Data Handling Standards - Digital River - EN

Data Handling Standards

Effective as of July 23, 2020

These Standards are in addition to the terms in the Agreement. Words used in these Standards without a definition but with an initial capital letter have the same meaning (i) as found in Regulation (EU) 2016/679 as of 25 May 2018 and any binding orders thereof issued by relevant authorities; (ii) as defined in Section 13, “Definitions”, included at the end of these Standards; or (iii) as found in the Agreement. Where a term in these Standards conflicts with a corresponding term in the Agreement, the term in these Standards will control with respect to the parties’ obligations under these Standards.

  1. Background and Purpose. We hold ourselves to the highest ethical standards of conduct in our daily activities, including our data handling practices. As such, these Standards were created to allow us to have an open data sharing arrangement with you, while ensuring that any transfers of data between the parties are handled appropriately under Data Protection Legislation. Here, we have laid out the ground rules for which data will be shared, including listing our respective responsibilities under Data Protection Legislation.
  2. Obligations of the Parties. We understand fully our obligations under Data Protection Legislation and we need to ensure that data is shared according to such laws. As such, we need to confirm that the parties will make every effort to process the Personal Data correctly under Data Protection Legislation. Additionally, because under GDPR only data controllers collect personal data from data subjects (and are also independently responsible for determining the legal bases under which they obtain and process the data), both we and you maintain the responsibility of being our own (Independent) Data Controllers for Personal Data and our respective processing activities.
  3. Description of Personal Data and Purpose of Processing. Each party will process Personal Data of those purchasers that purchase a title, license right, and/or usage right to a product using our Service (“Shopper”). Those categories of Personal Data may include names, addresses, email addresses, phone numbers, IP addresses, and other related order information. The Personal Data will be processed independently by each party for the following purposes:
    • To provide the Shoppers with the services they have requested, in accordance with the relevant party’s privacy policy,
    • To ensure the performance of the parties’ obligations under the Agreement,
    • To provide other similar services to Shoppers where the Shoppers have, if applicable, consented to such services, and as decided by each party as its own (Independent) Data Controller, and
    • To share the data with third parties and use Processors to process the data so long as the parties comply with Data Protection Legislation.
  4. Information Provided to Shoppers. The parties agree to include the applicable link to each party’s privacy policy, prior to the collection, by such party, of the Shopper’s Personal Data, so that it is clear to the Shopper which privacy policy applies to the processing of their data. For the avoidance of doubt, your privacy policy will govern how you will process Personal Data; and, ours will govern how we will process Personal Data. We are each responsible for fulfilling our promises as outlined in our respective privacy policies. Where applicable, you will gather and document the applicable consents from Shoppers for the processing of their data, such as for marketing activities. And, where there is another lawful basis for the processing (such as “Legitimate Interests”) you will also document the applicable lawful basis and our reasoning behind such decision(s).
  5. Data Handling Requests; Notifying the Other party. Data Protection Legislation such as GDPR (as defined in Section 13, “Definitions”) grants Shoppers certain rights regarding their personal data that a Data Controller holds and obligates Data Controllers to facilitate the exercise of those rights. As such, each party is responsible for facilitating the exercise of Shoppers’ rights under applicable law, and must send any applicable data handling requests to the other party without undue delay. Such rights may include the right to consent, and to withdraw the consent, right of access, right to rectification, restriction of Processing, erasure, data portability, to object to Processing, and the right not to be subject to automated individual decision making. It is up to each party to ensure the Shoppers’ rights are honored as appropriate, considering applicable legal requirements. It is also each party’s responsibility to ensure that the Shopper has been appropriately authenticated under Data Protection Legislation prior to acting on any access request. Specifically as it relates to data erasure requests from a Shopper, we request that you log into our administration interface software (or successor user interface) and click on the “Request removal of Personal Information” button, which will automatically trigger a notification to us. You may also send any communications related to such data handling requests to the Digital River contact point(s) noted in the Order Form under “Privacy”.
  6. Security of Personal Data. Both parties agree to take reasonable steps to provide a level of security appropriate to the sensitivity of the Personal Data in each party’s control.
    • Both parties represent, warrant and covenant to the other party that (i) it has implemented technical and organizational security measures, which meet industry standards and comply with all applicable Data Protection Legislation, to prevent any unauthorized access, use or disclosure of Personal Data, and (ii) its processing of Personal Data will at all times be performed in accordance with such technical and organizational security measures; and
    • To the extent required by applicable law, the parties will not transfer the Personal Data to a processor, vendor, service provider, subcontractor or sub-processor (a “Processor”), unless (i) it has first concluded a written agreement with the Processor that imposes obligations and restrictions on the third-party at least as restrictive as those that apply to the other party under these Standards (“Processing Agreements”), and (ii) such transfer complies with applicable Data Protection Legislation; and
    • The party who has transferred Personal Data to the Processor shall be liable for the acts or omissions of that Processor with respect to Personal Data.
  7. Security Breach. With respect to any Security Breach, the parties will take all steps reasonably necessary to (i) investigate and remediate the effects of such occurrence, (ii) mitigate any harm to those Shoppers that are affected or could be affected by such occurrence, (iii) prevent the re-occurrence, and (iv) comply with applicable Data Protection Legislation. Each party shall notify the other party in writing or by phone (for Digital River, the phone number is 952-253-1234, attention: Legal) after becoming aware of any compromise of the Personal Data that may affect the other party. The responsible party shall also notify the Supervisory Authority and Shoppers, where required and within the applicable time-period, under Data Protection Legislation. As such, the parties will coordinate with, consult with and keep the other party regularly informed related to its response to any Security Breach.
  8. Transfers of Personal Data Outside of the EEA. A party shall not transfer Personal Data (nor permit any Personal Data to be transferred) to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with applicable law. The parties acknowledge that adequate protection for the Personal Data must exist for any transfer and will, if needed, enter into an appropriate written agreement governing such transfer of Personal Data, including, but not limited to the EU Standard Contractual Clauses, unless another adequacy mechanism for the transfer exists, including without limitation Privacy Shield for transfers to the United States of America. To the extent that the parties’ transfer of Personal Data is reliant on the Standard Contractual Clauses for Controller to Controller transfers, the Standard Contractual Clauses including its Annex B shall form part of the Agreement. As such, the parties agree that the Standard Contractual Clauses using the Annex B which is attached at the end of these Standards, plus the Privacy details in the Order Form, shall constitute the completed Standard Contractual Clauses. Where and to the extent the Standard Contractual Clauses apply pursuant to this section, if there is any conflict between these Standards and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
  9. Liabilities, Indemnification. Each party agrees to be held solely liable for the performance of its obligations under Data Protection Legislation and these Standards, and any fines imposed by a Supervisory Authority (or its equivalent) for that party’s failure to comply with Data Protection Legislation or these Standards shall be paid by that party that failed to comply. While nothing in the Agreement shall be construed as making the parties, acting as (Independent) Data Controller, involved in the same processing, should, pursuant to Article 82(4) of the GDPR, a party be found to be liable for the entire damage arising from a breach or breaches of the GDPR relating to activities under these Standards, in order to ensure effective compensation of one or more individuals, then that party shall indemnify the other party for that portion of the compensation attributable to any breaches of the GDPR for which it is responsible.
  10. Requests from Supervisory Authorities. The parties agree to cooperate with each other when they receive a request from a Supervisory Authority or court of law that impacts the other party. Where one party receives the request (the “Receiving Party”), the Receiving Party shall communicate the request to the other party promptly, and where possible, prior to responding to the Supervisory Authority or court of law. However, if this is not possible due to the immediacy of the request, the Receiving Party shall communicate the request to the other party as soon as reasonably possible after submission of the response.
  11. Survival of these Standards. Regardless of whether the Agreement is terminated or expires, if either party has access to, processes or otherwise retains Personal Data, the parties agree to comply with all applicable requirements under Data Protection Legislation. Therefore, the applicable sections of these Standards that relate to the parties’ obligations under Data Protection Legislation survive any termination or expiration of the Agreement. To the extent there are no further obligations of the parties under Data Protection Legislation, these Standards will terminate. Also, and for the avoidance of doubt, each party is responsible for destroying the Personal Data in accordance with applicable laws and neither party is required to return to the other party the Personal Data that is in their possession.
  12. Applicable Law and Dispute Resolution. These Standards (including the Agreement) constitute the entire agreement between the parties with respect to the subject matter hereof, and these Standards supersede all prior agreements or representations, oral or written, regarding such subject matter. These Standards are governed by the law governing the Agreement, except for where the applicable Standard Contractual Clauses are executed between the parties, which contain specific provisions on the applicable law in Clause IV, “Law applicable to the clauses.”
  13. Definitions. The following definitions apply to these Standards:
    • Legitimate Interests means that processing is permitted if it is necessary for the purposes of legitimate interests pursued by the controller (or by a third party), except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected Shoppers which require protection.
    • Regulation (EU) 2016/679 or the General Data Protection Regulation (GDPR) is that regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data, which was enforceable as of 25 May 2018.
    • Data Protection Legislation means any applicable data protection, security, consumer protection and related regulatory and legal obligations, the GDPR (defined above), the California Consumer Protection Act and any binding orders issued by relevant bodies.
    • Standard Contractual Clauses are the contractual requirements approved by the European Commission from time to time for the transfer of Personal Data from EU Controllers to non-EU or EEA Controllers. See the European Commission’s Decision 2004/915/EC of 27 December 2004, available at: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en (as that URL is updated from time to time).

ANNEX B TO SET II STANDARD CONTRACTUAL CLAUSES

DESCRIPTION OF THE TRANSFER

Data subjects:
The personal data transferred concern the following categories of data subjects:

  • Shoppers and other persons (e.g., third parties) who do, or might do, business with the parties so as to conduct its business.
  • The parties’ employees and/or contractors who assist with the business relationship.

Purposes of the transfer(s):
The transfer is made for the following purposes:
The personal data will be processed independently by each party for the following purposes:

  • To provide the Shopper with the services they have requested, in accordance with the relevant party’s privacy policy,
  • To ensure the performance of the parties’ obligations under the Agreement,
  • To provide other similar services to Shoppers where the Shoppers have, if applicable, consented to such services, and as decided by each party as its own (Independent) Data Controller, and
  • To share the data with third-party service providers of the parties and use Processors to process the data so long as the parties comply with Data Protection Legislation.

Categories of data:
The personal data transferred concern the following categories of data:
Personal data from Shoppers such as information that can be used to identify an individual, either alone or in combination with other information available to the parties, such as a name, shipping or billing address, e-mail address, and phone number.

Recipients:
The personal data transferred may be disclosed only to the following recipients or categories of recipients:
Employees and/or direct or indirect contractors of the parties who are being considered to do, who do, or have done work for, or for the benefit of, the respective data controller.

Sensitive data (if appropriate):
The personal data transferred concern the following categories of sensitive data:
For clarity, the parties understand and agree that any payment information (e.g., purchaser payment account information, including but not limited to credit/debit card number, account and routing number, card expiration date, and card verification code or value) will be exclusively received and handled by Digital River and not be made available to you. As such, sensitive data will not be transferred between Digital River and you.

Contact points for data protection inquiries: (refer to Order Form for contact points)