Last Updated: 1/11/2018
These Terms of Service (this “Agreement”) are entered into by CardoNews Ltd. (“CardoNews”) and the entity executing this Agreement (“you”, or “your”). This Agreement governs your use of CardoNews’s service (the “Service”). This Agreement governs your access to and use of our services, including our various websites (CardoNews.com), SMS, APIs, email notifications, applications, buttons, widgets, ads, commerce services, and our other covered services that link to these Terms (collectively, the “Services”), and any information, text, links, graphics, photos, audio, videos, or other materials or arrangements of materials uploaded, downloaded or appearing on the Services (collectively referred to as “Content”). By using the Services you agree to be bound by these Terms.
BY COMPLETING THE REGISTRATION PROCESS AND OPENING AN ACCOUNT ON THE INTERFACE (“ACCOUNT”), OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE REVIEWED AND ACCEPT THIS AGREEMENT AND ARE AUTHORIZED TO ACT ON BEHALF OF, AND BIND TO THIS AGREEMENT, THE OWNER OF THIS ACCOUNT.
We recommend that you save a copy of this Agreement for your records.
You must be at least 13 years of age (or such other minimum age as is applicable in your country of residence) to create use the Services. If you are aged between the relevant minimum age and 18 (or the age of majority where you live), you and your parent or guardian must review this Agreement together. Parents and guardians are responsible for the acts of children under 18 years of age when using the Services. CardoNews recommends that parents and guardians familiarize themselves with parental controls on devices they provide their child.
Certain elements of the Services or other services or programs offered by CardoNews may have different terms and conditions (“Additional Terms”) in order to use or access them. If there is a conflict between the terms of this Agreement and any Additional Terms, the Additional Terms will prevail.
CardoNews reserves the right to update, modify, discontinue or terminate the Services or any part thereof, or to modify this Agreement at any time. If CardoNews modifies this Agreement, it will update this Agreement on the website located at www.CardoNews.com and change the “Last Updated” date at the top of this Agreement. In addition, should the update be material, CardoNews shall provide you with notice pertaining to such update through the Platform or by sending you an email or such other method deemed reasonable by CardoNews. Please note that it is your responsibility to review the Agreement from time to time to check for updates. By continuing to access or use the Site following any update, you agree to be bound by the modified Agreement. If the modified Agreement is not acceptable to you, your only recourse is to cease using the Platform and terminate this Agreement.
In consideration of the foregoing, the parties agree as follows:
- Nonexclusive License. Subject to the terms and conditions of this Agreement, CardoNews grants you a limited, revocable, non-exclusive, non-sublicensable license to (a) copy and use the CardoNews analytics code (the “Code”) solely to use the Service on websites owned by you (the “Properties”); and (b) access, view and download analytical reports generated by the Services in connection with Your Properties on [http://stats.CardoNews.com or http://marketers.CardoNews.com] (the “Interface”, and together with the Code, the “Platform”).
- Documentation. To the extent that CardoNews makes available Documentation (defined below) to you, you may use such Documentation solely for your internal business purposes and solely in connection with your use of the Platform during the Term. Unless the Documentation is separately referred to herein, all references in this Agreement to the Platform shall include the Documentation. “Documentation” means documentation that CardoNews generally makes available to its clients, in print or electronic form, that describes the features and operation of the Services and the Platform.
- Except as expressly permitted in this Agreement, you must not, and shall not allow any third party to: (i) copy, give, sell, rent, lease, timeshare, sublicense, disclose, publish, assign, market, transfer or distribute the Platform, or any portion of the Platform, to any third party, or use the Platform in any service bureau or time-sharing arrangement; (ii) circumvent, disable or otherwise interfere with security-related features of the Platform or that enforce limitations on use of the Platform; (iii) reverse engineer, decompile or disassemble the Platform or any components thereof; (iv) modify, translate, patch, or create any derivative works of the Platform, or any part thereof; (v) use any robot, spider, scraper, or other automated means or manual process to access, monitor, copy or use the Platform or any portion thereof for any purpose; (vi) take any action that imposes or may impose (in CardoNews’s sole discretion) an unreasonable or disproportionately large load on CardoNews’s infrastructure; (vii) interfere or attempt to interfere with the integrity or proper working of the Platform, or any related activities; (viii) remove, deface, obscure, or alter CardoNews or any third party’s copyright notices, trademarks, or other proprietary rights affixed to or provided as part of the Platform; (ix) use the Platform to develop a competing service or product; or (x) use the Platform in violation of any applicable law.
- You shall not, and shall not authorize or encourage any third party to: (i) use any means to artificially increase or manipulate the views, engagements, impressions or other interactions in connection with the Services; (ii) directly or indirectly engage in any deceptive or misleading behavior; (iii) use the Services in connection with any websites or content containing any copyright infringements, firearm, drugs, alcohol, tobacco, pornography, gambling, hate speech or any other content which CardoNews reasonably deems objectionable, or which promotes illegal goods, services or activities or link to any of the foregoing; or (iv) use the Services in connection with websites or content targeted to children under the age of 13.
- Your Account. You will be required to access the Platform through your Account using a user name and password (“Credentials”). You shall maintain the confidentiality of the Credentials and not disclose them to any third party. You must not allow anyone other than your authorized employees or independent contractors (the “Permitted Users”) to access and use your Account on the Platform. You acknowledge and agree (a) to keep, and ensure that any Permitted Users keep, all Credentials secure at all times; and (b) that you will remain solely responsible and liable for the activity that occurs in connection with your Account. CardoNews may monitor use of your Account, including without limitation, in order to identify or prevent unauthorized use of your Account. You shall (i) upon CardoNews’s request, provide CardoNews with details of each Permitted User; (ii) promptly notify CardoNews in writing if you become aware of, or have reason to suspect, any unauthorized access or use of your Account or the Platform; and (iii) cooperate with CardoNews to prevent or restrain unauthorized access and use of your Account or the Platform.
- Your Data and Personal Data.
- To the extent that any User Data contains Personal Data subject to the GDPR, the parties agree that as between you and CardoNews, you shall be considered a Data Controller and CardoNews a Data Processor. To this effect, the parties agree to enter into the data processing agreement attached hereto as Annex A (the “DPA”). You agree to indemnify, defend and hold CardoNews harmless against all losses, liabilities fees and damages of any kind (including attorney fees) related to: (i) your breach of your representations, warranties or obligations under this Agreement and/or the DPA; or (ii) your failure to comply with the obligations applicable to you under the GDPR and/or data protection laws or regulations.
- The intellectual property and all other rights, title and interest of any nature in and to the Services, the Platform, and any related content thereunder, including all modifications, upgrades, customizations and derivative works (whether or not permitted under this Agreement) thereof, are and shall remain the exclusive property of CardoNews and its licensors.
- To the extent that you provide CardoNews or its affiliates with any feedback, ideas or suggestions regarding the Services or the Platform or any other of CardoNews’s products or services (collectively, “Feedback”), you agree that such Feedback shall be exclusively owned by CardoNews, and you hereby assign such Feedback to CardoNews and its successors and assigns, and waive, and agree not to assert any rights you may have or retain in such Feedback.
- Client Reference. You agree that CardoNews may (i) use your name and logo on its website and in its promotional materials, press releases, presentations or advertisements to state that you are or have been a client of CardoNews and/or a user of the Services; and (ii) generally describe your business and use of the Service. You agree to serve as a reference customer of CardoNews and shall cooperate with CardoNews’s reasonable marketing and referencing requests.
- Term. This Agreement shall become effective on the Effective Date and shall remain in effect for a period of one (1) year (“Initial Term”). Following the Initial Term, this Agreement shall automatically renew for successive one (1) year periods (“Renewal Terms”, and the Initial Term, together with any Renewal Terms, the “Term”). Notwithstanding the foregoing, either party may terminate this Agreement in accordance with the terms of this Agreement.
- Termination for Convenience. Either party may immediately terminate this Agreement for any reason or no reason. For a reasonable period following termination, CardoNews will provide you with access to the Platform to retrieve or otherwise access your data.
- Termination for Bankruptcy. CardoNews may terminate this Agreement immediately upon written notice to you, upon the filing or institution of bankruptcy, reorganization, liquidation, dissolution or receivership proceedings against you, or if you cease to operate as a going concern or become insolvent or unable to pay your debts, or upon an assignment of a substantial portion of your assets for the benefit of creditors, provided that in the case of involuntary bankruptcy proceedings or receivership proceedings, such right to terminate shall only become effective if you consent to the involuntary bankruptcy or such proceeding is not dismissed within sixty (60) days.
- Effect of Termination. Upon termination of this Agreement (i) all amounts owed to CardoNews shall become due; (ii) you shall cease use of the Services and the Platform; (iii) CardoNews may terminate your account and you will lose all access to the Platform; and (iv) you will lose access to your Ads and any other materials stored on the Platform.
- Survival. This Section  and Sections  ,  ,  ,  ,  , ,  , , ,  and any provision so intended, as well any outstanding obligations or rights accrued, shall survive expiration or termination of this Agreement.
- Suspension. If CardoNews believes (in its sole discretion) that you may be using the Services or the Platform in a manner that may cause harm to CardoNews or any third party or expose CardoNews to financial or other risk, or if you are in default of your payment obligations hereunder, then CardoNews may, without derogating from CardoNews’s right to terminate this Agreement under Section  above, suspend your use of the Services and access to and use of the Platform until such time as CardoNews believes the threat of harm, or actual harm, has passed or you have paid any outstanding amounts due (as applicable). You acknowledge and agree that you will have no claim against CardoNews or its affiliates in regard to such suspension of service.
- Fees and Payment.
- Your use of the Services is subject to your payment of the applicable fees or revenue share program set forth in Annex B or at https://www.CardoNews.com/pricing/ attached hereto (“Fees”). Fees shall be calculated solely on the basis of CardoNews’s reporting system.
Payment Terms. All payments and deposits made in relation to the Services (if any) shall be paid in US Dollars to CardoNews’s bank account or CardoNews’s PayPal account as notified by CardoNews from time to time. Monies deposited or paid in other currencies will be exchanged to U.S. dollars at the exchange rate available to CardoNews through the provider of CardoNews’s choosing. Payments shall be made without any right of set-off or deduction and are irrevocable and non-refundable. You acknowledge that payments to CardoNews may be subject to deductions for bank fees associated with payment processing which shall be fully borne by you. You shall pay all CardoNews invoices within thirty (30) days of the date of the invoice. Any amount not paid when due to be paid hereunder shall accrue interest on a daily basis until paid in full at the lesser of: (i) the rate of one and a half percent (1.5%) per month; or (ii) the highest amount permitted by applicable law. In the event of any failure to pay any amounts to CardoNews hereunder, you shall be liable to CardoNews for all costs, expenses, and damages incurred or suffered by CardoNews in connection with the collection of such amounts, including without limitation, any fees paid to collection agencies, administrative costs, court costs and reasonable attorney’s fees. In case you choose to have CardoNews’s revenue share model, CardoNews will pay you your revenue share only once exceeding $200 US Dollars. CardoNews shall pay to you all invoices within forty five (45) days of the date of the invoice. By completing the registration process and opening an account on the interface (“account”), or using the service, you acknowledge and agree to the above terms, as well as the IAB-V3 General Terms and Conditions, which are an integral part of this agreement. See: http://www.iab.net/media/file/IAB_4As-tsandcs-FINAL.pdf
- Taxes. All fees payable to CardoNews are exclusive of applicable taxes (including without limitation VAT), withholdings or duties. You shall be responsible for the payment of all such taxes with respect to this Agreement and the Services, other than taxes based on CardoNews’s net income. In the event that Client is required by applicable law to withhold taxes, then the amounts due to CardoNews shall be increased such that CardoNews receives an amount equal to the sum it would have received had you not made any withholding.
- Warranty Disclaimer.
- EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT, THE SERVICES, PLATFORM AND ANY PRODUCTS OR SERVICES PROVIDED BY CardoNews, ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, WITHOUT WARRANTIES OR GUARANTEES OF ANY KIND EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF MERCHANTABILITY, TITLE, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT OR TITLE, OR WHICH MAY ARISE IN THE COURSE OF DEALING OR USAGE OF TRADE, ALL OF WHICH ARE HEREBY DISCLAIMED.
- YOU ASSUME ALL RESPONSIBILITY FOR THE SELECTION OF THE SERVICES TO ACHIEVE YOUR INTENDED RESULTS. CardoNews DOES NOT WARRANT THAT THE SERVICES OR THE PLATFORM WILL BE UNINTERRUPTED, ERROR-FREE, OR THAT DEFECTS WILL BE CORRECTED. CardoNews DOES NOT MAKE ANY REPRESENTATION, WARRANTY OR GUARANTEE REGARDING ANY CONTENT, INFORMATION, OR RESULTS THAT CLIENT OBTAINS THROUGH THE USE OF THE SERVICES OR THE PLATFORM. CLIENT’S USE OF AND RELIANCE ON THE SERVICES AND THE PLATFORM, CONTENT, USER DATA, PLATFORM FEATURES, REPORTS AND ANY MATERIALS AVAILABLE THROUGH THE PLATFORM IS ENTIRELY AT YOUR SOLE DISCRETION AND RISK, AND CardoNews SHALL HAVE NO RESPONSIBILITY OR LIABILITY WHATSOEVER TO YOU IN CONNECTION WITH ANY OF THE FOREGOING.
- NEITHER PARTY, NOR ITS AFFILIATES, SUPPLIERS, AND LICENSORS, NOR ANY THIRD-PARTY SERVICE PROVIDERS, SHALL BE HELD RESPONSIBLE FOR ANY CONSEQUENCES THAT MAY RESULT FROM TECHNICAL PROBLEMS INCLUDING WITHOUT LIMITATION IN CONNECTION WITH THE INTERNET (SUCH AS SLOW CONNECTIONS, TRAFFIC CONGESTION OR OVERLOAD OF OUR OR OTHER SERVERS) OR ANY TELECOMMUNICATIONS OR INTERNET PROVIDERS. Applicable law may not allow the exclusion of certain warranties, so to that extent such exclusions may not apply.
- Limitation of Liability.
- NOTWITHSTANDING ANYTHING TO THE CONTRARY AND TO THE FULLEST EXTENT PERMITTED BY LAW, IN NO EVENT SHALL: (A) CardoNews, ITS AFFILIATES AND LICENSORS BE LIABLE FOR ANY INDIRECT, EXEMPLARY OR PUNITIVE, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES OF ANY KIND, OR LOST PROFITS OR REVENUE, ARISING OUT OF THIS AGREEMENT; AND (B) THE AGGREGATE LIABILITY OF CardoNews, ITS AFFILIATES AND LICENSORS, FOR ANY DAMAGES UNDER THIS AGREEMENT OR IN CONNECTION WITH THE USE OF OR THE INABILITY TO USE THE PLATFORM EXCEED THE TOTAL AMOUNT OF FEES PAID BY YOU HEREUNDER DURING THE SIX (6) MONTHS PRIOR TO THE EVENT GIVING RISE TO SUCH CLAIM, IF ANY.
- THE FOREGOING EXCLUSIONS AND LIMITATIONS SHALL APPLY: (A) EVEN IF CardoNews, ITS AFFILIATES OR LICENSORS HAVE BEEN ADVISED, OR WERE OR SHOULD HAVE BEEN AWARE, OF THE POSSIBILITY OF LOSSES OR DAMAGES; (B) EVEN IF ANY REMEDY IN THIS AGREEMENT FAILS OF ITS ESSENTIAL PURPOSE; AND (C) REGARDLESS OF THE THEORY OR BASIS OF LIABILITY (INCLUDING, WITHOUT LIMITATION, BREACH OF CONTRACT, TORT, NEGLIGENCE OR STRICT LIABILITY). THIS SECTION  CONSTITUTES AN ESSENTIAL PART OF THIS AGREEMENT.
- Indemnification. You agree to defend, indemnify and hold harmless CardoNews, its affiliates and licensors, and its and their, respective officers, directors, agents, consultants and employees, from any third party claims, demand, action, suit, and proceedings, and all damages, liabilities, costs, and expenses (including reasonable attorney’s fees) arising from such claims, which arise from: (i) your use of the Services or the Platform; (ii) your breach of this Agreement; or (iii) your negligence or willful misconduct.
- Disclosure. CardoNews reserves the right to access, read, preserve, and disclose any information that CardoNews obtains in connection with the Platform as CardoNews reasonably believes necessary to: (i) satisfy any applicable law, regulation, legal process, subpoena or governmental request, (ii) enforce the terms of this Agreement, including to investigate potential violations hereof, (iii) detect, prevent, or otherwise address fraud, security or technical issues, (iv) respond to Client’s support requests, and/or (v) protect the rights, property or safety of CardoNews, its users or the public.
- Confidential Information.
- Each party may have access to certain non-public and/or proprietary information of the other party, in any form or media, including (without limitation) confidential trade secrets and other information related to the products, software, technology, data, know-how, or business of the other party, whether written or oral, and any such other information that, regardless of the manner in which it is furnished and given the totality of the circumstances, a reasonable person or entity should have reason to believe is proprietary, confidential, or competitively sensitive (“Confidential Information”). Each party shall take reasonable measures, at least as protective as those taken to protect its own confidential information, but in no event less than reasonable care, to protect the other party’s Confidential Information from disclosure to a third party. Except as permitted under this Agreement, neither party shall use or disclose the Confidential Information of the other party except as expressly permitted under this Agreement or by applicable law.
- Confidential Information does not include any information that: (a) was already known through lawful means by the receiving party without an obligation of confidentiality before the receiving party received the information as evidenced by written records predating the disclosure; (b) is readily accessible to the public on or after the date of disclosure to the receiving party other than through the receiving party’s breach of this Agreement and without using the Confidential Information itself to locate the same in a public source (except that this exception applies only after the information becomes so readily accessible); (c) was rightfully received by the receiving party without restriction on disclosure from a third party entitled to make such a disclosure (except that this exception applies only after Recipient receives the information from the third party); or (d) is approved for release or disclosure by written authorization from the party originally disclosing that Confidential Information under this Agreement. The receiving party may comply with an order from a court or other governmental body of competent jurisdiction and disclose the other party’s Confidential Information in compliance with that order only if the receiving party: (i) gives the disclosing party prior notice to such disclosure if the time between that order and such disclosure reasonably permits or, if time does not permit, gives the disclosing party notice of such disclosure promptly after complying with that order and (ii) fully cooperates with the disclosing party in seeking a protective order, confidential treatment, or taking other measures to oppose or limit such disclosure. The receiving party must not release any more of the other parties’ Confidential Information than necessary to comply with that order.
- All right, title and interest in and to Confidential Information are and shall remain the sole and exclusive property of the disclosing party. The terms of this Agreement are Confidential Information of CardoNews (although you may disclose the terms herein to your advisors and investors, subject to a confidentiality undertaking at least as restrictive as this Section, in which case you shall be liable for any act or omission of such advisor or investor as is done by you).
- Assignment. You cannot assign your account without CardoNews’s prior written consent. CardoNews may assign or delegate its rights and obligations in whole or in part without your consent.
- Notice. Any notice under this Agreement shall be in writing and addressed as follows:
To CardoNews: 3 Rappaport St, Kfar Saba, Israel.
To you: Pursuant to the details you leave on the Platform.
Notice shall be deemed to have been received by a party: (i) when delivered personally by hand (with written confirmation of receipt); (ii) on the business day sent, if sent by confirmed email or fax transmission before 5pm (or on the next business day if sent after 5pm); or (iii) on the fifth (5th) business day after which such notice is deposited prepaid in the registered postal system. Either party may change its address for notice purposes upon issuance of notice thereof in accordance with this section. You may also change your details by updating them on the Platform.
- Content on the Services and Your Rights and Grant of Rights in the Content
You are responsible for your use of the Services (CardoNews.com), and for any Content you provide, including compliance with applicable laws, rules, and regulations. You should only provide Content that you are comfortable sharing with others within the service.
Any use or reliance on any Content or materials posted via the Services (CardoNews.com or other domains owned by CardoNews), or obtained by you through the Services is at your own risk. We do not endorse, support, represent or guarantee the completeness, truthfulness, accuracy, or reliability of any Content or communications posted via the Services or endorse any opinions expressed via the Services. You understand that by using the Services, you may be exposed to Content that might be offensive, harmful, inaccurate or otherwise inappropriate, or in some cases, postings that have been mislabeled or are otherwise deceptive. All Content is the sole responsibility of the person who originated such Content. We may not monitor or control the Content posted via the Services and we cannot take responsibility for such Content.
CardoNews reserves the right to remove Content that violates the User Agreement, including for example, copyright or trademark violations, impersonation, unlawful conduct, or harassment. Information regarding specific policies and the process for reporting or appealing violations can be found in our Help Center. If you believe that your Content has been copied in a way that constitutes copyright infringement, please report this by visiting our Copyright reporting form (https://www.CardoNews.com/about-CardoNews/#contact) or contacting our email at
Email: support (at) CardoNews.com.
- Your Rights and Grant of Rights in the Content
You retain your rights to any Content you submit, post or display on or through the Services.
By submitting, sharing, social bookmarking, pin into a board, posting or displaying Content on or through the Services, you grant CardoNews a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, monetize, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed). This license authorizes CardoNews to make your Content available to the rest of the world and to let others do the same. This license authorizes CardoNews to drive traffic back to your site using its services. You agree that this license includes the right for CardoNews to provide, promote, and improve the Services and to make Content submitted to or through the Services available to other companies, organizations or individuals for the syndication, broadcast, distribution, promotion or publication of such Content on other media and services, subject to our terms and conditions for such Content use. Such additional uses by CardoNews, or other companies, organizations or individuals, may be made with no compensation paid to you with respect to the Content that you submit, post, transmit or otherwise make available through the Services.
CardoNews has an evolving set of rules for how ecosystem partners can interact with your Content on the Services. You understand that CardoNews may modify or adapt your Content as it is distributed, syndicated, published, or broadcast by us and our partners and/or make changes to your Content in order to adapt the Content to different media.
You represent and warrant that you have, or have obtained, all rights, licenses, consents, permissions, power and/or authority necessary to grant the rights granted herein for any Content that you submit, post or display on or through the Services. You agree that such Content will not contain material subject to copyright or other proprietary rights, unless you have necessary permission or are otherwise legally entitled to post the material and to grant CardoNews the license described above.
- Governing Law and Disputes. This Agreement and any disputes between you and CardoNews in connection thereto shall be governed by the laws of the State of Israel, without reference to its conflict of laws rules. The exclusive jurisdiction and venue for all disputes between you and CardoNews relating to this Agreement and the Services shall be the courts located in Tel Aviv-Yaffo, and each party hereby irrevocably consents to the jurisdiction of such courts. Application of the United Nations Convention on Contracts for the International Sale of Goods is excluded from this Agreement. Notwithstanding the foregoing, each party reserves the right to seek injunctive relief in any court of competent jurisdiction.
- General. This Agreement comprises the entire agreement between the parties regarding the subject matter hereof and supersedes all prior understandings, oral and written, between the parties relating to the subject matter of this Agreement. The headings used in this Agreement are for convenience only and shall in no case be considered in construing this Agreement. Except for your obligations to pay CardoNews, neither party shall be liable for any failure to perform due to causes beyond its reasonable control. Nothing herein shall be construed to create any employment relationship, partnership, joint venture or agency relationship or to authorize any party to enter into any commitment or agreement binding on the other party. If any part of this Agreement is held by a court of competent jurisdiction to be illegal or unenforceable, the validity or enforceability of the remainder of this Agreement shall not be affected and such provision shall be deemed modified to the minimum extent necessary to make such provision consistent with applicable law. No failure or delay in exercising any right hereunder by either party shall operate as a waiver thereof, nor will any partial exercise of any right hereunder preclude further exercise.
DATA PROCESSING AGREEMENT/ADDENDUM
WHEREAS, CardoNews shall provide emotional analytics services and additional online services for visitors of Customer’s website or application (collectively, the “Services”), as described in the Agreement; and
WHEREAS, The Services may entail the processing of personal data in accordance with the EU Data Protection Directive 95/46/EC and its corresponding implementation laws in the EU Member States, as well as, as of May 25th 2018, the General Data Protection Regulation (EU) 2016/679 (collectively, the “Data Protection Laws and Regulations”); and
WHEREAS, In the course of providing the Services pursuant to the Agreement, we may process Personal Data on your behalf, in the capacity of a “Data Processor”; and the Parties wish to set forth the arrangements concerning the processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:
- INTERPRETATION AND DEFINITIONS
- The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA.
- References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated.
- Words used in the singular include the plural and vice versa, as the context may require.
- Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Data Protection Laws And Regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and CardoNews, but has not signed its own agreement with CardoNews and is not a “Customer” as defined under the Agreement.
- “Controller” or “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA only, and except where indicated otherwise, the term “Data Controller” shall include yourself, the Organization and/or the Organization’s Authorized Affiliates.
- “Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.
- “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, to the extent subject to the GDPR.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.
- “Security Documentation” means the Security Documentation applicable to the specific Services purchased by Customer, as updated from time to time, or as otherwise made reasonably available by CardoNews.
- “Sub-processor” means any Processor engaged by CardoNews.
- “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
- “CardoNews” means CardoNews Ltd., a company incorporated under the laws of the state of Delaware.
- “CardoNews Group” means CardoNews and its Affiliates engaged in the Processing of Personal Data.
- PROCESSING OF PERSONAL DATA
- Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, (i) Customer is the Data Controller, (ii) CardoNews is the Data Processor and that (iii) CardoNews or members of the CardoNews Group may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below.
- Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the means by which Customer acquired Personal Data. Without limitation, Customer shall have any and all required legal bases in order to collect, Process and transfer to Data Processor the Personal Data and to authorize the Processing by Data Processor of the Personal Data which is authorized in this DPA.
- Data Processor’s Processing of Personal Data. Subject to the Agreement, Data Processor shall Process Personal Data in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and this DPA and to provide the Services; (ii) Processing for Customer to be able to use the Services; (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement; (iv) Processing as required by Union or Member State law to which Data Processor is subject; in such a case, Data Processor shall inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
To the extent that Data Processor cannot comply with a request from Customer and/or its authorized users (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind), Data Processor (i) shall inform Customer, providing relevant details of the problem, (ii) Data Processor may, without any kind of liability towards Customer, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Customer shall pay to Data Processor all the amounts owed to Data Processor or due before the date of termination. Customer will have no further claims against Data Processor (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).
CardoNews will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of CardoNews, to the extent that such is a result of Customer’s instructions.
If Customer provides CardoNews or any of the entities of the CardoNews Group with instructions, requests, suggestions, comments or feedback (whether orally or in writing) with respect to the Services, Customer acknowledges that any and all rights, including intellectual property rights, therein shall belong exclusively to CardoNews and that such shall be considered CardoNews’s intellectual property without restrictions or limitations of any kind, and Customer hereby irrevocably and fully transfers and assigns to CardoNews any and all intellectual property rights therein and waives any and all moral rights that Customer may have in respect thereto.
- Details of the Processing. The subject-matter of Processing of Personal Data by Data Processor is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
- RIGHTS OF DATA SUBJECTS
- Data Processor shall, to the extent legally permitted, promptly notify Customer if Data Processor receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, erasure (“right to be forgotten”), restriction of Processing, data portability, right to object, or its right not to be subject to automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, Data Processor shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Data Processor shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Data Processor is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Data Processor’s provision of such assistance.
- CardoNews PERSONNEL
- Confidentiality. Data Processor shall ensure that its personnel engaged in the Processing of Personal Data have committed themselves to confidentiality and non-disclosure.
- Data Processor may disclose and Process the Personal Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable Data Protection Laws and Regulations (in such a case, Data Processor shall inform the Customer of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to its legal counsel(s), data protection advisor(s) and accountant(s).
- AUTHORIZATION REGARDING SUB-PROCESSORS
- Appointment of Sub-processors. Customer acknowledges and agrees that (a) Data Processor’s Affiliates may be used as Sub-processors; and (b) Data Processor and/or Data Processor’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
- List of Current Sub-processors and Notification of New Sub-processors.
- Data Processor shall make available to Customer the current list of Sub-processors used by Data Processor via http://www.CardoNews.com/Sub-processor. Such Sub-processor list shall include the identities and details of those Sub-processors and their country of location (“Sub-processor List”). The Sub-processor List as of the date of execution of this DPA, or as of the date of publication (as applicable), is hereby, or shall be (as applicable), authorized by Customer. In any event, the Sub-processor List shall be deemed authorized by Customer unless it provides a written reasonable objection for reasons related to the GDPR within ten (10) business days following the publication of the Sub-processor List. Customer may reasonably object for reasons related to the GDPR to Data Processor’s use of an existing Sub-processor by providing a written objection to support@CardoNews.com. In the event Customer reasonably objects to an existing Sub-processor, as permitted in the preceding sentences, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Data Processor without the use of the objected-to Sub-processor by providing written notice to Data Processor provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Data Processor. Customer will have no further claims against Data Processor due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Agreement (including, without limitation, requesting refunds) and the DPA in the situation described in this paragraph.
- Data Processor shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.
- Objection Right for New Sub-processors. Customer may reasonably object to Data Processor’s use of a new Sub-processor for reasons related to the GDPR by notifying Data Processor promptly in writing within three (3) business days after receipt of Data Processor’s notice in accordance with the mechanism set out in Section 5.2 and such written objection shall include the reasons related to the GDPR for objecting to Data Processor’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within three (3) business days following Data Processor’s notice shall be deemed as acceptance of the new Sub-Processor. In the event Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Data Processor will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Data Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as a sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Data Processor without the use of the objected-to new Sub-processor by providing written notice to Data Processor provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Data Processor. Until a decision is made regarding the new Sub-processor, Data Processor may temporarily suspend the Processing of the affected Personal Data. Customer will have no further claims against Data Processor due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
- Agreements with Sub-processors. Data Processor shall respect the conditions referred to in Articles 28.2 and 28.4 of the GDPR when engaging another processor for Processing Personal Data provided by Customer. In accordance with Articles 28.7 and 28.8 of the GDPR, if and when the European Commission lays down the standard contractual clauses referred to in such Article, the Parties may revise this DPA in good faith to adjust it to such standard contractual clauses.
- Controls for the Protection of Personal Data. Data Processor shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation which are hereby approved by Customer. Data Processor regularly monitors compliance with these measures. Upon the Customer’s request, Data Processor will assist Customer, at Customer’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Data Processor.
- Audits. Data Processor shall make available to Data Controller, upon prior written request, all information necessary to reasonably demonstrate compliance with this Agreement. Data Processor may provide industry-standard third-party audit certifications to demonstrate compliance. Data Processor shall facilitate audits, including inspections, by a reputable auditor mandated by the Data Controller. The scope, duration and methods of such audit will be determined by both parties in good faith. In any event, a third-party auditor shall be subject to confidentiality obligations. Data Processor may object to the selection of the auditor if it reasonably believes that an auditor does not guarantee confidentiality, security or otherwise puts at risk the Processor’s business. All costs associated with the audit including the provision of information in connection thereto shall be at Data Controller’s sole expense. All audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Customer to assess compliance with this Agreement and/or with applicable Data Protection Laws and Regulations, and shall not be used for any other purpose or disclosed to any third party without Data Processor’s prior written approval and, upon Data Processor’s first request, Customer shall return all records or documentation in Customer’s possession or control provided by Data Processor in the context of this section.
- PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION
Data Processor maintains security incident management policies and procedures specified in Security Documentation and, to the extent required under applicable Data Protection Laws and Regulations, shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data transmitted, stored or otherwise Processed by Data Processor or its Sub-processors of which Data Processor becomes aware (a “Personal Data Incident”). Data Processor shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Data Processor deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Data Processor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users. In any event, Customer will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).
- RETURN AND DELETION OF PERSONAL DATA
Subject to the Agreement, Data Processor shall, at the choice of Customer, delete or return the Personal Data to Customer after the end of the provision of the Services relating to processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Data Processor may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. If the Customer requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Data Processor’s customers.
- AUTHORIZED AFFILIATES
- Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Data Processor. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.
- Communication. The Customer shall remain responsible for coordinating all communication with Data Processor under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
- OTHER PROVISIONS
- GDPR. With effect from 25 May 2018, the Parties will Process the Personal Data in accordance with the GDPR requirements directly applicable to each Party in the context of the provision and use of the Services.
- Collaboration with Customers’ Data Protection Impact Assessments. With effect from 25 May 2018, upon Customer’s request, Data Processor shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Data Processor. Data Processor shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to Section 10.2 of this DPA, to the extent required under the GDPR.
- Transfer mechanisms for data transfers.
- Transfers to countries that offer an adequate level of data protection: Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) and the United Kingdom (collectively, “EEA”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.
- Transfers to other countries: If the Processing of Personal Data includes transfers from the EEA to countries which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with Article 46 of the GDPR, and CardoNews on behalf of itself and each member of the CardoNews Group and you on your own behalf and on behalf of each of your Affiliates hereby enter into the Standard Contractual Clauses set out in Annex 2. The Parties agree that if an amendment is made to the Standard Contractual Clauses, or new Standard Contractual Clauses are issued, by the European Commission, the Parties may revise this DPA in good faith to adjust it to such standard contractual clauses. To the extent that there is any conflict or inconsistency between the terms of the Standard Contractual Clauses and the terms of this DPA, the terms of the Standard Contractual Clauses shall take precedence.
- For clarity, responsibility for compliance with the obligations corresponding to Data Controllers under Data Protection Laws and Regulations shall rest with Customer and not with CardoNews. CardoNews may, at Customer’s cost, provide reasonable assistance to Customer with regards to such obligations.
This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided.
- RELATIONSHIP WITH AGREEMENT
In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement.
This DPA may be amended at any time by a written instrument duly signed by each of the Parties.
- LEGAL EFFECT
This DPA shall only become legally binding between Customer and Data Processor when the formalities set out in the Section “INSTRUCTIONS ON HOW TO EXECUTE THIS DPA” below have been fully completed.
The Parties represent and warrant that they each have the power to enter into, execute, perform and be bound by this DPA.
You, as the person on behalf of Customer, represent and warrant that you have, or you were granted, full authority to bind the Organization and, as applicable, its Authorized Affiliates to this DPA. If you cannot, or do not have authority to, bind the Organization and/or its Authorized Affiliates, you shall not supply or provide Personal Data to CardoNews.
By accepting the terms of this DPA, Customer enters into this DPA on behalf of itself and, to the extent required or permitted under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent that CardoNews processes Personal Data for which such Authorized Affiliates qualify as the/a “data controller”.
This DPA has been pre-signed on behalf of CardoNews.
SCHEDULE 1 – DETAILS OF THE PROCESSING
Data Processor will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
Nature and Purpose of Processing
- Providing the Service(s) to Customer.
- Setting up an account/account(s) for Customer.
- For Data Processor to comply with documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement.
- Performing the Agreement, this DPA and/or other contracts executed by the Parties.
- Providing support and technical maintenance, if agreed in the Agreement.
- Resolving disputes.
- Enforcing the Agreement, this DPA and/or defending Data Processor’s rights.
- Management of the Agreement, the DPA and/or other contracts executed by the Parties, including fees payment, account administration, accounting, tax, management, litigation; and
- Complying with applicable laws and regulations, including for cooperating with local and foreign tax authorities, preventing fraud, money laundering and terrorist financing.
- All tasks related with any of the above.
- Duration of Processing
Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Data Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
- Type of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Cookie ID
- IP Address
The Customer and the Data Subjects shall provide the Personal Data to Data Processor by using the Data Processor’s Service on the Customer’s website or application.
- Categories of Data Subjects
- Customer’s end users of its website or application authorized by Customer to use the Services
ANNEX 2: STANDARD CONTRACTUAL CLAUSES
Standard Contractual Clauses (processors)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation:
Tel.: ________________; fax: _________________; e-mail:__________________
Other information needed to identify the organisation
(the data exporter)
Name of the data importing organisation: CardoNews Ltd. or any CardoNews Affiliate (in each case as defined in the Agreement)
Other information needed to identify the organisation:
(the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
The data exporter has entered into a data protection addendum (“Addendum”) with the data importer. Pursuant to the terms of the Addendum, it is contemplated that services provided by the data importer will involve the transfer of personal data to data importer. Data importer is located in a country not ensuring an adequate level of data protection. To ensure compliance with Directive 95/46/EC and applicable data protection law, the controller agrees to the provision of such Services, including the processing of personal data incidental thereto, subject to the data importer’s execution of, and compliance with, the terms of these Clauses.
For the purposes of the Clauses:
(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
(b) ‘the data exporter’ means the controller who transfers the personal data;
(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing;
(g) ‘Addendum’ has the meaning given to it in the Background recital above.
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
Obligations of the data exporter
The data exporter agrees and warrants:
(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the data importer
The data importer agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.
The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
Obligation after the termination of personal data processing services
1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of the data exporter:
Name (written out in full):
Other information necessary in order for the contract to be binding (if any):
On behalf of the data importer:
Name (written out in full):
Other information necessary in order for the contract to be binding (if any):
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is:
Customer under the Agreement between the Data Exporter and the Data Importer, which, as between the parties, acts as data controller with respect to personal data pertaining to its clients, end users, business partners, vendors and staff located in the European Economic Area.
The data importer is CardoNews Ltd., a provider of advertising technology and services.
The personal data transferred concern the following categories of data subjects:
See Schedule 1 of the Addendum
Categories of data
The personal data transferred concern the following categories of data:
See Schedule 1 of the Addendum
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data:
The personal data transferred will be subject to the following basic processing activities:
See Schedule 1 of the Addendum
Authorised Signature ……………………
Authorised Signature ……………………