Data Processing Addendum
This Data Processing Addendum (“DPA”) shall apply if and only to the extent Collaborne BV. dba NEXT (“NEXT”) collects or otherwise processes Personal Data on behalf of Customer in connection with performance of its obligations under the NEXT Terms of Service, Master Cloud Agreement or other NEXT agreement which references this policy (“Agreement”) entered into by the parties and as described in Annex A to this DPA, attached hereto and incorporated by reference herein. The parties agree that this DPA shall be incorporated into and form part of the Agreement and subject to the provisions therein, including limitations of liability. Terms defined in the Agreement shall have the same meaning when used in this DPA, unless defined otherwise herein.
1. Definitions and interpretation
“Business” has the meaning given to it in the CCPA.
“Conflicting Processing Obligation” means an obligation on NEXT under applicable law, court order, subpoena, or other mandatory request by a court or governmental authority of competent jurisdiction to disclose or otherwise process Personal Data other than as instructed by Customer.
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Legislation” means all data protection and privacy legislation applicable to the parties, which for the avoidance of doubt shall include the EU General Data Protection Regulation 2016/679 (“GDPR”) and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”).
“Data Subject” means a natural person whose Personal Data are Processed by NEXT in accordance with the context of the Agreement.
“EU Commission Model Clauses” means standard contractual clauses, as approved by the European Commission in Commission Decision 2010/87/EU of 5th February 2010, which are incorporated herein by reference.
“Personal Data Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, Personal Data.
“Personal Data” means any Customer Data (i) relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies) and (ii) constituting “personal information” as such term is defined in the CCPA.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on Controller’s behalf. Processor is also a Service Provider.
“Service Provider” has the meaning given to in the CCPA.2.
2. Roles and Ownership of Personal Data
2.1 For the purposes of processing Personal Data that is Customer Data under the Agreement, Customer (or a Customer Affiliate on whose behalf Customer is authorized to instruct NEXT) shall be regarded as a Controller and NEXT shall be regarded as a Processor.
2.2 For purposes of Personal Data constituting “personal information” under the CCPA, Customer is a Business and NEXT is a Service Provider. Customer’s transfer of Personal Data to NEXT is not a sale, and NEXT provides no monetary or other valuable consideration to Customer in exchange for Personal Data.
2.3 NEXT acknowledges that, between the parties, all rights, title and interest in the Personal Data in Customer Data processed under the Agreement is vested solely in Customer or a Customer Affiliate, as the case may be.
2.4 If Customer is acting on behalf of another Controller (or on behalf of intermediaries such as other Processors of the Controller), then, to the extent legally permissible: (a) Customer will serve as the sole point of contact for NEXT with regard to any such third parties; (b) NEXT need not interact directly with any such third party (other than through regular provision of the Service to the extent required by the Agreement); and (c) where NEXT would otherwise be required to provide information, assistance, cooperation, or anything else to such third party, NEXT may provide it solely to Customer. Notwithstanding the foregoing, NEXT is entitled to follow the instructions of such third party with respect to such third party’s Personal Data instead of Customer’s instructions if NEXT reasonably believes this is legally required under the circumstances.
3. Special Undertakings of Customer
Customer undertakes to:
3.1 Comply with all applicable requirements of the Data Protection Legislation;
3.2 Advise NEXT of any requirements under Data Protection Legislation applicable to Customer Data other than those provided in the GDPR or CCPA;
3.3 Ensure that there is a legal ground for processing the Personal Data as envisioned under the Agreement;
3.4 Not instruct NEXT to Process Personal Data in violation of Data Protection Legislation. NEXT has no obligation to monitor the compliance of Customer’s use of the Service with applicable Law, including Data Protection Legislation, though NEXT will promptly inform Customer if, in NEXT's opinion, an instruction from Customer infringes Data Protection Legislation.
3.5 Provide NEXT with instructions regarding NEXT's processing of Personal Data as set out in this DPA and in any additional documented instructions provided by Customer, if applicable.
4. Special Undertakings of NEXT
NEXT undertakes to:
4.1 Comply with all applicable requirements of the GDPR, CCPA, and if and to the extent agreed between Customer and NEXT in writing, Data Protection Legislation in other jurisdictions to the extent Customer and NEXT have agreed such legislation is applicable and the Service is able to comply;
4.2 Only process the Personal Data in accordance with instructions from Customer unless obligated to do otherwise by applicable Law. In such case, NEXT will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. Without limiting the foregoing: (a) NEXT will not collect, retain, use, disclose, or otherwise Process the Personal Data in a manner inconsistent with NEXT's role as Customer’s Service Provider (regardless of whether the CCPA applies); (b) NEXT will not “sell” the Personal Data, as such term is defined in the CCPA; and (c) NEXT hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them. The Agreement, including this DPA, along with Customer’s configuration of any settings or options in the Service (as Customer may be able to modify from time to time), constitute Customer’s complete and final instructions to NEXT regarding the Processing of Personal Data, including for purposes of the EU Commission Model Clauses;
4.3 Ensure that: (a) only employees which must have access to the Personal Data in order to meet NEXT’s obligations under the Agreement have access to the Personal Data, (b) such employees have received appropriate training and instructions regarding processing of Personal Data, and (c) such employees are subject to written agreements of confidentiality or are under an appropriate statutory obligation of confidentiality regarding Customer Data and other Customer Confidential Information;
4.4 Ensure that it has in place appropriate technical and organizational measures, without prejudice to NEXT’s right to make future replacements or updates to the measures that do not lower the level of protection of Personal Data, to protection against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, in each case as described in the Security Policy.;
4.5 As applicable to the Service, reasonably assist Customer in responding (at Customer’s expense) to any request from a Data Subject (including “verifiable consumer requests”, as such term is defined in the CCPA), relating to the Processing of Personal Data under the Agreement;
4.6 Upon becoming aware of a Personal Data Incident, NEXT shall use reasonable efforts to notify Customer without undue delay and shall provide timely information relating to the Personal Data Incident as it becomes known or as is reasonably requested by Customer;
4.7 Taking into account the nature of the Processing and the information available to NEXT, NEXT will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of the Personal Data involving NEXT, and with related consultation with supervisory authorities, by providing Customer with any publicly available documentation for the relevant Service or by complying with Section 9 (Audit Rights). Additional support for data protection impact assessments or relations with regulators may be available and would require mutual agreement on fees, the scope of NEXT involvement, and any other terms that the parties deem appropriate;
4.8 Maintain complete and accurate records and information to demonstrate its compliance with this DPA; and
4.9 Make available to Customer the information necessary to demonstrate compliance with NEXT’s obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another third party mandated by it, as set forth in Section 9 (Audit Rights). NEXT shall promptly inform Customer if, in its opinion, Customer’s instructions infringe Data Protection Legislation.
5. Conflicting Processing Obligations
If NEXT is faced with a Conflicting Processing Obligation, NEXT shall (a) inform Customer of that Conflicting Process Obligation before processing the Personal Data in accordance therewith, unless such information is prohibited by applicable Laws; (b) give Customer reasonable opportunity to take any steps it considers necessary to protect the integrity of the Personal Data and the rights of the relevant Data Subjects and (c) provide any assistance reasonably requested by Customer to take such steps.
Customer hereby consents to NEXT’s appointment of certain third-party processors of Personal Data under this Agreement (“Subprocessors”). NEXT’s current Subprocessors are listed here. NEXT confirms that it: (a) has entered (or, for future appointments, will enter) into a written agreement with each Subprocessor incorporating terms which are substantially similar to those set out in this DPA; and (b) will inform Customer of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Customer the opportunity to object to such changes. Customer’s sole recourse if it objects to a Subprocessor will be to terminate Customer’s subscription to the Service. Following such termination, Customer will be entitled to a refund of unused prepaid fees only if (a) NEXT breached its obligation to maintain the requisite contract provisions with the Subprocessor, or (b) the Agreement otherwise provides for a refund.
7 Transfer of Personal Data Outside of the EU/EEA
7.1 NEXT may not transfer Personal Data to, or process such data in, a location outside of the EEA without Customer’s prior written consent, except in compliance with Sections 7.2 and 7.3 below (in each case a “Transfer”).
7.2 Without prejudice to the foregoing, Customer consents to Transfers where NEXT has implemented a Transfer solution compliant with Data Protection Legislation, which for example may include: (a) where such transfer is subject to an adequacy decision by the European Commission; (b) the EU Commission Model Clauses for the transfer of Personal Data to Processors established in third countries; (c) another appropriate safeguard pursuant to Article 46 of the GDPR applies; or (d) a derogation pursuant to Article 49 of the GDPR applies.
7.3 Customer will comply with all applicable Law, including Data Protection Legislation, relevant to use of the Service, including by obtaining any consents and providing any notices required under Data Protection Legislation for NEXT to provide the Service. Customer will ensure that Customer and Users are entitled to transfer the Personal Data to NEXT so that NEXT and its Subprocessors may lawfully Process the Personal Data in accordance with this DPA.
7.4 EU Commission Model Clauses. For purposes of the EU Commission Model Clauses: (1) the audit rights in Section 9 (Audit Rights) will satisfy Section 5(f) of the EU Commission Model Clauses, (2) the Subprocessor authorization and procedures in Section 6 (Subprocessors) serves as consent for subprocessing under Section 5(h) of the EU Commission Model Clauses (and NEXT may disclose copies of subprocessing agreements with redacted commercial information for purposes of Section 5(j) of the EU Commission Model Clauses) and (3) instructions referenced in Section 4.2 are Customer’s instructions for purposes of the EU Commission Model Clauses.
8. Obligation to Rectify, Update and Restrict Processing of Personal Data
During the term of the Agreement, NEXT will: (a) ensure that the Personal Data is, where necessary, kept up to date in accordance with Customer’s instructions; and (b) restrict the processing of Personal Data identified by Customer so that except for storage and changes made by Users or upon instructions from Customer, it is not subject to further processing operations and cannot be changed.
9. Audit Rights
On written request from Customer, NEXT shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its processing of Personal Data, including responses to information security and audit questionnaires that are strictly necessary to confirm NEXT’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any 12 month rolling period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or NEXT has experienced a Personal Data Incident, or other reasonably similar basis.
10. General Terms
10.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict, as it relates to the subject matter of this DPA.
10.2 This DPA shall be deemed a part of and incorporated into the Agreement so that references in the Agreement to "Agreement" shall be interpreted to include this DPA.
10.3 This DPA will be governed by and construed in accordance with in accordance with governing law and jurisdiction provisions in the Agreement unless required otherwise by Data Protection Legislation, in which case this DPA will be governed by the laws of the Netherlands.
10.4 In the event of inconsistencies between this DPA and the EU Commission Model Clauses, this DPA shall prevail to the extent this DPA offers a stronger privacy protection for data subjects. Otherwise the EU Commission Model Clauses shall apply.
ANNEX A: DESCRIPTION OF DATA PROCESSING
The data processing activities carried out by NEXT under the Agreement may be described as follows: