GDPR Data Processing Addendum
CGI – GDPR Data Processing Addendum (Affiliates)
This Data Processing Addendum (“Addendum”) sets out the terms that apply as between CGI and Marketing Affiliate when processing EEA personal data in connection with the Marketing Affiliate Program. This Addendum forms part of the Marketing Affiliate Program Agreement. Capitalized terms used in this Addendum shall have the meanings given to them in the Marketing Affiliate Program Agreement (the “Agreement”) unless otherwise defined in this Addendum.
- Definitions: (a) “controller,” “processor,” “data subject,” and “processing” (and “process”) shall have the meanings given to them in Applicable Data Protection Law; (b) “Applicable Data Protection Law” means any and all applicable privacy and data protection laws and regulations applicable to the Personal Data in question, including, where applicable, EU Data Protection Law (in each case, as may be amended, superseded or replaced from time to time); (c) “EU Data Protection Law” means: (i) the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”); and (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national data protection laws made under or pursuant to clause (i) or (ii); and (d) “Personal Data” means any information relating to an identified or identifiable natural person to the extent that such information is protected as personal data under Applicable Data Protection Law.
- Purposes of processing. The parties acknowledge that in connection with the Marketing Affiliate Program, each party may provide or make available to the other party Personal Data. Each party shall process such data: (i) for the purposes described in the Agreement; and/or (ii) as may otherwise be permitted under Applicable Data Protection Law.
- Relationship of the parties. Each party will process the copy of the Personal Data in its possession or control as an independent controller (not as a joint controller with the other party). For the avoidance of doubt and without prejudice to the foregoing, CGI shall be an independent controller of any Personal Data that it receives or shares with Affiliate in connection with the Marketing Affiliate Program.
- Compliance with law. Each party shall separately comply with its obligations under Applicable Data Protection Law and this Addendum when processing Personal Data. Neither party shall be responsible for the other party’s compliance with Applicable Data Protection Law. In particular, each party shall be individually responsible for ensuring that its processing of the Personal Data is lawful, fair and transparent, and shall make available to data subjects a privacy statement that fulfils the requirements of Applicable Data Protection Law.
- International transfers. Where Applicable Data Protection Law in the European Economic Area (“EEA”), and/or its member states, United Kingdom and/or Switzerland (collectively for the purposes of this Addendum, the “EU”), applies to the Personal Data (“EU Personal Data”), neither party shall process any EU Personal Data (nor permit any EU Personal Data to be processed) in a territory outside of the EU unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. To the extent a Marketing Affiliate transfers EU Personal Data to CGI and CGI is located in a territory outside the EU that does not provide adequate protection for Personal Data (as determined by Applicable Data Protection Law), CGI agrees to abide by and process such EU Personal Data in accordance with the Standard Contractual Clauses for Controllers as approved by the European Commission and available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915 (as amended, superseded or updated from time to time) (“Model Clauses”), which are incorporated by reference in, and form an integral part of, this Addendum. CGI agrees that it is a “data importer” and the Marketing Affiliate is the “data exporter” under the Model Clauses (notwithstanding that CGI may be an entity located outside of the EEA).
Each party shall implement and maintain all appropriate technical and organizational measures to protect any copies of the Personal Data in their possession or control from (i) accidental or unlawful destruction, and (ii) loss, alteration, or unauthorized disclosure or access (a “Security Incident”) and to preserve the security and confidentiality of such Personal Data. Each party shall notify the other party without undue delay on becoming aware of any breach of EU Data Protection Law/Applicable Data Protection Law. In addition to the obligations set forth in Section 4 (FTC Endorsement Compliance), Affiliate shall comply with all applicable data protection laws regarding the transmission of data exported to or from the United States or the country in which Affiliate resides, including without limitation, the General Data Protection Regulation 2016/679 of European Parliament and of the Council of 27 April 2016 (the “GDPR”). Affiliate, as a controller under the GDPR, shall also implement appropriate technical measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purpose of processing any personal data. Affiliate agrees to promptly assist CGI in complying with any data subject rights request under the GDPR that CGI may receive from any individuals referred to CGI by Affiliate. Affiliate further agrees to promptly assist CGI in complying with any duties to cooperate with supervisory authorities under the GDPR.