DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) is an addendum to and forms part of the Agreement between Bloomreach ("Bloomreach" and "data importer") and the party identified as the Customer in the Agreement ("Customer" or "data exporter"). This DPA sets out the terms that apply to the parties when Processing Personal Data in connection with the provision of the Services.
For the avoidance of doubt, the Bloomreach Entity that is the party to the Agreement, shall be the same party entering into this DPA.
For the purposes of this DPA, capitalized terms not otherwise defined shall have the meaning given to them in the Agreement.
“Agreement” means either (i) the Master Subscription Agreement, together with applicable Appendices and Sales Orders; or (ii) any other written or electronic agreement incorporating this DPA, governing the Customer's access and use of the Services.
"Bloomreach" means the Bloomreach Entity that is a party to the Agreement.
"Bloomreach Entity" means Bloomreach, Inc., Bloomreach B.V. or any other Affiliate of Bloomreach Inc.
“Affiliate(s)” means any entity controlling, controlled by, or under common control of a Party.
“CCPA” means the California Consumer Privacy Act, California Civil Code §§1798.100 et seq., including any amendments and implementing regulations that become effective on or after the effective date of this DPA.
“Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Bloomreach under this DPA.
“Data Protection Legislation” means, as applicable to a party and its Processing of Personal Data: (i) the CCPA and any national data protection laws made under the CCPA, and (ii) EU/UK Data Protection Law.
"EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (the "GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Act on Data Protection 1992 ("Swiss DPA"); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii) or (iv); in each case as may be amended or superseded from time to time.
“Personal Data” means any information that (i) is protected as "personal data", "personal information" or "personally identifiable information" under Data Protection Legislation; and (ii) is Processed by Bloomreach on behalf of Customer in the course of providing the Services, as more particularly described in Annex 1 (A) of this DPA.
"Restricted Transfer" means: (i) where the GDPR applies, a transfer of Personal Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Federal Data Protection and Information Commissioner or Federal Council (as applicable).
“Sub-processor” means any third party engaged by Bloomreach to assist in fulfilling its obligations with respect to providing the Services and that Processes Personal Data as Processor.
“Services” means the services provided by Bloomreach to the Customer pursuant to and as more particularly described in the Agreement.
"Standard Contractual Clauses" means: (i) the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 (the "EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs"), as applicable in accordance with Section 6 (Data Transfers).
The terms "Controller", "Processor", "Process", "Processing" and "Data Subject" shall have the same meanings given to them under the GDPR, and the terms "business", "service provider" and "sale" shall have the same meanings given to them under the CCPA.
1.1 Roles. For the purposes of EU/UK Data Protection Law, Customer is the Controller or Processor of Personal Data and Bloomreach shall Process Personal Data as a Processor; and for the purposes of the CCPA (where applicable), Customer is the "business" and Bloomreach is the "service provider".
1.2 Permitted Purposes. Bloomreach shall Process Personal Data only for the purposes described in Annex 1 or otherwise agreed between the Parties and in accordance with the Customer's documented lawful instructions ("Permitted Purposes"), except where otherwise required by law(s) that are not incompatible with applicable Data Protection Legislation. In no event will Bloomreach Process Personal Data for its own purposes or those of a third party. In particular and to the extent the CCPA is applicable, Customer's transfer of Personal Data to Bloomreach is not a sale, and Bloomreach provides no monetary or other valuable consideration to Customer in exchange for Personal Data. To the extent required by Data Protection Legislation, this Section 1.2 constitutes the certification from Bloomreach to the Processing instructions herein. Bloomreach acts on behalf of and on the instructions of the Customer in carrying out the Permitted Purposes.
1.3 Processing Instructions. The Agreement, including this DPA, along with the Customer's configuration of any settings or options in the Services, constitute Customer's complete and final instructions to Bloomreach regarding the Processing of Personal Data, including for the purposes of the Standard Contractual Clauses. Any additional or alternate instructions must be consistent with the terms of the Agreement. Bloomreach: (i) shall immediately inform the Customer if it becomes aware that Customer's Processing instructions infringe Data Protection Legislation (but without obligation to actively monitor Customer's or, where applicable, its Controller's compliance with Data Protection Legislation); and (ii) in such circumstances, may, without liability, temporarily cease all Processing of the affected Personal Data (other than securely storing such data) and/or suspend access to the Customer’s account. If the parties do not agree on a resolution to the issue in question and the costs thereof, Customer may, as its sole and exclusive remedy, terminate the Agreement (including this DPA) with respect to the affected Processing. Customer will have no further claims against Bloomreach (including, without limitation, requesting refunds for the Services) pursuant to the termination of the Agreement as described in this Section.
1.4 Security Measures. Bloomreach shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect Personal Data from Data Breaches and to preserve security and confidentiality of Personal Data, in accordance with the measures identified in Annex 3 of this DPA ("Security Measures"). The Customer acknowledges that the Security Measures are subject to technical progress and development and accordingly, Bloomreach may update or modify the Security Measures from time to time provided that such updates and modifications do not degrade or diminish the overall security of the Services.
1.5 Access and Confidentiality. Bloomreach shall ensure that any personnel tasked with Processing the Personal Data shall be subject to appropriate obligations of confidentiality (whether a contractual or statutory duty), have received appropriate training, and Process Personal Data only for the Permitted Purposes.
1.6 Data Returns and Deletion. Upon termination or expiration of the Agreement, Bloomreach shall (at Customer's election) delete or return to Customer all Personal Data (including copies) in its possession or control in accordance with the Agreement. The parties agree that this requirement shall not apply to the extent Bloomreach is required by applicable law to retain some or all of the Personal Data, or to Personal Data archived on back-up systems, which Personal Data Bloomreach shall securely isolate and protect from any further Processing. Bloomreach shall delete such retained data without undue delay when technically feasible and/or allowed by the applicable law. The parties agree that the certification of deletion of Personal Data described in Clauses 8.5 and 16(d) of the EU SCCs shall be provided by Bloomreach to Customer only upon Customer's written request.
2. AUDIT RIGHTS
2.1 Audit Reports. Upon request, Bloomreach shall supply (on a confidential basis) copies of any certifications, audit report summaries and/or other relevant documentation it holds and which Bloomreach generally makes available to its customers. In addition, Bloomreach shall respond to all reasonable requests for information made by Customer that are necessary to confirm Bloomreach's compliance with this DPA, including responses to information security, due diligence and audit questionnaires, by making additional information available regarding its security program upon Customer's written request, provided that Customer shall not exercise this right more than once per year.
2.2 Audit. Whilst it is the parties' intention to ordinarily rely on the audit measures described in Section 2.1 (above) to verify Bloomreach's compliance with this DPA (including the Standard Contractual Clauses), following a confirmed Data Breach or where a data protection authority requires it, Bloomreach shall allow the Customer (or, subject to complying with Section 2.3, a third party licensed auditor) to carry out an on-site or remote audit of Bloomreach's electronic data files, systems and documentation relating to the Processing of Personal Data, provided that: (i) Data Protection Legislation obliges Bloomreach to allow for such audit; (ii) Bloomreach is notified of the audit via a written notice at least 30 (thirty) days in advance; (iii) the audit shall be conducted at Customer's expense; (iv) the parties shall mutually agree upon the scope, timing and duration of the audit; and (v) the audit shall not take place more than once a calendar year and shall not unreasonably impact Bloomreach's regular operations.
2.3 Audit by a third party. Customer may exercise its audit rights under Section 2.2 through the engagement of an independent third party that is an external licensed auditor, provided that Customer provides Bloomreach with reasonable prior written notice and the opportunity to object in accordance with this Section 2.3. Bloomreach may object to such an auditor conducting the audit if the auditor is, in Bloomreach’s reasonable opinion, not suitably qualified or independent, a competitor of Bloomreach, or otherwise manifestly unsuitable. Any such objection will require the Customer to appoint another auditor.
3. CUSTOMER’S OBLIGATIONS
3.1 Customer’s Processing of Personal Data. Customer shall, in its use of the Services and provision of its Processing instructions, Process Personal Data in accordance with Data Protection Legislation (including, where the Customer is a Processor, by ensuring the ultimate Controller does so). Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Where Customer acts as a Processor on behalf of a third party Controller (or other intermediary to the ultimate Controller), Customer warrants that its Processing instructions, including its authorizations to Bloomreach for the appointment of Sub-processors in accordance with this DPA, have been authorized by the relevant Controller. The Customer shall be solely responsible for forwarding any notifications received from Bloomreach to the relevant Controller where appropriate.
3.2 Customer’s Compliance. Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Legislation in respect of its Processing of Personal Data and any Processing instructions it issues to Bloomreach; (ii) it has provided notice and obtained (or shall obtain) all consents or any other necessary authorizations (as applicable) under Data Protection Legislation for Bloomreach to Process Personal Data for the Permitted Purposes; (iii) it has fulfilled (or shall fulfill) all registration or notification obligations to which Customer is subject under the Data Protection Legislation; and (iv) it is responsible for its own Processing of Personal Data, including the integrity, security, maintenance and appropriate protection of Personal Data that is under Customer’s control.
3.3 Technical and organizational measures. Without prejudice to Bloomreach's obligations under Section 1.4 (Security Measures), Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit to and from the Services and taking any appropriate technical, organizational and security measures to securely encrypt or back up any Personal Data uploaded to the Services. Customer is also responsible for the use of the Services by any of its employees, any person Customer authorizes to access or use the Services, and any person who gains access to its Personal Data or the Services as a result of its failure to use reasonable security precautions, even if such use was not authorized by Customer. Customer agrees to immediately notify Bloomreach of any unauthorized use of the Services or Customer’s Account, or of any other breach of security involving the Services, upon becoming aware.
4.1 Data Subject Rights. To the extent that Customer is unable to independently access the relevant Personal Data within the Services, Bloomreach shall (at Customer's expense), taking into account the nature of the Processing, provide reasonable assistance (including by appropriate technical and organizational measures, in so far as this is possible), to enable Customer to: (i) respond to any requests from a data subject seeking to exercise any of its rights under Data Protection Legislation (including its right of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data (collectively "Correspondence"). In the event that any Correspondence from a Data Subject is made directly to Bloomreach, it shall where the Customer is identified or identifiable from the Correspondence, promptly notify Customer (who, where Customer is a Processor, shall in turn be responsible for informing the ultimate Controller) and shall not, unless legally compelled to do so, respond directly, except that Customer authorizes Bloomreach to redirect the Data Subject as necessary to allow Customer to respond as appropriate. Any assistance provided under this Section 4.1 shall be relevant to Services that support the Processing of Personal Data, commercially reasonable and proportionate to the objective of the exercise with which Bloomreach is requested to assist.
4.2 Data Protection Impact Assessment. To the extent required by Data Protection Legislation, Bloomreach shall (taking into account the nature of the Processing and the information available to Bloomreach) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Legislation. Bloomreach shall comply with the foregoing by: (i) complying with Section 2 (Audit Rights); (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance at Customer's expense.
4.3 Data Breaches
4.3.2 Liability for Data Breaches. Bloomreach's liability for a Data Breach toward Customer and any third party is subject to the following limitations: (a) the Data Breach is a result of a breach of Bloomreach's information security obligations under this DPA; and (b) the Data Breach is not caused by: (i) acts or omissions of Customer, or any person acting on behalf of or jointly with Customer, including any Authorized Users (collectively "Customer Representatives"); or (ii) Customer Representatives' instructions to Bloomreach.
5.1 Authorized Sub-processors. Customer provides a general authorization for Bloomreach to engage Sub-processors to Process Personal Data on Customer's behalf, including the Sub-processors listed in Annex 2 ("Sub-processor List"). An updated list of Sub-processors will always be available at https://www.bloomreach.com/en/legal/subprocessors and Bloomreach will be considered to have provided notification to Customer of the addition of a new Sub-processor by publishing the Sub-processor's name at the said link. Customer may also opt to receive notifications of new Sub-processors by emailing [email protected] with the subject "Subscribe"; if a Customer contact subscribes, Bloomreach shall provide the subscriber with notification of new Sub-processors. The Customer will have the right to object to the addition of a new Sub-processor in accordance with Section 5.2 below. Bloomreach shall impose substantially the same data protection terms on any Sub-processor it appoints as are contained in this DPA (including data transfer provisions, where applicable) and shall remain responsible for any acts or omissions of Sub-processors to the extent they cause Bloomreach to breach any of its obligations under this DPA.
5.2 Objections to Sub-processors. Bloomreach shall notify Customer if it adds or removes Sub-processors using the mechanism set out in Section 5.1 above. The Customer may object in writing to the appointment of such a new Sub-processor on reasonable grounds relating to data protection by notifying Bloomreach promptly in writing within 10 calendar days of receipt of Bloomreach's notice. Such notice shall explain the reasonable grounds for the objection. In such an event, the parties shall discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution.
6. DATA TRANSFERS
6.1 International data transfers. Personal Data that Bloomreach Processes under the Agreement may be Processed in any country in which Bloomreach and its Sub-processors maintain facilities to perform the Services, as further detailed in the Sub-processor List. Bloomreach shall not participate in (nor permit any Sub-processors to participate in) any Restricted Transfers of Personal Data unless the Restricted Transfer is made in compliance with EU/UK Data Protection Law and this DPA.
6.2 Application of Standard Contractual Clauses.
6.2.2 In relation to transfers of Personal Data protected by the GDPR, the EU SCCs will apply with the following modifications:
(i) in Clause 7 (Docking Clause), the optional docking clause will apply;
(ii) in Clause 9 (Use of Sub-processors), Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Clause 5.2 of this DPA;
(iii) in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;
(iv) in Clause 17 (Governing Law), Option 1 will apply, and the EU SCCs will be governed by Dutch law;
(v) in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Amsterdam, the Netherlands;
(vi) Annex I shall be deemed completed with the information set out in Annex 1 to this Agreement;
(vii) Annex II shall be deemed completed with the information set out in Annex 3 to this DPA.
(i) references to specific Articles of "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the UK GDPR or the Swiss DPA (as applicable);
(ii) references to "EU", "Union", "Member State" and "Member State law" shall be replaced with references to the "UK" or "Switzerland", or "UK law" or "Swiss law" (as applicable);
(iii) the term "member state" shall not be interpreted in such a way as to exclude data subjects in the UK or Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., the UK or Switzerland);
(iv) Clause 13(a) and Part C of Annex 1 are not used and the "competent supervisory authority" is the United Kingdom Information Commissioner or the Swiss Federal Data Protection and Information Commissioner (as applicable);
(v) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Information Commissioner" and the "courts of England and Wales" or the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland" (as applicable);
(vi) in Clause 17, the Standard Contractual Clauses shall be governed by the laws of England and Wales or Switzerland (as applicable); and
(vii) with respect to transfers to which the UK GDPR applies, Clause 18 shall be amended to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring a legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts", and with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
6.4 Alternative Transfer Mechanism. If Bloomreach adopts an alternative lawful data export mechanism for the transfer of Personal Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with EU/UK Data Protection Law and extends to the territories to which the relevant Personal Data is transferred), subject to Customer’s consent, which cannot be unreasonably withheld.
7. LIMITATION OF LIABILITY
7.1 Limitation of Liability. To the maximum extent permitted by law, each party and its Affiliates' aggregate liability to the other party arising out of or in relation to this DPA (including the Standard Contractual Clauses), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability (including any agreed aggregate financial cap) set forth under the Agreement. For the avoidance of doubt, nothing in this DPA is intended to limit the rights a Data Subject may have against either Party arising out of such Party's breach of the Standard Contractual Clauses, where applicable.
8.1 Third Party Beneficiaries. Data Subjects are the sole third party beneficiaries to the Standard Contractual Clauses, and there are no other third party beneficiaries to the Agreement and this DPA. Without prejudice to the foregoing, the Agreement and the terms of this DPA apply only to the Parties and do not confer any rights to any Customer’s Affiliate, Customer’s end user or any third-party Data Subjects.
8.2 Governing Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless and to the extent required otherwise by the Data Protection Legislation or the Standard Contractual Clauses.
8.3 Scope of this DPA. For the avoidance of doubt, the processing of information other than Personal Data for the Permitted Purposes does not fall under the scope of this DPA.
8.4 Term. This DPA will continue to be in effect for the term of the Agreement or any applicable Sales Order plus the period from expiry of the Agreement or Sales Order (as applicable) until Bloomreach ceases to process Personal Data on behalf of the Customer (the "Processing Term").
Description of the Processing
Annex 1 (A) List of Parties:
Annex 1(B) Description of Processing Bloomreach Engagement:
Other Bloomreach Services:
Annex 1(C): Competent supervisory authority
The Customer's competent supervisory authority will be determined in accordance with the GDPR, where applicable.
Annex 2: Approved Sub-processors
The list of approved sub-processors of Bloomreach is available at https://www.bloomreach.com/en/legal/subprocessors
Annex 3: Technical and organizational measures
The technical and organizational measures implemented by Bloomreach (including any relevant certifications) to ensure an appropriate level of security taking into account the nature, scope, context and purposes of the processing, and the risks for the rights and freedoms of natural persons are as follows: