Data Processing Agreement (DPA)
1. Definitions
1.1 “Agreement”: The contract between the Controller and the Processor, including this DPA, under which the Processor provides services to the Controller as defined in the Terms of Service.
1.2 “Applicable Laws”: All data protection and privacy laws applicable to the processing of Personal Data, including the GDPR, the California Consumer Privacy Act (CCPA), and other relevant legislation.
1.3 “Controller”: The entity that determines the purposes and means of the processing of Personal Data.
1.4 “Data Subject”: An identified or identifiable natural person to whom the Personal Data relates.
1.5 “Personal Data”: Any information relating to an identified or identifiable natural person (“data subject”), such as names, contact details, online identifiers, and any other information that can directly or indirectly identify an individual.
1.6 “Personal Data Breach”: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
1.7 “Processing”: Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.8 “Processor”: The entity that processes Personal Data on behalf of the Controller.
1.9 “Sub-Processor”: Any third party engaged by the Processor or its sub-contractors who agrees to receive, from the Processor or from any other Sub-Processor of the Processor, Personal Data exclusively intended for processing activities to be carried out on behalf of the Controller in accordance with its instructions, the terms of the DPA, and the terms of the sub-contract.
1.10 “Supervisory Authority”: An independent public authority established by a Member State of the European Union or other jurisdiction as defined in applicable data protection laws.
1.11 “Technical and Organizational Measures”: Measures implemented by the Processor to ensure a level of security appropriate to the risk, including but not limited to encryption, access controls, and regular security assessments.
1.12 “Third Country”: A country that is not a member of the European Economic Area (EEA).
2. Subject Matter and Duration
2.1 Subject Matter: This DPA sets out the terms and conditions under which the Processor will process Personal Data on behalf of the Controller as specified in the Terms of Service.
2.2 Duration: The processing shall commence on the effective date of the Terms of Service and shall continue until the Terms of Service expire or are terminated, and Personal Data is either returned or securely deleted as stipulated herein.
3. Processing of Personal Data
3.1 Purpose of Processing: The Processor shall process Personal Data solely as necessary to provide the services defined in the Terms of Service. This includes activities such as consent management, cookie tracking, tracking and managing data subject requests, policy management, and other support and operational services.
3.2 Nature of Processing: The nature of the processing includes all actions necessary to fulfill the services provided, such as the collection, storage, analysis, and reporting of data. The Processor will not process Personal Data for any other purpose without the Controller’s prior written consent.
3.3 Categories of Data Subjects: The categories of data subjects include, but are not limited to, individuals who interact with the Controller’s services, including customers, website visitors, employees, and other end-users.
3.4 Types of Personal Data: Types of Personal Data processed may include, but are not limited to:
- Identifiers (e.g., name, email address)
- Professional information (e.g., job title, employer)
- Financial information (e.g., billing information, payment details)
- Consent preferences (e.g., type of banner, site on which the consent was given, region, applicable regulation)
4. Controller Responsibilities
4.1 Legal Basis: The Controller warrants that it has obtained all necessary consents or has another lawful basis for the collection and processing of Personal Data, and that such processing complies with applicable data protection laws.
4.2 Instructions: The Controller shall provide clear, lawful, and documented instructions to the Processor, specifying the nature and scope of the data processing required.
4.3 Data Subject Rights: The Controller shall be responsible for ensuring that data subjects’ rights, such as access, rectification, deletion, and objection, are upheld and responded to appropriately. The Controller shall provide instructions to the Processor for assisting with these requests.
5. Processor Responsibilities
5.1 Compliance with Laws: The Processor shall comply with applicable data protection laws, including those governing the transfer of Personal Data to third countries, if applicable.
5.2 Confidentiality: The Processor shall ensure that any person it authorizes to process Personal Data has agreed to maintain the confidentiality of such data.
5.3 Security Measures: The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures shall include, but are not limited to:
- Encryption of data in transit and at rest.
- Access controls to ensure that only authorized personnel can access Personal Data.
- Regular security assessments and audits to ensure ongoing protection.
5.4 Sub-Processing: The Processor may engage sub-processors, provided that it:
- Notifies the Controller of any intended changes concerning the addition or replacement of sub-processors.
- Ensures that the sub-processor is bound by contractual terms that are no less protective than those provided in this DPA.
5.5 Assistance with Data Subject Rights: The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests. This includes, where applicable, providing mechanisms for data subjects to access, rectify, or delete their data.
5.6 Data Breach Notification: In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay, providing sufficient information to allow the Controller to meet any obligations to report or inform data subjects or supervisory authorities of the Personal Data Breach.
6. Data Transfers
6.1 Transfers to Third Countries: The Processor shall not transfer Personal Data to a third country or international organization without the prior written authorization of the Controller. Any such transfers shall be conducted in compliance with applicable data protection laws, including the implementation of appropriate safeguards.
6.2 Standard Contractual Clauses: Where required, the Parties shall enter into standard contractual clauses approved by the European Commission to ensure an adequate level of protection for Personal Data transferred outside the EEA.
7. Data Subject Rights
7.1 Access and Rectification: Data subjects have the right to request access to and rectification of their Personal Data. The Processor shall assist the Controller in providing data subjects with access to their Personal Data and correcting any inaccuracies.
7.2 Erasure and Restriction: Data subjects have the right to request the erasure of their Personal Data or the restriction of its processing. The Processor shall assist the Controller in fulfilling these requests, provided that such actions comply with applicable laws.
7.3 Data Portability: Data subjects have the right to receive their Personal Data in a structured, commonly used, and machine-readable format. The Processor shall assist the Controller in providing such data to the data subject or to another data controller upon the data subject’s request.
7.4 Objection to Processing: Data subjects have the right to object to the processing of their Personal Data. The Processor shall assist the Controller in addressing any objections raised by data subjects, as required by applicable laws.
8. Sub-Processing
8.1 Authorization of Sub-Processors: The Controller generally authorizes the use of sub-processors by the Processor. The Processor shall provide a list of sub-processors upon the Controller’s request and shall update the list with any changes.
8.2 Objection to Sub-Processors: The Controller may object to the use of a new sub-processor within 30 days of notification, provided that the objection is based on reasonable grounds relating to data protection. In such cases, the Processor will either not engage the sub-processor or will discuss alternative arrangements with the Controller.
9. Data Breach Management
9.1 Incident Management: The Processor shall maintain a process for managing data breaches, including detection, containment, investigation, and notification procedures.
9.2 Breach Notification: In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The notification shall include, at a minimum:
- A description of the nature of the breach, including the categories and approximate number of data subjects and Personal Data records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects.
10. Audit and Compliance
10.1 Audit Rights: The Controller shall have the right to conduct audits or inspections of the Processor’s processing activities to ensure compliance with this DPA and applicable laws. The Controller may exercise this right at least once per year, with reasonable prior notice, and during normal business hours.
10.2 Cooperation and Assistance: The Processor shall provide all necessary cooperation and assistance to facilitate the Controller’s audit rights, including access to relevant documentation, systems, and personnel.
10.3 Cost of Audits: The Controller shall bear the costs of any audits or inspections. However, if the audit reveals material non-compliance with this DPA, the Processor shall bear the costs of the audit.
11. Termination and Consequences
11.1 Termination: This DPA shall terminate automatically upon the termination or expiration of the Terms of Service, or upon the completion of the data processing activities.
11.2 Consequences of Termination: Upon termination of the DPA, the Processor shall, at the choice of the Controller, delete or return all Personal Data processed on behalf of the Controller and delete existing copies unless storage is required by applicable law. The Processor shall certify the deletion or return of the data upon the Controller’s request.
12. Liability
12.1 Liability of the Processor: The Processor shall be liable for any direct damages arising from a breach of this DPA caused by its actions or omissions, subject to the limitations and exclusions of liability set forth in the Terms of Service. Under no circumstances shall the Processor be liable for indirect, incidental, special, punitive, or consequential damages, including but not limited to loss of profits, loss of business, or loss of data, whether in contract, tort, or otherwise, even if the Processor has been advised of the possibility of such damages or such damages could reasonably have been foreseen.
12.2 Liability of the Controller: The Controller shall be liable for ensuring that Personal Data is processed in accordance with applicable laws, and for any claims, actions, or damages arising from the Controller’s instructions to the Processor, including but not limited to the legality and appropriateness of the Personal Data processing.
12.3 Limitation of Liability: Notwithstanding anything to the contrary, the total aggregate liability of the Processor under this DPA shall not exceed the total fees paid or payable to the Processor under the Terms of Service during the twelve (12) months immediately preceding the date on which the claim arose. This limitation applies regardless of the form or source of the claim or loss, whether arising from breach of contract, tort (including negligence), or otherwise.
12.4 Indemnification: The Controller agrees to indemnify, defend, and hold harmless the Processor and its affiliates, officers, directors, employees, agents, and contractors from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable legal fees) arising out of or in connection with any breach of this DPA by the Controller, including but not limited to any failure to obtain necessary consents from data subjects.
12.5 Force Majeure: Neither Party shall be liable for any failure or delay in the performance of its obligations under this DPA if such failure or delay is caused by events beyond the reasonable control of the affected Party, including but not limited to acts of God, war, terrorism, strikes, lockouts, industrial disputes, government orders or restrictions, failure of suppliers or sub-contractors, or any other event of force majeure.
13. Miscellaneous
13.1 Amendments: This DPA may be amended only by a written agreement signed by authorized representatives of both Parties.
13.2 Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
13.3 Governing Law: This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States of America, without regard to its conflict of laws principles.
13.4 Jurisdiction: The Parties agree to submit to the exclusive jurisdiction of the courts of the State of Delaware for the resolution of any disputes arising under this DPA.
13.5 Entire Agreement: This DPA, together with the Terms of Service and any other documents incorporated by reference, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior negotiations, agreements, and understandings, whether written or oral.
13.6 Counterparts: This DPA may be executed in counterparts, each of which shall be deemed an original, but all of which together shall constitute one and the same instrument.