Pico Privacy Data Protection Addendum
This Data Processing Addendum (“DPA”) supplements and forms part of the Terms of Service (“Terms”) between Pico Privacy, LLC (“Pico Privacy”) and the Customer (“Customer”) executing the Terms, to reflect the parties’ agreement with regard to Pico Privacy’s Processing of Personal Data on behalf of Customer.
The capitalized terms used in this DPA shall have the meanings set forth in this DPA. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms. Reference to the Terms in this DPA includes any Order Form subject to the Terms (including any such Order Form entered into in the future). Except as modified below, the Terms shall remain in full force and effect. This DPA shall be effective for the duration of the Terms (or longer to the extent required by applicable law).
For the avoidance of doubt, acceptance of the Terms and of this DPA shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses incorporated herein, including their Appendices.
1. Definitions.
1.1. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.2. “Data Protection Laws” means all applicable data protection and data privacy laws and regulations, including but not limited to the EU General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the California Consumer Privacy Act (CCPA).
1.3. “Data Subject” means the identified or identifiable person or household to whom Personal Data relates.
1.4. “Personal Data” shall have the meaning ascribed to “personally identifiable information,” “personal information,” “personal data,” or equivalent terms as such terms are defined under the Data Protection Laws, in each case that is Customer Data.
1.5. “Personal Data Incident” shall have the meaning assigned by Data Protection Laws to the terms “security incident,” “security breach” or “personal data breach” and shall include any situation in which Pico Privacy becomes aware that Personal Data, which is transmitted, stored or otherwise Processed by Pico Privacy or its Sub-processors, has been or is likely to have been accessed, disclosed, altered, lost, destroyed or used by unauthorized persons, in an unauthorized manner.
1.6. “Processing” means any operation or set of operations that is performed on Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.7. “Processor” means the entity that Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
1.8. “Sub-processor” means any Processor engaged by Pico Privacy.
2. Obligations.
2.1. Roles of the Parties. The parties acknowledge and agree that regarding the Processing of Personal Data under the Terms, Customer is the Controller, Pico Privacy is the Processor and Pico Privacy will engage Sub-processors pursuant to Section 3 below.
2.2. Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of Pico Privacy as Processor. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under Data Protection Laws. Customer acknowledges that in no event will the Services constitute legal advice from Pico Privacy and that, as between Customer and Pico Privacy, Customer bears all liability for its implementation and use of the Services, except as otherwise provided in this DPA or the Terms.
2.3. Pico Privacy’s Processing of Personal Data. Pico Privacy shall treat Personal Data as confidential and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions unless Processing is required by Data Protection Laws. Customer instructs Pico Privacy (and authorizes Pico Privacy to instruct each Sub-processor) to Process Personal Data for the following purposes: (i) Processing in accordance with the Terms; (ii) Processing initiated by Customer’s users in their use of the Services; or (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g. via email) where such instructions are consistent with the terms of the Terms.
2.4. Details of the Processing. The subject matter of Processing of Personal Data by Pico Privacy is the performance of the Services pursuant to the Terms. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data Processed and the categories of Data Subjects for whom Personal Data is Processed are set forth in Schedule 1.
2.5. Confidentiality. Pico Privacy shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements.
2.6. Security Controls. Pico Privacy shall implement appropriate technical and organizational measures to maintain the security, confidentiality, and integrity of Personal Data, including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data.
2.7. Data Subject Requests. Pico Privacy shall, to the extent legally permitted, promptly notify Customer of any requests from Data Subjects seeking to exercise their rights under Data Protection Laws and, taking into account the nature of the Processing, assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, to support Customer’s obligation to respond to such requests. To the extent that Personal Data is not accessible to Customer in its use of the Services, Pico Privacy shall, where legally permitted and upon Customer’s request, use commercially reasonable efforts to assist Customer in responding to such requests if responses to such requests are required by Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Pico Privacy’s provision of such assistance.
2.8. Data Protection Impact Assessment. Pico Privacy shall, upon Customer’s written request and taking into account the nature of Processing and the information available to Pico Privacy, provide reasonable assistance to Customer in connection with Customer’s obligations under Articles 35 (data protection impact assessment) and 36 (prior consultation) of the GDPR or equivalent provisions under Data Protection Laws.
2.9. Return or Deletion of Personal Data. Pico Privacy shall, upon Customer’s written request, promptly destroy or return any Personal Data after the end of the provision of Services, unless storage of the Personal Data is required by applicable law.
2.10. Data Processor Point of Contact. If Customer has any questions related to Processing of Personal Data by Pico Privacy, Customer may send such questions to the following email: privacy@picoprivacy.com.
3. Sub-Processors.
3.1. Appointment of Sub-processors. Customer acknowledges and agrees that Pico Privacy may engage Sub-processors in connection with provision of the Services. Pico Privacy shall enter into a written agreement with any engaged Sub-processor that contains data protection obligations no less protective than those contained in this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor.
3.2. List of Current Sub-processors and Notification of New Sub-processors. A current list of Sub-processors for the Services, including the identities of those Sub-processors and their country of location, is available upon request. Customer may receive notifications of new Sub-processors by emailing privacy@picoprivacy.com with the subject “Subprocessor Subscribe”.
3.3. Objection to New Sub-processors. Customer may object to Pico Privacy’s use of a new Sub-processor by notifying Pico Privacy in writing within ten (10) business days after receipt of Pico Privacy’s communication advising of the new Sub-processor. In the event Customer reasonably objects to the use of a new Sub-processor as permitted in the prior sentence, Pico Privacy will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Pico Privacy is unable to make available such change within a reasonable period, which shall not exceed ninety (90) days, Customer may terminate the applicable Order Form with respect only to those Services which cannot be provided by Pico Privacy without the use of the objected-to new Sub-processor by providing written notice to Pico Privacy. Pico Privacy will refund Customer any prepaid fees covering the remainder of the term of such Order Form following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
3.4. Liability. Pico Privacy shall be liable for the acts and omissions of its Sub-processors to the same extent Pico Privacy would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Terms.
4. Personal Data Incidents.
4.1. Pico Privacy shall notify Customer without undue delay after becoming aware of a Personal Data Incident. Pico Privacy shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps necessary and reasonable to remediate the cause of such a Personal Data Incident to the extent the remediation is within Pico Privacy’s reasonable control.
5. International Data Transfers.
5.1. Personal Data Transfers. Customer agrees to allow transfer of Personal Data outside the country from which it was originally collected provided that such transfer is required in connection with the provision of Services under the Terms and such transfers take place in accordance with Data Protection Laws, including, without limitation, completing any prior assessments required by Data Protection Laws.
5.2. European Specific Provisions. Where Pico Privacy transfers Personal Data collected in the European Economic Area to a country outside of the European Economic Area and without an adequacy finding under Article 45 of the GDPR, at least one of the transfer mechanisms listed below shall apply:
5.2.1. Binding Corporate Rules. To the extent Pico Privacy has adopted Binding Corporate Rules, it shall maintain such rules and promptly notify Customer in the event that the rules are no longer a valid transfer mechanism between Pico Privacy and Customer.
5.2.2. EU Standard Contractual Clauses (“SCCs”). The Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (the modular clauses whose Module selections and Clause options are set out in Schedule 2) are hereby incorporated in their entirety into this DPA and, to the extent applicable, Pico Privacy shall ensure that its Sub-processors comply with the obligations of a data importer (as defined in the SCCs). To the extent there is any conflict between this DPA and the SCCs, the terms of the SCCs shall prevail.
6. Certifications and Audits.
6.1. Upon written request, Pico Privacy, to the extent that it is acting as a Processor to Customer, shall make available to Customer that is not a competitor of Pico Privacy (or Customer’s independent, third-party auditor that is not a competitor of Pico Privacy) information regarding Pico Privacy’s compliance with the obligations set forth under Data Protection Laws, provided that Pico Privacy shall have no obligation to provide commercially confidential information. On no more than an annual basis, Pico Privacy shall, to the extent that it is acting as a Processor to Customer, following a request by Customer and at Customer’s expense, further allow for and contribute to audits and inspections by Customer or its authorized third-party auditor that shall not be a competitor of Pico Privacy. The scope, timing and duration of any such audits, including conditions of confidentiality, shall be mutually agreed upon by Pico Privacy and Customer prior to initiation. Customer shall promptly notify Pico Privacy with information regarding non-compliance discovered during the course of an audit, and Pico Privacy shall use commercially reasonable efforts to address any confirmed non-compliance.
7. Liability
7.1. Liability arising out of or related to Processing of Personal Data in accordance with this DPA (whether in contract, tort or under any other theory of liability) is subject to any limitations of liability provision(s) set forth in the Terms.
List of Schedules
Schedule 1: Details of the Processing
Schedule 2: Standard Contractual Clauses
Schedule 1: Details of the Processing
Nature and Purpose of Processing
Pico Privacy will Process Personal Data pursuant to the Terms, and as further instructed by Customer in its use of the Services.
Duration of Processing
Pico Privacy will Process Personal Data for the duration of the Terms, unless otherwise agreed upon in writing.
Categories of Data Subjects
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. This may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
Prospects, customers, business partners, and vendors of Customer (who are natural persons)
Employees of Customer’s prospects, customers, business partners, and vendors
Employees, agents, subcontractors, advisors, and freelancers of Customer (who are natural persons)
Categories of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion. Such data may include, but is not limited to, the following categories of Personal Data:
First and last name
Contact information (company, email, phone, physical address)
ID data
Personal life data
Professional life data
Localization data
Schedule 2: Standard Contractual Clauses
Application of Modules. If Customer is acting as a Controller with respect to Personal Data, “Module Two: Transfer controller to processor” of the Standard Contractual Clauses shall apply. If Customer is acting as a Processor to a third-party Controller with respect to Personal Data, Pico Privacy is a sub-Processor and “Module Three: Transfer processor to processor” of the Standard Contractual Clauses shall apply.
Sections I-IV. The parties agree to the following selections in Sections I-IV of the Standard Contractual Clauses: (a) the parties select Option 2 in Clause 9(a) and the specified time period shall be the notification time period set forth in Section 3 of the DPA; (b) the optional language in Clause 11(a) is omitted; (c) the parties select Option 1 in Clause 17 and the governing law of the Republic of Ireland will apply; and (d) in Clause 18(b), the parties select the courts of the Republic of Ireland.
Annexes. The name, address, contact details, activities relevant to the transfer, and role of the parties set forth in the Terms and the DPA shall be used to complete Annex I.A. of the Standard Contractual Clauses. The information set forth in Schedule 1 to the DPA shall be used to complete Annex I.B. of the Standard Contractual Clauses. The competent supervisory authority in Annex I.C. of the Standard Contractual Clauses shall be the relevant supervisory authority determined by Clause 13 and the GDPR, unless otherwise set forth in the paragraphs “Transfers from the United Kingdom” or “Transfers from Switzerland” of this Schedule 2. If such determination is not clear, then the competent supervisory authority shall be the Irish Data Protection Commission.
Transfers from the United Kingdom. If Customer transfers Personal Data to Pico Privacy that is subject to UK Data Protection Laws, the parties acknowledge and agree that: (a) the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it may be revised from time to time by the Information Commissioner’s Office (the “UK Addendum”), shall be incorporated by reference herein; (b) the UK Addendum shall apply to and modify the Standard Contractual Clauses solely to the extent that UK Data Protection Laws apply to Customer’s Processing when making the transfer; (c) the information required to be set forth in “Part 1: Tables” of the UK Addendum shall be completed using the information provided in this Schedule 2 and the DPA; and (d) either party may end the UK Addendum in accordance with section 19 thereof.
Transfers from Switzerland. If Customer transfers Personal Data to Pico Privacy that is subject to the Swiss FADP, the following modifications shall apply to the Standard Contractual Clauses to the extent that the Swiss FADP applies to Customer’s Processing when making that transfer: (a) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) the Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised Swiss FADP on 1 September 2023; (c) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the Swiss FADP; and (d) the parties agree that the supervisory authority as indicated in Annex I.C of the Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner.