JumpDEMAND, Inc. GDPR Addendum

READ THE FOLLOWING TERMS AND CONDITIONS CAREFULLY BEFORE ACCEPTANCE. BY SELECTING “I ACCEPT”, YOU AGREE TO FOLLOW AND BE BOUND BY THE TERMS AND CONDITIONS IN THIS ADDENDUM. YOU REPRESENT THAT YOU HAVE THE AUTHORITY AND POWER TO BIND A COMPANY OR LEGAL ENTITY IN THE CASE YOU ENTER THIS AGREEMENT ON BEHALF OF A COMPANY OR LEGAL ENTITY. IF YOU DO NOT AGREE TO EACH TERM AND CONDITION OF THIS ADDENDUM, SELECT “I DECLINE”. YOU MAY NOT USE THESE SERVICES WITHOUT ACCEPTING THE TERMS AND CONDITIONS OF THIS ADDENDUM.

Upon selecting “I Accept” you (the “Subscriber”) and JumpDEMAND Inc. (the “Service Provider”) are bound by this Addendum on the later of (a) the time/date the Subscriber selects “I Accept” and (b) 25 May 2018 (the “Addendum Effective Date”).

Background

(A) The Subscriber and the Service Provider are parties to an existing Agreement, pursuant to which the Service Provider provides the Services.
(B) The Service Provider is incorporated in Alberta, Canada. The Service Provider is not subject to the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) but is subject to the Personal Information Protect Act (Alberta) (“Alberta PIPA”), in respect of the collection, use and disclosure of personal information that occurs in Alberta. Alberta PIPA is provincial legislation that is deemed to be substantially similar to PIPEDA, and an exemption order was granted by the Federal Government, exempting organizations from PIPEDA application in respect of the collection, use and disclosure of personal information that occurs within the Province of Alberta. The possibility of such an exemption is referred to in recital 6 of the European Commission’s adequacy decision in respect of Canada dated 20 December 2001: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32002D0002. Moreover, PIPEDA applies where personal information collected in Alberta is disclosed across provincial borders. However to cover the possibility that this combination of Alberta PIPA/PIPEDA does not afford adequate data protection for transfers of personal data from Europe, the Service Provider offers its subscribers in the European Economic Area a separate pre-signed Model Clause Agreement.
(C) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 came into force on 24 May 2016 and becomes directly applicable on 25 May 2018.
(D) The parties wish to enter into this Addendum in order to vary, supplement and update the existing Agreement for the purpose of GDPR compliance and to supplement the Model Clause Agreement.

Agreed terms

  • 1. Consideration
    • 1.1 In consideration of the mutual benefits of data protection compliance, the parties agree to the provisions of this Addendum.
  • 2. Definitions
    • 2.1 In this Addendum the defined terms set out in Appendix 1 (Definitions) shall have the meanings given to them there (unless the context requires otherwise).
    • 2.2 Where the Subscriber is a marketing agency, it shall, and shall procure that each of its end clients shall, comply with the terms of this Addendum. All subsequent references to the “Subscriber” in this Addendum shall be construed as including a reference to the Subscriber’s end clients.
  • 3. Application of this Addendum
    • 3.1 This Addendum amends and forms part of the Agreement, whose terms apply to this Addendum. The parties agree that the click-wrap mechanism for acceptance constitutes “an instrument in writing signed by the parties” as set out in the Agreement.The Addendum supplements the Model Clause Agreement. It shall take effect on the Addendum Effective Date, and shall continue for the Term.
    • 3.2 Subject to article 4 (commercial terms), to the extent that there is any conflict between the requirements of this Addendum, the Model Clause Agreement and the Agreement, it shall be resolved in the following order of precedence:
      • 3.2.1 First the Addendum (because it reflects the GDPR requirements, for example new or upgraded individual rights, data protection impact assessments and breach notification, which post-date the 2010 standard contractual clauses on which the Model Clause Agreement is based);
      • 3.2.2 Secondly the Model Clause Agreement; and
      • 3.2.3 Finally, the Agreement.
  • 4. Processor provisions
    • 4.1. The parties acknowledge that the Subscriber is a Controller and that the Service Provider is a Processor of the Relevant Data.
    • 4.2. Details of the Processing the Service Provider carries out on behalf of the Subscriber under the Agreement are set out in part 1 of Appendix 2 (Details of Data Processing). The Subscriber’s documented instructions are set out in part 2 of Appendix 2 (Details of Data Processing).
    • 4.3. The Service Provider shall:
      • 4.3.1. Process the Relevant Data only in accordance with documented instructions from the Subscriber (including with regard to transfers of Relevant Data to a Restricted Country), unless required to do so by European Law to which the Service Provider is subject; in such a case, the Service Provider shall inform the Subscriber of that legal requirement before Processing, unless that European Law prohibits such information on important grounds of public interest;
      • 4.3.2. ensure that persons authorised to process the Relevant Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
      • 4.3.3. take all measures required pursuant to Article 32 GDPR;
      • 4.3.4. comply with the conditions referred to in para