
6.4 Alternative transmission mechanism. To the extent that Mailchimp introduces an alternative data export mechanism (including a new version or successor to the SCC or Privacy Shield) for the transfer of EU data not described in this DPA (« Alternative Transfer Mechanism »), the Alternative Transfer Mechanism will apply in place of the transmission mechanisms described in this DPA (but only to the extent that such alternative transfer mechanism complies with the applicable application. EU data protection legislation extends to the countries to which EU data is transferred). In addition, if and to the extent that a competent court or supervisory authority (for any reason) orders that the measures described in this DPA may not be used for the lawful transfer of data from the EU (within the meaning of the applicable European data protection legislation), Mailchimp may take additional steps or safeguards reasonably necessary to enable the lawful transfer of data from the EU. Online replicas and backups: Whenever possible, production databases are designed to replicate data between at least 1 primary database and 1 secondary database. All databases are backed up and maintained using at least industry standard methods. e. If, after the end of the healing period, the data importer has not remedied or is unable to remedy the non-compliance, the data exporter may suspend and/or terminate the affected part of the services in accordance with the terms of the contract without being liable to either party (but without prejudice to any costs incurred by the data exporter prior to suspension or termination). The data exporter shall not be obliged to provide such communication if it considers that there is a significant risk of harm to the data subjects or their personal data. b.

Accordingly, in accordance with clause 11 of those clauses, the data exporter gives the data importer its general consent to engage other sub-processors. This consent is subject to the condition that the data importer complies with the requirements set out in the « Notification and objection for new sub-processors » section of the DPA. « Approved Affiliates » means all of your Affiliates who (i) may use the Subscription Services under the Agreement but have not signed their own separate agreement with us and are not a « Customer » within the meaning of the Agreement, (ii) qualify as a controller of the Personal Data we process, and (iii) are subject to European data protection laws. The data exporter shall request the data importer to process the personal data in countries where the data importer or its sub-processors have the necessary facilities for the provision of the service. g. Demonstrate compliance. We will provide you with all information reasonably necessary to demonstrate compliance with this DPA and we will allow and assist audits, including inspections by you, to assess compliance with this DPA. You acknowledge and agree that you will exercise your audit rights under this DPA by requiring us to comply with the audit measures described in this subsection (g). You acknowledge that the Subscription Service is hosted by our data center partners who maintain independently validated security programs (including SOC 2 and ISO 27001) and that our systems are regularly tested by independent contractors for penetration testing.

Upon request, we will provide you (on a confidential basis) with a summary of the penetration test reports so that you can verify our compliance with this DPA. In addition, upon your written request, we will provide written responses (on a confidential basis) to any reasonable request for information from you necessary to confirm our compliance with this DPA, provided that you do not exercise this right more than once per calendar year. (c) it has taken the technical and organisational security measures referred to in Annex 2 before processing the personal data transmitted; The GDPR only allows the export of data to countries outside the EU if the recipient outside the EU can guarantee an adequate level of protection. 8.7. Entire Agreement. This Agreement is the complete and exclusive agreement between the parties with respect to the subject matter of this Agreement and supersedes all prior or contemporaneous agreements, negotiations and communications (written and oral) with respect to that subject matter. Please note that this does not mean that a separate risk assessment and separate additional safeguards are no longer required. As an entrepreneur, you still need to carry out the necessary preliminary investigations before exporting personal data outside the EU, but the new NCCs are already provided for this substantive obligation anyway, which was not the case with the old ones. One. The data importer agrees that the data exporter may comply with its obligation to return or destroy all personal data for the purpose of providing data processing services by complying with the « Deletion or Return of Personal Data » section of the DPA. Data subjects.

The personal data transmitted concern the following categories of data subjects (please specify): The clauses are governed by the law of the Member State in which the data exporter is established, i.e.: the Member State in which the address of the data exporter is located, as indicated in his user profile on the services of the data importer. This addendum, as well as the contract, contains the Customer's instructions to the Seller on the processing of personal data. Contacts: identification and contact details (name, date of birth, gender, general, professional or other demographic information, address, title, contact details, including e-mail address); personal interests or preferences (including purchase history, marketing preferences and publicly available social media profile information); Computer information (IP addresses, usage data, cookie data, online browsing data, location data, browser data); Financial information (credit card details, account details, payment information). 2. Where a data subject is unable to assert a claim for compensation in accordance with paragraph 1 against the data exporter resulting from a breach by the data importer or its sub-processor of any of its obligations under Clause 3 or Clause 11 because the data exporter has effectively disappeared or ceased to exist before the law or has become insolvent, the data importer agrees that the data subject may assert a claim against the data importer as if he or she were the data exporter, unless a successor organisation has assumed all the legal obligations of the data exporter by contract or by law, in which case the data subject may assert his or her rights against that entity. The data importer shall not invoke a breach of its obligations by a processor in order to avoid its own responsibilities. e. Data protection impact assessments and consultation of supervisory authorities.

To the extent that the required information is reasonably available to us and you do not have access to the required information, we will provide you with appropriate assistance for data protection impact assessments and prior consultations with supervisory or other competent data protection authorities to the extent required by European data protection laws. 1. The data importer shall not subcontract any of its processing operations carried out on behalf of the data exporter in accordance with the clauses without the prior written consent of the data exporter. If the data importer subcontracts its obligations under the Clauses with the consent of the data exporter, it will only do so through a written agreement with the sub-processor imposing on the sub-processor the same obligations as the data importer under the Clauses. If the Sub-Processor fails to comply with its data protection obligations under such a written agreement, the Data Importer will remain fully liable to the Data Exporter for the performance of the Sub-Processor's obligations under this Agreement. HubSpot, Inc. processes personal information to the extent necessary to provide the Subscription Services to data exporters in accordance with the Agreement. A handful of countries are automatically considered an adequate level of protection, but for most other countries, exporting data since the end of the EU-U.S. Privacy Shield requires a data export agreement that provides written privacy guarantees.