This Data Processing Agreement (the “DPA”) is entered into by
Outfunnel’s customer identified on the account registration for Outfunnel’s services (“Controller”)
and
Outfunnel OÜ (“Processor”), registry code 14469427, legal address Harju county, Tallinn, Põhja-Tallinn, Valgevase 13, 10414,
and governs the processing of personal data that the Processor processes on behalf of the Controller or that the Controller provides to the Processor.
This DPA is incorporated into the services contract (“Agreement”) previously executed by Controller and Processor.
1. DEFINITIONS
“Controller’s Personal Data” means Personal Data that Processor processes on behalf of Controller or that Controller provides to Processor in connection with its use of Processor’s services.
“Data Protection Requirements” means the General Data Protection Regulation, Local Data Protection Laws, any subordinate legislation and regulation implementing the General Data Protection Regulation.
“EU Personal Data” means Personal Data of which the sharing pursuant to this DPA is regulated by the General Data Protection Regulation and Local Data Protection Laws.
“General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Local Data Protection Laws” means any subordinate legislation and regulation implementing the General Data Protection Regulation which may apply to this DPA.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It includes data that Controller chooses to provide to Processor.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Controller’s Personal Data.
“Privacy Laws” means all applicable laws, regulations, and other legal requirements relating to (a) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
“Process” and its cognates mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Sub-processor” means any entity which provides processing services to Processor in furtherance of Processor’s processing on behalf of Controller.
“Supervisory Authority” means the Estonian Data Inspectorate.
2. NATURE OF DATA PROCESSING
The nature and purposes of the processing, the categories of data subjects, the categories of Personal Data and the recipients are described in Annex A to this DPA.
3. COMPLIANCE WITH LAWS
The parties shall each comply with their respective obligations under all applicable Data Protection Requirements.
4. CONTROLLER’S OBLIGATIONS
Controller agrees to:
- Provide instructions to Processor and determine the purposes and general means of Processor’s processing of Controller’s Personal Data in accordance with this DPA;
- Comply with its data protection, security and other obligations with respect to Controller’s Personal Data prescribed by Data Protection Requirements for data controllers by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of Controller; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (c) ensuring compliance with the provisions of this DPA by its personnel or by any third-party accessing or using Controller’s Personal Data on its behalf.
Controller is responsible for obtaining consent from data subjects, where applicable. Consent is an indication by the data subject that they allow their Personal Data to be processed by Controller. Consent must be given in written or electronic form.
5. PROCESSOR’S OBLIGATIONS
A. Processor will:
- Process Controller’s Personal Data (i) only for the purpose of providing, supporting and improving Processor’s services, using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from Controller. Processor will not use or process the Controller’s Personal Data for any other purpose. Processor will promptly inform Controller if it cannot comply with the requirements under Sections 5-8 of this DPA, in which case Controller may terminate this DPA or take any other reasonable action, including suspending data processing operations;
- Inform Controller promptly if, in Processor’s opinion, an instruction from Controller violates applicable Data Protection Requirements;
- Take commercially reasonable steps to ensure that persons employed by it and other persons engaged to perform on Processor’s behalf comply with the terms of this DPA;
- Ensure that its employees, authorized agents and any Sub-processors are required to comply with, acknowledge and respect the confidentiality of the Controller’s Personal Data, including after the end of their respective employment, contract or assignment. Processor and any person acting under its authority who has access to Controller’s Personal Data shall not process that data except on instructions from Controller (including as authorised under this DPA), unless required to do so by law;
- Upon request, provide Controller with a summary of Processor’s privacy and security policies or other documented evidence that the Processor has implemented necessary technical and organisational measures;
- Inform Controller when Processor undertakes an independent security review;
- Maintain appropriate organisational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Controller’s Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Controller’s Personal Data;
- Be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all Processor personnel with respect to Controller’s Personal Data and liable for any failure by such Processor personnel to meet the terms of this DPA;
- Take reasonable steps to confirm that all Processor personnel are protecting the security, privacy and confidentiality of Controller’s Personal Data consistent with the requirements of this DPA; and
- Notify Controller of any Personal Data Breach by Processor, its Sub-processors, or any other third-parties acting on Processor’s behalf without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.
B. Processor will inform Controller if Processor becomes aware of:
- Any non-compliance by Processor or its employees with Sections 5-8 of this DPA or the Data Protection Requirements relating to the protection of Controller’s Personal Data processed under this DPA;
- Any legally binding request for disclosure of Controller’s Personal Data by a law enforcement authority, unless Processor is otherwise forbidden by law to inform Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;
- Any notice, inquiry or investigation by a Supervisory Authority with respect to Controller’s Personal Data or
- Any complaint or request (in particular, requests for access to, rectification or blocking of Controller’s Personal Data) received directly from Controller’s data subjects. Processor will not respond to any such request without Controller’s prior written authorization.
C. Processor will provide reasonable assistance to Controller regarding:
- Any requests from Controller’s data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Controller’s Personal Data that Processor processes for Controller. In the event that a data subject sends such a request directly to Processor, Processor will promptly forward the request to Controller. Such requests shall be fulfilled by Processor in accordance with documented instructions from Controller without undue delay;
- The investigation of Personal Data Breaches and the notification to the Supervisory Authority and Controller’s data subjects regarding such Personal Data Breaches;
- Where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
Processor may claim a reasonable fee for support services which are not included in the description of the services and which are not attributable to failures on the part of Processor.
D. If Processor is required by Data Protection Requirements to process any Controller’s Personal Data for a reason other than providing the services described in the DPA, Processor will inform Controller of this requirement in advance of any processing, unless Processor is legally prohibited from informing Controller of such processing (e.g. as a result of secrecy requirements that may exist under applicable EU member state laws).
E. If Processor intends to engage Sub-processors to help it satisfy its obligations under this DPA or to delegate all or part of the processing activities to such Sub-processors, Processor must (i) keep the list of Sub-processors that Processor maintains online up to date and (ii) obtain the prior written consent of Controller to such subcontracting (such consent not to be unreasonably withheld), except for the Sub-processors listed in
6. LIABILITY AND AUDITS
- Any person who has suffered material or non-material damage as a result of an infringement of Data Protection Requirements has the right to receive compensation from Controller or Processor for the damage suffered. The party responsible for the event giving rise to the damage must compensate the data subject for the damage.
- Each party to this DPA commits to indemnify the other party for damages or expenses resulting from its own culpable infringement of this DPA, including any culpable infringement committed by its legal representatives, subcontractors, employees or any other agents. Furthermore, each party commits to indemnify the other party against any claim brought by third parties due to or in connection with any culpable infringement by the respectively other party.
- If a Supervisory Authority requires an audit of the data processing facilities from which Processor processes Controller’s Personal Data to ascertain or monitor Controller’s compliance with Data Protection Requirements, Processor will cooperate with such audit. Controller is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Processor expends on any such audit, in addition to the rates for services performed by Processor.
- Upon consultation with Processor, Controller has the right to carry out inspections or to have them carried out by an auditor designated on a case-by-case basis. The auditor shall have the right to assess Processor’s compliance with this DPA in its business operations by means of random checks, which are ordinarily to be announced in advance.
Processor shall allow Controller to verify compliance with its obligations as provided by the General Data Protection Regulation. Processor undertakes to give Controller the necessary information on request and, in particular, to demonstrate the implementation of the technical and organisational measures. Processor may charge Controller a reasonable fee for enabling inspections.
7. DATA TRANSFERS
EU Personal Data will be processed and used exclusively within the territory of a member state of the European Union or the European Economic Area. Any transfer of EU Personal Data to a country outside the EU or EEA requires the prior written consent of Controller and shall only be carried out under the conditions set out in Articles 44 et seq. of the General Data Protection Regulation.
8. DATA RETURN AND DELETION
Processor shall not create copies or duplicates of Controller’s Personal Data without Controller’s knowledge and consent, except for backup copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory data retention requirements.
The parties agree that on the termination of the data processing services or upon Controller’s reasonable request, Processor shall, and shall cause any Sub-processors to, at the choice of Controller, return all the Controller’s Personal Data and copies of such data to Controller or securely destroy them and demonstrate to the satisfaction of Controller that it has taken such measures, unless Data Protection Requirements prevent Processor from returning or destroying all or part of the Controller’s Personal Data disclosed. In such case, Processor agrees to preserve the confidentiality of the Controller’s Personal Data retained by it and that it will only actively process such Controller’s Personal Data after such date in order to comply with applicable laws.
9. THIRD PARTY DATA PROCESSORS
Controller acknowledges that in the provision of some services, Processor, on receipt of instructions from Controller, may transfer Controller’s Personal Data to and otherwise interact with third-party data processors. Controller agrees that if and to the extent such transfers occur, Controller is responsible for entering into separate contractual arrangements with such third-party data processors binding them to comply with obligations in accordance with Data Protection Requirements. For the avoidance of doubt, such third-party data processors are not Sub-processors.
10. TERM
This DPA shall remain in effect as long as Processor carries out Personal Data processing operations on behalf of the Controller or until the termination of the Agreement. All Personal Data has to be returned or deleted in accordance with Section 8 above.
11. MISCELLANEOUS
This DPA shall be governed by the laws of Estonia and any action or proceedings related to this DPA (including those arising from non-contractual disputes or claims) will be brought in Harju County Court, Tallinn, Estonia.
ANNEX A
DESCRIPTION OF THE PROCESSING
1. Data Subjects. The personal data processed concerns the following categories of data subjects:
- Controller’s contacts (which may be prospects, customers or other types of contacts)
2. Purposes of the processing. The processing is carried out for the following purposes, namely to enable Controller to:
- To upload or create an email distribution list or to put together a marketing campaign using Processor’s services
- To send emails to recipients using Processor’s services
- To track who opened the emails, clicked on any of the hyperlinks included, unsubscribed from emails, failed to receive emails (bounced) and other email actions
- To measure and report the performance of email campaigns and other marketing activities and channels
- To track web visits of identified contacts
3. Categories of Data. The personal data processed concerns the following categories of data:
- Personal data from Controller’s e-mail distribution lists, CRM database and marketing campaigns to which Processor has access and which are covered by this DPA
- Personal data of Controller’s contacts received by tracking the opening of e-mails and clicking of any of the hyperlinks included
- Personal data of Controller’s contacts’ web visits and accompanying metadata including but not limited to device type, source of the visit and IP address.
4. Recipients. The personal data processed may be disclosed only to the following recipients or categories of recipients:
- Employees and other representatives of Processor, who have a legitimate business purpose for the processing of such personal data.
5. Infrastructure providers and sub-processors
The list of Processor’s infrastructure providers and sub-processors is published online by Processor.
6. Contact Information
Contact point for data protection enquiries:
Processor’s email: info@outfunnel.com