Data Processing Addendum

This Data Processing Addendum ("DPA") is incorporated into, and is subject to the terms and conditions of, the Agreement between Consultingcentral GmbH ("Processor") and the party identified as the customer of the Service (or "you") in the Agreement ("Company").

All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. This DPA applies where and only to the extent that Consultingcentral processes Company Data that is protected by Data Protection Laws applicable to the EEA.

1. Definitions

Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

"Agreement" means Consultingcentral’s Standard Terms of Use, or other written or electronic agreement, which govern the provision of the Service to Company, as such terms or agreement may be updated from time to time.

"Company Personal Data" means any personal data that Mailchimp processes on behalf of Customer as a processor in the course of providing the Service, as more particularly described in this DPA.

"Contracted Processor" means the Processor.

"Data Transfer" means a transfer of Company Personal Data from the Company to a Contracted Processor or an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).

"EU Data Protection Law" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

"EEA" means, for the purposes of this DPA, the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom.

"Privacy Shield" means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.

"SCCs" means the standard contractual clauses for processors as approved by the European Commission or Swiss Federal Data Protection Authority (as applicable).

"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Consultingcentral.

"Subcontracted Processor" means any processor engaged by Processor or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA. Subcontracted Processors may include third parties or Affiliates of Processor but shall exclude Processor employees or consultants.

The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. Processing of Company Personal Data

2.1 Processor shall:

2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

2.1.2 not Process Company Personal Data other than on the relevant Company’s documented instructions.

2.2 The Company instructs Processor to process Company Personal Data.

2.3 Customer compliance. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable Data Protection Laws in respect of its processing of Company Personal Data and any processing instructions it issues to Processor; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Processor to process Company Personal Data for the purposes described in the Agreement. Company shall have sole responsibility for the accuracy, quality, and legality of Company Personal Data and the means by which Company acquired Company Personal Data. Without prejudice to the generality of the foregoing, Company agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Service, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.

3. Processor Personnel

Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

4.2 In assessing the appropriate level of security, Processor shall take account in the risks that are presented by Processing, in particular from a Personal Data Breach.

5. Subprocessing

5.1 Authorized Subcontracted Processor. Customer agrees that Processor may engage Subcontracted Processors to process Company Personal Data on Company's behalf. The Subcontracted Processors currently engaged by Processor and authorized by Company are available in Annex A.

5.2 Subcontracted Processor obligations. Processor shall: (i) enter into an agreement with each Subcontracted Processor containing data protection obligations that provide at least the same level of protection for Company Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Subcontracted Processor; and (ii) remain responsible for such Subcontracted Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Subcontracted Processor that cause Processor to breach any of its obligations under this DPA.

6. Data Subject Rights

6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

6.2 Processor shall:

6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and

6.2.2 ensure that it does not respond to that request except on the documented instructions of Company or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request.

7. Personal Data Breach

7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

7.2 Processor shall co-operate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

8. Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

9. Deletion or return of Company Personal Data

9.1 Subject to this section 9 Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Company Personal Data.

10. Audit rights

10.1 Subject to this section 10, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.

10.2 Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

11. Data Transfer

11.1 The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If Company Personal Data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the Company Personal Data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on Privacy Shield or EU approved standard contractual clauses (SCC) for the transfer of personal data.

12. General Terms

12.1 This DPA shall remain in effect for as long as Processor carries out Customer Data processing operations on behalf of Company or until termination of the Agreement (and all Company Personal Data has been returned or deleted).

12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.

12.3 In the event of any conflict or inconsistency between this DPA and the Processor Standard Terms of Use, the provisions of the following documents (in order of precedence) shall prevail: (a) SCCs; then (b) this DPA; and then (c) the Processor Standard Terms of Use.

12.4 Notwithstanding anything to the contrary in the Agreement (including this DPA), Processor shall have a right to collect, use and disclose data relating to the use, support and/or operation of the Service ("Service Data") for its legitimate business purposes, such as billing, account management, technical support, and product development. To the extent any such Service Data is considered personal data under Data Protection Laws, Processor shall be responsible for and shall process such data in accordance with the Processor Privacy Policy and Data Protection Laws. For the avoidance of doubt, this DPA shall not apply to Service Data.

12.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

12.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

Annex A Subcontracted Processors

Digital Ocean, www.digitalocean.com, California

— Last updated in May 2019