NetLine ("NetLine") is required to demonstrate accountability for compliance with data protection laws (including the General Data Protection Regulation ("GDPR")) by our clients. We ask you to please confirm your compliance with your legal obligations to NetLine by signing and returning to us this Data Protection Agreement ("DPA").
References in this document to "Supplier", "you", or "your" shall refer to the entity that is acting in the capacity of a service provider/supplier/vendor to NetLine.
Supplier agrees to the following:
- You will comply with obligations under all Applicable Laws including GDPR with respect to the Processing of Personal Data.
- You confirm and can evidence that you have appropriate security measures in place to protect Personal Data, including appropriate technical and organizational measures, to protect against unauthorized or unlawful Processing and against accidental loss, destruction or damage.
- You will take reasonable steps to ensure the reliability of any employees, affiliates, or agents ("Personnel") engaged in the Processing of Personal Data.
- You confirm that any Personal Data to which you have access will be accessible only to your Personnel who: (i) need to have access; (ii) have been trained on appropriate handling of Personal Data; and (iii) are subject to contractual obligations of privacy, security, and confidentiality in respect of such Personal Data.
- You confirm you will not transfer Personal Data out of the country in which it is provided to you, except (a) between member states of the European Economic Area ("EEA"); or (b) if you transfer Personal Data outside of the EEA, you will promptly enter into an agreement with the relevant parties on appropriate EU Model Clauses or any other transfer mechanism required to facilitate a transfer.
- You confirm that you will have a Data Protection Officer (or a designated employee) who will be responsible for ensuring the lawful management of Personal Data and all related issues and who will be available to help NetLine, in a timely manner, should there be any inquiries received from Data Subjects or any competent data protection or privacy authority, in relation to Personal Data Processed by you. You confirm you will give NetLine such assistance and information as it may reasonably request, in a timely manner, to assist NetLine to comply with its obligations under GDPR.
- You confirm that you are a Supplier that helps NetLine collect Personal Data and you have in place, and can evidence, mechanisms for obtaining appropriate consent to such collection of Personal Data by means and for the purposes used by NetLine and its clients; and include a clear and unambiguous link to an easy-to-use mechanism that provides the Data Subject the ability to opt out.
- You confirm that if you facilitate the provision to NetLine of Personal Data from digital properties, processes, databases, customer lists and other relevant mediums operated by third parties you shall have in place legally enforceable obligations with such third parties requiring them to obtain appropriate consent and to enable you to provide evidence of such consent to NetLine, for the means and for the purposes required for NetLine's use of such Personal Data.
- You confirm that you are a data provider to NetLine and you have proof of appropriate consent (where applicable) of any Data Subject whose Personal Data you share with NetLine and, in all cases, such Data Subjects were provided with a clear and unambiguous option to an easy-to-use mechanism to opt out, including where applicable the ability for a Data Subject to opt out of Interest-Based Advertising.
- You will ensure that you have a privacy notice that complies with Applicable Laws.
- You confirm that in the event of a Personal Data Breach which involves NetLine Personal Data you will: (i) promptly take all necessary and appropriate corrective action to remedy the underlying causes of the Personal Data Breach and make reasonable commercial efforts to ensure that such Personal Data Breach will not recur; (ii) notify NetLine without delay, and in any event within twenty-four (24) hours, providing reasonable detail of the Personal Data Breach and likely impact on Data Subjects; and (iii) take any action required by Applicable Law and/or at the reasonable request of NetLine.
- You confirm you have the means and will take all reasonable action to allow NetLine and its clients to comply with reasonable requests from Data Subjects (in relation to their rights under Articles 12-22 of GDPR) in the event that they have shared their Personal Data with you.
- You confirm you will not share any sensitive/special categories of Personal Data, as defined in Articles 9 and 10 of GDPR, with NetLine unless expressly agreed in writing.
- You confirm that you will cooperate fully with any reasonable requests for information from NetLine and/or NetLine clients about your Processing of Personal Data. To the extent necessary to enable all parties to comply with their obligations under Applicable Laws you will permit NetLine and/or NetLine clients to conduct an audit of your compliance with this DPA and Applicable Laws.
Applicable Laws means, as in effect from time to time, all provisions of constitutions, statutes, national implementing legislation, rules, regulations and orders of governmental bodies or regulatory agencies applicable anywhere in the world relating to data security, data protection and/or privacy (including, to the extent applicable, the EU General Data Protection Regulation 2016/679 and the EU Directive 2002/58/EC concerning the protection of privacy in the electronic communications sector).
GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
NetLine Personal Data means any Personal Data collected or received by you for and on behalf of NetLine or its clients, whether received from Data Subjects, third parties or NetLine.
EU Model Clauses means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to Processors or Controllers established in third countries (but which shall exclude any contractual clauses designated by the European Commission as optional in that decision), as amended or replaced from time to time by the European Commission.
The terms "controller", "data subject", "personal data", "processing", "processor", and "supervisory authority" as used in these Data Processing Terms have the meanings given in the GDPR.
Supplier agrees that this DPA shall take effect immediately.