been the recipient of a Disclosure Request and shall notify Data Exporter of any Disclosure Requests that pertain to Data Exporter’s data during the term of the Agreement unless prohibited from doing so by applicable law. If Data Importer is contacted with a Disclosure Request, Data Importer will
aa) attempt to redirect the Requesting Body to request that Personal Data directly from Data Exporter instead;
bb) promptly notify Data Exporter and provide a copy of the Disclosure Request unless legally prohibited from doing so;
cc) review the Disclosure Request to determine whether it is valid and if Data Importer has a legal requirement to disclose Personal Data; and
dd) assert its legal rights, including to resist and narrow the demand by taking all available remedies to the fullest extent possible, and/or seek a stay from enforcement of the Disclosure Request.
e) In the event Data Importer is notified by the Requesting Body issuing a Disclosure Request that Data Importer is prohibited by law from giving notice to Data Exporter of the Disclosure Request, Data Importer will use best efforts to relieve itself of any such prohibition so that it may fully disclose such Disclosure Request to Data Exporter and coordinate with Data Exporter in responding to the Disclosure Request solely to the extent possible without incurring additional or outside legal fees or expenses. In any case, Data Importer will provide notice to Data Exporter of the Disclosure Request immediately as soon as legally permissible. Data Importer will notify the Data Exporter of a Disclosure Request by contacting the indicated contact person.
f) Data Importer will only provide Personal Data if, and to the extent that, it is necessary and proportionate to comply with a Disclosure Request. Unless specifically requested by the Requesting Body, Data Importer will not provide any Requesting Body: (a) direct, indirect, blanket, or unfettered access to Personal Data; (b) encryption keys used to secure Personal Data or the ability to break such encryption; or (c) access to Personal Data if Data Importer is aware that the Personal Data is to be used for purposes other than those stated in the Disclosure Request.
g) In support of the above, Data Importer may provide Data Exporter’s basic contact information to the Requesting Body.
h) The parties understand and agree that “best efforts” of the Data Importer in responding to and/or challenging a Disclosure Request are limited to what is reasonable. Under no circumstances is the Data Importer expected to incur additional legal fees or expenses in excess of $1,000 in meeting its obligations under subsections 1(d) through 1(i). If permitted under applicable law, Data Importer will provide Data Exporter with an estimate of any additional legal fees and/or expenses and provide the Data Exporter with the opportunity to pay for such fees and/or expenses.
i) The Data Importer states that: (1) it has not purposefully created back doors or similar programming that could be used to access its systems and/or personal data; (2) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems; and (3) that neither U.S. law nor government policy requires the importer to create or maintain back doors or to facilitate access to personal data or systems or for the importer to be in possession or to hand over the encryption key.
j) The Data Importer has internal policies, organizational methods and standards to support the foregoing.
k) The parties recognize that Data Importer has sole discretion over its approach to adhering to the above and shall not be in breach of this section unless Data Exporter is able to demonstrate willful misconduct or gross negligence.