Effective April 9, 2020
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to the agreement for the provision of services, entered into by and between party identified as the Customer of the Service (“Controller”) and ListnPlay Inc, d.b.a Feature.fm. and its Affiliates (as defined below) (“Processor”) (the “Agreement”). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
Whereas, in connection with the performance of its obligations under the Agreement, Processor may Process Controller Personal Data (both as defined below) on behalf of the Controller; and
Whereas, the parties wish to set forth the mutual obligations with respect to the processing of Controller Personal Data by the Processor;
Now therefore, intending to be legally bound, the Parties hereby agree as follows:
Definitions. In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth below:
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Applicable Law” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”) and laws implementing or supplementing the GDPR.
- “Controller Personal Data” means any Personal Data Processed by Processor on behalf of Controller pursuant to or in connection with the Agreement;
- “Data Protection Laws” means Applicable Law and, to the extent applicable, the data protection or privacy laws of any other applicable country as agreed in writing between the Parties.
- “Sub Processor” means any person (excluding an employee of Processor or any Processor Affiliate) appointed by or on behalf of Processor or any Processor Affiliate to Process Personal Data on behalf of the Controller in connection with the Agreement; and
- The terms “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processor”, “Processing” and “Supervisory Authority” shall have the meanings ascribed to them in the GDPR.
Processing of Controller Personal Data.
Processor shall Process Controller Personal Data at the Controller’s instructions as specified in the Agreement and/or this DPA, including without limitation, with regard to transfers of Controller Personal Data to a third country or international organization. Any other Processing shall only be permitted in the event that such Processing is required by EU or Member State to which the Processor is subject. In such event, Processor shall, unless prohibited by such EU or Member State Law, inform Controller of that requirement before engaging in such Processing.
Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) to (i) Process Controller Personal Data for the provision of the services, as detailed in the Agreement (“Services”) and as otherwise set forth in the Agreement and in this DPA; and (ii) transfer Controller Personal Data to any country or territory as reasonably necessary for the provision of the Services and in accordance with Applicable Law.
Controller sets forth the details of the Processing of Controller Personal Data, as required by article 28(3) of the GDPR in Schedule 1 (Details of Processing of Controller Personal Data), attached hereto. The Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue the purposes set forth in Schedule 1, subject to the requirements of this DPA.
Controller represents and warrants that it has and shall maintain throughout the term of the Agreement and this DPA, all necessary rights to provide the Controller Personal Data to Processor for the Processing to be performed in relation to the Services and in accordance with the Agreement and this DPA. To the extent required by Applicable Law, Controller is responsible for obtaining any necessary Data Subject consents to the Processing, and for ensuring that a record of such consents is maintained throughout the terms of the Agreement and this DPA and/or as otherwise required under Applicable Law. In the event that any Data Subject exercises any of its rights under Applicable Law, then Controller shall notify Processor of any such Data Subject request relevant to Processor, within seven (7) business days.
Processor shall take reasonable steps to ensure that access to the Controller Personal Data is limited on a need to know and/or access basis, and that all Processor employees receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access to and use of Controller’s Personal Data.
Processor shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Controller Personal Data, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by the nature of the Processing and the information available to the Processor.
Personal Data Breach.
Processor shall notify Controller without undue delay and, where feasible, not later than within forty eight (48) hours upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data. In such event, Processor shall provide Controller with reasonable and available information to assist Controller to meet any obligations to inform Data Subjects or Supervisory Authorities of the Personal Data Breach as required under the Applicable Law.
At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the parties or required under Applicable Law to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Controller authorizes Processor to appoint (and permits each Sub Processor appointed in accordance with this Section to appoint) Sub Processors in accordance with this Section.
Processor may continue to use those Sub Processors already engaged by Processor as identified to Controller as of the date of this DPA.
Processor may appoint new Sub Processors and shall give notice of the appointment of any new Sub Processor to Controller. If, within seven (7) days of such notice, Controller notifies Processor in writing of any objections (on reasonable grounds) to the proposed appointment, Processor shall not appoint for the processing of Controller Personal Data the proposed Sub Processor until reasonable steps have been taken to address the objections raised by Controller, and Controller has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Controller’s reasonable objections then Controller or Processor may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub Processor without bearing liability for such termination.
With respect to each new Sub Processor, Processor shall:
- Before the Sub Processor first Processes Controller Personal Data, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that the Sub Processor is committed and able to provide the level of protection for Controller Personal Data required by the Agreement; and
- Ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract, including terms which offer materially similar level of protection for Controller Personal Data as those set out in this DPA and that meet the requirements of Applicable Law.
Processor shall remain fully liable to the Controller for the performance of any Sub Processor’s obligations.
Data Subject Rights.
Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Processor shall use commercially reasonable efforts to assist Controller to fulfill Controller’s obligations with respect to such Data Subject requests, as required under Applicable Law, at Controller’s sole expense.
- Promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and
- Ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Law to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Law, inform Controller of that legal requirement before it responds to the request.
Data Protection Impact Assessment and Prior Consultation.
At Controller’s written request and expense, the Processor and each Sub Processor shall provide reasonable assistance to Controller with respect to any Controller Personal Data Processed by Processor and/or a Sub Processor, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws.
Deletion or Return of Controller Personal Data
Processor shall promptly and in any event within up to sixty (60) days of the date of cessation of provision of the Services to Controller involving the Processing of Controller Personal Data (the “Cessation Date”), delete, return or anonymize all copies of those Controller Personal Data, provided however that Processor may, subject to Applicable Law, retain Controller Personal Data.
Subject to additional terms in this Section, Processor shall make available to a reputable auditor mandated by Controller in coordination with Processor, upon prior written request, such information reasonably necessary to demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Processor, provided that such third-party auditor shall be subject to confidentiality obligations.
Any audit or inspection shall be at Controller’s sole expense and shall be subject to the terms of the Agreement, and to Processor’s obligations to third parties, including with respect to confidentiality.
Controller and any auditor on its behalf shall use best efforts to minimize or avoid causing any damage, injury or disruption to the Processors’ premises, equipment, employees and business. Controller and Processor shall mutually agree upon the scope, timing and duration of the audit or inspection in addition to the reimbursement rate for which Controller shall be responsible. Processor need not give access to its premises for the purposes of such an audit or inspection:
- to any individual unless he or she produces reasonable evidence of identity and authority;
- if Processor was not given a prior written notice of such audit or inspection;
- outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis; or
- for the purposes of more than one (1) audit or inspection, in respect of each Processor, in any calendar year, except for any additional audits or inspections which:
- Controller reasonably considers necessary because of genuine concerns as to Processor’s compliance with this DPA; or
- Controller is required to carry out by Applicable Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Applicable Law in any country or territory, where Controller has identified its concerns or the relevant requirement or request in its prior written notice to Processor of the audit or inspection.
Liability and Indemnity
Controller shall indemnify and hold Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Processor and arising directly or indirectly out of or in connection with a breach of this DPA and/or the Applicable Law by Controller.
Governing Law and Jurisdiction.
The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
Order of Precedence.
Nothing in this DPA reduces Processor’s obligations under the Agreement in relation to the protection of Controller Personal Data or permits Processor to Process (or permit the Processing of) Controller Personal Data in a manner that is prohibited by the Agreement.
This DPA is not intended to, and does not in any way limit or derogate from Controller’s own obligations and liabilities towards the Processor under the Agreement, and/or pursuant to the Applicable Law or any law applicable to Controller, in connection with the collection, handling and use of Controller Personal Data by Controller or its Affiliates or other processors or their sub-processors, including with respect to the transfer or provision of Controller Personal Data to Processor and/or providing access thereto to Processor.
Subject to this Section, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
Changes in Data Protection Laws.
Controller may by at least forty-five (45) calendar days’ prior written notice to Processor, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under any applicable Data Protection Law in order to allow Controller Personal Data to be Processed (or continue to be Processed) without breach of that Data Protection Law; and
If Controller gives notice with respect to its request to modify this DPA due to changes in data protection laws as described above:
- Processor shall make commercially reasonable efforts to accommodate such modification request; and
- Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Schedule 1: Details of Processing of Controller Personal Data
This Schedule 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Controller Personal Data
The subject matter and duration of the Processing of the Controller Personal Data are set out in the Agreement, in Processor’s Privacy Notice (“Privacy Notice”) and this DPA.
The nature and purpose of the Processing of Controller Personal Data:
- (ii) Processing initiated by Users in their use of the Services; and
- (iii) Processing to comply with other documented reasonable instructions provided by Controller (e.g., via email) where such instructions are consistent with the terms of the Agreement.
The types of Controller Personal Data to be Processed are as follows:
As detailed in the Privacy Notice.
The categories of Data Subject to whom the Controller Personal Data relates to are as follows:
- (i) Data Subjects who are end users of the Controller’s web and mobile application services.
- (ii) Data Controller individuals or affiliates who log into the application web app
The obligations and rights of Controller
The obligations and rights of Controller and Controller Affiliates are set out in the Agreement and this DPA.