PLEASE READ THE FOLLOWING TERMS CAREFULLY. BY ACCESSING OR USING THE SERVICES THAT MAY ENTAIL PROCESSING OF PERSONAL DATA, YOU AGREE TO BE BOUND BY THESE TERMS. IF YOU DO NOT AGREE TO ALL OF THESE TERMS, YOU MAY NOT ACCESS OR USE THE SERVICES PROVIDED BY US.
This is a Data Processing Agreement (“DPA”) between M.S. Project Zeus CY Limited dba ListBuilders (“Processor”) and you and/or your company/companies (“Controller”) (Controller and Processor shall be known as the “Parties”). The Parties do business pursuant to which the Processor provides services to Controller pursuant to Processor’s terms of service (collectively, the “Services”) that may entail the Processing of Personal Data (as defined below). The Parties may have one or more existing agreements (the “Agreements”).
The European General Data Protection Regulation (GDPR) imposes specific obligation on Controller and other companies (controllers) with regard to their vendor relationships. The GDPR requires companies to conduct appropriate due diligence on processors and to have contracts containing specific provisions relating to data protection.
The Parties are required to comply with all applicable laws. This DPA documents the data protection requirements imposed upon the parties by the GDPR. This DPA is hereby incorporated by reference into any and all Agreements in order to demonstrate the Parties’ compliance with the GDPR. In the absence of any Agreements, this DPA shall stand alone as an agreement between the Parties.
1. For purposes of this DPA, “GDPR” means Regulation (EU) 2016/679, the General Data Protection Regulation, together with any addition implementing legislation, rules or regulations that are issued by applicable supervisory authorities. Words and phrases in this DPA shall, to the greatest extent possible, have the meanings given to them in Article 4 of the GDPR. In particular:
(a) “Personal Data“ has the meaning given to it in Article 4(1) of the GDPR: “any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person,” but only to the extent such personal data pertain to residents of the European Economic Area (EEA) or are otherwise subject to the GDPR.
(b) “Personal Data Breach” has the meaning given to it in Article 4(12) of the GDPR: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
(c) “Processing” has the meaning given to it in Article 4(2) of the GDPR: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”
(d) “Subprocessor” means any processor as defined in Article 4(8) of the GDPR: “a natural or legal person, public authority, agency or other body which processes personal data” on behalf of the Processor (including any affiliate of the Processor).
(e) “Transfer” means to disclose or otherwise make Personal Data available to a third party (including to any affiliate or Subprocessor), either by physical movement of the Personal Data to such third party or by enabling access to the Personal Data by other means.
2. The Controller determines the purposes and means of the processing of Personal Data. The Controller shall comply with its obligations pursuant to the GDPR or any other applicable data protection legislation, including the responsibility to ensure the necessary legal basis for collecting, processing and transfer of Personal Data.
3. In accordance with Article 28(1) of the GDPR, Processor represents that it has implemented appropriate technical and organizational measures in such a manner that its Processing of Personal Data will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects as set forth in Schedule 1 D.
4. In accordance with Article 28(2) of the GDPR, Controller hereby authorizes the Processor to engage its partners and affiliates as Subprocessors to provide the Services without additional written consent of the Controller. Processor shall inform Controller of any intended changes concerning the addition or replacement of Subprocessors and give Controller the opportunity to object to such changes. The Processor shall also comply with the requirements for subprocessing as set forth in Article 28(4) of the GDPR, namely that the data protection obligations set forth herein (and as may otherwise be agreed by the Processor in the Agreements) such be imposed upon the Subprocessor, so that the Processor’s contract with the Subprocessor contains sufficient guarantees that the Processing will meet the requirements of the GDPR.
5. In accordance with Article 28(3) of the GDPR, the Parties agree to the following:
(a) The Processor to the extent required to perform the Services shall only on behalf of the Controller process the Personal Data received from the Controller or tasked by the Controller to produce, acquire or organize (i) as needed to provide the Services, (ii) strictly in accordance with the express authorization and instructions that it has received from CONTROLLER (which may be specific instructions or instructions of a general nature or as otherwise provided by the Controller to the Processor), including with regard to any Transfers, and (iii) as needed to comply with the law (in which case, the Processor shall provide prior notice to CONTROLLER of such legal requirement, unless that law prohibits this disclosure);
(b) Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) Processor shall take all security measures required by Article 32 of the GDPR, namely:
(i) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including for example as appropriate: (a) the pseudonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
(ii) In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
(iii) The Processor shall take steps to ensure that any natural person acting under the authority of the Processor or the Subprocessor who has access to Personal Data does not process them except on instructions from Controller, unless he or she is required to do so by EEA Member State law.
(d) Taking into account the nature of the processing, Processor shall reasonably assist Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Controller obligation to respond to requests for exercising the data subject’s rights;
(e) Taking into account the nature of processing and the information available to the Processor, Processor shall comply with (and shall reasonably assist Controller to comply with) the obligations regarding Personal Data Breaches (as set forth in Articles 33 and 34 of the GDPR), data protection impact assessments (as set forth in Article 35 of the GDPR), and prior consultation (as set forth in Article 36 of the GDPR);
(f) At Controller’s discretion, the Processor shall delete or return all the Personal Data to Controller after the end of the provision of services relating to Processing, and delete existing copies unless applicable EEA member state law requires storage of the Personal Data;
(g) The Processor shall provide Controller with all information necessary to demonstrate compliance with the obligations laid down in the GDPR;
(h) Processor shall allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller to demonstrate compliance with the obligations laid down in the GDPR, provided that Controller bears all costs associated with such audits and inspections; and
(i) The Processor shall immediately inform Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
6. The Processor shall not Transfer any Personal Data (and shall not permit its Subprocessors to Transfer any Personal Data) without the prior consent of Controller.
7. For any Transfer of Personal Data from the European Economic Area (“EAA”) to a country outside of the EAA that has not been deemed by the European Commission to provide an adequate level of data protection, the EU Standard Contractual Clauses (2021/914) published by the European Commission including any successor clauses (“SCCs”) will govern such transfers. To the extent that Controller transfers Personal Data of data subjects of the EEA to Processor outside of the EAA, Module 2 of the SCCs will govern such transfers as determined in accordance with Schedule 1. The Parties agree that, where appropriate, on the date of this DPA they shall complete all relevant details in, and enter into, the SCCs in the form set out in Schedule 1, such being incorporated into and forming part of this DPA.
8. In providing the Services, Processor and its Subprocessors may transfer and access Personal Data to and from other countries where they have operations, or as otherwise required by applicable law. Subject to the obligations set forth in Section 7 above, Controller hereby authorizes Processor to process Personal Data outside the EAA in accordance with Chapter V of the GDPR.
9. The Processor will promptly and thoroughly investigate all allegations of unauthorized access to, use or disclosure of the Personal Data. Processor will notify Controller without undue delay in the event of any Personal Data Breach. Controller is responsible for notifying any governing supervisory authority of such Personal Data Breach in a timely manner.
10. The Processor shall maintain all records required by Article 30(2) of the GDPR, and (to the extent they are applicable to Processor’s activities for Controller) Processor shall make them available to Controller upon request.
11. In case of an audit or any other inspection for compliance by a governing supervisory authority in connection with the processing of Personal Data subject to this DPA, the Processor shall provide reasonable assistance to the Controller, taking into account all relevant information available to the Processor. The Controller shall bear any costs accrued by the Processor related to such assistance.
12. Controller and Processor undertake for a period of two years after the last exchange of information has occurred, to keep confidential any information which has commercial value and is either (i) technical information, including patent, copyright, trade secret, and other proprietary information, techniques, sketches, drawings, models, inventions, know-how, processes, apparatus, equipment, algorithms, software programs, software source documents, and formulae related to the current, future and proposed products and services of the disclosing Party, or (ii) non-technical information relating to a Party’s products, including without limitation pricing, margins, merchandising plans and strategies, finances, financial and accounting data and information, suppliers, customers, customer lists, purchasing data, sales and marketing plans, future business plans and any other information which is proprietary and confidential to the disclosing Party and other information designated as confidential by either Party (hereinafter referred to as “Confidential Information”), including but not limited to the Processor’s and its Subprocessors’ implemented technical and organizational security measures and to protect the Confidential Information at least in the same manner as they do with their own trade secrets.
In addition, Controller and Processor undertake to use the Confidential Information only and exclusively to perform the Services and to meet the duties hereunder. Only with written consent of the other Party has any Party the right to disclose the Confidential Information to third parties who are not associated with the disclosing Party, except that Processor may provide Personal Data for processing purposes to its Subprocessors. Information is not considered Confidential Information as defined herein that (a) was generally available to the public without violation of any obligation of confidentiality, (b) that either of the parties can prove to have known prior to the disclosure by the other Party, that (c) is rightfully received from a third party without restriction on disclosure; (d) is independently developed by the receiving Party; or (e) is disclosed pursuant to judicial order, pursuant to requirement of a governmental agency, or by operation of law. If a Party bound by confidentiality discloses such a fact, then that Party shall inform the other Party within a reasonable time so as to allow the latter to take the required action to safeguard confidentiality and/or to reasonably satisfy the information requirement by other means.
Recognizing that improper use or disclosure of Confidential Information may cause the disclosing Party irreparable damage for which other remedies may be inadequate, the nonbreaching Party shall be entitled to equitable relief to protect its interest therein, including but not limited to injunctive relief, as well as money damages notwithstanding anything to the contrary contained herein.
13. Controller agrees, at its sole expense, to defend, indemnify and hold Processor, and its agents, affiliates, subsidiaries, directors, officers, employees, contractors, suppliers, and their respective directors, employees and agents, harmless from and against any and all actual or threatened suits, actions, proceedings (at law or in equity), claims, damages, payments, deficiencies, fines, judgments, settlements, liabilities, losses, costs and expenses (including, but not limited to, reasonable attorney fees, costs, penalties, interest and disbursements) caused by, arising out of, resulting from, attributable to or in any way incidental to any data processing activities which are subject to this DPA.
14. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL PROCESSOR OR ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, CONTRACTORS, AGENTS, SUPPLIERS, SUBPROCESSORS OR LICENSORS BE LIABLE FOR PERSONAL INJURY, OR ANY INCIDENTAL, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF SALES OR BUSINESS, LOSS OF DATA, BUSINESS INTERRUPTION OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OF OR INABILITY TO USE THE SERVICES, HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT OR OTHERWISE) AND EVEN IF PROCESSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL PROCESSOR’S TOTAL LIABILITY TO CONTROLLER FOR ALL DAMAGES (OTHER THAN AS MAY BE REQUIRED BY APPLICABLE LAW IN CASES INVOLVING PERSONAL INJURY) EXCEED THE AMOUNT CONTROLLER HAS PAID FOR PROCESSOR’S SERVICES IN THE LAST SIX (6) MONTHS, OR, IF GREATER, THE AMOUNT OF ONE HUNDRED DOLLARS ($100.00).
15. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY FOR PERSONAL INJURY, OR OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY. Any controversy or claim arising out of or relating to this DPA, or the breach thereof, shall be settled by arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, and judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof.
16. This DPA will be governed by the laws of the State of Delaware without regard to its conflict of law provisions. With respect to any disputes or claims not subject to arbitration, as set forth above, Controller and Processor agree to submit to the personal and exclusive jurisdiction of the state and federal courts located within the State of Delaware.
17. If any provision of this DPA shall be deemed unlawful, void or for any reason unenforceable, then that provision shall be deemed severable from this DPA and shall not affect the validity and enforceability of any remaining provisions.
18. With questions about this DPA you may contact Processor at the following email address: [email protected].
Incorporation of EU Standard Contractual Clauses (2021/914)
Specific to Annex I of the SCCs:
A. LIST OF PARTIES
The Controller who entered into the DPA with Processor is a controller of the Personal Data; (Module 2 applies). The Controller is also the data exporter.
The Controller agrees to appoint a single point of contact for all matters related to the DPA and the Processing of Personal Data:
* Please insert n/a if not applicable
M.S. Project Zeus CY Limited dba ListBuilders is a Processor of the Personal Data on the Controller’s behalf and is also the data importer of Personal Data:
M.S. Project Zeus CY Limited dba ListBuilders
118 Tomb of The Kings Road
Paphos. Cyprus, 8015
Dover DE 19901
Email: [email protected]
Phone number: (929)-333-3559
B. DESCRIPTION OF PROCESSING / TRANSFER
Categories of Data Subjects
Unless otherwise specified by the data exporter, transferred Personal Data relates to the following categories of data subjects:
- Employees, contractors and temporary workers (current, former, prospective) and other contact persons of data exporter, , the extent of which is determined and controlled by the data exporter in its sole discretion; and
- Potential prospects, customers, business partners and suppliers of the data exporter, employees and contact persons of such prospects, customers, business partners and suppliers of data exporter, or other individuals with whom the data exporter may want to interact in the course of its business.
Categories of Data Transferred
The transferred Personal Data may be collected and/or processed includes data in multiple formats, including email, documents and other electronic forms. Depending on the applicable use of the Services, Processor may collect and/or process Personal Data from any of the following categories:
- Individual Identifiers – This includes information like a name, email address, physical address, telephone number, employer and employment information, title, position, professional life data, personal life data, localization data, login alias, IP address or other information that identifies the data subject regardless of the relationship to Processor or Controller.
- Customer Records – This includes information like a data subject’s company name, job title, account number, customer identifier, or other information that relates to a data subject as a customer of Processor or Controller.
- Commercial Information – This includes payment card data, financial account information, account information, records of products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies of the customer, and other information necessary to collect and process payment for products and services ordered by the customer.
- Electronic Network Information – This includes information like browser and device data, and internet or network activity information, such as activity on our websites and Services, data collected through cookies, pixel tags and other technologies, and other information that is generated through the end user’s use of the internet to access our websites.
Frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
The transfer may occur on a continuous or one-off basis depending on the Products or Services outlined in the underlying agreement(s).
Nature of the processing
Processing may include the collection, use, analysis, storage, and deletion, including the sharing of data with authorized third party subprocessors for the purposes of providing, monitoring, and improving products or services.
The transferred Personal Data may be subject to the following basic processing activities:
- use of Personal Data to set up and provide the Services, including communication to customers;
- continuous improvement of product or service features and functionalities provided as part of the Services including automation, transaction processing and machine learning;
- provision of Services;
- process and complete transactions in connection with the Services (e.g., to enable you to purchase products we offer on our website);
- to request feedback and to otherwise contact customers about the Services;
- to respond to customer emails, questions, comments, requests and complaints, and to provide customer service;
- to monitor and analyze website usage and trends;
- to personalize and improve the website, and our users’ experiences with the website (such as providing content or features that match interests), and to increase the website’s functionality and user friendliness;
- to send customer confirmations, updates, security alerts and support and administrative messages, and otherwise facilitate customer’s use of, and Processor’s administration and operation of the Services;
- to notify customer about important changes to the Service;
- for any other purpose for which the information was collected.
Purpose(s) of the data transfer and further processing
The data transfer to Processor is required to provide the Services, and support, monitor, develop and improve the Services, and to develop new related Services.
Data Retention Period
Processor will retain Personal Data for as long as needed or permitted in light of the purpose(s) for which it was obtained per the underlying Agreement and consistent with applicable law. Transfers to Sub-processors shall be on the same basis.
C. COMPETENT SUPERVISORY AUTHORITY
In respect of the applicable Module 2 of the SCCs, the Controller’s supervisory authority is the supervisory authority in accordance with Clause 13 of the Clauses.
Specific to Annex II of the SCCs:
D. TECHNICAL AND ORGANISATIONAL MEASURES
Processor maintains an information security program that contains physical, technical, and organizational measures designed to protect Personal Data in Processor’s possession or control. This Subsection D describes core measures that Processor has in place to protect the security of Personal Data. Processor may modify these security measures from time to time, provided that such modifications will not materially reduce the overall level of protection for Personal Data.
- Information Security Policies and Procedures
Processor’s information security program includes policies and procedures designed to:
- Maintain the confidentiality, integrity, and availability of Personal Data in Processor’s possession or control;
- Protect such Personal Data against unauthorized access, use, disclosure, alteration, or destruction; and
- Identify and mitigate potential threats or hazards to the security of the Personal Data.
- Physical Security
Processor maintains physical security controls to prevent unauthorized access to the information systems in which Personal Data is stored.
- Technical Security
Processor maintains technical security controls designed to:
- Restrict access to the information systems in which Personal Data is stored.
- Protect Personal Data from unauthorized access during electronic transmission, transport or storage by Processor.
- Organizational Security
Processor maintains policies, procedures, and technical controls to limit access to Personal Data to authorized persons, and to remove access rights promptly in the event of a change in job status.
- Business Continuity
Processor maintains disaster recovery and business continuity plans to mitigate the effects of natural disasters, emergencies, or similar events on Processor’s information systems and Processor regularly reviews and updates these plans to keep them up-to-date.
Processor maintains protocols for the disposal of equipment and media containing Personal Data, to guard against unauthorized access to Personal Data during or after the disposal process.
Specific to Annex III to the Clauses:
E. AUTHORIZED SUB-PROCESSORS
Subject to and in accordance with Clause 9(a) in Module 2, Processor has Controller’s general authorization to engage Sub-processors, which includes any of Processor’s affiliates.
Specific to Clause 17 of the SCCs:
F. GOVERNING LAW
The Clauses shall be governed by the law of the EU Member State in which the primary place of business of Controller is located. Provided such primary place of business is not located in an EU Member State, the Parties agree that this DPA shall be governed by the laws of Germany without regard to conflict of law principles.
Specific to Clause 18(b) of the Clauses:
G. CHOICE OF FORUM AND JURISDICTION
The Parties agree to the jurisdiction of the competent courts of the EU Member State in which the primary place of business of Controller is located. Provided such primary place of business is not located in an EU Member State, the Parties agree to the jurisdiction of the competent courts in Munich, Germany.