Last updated on December 6, 2020
These Data Handling Standards for Authorized Service Providers are in addition to the terms in the Agreement. Words used in these Standards without a definition but with an initial capital letter have the same meaning (i) as defined in these standards in Section 14 “Definitions;” or (ii) as found in the EU General Data Protection Regulation (GDPR); or (iii) as found in the California Consumer Privacy Act (CCPA); or (iv) as found in the Agreement. Where a term in these Data Handling Standards for Authorized Service Providers conflicts with a corresponding term in the Agreement, the term in these Data Handling Standards for Authorized Service Providers will control with respect to the parties’ obligations under these Data Handling Standards for Authorized Service Providers.
In consideration of the mutual obligations set out herein, the parties hereby agree that the terms and conditions set out below shall be incorporated by reference into the Agreement. Except where the context requires otherwise, references in these Data Handling Standards for Authorized Service Providers to the Agreement are to the Agreement as amended by, and including, these Data Handling Standards for Authorized Service Providers.
- Background and Purpose. Each party is responsible for complying with any privacy, data security, and Data Protection Legislation that may apply to the handling of Personal Data under the Agreement. These Data Handling Standards for Authorized Service Providers were created to allow Digital River to have an open data sharing arrangement with you. The purpose is to ensure that any transfers of Personal Data between the parties are completed using appropriate safeguards and that each party understands its obligations under Data Protection Legislation. These Data Handling Standards for Authorized Service Providers lay out the obligations of each party, including our respective responsibilities under Data Protection Legislation.
- Obligations of the Parties. Each party is responsible for ensuring that it processes Personal Data correctly under Data Protection Legislation. Digital River is the Data Controller of the Personal Data. You are Digital River’s Data Processor (or Service Provider as defined by the CCPA) of the Personal Data. In that capacity, you shall process the Personal Data only for the limited and specified purposes set out in the Agreement, and in compliance with Digital River’s documented, lawful instructions.
- Description of Personal Data and Purpose of Processing. You will process, on behalf of Digital River, the Personal Data of those purchasers that purchase a title, license right, and/or usage right to a product using Digital River Services (“Shopper”) that are protected under Data Protection Legislation. The categories of Personal Data that you process may include, but are not limited to, names, addresses, email addresses, phone numbers, and other related transaction information. The Personal Data will be processed for the following purposes:
- To ensure performance of your obligations as a Processor under the Agreement,
- To share the data with third parties and service providers and use Sub-processors for carrying out specific processing activities in a manner consistent with Sections 9(d) and (e) of these Data Handling Standards for Authorized Service Providers.
- Security of Personal Data. You agree to take reasonable steps to provide a level of security appropriate to the sensitivity of the information in your control. You represent, warrant and covenant to us that you have implemented technical and organizational security measures, which meet industry best practices and comply with all applicable Data Protection Legislation, to prevent any unauthorized access, use or disclosure of Personal Data, and your processing of Personal Data shall at all times be performed in accordance with such technical and organizational security measures.
- Security Breach. You will immediately notify Digital River in accordance with applicable law about any actual or reasonably suspected accidental or unauthorized access, loss, use, acquisition, disclosure or Processing of Personal Data (a “Security Breach”). With respect to any Security Breach, you will take all steps reasonably necessary to investigate and remediate the effects of such occurrence, to mitigate any harm to those individuals that are affected or could be affected by such occurrence, prevent the re-occurrence, and comply with applicable law.
- Remediation or Security Audit. You agree to abide by any and all security guidelines, policies and requirements that Digital River provides to you from time to time (collectively, the “Security Requirements”). Digital River reserves the right to require remediation of any security report qualifications or perform an audit of your security controls. Any audit of your security controls shall be performed upon fourteen (14) calendar days prior written notice to you. Digital River may also make such an audit a precondition of entering into any transaction(s) with you under these Data Handling Standards for Authorized Service Providers. The parties agree to discuss in good faith any issues identified by us in connection with any such audit, including without limitation remediation efforts in such regard; provided however the costs associated with any changes to your infrastructure effectuated by you as a result of such audit will be borne solely by you. You represent and warrant that you have in place a business continuity and disaster recovery plan in writing and shall provide such plan to Digital River upon written request.
- Transfers of Personal Data Outside of the EEA. You shall not transfer Personal Data to a territory outside of the EEA or the United Kingdom unless you have taken such measures as are necessary to ensure the transfer is in compliance with applicable law. The parties acknowledge that adequate protection for the Personal Data must exist for any transfer and will, if needed, enter into an appropriate agreement governing such transfer of Personal Data, including, but not limited to the EU Standard Contractual Clauses, taking into account the level of protection of the third country and taking additional steps to guarantee protection if necessary, unless another appropriate safeguard for the transfer exists. To the extent that this Agreement involves the transfer of the Personal Data outside of the EEA or United Kingdom, the parties agree the Standard Contractual Clauses including its Appendices 1 and 2 shall be incorporated into the Agreement. To that end, the Standard Contractual Clauses, including Appendix 1 (which is attached at the end of these Data Handling Standards for Authorized Service Providers) and Appendix 2 (the details of which are included in the Privacy Details in the Authorized Service Provider Registration Form) shall constitute the completed Standard Contractual Clauses. Where and to the extent that the Standard Contractual Clauses apply pursuant to this Clause, if there is any conflict between these Data Handling Standards for Authorized Service Providers and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- Processor Obligations. Where you process Personal Data while performing your obligations under the Agreement, you shall act as the Data Processor in accordance with Data Protection Legislation.
- Purposes. You may use or otherwise process the Personal Data for the duration of the Agreement and only in accordance with Digital River’s documented instructions and in order to fulfil the obligations laid out in the Agreement.
- Digital River’s Instructions. You will process Personal Data on Digital River’s behalf and will not process Personal Data for any purpose other than providing the Services to Digital River as specified in the Agreement. Without limiting the foregoing, you will not sell the Personal Data. If you are required by law to process the Personal Data in a manner which goes beyond Digital River’s instructions, unless prohibited by law, you will inform Digital River of that legal requirement and seek its written consent before engaging in such processing.
- Access requests. You must assist Digital River in honoring any data handling requests from individuals exercising their rights under Data Protection Legislation, which rights may include the right to erasure, rectification, withdrawal, restriction of processing, among others. The parties also agree to work in good faith to outline more specific process requirements related to how these requests will be communicated to the other party.
- Transfer of Personal Data; use of Sub-processors. You shall not engage or transfer data to another processor (“Sub-processor”) for carrying out specific processing activities without first obtaining express written consent from Digital River. Any such transfer must be governed by a written contract that outlines the obligations of the Sub-processor to include: (a) the Sub-processor must satisfy all of the requirements related to privacy and security under the Agreement, including the requirement to provide at least the same level of privacy protection as outlined in Standard Contractual Clauses (or its equivalent protection); (b) the Sub-processor may only process the Personal Data according to the Data Processor’s instructions, which must be consistent with the instructions given to you by Digital River; and (c) you shall remain fully liable to Digital River for the performance of the Sub-processor’s obligations as required by the Agreement and Data Protection Legislation.
- Consent by Digital River. In relation to the requirement outlined directly above, as of the date of these Data Handling Standards for Authorized Service Providers, Digital River consents to the onward transfer of Personal Data to all Sub-processors used by you provided that, where reasonable, you have previously notified Digital River of such Sub-processors and the Sub-processors are using the Personal Data solely for the limited purposes as described in the Agreement. In the case of this general authorization, you shall inform Digital River of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving Digital River the opportunity to object to such changes.
- Obligation of Confidentiality. You shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Delete or Return Personal Data. At Digital River’s option, you shall delete or return all of the Personal Data to Digital River at the end of the provision of services relating to the Agreement and agree to delete existing copies unless applicable law requires storage of the Personal Data. You must provide Digital River with a written statement of destruction demonstrating your commitment to this section signed by an executive officer or other authorized signatory of your company.
- Audit Rights. You shall make available to us all information necessary to demonstrate compliance with the obligations laid down in this section and allow for and contribute to audits, including inspections, conducted by Digital River or another auditor mandated by Digital River. In relation, you shall immediately inform Digital River if, in your opinion, an instruction infringes applicable law or other Union or Member State data protection provisions.
- Liabilities, Indemnification. You agree to be held solely liable for the performance of your obligations under Data Protection Legislation, and any fines imposed by a Supervisory Authority (or its equivalent) for your failure to comply with applicable law shall be paid by you. You shall defend, indemnify and hold harmless Digital River, its corporate affiliates, respective officers, directors, and employees from and against any losses in connection with any claims that Digital River may incur or suffer, which results from, relates to or arises from your use, storage, handling or processing of data even if such incident related to the data is unintended by you or not within your control.
- Requests from Supervisory Authorities. You agree to cooperate with Digital River where a Supervisory Authority or other governmental request, or any other claim, could impact Digital River. Where you receive the request, you shall communicate the request to Digital River expeditiously, and prior to responding to the Supervisory Authority.
- Survival of these Data Handling Standards for Authorized Service Providers. Regardless of whether the Agreement is terminated or expires, if either party has access to, processes or otherwise retains Personal Data, the parties agree to comply with all applicable requirements under Data Protection Legislation. Therefore, the applicable sections of these Data Handling Standards for Authorized Service Providers that relate to the parties’ obligations under Data Protection Legislation survive any termination or expiration of the Agreement. To the extent there are no further obligations of the parties under Data Protection Legislation, these Data Handling Standards for Authorized Service Providers will terminate.
- Applicable Law and Dispute Resolution. These Data Handling Standards for Authorized Service Providers (including the Agreement) constitute the entire agreement between the parties with respect to the subject matter hereof, and these Data Handling Standards for Authorized Service Providers supersede all prior agreements or representations, oral or written, regarding such subject matter. These Data Handling Standards for Authorized Service Providers are governed by the law governing the Agreement, except for where the applicable Standard Contractual Clauses are executed between the parties, which contain specific provisions on the applicable law under the section, “Governing law”.
- Definitions. The following definitions apply to these Data Handling Standards for Authorized Service Providers:
- California Consumer Protection Act (CCPA) is the California state statute that created new consumer rights relating to the access to, deletion of, and sharing of personal information which became effective on January 1, 2020 and any subsequent modifications.
- Controller or Data Controller is the natural or legal person, which alone or jointly with others, determines the purpose and means of the processing of Personal Data. Controller and Data Controller may be used interchangeably.
- Data Processor is the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller (as defined above).
- Data Protection Legislation means any applicable data protection, security, consumer protection and related regulatory and legal obligations, including the GDPR (defined below), the CCPA (defined above), any binding orders issued by relevant bodies, and any subsequent modifications or amendments.
- General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is that regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data, which was enforceable as of 25 May 2018 and any subsequent modifications or amendments.
- Legitimate Interests means that processing is permitted if it is necessary for the purposes of legitimate interests pursued by the controller (or by a third party), except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected Shoppers or other individuals that require protection.
- Personal Data is any information relating to an identified or identifiable natural person (such as name, an identification number, location data, or online identifier) that is collected during the course of a sales transaction and processed by you.
- Sell means any activity that qualifies as “sell,” “selling,” “sale,” or “sold,” under the CCPA.
- Standard Contractual Clauses (Controllers to Processors) are the contractual requirements for the transfer of Personal Data to Processors established in third countries approved by the European Commission from time to time; the approved version is found in the European Commission’s Decision 2010/87/EU of 5 February 2010, available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (as that URL is updated from time to time).
- Supervisory Authority (or its equivalent) is the authority to whom Shoppers or other individuals may lodge a complaint.
Appendix 1 to the Standard Contractual Clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter will process Personal Data to (please specify briefly your activities relevant to the transfer):
- To provide Shopper with products they purchased using Digital River Solutions and to ensure the performance of the parties’ obligations under the Agreement.
The data importer will process Personal Data to (please specify briefly activities relevant to the transfer):
- Perform Services pursuant to or specified in the Agreement and according to Digital River’s instructions.
Categories of data subjects
The personal data transferred concern the following categories of data subjects (please specify):
- Shoppers who have purchased our mutual Client’s products from Digital River as authorized reseller.
Categories of data
The personal data transferred concern the following categories of data (please specify):
- Contact and order information for Shoppers that have purchased our mutual Client’s products from Digital River, such as First and last name, Title, Position, Employer, email, phone, address, etc.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify if applicable):
- The parties agree that payment information (e.g., purchaser payment account information, including but not limited to, credit/debit card number, account and routing number, card expiration date, and card verification code or value) is not necessary for you to comply with your obligations under the Agreement. As such, it will not be transferred to or processed by you.