shall process the personal data only in accordance with the documented instructions from Customer (as set out in this DPA or the Agreement or as otherwise notified by Customer to Drank (from time to time) If Drank is required to process the personal data for any other purpose provided by applicable law to which it is subject, Drank will inform Customer of such requirement prior to the processing unless that law prohibits this on important grounds of public interest;
shall notify Customer without undue delay if, in Drank’s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation;
shall implement and maintain appropriate technical and organizational measures designed to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected;
may hire other companies to provide limited services on its behalf, provided that Drank complies with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services Drank has retained them to provide, and they shall be prohibited from using personal data for any other purpose. Drank remains responsible for its subcontractors’ compliance with the obligations of this DPA. Any subcontractors to whom Drank transfers personal data will have entered into written agreements with Drank requiring that the subcontractor abide by terms substantially similar to this DPA. If Customer requires prior notification of any updates to the list of subprocessors, Customer can request such notification in writing by emailing email@example.com. Drank will update the list within thirty (30) days of any such notification if Customer does not legitimately object within that timeframe. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation. If, in Drank’s reasonable opinion, such objections are legitimate, the Customer may, by providing written notice to Drank, terminate the Agreement.
shall ensure that all Drank personnel required to access the personal data are informed of the confidential nature of the personal data and comply with the obligations sets out in this Clause;
at the Customer’s request and cost (and insofar as is possible), shall assist the Customer by implementing appropriate and reasonable technical and organizational measures to assist with the Customer’s obligation to respond to requests from data subjects under Data Protection Legislation (including requests for information relating to the processing, and requests relating to access, rectification, erasure or portability of the personal data) provided that Drank reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
when the General Data Protection Regulation (Regulation (EU) 2016/679) comes into effect, shall take reasonable steps at the Customer’s request and cost to assist Customer in meeting Customer’s obligations under Article 32 to 36 of that regulation taking into account the nature of the processing under this DPA, provided that Drank reserves the right to reimbursement from Customer for the reasonable cost of any time, expenditures or fees incurred in connection with such assistance;
at the end of the applicable term of the Application Services, upon Customer’s request, shall securely destroy or return such personal data to Customer;
may transfer personal data from the EEA to the US for the purposes of this DPA pursuant to the EU-US Privacy Shield provided that Drank maintains its certification under the EU-US Privacy Shield;
shall allow Customer and its respective auditors or authorized agents to conduct audits or inspections during the term of the Agreement, which shall include providing reasonable access to the premises, resources and personnel used by Drank in connection with the provision of the Application Services, and provide all reasonable assistance in order to assist Customer in exercising its audit rights under this Clause. The purposes of an audit pursuant to this Clause include to verify that Drank is processing personal data in accordance with its obligations under the DPA and applicable Data Protection Legislation. Notwithstanding the foregoing, such audit shall consist solely of: (i) the provision by Drank of written information (including, without limitation, questionnaires and information about security policies) that may include information relating to subcontractors; and (ii) interviews with Drank’s IT personnel. Such audit may be carried out by Customer or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality. For the avoidance of doubt no access to any part of Drank’s IT system, data hosting sites or centers, or infrastructure will be permitted;
If Drank becomes aware of any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that is processed by Drank in the course of providing the Application Services (an “Incident”) under the Agreement it shall without undue delay notify Customer and provide Customer (as soon as possible) with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer Content. Drank shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident;
Drank shall provide information requested by Customer to demonstrate compliance with the obligations set out in this DPA.
Details of the Data Processing
Drank shall process information to provide the Application Services pursuant to the Agreement. Drank shall process information sent by Customer’s end users identified through Customer’s implementation of the Application Services. As an example, in a standard programmatic implementation, to utilize the Application Services, Customer may allow the following information to be sent by default as “default properties:”
Types of Personal Data
UTM Parameters (ie. any UTM tags associated with the link a customer clicked to arrive at the domain)
Last Seen (the last time a user was at a Partner location)
Additional detail regarding what information Customer may send to Drank at firstname.lastname@example.org .