Data Processing Addendum

Last Updated on February 2, 2024

Data Processing Addendum

Last Updated on February 2, 2024
  1. Background
    1. This Data Processing Addendum specifies the terms on which 24i will process certain Personal Information for the provision of the Subscription Services, the Platform Services, and/or the Licensed Software to the Client ("DPA). This DPA becomes effective on the Signature Date of an Order Form and/or a Statement of Work by Client, and with such signature, Client agrees and acknowledges that any and all terms and conditions set forth in this DPA, in conjunction with the overarching GTCs and the applicable Order Form and/or Statement of Work, constitutes each a legally binding contractual relationship established between Client and 24i, which creates enforceable rights and obligations for the Parties.
    2. All capitalised terms and words in this DPA shall have the meanings set forth in Annex I to the DPA - Definitions. Capitalised terms used but not defined in this DPA shall have the meanings assigned to such terms in the GTCs.
  1. Data Processing obligations
    1. The Parties agree and acknowledge that in the provision of the Subscription Services, the Platform Services, and/or the Licensed Software by 24i to Client, 24i shall process Personal Information as the Data Processor, and shall only process the type(s) of personal data, and only in respect of the categories of data subjects and types of processing, set out in Annex II to the DPA - Details of Personal Information Processed).
    2. Client hereby represents and warrants that it acknowledges and agrees that it is the Data Controller and shall comply with the applicable Data Protection Legislation; and ensure that any instructions it issues to 24i shall comply with the applicable Data Protection Legislation;
    3. 24i hereby represents and warrants that it shall:
      1. comply with Data Protection Legislation in accordance with its obligations as a Data Processor;
      2. process the Personal Data solely in accordance with the Permitted Purpose, the Data Protection Legislation (to the extent it applies to processing under this Data Processing Addendum), in order to provide the Services in accordance with the terms of this Data Processing Addendum and any other written instructions of Client that are agreed between the parties from time to time;
      3. take reasonable steps to ensure it does not do, cause or permit anything to be done which may result in a breach by Client of the Data Protection Legislation in connection with the processing of Personal Data;
      4. ensure that it has appropriate technical and organisational measures in place against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data;
      5. notify Client without undue delay (and in any event within 48 (forty eight) hours) after discovering any Security Breach; provide full details of the Security Breach and the consequences of the Security Breach; and not make any notifications to any regulatory, supervisory or government body, or to any data subjects about the Security Breach without Client's prior written consent (not to be unreasonably withheld or delayed);
      6. ensure that only 24i's Personnel who are strictly required to process Personal Data have access to it;
      7. take reasonable steps to ensure that 24i's Personnel who have access to Personal Data are subject to written (or statutory) obligations to maintain the confidentiality of personal data;
      8. make available to Client all information necessary to demonstrate compliance with its obligations under this Data Processing Addendum, and allow Client to review a written report prepared about 24i's processing activities related to data handled on the Client's behalf pursuant to this Data Processing Addendum;
      9. notify Client as soon as reasonably practicable upon receiving any notice, complaint or communication from any regulatory, supervisory or government body which relates to the processing of the Personal Data and co-operate with and provide commercially reasonable assistance to Client in connection with such notice, complaint or communication;
      10. notify Client as soon as reasonably practicable if it receives a Request, and provide commercially reasonable assistance to Client in connection with such Request and Client shall be responsible for any reasonable costs arising from 24i's provision of such assistance;
      11. not disclose the Personal Data to any data subject, or to a third party other than at the request of Client or as expressly provided for in this Data Processing Addendum;
      12. except as set out in clause 2.4, not transfer the Personal Data outside the permitted region without the prior written consent of Client; and
      13. provide such other information and commercially reasonable assistance as Client may reasonably require to enable Client to comply with Client's obligations under the Data Protection Legislation (including articles 32 to 36 of the GDPR) in respect of Personal Data.
      14. provide to Client on Client’s request, and in a portable format, a copy of all Personal Data held by it in relation to the Services.
    4. Where Client consents to the transfer of the Personal Data outside the Permitted Region pursuant to clause 2.4(l) and in the case (i) the applicable adequate protection for the transfer ceases to be valid due to any reason out of 24i's control, then 24i shall cease all data transfers affected by such change and shall ensure that all Personal Data previously transferred shall be returned or deleted within a reasonable period.
  1. Appointment of sub-contractors, client's rights of audit
    1. Client generally agrees that 24i may engage a third party including any advisers, contractors, or auditors (such third party referred to in this Data Processing Addendum as a "Sub-Processor") to process Personal Data.
    2. If Client requests, 24i will inform Client of the name, address, and role of each Sub-Processor it uses to process Personal Data.
    3. Where 24i engages a new Sub-Processor, 24i shall inform Client of the engagement by sending an email notification to Client. Client must promptly notify 24i if it objects to any nominated Sub-Processor, and 24i will take such steps as are reasonably necessary to address any Client concerns.
    4. 24i shall ensure that its contract with each Sub-Processor shall impose obligations on the Sub-Processor that are equivalent to the obligations to which 24i is subject to under this Data Processing Addendum.
    5. Any sub-contracting or transfer of Personal Data pursuant to this clause 3 shall not relieve 24i of any of its liabilities, responsibilities and obligations to Client under this Data Processing Addendum and 24i shall remain fully liable for the acts and omissions of its Sub-Processors.
    6. During the term of the Agreement and for one year after its termination, upon prior reasonable notice, Client may, through an independent auditing firm visit the 24i’s premises in order to verify 24i’s compliance with this Data Processing Addendum, provided that the audit firm agrees to confidentiality terms appropriate to such inspection. The costs of any such audit shall be paid by the Client.
  1. Commencement and duration, cessation
    1. This Data Processing Addendum shall take effect from the date of commencement of the Agreement and shall continue in force until the expiry or earlier termination of the Agreement (at which point this Data Processing Addendum shall automatically terminate without the need for further notice).
    2. Upon taking effect, this Data Processing Addendum shall be deemed to be governed by and form part of the Agreement and replace any equivalent or other data processing provisions in the Agreement.
    3. To the extent that the provisions of this Data Processing Addendum conflict with the provisions of the Agreement, this Data Processing Addendum shall prevail.
    4. Upon termination of the Agreement to which this Data Processing Addendum applies, 24i shall: (i) within 30 days, if so requested by Client, provide to Client a computer-readable copy of the Personal Data; and (ii) cease to process the Personal Data; and (iii) delete or render unreadable all copies of the Personal data in its possession and control; and (iv) procure the same as (i), (ii) and (iii) in respect of any Sub-Processors.
  1. Counterparts
    1. This Data Processing Addendum may be executed in any number of counterparts or duplicates, each of which, when executed and delivered, shall be an original, and such counterparts or duplicates together shall constitute one and the same instrument.
  1. Entire agreement
    1. This Data Processing Addendum is the entire agreement between the parties on the subject matter contained herein and supersedes all representations, communications and prior agreements (oral or written).
    2. Each party acknowledges that upon entering into this Data Processing Addendum, it does not rely, and has not relied, upon any representation (negligent or innocent), statement or warranty made or agreed to by any person (whether a party to this Data Processing Addendum or not) except those expressly repeated in this Data Processing Addendum.
    3. This clause 6 shall not apply to any statement, representation, or warranty made fraudulently, or to any provision of this Data Processing Addendum which was induced by fraud for which the remedies available shall be all those available under the laws of the Netherlands.
  1. Third party rights
    1. Except as set out in clause 2.1 above, a person who is not a party to this Data Processing Addendum has no right to rely upon or enforce any term of this Data Processing Addendum.

Annex I to the DPA - Definitions

In this DPA, unless otherwise specified, words denoting the singular shall include the plural and vice versa and words denoting any gender shall include all genders. References to a person shall include an individual, partnership, corporate body, and unincorporated association. References to any Party shall include its personal representatives, lawful successor in title, and permitted assigns. The words “include”, “including” and “includes” shall be deemed to be followed by the words “without limitation".

Capitalised terms used but not defined in this DPA shall have the meanings assigned to such terms in the Annex I to the GTCs.

Data Processing Addendum or DPA

means this Data Processing Agreement (including any annex to it and any document in agreed form);

Data Protection Legislation

means any laws and regulations in any relevant jurisdiction relating to privacy or the use or processing of data relating to natural persons, including: (a) the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulations) ("GDPR"); (b) the California Consumer Privacy Act of 2018 (“CCPA”), and/or such applicable national laws enacting the aforementioned regulations and (c) any laws or regulations ratifying, implementing, adopting, supplementing or replacing GDPR and/or CCPA; in each case, to the extent in force, and as such are updated, amended or replaced from time to time;

"data subject", "data controller", "personal data", "processing" and "process"

shall have the meaning set out in the applicable Data Protection Legislation;

Permitted Purpose

means the purposes for which 24i is permitted to process Personal Data as more particularly described in Annex II (Details of Personal Data Processed);

Personal Information

means personal data which is processed by 24i pursuant to this Data Processing Addendum, as more particularly described in Annex II (Details of Personal Data Processed);

Request

means a request from a data subject to exercise any of their rights under the Data Protection Legislation in respect of the Personal Data;

Security Breach

means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data, transmitted, stored or otherwise processed;

Sub-Processor

has the meaning given to it in Section 3.1 of this DPA.

Annex II to the DPA - Details of Personal Data Processed)

  1. Categories of Personal Data
    The categories of personal data which are processed pursuant to this Data Processing Addendum shall include (but shall not be limited to):
    • E-mail address (anonymised);
    • IP address (internal + external) (anonymised);
    • Client (End-User) number (anonymised);
    • Behaviour regarding viewing (anonymised).
  1. Categories of data subjects
    The categories of data subjects whose personal data is processed pursuant to this Data Processing Addendum means:
    • Subscribers and Users of the Services delivered by 24i to Client pursuant to the Agreement.
  1. Permitted Purpose
    The processing activities to be carried out by 24i pursuant to this Data Processing Addendum are to process the Personal Data strictly for the purposes of performing the Services anticipated by the Agreement into which this Data Processing Addendum is incorporated.
  1. List of sub processors
    The following are sub-24is of 24i and are Sub-processors in respect of the noted data:
    • AWS