Effective date: November 5th, 2020
This Data Protection Addendum (Addendum) is between you as either a Customer or a User and us, Remo USA, Inc., and is part of our User & Customer Terms of Service published on our website. This Addendum governs the Processing of Personal Data when you use the Service and when European laws apply.
Definitions
- Capitalized terms not otherwise defined herein have the meaning given to them in the Terms of Service. If the terms below are not defined in the Terms of Service, they have the definitions below.
- “EEA” means the European Economic Area.
- “European Laws” mean (a) the GDPR, and (b) any other European Union (EU) or Member State data protection laws, regulations and secondary legislation implementing the GDPR, including the United Kingdom (UK) Data Protection Act 2018 and any replacement legislation implemented by the UK pursuant to the withdrawal of the UK from the EU and the Federal Data Protection Act of 19 June 1952 (Switzerland).
- “General Data Protection Regulation” or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
- “Non-European Laws” means laws in force outside the EEA, the UK and Switzerland.
- “Restricted Transfer” means
- A transfer of Personal Data from you to us, or
- An onward transfer of Personal Data between us and another Processor or between two of our establishments.
- “Standard Contractual Clauses” mean the standard data protection clauses for the transfer of Personal Data to either Controllers or Processors in third countries which do not ensure an adequate level of data protection as provided for in Article 46 of the GDPR.
- “Subprocessor” means a Processor engaged by us for carrying out specific Processing activities on your behalf.
- The terms “Commission,” “Controller,” “Data Subject,” “Member State,” “Personal Data,” “Personal Data Breach,” “Processing” (including “Process”), “Processor,” and “Supervisory Authority” have the meanings given them or to similar terms in the GDPR.
- The terms “data importer” and “data exporter” have the meanings given them in the Standard Contractual Clauses.
Scope of European Laws
- European Laws apply to the processing of Personal Data if, for example:
- The Processing is carried out in the context of activities of an establishment in the territory of the EEA, the UK or Switzerland; and/or
- The Personal Data relate to Data Subjects who are in the EEA, the UK and Switzerland, and the Processing relates to the offering of the Service in the EEA, the UK or Switzerland or the monitoring of the behavior of Data Subjects as far as their behavior takes place in the EEA, the UK or Switzerland.
- Non-European Laws apply to the Processing of Personal Data outside the territorial scope of the EEA, the UK or Switzerland.
Processing of Personal Data
- In order to provide the Service, with respect to the Personal Data submitted by you or on your behalf, we shall:
- Comply with all European Laws in the Processing of Personal Data, and
- Not Process Personal Data other than on your documented instructions unless Processing is required by European Laws to which we are subject, in which case we shall to the extent permitted by European Laws inform you of that legal requirement before the relevant Processing of the Personal Data, unless the law prohibits informing you on important grounds of public interest.
- We Process the Personal Data only on documented instructions from you as defined by the Terms of Service and as defined when you register an Account and when you organize an Event or Workplace in order to use the Service. If, in our opinion, your documented instruction violates European Laws or if we cannot comply with your documented instruction for whatever reason, we shall inform you and work together to find an alternative, and if an alternative is not feasible, you may terminate the Service in accordance with the Terms of Service.
- You instruct us (and authorize us to instruct each Subprocessor) to:
- Process Personal Data; and
- In particular, transfer Personal Data to any country or territory, as reasonably necessary for the provision of the Services.
- Annex 1 to this Addendum sets out certain information regarding our Processing of the Personal Data as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other European Laws). You may make reasonable amendments to Annex 1 by written notice to us from time to time as you reasonably consider necessary to meet these requirements. Nothing in Annex 1 (including as amended pursuant to this section 3.d.) confers any right or imposes any obligations on either you or us.
- Our Processing of Personal Data is subject to this Data Protection Addendum, our Terms of Service, our Privacy Notice, and our Cookie Notice.
Processor and Controller Responsibilities
- You, as either User or Customer of the Service, are the Controller, and we are the Processor, except when you act as the Processor, in which case we are the Subprocessor. If you are a Processor, you warrant that our appointment as a Subprocessor has been authorized by the relevant Controller. As Controller, you represent and warrant that (a) you have a legal basis to Process the relevant Personal Data and (b) the Content is not unlawful and does not infringe any right of a third party. You indemnify us against all claims and actions of third parties related to (a) the Processing of Personal Data without a legal basis to Process, and (b) unlawful Content and infringement of the rights of third parties.
- As a Controller, you solely are responsible for making an independent determination as to whether the technical and organizational measures for the Service meet your requirements, including any of your security obligations under the GDPR or other European Laws.
Personnel
- We shall take reasonable steps to make sure our employees, agents or contractors who may have access to Personal Data:
- Have strictly limited access in each case to those individuals who need to know and to access the Personal Data, as strictly necessary for the purposes of this Addendum, and to comply with European Laws in the context of their individual duties, and
- Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Security
- Taking into account the state of the art, the costs of the implementation and the nature, scope, content and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall in relation to the nature of the Personal Data implement appropriate technical and organizational measures to achieve a level of security appropriate to that risk, including as appropriate the measures referred to in Article 32(1) of the GDPR. These security measures include measures to:
- Encrypt personal data;
- Help achieve ongoing confidentiality, integrity, availability and resilience of our systems and services;
- Help restore timely access to Personal Data following an incident; and
- Regularly test effectiveness.
- In assessing the appropriate level of security, we shall take into account in particular the risks that are presented by Processing, especially from a Personal Data Breach. We may update these security measures from time to time, provided that these updates do not result in their overall degradation.
Subprocessors
- You authorize us to engage (and permit each Subprocessor engaged in accordance with this Section 7 to engage) Subprocessors in accordance with this Section 7.
- We may continue to use those Subprocessors already engaged by us as of the date of this Addendum, subject to us as soon as practicable meeting the obligations set out in Section 7.c.
- We shall send a list of the categories of Subprocessors engaged by us organized by the type of Processing undertaken by each Subprocessor upon request.
- With respect to each Subprocessor, we shall:
- Before the Subprocessor first Processes Personal Data (or where relevant, in accordance with Section 7.b.), carry out adequate due diligence (taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purpose of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons) to determine whether the Subprocessor is capable of providing the level of protection for Personal Data required by this Addendum.
- Enter into a written contract that governs the arrangement between us on the one hand and the Subprocessor on the other hand, including terms which offer at least the same level of protection for Personal Data as those set out in this Addendum and meet the requirements of Article 28(3) and (4) of the GDPR, and in particular, provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing meets the requirements of European Laws;
- If the arrangement involves a Restricted Transfer, incorporate the Standard Contractual Clauses into this Addendum at all relevant times between us on the one hand and the Subprocessor on the other hand, or before the Subprocessor first Processes the Personal Data, procure that it enters into an agreement with you incorporating the Standard Contractual Clauses; and
- We shall supervise each Subprocessor so that the obligations under Sections 3.a., 5, 6, 8.a., 9.b., 10 and 12 are performed.
Data Subject Rights
- Taking into account the nature of the Processing, we shall implement appropriate technical and organizational measures, insofar as this is possible for the fulfillment of our obligations, as reasonably understood by us, to respond to requests to exercise Data Subject rights under all European Laws.
- If we receive a request from a Data Subject and the request identifies you, we will notify you; if a Subprocessor receives a request, the Subprocessor will notify us, and we will notify you.
Personal Data Breach
- We shall notify you promptly and without undue delay upon becoming aware of a Personal Data Breach and provide you with sufficient information allowing you to meet any obligations to report or inform Data Subjects and the applicable Supervisory Authority of the Personal Data Breach under European Laws.
- We shall cooperate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
Data Protection Impact Assessment and Prior Consultation
- We shall provide reasonable assistance to you with any data protection impact assessment and prior consultations with Supervisory Authorities or other competent data privacy authorities which you reasonably consider to be required of you by Articles 35 and 36 of the GDPR or equivalent provisions of any other European Law, in each such case taking into account the nature of the Processing and the information available to us.
Deletion or Return of Personal Data
- Subject to Sections 11.b. and 11.c., at your written direction, we shall promptly delete and procure the deletion of all copies of Personal Data.
- Subject to Section 11.c., you may in your absolute discretion by written notice to us require us to:
- Promptly return a complete copy of all Personal Data to you by secure file transfer in such format as is reasonably notified by you to us; and
- Delete and procure the deletion of all other copies of Personal Data Processed by us.
- We and any Subprocessor may retain Personal Data to the extent required by European Laws and only to the extent and for such period as required by European Laws and always provided that the confidentiality of Personal Data is maintained and Personal Data are Processed only as necessary for the purpose(s) specified in European Laws requiring their storage and for no other purpose.
- If requested, we shall provide written certification to you that we have fully complied with this Section 11.
Audit Rights
- Upon request, we shall make available to you the information necessary to assess our compliance with our obligations under European Laws to the extent we are acting as a Processor on your behalf. If the GDPR applies to the Processing of your Personal Data, in order to confirm our compliance with our obligations under Article 28 of the GDPR, you or an auditor mandated by you may conduct the inspections or audits in accordance with the procedures described in Sections 12.b.-12.e.
- Any requests for audits must be sent to success@remo.co. Following receipt of such a request no more than once annually, with our reasonable costs of complying with any such request to be met by you, we:
- Shall discuss and agree in advance on the reasonable start date, scope and duration of any security and confidentiality controls applicable to the audit; and
- May object in writing to an auditor appointed by you to conduct any audit if the auditor is, in our reasonable opinion, not suitably qualified or independent, a competitor of ours, or otherwise manifestly unsuitable. Any such objection by us will require you to appoint another auditor or to conduct the audit yourself.
- Notwithstanding Section 12.b., if your request for an audit occurs during our quarter or year end, or such other time during which we cannot reasonably accommodate your request, we shall mutually agree on an extension.
- You shall execute a confidentiality agreement in form and substance reasonably satisfactory to us prior to such audit. For the avoidance of doubt, nothing contained herein permits you to review data pertaining to our other customers or partners.
- You shall bear your own costs and expenses with respect to the audits described in this Section 12. You shall use all reasonable endeavors when exercising rights under this Section 12 to minimize disruption to our business activities. You shall make (and supervise each of your mandated auditors so they make) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to our premises, equipment, personnel and business while your personnel are on our premises in the course of such an audit or inspection.
Restricted Transfers
- Subject to Section 13.c., you (as “data exporter”) and we, as appropriate (as “data importer”), hereby enter into Standard Contractual Clauses in respect of any Restricted Transfer.
- The Standard Contractual Clauses shall come into effect under this Section 13.b. on the later of:
- The data exporter becoming a party to them,
- The data importer becoming a party to them,
- Commencement of the relevant Restricted Transfer.
- Section 13.a. shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the relevant Restricted Transfer to take place without breach of European Laws.
- We warrant and represent that, before the commencement of any Restricted Transfer to a Subprocessor, our entry into the Standard Contractual Clauses under Section 13.a., and agreement to variations to those Standard Contractual Clauses made under this Section 13.d., as agent for and on behalf of that Subprocessor, will have been duly and effectively authorized (or subsequently ratified) by that Subprocessor.
General Terms
- Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses, any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity, and this Addendum and all non-contractual or other obligations arising out of or in connection with this Addendum, will be governed by and construed in accordance with the Choice of Law provisions in the Terms of Service.
- In the event of any conflict or inconsistencies between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. In the event of inconsistencies between the provisions of this Addendum and any other agreements between both of us, including (except where explicitly agreed otherwise in writing, signed on behalf of both of us) agreements entered into or purported to be entered into after the date of this Addendum, the provisions of this Addendum shall prevail.
- You may make variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under Section 13.a.) as they apply to Restricted Transfers subject to a particular European Law, which are required as a result of any change in, or decision of a competent authority under, that European Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that European Law, and to propose any other variations to this Addendum which you reasonably consider necessary to address the requirements of any Applicable Law. If you make or propose any such variations, we shall promptly co-operate (and make sure that any affected Subprocessors promptly cooperate) so that equivalent variations are made to any agreement put in place under Section 7.d.
- Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either amended so it is valid and enforceable or if this is not possible, construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA
This Annex 1 includes certain details of the Processing of Personal Data as required by Article 28(3) of the GDPR.
SUBJECT MATTER OF THE PROCESSING
Our provision of the Service to you
DURATION OF THE PROCESSING
Until you delete your Account or you delete an Event or Workspace
NATURE AND PURPOSE OF THE PROCESSING
We will process the Personal Data for the purposes of providing the Service to you in accordance with this Data Protection Addendum
TYPE OF PERSONAL DATA TO BE PROCESSED
Personal Data relating to you provided by you to us
CATEGORIES OF DATA SUBJECTS
Individuals who use the Service
OBLIGATIONS AND RIGHTS OF THE CONTROLLER
Your obligations and rights are set forth in this Data Protection Addendum.