This Data Processing Agreement (hereinafter, the “DPA”) is part of Red Points’ service terms and conditions; unless the Client has entered into a superseding written agreement with Red Points, in which case, it forms part of such written agreement (in either case, collectively, the “Agreement”).
This DPA and the other provisions of the Agreement are complementary; however, in the event of a conflict, this DPA shall prevail.
This DPA shall apply to Personal Data processed on behalf of the Client throughout its use of the Services.
The term of this DPA shall be the same as the term of the Agreement. This means that this DPA shall automatically terminate upon termination of the Agreement or upon prior termination in accordance with the terms of this DPA.
II. TERMS OF THE DPA
1. Definitions
Unless otherwise defined herein, all terms beginning with a capital letter which are defined in the Service Terms and Conditions shall have the same meanings herein as therein, unless the context hereof otherwise requires.
“Controller”, “Processor”, “Data Subject”, “Processing”, “appropriate technical and organizational measures” and “Standard Contractual Clauses”, as used in this DPA, shall have the meanings ascribed to them in the European Data Protection Law.
“European Data Protection Law” means: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) any applicable national implementation.
2. Scope of data protection law
The Parties acknowledge that European Data Protection Law will only apply to Personal Data that is covered by the definitions contained in such laws.
3. Identification of the Parties
For the purposes of this DPA:
Red Points shall be considered the Data Processor.
The Client shall be considered the Data Controller.
4. Description of the processing and TOMs
A detailed description of the processing to be carried out can be found attached to this DPA as Schedule 1. A list of the applicable security standards can be found in Schedule 2.
5. Responsibilities of the Controller and Processor
Each Party shall comply with the GDPR and the relevant implementing legislation throughout the processing. In addition, each Party shall comply with the duties to inform provided in the GDPR and relevant legislation. In this sense, the Processor has posted a generic legal text addressed to Potential Infringers to inform them of our processing activities (https://www.redpoints.com/reported-content/).
6. Provisions regarding the processing by the Processor
In the processing of the Client’s Personal Data, Red Points commits to comply with the European Data Protection Law.
The purpose of the data processing shall be exclusively to provide the Services on the terms dictated by the Client. This DPA sets out the nature and purpose of the processing, the types of Personal Data that Red Points will process and the Data Subjects whose Personal Data will be processed. In this regard, the processing will be carried out fulfilling Red Points’ obligations under Article 28 of the GDPR, that is:
a) processing Personal Data only in accordance with the Client’s documented instructions (as set out in this DPA or the Agreement, or as directed by you through the Services) for the performance of the Services;
b) taking the necessary measures in accordance with Article 32 GDPR, in the terms set out in Clause VII of this DPA and in Schedule 2;
c) notifying Client without undue delay if, in our opinion, an instruction to process Personal Data given by Client is in breach of European Data Protection Law;
d) making available all information reasonably requested in order to demonstrate that Red Points’ obligations regarding the appointment of sub-processors have been fulfilled, without prejudice to Clause VI;
e) assisting Client in fulfilling its obligations under Articles 35 and 36 of the GDPR;
f) assisting Client in fulfilling its obligations under Articles 15 to 18 of the GDPR, providing Client with documentation or helping Client to retrieve, correct, delete or block Personal Data;
g) ensuring that Red Points’ personnel who are required to access Personal Data are subject to a binding duty of confidentiality with regard to such Personal Data;
h) deleting, upon termination of the Agreement, all Personal Data processed and any copy thereof in its possession. Notwithstanding the foregoing, Personal Data may be blocked during the liability periods stated under article 32 of LOPDGDD or under any other applicable Union or Member State law.
In addition, and on the condition that Client has previously signed a confidentiality and non-disclosure agreement with Red Points:
a) We will allow Client and its authorized representatives to access and review documents to ensure compliance with the terms of this DPA.
b) During the term of the Agreement and as required by European Data Protection Law, we will permit Client and its authorized representatives to conduct audits to ensure compliance with the terms of this DPA. Without prejudice to the foregoing, any such audit shall be conducted during normal business hours with reasonable notice to Red Points and subject to reasonable confidentiality protocols.
The scope of any audit shall not obligate Red Points to disclose to Client or its authorized representatives or allow access to: (i) any data or information of any other Red Points client; (ii) any Red Points internal accounting or financial information; (iii) any Red Points trade secrets; (iv) any information which, in our reasonable opinion, could compromise the security of our systems or facilities; or cause us to breach our obligations under the European Data Protection Law or our security, confidentiality or privacy obligations to any other client of Red Points or any third party; or (v) any information which Client seeks to access for any reason other than good faith compliance with your obligations under European Data Protection Law and our compliance with the terms of this DPA.
In addition, audits will be limited to once a year, unless Red Points has suffered a security breach in the previous twelve (12) months that has affected Personal Data; or an audit reveals a material breach.
7. Rights of Data Subjects
If Red Points, as processor, receives notice of any claim, complaint, request, direction, enquiry, investigation, proceeding or other action from any Data Subject, court, regulatory or supervisory authority, or any body, organization or association, which relates in any way to Personal Data processed by Red Points on behalf of the Client, Red Points undertakes to:
notify the Client of this circumstance so that the Client may comply with the request to the extent that such notification is legally permissible;
provide the Client with reasonable cooperation and assistance; and
not be liable at its own expense, unless the Client is legally obliged to do otherwise in writing.
8. Sub-processors
The Client consents to Red Points’ use of the sub-processors listed in Schedule 3. Furthermore, the Client authorizes Red Points to engage additional external sub-processors to process the Client’s Personal Data, provided that:
Red Points notifies the Client of the updated list of sub-processors at least twenty (20) days before allowing any new sub-processor to process Personal Data, thus giving the Client the opportunity to object to such changes.
In the event that the Client objects to the substitution or hiring of a new sub-processor, the Parties shall negotiate in good faith alternative solutions that are commercially reasonable.
Red Points requires the new sub-processor to protect the Client’s Personal Data to a standard no less strict than that required by this DPA and European Data Protection Law.
Client understands that, by virtue of any confidentiality restrictions that may apply to sub-processors, Red Points may be limited in its ability to disclose sub-processor agreements to Client. In this regard, Red Points undertakes to use all reasonable efforts to require any sub-processor it appoints to allow it to disclose the sub-processor agreement to the Client. Where, despite best efforts, Red Points is unable to disclose a sub-processor agreement to the Client, the Parties agree that, upon the Client’s request, Red Points will provide, on a confidential basis, such information as it reasonably can in connection with such sub-processor agreement to Client.
9. Security of the processing
Red Points shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure, in accordance with this DPA. Such measures shall be proportionate to the harm that could result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the Personal Data and appropriate to the nature of the Personal Data to be protected. In this sense, Red Points may update the technical and organizational measures, provided that such modifications do not diminish the general level of security.
If Red Points becomes aware of and confirms any accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access to Client’s Personal Data (“Security Breach”) that we process in the course of providing the Services, we will notify Client without undue delay and in any event no later than 48 hours after becoming aware of it.
In this sense, Red Points shall be liable for the alteration, loss, processing or unauthorized access to the Personal Data due to causes directly and exclusively attributable to the Processor, taking into account the state of the technology, the nature of the Data and the risks to which they are exposed.
10. Data transfers
It is part of Red Points’ policy to give preference in the contracting of sub-processors to those companies located in the European Economic Area that meet the highest standards of privacy and data protection.
Notwithstanding the foregoing, in the event that Red Points processes Personal Data in a country that does not have an adequacy decision (within the meaning of Article 45 GDPR), Red Points will adopt an appropriate transfer mechanism in accordance with the GDPR.
If Red Points carries out any international transfer for which the transfer mechanism employed is no longer valid under the GDPR (e.g. as a result of a court ruling), the Client shall allow Red Points a reasonable period of time to remedy the breach (“Remediation Period”), in order to identify what additional safeguards or other measures can be taken to ensure its compliance with European Data Protection Law.
The Client acknowledges and agrees that, as part of the provision of the Services, Red Points is entitled to use data relating to or obtained in connection with the operation, support or use of the Services for its legitimate internal business purposes, such as supporting billing processes, administering the Services, improving, benchmarking and developing products and services, complying with applicable laws (including law enforcement requests), ensuring the security of the Services and preventing fraud or mitigating risk.
In relation to Personal Data, Red Points warrants not to use it for its own purposes unless it has aggregated and anonymized the data so that it does not identify the Client or any other person or entity, in particular Authorized Users.
This DPA is subject to the applicable law and the terms of jurisdiction of the Agreement.
Without limiting the foregoing, to the extent permitted by applicable law, all liability arising under this DPA shall be governed by the limitations of liability (including caps on liability) in the Agreement.
In the event that any provision of this DPA is held to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not be affected or impaired thereby and such provision shall be ineffective only to the extent of such invalidity, illegality or unenforceability.
Schedule 1 (Description of the processing)
Personal Data refers to the signatories of the Agreement as well as the Client’s contact person, employees and, where applicable, the Client’s Authorized Users and potential infringers.
Personal Data includes:
a) the signatories’ name, surname, position, identity card, telephone and address;
b) the Client’s contact personal data, which includes the name, surname, telephone number, e-mail, and position of its personnel;
c) the Client’s Authorized Users’ identification, which consists of a username and password to access the Software Platform;
d) other data to be processed in the Software Platform, as explained and further detailed in the “Client’s Authorized User Data Protection Policy” posted in the Software Platform, which is subject to this Clause; and
e) the contact details of the potential infringers in connection with the infringing evidence of the contents found by the bots under the Software Platform as customized by the Authorized Users, such as their nickname, full name, telephone, address, identification number under a domain, and/or email.
Purpose of processing
The purposes of the Data processing carried out under the Agreement are: (i) the preparation and execution of the Agreement; (ii) the performance of the contractual relationship between the Parties; and (iii) to enable the Authorized Users to access and use the Software Platform.
The processing activities under the Software Platform are carried out for the specific following purposes:
a) Tracking the corresponding websites and marketplaces for possible counterfeits or infringements of the Client’s intellectual property rights, in accordance with the Controller’s instructions provided by the Authorized Users in the Software Platform.
b) Tracking the corresponding websites and marketplaces for breaches of contract terms by the Client’s official sellers, based on information and instructions provided by the Controller as customized by the Authorized Users in the Software Platform.
c) Preparing a list of possible infringements that shall be validated by the Client (via the Authorized Users in the Software Platform), whose rights may be violated by the acts of the alleged infringer.
d) In the event that the Client has indicated the infringement and/or has identified an authorized seller/distributor for the sale of its products or services, such Data will also be processed for further control done in the Software Platform as per Controller’s instructions in connection with the eventual intellectual property infringement and/or to monitor compliance with the distribution and sale conditions agreed between the Client and the seller.
e) Monitoring online activity of the alleged infringer, once validated by the Controller (via the Authorized Users in the Software Platform), in order to identify new infringements of the Client’s intangible assets rights on different e-commerce platforms or similar sources.
f) Obtaining Data from other possible sources so as to gather any other contact details of the eventual infringers.
g) Filing claims in the marketplaces or websites where infringements of the Client’s rights are located once these are validated by the Controller for takedown (via the Authorized Users in the Software Platform).
Types of processing
Collection or recording of personal data.
Storage or retention of personal data.
Communication of personal data.
Use of personal data.
The Data processing in the Software Platform and in connection with the retrieving of contact details in other sources of the eventual infringers consists of, where applicable, searching for contractual infringements by the Controller’s official sellers, counterfeits or infringements of the Controller’s intellectual property rights on the Internet websites or domains specified by the Client via the customization of the bots by the Authorized Users, such as any particular e-commerce, social network or other similar sources under a domain name, providing a listing that must be validated by the Controller. In addition to this, Processor will also carry out statistical studies on the sellers’ and potential infringers’ activities for the Controller so as to protect the Controller’s intangible assets.
Schedule 2 (Applicable security standards)
Access control to premises and facilities
Measures must be taken to prevent unauthorized physical access to premises and facilities containing Personal Data. Measures shall include:
Access control system.
ID reader, magnetic card, chip card.
(Issuance of) keys.
Door locking (electric strikes, etc.).
Registration of exits/entries from the premises.
Controlling access to systems
Measures should be taken to prevent unauthorized access to computer systems. These should include the following technical and organizational measures for user identification and authentication:
Password protocols (including special characters, minimum length, forced password change).
There is no access for guest users or anonymous accounts.
Centralized management of access to the system.
Access to IT systems is subject to approval by HR management and IT system administrators.
Data access control
Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and to prevent the unauthorized input, reading, copying, deletion, modification or disclosure of data. These measures should include:
Differentiated access rights.
Access rights defined according to functions.
Automated logging of user access through computer systems.
Measures to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment.
Measures must be taken to prevent unauthorized access, alteration or deletion of data during transfer, and to ensure that all transfers are secure and recorded. These measures shall include:
Mandatory use of encrypted private networks for all data transfers.
Encryption via VPN for remote access, transport and data communication.
Measures should be put in place to ensure that all data management and maintenance is recorded, and an audit trail should be kept indicating whether data has been entered, modified or deleted (erased) and by whom.
Measures should include:
Logging of user activities in IT systems.
It is possible to verify and establish to which bodies personal data have been or may be transmitted or made available by means of data communication equipment.
It is possible to verify and establish what personal data have been entered into automated data processing systems, and when and by whom.
Control of the order
Measures should be put in place to ensure that data are processed strictly in accordance with the controller’s instructions. These measures should include:
Monitoring the execution of the contract
Measures should be put in place to ensure the protection of data against accidental destruction or loss.
These measures should include:
Installed systems can be restored in case of interruption.
Systems work and failures are reported.
Stored personal data cannot be corrupted by a system malfunction.
Uninterruptible Power Supply (UPS).
Business continuity protocols.
Schedule 3 (List of sub-processors)
Processor: Amazon Web Services
Function: Hosting Services
Transfer mechanism: N/A
Processor: Gainsight, Inc.
Function: Customer Success tool
Transfer mechanism: SCCs