Data Processing Agreement
Clause 1. Purposes of processing
1.1 The Processor undertakes to process personal data on the Controller’s instructions under the terms of this processing agreement. It will only carry out this processing in the context of providing its platform and extended features, as well as for any purposes reasonably related to this or determined by further agreement.
1.2 The Processor maintains a database in order to provide its platform. For the purpose of maintaining and enriching this database, the Processor is the controller.
1.3. The Controller is itself responsible for the further use of the personal data it obtains through the Processor’s platform, and it must, among other things, have its own legal basis for this and inform data subjects accordingly.
1.4 The personal data processed by the Processor in the context of the activities referred to in the preceding paragraph and the categories of data subjects from whom they originate are set out in Annex 1. The Processor will not process the personal data for any purpose other than that determined by the Controller. The Controller will inform the Processor of the purposes of the processing to the extent that they are not already set out in this processing agreement.
Clause 2. The Processor’s obligations
2.1 With regard to the processing referred to in Clause 1, the Processor will ensure compliance with the applicable laws and regulations, including, in any case, the laws and regulations on the protection of personal data, such as the General Data Protection Regulation (“GDPR”).
2.2 The Processor will inform the Controller, at its first request, of the measures it takes with regard to its obligations under this processing agreement.
2.3 The Processor’s obligations pursuant to this processing agreement also apply to anyone who processes personal data under the Processor’s authority, including but not limited to employees, in the broadest sense of the word.
2.4 The Processor will immediately notify the Controller if, in its opinion, an instruction from the Controller is in breach of the legislation referred to in paragraph 1.
2.5 The Processor will, to the extent that this is within its power, assist the Controller in carrying out data protection impact assessments (“DPIAs”) and in cases of prior consultation. The Processor may charge a reasonable fee for this.
Clause 3. Transfer of personal data
3.1 The Processor may process the personal data in countries within the European Economic Area (“EEA”). Transfers to countries outside the EEA are allowed, provided that the conditions set out in Chapter V of the GDPR are met.
Clause 4. Allocation of responsibility
4.1 The Processor bears sole responsibility for the processing of personal data under this processing agreement, in accordance with the Controller’s instructions and under the express (ultimate) responsibility of the Controller, as set out in Clause 1.1. The Processor is explicitly not responsible for any other personal data processing, including in any case, but not limited to, the collection of the personal data by the Controller and their further use, processing for purposes the Controller has not notified the Processor of, processing by third parties, and/or processing for other purposes.
4.2 The Controller guarantees that the content, use and instructions for the personal data processing as referred to in this processing agreement are not unlawful and do not infringe any third-party right, and it indemnifies the Processor against any third-party claims.
Clause 5. Engagement of subprocessors
5.1 The Processor may use other processors (“Subprocessors”) in the context of this processing agreement when necessary in order to ensure the proper performance of the service. A list of Subprocessors engaged by the Processor at the time this processing agreement was concluded is included in Annex 2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Subprocessors. The most recent list of Subprocessors is also available via privacy@leadinfo.com.
5.2 In any event, the Processor will ensure that such Subprocessors assume, in writing, materially the same duties as those agreed by the Controller and the Processor.
5.3 The Processor will ensure that these third parties correctly comply with the obligations set out in this processing agreement and, in the event of errors by such third parties, it will itself be liable for all damage as though it had committed the error(s) itself.
Clause 6. Security
6.1 The Processor will endeavour to take sufficient technical and organisational measures with regard to the personal data processing operations to be carried out, to combat loss or any form of unlawful processing (such as unauthorised access to, interference with, alterations to or disclosure of the personal data).
6.2 The most recent list of security measures is available via privacy@leadinfo.com.
Clause 7. Duty to report
7.1 The Controller is always responsible for reporting any data breach, as referred to in Article 4(12) GDPR, to the supervisory authority and, in the case of high risk, to the data subject(s). To enable the Controller to comply with this statutory duty, the Processor will notify the Controller of any data breach without unreasonable delay.
7.2 The duty to report in any event includes reporting the fact that a breach has occurred. Any such report must also include the information specified in Article 33(3) GDPR.
Clause 8. Handling requests from data subjects
8.1 If a data subject submits a request to the Processor to exercise his/legal rights as set out in Articles 15-22 GDPR, the Processor will forward that request to the Controller and the Controller will then deal with it. The Processor may inform the data subject of this.
8.2 If the Controller cannot handle the request independently, the Processor will provide reasonable assistance in that regard to the extent that this is within its power. The Processor may charge a reasonable fee for this.
Clause 9. Secrecy and Confidentiality
9.1 All personal data that the Processor receives from the Controller and/or collects itself in the context of this processing agreement is subject to a duty of confidentiality with respect to third parties. The Processor will not use such information for any purpose other than that for which it was obtained, unless it is put in a format that prevents it from being traceable to data subjects, for example for analysis and quality purposes.
9.2. This duty of confidentiality does not apply where the Controller has given its explicit permission to disclose the information to third parties, if disclosing the information to third parties is logically necessary in view of the nature of the instruction given and the performance of this processing agreement, or if there is a legal obligation to disclose the information to a third party.
Clause 10. Audit
10.1. The Controller has the right to have audits carried out by an independent third party, who is bound by confidentiality, for the purpose of verifying compliance with the terms of this processing agreement.
10.2. This audit may only take place if there is a firm suspicion of misuse of personal data which the Processor has been notified of in writing.
10.3. The Processor will cooperate with the audit and provide all information that is reasonably relevant to it, including supporting data such as system logs, as well as employees, as quickly as possible.
10.4. The findings from the audit will be reviewed by the Processor and may be implemented by the Processor, at the Processor’s sole discretion and in the manner determined by the Processor.
10.5. The Controller will bear the costs of the audit.
Clause 11. Liability
11.1. The parties explicitly agree that the rules on liability set out in the Master Agreement are applicable.
Clause 12. Duration and termination
12.1. This processing agreement will come into effect when the Master Agreement is concluded.
12.2. This processing agreement is entered into between the parties for the duration set out in the Master Agreement and, if it is not determined there, in any event for the duration of the personal data processing listed in Annex 1.
12.3. As soon as the processing agreement ends, for any reason and in any manner whatsoever, the Processor will – at the Controller’s discretion – return to the Controller all the personal data it has in their original form or as a copy, and/or delete such original personal data and any copies of them and/or destroy them.
12.4. The Processor has the right to revise this agreement from time to time. It will give the Controller at least one month’s notice of any amendments.
The Controller may give notice to terminate this agreement with effect from the end of that month it does not agree to the amendments.
Clause 13. Applicable law and dispute resolution
13.1. This processing agreement and the performance of it are governed by Dutch law.
13.2. Any and all disputes that arise between the parties in connection with this processing agreement will be submitted to the competent court for the district in which the Processor has its registered office.
—————————————————
Annex 1: Specification of personal data and data subjects
Personal data
The Processor will process the following personal data on the Controller’s instructions pursuant to Clause 1.1 of this processing agreement by using the Leadinfo Platform:
- IP address
- company profiles displayed on the platform, which may include:
- names;
- positions;
- contact details of employees, directors; (Twitter handle, LinkedIn handle and photo of such individuals, if available, may also be processed)
of the following categories of data subjects:
- potential customers
- website visitors
- employees of companies that have visited the Controller’s website.
The following personal data may also be processed if Controller enables and uses the extended features email and link tracking, email automation, or LinkedIn automation services:
- name
- email address
- telephone number
- job title, department, and seniority
- subject of email
- content of the message, only during the transmission of the data through our service, until the effective delivery of the email
- date and time at which the email was sent
- the location where the email was opened
- device’s IP address (stored in a de-identified format)
- device location (general region)
- device type
- operating system and browser type
- referring URL and domain
The following information will be generated by the services on behalf of the Controller:
- confirmation of opening
- opening history (number, date and time) of the email received
- number of links included in the email
- text and URL of such links
- history of clicks (number, date and time) made on the links contained in the email.
The information is processed on behalf of the Controller for the following purposes:
- to enable integration of sales enablement tools (e.g. email services or CRM-tools)
- to enable lead enrichment
- to enable engagement tracking and (shared) content tracking
- to enable usage analysis
The Controller warrants that the personal data and categories of data subjects specified in this Annex 1 are complete and accurate, and it indemnifies the Processor against any errors and claims resulting from the Controller’s incorrect representation of them.
Annex 2: Subprocessor(s)
When this processing agreement was concluded, the Processor had engaged the following Subprocessor(s):
- Amazon Web Services EMEA SARL. – hosting and infrastructure – Luxembourg
A current list of Subprocessors can be requested via privacy@leadinfo.com.