DATA PROCESSING AGREEMENT
This Data Processing Agreement (“DPA”) is formed between SixMix LLC d/b/a MailMunch (“MailMunch”) and MBS LifeStyle Brand (“Customer”) and is effective on the date both parties sign the DPA (“Effective Date”). This DPA is part of MailMunch’s Terms of Service Agreement (“TOS”) and is incorporated by reference herein.
“Affiliate” means an entity that directly or indirectly Controls, is Controlled by, or is under common Control with an entity.
“Controller” means the natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the Processing of personal data.
“Customer Data” means any Personal Data that MailMunch Processes on behalf of the Customer as a Data Processor in the course of providing its Services.
“Data Breach” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, damage, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise Processed.
“Data Protection Laws” means all data protection and privacy laws and regulations of the EU, EEA and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the TOS and DPA.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“EEA” means, for the purposes of this DPA, the European Economic Area, United Kingdom, and Switzerland.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data
“Personal Data” means any information relating to an identified or identifiable natural person.
“Privacy Shield” means the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016, and by the Swiss Federal Council on January 11, 2017.
“Process,” “Processed,” “Processes,” and “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency, or any other body which Processes Personal Data on behalf of the controller.
“Services” means any product or service provided by MailMunch pursuant to MailMunch’s Terms of Service Agreement (“TOS”).
“Subprocessor” means any third-party Processor engaged by MailMunch.
“TOS” means MailMunch’s Terms of Service Agreement which governs the provision of Services to Customer.
2. Applicability of this DPA
a. This DPA applies to EU/EEA Customers Processing personal data on behalf of EU/EEA Data Subjects.
3. Roles of Parties
a. Customer is the Controller, MailMunch is the Processor, and MailMunch engages Subprocessors according to the terms of this DPA.
4. Customer’s Processing of Personal Data
- Customer is responsible for the control of Personal Data and will remain the Controller for purposes of MailMunch’s Services, the TOS, and DPA. Customer is responsible for complying with its obligations as Controller, in particular for justification of any transmission of Personal Data to MailMunch (including providing any required notices and obtaining any required consents), and for its decisions and actions concerning the Processing and use of Customer Data.
- Except as provided in this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services, and taking all appropriate steps to securely encrypt and/or backup all Customer Data uploaded to the Services.
5. MailMunch’s Processing of Personal Data
a. MailMunch shall Process Customer Data only for the purposes described in the TOS and this DPA and in accordance with Customer’s documented lawful instructions. MailMunch and Customer agree that the TOS and this DPA set out the Customer’s complete and final instructions to MailMunch in relation to the Processing of Customer Data and Processing outside the scope of these instructions shall require prior written agreement by MailMunch and Customer.
6. Details of MailMunch’s Data Processing
- Nature and Purpose of Processing: MailMunch will Process Customer Data as necessary to perform the Services and MailMunch’s obligations under the TOS and DPA or as otherwise agreed in writing by MailMunch and Customer.
- Subject Matter of Processing: The subject matter of the Processing under this DPA is the Customer Data.
- Duration of Processing: MailMunch will Process Customer Data for the duration of the TOS unless otherwise agreed upon in writing by MailMunch and Customer.
- Categories of Data Subjects:
- Any individual accessing and/or using the Services through the Customer’s account (“Users”); and
- Any individual whose email address is included in the Customer’s distribution list; whose information is stored on or collected via the Services; or to whom Users send emails or otherwise engage or communicate with via the Services (collectively, “Subscribers”).
- Types of Customer Data:
I. Customers, Users, and Subscribers: identification and contact data (name, date of birth, gender, address, title, contact details, username, or other demographic information); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility), IT information (IP address, usage data, cookies data, online navigation data, location data, browser data, access device information); personal interests or preferences (purchase history, marketing preferences, website preferences, publicly available social media profile information).
7. Data Subject Requests
a. MailMunch’s Services provide Customer with controls to retrieve, correct, delete, or restrict Customer Data, which Customer may use in connection with its obligations under Data Protection Laws, including responding to requests from data protection authorities or Data Subjects. Requests from Data Subjects may include the Data Subject’s right of access, right to rectification, restriction from Processing, erasure (“right to be forgotten”), data portability, and object to the Processing. To the extent that Customer is unable to independently access the relevant Customer Data within the Services, MailMunch will, at Customer’s expense, provide reasonable assistance to help Customer respond to requests from Data Subjects or data protection authorities relating to the Processing of Personal Data under the DPA. In the event any request is made directly to MailMunch, MailMunch will not respond to the request directly without Customer’s prior authorization, unless legally compelled to do so. If MailMunch is required to respond to a request, MailMunch will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
- If a law enforcement agency sends MailMunch a demand for Customer Data, for example through a subpoena or court order, MailMunch will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, MailMunch may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, MailMunch will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless MailMunch is legally prohibited from doing so.
- To the extent MailMunch is required by law, MailMunch will, at Customer’s expense, provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws.
a. Customer agrees that MailMunch may engage Subprocessors to Process Customer Data on Customer’s behalf in connection with MailMunch’s provision of its Services.
- MailMunch shall enter into an agreement with Subprocessors imposing data protection obligations that require Subprocessors to protect Customer Data to the standard required by Privacy Shield and Data Protection Laws.
- MailMunch is responsible for its compliance with this DPA and for any acts or omissions of its Subprocessors that cause MailMunch to breach any of its obligations under this DPA.
- Customer may request that MailMunch provide information related to Subprocessors’ implementation of the data protection obligations required by Privacy Shield and Data Protection Laws, including relevant terms of MailMunch’s agreement with Subprocessors. If the agreement contains confidential information, MailMunch may provide a redacted version.
9. Changes to Subprocessors
- MailMunch maintains a list of Subprocessors that Process Personal Data of its Customers and will provide a copy of that list to Customer upon request. If Customer has requested a list of MailMunch’s Subprocessors, MailMunch will notify Customer via email if it adds Subprocessors at least ten (10) days prior to any such changes.
- Customer may object in writing to MailMunch’s addition of a new Subprocessor within five (5) business days of such notice, provided that such objection is based on reasonable grounds relating to Data Protection Laws. In such event, MailMunch and Customer shall discuss such concerns in a good faith effort to achieve resolution. If resolution is impossible, Customer may terminate the TOS by providing written notice to MailMunch. MailMunch will return any prepaid but unused Customer fees for the period following the effective date of termination.
10. MailMunch Personnel
a. MailMunch shall ensure that any person authorized to Process Personal Data is informed of the confidential nature of Personal Data and has executed written confidentiality agreements.
11. Return or Deletion of Customer Data
- Upon termination or expiration of the TOS, MailMunch shall, at Customer’s request, delete or return to Customer all Customer Data in its possession or control except:
I. Customer Data that MailMunch is required by law to retain; and
II. Customer Data archived on back-up systems which MailMunch will securely isolate and protect from any further Processing, except to the extent required by law.
- Customer is responsible for any costs arising from the return or deletion of Customer Data after the termination or expiration of the TOS.
- MailMunch shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality, and integrity of Customer Data. MailMunch regularly monitors compliance with these measures. MailMunch’s Security Policy will be updated from time to time in accordance with this DPA.
- Customer agrees it is responsible for reviewing the information made available by MailMunch relating to its data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Privacy Shield and/or Data Protection Laws.
c. Upon Customer’s written request not more than once per year, and subject to the confidentiality obligations set forth in the TOS and DPA, MailMunch shall make available to Customer that is not a competitor of MailMunch, information necessary to confirm MailMunch’s compliance with its Security Policy and this DPA.
13. Data Breach Response
a. Upon becoming aware of a Data Breach, MailMunch will notify Customer without undue delay and provide timely information relating to the Data Breach as it becomes known or as is reasonably requested by Customer. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s Users.
14. International Transfers
- If MailMunch Processes any Customer Data protected by Data Protection Laws under the TOS and DPA and/or that originates from the EEA, in a country that has not been designated by the European Commission, or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties agree that MailMunch shall be deemed to provide adequate protection (within the meaning of GDPR) for any such Customer Data by having self-certified its compliance with Privacy Shield.
- The parties agree that the international data transfer solution identified in Section 13(a) shall not apply if and to the extent that MailMunch adopts an alternative data export solution for the lawful transfer of Personal Data (as recognized by GDPR) outside of the EEA, in which event, the alternative data export solution shall apply instead, but only to the extent that the alternative data export solution extends to the regions to which Personal Data is transferred.
- MailMunch and Customer agree that this DPA replaces any existing DPA the parties may have previously entered into in connection with the Services.
- Except for the changes made by this DPA, the TOS remains unchanged and in full force and effect. If there is any conflict between this DPA and the TOS, the relevant terms of this DPA take precedence.
- Any claims brought under or in connection with this DPA are subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the TOS.
- No one other than a party to this DPA, its successors, and permitted assignees has any right to enforce any of its terms.
- Any claims against MailMunch or its Affiliates under this DPA shall be brought solely against the entity that is a party to the DPA. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by MailMunch in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce MailMunch’s liability under the DPA as if it were liability to the Customer under the DPA.
- This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the TOS, unless required otherwise by applicable Data Protection Laws.
IN WITNESS WHEREOF, the parties have caused this DPA to be executed by their authorized representative:
Name: Adeel Raza Title: CEO
Date: May 10th 2018
CUSTOMER: MBS LifeStyle Brand
Name: Hayley Lloyd Wilkins Title: MD
Date: May 10th 2018