DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is an addendum to and forms part of the Agreement between Bloomreach ("Bloomreach" and "data importer") and the party identified as the Customer in the Agreement ("Customer" or "data exporter"). This DPA sets out the terms that apply to the parties when Processing Personal Data in connection with the provision of the Services.
For the avoidance of doubt, the Bloomreach Entity that is the party to the Agreement, shall be the same party entering into this DPA.
For the purposes of this DPA, capitalized terms not otherwise defined shall have the meaning given to them in the Agreement.
“Agreement” means either (i) the Master Subscription Agreement, together with applicable Appendices and Sales Orders; or (ii) any other written or electronic agreement incorporating this DPA, governing the Customer's access and use of the Services.
"Bloomreach" means the Bloomreach Entity that is a party to the Agreement.
"Bloomreach Entity" means Bloomreach, Inc., Bloomreach B.V. or any other Affiliate of Bloomreach Inc.
“Affiliate(s)” means any entity controlling, controlled by, or under common control of a Party.
“CCPA” means the California Consumer Privacy Act, California Civil Code §§1798.100 et seq., including as modified by the California Privacy Rights Act (“CPRA”) once the CPRA takes effect, together with any implementing regulations.
“Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Bloomreach under this DPA.
“Data Protection Legislation” means, as applicable to a party and its Processing of Personal Data, the data protection laws and regulations of any relevant jurisdiction, including but not limited to: (i) EU/UK Data Protection Law, (ii) the CCPA, (iii) any other United States state or federal data protection laws, and (iv) all laws implementing or supplementing the foregoing.
"EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (the "GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR") and the UK Data Protection Act 2018 (collectively referred to for these purposes as "UK Data Protection Law"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Act on Data Protection 1992 ("Swiss DPA"); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii) or (iv); in each case as may be amended or superseded from time to time.
“Personal Data” means any information that (i) is protected as "personal data", "personal information" or "personally identifiable information" under Data Protection Legislation; and (ii) is Processed by Bloomreach on behalf of Customer in the course of providing the Services, as more particularly described in Annex 1 (A) of this DPA.
"Restricted Transfer" means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where UK Data Protection Law applies, a direct or onward transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Federal Data Protection and Information Commissioner or Federal Council (as applicable).
“Sub-processor” means any third party engaged by Bloomreach to assist in fulfilling its obligations with respect to providing the Services and that Processes Personal Data as Processor.
“Services” means the services provided by Bloomreach to the Customer pursuant to and as more particularly described in the Agreement.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021.
"UK Addendum" means the International Data Transfer Addendum to the SCCs issued by the Information Commissioner's Office under S.119(A) of the UK Data Protection Act 2018, as it is revised under Section 18 therein; as may be amended or superseded from time to time.
The terms "Controller", "Processor", "Process", "Processing" and "Data Subject" shall have the same meanings given to them under the GDPR, and the terms "Business", "Service Provider," "Share," "Sell" and "Sale" have the same meanings given to them under the CCPA.
1. BLOOMREACH OBLIGATIONS
1.1 Roles. For the purposes of EU/UK Data Protection Law, Customer is the Controller, or Processor on behalf of a third-party Controller, of Personal Data and Bloomreach shall Process Personal Data as a Processor; and for the purposes of the CCPA (where applicable), Customer is the "Business" and Bloomreach is the "Service Provider".
1.2 Permitted Purposes. Bloomreach shall Process Personal Data only for the purposes described in Annex 1 or otherwise agreed between the Parties and in accordance with the Customer's documented lawful instructions ("Permitted Purposes"), except where otherwise required by law(s) that are not incompatible with applicable Data Protection Legislation. In no event will Bloomreach Process Personal Data for its own purposes or those of a third party. To the extent required by Data Protection Legislation, this Section 1.2 constitutes the certification from Bloomreach to the Processing instructions herein. Bloomreach acts on behalf of and on the instructions of the Customer in carrying out the Permitted Purposes.
1.3 Processing Instructions. The Agreement, including this DPA, along with the Customer's configuration of any settings or options in the Services, constitute Customer's complete and final instructions to Bloomreach regarding the Processing of Personal Data, including for the purposes of the Standard Contractual Clauses. Any additional or alternate instructions must be consistent with the terms of the Agreement. Bloomreach: (i) shall immediately inform the Customer if it becomes aware that Customer's Processing instructions infringe Data Protection Legislation (but without obligation to actively monitor Customer's or, where applicable its Controller's, compliance with Data Protection Legislation); and (ii) in such circumstances, Bloomreach may, without liability, temporarily cease all Processing of the affected Personal Data (other than securely storing such data) and/or suspend access to the Customer’s account. If parties do not agree on a resolution to the issue in question and the costs thereof, Customer may as its sole and exclusive remedy, terminate the Agreement (including this DPA) with respect to the affected Processing. Customer will have no further claims against Bloomreach (including, without limitation, requesting refunds for the Services) pursuant to the termination of the Agreement as described in this Section.
1.4 Processing Subject to the CCPA. To the extent the CCPA is applicable, Bloomreach will not: (a) Sell or Share any Personal Data; (b) retain, use, or disclose any Personal Data (i) for any purpose other than for the business purposes specified in the Agreement, or (ii) outside of the direct business relationship between the Customer and Bloomreach; or (c) combine Personal Data received from, or on behalf of, Customer with Personal Data received from or on behalf of any third party, or collected from Bloomreach’s own interaction with Data Subjects, except to perform any business purpose permitted by the CCPA. Bloomreach certifies that it understands the foregoing restrictions under this Section 1.4 and will comply with them. Bloomreach will comply with applicable obligations under the CCPA and provide the same level of privacy protection to Personal Data as is required by the CCPA. Bloomreach will notify Customer if it can no longer comply with its obligations under the CCPA. Customer has the right to take reasonable steps to help ensure that Bloomreach uses the Personal Data in a manner consistent with Customer’s obligations under the CCPA by exercising Customer’s audit rights in Section 2. Customer's transfer of Personal Data to Bloomreach is not a Sale and does not constitute Sharing, and Bloomreach provides no monetary or other valuable consideration to Customer in exchange for Personal Data.
1.5 Security Measures. Bloomreach shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect Personal Data from Data Breaches and to preserve security and confidentiality of Personal Data, in accordance with the measures identified in Annex 3 of this DPA ("Security Measures"). The Customer acknowledges that the Security Measures are subject to technical progress and development and accordingly, Bloomreach may update or modify the Security Measures from time to time provided that such updates and modifications do not degrade or diminish the overall security of the Services.
1.6 Access and Confidentiality. Bloomreach shall ensure that any personnel tasked with Processing the Personal Data shall be subject to appropriate obligations of confidentiality (whether a contractual or statutory duty), have received appropriate training, and that they Process Personal Data only for the Permitted Purposes.
1.7 Data Returns and Deletion. Upon termination or expiration of the Agreement, Bloomreach shall (at Customer's election) delete or return to Customer all Personal Data (including copies) in its possession or control in accordance with the Agreement. The parties agree that this requirement shall not apply to the extent Bloomreach is required by applicable law to retain some or all of the Personal Data, or to Personal Data archived on back-up systems, which Personal Data Bloomreach shall securely isolate and protect from any further Processing. Bloomreach shall delete such retained data without undue delay when technically feasible and/or allowed by the applicable law. The parties agree that the certification of deletion of Personal Data described in Clause 8.5 and 16.(d) of SCCs shall be provided by Bloomreach to Customer only upon Customer's written request.
2. AUDIT RIGHTS
2.1 Audit Reports. Upon request, Bloomreach shall supply (on a confidential basis) copies of any certifications, audit report summaries and/or other relevant documentation it holds and which Bloomreach generally makes available to its customers. In addition, Bloomreach shall respond to all reasonable requests for information made by Customer that are necessary to confirm Bloomreach's compliance with this DPA, including responses to information security, due diligence and audit questionnaires, by making additional information available regarding its security program upon Customer's written request, provided that Customer shall not exercise this right more than once per year.
2.2 Audit. Whilst it is the parties' intention to ordinarily rely on the audit measures described in Section 2.1 (above) to verify Bloomreach's compliance with this DPA (including the Standard Contractual Clauses), following a confirmed Data Breach or where a data protection authority requires it, Bloomreach shall allow the Customer (or, subject to complying with Section 2.3, a third party licensed auditor) to carry out an on-site or remote audit of Bloomreach's electronic data files, systems and documentation relating to the Processing of Personal Data, provided that: (i) Data Protection Legislation obliges Bloomreach to allow for such audit; (ii) Bloomreach is notified of the audit via a written notice at least 30 (thirty) days in advance; (iii) the audit shall be conducted at Customer's expense; (iv) the parties shall mutually agree upon the scope, timing and duration of the audit; and (v) the audit shall not take place more than once a calendar year and shall not unreasonably impact Bloomreach's regular operations.
2.3 Audit by a third party. Customer may exercise its audit rights under Section 2.2 through the engagement of an independent third party that is an external licensed auditor, provided that Customer provides Bloomreach with reasonable prior written notice and the opportunity to object in accordance with this Section 2.3. Bloomreach may object to such an auditor conducting the audit if the auditor is, in Bloomreach’s reasonable opinion, not suitably qualified or independent, a competitor of Bloomreach, or otherwise manifestly unsuitable. Any such objection will require the Customer to appoint another auditor.
3. CUSTOMER’S OBLIGATIONS
3.1 Customer’s Processing of Personal Data. Customer shall, in its use of the Services and provision of its Processing instructions, Process Personal Data in accordance with Data Protection Legislation (including where the Customer is a Processor, by ensuring the ultimate Controller does so). Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Where Customer acts as a Processor on behalf of a third party Controller (or other intermediary to the ultimate Controller), Customer warrants that its Processing instructions, including its authorizations to Bloomreach for the appointment of Sub-processor in accordance with this DPA, have been authorized by the relevant Controller. The Customer shall be solely responsible for forwarding any notifications received by Bloomreach to the relevant Controller where appropriate.
3.2 Customer’s Compliance. Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Legislation in respect of its Processing of Personal Data and any Processing instructions it issues to Bloomreach; (ii) it has provided notice and obtained (or shall obtain) all consents or any other necessary authorizations (as applicable) under Data Protection Legislation for Bloomreach to Process Personal Data for the Permitted Purposes; (iii) it has fulfilled (or shall fulfill) all registration or notification obligations to which Customer is subject under the Data Protection Legislation; and (iv) it is responsible for its own Processing of Personal Data, including the integrity, security, maintenance and appropriate protection of Personal Data that are under Customer’s control.
3.3 Technical and organizational measures. Without prejudice to Bloomreach's obligations under Section 1.4 (Security Measures), Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from the Services and taking any appropriate technical, organizational and security measures to securely encrypt or backup any Personal Data uploaded to the Services. Customer is also responsible for the use of the Services by any of its employees, any person Customer authorizes to access or use the Services, and any person who gains access to its Personal Data or the Services as a result of its failure to use reasonable security precautions, even if such use was not authorized by Customer. Customer agrees to immediately notify Bloomreach of any unauthorized use of Services or Customer’s Account or of any other breach of security involving the Services upon becoming aware.
4.1 Data Subject Rights. To the extent that Customer is unable to independently access the relevant Personal Data within the Services, Bloomreach shall (at Customer's expense), taking into account the nature of the Processing, provide reasonable assistance (including by appropriate technical and organizational measures, in so far as this is possible), to enable Customer to: (i) respond to any requests from a data subject seeking to exercise any of its rights under Data Protection Legislation (including its right of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data (collectively "Correspondence"). In the event that any Correspondence from a Data Subject is made directly to Bloomreach, it shall where the Customer is identified or identifiable from the Correspondence, promptly notify Customer (who, where Customer is a Processor, shall in turn be responsible for informing the ultimate Controller) and shall not, unless legally compelled to do so, respond directly, except that Customer authorizes Bloomreach to redirect the Data Subject as necessary to allow Customer to respond as appropriate. Any assistance provided under this Section 4.1 shall be relevant to Services that support the Processing of Personal Data, commercially reasonable and proportionate to the objective of the exercise with which Bloomreach is requested to assist.
4.2 Data Protection Impact Assessment. To the extent required by Data Protection Legislation, Bloomreach shall (taking into account the nature of the Processing and the information available to Bloomreach) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Legislation. Bloomreach shall comply with the foregoing by: (i) complying with Section 2 (Audit Rights); (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance at Customer's expense.
4.3 Data Breaches
4.3.1 Data Breach Notification. Upon becoming aware of a Data Breach, Bloomreach shall notify the Customer (who, where Customer is a Processor, shall in turn be responsible for informing the ultimate Controller(s)) without undue delay and shall provide such timely information and cooperation as Customer may reasonably require in order for Customer (or where Customer is a Processor, its Controller) to fulfill its data breach reporting obligations under Data Protection Legislation. Where, and in so far as, it is not possible to provide all the details at the same time, the information may be provided in phases, without undue delay. Bloomreach shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Data Breach and shall keep Customer informed of all developments in connection with the Data Breach. Customer agrees that Bloomreach's obligation to notify the Data Breach is not an acknowledgement by Bloomreach of any fault or liability of Bloomreach with respect to such Data Breach. If a Data Breach is caused or materially contributed to by Customer, Bloomreach will reasonably cooperate in the investigation of the Data Breach subject to Customer's obligation to compensate Bloomreach for its reasonable costs.
4.3.2 Liability for Data Breaches. Bloomreach's liability for a Data Breach toward Customer and any third party is subject to the following limitations: (a) the Data Breach is a result of a breach of Bloomreach's information security obligations under this DPA; and (b) the Data Breach is not caused by: (i) acts or omissions of Customer, or any person acting on behalf of or jointly with Customer, including any Authorized Users (collectively "Customer Representatives"); or (ii) Customer Representatives' instructions to Bloomreach.
5.1 Authorized Sub-processors. Customer provides a general authorization for Bloomreach to engage Sub-processors to Process Personal Data on Customer's behalf, including the Sub-processors listed in Annex 2 ("Sub-processor List"). An updated list of Sub-processors will always be available at https://www.bloomreach.com/en/legal/subprocessors and Bloomreach shall provide Customer with notification of new Sub-processors. The Customer will have the right to object to the addition of a new Sub-processor in accordance with Section 5.2 below. Bloomreach shall impose substantially the same data protection terms on any Sub-processor it appoints as contained in this DPA (including data transfer provisions, where applicable) and shall remain responsible for any acts or omissions of Sub-processors to the extent they cause Bloomreach to breach any of its obligations under this DPA.
5.2 Objections to Sub-processors. Bloomreach shall notify Customer if it adds or removes Sub-processors using the mechanism set out in Section 5.1 above. The Customer may object in writing to the appointment of such a new Sub-processor on reasonable grounds relating to data protection by notifying Bloomreach promptly in writing within 10 calendar days of receipt of Bloomreach's notice. Such notice shall explain the reasonable grounds for the objections. In such an event, the parties shall discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution.
6. DATA TRANSFERS
6.1 International data transfers. Personal Data that Bloomreach Processes under the Agreement may be Processed in any country in which Bloomreach and its Sub-processors maintain facilities to perform the Services, as further detailed in the Sub-processor List. Bloomreach shall not participate in (nor permit any Sub-processors to participate in) any Restricted Transfers of Personal Data unless the Restricted Transfer is made in compliance with EU/UK Data Protection Law and this DPA.
6.2 Application of Standard Contractual Clauses.
6.2.1 The Parties agree that when and to the extent the transfer of Personal Data from Customer to Bloomreach is a Restricted Transfer and EU/UK Data Protection Law requires that appropriate safeguards are put in place, such transfer shall be governed by the Standard Contractual Clauses, which shall be incorporated by reference into and form an integral part of this DPA as follows.
6.2.2 In relation to transfers of Personal Data protected by the GDPR, the SCCs will apply as follows:
6.2.2.1 where Customer is a Controller of Personal Data, Module Two (Controller to Processor Clauses) will apply and where Customer is a Processor acting on behalf of third party Controllers, Module Three (Processor to Processor Clauses) will apply;
6.2.2.2 in Clause 7 (Docking Clause), the optional docking clause will apply;
6.2.2.3 in Clause 9 (Use of Sub-processors), Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.2 of this DPA;
6.2.2.4 in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;
6.2.2.5 in Clause 17 (Governing Law), Option 1 will apply, and the SCCs will be governed by Dutch law;
6.2.2.6 in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Amsterdam, the Netherlands;
6.2.2.7 Annex I shall be deemed completed with the information set out in Annex 1 to this Agreement;
6.2.2.8 Annex II shall be deemed completed with the information set out in Annex 3 to this DPA.
6.2.3 In relation to transfers of Personal Data protected by UK Data Protection Law, the SCCs: (i) shall apply as completed in accordance with Section 6.2.2 above; and (ii) shall be deemed amended as specified by the UK Addendum attached as Annex 4 of this DPA, which shall be deemed executed by the parties and incorporated into and form an integral part of this DPA. Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
6.2.4 In relation to transfers of Personal Data protected by the Swiss DPA, the SCCs will also apply in accordance with Section 6.2.2. above, with the following modifications:
6.2.4.1 references to "Regulation (EU) 2016/679" shall be interpreted as references to the Swiss DPA;
6.2.4.2 references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss DPA;
6.2.4.3 references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to "Switzerland" or "Swiss law";
6.2.4.4 the term "member state" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
6.2.4.5 Clause 13(a) and Part C of Annex 1 are not used and the "competent supervisory authority" is the Swiss Federal Data Protection and Information Commissioner;
6.2.4.6 references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland";
6.2.4.7 in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and
6.2.4.8 Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
6.3 In the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail to the extent of such conflict.
6.4 Alternative Transfer Mechanism. If Bloomreach adopts an alternative lawful data export mechanism for the transfer of Personal Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with EU/UK Data Protection Law and extends to the territories to which the relevant Personal Data is transferred), subject to Customer’s consent, which cannot be unreasonably withheld.
7. LIMITATION OF LIABILITY
7.1 Limitation of Liability. To the maximum extent permitted by law, each party and its Affiliates' aggregate liability to the other party arising out of or in relation to this DPA (including the Standard Contractual Clauses), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability (including any agreed aggregate financial cap) set forth under the Agreement. For the avoidance of doubt, nothing in this DPA is intended to limit the rights a Data Subject may have against either Party arising out of such Party's breach of the Standard Contractual Clauses, where applicable.
8.1 Third Party Beneficiaries. Data Subjects are the sole third party beneficiaries to the Standard Contractual Clauses, and there are no other third party beneficiaries to the Agreement and this DPA. Without prejudice to the foregoing, the Agreement and the terms of this DPA apply only to the Parties and do not confer any rights to any Customer’s Affiliate, Customer’s end user or any third-party Data Subjects.
8.2 Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless and to the extent required otherwise by the Data Protection Legislation or the Standard Contractual Clauses.
8.3 Scope of this DPA. For the avoidance of doubt, the processing of information other than Personal Data for the Permitted Purposes does not fall under the scope of this DPA.
8.4 Term. This DPA will continue to be in effect for the term of the Agreement or any applicable Sales Order plus the period from expiry of the Agreement or Sales Order (as applicable) until Bloomreach ceases to process Personal Data on behalf of the Customer (the "Processing Term").
Description of the Processing
Annex 1 (A) List of Parties:
Annex 1(B) Description of Processing Bloomreach Engagement:
Other Bloomreach Services:
Annex 1(C): Competent supervisory authority
The Customer's competent supervisory authority will be determined in accordance with the GDPR, where applicable.
The list of approved sub-processors of Bloomreach is available at https://www.bloomreach.com/en/legal/subprocessors
Technical and organizational measures
The technical and organizational measures implemented by Bloomreach (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons are as follows:
This Annex 4 forms part of this DPA and applies in accordance with Section 6.2.3 of the DPA (transfers from the UK).