DATA PROCESSING ADDENDUM
This data processing addendum (the “Addendum”) is between Greenlight Commerce Limited, registered in England with company number 09690841, and with its registered office at The Varnish Works, 3 Bravingtons Walk, London, N1 9AJ (“Greenlight”) and the customer of Greenlight (“Customer”) which is receiving Greenlight services (“Services”). This Addendum applies to personal data that Greenlight processes on the Customer’s behalf as part of the Services provided pursuant to any agreement between the parties (the “Agreement”) or any applicable agreed statements of work entered into thereunder (“SOW”). By continuing to receive the Services, Customer agrees to the terms of this Addendum and such terms shall form part of the Agreement between the Customer and Greenlight.
In the event of a conflict between the Agreement and this Addendum, this Addendum prevails. Any terms not defined in this Addendum have the meanings given to them in the Agreement.
In this Addendum, the term “Data Privacy Laws” shall mean all applicable laws relating to data protection and privacy including (without limitation) the EU General Data Protection Regulation (2016/679) (“GDPR”), the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, the UK Data Protection Act 2018, and any amending, supplementary or replacement legislation from time to time.
In this Addendum, the terms “personal data”, “process”, “data controller”, “data processor”, “data subject”, and “personal data breach” have the meanings set out in the Data Privacy Laws.
The subject matter of the data processing under this Addendum is the Services that involve the processing of personal data on the Customer’s behalf. The duration of the processing under this Addendum is for the duration of the Agreement or the applicable SOW. The nature and purpose of the processing, the type of personal data and categories of data subjects are either as specified in Exhibit A to this Addendum or as specified in the applicable SOW.
1. The Customer’s instructions
1.1 To the extent Greenlight processes any personal data on the Customer’s behalf, Greenlight will process such personal data only on the Customer’s documented instructions, unless required to do so by applicable law. Where applicable law requires otherwise, Greenlight will inform the Customer of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
1.2 The parties agree that this Addendum, the Agreement and SOW, constitutes the Customer’s documented instructions for the processing of personal data. Additional instructions outside the aforementioned instructions will be subject to the prior written agreement between the parties, including in relation to any additional fees that the Customer is required to pay to Greenlight for carrying out such instructions.
1.3 The Customer will ensure that: (a) its instructions regarding the processing of any personal data and the provision or otherwise making available to Greenlight of any personal data, in each case will comply with all applicable laws (including Data Privacy Laws), and (b) Greenlight’s processing of any personal data in accordance with the Customer’s instructions will not cause Greenlight to be in breach of any applicable laws (including Data Privacy Laws).
1.4 The Customer acknowledges and agrees that the Customer shall be responsible for providing all necessary information and notices to data subjects in respect of the processing of any personal data pursuant to this Addendum in each case in accordance with Data Privacy Laws.
2. Greenlight’s obligations
2.1. To the extent, Greenlight processes any personal data on the Customer’s behalf, Greenlight will:
(a) ensure that its personnel whom it authorises to process such personal data have committed themselves to appropriate obligations of confidentiality;
(b) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with processing such personal data;
(c) taking into account the nature of the processing and the information available to Greenlight, subject to payment of Greenlight’s reasonable and demonstrable costs and expenses, provide reasonable and appropriate assistance to the Customer, to the extent possible, in relation to:
(i) the fulfilment by the Customer of the Customer’s obligations to respond to requests relating to the exercise of individuals’ rights under Data Privacy Laws where Greenlight processes such individuals’ personal data pursuant to this Addendum; and
(ii) the Customer’s compliance with its obligations under Data Privacy Laws relating to the security of personal data, notification of personal data breaches to the applicable supervisory authority and/or communication of personal data breaches to individuals (to whom such personal data relate), data protection impact assessments and prior consultation with supervisory authorities, in each case in relation to any personal data Greenlight processes pursuant to this Addendum;
(d) notify the Customer without undue delay after becoming aware of a personal data breach affecting such personal data;
(e) at the written request of the Customer, delete or return such personal data to the Customer after the end of the provision of the Services, and delete existing copies unless applicable law requires storage of any such personal data;
(f) not process or transfer any personal data outside the European Economic Area nor process or transfer any personal data in or to a country in respect of which a valid adequacy decision has not been issued by the European Commission, without providing for appropriate safeguards in accordance with applicable Data Privacy Laws. Such appropriate safeguards shall include, without limitation, Greenlight and Customer or Greenlight and its Sub-processor (as defined in clause 3.1 below), as appropriate, entering into the EU Standard Contractual Clauses; or, if the processing is to take place in the USA, only transferring personal data to entities which certify and maintain certification to the United States Department of Commerce that it complies with the Privacy Shield principles and supplemental principles located at https://www.privacyshield.gov/EU-US-Framework, as may be amended from time to time; and
(g) make available to the Customer all information necessary to demonstrate compliance with the obligations in this Addendum.
3.1 Notwithstanding any other provisions of the Agreement, Greenlight will not, without the Customer’s prior written consent, engage any third party to process any personal data under this Addendum (a “Sub-processor”) other than those set out in the Agreement or in any SOWs or other than those sub-processors in the list accessible via (in respect of which Sub-processors, the Customer hereby gives its consent) (“Approved Sub-Processors”).
3.2 Greenlight will inform the Customer of any intended changes concerning the replacement of any permitted Sub-processor, and give the Customer the opportunity to object to such changes.
3.3 Other than the Approved Sub-Processors (each of which provide services and process personal data subject to the terms of the relevant Sub-processor’s data processing agreement (“Data Processing Terms”) which such Data Processing Terms shall apply in place of the terms of this Addendum as between Greenlight and Customer to the extent of any conflict between the Data Processing Terms and this Addendum), any Sub-processor Greenlight engages will be subject to materially equivalent terms regarding data protection as are imposed on Greenlight pursuant to this Addendum.
3.4 Where any Sub-processor fails to fulfil its obligations regarding data protection, Greenlight will remain liable for the performance of the Sub-processor’s obligations, subject to the exclusions and limitations of liability under the Agreement, the applicable SOW or the relevant Data Processing Terms.
4. Audit and inspections
4.1 Subject to clause 2 of this Addendum, Greenlight will allow for and contribute to audits (including inspections) conducted by the Customer or another auditor mandated by the Customer.
4.2 Any audit conducted pursuant to clause 1 of this Addendum is subject to the following conditions:
(a) the Customer will provide reasonable advance notice of any audit;
(b) any audit may only be conducted during Greenlight’s normal business hours;
(c) any audit must be conducted so as to cause minimal disruption to Greenlight’s normal business operations;
(d) any auditor will enter into direct confidentiality obligations with Greenlight which are reasonably acceptable to Greenlight;
(e) any audit will be limited only to Greenlight’s data processing activities as part of its Services as a data processor to Customer, and to such information as is reasonably necessary for Customer to assess Greenlight’s compliance with the terms of this Addendum;
(f) as part of any audit, Customer (or its auditor) will not have access to Greenlight’s Confidential Information; and
(g) Customer will reimburse Greenlight’s reasonable costs and expenses associated with any audit.
CATEGORIES OF PERSONAL DATA
The following types and categories of Personal Data will be processed by Greenlight:
Data Subjects: Customer’s End Users
Data Categories: Personal details including:
- Name and contact information
- Online identifiers, including cookie IDs, IP address and device identifiers.
- User activity details and user preferences.
- Browser history details.
- Location details.
- Information collected through cookies.
- Contractual details including the goods and services provided.
- Personal data collected by Sub-Processors, as listed in the relevant Sub-Processor’s Data Processing Terms
The purpose of the processing is to provide development and support Services to the Customer and includes development and support of software.