Data Handling Exhibit
Last updated on August 12, 2022
These Data Handling Standards for Authorized Service Providers are in addition to the terms in the Agreement. Words used in these Standards without a definition but with an initial capital letter have the same meaning (i) as defined in these standards in Section 14 “Definitions;” or (ii) as found in the EU General Data Protection Regulation (GDPR); or (iii) as found in the California Consumer Privacy Act (CCPA); or (iv) as found in the Agreement. Where a term in these Data Handling Standards for Authorized Service Providers conflicts with a corresponding term in the Agreement, the term in these Data Handling Standards for Authorized Service Providers will control with respect to the parties’ obligations under these Data Handling Standards for Authorized Service Providers.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be incorporated by reference into the Agreement. Except where the context requires otherwise, references in these Data Handling Standards for Authorized Service Providers to the Agreement are to the Agreement as amended by, and including, these Data Handling Standards for Authorized Service Providers.
- Background and Purpose. Each party is responsible for complying with any privacy, data security, and Data Protection Legislation that may apply to the handling of Personal Data under the Agreement. These Data Handling Standards for Authorized Service Providers were created to allow Digital River to have an open data sharing arrangement with you. The purpose is to ensure that any transfers of Personal Data between the parties are completed using appropriate safeguards and that each party understands its obligations under Data Protection Legislation. These Data Handling Standards for Authorized Service Providers lay out the obligations of each party, including our respective responsibilities under Data Protection Legislation.
- Obligations of the Parties. Each party is responsible for ensuring that it processes Personal Data correctly under Data Protection Legislation. Digital River is the Data Controller of the Personal Data. You are Digital River’s Data Processor (or Service Provider as defined by the CCPA) of the Personal Data. In that capacity, you shall process the Personal Data only for the limited and specified purposes set out in the Agreement, and in compliance with Digital River’s documented, lawful instructions.
- Description of Personal Data and Purpose of Processing. You will process, on behalf of Digital River, the Personal Data of those purchasers that purchase a title, license right, and/or usage right to a product using Digital River Services (“Shopper”) that are protected under Data Protection Legislation. The categories of Personal Data that you process may include, but are not limited to, names, addresses, email addresses, phone numbers, and other related transaction information. The Personal Data will be processed for the following purposes:
- To ensure performance of your obligations as a Processor under the Agreement,
- To share the data with third parties and service providers and use Sub-processors for carrying out specific processing activities in a manner consistent with Sections 9(d) and (e) of these Data Handling Standards for Authorized Service Providers.
- Privacy Policies. For the avoidance of doubt, Digital River’s privacy policy will govern how Digital River will collect and process Personal Data as well as how Digital River will hold its third parties, service providers, and processors accountable for processing on its behalf. Digital River is responsible for fulfilling promises as outlined in its privacy policy, and you are responsible for fulfilling your obligations under these Data Handling Standards for Authorized Service Providers.
- Security of Personal Data. You agree to take reasonable steps to provide a level of security appropriate to the sensitivity of the information in your control. You represent, warrant and covenant to us that you have implemented technical and organizational security measures, which meet industry best practices and comply with all applicable Data Protection Legislation, to prevent any unauthorized access, use or disclosure of Personal Data, and your processing of Personal Data shall at all times be performed in accordance with such technical and organizational security measures.
- Security Breach. You will immediately notify Digital River in accordance with applicable law about any actual or reasonably suspected accidental or unauthorized access, loss, use, acquisition, disclosure or Processing of Personal Data (a “Security Breach”). With respect to any Security Breach, you will take all steps reasonably necessary to investigate and remediate the effects of such occurrence, to mitigate any harm to those individuals that are affected or could be affected by such occurrence, prevent the re-occurrence, and comply with applicable law.
- Remediation or Security Audit. You agree to abide by any and all security guidelines, policies and requirements that Digital River provides to you from time to time (collectively, the “Security Requirements”). Digital River reserves the right to require remediation of any security report qualifications or perform an audit of your security controls. Any audit of your security controls shall be performed upon fourteen (14) calendar days prior written notice to you. Digital River may also make such an audit a precondition of entering into any transaction(s) with you under these Data Handling Standards for Authorized Service Providers. The parties agree to discuss in good faith any issues identified by us in connection with any such audit, including without limitation remediation efforts in such regard; provided however the costs associated with any changes to your infrastructure effectuated by you as a result of such audit will be borne solely by you. You represent and warrant that you have in place a business continuity and disaster recovery plan in writing and shall provide such plan to Digital River upon written request.
- Transfers of Personal Data Outside of the EEA or United Kingdom. You shall not transfer Personal Data to a territory outside of the EEA or the United Kingdom unless you have taken such measures as are necessary to ensure the transfer is in compliance with applicable law. The parties acknowledge that adequate protection for the Personal Data must exist for any transfer and will, if needed, enter into an appropriate agreement governing such transfer of Personal Data, including, but not limited to Standard Contractual Clauses, taking into account the level of protection of the third country and taking additional steps to guarantee protection, if necessary, unless another appropriate safeguard for the transfer exists. To the extent that this Agreement involves the transfer of the Personal Data outside of the EEA or United Kingdom, the parties agree that Standard Contractual Clauses shall be incorporated into the Agreement. To that end, for Agreements entered into on or after September 27, 2021, the Standard Contractual Clauses applicable to the transfer of Personal Data outside of the EEA (EU Standard Contractual Clauses: https://www.digitalriver.com/legal-other/eu-standard-contractual-clauses-authorized-service-providers/) plus the relevant Privacy Details in the Authorized Service Provider Registration Form shall constitute the completed EU Standard Contractual Clauses, and the International Data Transfer Agreement applicable to the transfer of Personal Data outside of the UK (UK Standard Contractual Clauses: https://www.digitalriver.com/legal-other/uk-standard-contractual-clauses-authorized-service-providers/), plus the relevant Privacy Details in the Authorized Service Provider Registration Form shall constitute the completed UK Standard Contractual Clauses.
For agreements entered into prior to September 27, 2021, the contractual requirements for the transfer of Personal Data to Processors established in third countries found in the European Commission’s Decision 2010/87/EU of 5 February 2010 plus the Privacy Details in the Authorized Service Provider Registration Form shall constitute Completed Standard Contractual Clauses and shall remain in full force and effect until the parties enter into an amendment adopting new Standard Contractual Clauses. Where and to the extent that the Standard Contractual Clauses apply pursuant to this Clause, if there is any conflict between these Data Handling Standards for Authorized Service Providers and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- Processor Obligations. Where you process Personal Data while performing your obligations under the Agreement, you shall act as the Data Processor in accordance with Data Protection Legislation.
- Purposes. You may use or otherwise process the Personal Data for the duration of the Agreement and only in accordance with Digital River’s documented instructions and in order to fulfil the obligations laid out in the Agreement.
- Digital River’s Instructions. You will process Personal Data on Digital River’s behalf and will not process Personal Data for any purpose other than providing the Services to Digital River as specified in the Agreement. Without limiting the foregoing, you will not sell the Personal Data. If you are required by law to process the Personal Data in a manner which goes beyond Digital River’s instructions, unless prohibited by law, you will inform Digital River of that legal requirement and seek its written consent before engaging in such processing.
- Access requests. You must assist Digital River in honoring any data handling requests from individuals exercising their rights under Data Protection Legislation, which rights may include the right to erasure, rectification, withdrawal, restriction of processing, among others. The parties also agree to work in good faith to outline more specific process requirements related to how these requests will be communicated to the other party.
- Transfer of Personal Data; use of Sub-processors. You shall not engage or transfer data to another processor (“Sub-processor”) for carrying out specific processing activities without first obtaining express written consent from Digital River. Any such transfer must be governed by a written contract that outlines the obligations of the Sub-processor to include: (a) the Sub-processor must satisfy all of the requirements related to privacy and security under the Agreement, including the requirement to provide at least the same level of privacy protection as outlined in Standard Contractual Clauses (or its equivalent protection); (b) the Sub-processor may only process the Personal Data according to the Data Processor’s instructions, which must be consistent with the instructions given to you by Digital River; and (c) you shall remain fully liable to Digital River for the performance of the Sub-processor’s obligations as required by the Agreement and Data Protection Legislation.
- Consent by Digital River. In relation to the requirement outlined directly above, as of the date of these Data Handling Standards for Authorized Service Providers, Digital River consents to the onward transfer of Personal Data to all Sub-processors used by you provided that, where reasonable, you have previously notified Digital River of such Sub-processors and the Sub-processors are using the Personal Data solely for the limited purposes as described in the Agreement. In the case of this general authorization, you shall inform Digital River of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving Digital River the opportunity to object to such changes.
- Obligation of Confidentiality. You shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Delete or Return Personal Data. At Digital River’s option, you shall delete or return all of the Personal Data to Digital River at the end of the provision of services relating to the Agreement and agree to delete existing copies unless applicable law requires storage of the Personal Data. You must provide Digital River with a written statement of destruction demonstrating your commitment to this section signed by an executive officer or other authorized signatory of your company.
- Audit Rights. You shall make available to us all information necessary to demonstrate compliance with the obligations laid down in this section and allow for and contribute to audits, including inspections, conducted by Digital River or another auditor mandated by Digital River. In relation, you shall immediately inform Digital River if, in your opinion, an instruction infringes applicable law or other Union or Member State data protection provisions.
- Liabilities, Indemnification. You agree to be held solely liable for the performance of your obligations under Data Protection Legislation, and any fines imposed by a Supervisory Authority (or its equivalent) for your failure to comply with applicable law shall be paid by you. You shall defend, indemnify and hold harmless Digital River, its corporate affiliates, respective officers, directors, and employees from and against any losses in connection with any claims that Digital River may incur or suffer, which results from, relates to or arises from your use, storage, handling or processing of data even if such incident related to the data is unintended by you or not within your control.
- Requests from Supervisory Authorities. You agree to cooperate with Digital River where there is a Supervisory Authority or other governmental request that could impact Digital River, or any other claim that could impact Digital River. Where you receive the request, you shall communicate the request to Digital River expeditiously, and prior to responding to the Supervisory Authority.
- Survival of these Data Handling Standards for Authorized Service Providers. Regardless of whether the Agreement is terminated or expires, if either party has access to, processes or otherwise retains Personal Data, the parties agree to comply with all applicable requirements under Data Protection Legislation. Therefore, the applicable sections of these Data Handling Standards for Authorized Service Providers that relate to the parties’ obligations under Data Protection Legislation survive any termination or expiration of the Agreement. To the extent there are no further obligations of the parties under Data Protection Legislation, these Data Handling Standards for Authorized Service Providers will terminate.
- Applicable Law and Dispute Resolution. These Data Handling Standards for Authorized Service Providers (including the Agreement) constitute the entire agreement between the parties with respect to the subject matter hereof, and these Data Handling Standards for Authorized Service Providers supersede all prior agreements or representations, oral or written, regarding such subject matter. These Data Handling Standards for Authorized Service Providers are governed by the law governing the Agreement, except for where the applicable Standard Contractual Clauses are executed between the parties, which contain specific provisions on the applicable law under the section, “Governing law”.
- Definitions. The following definitions apply to these Data Handling Standards for Authorized Service Providers:
- California Consumer Privacy Act (CCPA) is the California state statute that created new consumer rights relating to the access to, deletion of, and sharing of personal information which became effective on January 1, 2020 and any subsequent modifications.
- Controller or Data Controller is the natural or legal person, which alone or jointly with others, determines the purpose and means of the processing of Personal Data. Controller and Data Controller may be used interchangeably.
- Data Processor is the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller (as defined above).
- Data Protection Legislation means any applicable data protection, security, consumer protection and related regulatory and legal obligations, including the GDPR (defined below), the CCPA (defined above), any binding orders issued by relevant bodies, and any subsequent modifications or amendments.
- General Data Protection Regulation (GDPR) Regulation (EU) 2016/679 is that regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data, which was enforceable as of 25 May 2018 and any subsequent modifications or amendments.
- Legitimate Interests means that processing is permitted if it is necessary for the purposes of legitimate interests pursued by the controller (or by a third party), except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected Shoppers or other individuals that require protection.
- Personal Data is any information relating to an identified or identifiable natural person (such as name, an identification number, location data, or online identifier) that is collected during the course of a sales transaction and processed by you.
- Sell means any activity that qualifies as “sell,” “selling,” “sale,” or “sold,” under the CCPA.
- Standard Contractual Clauses (Controllers to Processors) are the contractual requirements approved by a relevant authority to ensure the appropriate data protection safeguards are in place in the event of an international transfer of Personal Data to Processors.
- Supervisory Authority (or its equivalent) is the authority to whom Shoppers or other individuals may lodge a complaint.