This Data Processing Addendum (“DPA“) constitutes an integral part of those certain Terms and Conditions incorporated into the Order Form or such other agreement for services (the “Agreement”) entered into between the Customer identified therein and Retail Zipline, Inc. on behalf of itself and its Affiliates (collectively, “Retail Zipline”) and is incorporated into and forms part of such Agreement. A reference to Retail Zipline herein shall mean the Retail Zipline entity signing the Agreement. This DPA is entered into as of the Effective Date of the Agreement. Each of Retail Zipline and Customer shall individually be referred to as, “Party”, and collectively, as “Parties”. All capitalized terms not defined herein shall have the meaning set forth in the Agreement. A reference to the DPA shall mean this DPA, including its annexes.
The Parties’ acceptance of the Agreement shall constitute their agreement to this DPA. Although the DPA is incorporated into the Agreement and valid without necessity of a written signature, Customer may require a signed written DPA for evidence or internal compliance purposes. To support this, Retail Zipline has a pre-signed version of the DPA. If you intend to execute it, please (i) download a pre-signed copy of the DPA here, (ii) countersign it where indicated, and (iii) send back a countersigned copy to [email protected].
The Parties hereto agree as follows:
1. DEFINITIONS AND INTERPRETATION:
1.1 For the purposes of this DPA:
(a) “Account Credentials” means any username, identification number, password, license, security key or token, PIN, or other security code, method, technology, or device used alone or in combination to verify an individual’s identity and authorization to access and use the Services.
(b) “Adequate Country” means a country or territory outside the EEA that is recognized for the purposes of the Data Protection Laws (including by virtue of a decision of the European Commission) as providing an adequate level of protection for Personal Data.
(c) “Affiliate(s)” has the same meaning ascribed to it in the Agreement and, if not defined in the Agreement, the term means any legal entity directly or indirectly controlling, controlled by or under common control with a Party, where control means the ownership of a majority (more than 50%) share of the stock, equity or voting interests of such entity.
(d) “CCPA” means the California Consumer Privacy Act 2018, California Civil Code Section 1798 et seq., as amended by the California Privacy Rights Act of 2020, and ensuing regulations, and any legislation or regulation implementing, made pursuant to it, or which amends, replaces, re-enacts, or consolidates it.
(e) “Controller” means an entity that determines the purposes and means of Processing of the Personal Data.
(f) “Data Protection Act 2018” means the data protection act in force in the United Kingdom and any legislation, regulation, or implementation made pursuant to it.
(g) “Data Protection Laws” means all laws and regulations applicable to a Party under the Agreement with respect to its Processing of Personal Data under the Agreement, including, as applicable, the GDPR, the Privacy and Electronic Communications Regulations 2003 (the “PECR”), the Law Enforcement Directive (EU) 2016/680 (“LED”), PIPEDA and/or Substantially Similar Provincial Legislation, U.K. Data Protection Laws, Swiss Federal Act on Data Protection 1992, U.S. Privacy Laws, and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts, or consolidates any of them from time to time.
(h) “Data Subject” means an identified or identifiable natural person and includes “consumer” as defined under the CCPA.
(i) “EEA” means the European Economic Area, including Switzerland.
(j) “GDPR” means the EU General Data Protection Regulation 2016/679, as may be amended or superseded from time to time, and any legislation, regulation, or implementation made pursuant to it. A reference to the GDPR shall include the U.K. GDPR, as applicable in the context. A reference to EU GDPR shall mean the GDPR governing data privacy and protection in the European Union.
(k) “International Data Transfer Agreement (IDTA)” means version A1.0, in force 21 March 2022 of the International Data Transfer Agreement issued by the U.K.’s Information Commissioner’s Office.
(l) “Personal Data” means any information relating to an identified or identifiable natural person that alone or in combination with other information is considered “personal data”, “personal information” or equivalent as defined and regulated under applicable Data Protection Laws.
(m) “PIPEDA and/or Substantially Similar Provincial Legislation” means Canada’s federal Personal Information Protection and Electronic Documents Act, Quebec’s Act respecting the protection of personal information in the private sector, CQLR, c. P-39.1, British Columbia’s Personal Information Protection Act, R.S.B.C. 2003, c. 63, and Alberta’s Personal Information Protection Act, R.S.A. 2003, c. P-6.5, including, any legislation and/or implementation, made pursuant to them, or which amends, replaces, re-enacts, or consolidates any of them.
(n) “Process” or “Processing” means any operation or set of operations that is performed upon Customer Data, whether or not by automated means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination or otherwise making available, alignment or combination, blocking, disposal, return or destruction.
(o) “Processor” means an entity which processes Personal Data on behalf of the Controller, including any Service Provider or Third Party as defined under the CCPA.
(p) “Security Incident” means any known breach of Retail Zipline’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
(q) “Services” means the services provided by Retail Zipline to Customer under the Agreement.
(r) “Standard Contractual Clauses” or “SCCs” means the Standard Contractual Clauses for the Transfer of Personal Data to a Restricted Country, approved by the European Commission decision 2021/914, dated 4 June 2021. Reference to the SCCs shall include the SCCs as amended by the U.K. Addendum where the Personal Data subject to the Transfer is governed by the U.K. Data Protection Laws.
(s) “Sub-processor” means any third party appointed by or on behalf of Retail Zipline to Process Customer Data.
(t) “Supervisory Authority” means supervisory authority as defined under GDPR, and/or outside the EEA the relevant regulatory authority with regard to Data Protection Laws, including any U.S. state attorneys general or other entities created for the purpose of supervising and enforcing Data Protection Laws.
(u) “Restricted Country(ies)” means, as applicable, a country or territory outside (i) the EU/EEA that is not an Adequate Country, (ii) a country other than where the Personal Data was originally collected, or (iii) a country other than the country of residence of the Data Subject.
(v) “Transfer” means a transfer of Customer Personal Data to a Restricted Country (including, where applicable, any ‘onwards transfers’ from that Restricted Country).
(w) “U.K” mean England and Wales, Scotland, and Northern Ireland.
(x) “U.K. Addendum” means that certain approved addendum to the SCCs, version B1.0, in force 21 March 2022, issued by the ICO under S119A(1) of the Data Protection Act 2018 (the “DPA”), allowing the Transfer of Personal Data collected in the U.K. to a Restricted Country.
(y) “U.K. Data Protection Laws” means (i) the EU GDPR as it forms part of the U.K. by virtue of section 3 of the European Union (Withdrawal) Act 2018, as modified by Schedule 1 to the Data Protection, Privacy, and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “U.K. GDPR”), (ii) the DPA; (iii) the LED as transposed into the law of the U.K. by virtue of Part 3 of the DPA; PECR as it forms part of the law of the U.K. by virtue of section 3 of the European Union (Withdrawal) Act 2018 as modified by Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020.
(z) “U.S. Privacy Laws” means the CCPA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Data Privacy Act, and any other U.S. state or federal laws governing Personal Data, and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts, or consolidates any of them from time to time.
2. RELATIONSHIP OF THE PARTIES & SCOPE
2.1 In providing the Services to Customer pursuant to the Agreement, Retail Zipline may Process Customer Data. With respect to Customer Data, other than Account Credentials, the Parties agree and acknowledge that Customer shall be the Controller or Processor and that Retail Zipline shall be the Processor.
2.2 The Parties acknowledge that with respect to Processing of Account Credentials Retail Zipline is an independent controller, and shall, under no circumstances by considered a joint controller with Customer. As a Controller of such Account Credentials, Retail Zipline may use such data to manage the relationship with Customer and verify a User’s identity.
2.3 The Parties shall each comply with the provisions in this DPA with respect to its Processing of any Customer Personal Data and with all applicable Data Protection Laws.
2.4 Customer represents and warrants to Retail Zipline that in connection with Customer Personal Data:
2.4.1 it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including, but not limited to, Data Protection Laws;
2.4.2 it has, and will continue to have, the right to transfer, or provide access to, Customer Personal Data to Retail Zipline for Processing in accordance with the terms of the Agreement and this DPA, and, in particular, that it has one or more lawful bases to support the Processing of Customer Personal Data, or otherwise has obtained all consents or necessary rights to collect and transfer such Customer Personal Data;
2.4.3 it will remain authorized to provide the instructions hereunder; and
2.4.4 it shall not provide or otherwise make available to Retail Zipline any special categories of Personal Data (as the term ‘special categories’ is defined in Article 9(1) of the GDPR or such other “sensitive personal data” as defined under the corresponding Data Protection Laws) and assumes all risk from the Processing thereof.
3. RETAIL ZIPLINE AS PROCESSOR OF CUSTOMER PERSONAL DATA
3.1 Customer Instructions. Where Retail Zipline processes Customer Personal Data on behalf of Customer, Retail Zipline shall:
3.1.1 Not Process Customer Personal Data other than (i) in accordance with the Agreement and applicable Order Form, (ii) on Customer’s documented instructions (in accordance with Section 3.1.2) where such instructions are consistent with the terms of the Agreement; and (iii) as required by applicable laws. To the extent permitted by applicable laws, Retail Zipline shall inform Customer of (a) any Processing to be carried out pursuant to paragraph (ii) herein and the relevant legal requirements that require it to carry out such Processing before carrying out the Processing of such Customer Personal Data.
3.1.2 Customer instructs Retail Zipline to Process Customer Personal Data solely as necessary (i) to provide the Services to Customer (including, without limitation, to improve and update the Services and to carry out Processing initiated by Users in their use of the Services); and (ii) to perform Retail Zipline’s obligations and exercise Retail Zipline’s rights under the Agreement. Nothing in this DPA will be deemed an obligation of Retail Zipline to accept any instructions of Customer other than as required to carry out its obligations under the Agreement. Retail Zipline may refrain from executing Customer’s instruction if it notifies Customer promptly that, in Retail Zipline’s opinion, an instruction for the Processing of Customer Personal Data given by Customer infringes, or is likely to infringe, Data Protection Laws.
3.1.3 Notwithstanding anything to the contrary herein, Retail Zipline must cease all Processing upon written notice to Customer with immediate effect if Retail Zipline considers (in its absolute discretion) that (i) it is unable to adhere to, perform, or implement any instructions issued by Customer, or any obligation under this DPA, due to the technical limitations of its systems, equipment and/or facilities, (ii) to adhere to, perform, or implement any such instructions would require disproportionate effort (whether in terms of time, cost, available technology, manpower or otherwise), or (iii) applicable Data Protection Laws prohibit or materially impair Retail Zipline’s ability to Process Customer Personal Data in accordance with the instructions. Such suspension shall continue until Customer issues new instructions with which Retail Zipline is able to comply. Alternatively, either Retail Zipline or Customer may, in its sole discretion, terminate this DPA, and the Agreement in the event of any of (i), (ii), or (iii) upon prior written notice to the other party. In the event Processing is suspended hereunder, Retail Zipline shall have no liability to Customer for any failure to perform the Services until such time as Customer issues new documented instructions with which Retail Zipline is able to comply.
3.2 Sub-processing
3.2.1 Customer agrees that Retail Zipline may engage Sub-processors to Process Customer Personal Data on Retail Zipline’s behalf. The list of third-party Sub-processors that are currently engaged by Retail Zipline to carry out specific Processing activities can be found here (“Sub-processor List”). Should Retail Zipline update the Sub-Processor List, Retail Zipline shall notify Customer and give Customer the opportunity to object to such Sub-processors or changes concerning the addition or replacement thereof in accordance with the terms in Section 3.2.2 below.
3.2.2 Customer may reasonably object to such new Sub-processor in writing within ten (10) business days of receipt of notice. In such case, Retail Zipline shall use commercially reasonable efforts to make available a change in the provision of Services which avoids the use of the proposed Sub-processor. Continued use of the Services without objection in the period described above shall constitute acceptance of the new Sub-processor.
3.2.3 Retail Zipline shall carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Customer Personal Data required by this DPA before such Sub-processor Processes any Customer Personal Data and shall impose on all Sub-processors data protection terms in writing with respect to Customer Personal Data that are at least as restrictive as those provided for by this DPA. Retail Zipline shall remain liable for any breach of the DPA caused by a Sub-processor.
3.3 Data Subject Rights. Retail Zipline shall, at Customer’s written request, and taking into account the nature of the Processing, provide Customer with such assistance as may be reasonably necessary and technically possible, including by appropriate technical and organizational measures, which may include certain tools or functionality in the Services, as reasonably practicable, to enable Customer to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under Data Protection Laws. In the event such inquiry, communication or request is made directly to Retail Zipline, Retail Zipline shall promptly inform Customer by providing Customer with the full details of the request. Customer agrees and acknowledges it is responsible for responding to and fulfilling Data Subject requests for access, correction, restriction, objection, erasure, or data portability of that Data Subject’s Personal Data. Retail Zipline shall not respond to any Data Subject request except (i) to confirm that such request relates to Customer, (ii) on the documented instructions of Customer, and/or (iii) as required by applicable laws, in which case Retail Zipline shall, to the extent permitted by applicable laws, inform Customer of the legal requirement before Retail Zipline responds to the Data Subject request. Retail Zipline reserves the right to be reimbursed by Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance provided to Customer.
3.4 Data Protection Impact Assessments. Retail Zipline shall, to the extent required by Data Protection Laws, and taking into account the nature of the Processing by, and information available to, Retail Zipline, provide Customer, at Customer’s cost, with reasonable assistance with data protection impact assessments or prior consultations with Supervisory Authorities that Customer reasonably considers it is required to carry out under Data Protection Laws.
3.5 Deletion or Return of Customer Data. Upon termination or expiration of the Agreement, Retail Zipline shall, in accordance with the terms of the Agreement, delete or make available to Customer for retrieval all relevant Customer Data (including copies) in Retail Zipline’s possession, save to the extent that Retail Zipline is required by any applicable law or a governmental or regulatory order to retain some or all of Customer Data, or if it is otherwise subject to liability for not retaining some or all of Customer Data. In such event, Retail Zipline shall extend the protections of the Agreement and this DPA to such Customer Data and limit any further Processing of such Customer Data to only those limited purposes that require the retention for so long as Retail Zipline maintains Customer Data.
4. PERSONNEL AND TRAINING
Retail Zipline shall take commercially reasonable steps to ensure the reliability of any personnel who may Process Customer Personal Data, ensuring in each case that access is limited to those individuals who need to know or access the relevant Customer Personal Data for the purposes described in this DPA, and to comply with applicable Data Protection Laws, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5. SECURITY
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Retail Zipline shall in relation to Customer Data implement and maintain appropriate physical, technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. Retail Zipline’s security measures are more specifically described in the Security Addendum available here (the “Security Addendum”).
6. SECURITY INCIDENT
If Retail Zipline becomes aware of Security Incident, Retail Zipline shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 72 hours after becoming aware of the Security Incident. Retail Zipline shall provide Customer with information regarding the Security Incident, including, to the extent known to Retail Zipline at such time, a summary of the event, the nature and consequences of the Security Incident, measures taken and or proposed to be taken to mitigate the Security Incident, and other related information available to Retail Zipline at such time. Retail Zipline shall cooperate with information reasonable requested by Customer regarding the Security Incident. Security Incidents will not include unsuccessful attempts to, or activities that do not, compromise the security of Customer Data including, without limitation, unsuccessful log in attempts, denial of service attacks, and other similar attacks on firewalls or network systems. Retail Zipline’s obligation to report or respond to a Security Incident will not be construed as an acknowledgement by Retail Zipline of any fault or liability with respect to the Security Incident.
7. AUDITS & REGULATORY REQUESTS
7.1 Upon Customer’s written request, Retail Zipline shall provide to Customer or Customer’s third party auditor, access to reasonably requested documentation evidencing Retail Zipline’s compliance with its obligations under this DPA, including summaries of its Third-Party Audit certification reports (collectively, the “Certification Reports”).
7.2 Should Customer reasonably consider such Certification Reports to be inadequate, Customer may request in writing to perform an audit of Retail Zipline’s applicable controls, including inspecting its facilities, provided Customer may not, unless expressly agreed in writing by Retail Zipline, conduct any penetration or vulnerability testing. The parties shall mutually agree in advance on the details of the audit, including reasonable start date, scope, and duration of the audit, as well as security and confidentiality controls applicable to any such audit. The purpose of such audit shall be strictly limited to verifying whether Retail Zipline is processing Customer Data in accordance with the obligations in the Agreement. Such audit shall be at Customer’s sole and exclusive cost, provided Retail Zipline reserves the right to charge a fee for any such audit, depending on the time and resources required under such audit. Customer shall reimburse Retail Zipline for all costs incurred by Retail Zipline and time spent by Retail Zipline in connection with any such audit. If an audit finds that Retail Zipline is not in compliance with its obligations under this DPA or the Agreement, Retail Zipline will use commercially reasonable efforts to promptly take actions necessary to comply with such audit findings.
7.3 Any request for Certification Reports under Section 7.1 or to conduct an audit under Section 7.2 shall be made with no less than ten (10) business days prior written notice, and shall not be requested or performed, as applicable, more than once in a twelve (12) month period, unless (i) there has been a Security Incident and Customer reasonably considers such an audit necessary, or (ii) Customer is required to carry out such audit by Data Protection Law or a Supervisory Authority. All Certification Reports and any information disclosed pursuant to an audit hereunder shall be deemed Retail Zipline’s Confidential Information.
8. INTERNATIONAL TRANSFERS
8.1 Customer agrees that Retail Zipline may Process (or permit the Processing by Sub-processors (including onward Transfers to any Sub-Processors located in a Restricted Country) of Customer Personal Data in the U.S. and any other Restricted Country to provide the Services in accordance with the Agreement. Retail Zipline shall ensure such Transfers are made in compliance with the requirements of Data Protection Laws, which, with respect to Customer Personal Data that is subject to the GDPR, may include execution of Standard Contractual Clauses, as amended by the U.K. Addendum for Customer Personal Data collected in the U.K., or for Personal Data of Data Subjects outside of the U.K. or EEA, an appropriate form of data protection agreement, with those parties to whom Customer Personal Data will be transferred, or use of such other recognized and approved mechanism for the lawful Transfer of Personal Data.
8.2 The Parties acknowledge and agree that to the extent Customer Transfers Customer Personal Data to Retail Zipline, it shall be effecting a Transfer which shall comply with the terms of this DPA.
8.3 Standard Contractual Clauses
8.3.1 For Customer Personal Data that is subject to the GDPR, Transfers between Customer and Retail Zipline shall be made pursuant to the terms of the Standard Contractual Clauses or such other recognized and approved mechanism as may be available at the time of Transfer. By entering into this DPA, the parties are deemed to have signed the Standard Contractual Clauses, including their Annexes, as of the Effective Date and shall apply, as applicable, to Transfers of Customer Personal Data. The Standard Contractual Clauses shall be deemed entered into (and incorporated into this DPA by this references) and completed as follows:
(a) Module One (Controller to Controller) will apply where Retail Zipline is processing Account Credentials.
(b) Module Two (Controller to Processor) will apply where Customer is a controller of Customer Personal Data and Retail Zipline is processing such Customer Personal Data on behalf of Customer to provide Customer with the Services.
(c) Module Three (Processor to Subprocessor) will apply where Customer is a processor of Personal Data on behalf of a third party Controller.
8.3.2 The following shall apply for each Module under the Standard Contractual Clauses, as applicable:
(a) In Clause 7, the optional docking clause will not apply.
(b) In Clause 9, Option 2 will apply and the time period for prior notice of sub-processor changes will be as set forth in Section 3.2.2 of this DPA.
(c) In Clause 11, the optional language will not apply.
(d) In Clause 17 (Option 1), the governing law will be the laws of Ireland.
(e) In Clause 18(b), disputes will be resolved before the courts of Ireland.
(f) The Parties’ details, as required in Annex 1.A are set forth in Appendix A(1).
(g) In Clause 13(a) and Annex 1.C, the competent supervisory authority is the supervisory authority of the EEA member state in which Customer is in or where the data subjects are predominantly located;
(h) The descriptions of transfer in Annex 1.B are set forth in Appendix A(2).
(i) The Security Addendum serves as Annex II of the Standard Contractual Clauses.
(j) The Sub-processor List serves as Annex III of the Standard Contractual Clauses.
8.4 Transfers from the U.K.
8.4.1 U.K. Addendum. In the event Customer is subject to U.K. Data Protection Laws and requires Retail Zipline to Process Personal Data subject to the U.K. Data Protection Laws under the Agreement, and Customer also transfers Customer Personal Data that is subject to the EU GDPR, the Parties agree and acknowledge such Transfers of Personal Data subject to the U.K. GDPR shall be made pursuant to the U.K. Addendum. In such cases, the Parties agree that signature of this Addendum shall be deemed acceptance of the U.K. Addendum, as applicable, and shall be incorporated herein by reference. Such U.K. Addendum shall be completed as follows:
(a) The exporter shall be the Customer;
(b) the importer shall be Retail Zipline or the Affiliate party to the Agreement;
(c) Table 2: the following option is selected “the Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”
Module | Module in operation | Clause 7 (Docking Clause) | Clause 11 (Option) | Clause 9a (Prior Authorisation or General Authorisation) | Clause 9a (Time period) | Is personal data received from the Importer combined with personal data collected by the Exporter? |
1 | Yes | No used | Not used | Not Applicable | Not Applicable | No |
2 | Yes | Not used | Not used | Option 2 | 10 business days | No |
3 | No | Not used | Not used | Option 2 | 10 business days | No |
4 | No |
(d) Table 3:
(i) Annex 1B: The descriptions of transfer are set forth in Schedule 1(B);
(ii) Annex II: technical and organizational measures are set out in Schedule 3 (The Security Requirements); and
(iii) Annex III: Sub-processor List serves as Annex III; and
(e) Table 4: the box for importer is selected.
8.4.2 International Data Transfer Agreement (IDTA). Where the Customer Transfers Personal Data collected in the United Kingdom but is not transferring Customer Personal Data collected in the EEA to Retail Zipline and the parties have therefor not entered into the Standard Contractual Clauses, the parties shall enter into the International Data Transfer Agreement.
8.5 In the event that the European Commission, any applicable Supervisory Authority, or other body with competent authority and jurisdiction and/or the analogous competent authority in the United Kingdom revises and thereafter publishes new Standard Contractual Clauses, or such other documentation as otherwise required or implemented by such authority, such new Standard Contractual Clauses or other similar documentation will supersede and replace the existing Standard Contractual Clauses.
8.6 In the event that the corresponding courts or authorities determine that the Standard Contractual Clauses or the International Data Transfer Agreement are no longer an appropriate basis for Transfers, or there is a change in applicable law, decision, or interpretation from a competent authority regarding the Standard Contractual Clauses, or the International Data Transfer Agreement, as applicable, Retail Zipline and Customer shall promptly take all steps reasonably necessary to demonstrate adequate protection for Customer Personal Data and determine an appropriate transfer mechanism for such Customer Personal Data.
9. CHANGE IN LAW
If after the Effective Date, the applicable Data Protection Laws are amended or any regulations or rules are adopted or promulgated, or there is any change to the interpretation or application of the foregoing, the Parties will negotiate an amendment to this DPA, as applicable, to comply with the then-current applicable Data Protection Laws, or to any change to the interpretation or application of the foregoing.
10. JURISDICTION SPECIFIC TERMS
To the extent Retail Zipline Processes Personal Data in a jurisdiction listed in Appendix B, then the terms specified in Appendix B with respect to such jurisdiction (the “Jurisdiction Specific Terms”) shall apply in addition to the terms of this DPA. In case of any conflict or ambiguity between the jurisdiction Specific Terms and any other terms of this DPA, the applicable Jurisdiction Specific Terms will take precedence.
11. MISCELLANEOUS
11.1 This DPA is effective as of the Effective Date and shall continue for as long as Retail Zipline Processes Customer Personal Data under the Agreement.
11.2 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
11.3 By signing this DPA, Customer enters into this DPA on behalf of itself and its Affiliates who are permitted to use the Services under the Agreement and who have not separately executed an Agreement or Service Order with Retail Zipline (the “Permitted Affiliates”). Customer shall be responsible for compliance of its Permitted Affiliates’ obligations under this DPA.
11.4 Customer represents that it is authorized to enter into this DPA for and on behalf of itself and, as applicable, its Permitted Affiliates.
11.5 Except as amended by this DPA, the Agreement will remain in full force and effect.
11.6 Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations, set forth in the Agreement, and all Retail Zipline and its Affiliates’ liability hereunder shall mean such parties’ aggregate liability under the Agreement and this DPA together.
11.7 In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (i) the applicable terms in Appendix B, (ii) the terms of this DPA (except for Appendix B), (iii) the Agreement. If there is a conflict between this DPA and the Standard Contractual Clauses in cases where the Parties are relying on the Standard Contractual Clauses to effect a Transfer, the Standard Contractual Clauses shall prevail, subject to the limitations on liability set forth in the Agreement. Nothing in this DPA modifies or affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses (or any such other approved Transfer mechanism).
APPENDIX A
(1) LIST OF PARTIES
Data exporter(s):
Customer as described in the Agreement.
Activities relevant to the data transferred under these Clauses: Fulfillment of the Agreement.
Role: Controller
Data importer(s):
Retail Zipline, Inc. and its Affiliates, as applicable.
Activities relevant to the data transferred under these Clauses: Processing of Customer Personal Data for purposes of providing the Services described in the Agreement.
Role: Processor/Controller
(2) DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Appendix A(2) includes certain details of the Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Customer Personal Data:
The subject matter and duration of the Processing of Customer Personal Data are set out in the Agreement and this DPA. The Processing will continue until the later of expiration or termination of the Agreement, or Retail Zipline’s obligations to Customer.
The nature and purpose of the Processing of Customer Personal Data:
Retail Zipline Processes Customer Personal Data for providing agreed business outcomes and Services to Customer through its communication and task management solution Services, as more specifically described in the Agreement.
The types of Customer Personal Data to be Processed:
The types of Customer Personal Data to be Processed will include:
Except with respect to Account Credentials, the Personal Data transferred to Retail Zipline for processing is determined and controlled by Customer in its sole discretion. As such, Retail Zipline has no control over the nature, volume and sensitivity of Personal Data processed through its Services by Customer or its Users.
Sensitive Data to be Processed:
No Sensitive Data will be Processed under the Agreement.
The categories of Data Subjects to whom Customer Personal Data relates:
Categories of Data Subjects will include individuals requiring access to the Services and Customer Data, primarily consisting of Customer employees, including, store associates, management, HQ personnel, and any other Users authorized by Customer to use the Services.
The obligations and rights of Customer:
The obligations and rights of Customer are set out in the Agreement and this DPA.
Frequency of Transfers of Customer Personal Data:
The frequency of Processing will be continuous and shall be in accordance with the Agreement and as required to provide the Services.
Retention Period for Customer Personal Data:
Customer Personal Data is removed from the Services upon termination of the Agreement and remains in backup files for 2 years thereafter, in accordance with Retail Zipline’s data retention policy.
APPENDIX B
JURISDICTION SPECIFIC TERMS
1. UNITED STATES
1.1 These terms shall apply to the extent that Customer is subject to the U.S. Privacy Laws and is providing to Retail Zipline Personal Data governed by U.S. Privacy Laws.
1.2 For purposes of the DPA, “Personal Data” shall include Personal Information as such term is defined in the CCPA and any other applicable U.S. Privacy Law.
1.3 All capitalized terms used in this Section 1 but not otherwise defined in the DPA shall have the meaning set forth in the applicable U.S. Privacy Law.
1.4 When Processing Personal Data, the Parties acknowledge and agree that Retail Zipline is a “processor” or “controller” per the terms of the DPA or “services provider”.
1.5 Retail Zipline (i) provides Services to Customer pursuant to the Agreement, and (ii) Processes, on behalf of Customer, Personal Data that is necessary to perform the Services under the Agreement.
1.6 Retail Zipline will:
1.6.1 not Sell or Share Personal Data;
1.6.2 not retain, use or disclose Personal Data (i) for any purpose other than for the specific purpose of performing the Services or as permitted by law, or (ii) outside of the direct business relationship between Customer and Retail Zipline;
1.6.3 not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data without Customer’s express written permission;
1.6.4 not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data, or any other data without the express written authorization of Customer, except as permitted under applicable U.S. Privacy Laws and to provide and improve the Services; and
1.6.5 comply with any applicable restrictions under U.S. Privacy Laws on combining Personal Data with personal information that Retail Zipline receives from, or on behalf of, another source, or that Retail Zipline collects from any interaction between it any individual.
1.7 Upon Customer’s request, Retail Zipline shall promptly delete Personal Data from Retail Zipline’ records. In the event Retail Zipline is unable to delete the Personal Data for reasons permitted under U.S. Privacy Laws, Retail Zipline shall (i) promptly inform Customer of the reason(s) for its refusal of the deletion request, (ii) ensure no further retention, use or disclosure of such Personal Data except as may be necessitated by the reason(s) for Retail Zipline’s refusal of the deletion request and as disclosed to Customer, (iii) take commercially reasonable steps to ensure the privacy, confidentiality and security of such Personal Data pursuant to the Agreement and this DPA, and (iv) delete such Personal Data promptly after the reason(s) for Retail Zipline’s refusal has expired.
1.8 Retail Zipline hereby certifies that it understands and will comply with the restrictions and requirements set forth in this Section 1 to the extent it receives Personal Data subject to U.S. Privacy Laws from Customer.
2 CANADA
2.2 These terms shall apply to the extent that Customer is subject to PIPEDA and/or Substantially Similar Provincial Legislation and is providing to Retail Zipline Personal Information governed by PIPEDA and/or Substantially Similar Provincial Legislation.
2.3 For purposes of this DPA, “Personal Data” shall include “Personal Information” as such term is defined in PIPEDA and/or Substantially Similar Provincial Legislation.
2.4 All capitalized terms used in this Section 2 but not otherwise defined in the DPA shall have the meaning set forth in the PIPEDA and/or Substantially Similar Provincial Legislation.
2.5 For the purposes of section 2.4.2 of the DPA, Customer represents and warrants that it has provided any required notices and obtained any required consents to support Retail Zipline’s Processing of Customer Personal Information in accordance with Customer’s instructions.
2.6 Retail Zipline acknowledges and agrees that it will be responsible for its compliance obligations as a third party service provider under PIPEDA and/or Substantially Similar Provincial Legislation.
2.7 Customer acknowledges and agrees that Retail Zipline may transfer Customer Personal Information to, or access Customer Personal Information from outside of Canada in the course of providing the Services, including to the United States, and that Customer is solely responsible for obtaining such consents or providing such notices to relevant parties regarding such cross-border Personal Information transfers as required by PIPEDA and/or Substantially Similar Provincial Legislation or other laws or regulations.
2.8 Upon request of Customer, Retail Zipline will inform Customer of the locations to which Customer’s Personal Information is transferred and processed by Retail Zipline and/or its Sub-processors.