This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Optimize processes Personal Data falling within the scope of the GDPR on behalf of Customer in the course of providing the Optimize Services.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
1. Definitions
1.1 For the purposes of this DPA:
- (a) "Agreement" means the Terms of Service, terms and conditions or other written or electronic agreement between Optimize and Customer setting out the provisions and use of the Optimize Services.
- (b) "EEA" means the European Economic Area.
- (c) "GDPR" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- (d) "Privacy Shield" means the EU-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016.
- (e) The terms "Controller", "Processor", "Personal Data", "processing", "special categories of data" and "Data Subject" have the meanings given to them in the GDPR.
2. Applicability of DPA
2.1 Applicability. This DPA will apply from the Effective Date onwards and to the extent that Optimize processes Personal Data falling within the scope of the GDPR on behalf of Customer in the course of providing the Optimize Services.
3. Roles and Responsibilities
3.1 Roles of the Parties. As between Optimize and Customer, Customer is the Data Controller of the Personal Data that is provided to Optimize for processing under the Agreement and as described in Annex A and Optimize shall process the Personal Data as a Data Processor on behalf of Customer.
3.2 Customer Processing of Personal Data. Customer shall be responsible for:
- (a) Complying with all applicable laws relating to privacy and data protection in respect of its use of the Optimize Services, its processing of the Personal Data, and any processing instructions it issues to Optimize;
- (b) Ensuring it has the right to transfer, or provide access to, the Personal Data to Optimize for processing pursuant to the Agreement and this DPA; and
- (c) Ensuring that it shall not disclose (nor permit any data subject to disclose) any special categories of data to Optimize for processing.
3.3 Optimize's processing of Personal Data. Optimize shall process the Personal Data only for the purposes described in the Agreement and in accordance with the lawful, documented instructions of Customer (including the instructions of any users accessing the Optimize Services on Customer's behalf) as set out in the Agreement, this DPA or otherwise in writing.
4. Security
4.1 Security. Optimize shall implement appropriate technical and organisational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (a "Security Incident").
4.2 Confidentiality obligations. Optimize shall ensure that any personnel that it authorizes to process the Personal Data shall be subject to a duty of confidentiality.
4.3 Security Incidents. Upon becoming aware of a Security Incident, Optimize shall notify Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under the GDPR.
5. Sub-processing
5.1 Sub-processors. Customer agrees that Optimize may engage Optimize affiliates and third party sub-processors ("Sub-processors") to process Personal Data on Optimize's behalf provided that:
- (a) Optimize shall maintain an up to date list of Sub-processors which it shall update with details of any change in Sub-processors at least five (5) days prior to any such change and shall notify Customer in advance of such change;
- (b) Optimize imposes on such Sub-processors data protection terms that require it to protect the Personal Data to the standard required by applicable data protection laws; and
- (c) Optimize remains liable for any breach of the DPA caused by a Sub-processor.
5.2 Objection to Sub-processors. Customer may object prior to Optimize's appointment or replacement of a Sub-processor provided such objection is based on reasonable grounds relating to data protection. In such event, the parties shall cooperate in good faith to reach a resolution and if such resolution cannot be reached, then Optimize, at its discretion, will either not appoint or replace the Sub-processor or, will permit Customer to suspend or terminate the affected Optimize Service (without prejudice to any fees incurred by Customer prior to suspension or termination).
6. International Transfers
6.1 Privacy Shield. The parties acknowledge that Optimize is self-certified to the Privacy Shield framework. To the extent that Optimize processes (or causes to be processed) any Personal Data originating from the EEA in a country that has not been designated by the European Commission as providing an adequate level of data protection, such Personal Data shall be deemed to have appropriate safeguards (within the meaning of the GDPR) by virtue of Optimize having self-certified its compliance with the Privacy Shield. To the extent that Optimize processes such Personal Data outside of the EEA, it shall agree to adhere to the Privacy Shield Principles. Where the parties have previously entered into the standard contractual clauses to enable the transfer of Personal Data outside of the EEA, such clauses shall be null and void as of the date of the execution of this DPA.
7. Cooperation
7.1 Data subject rights. Optimize shall provide reasonable assistance to Customer, insofar as this is possible and at Customer's expense, to enable Customer to respond to requests from data subjects seeking to exercise their rights under the GDPR. In the event such request is made directly to Optimize, Optimize shall promptly inform Customer of the same.
7.2 Data protection impact assessments. Optimize shall, taking into account the nature of the processing and the information available to it, provide reasonable assistance needed to fulfil Customer's obligation under the GDPR to carry out data protection impact assessments and prior consultations with supervisory authorities.
7.3 Security reports and provision of information. Customer acknowledges that Optimize will be assessed against industry security frameworks or standards, including, but not limited to ISO 27001 and SOC II standards. Upon request, Optimize shall provide a summary copy of its most recent certified audit report(s) to Customer, which reports shall be subject to Optimize's confidentiality terms.
8. Return/Deletion of Data
8.1 Return or deletion of Personal Data. Upon request by Customer at the termination of the Agreement, Optimize shall delete or return to Customer the Personal Data (including copies) in Optimize's possession. This requirement shall not apply to the extent that Optimize is required by applicable law to retain some or all of the Personal Data or to Personal Data archived on backup systems.
9. Miscellaneous
9.1 Except as amended by this DPA, the Agreement will remain in full force and effect.
9.2 Any claims brought under this DPA shall be subject to the Agreement, including but not limited to the exclusions and limitations of liability set forth in the Agreement.
9.3 If there is a conflict between this DPA and the Agreement, the DPA will control.
9.4 This DPA shall only become legally binding between Customer and Optimize when the steps set out in the section "How to Execute this DPA" above have been fully completed.
9.5 This DPA shall be governed by, and construed in accordance with, the laws of Ireland and the courts of Dublin, Ireland shall have exclusive jurisdiction to hear any dispute or other issue arising out of, or in connection with, this DPA, except where otherwise required by Applicable Data Protection Law.
By virtue of acceptance of the Terms of Service, the parties' authorized signatories have duly executed this DPA.
ANNEX A - DETAILS OF THE PROCESSING
Description of Customer
Customer is the legal entity that has executed the Agreement with Optimize for the provision of Optimize's Services.
Nature of Services provided by Optimize
Optimization Toolkit provides a knowledge-based set of integrated modules designed for users to optimize various aspects of organisation performance.
Type(s) of Personal Data processed
User name, email and phone contact information. Although this is intended to be business information and not Personal Data, it is recognised that some of this data is still sensitive.
Special categories of data (if applicable)
Customer does not intentionally collect or transfer any sensitive personal data in relation to these data subjects.
Categories of Data Subjects
The personal data processed concern Optimization Toolkit users (typically employees of Customer) who interact with the platform.
Nature of Processing Operations
The personal data will be subject to the following basic processing activities:
- Personal data will be transferred from the Customer to Optimize for basic user identification within the Optimization Toolkit platform and for Customer to use such platform.