DPA

LAST UPDATED: JAN 25, 2024

 

TWMP Data Processing Addendum (DPA)

Based on the General Data Protection Regulation (GDPR) and European Commission Decision 2010/87/EU - Standard Contractual Clauses (Processors)

This Data Processing Addendum (“DPA”) supplements the Ordering Document as well as the TWMP Software as a Service Agreement, as updated from time-to-time between the Merchant and Top Web Marketing Platforms LLC (“Agreement”) when the GDPR applies to your use of the TWMP Services to process Personal Data (“Data”). The Services provide the Merchant with a number of controls, including security features and functionalities, that the Merchant may use to retrieve, correct, delete or restrict Data as described in the DPA. The Merchant may use these controls as technical and organizational measures to assist it in connection with its obligations under the GDPR, including its obligations relating to responding to requests from data subjects.
This DPA is an agreement between you or the entity you represent (“Merchant”, “you” or “your”) and Top Web Marketing Platforms LLC (“TWMP”), both referred to as “The Parties”. This DPA applies when Personal Data is processed by TWMP. In this context, TWMP will act as “Processor” to the Merchant who may act as “Controller” with respect to Merchant Personal Data (as each term is defined in the GDPR).
This DPA consists of distinct parts: this body and its set of definitions and provisions, the Annex 1 (Standard Contractual Clauses), and Appendices 1-3.

 

HAVING REGARD TO THE BELOW FACTS, and in particular that:

• The Merchant wishes to use the Services offered by TWMP based on their Agreement, and the latter is willing to provide the said services to the Merchant.
• The Merchant has determined the purpose of and the means for the processing of personal data as governed by the terms and conditions referred to herein; Therefore, it is hereby deemed to be the responsible party within the meaning of article 5, 24 of the GDPR;
• TWMP has undertaken to comply with this DPA and to abide by the security obligations and all other aspects of the General Data Protection Regulation (EU 679/2016), and EU and Greek data protection laws, and regulations, as in force. Therefore, TWMP is hereby deemed to be the Processor within the meaning of article 28 of the GDPR.
• TWMP guarantees in terms of its resources and expertise to implement technical and organisational measures to comply with the GDPR and protect the rights of the data subjects (e.g. evidence of organizational and technical measures taken, confidentiality clauses signed by each Processor’s employees, certifications, etc.).
• The Parties, having regard also to the provisions of article 28 of the GDPR, wish to lay down their rights and duties in writing in this Data Processing Addendum.

1. Definitions
1.1 Capitalized terms used but not defined in this DPA have the meanings given elsewhere in the Addendum. In this DPA, the following terms shall have the meanings set out:

1.1.1 "Agreement" means the contract in effect between the parties, namely the TWMP SaaS Agreement along with the Ordering Document;
1.1.2 "Data Processing Addendum" means this agreement, including all annexes and addendums attached herein, as these may be modified from time to time;
1.1.3 “Data Protection Law” means any and all data protection laws and regulations that apply to the Processing of Personal Data by TWMP under the Agreement;
1.1.4 “Documented Instructions” means this DPA along with the Ordering Document and the Agreement (including the Documentation), which constitute the Merchant’s documented instructions regarding TWMP’s processing of Merchant Personal Data.
1.1.5 “Data Subject” means an identified or identifiable natural person, to whom Personal Data relates;
1.1.6 "Applicable Laws" means (a) European Union or Member State laws with respect to any Personal Data in respect of which the Merchant is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Personal Data in respect of the Merchant subject to any other Data Protection Laws;
1.1.7 "Controller" means you or the entity you represent, which determines the purposes and the means of processing of personal data, namely the Merchant.
1.1.8 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.1.9 “Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
1.1.10 "Processor" means the entity, which processes the Personal Data on behalf of the Merchant and under its instructions as provided thereof, namely TWMP.
1.1.11 "Sub-processor" means any person (including any third party and any affiliate of TWMP), appointed by or on behalf of TWMP to process Personal Data on behalf of the Merchant in connection with the Agreement.
1.1.12 "Merchant Personal Data" means any Personal Data processed by TWMP on behalf of the Merchant pursuant to or in connection with the Agreement, and this Data Processing Agreement (listed in Appendix 1).
1.1.13 "Data Protection Laws" means all laws and regulations, including legislative instruments of the European Union, the European Economic Area, and their member states, applicable to the processing of personal data under the DPA, and in particular the General Data Protection Regulation (EU 679/2016), and EU and Greek data protection laws, and regulations, as in force (henceforth the “GDPR” and the “EU/Greek law” respectively).
1.1.14 "EEA" and "EU" means the European Economic Area, and the European Union respectively.
1.1.15 "GDPR" means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); and any subsequent amendments.
1.1.16 "Services" means the services and other activities to be supplied to or carried out by or on behalf of TWMP for the Merchant pursuant to the Agreemen.
1.1.17 "Standard Contractual Clauses" means the contractual clauses set out in Annex 1, amended as indicated (in square brackets and italics) in this DPA; attached to and forming part of this DPA pursuant to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to Processors established in third countries.
1.1.18 "Sensitive Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and data concerning a natural person's sex life or sexual orientation;
1.1.19 "Special Personal Data" means one or more of the following categories of Personal Data: Health Data, Sensitive Data, Genetic Data, Biometric Data or Judicial Data;

1.2 Other terms have the definitions provided for them in the applicable EU legislation, the Agreement or as otherwise specified below.
2. Scope and order of precedence
In respect of the provision of the Services and related support services and on behalf of the Merchant, TWMP processes the Merchant Personal Data according to the Agreement and this Data Processing Addendum.
This Data Processing Addendum aims to ensure compliance with Data Protection Laws including the safeguard for the protection of privacy and the fundamental human rights and freedoms in connection with TWMP being granted access to process the Personal Data.
Except as expressly stated otherwise, in the event of any conflict between the terms of the Ordering Document along with TWMP SaaS Agreement and the terms of this Data Processing Addendum, the relevant terms of this Data Processing Addendum shall take precedence as regards data protection issues. In the event of any conflict or inconsistency between this DPA and the Model Contract, the Model Contract shall prevail. This Data Processing Agreement shall be effective for the Services Period of any other similar service placed under the Agreement.
3. Processing of Merchant Personal Data
3.1 TWMP shall process Personal Data only: (a) in a manner consistent with your documented instructions including (i) to provide the Services, (ii) as permitted under the Agreement, and (iii) consistent with other reasonable instructions; and (b) with prior notice (unless notice is legally prohibited), as required by applicable law. Without limiting the foregoing, TWMP will not collect, retain, use, or disclose the Personal Data for any purpose other than as necessary for the specific purpose of performing the Services, including not collecting, retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services.
3.2 TWMP shall:
3.2.1 comply with all applicable Data Protection Laws in the processing of Merchant Personal Data and in accordance with the conditions laid down in this Data Processing Addendum;
3.2.2 not process Merchant Personal Data other than as instructed on your relevant Documented Instructions unless processing is required by applicable laws to which TWMP is subject, in which case TWMP or the relevant Sub-processor shall, to the extent permitted by applicable laws inform you of that legal requirement before the relevant processing of that Personal Data. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between you and TWMP, including agreement on any additional fees payable by you to TWMP for carrying out such instructions
3.2.3 consider that if any instruction violates the GDPR or any other Member State’s data protection provision, TWMP shall immediately inform you thereof.
3.2.4 inform you of: (a) any request by a public authority for transfer of Merchant Personal Data covered by the Agreement, unless the notification is explicitly prohibited by law, e.g. pursuant to rules designed to ensure the non-disclosure of investigations performed by a law-enforcement authority; (b) of any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority that it receives and which relates to the processing of the Data, and their disclosure; and (c) any request for access received directly from the data subject or from a third party unless such procedure has been approved.
3.2.5 will not publish any of the Merchant Personal Data without your written approval and should approval be given TWMP will adhere to any disclosure policies that apply.

3.3 You or the entity you represent shall:
3.3.1 instruct TWMP (and authorize TWMP to instruct each Sub-processor; if any) how to process Merchant Personal Data;
3.3.2 take adequate steps to maintain appropriate security, protection, and deletion of the Merchant Personal Data;
3.3.3 protect the Merchant Personal Data from unauthorized access; and
3.3.4 take appropriate measures to control access rights to the Merchant Personal Data; and
3.3.5 ensure that your authorized users maintain accurate contact information on record with TWMP.

4. Security and Safeguards
4.1 With regard to the TWMP Personnel – Obligation of non-disclosure – confidentiality – access rights
4.1.1 TWMP shall take reasonable steps to ensure the reliability of any of his employees, agents or contractors or any Sub-processors who may have access to the Merchant Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Merchant Personal Data, as strictly necessary for the purposes of the Agreement and this Data Processing Agreement, and to comply with Applicable Laws in the context of those individual's duties. TWMP ensures that its personnel engaged in processing of the Merchant Personal Data are informed of the confidential nature of the Merchant Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality, and such obligations survive the termination of that persons’ engagement with TWMP.
4.1.2 TWMP, or its personnel, or partners, shall not disclose the Merchant Personal Data to third parties, unless expressly authorized by you, in the events legally admissible. TWMP may disclose the Merchant Personal Data to other Processors in accordance with your instructions. In this case, you shall previously identify in writing the recipient entity, the data to be disclosed and the security measures to be applied to the disclosure, and in any case where such permission is given, TWMP shall ensure that the other person(s) are engaged by confidentiality in writing, are fully aware of the procedures to be followed and that they comply with them.
4.1.3 TWMP will not allow any other person(s) access to the Merchant Personal Data without your written permission.

4.2 Security:
4.2.1 TWMP as a Processor and any Sub-processor shall implement the technical and organisational measures necessary pursuant to Art. 28 (3) of the GDPR. TWMP must implement and thus safeguard the Merchant Personal Data with the necessary technical and organisational measures (inter alia with regard to storage, computing, networking access, transfer, input, order and availability control), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Art. 32(1) of the GDPR. In particular, the technical and organizational measures indicatively mentioned in Appendix 2 should be applied.
4.2.2 Protective measures could include using state-of-the-art software, computers and encryption methods as well as the use of adequate access controls, password procedures, automatic blocking, case specific authorization concepts, logging and documentation of processes and the implementation of a data security concept. The adopted security measures are appropriate to protect Merchant Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation. TWMP will endeavour to ensure that the security measures are of a reasonable level, having regard to the state of the art, the sensitivity of the personal data and the costs related to the security measures.
4.2.3 The measures shall be updated by TWMP at regular intervals based on the state of the art, best practices, and any security incident(s).
4.2.4 In assessing the appropriate level of security, TWMP as a Processor and any Sub-processor shall take into account the risks incurred by the processing, in particular from a Personal Data Breach.

5. Data Subject Rights
5.1 TWMP or any of its Sub-processors shall not respond to requests regarding the answer to the exercise of the rights of: access, rectification, erasure and objection, restriction of the processing, data portability, not to be subject to automated individual decisions (including the elaboration of profiles).
5.2 However, taking into account the nature of the processing, TWMP shall assist you for the fulfilment of your obligations as a Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws by implementing appropriate technical and organizational measures.
6. Personal Data Breach
6.1 TWMP shall notify you without undue delay and in no event within the maximum term of 48 hours, upon TWMP or any Sub-processor becoming aware of a Personal Personal Data Breach affecting Merchant Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform the Supervisory Authority or Data Subjects of the Personal Personal Data Breach under the Data Protection Laws.
6.2 TWMP shall co-operate with you and take such reasonable steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach. In particular, in the event of incident or Data Breach, TWMP shall take all measures necessary and appropriate to restore the Data and/or to limit the negative impact of the incident or the Personal Data Breaches much as possible (including but not limited to the provision of forensic assistance), it being understood that you shall, where reasonably possible, always consult TWMP on the measures to be taken.
6.3 TWMP shall also cooperate in notifying the Supervisory Authority (-ies), and/or Data subjects. In any case, you remain the responsible party for any statutory obligations in respect thereof.
6.4 Without prejudice to the legal obligations of TWMP as a Processor, you shall be the only responsible party for the notification of the incident and/or the Personal Data Breach to the competent Supervisory Authority(ies) and/or the Data Subject(s).
7. Duty to report
In the event of a security incident, TWMP has the duty to report it to you. After this, TWMP shall determine whether or not to inform the Data Subjects and/or the competent Supervisory Authorityy (-ies). This duty to report applies irrespective of the impact of the incident to Data Subjects.
8. DPIA and Prior Consultation
8.1 TWMP and any Sub-processor shall provide you with reasonable assistance with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities as per by Art. 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in relation to the processing of Merchant Personal Data.
8.2 In particular, TWMP commits to assisting you with the analysis of the question whether a Data Protection Impact Assessment (“DPIA”) is necessary for the Processing of Merchant Personal Data by you. This for example implies that if the Processing by you requires the use of new technologies, TWMP shall inform you hereof prior to the Processing of the Merchant Personal Data. The obligation and the respective liability for assessing whether a DPIA is required, and conducting the said assessment lies exclusively on you.
8.3 When you find it necessary to conduct a DPIA, or to update one, TWMP commits to assisting you in its execution.

9. Deletion or return of Merchant Personal Data
9.1 TWMP will enable you and/or End Users to delete Personal Data during the term of the Agreement in a manner consistent with the functionality of the Services.
9.2 TWMP and any Sub-processors shall promptly and in any event within five (5) working days of the date of cessation of any Services involving the processing of Merchant Personal Data (the "Cessation Date"), securely and irreversibly delete or return to you all the Merchant Personal Data after the end of the provision of Services relating to processing, and delete, or procure the deletion of all copies of those Data.
9.3 You may in your absolute discretion by written notice to TWMP within five (5) working days of the Cessation Date require TWMP and any Sub-processor to (a) return a complete copy of the Merchant Personal Data to you by secure file transfer when reasonably requested; and (b) delete and procure the deletion of all other copies of Merchant Personal Data processed by TWMP and any Sub-processor.
9.4 TWMP and any Sub-processor may retain Merchant Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that TWMP and any Sub-processor shall ensure the confidentiality of all such Merchant Personal Data within this time and beyond, and shall ensure that such Merchant Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
9.5 The Parties agree that, upon the request of the Merchant, within ten (10) working days of the Cessation Date, TWMP shall provide written certification of destruction.
10. Audit rights
10.1 If the European Data Protection Legislation applies to the processing of Merchant Personal Data In order to verify compliance with this Data Processing Agreement, you shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow TWMP’s reasonable security requirements, and will not interfere unreasonably with TWMP’s business activities. In the case where a third party auditor is engaged, the third party must execute a written confidentiality agreement before conducting the audit.
10.2 TWMP shall make available upon your request to your advisor (third party) all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections by you or an auditor mandated by you in relation to the processing of the Merchant Personal Data by TWMP or any Sub-processor.
10.3 The audit may only be undertaken solely when there are specific grounds for suspecting the misuse of Merchant Personal Data, and no earlier than two weeks after TWMP was provided with written notice.
10.4 The findings in respect of the performed audit will be discussed and evaluated by the Parties and, where applicable, implemented accordingly as the case may be by one of the Parties or jointly by both Parties.
10.5 The costs of the audit will be borne by the Merchant.
11. Statements and Declarations
11.1 On TWMP’s behalf that:
  • Currently it has no reason to believe that the legislation applicable to data protection prevents it from fulfilling the instructions received from you and its obligations under this DPA and the Agreement.
  • Shall take no unilateral decisions regarding the processing of the personal data for other purposes, including decisions regarding the provision thereof to third parties and the storage duration of the data.
  • TWMP commits to appointing suitably qualified and capable contact person(s) concerning this DPA. Use this email address to contact this person dpa-contact@twmp.us
  • TWMP acknowledges all its distinct and autonomous obligations based on the GDPR.
On your or your entity’s behalf that:
  • All personal data processed on your behalf shall remain your property and/or the relevant Data Subjects;
  • The processing is lawful according to the principles of processing as per article 5 of the GDPR and based on any of the legal conditions referred in articles 6 and/or 7,8 (if consent). The contents of the data are not unlawful and do not infringe any rights of a third party.

11.2 On both Parties’ behalf that:
  • The parties will negotiate in good faith with respect to any other change in the services offered, or in the event of new privacy legislation.

12. General Terms
If there is a conflict (a) the terms of this DPA will prevail over the terms of the Agreement and (b) the Standard Contractual Clauses will prevail over this DPA. Except for the matters covered by this DPA, all terms of the Master Agreement, remain in effect.
12.1.1 This DPA may be amended from time to time and in particular if the European Commission or the national Supervisory Authority adopts Model Contract(s) pursuant to Article 28(7) and/or Article 28(8) of the GDPR.
12.1.2 The amendments and additions to the DPA are only valid if explicitly agreed upon by the Parties in writing.

12.2 You may:
12.2.1 by at least 30 (thirty) calendar days' written notice to TWMP from time to time propose any other variations to this DPA which you reasonably consider to be necessary to address the requirements of any Data Protection Law.

12.3 The DPA is severable. If one or more provisions that do not concern the essence of the Data Processing Agreement are declared entirely or partially invalid, null and void or unenforceable, this shall not affect the validity and enforceability of the remaining provisions. The DPA shall in such event continue to exist between the Parties, as if the provision declared invalid, null and void or unenforceable had never existed. In that case, the Parties commit to renegotiate the DPA in good faith, to amend the provision declared (entirely or partially) null and void, invalid or unenforceable or replace it by a provision which lends itself as close as possible to the purpose of the provision declared invalid, null and void or unenforceable.
13. Termination – Effect
13.1 The DPA enters into force on the date of signing of the accompanying Ordering Document and the Agreement incorporated into it (the Effective Date).
13.2 This DPA shall continue in force until the termination of the Agreement (the “Termination Date”) in accordance with its terms.
13.3 The violation of any term of the present DPA is considered a “material breach”.
13.4 Without prejudice to the respective clause of the Agreement, either Party shall be permitted to terminate the Agreement, and this DPA on written notice to the other if the other is in material breach of this Agreement and (where the breach is capable of remedy) has failed to remedy the breach within thirty (30) days of receiving notice of the breach.
14. Notices
Formal written notices to be given under or in connection with this DPA shall be made in writing in English, including via email.
15. Applicable law
15.1 This DPA, and all non-contractual or other obligations arising out of or in relation to, shall be governed by the law of the Member State in which the data exporter, namely the Merchant is established.
15.2 This DPA is entered into and becomes a binding part of the Agreement with effect from the Effective Date as set out in the accompanying Ordering Document.

 

ANNEX 1: STANDARD CONTRACTUAL CLAUSES

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries:
The entity identified as “Merchant” in the DPA
(the “data exporter”)
and
Top Web Marketing Platforms LLC
Address: 18529 Bittern Ave., Lutz, FL 33558 USA
(the “data importer”)
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
Background

The entity identified as data exporter has entered into a data processing agreement (“DPA”) with the data importer, meaning Top Web Marketing Platforms LLC (together the “parties”). Pursuant to the terms of the DPA, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Contractual Clauses (the Clauses).

Clause 1
Definitions

For the purposes of the Clauses:
(a) 'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and 'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data; [If these Clauses are governed by a law which extends the protection of data protection laws to corporate persons, the words “except that, if these Clauses govern a transfer of data relating to identified or identifiable corporate (as well as natural) persons, the definition of "personal data" is expanded to include those data” are added.]
(b) 'the data exporter' means the controller who transfers the personal data;
(c) 'the data importer' means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC; [If these Clauses are not governed by the law of a Member State, the words "and who is not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC" are deleted.]
(d) 'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) 'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) 'technical and organisational security measures' means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2
Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3
Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4
Obligations of the data exporter

The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter's behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Addendum 4 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Addendum 4, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5
Obligations of the data importer

The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Addendum 4 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Addendum 4 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6
Liability

1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7
Mediation and jurisdiction

1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.

2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8
Cooperation with supervisory authorities

1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9
Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10
Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11
Subprocessing

1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor's obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter's data protection supervisory authority.

Clause 12
Obligation after the termination of personal data processing services

1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessors warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

 

APPENDIX 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and includes certain details of the processing of the Data as required by Article 28(3) GDPR.
Data exporter
The data exporter is the entity identified as “Controller” in the DPA.
Data importer
The data importer is Top Web Marketing Platforms LLC, a provider of software as a service.
Data subjects
The personal data transferred concern the Data Exporter’s Authorized Users, and the End Users (customers and prospective customers).
Categories of data
The personal data transferred concern the following categories of data:

  • First and last name;
  • Contact details; including email address, mailing address, street address, postcode, and/or mobile telephone number;
  • Gender;
  • Date of birth;

and any other personal information requested by us and/or provided by the Controller.
Special categories of data (if appropriate)
None anticipated.
Processing operations
The personal data transferred will be subject to the following basic processing activities:
The objective of Processing of Personal Data by the data importer is the performance of the Services pursuant to the TWMP SaaS Agreement.

 

APPENDIX 2: MINIMUM ORGANISATIONAL AND TECHNICAL SECURITY MEASURES

This Appendix forms part of the Clauses. The technical and organizational security measures implemented by the data importer are as described in the DPA. You can also contact us for more details.
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Organisational measures:

  • Security policy and procedures for the protection of Data: The security policy is a high level document that sets the basic principles for the security and protection of Data in an organisation. It, thus, forms the basis for the implementation of all specific technical and organisational measures.
  • Roles and responsibilities related to the use of Data shall be clearly defined and allocated in accordance with the security policy. Roles and responsibilities related to the use of Data shall be clearly defined and allocated in accordance with the security policy.
  • Access control policy: An access control policy shall be detailed and documented. The Processor shall determine in this document the appropriate access control rules, access rights and restrictions for specific user roles towards the processes and procedures related to Data.
  • Handling of Incidents / Data Breaches: An incident response plan with detailed procedures shall be defined to ensure effective and orderly response to incidents pertaining Data.
  • Subprocessors: Formal requirements and obligations shall be formally agreed between the Processor and the Subprocessor. The Subprocessor shall be able to provide sufficient documented evidence of compliance.

Technical measures
  • Information Security Program. Processor and/or our subprocessors will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Controller secure Controller Personal Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Services, and (c) minimise security risks, including through risk assessment and regular testing. Processor and/or our subprocessors will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include the following measures:
  • Network Security. The Network will be electronically accessible to employees, contractors and any other person as necessary to provide the Services. Processor and/or our subprocessors will maintain access controls and policies to manage what access is allowed to the Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Processor and/or our subprocessors will maintain corrective action and incident response plans to respond to potential security threats.
  • Physical Security
    • Physical Access Controls. Physical components of the Network are housed by the Processor and/or our subprocessors in nondescript facilities. Controls are used to prevent unauthorized entrance to the facilities. Employees and contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor is at any of the facilities, and are continually escorted by authorised employees or contractors while visiting the facilities.
    • Limited Employee and Contractor Access. Processor and/or our subprocessors provide access to the facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of the Processor and/or our subprocessors.
    • Physical Security Protections. All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the facilities are monitored by video surveillance cameras designed to record all individuals accessing the facilities.
  • Continued Evaluation. Processor and/or our subprocessors will conduct periodic reviews of the security of the Network and adequacy of its information security program as measured against industry security standards and its policies and procedures. Processor and/or our subprocessors will continually evaluate the security of the Network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
  • Access control and authentication: An access control system applicable to all users accessing the IT system shall be implemented. The system shall allow creating, approving, reviewing and deleting user accounts.
  • Workstation security: Anti-virus applications and detection signatures shall be configured on a daily basis.
  • Backup: Full backups shall be carried out regularly.

 

APPENDIX 3: SUBPROCESSOR(S) NOTIFIED BY THE DATA PROCESSOR AND APPROVED BY THE DATA CONTROLLER

This Appendix forms part of the Clauses. The Controller consents to Processor’s use of sub-processors as described in this Section. Except as the Controller may otherwise authorize, Processor will not permit any sub-processor to carry out processing activities on the Merchant Personal Data on behalf of the Controller.
The list of Subprocessors approved by the data importer as of the effective date of the DPA is as set forth on https://twmp.us/terms-for-merchants/subprocessors
The Processor undertakes also the obligation to keep the list on the above webpage updated when changes are made and to notify the Controller every time a material change exist in relation to its content.