Data Processing Addendum

  1. Crono Ltd., with a registered office in 2nd Floor 168 Shoreditch High Street, E1 6RA, London, United Kingdom, (the “Processor”), has entered into an agreement with any organization subscribing to its services and accepting its terms and condition (the “Controller”) according to which the Processor is obliged to process Controller end-user data to grant the Controller access to Processor’s services (the “Agreement”);
  2. the fulfillment of the Agreement requires the Processor to process personal data of several data subjects (the Controller’s end-users) on behalf of the Controller as further described in Annex I (respectively, “Personal Data” and “Data Subjects”);
  3. Regulation (EU) 2016/679 on the protection of natural persons about the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “Data Protection Law”) requires to regulate the processing activities carried out by the Processor through a legal act binding on the processor and providing specific instructions as to the processing of the personal data;
  4. the Processor provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Data Protection Law and ensure the protection of the rights of the Data Subjects;
  5. with this data processing agreement (the “Data Processing Agreement”), the Controller and the Processor intend to regulate the processing of Personal Data necessary to execute the Agreement according to the applicable Data Protection Law.
 

Now, Therefore

the Controller and the Processor have entered into this Data Processing Agreement as follows.

  • Purpose of the regulation

The purpose of this Data Processing Agreement is to govern the processing activities that the Processor will carry out on behalf of the Controller to execute the Agreement and to establish the conditions under which the Processor may process the Personal Data relating to the Data Subjects.

  • Obligations of the processor 

The Processor undertakes to:

  1. process the Personal Data exclusively on behalf of the Controller, only as long as necessary to execute the Agreement, and in accordance with the Data Protection Law and the instructions and conditions provided by the Controller with this Data Processing Agreement;

  2. ensures that the persons processing the Personal Data under its authority, including its employees, interns, and consultants, have committed themselves to confidentiality and have received proper instructions to process the Personal Data in accordance with the Data Protection Law and the instructions provided by the Controller;

  3. implement all technical and organizational measures to ensure a level of security appropriate to the risk presented by the nature, scope, context, and purposes of the processing of Personal Data;

  4. when engaging another processor (the “Sub-processor”),
     
    • appoint only Sub-processors providing sufficient guarantees to implement appropriate technical and organizational measures to respect the requirements of the Data Protection Law;
    • impose on the Sub-processor, by way of a contract, the same obligations imposed on the Processor under this Data Processing Agreement;
    • inform the Controller of such appointment;

  5. notify the Controller of any request received by Data Subjects and assist the Controller in fulfilling such requests;

  6. assist the Controller to:

    • identify and implement adequate technical and organizational measures; 
    • identify and notify a data breach to the competent supervisory authority without undue delay after having become aware of it;
    • notify a data breach to the Data Subjects when it is likely to result in a high risk to the rights and freedoms of natural persons; 
    • carry out a data protection impact assessment and consult the authority on its results when it indicates that the processing would result in a high risk for the Data Subjects;

  7. upon the termination of this Data Processing Agreement, at the choice of the Controller, delete or return to the Controller all Personal Data, except where retaining Personal Data is required to comply with an obligation upon the Processor, in which case it shall inform the Controller of such obligation;

  8. upon request of the Controller, made available all information necessary to demonstrate compliance with the instructions provided for in this Data Processing Agreement. The Processor also undertakes to allow the Controller to carry out audit activities by itself or, at its own cost, through an independent auditor to verify the compliance with the instructions set out in this Data Processing Agreement. In any case, the Controller undertakes to:

    • keep all the information collected during the audit as confidential;
    • inform the Processor at least 10 (ten) days before the audit; 
    • conduct the audit only to the extent strictly necessary to verify compliance with this Data Processing Agreement and the Data Protection Law, during normal working hours and in a manner that does not unreasonably disrupt the normal activities of the Processor;
    • bear any cost related to the audit;

  9. when required by the Data Protection Law, the Processor shall maintain and keep updated a record of processing activities according to the requirements set forth by the applicable Data Protection Law;

  10. when necessary, under the applicable Data Protection Law, the Processor shall appoint a Data Protection Officer and communicate its contacts to the Controller.
  • Duration 

This Data Processing Agreement has the same duration as the Agreement signed between the Controller and the Processor and will cease should the Agreement expire or be terminated for any reason. 

  • Processor Liability

The Processor undertakes to indemnify and hold harmless the Controller for any damage or sanction resulting to the Controller for its failure to comply with this Data Processing Agreement or with the applicable Data Protection Law and from any damage, expense, cost or charge arising out of a violation of the data protection obligations imposed to any Sub-processor.

On the other end, the Controller undertakes to  indemnify and hold harmless the Processor for any damage or sanction resulting to the Processor for its failure to comply with this Data Processing Agreement or with the applicable Data Protection Law as a consequence of the processing instructions received by the Controller.

  • Changes to Data Protection Law

If any change to the applicable Data Protection Law may affect the responsibilities and obligations imposed under this Data Processing Agreement, the Controller and the Processor undertake to discuss and negotiate in good faith any possible amendment necessary to comply with the amended Data Protection Law. 

  • Severability

Whenever a provision of this Data Processing Agreement be or becomes invalid or not applicable, such provision will be considered autonomously in respect thereto and, if possible, it will be replaced by a lawful provision which truthfully reflects the intention of the parties pursuant to this Data Processing Agreement and, if applicable, does not affect the validity and/or applicability of any further provisions thereof.

  • Order of precedence

If there is any inconsistency between the provisions of this Data Processing Agreement and the provisions of the Agreement on data protection, the provisions of this Data Processing Agreement shall prevail.

  • Applicable Law and Jurisdiction 
    1. This Data Processing Agreement is regulated by UK Law.
  1. Any disputes arising from or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of London. 

 

Annexes

ANNEX I: Description of the processing

  1. Purpose(s) for which the Personal Data is processed on behalf of the Controller: the Personal Data transferred is processed by the Processor to (i) provide the services pursuant to the Agreement (Processor’s services) (ii) guarantee the effectiveness and maintenance of the Services (iii) provide on Customer’s request ongoing consulting services on how to leverage the Services to increase the users’ engagement and achieve business goals.

  2. Duration of the processing:
    • Contract Term

  3. Categories of Data Subjects whose personal data is processed:
    • User Data; Employee Data, [-]

  4. Categories of Personal Data processed:
    • User ID, User Personal Info and User Activity  [-]

  5. Special categories of Personal Data processed (if applicable):
    • Not applicable

  6. Place of storage and processing of the Personal Data: 
    • EU

 

⚡️Bolt - The B2B Sales newsletter by Crono

Subscribe to our newsletter to receive monthly updates and insights on the future of B2B Sales!