Data Handling Standards
Effective as September 24, 2021
These Standards are in addition to the terms in the Agreement. Words used in these Standards with an initial capital letter have the same meaning (i) as defined in these standards in Section 13 “Definitions;” (ii) as found in the EU General Data Protection Regulation (GDPR); (iii) as found in the California Consumer Privacy Act (CCPA); or (iv) as found in the Agreement. Where a term in these Standards conflicts with a corresponding term in the Agreement, the term in these Standards will control with respect to the parties’ obligations under these Standards.
- Background and Purpose. Each party is responsible for privacy, data security, and compliance with any global Data Protection Legislation that may apply to your commerce solution. These Standards were created to allow us to have an open data sharing arrangement with you. The purpose is to ensure that any transfers of data between the parties are completed using appropriate safeguards, and that each party understands its obligations under Data Protection Legislation. Here, we have laid out the obligations of each party, including our respective responsibilities under Data Protection Legislation.
- Obligations of the Parties. You and we will each maintain the responsibility of being an (Independent) Data Controller for Personal Data. As such, each party is responsible for ensuring that Personal Data is Processed according to Data Protection Legislation and that there is a lawful basis for its Processing activities.
- Description of Personal Data and Purpose of Processing. Each party will process Personal Data of those purchasers that purchase a title, license right, and/or usage right to a product using our Service (the “Shopper”). Those categories of Personal Data may include names, addresses, email addresses, phone numbers, IP addresses, and other related transaction information.
The Personal Data will be processed independently by each party for the following purposes:
  - To ensure the performance of the parties’ obligations under the Agreement,
  - To provide other similar services to Shoppers where the Shoppers have, if applicable, consented to such services, and as decided by each party as its own (Independent) Data Controller,
  - To share the data with third parties, Service Providers, and use Processors to process the data so long as the parties comply with Data Protection Legislation; and
  - Digital River agrees that it will only independently process the Shopper Personal Data for the following purposes: performing its obligations under the Agreement, fulfilling Shopper transactions, collecting Shopper payments, conducting fraud screening, providing support to Shoppers, preventing, detecting, or investigating fraud, employing independent fraud modeling, detection, and risk analytics, payment optimization, and generally complying with its contractual or other obligations to the Shopper and complying with its legal obligations. For clarity, Digital River will not process Shopper Personal Data to market to end users.
For the avoidance of doubt, the parties agree that neither party receives valuable consideration for, and no Sale has occurred as a result of the transfer of data from one party to another. Any transfer of data between the parties is done for the purpose of fulfilling and processing shopper-initiated transactions and for providing related support.
Where applicable, you will gather and document the applicable consents from Shoppers for the processing of their data, such as for marketing activities. Where there is another lawful basis for the processing (such as “Legitimate Interests”), you will also document that lawful basis and your reasoning behind such decision(s).
- Data Handling Requests; Notifying the Other Party. Data Protection Legislation, such as GDPR and CCPA, grants Shoppers certain rights regarding their personal data that a Data Controller holds and obligates Data Controllers to facilitate the exercise of those rights. As such, each party is responsible for facilitating the exercise of Shoppers’ rights under applicable law and must send any applicable data handling requests to the other party without undue delay.
Such rights may include the right to consent, and to withdraw the consent, the right of access, rectification, restriction of Processing, erasure, data portability, and the right to object to Processing. It is up to each party to ensure the Shoppers’ rights are honored as appropriate, considering applicable legal requirements. It is also each party’s responsibility to ensure that the Shopper has been appropriately authenticated under Data Protection Legislation prior to acting on any access request.
Specifically, as it relates to data erasure requests from a Shopper, we request that you log into our administration interface software (or successor user interface) and click on the “Request Removal of Personal Information” button, which will automatically trigger a notification to us. You may also send any communications related to such data handling requests to the Digital River contact point(s) noted in the Order Form under “Privacy.”
- Security of Personal Data. Each party agrees to take reasonable steps to provide a level of security appropriate to the sensitivity of the Personal Data in each party’s control.
  - Each party represents, warrants and covenants to the other party that (i) it has implemented technical and organizational security measures, which meet industry standards and comply with all applicable Data Protection Legislation, to prevent any unauthorized access, use or disclosure of Personal Data, and (ii) its processing of Personal Data will at all times be performed in accordance with such technical and organizational security measures; and
  - Each party represents and warrants that it has in place and in writing a business continuity and disaster recovery plan; and
  - To the extent required by applicable law, the parties will not transfer the Personal Data to a processor, vendor, service provider, subcontractor or sub-processor (a “Processor”), unless (i) it has first concluded a written agreement with the Processor that imposes obligations and restrictions on the third party at least as restrictive as those that apply to the other party under these Standards (“Processing Agreements”), and (ii) such transfer complies with applicable Data Protection Legislation; and
  - The party who has transferred Personal Data to the Processor shall be liable for the acts or omissions of that Processor with respect to Personal Data.
- Security Breach. With respect to any Security Breach, the parties will take all steps reasonably necessary to (i) investigate and remediate the effects of such occurrence, (ii) mitigate any harm to those Shoppers that are affected or could be affected by such occurrence, (iii) prevent the re-occurrence, and (iv) comply with applicable Data Protection Legislation.
Each party shall notify the other party in writing or by phone (for Digital River, the phone number is 952-253-1234, attention: Legal) after becoming aware of any compromise of the Personal Data that may affect the other party. The responsible party shall also notify the Supervisory Authority and Shoppers, where required and within the applicable time period under Data Protection Legislation. Each party will coordinate with, consult with, and keep the other party regularly informed regarding its response to any Security Breach.
- Transfers of Personal Data Outside of the EEA or United Kingdom. A party shall not transfer Personal Data (nor permit any Personal Data to be transferred) to a territory outside of the EEA or the United Kingdom unless it has taken such measures as are necessary to ensure the transfer complies with applicable law. The parties acknowledge that adequate protection for the Personal Data must exist for any transfer and will, if needed, enter into an appropriate written agreement governing such transfer of Personal Data, including, but not limited to Standard Contractual Clauses, taking into account the level of protection of the third country and taking additional steps to guarantee protection if necessary, unless another appropriate safeguard for the transfer exists.
To the extent that the Agreement involves the transfer of Personal Data outside of the EEA or United Kingdom, the parties agree that Standard Contractual Clauses shall be incorporated into the Agreement. To that end, for agreements entered into on or after September 27, 2021, the Standard Contractual Clauses applicable to the transfer of Personal Data outside of the EEA (“EU SCCs”), available at https://www.digitalriver.com/legal-other/eu-standard-contractual-clauses-commerce-connector-solutions/, plus the Privacy details in the Order Form shall constitute the completed EU Standard Contractual Clauses. For agreements entered into prior to September 27, 2021, the contractual requirements for the transfer of Personal Data to Controllers established in third countries found in the European Commission’s Decision 2004/915/EC of 27 December 2004 plus the Privacy details in the Order Form shall constitute completed Standard Contractual Clauses and shall remain in full force and effect until the parties enter into an amendment adopting new Standard Contractual Clauses. Where and to the extent Standard Contractual Clauses apply pursuant to this Clause, if there is any conflict between these Standards and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- Liabilities and Indemnification. Each party agrees to be held solely liable for the performance of its obligations under Data Protection Legislation and these Standards, and any costs associated with a party’s failure to comply with Data Protection Legislation and these Standards, including any fines imposed by a Supervisory Authority (or its equivalent), shall be paid by the party that failed to comply.
While nothing in the Agreement or these Standards shall be construed as making the parties, acting as (Independent) Data Controllers, involved in the same processing, should, pursuant to Article 82(4) of the GDPR, a party be found to be liable for the entire damage arising from a breach or breaches of the GDPR relating to activities under these Standards, in order to ensure effective compensation of one or more individuals, then that party shall indemnify the other party for that portion of the compensation attributable to any breaches of the GDPR for which it is responsible.
- Requests from Supervisory Authorities. The parties agree to cooperate with each other when they receive a request from a Supervisory Authority or court of law that impacts the other party. Where one party receives the request (the “Receiving Party”), the Receiving Party shall communicate the request to the other party promptly, and where possible, prior to responding to the Supervisory Authority or court of law. However, if this is not possible due to the immediacy of the request, the Receiving Party shall communicate the request to the other party as soon as reasonably possible after submission of the response.
- Survival of these Standards. Regardless of whether the Agreement is terminated or expires, if either party has access to, processes or otherwise retains Personal Data, the parties agree to comply with all applicable requirements under Data Protection Legislation. Therefore, the applicable sections of these Standards that relate to the parties’ obligations under Data Protection Legislation survive any termination or expiration of the Agreement. To the extent there are no further obligations of the parties under Data Protection Legislation, these Standards will terminate. Also, and for the avoidance of doubt, each party is responsible for destroying the Personal Data in accordance with applicable laws, and neither party is required to return to the other party the Personal Data that is in its possession.
- Applicable Law and Dispute Resolution. These Standards (including the Agreement) constitute the entire agreement between the parties with respect to the subject matter hereof, and these Standards supersede all prior agreements or representations, oral or written, regarding such subject matter. These Standards are governed by the law governing the Agreement, except for where the applicable Standard Contractual Clauses are executed between the parties, which contain specific provisions on the applicable law in Clause IV, “Law applicable to the clauses.”
- Definitions. The following definitions apply to these Standards:
  - California Consumer Privacy Act (CCPA) is the California state statute that created new consumer rights relating to the access to, deletion of, and sharing of personal information of California residents, which became effective on January 1, 2020, and any subsequent modifications or amendments.
  - Data Protection Legislation means any applicable data protection, security, consumer protection and related regulatory and legal obligations globally, including, but not limited to, the CCPA and the GDPR, and any subsequent modifications or amendments.
  - General Data Protection Regulation (GDPR) means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data, which became enforceable on 25 May 2018, and any subsequent modifications or amendments.
  - Legitimate Interest means that processing is permitted if it is necessary for the purposes of a legitimate interest pursued by the controller (or by a third party), except where the controller’s interests are overridden by the interests, fundamental rights, or freedoms of the affected Shoppers which require protection.
  - Sale means any activity that qualifies as “sell,” “selling,” “sale,” or “sold,” under the CCPA.
  - Standard Contractual Clauses are the contractual requirements approved by a relevant authority to ensure the appropriate data protection safeguards are in place in the event of the international transfer of Personal Data.