Last modified: September 22, 2022
Declare that they have agreed as follows:
In this Processor’s Addendum, capitalized words and expressions, whether in single or plural, have the meaning specified as set out below:
“Annex” means appendix to this Processor’s Addendum which forms an integral part of it;
“Agreement” means the agreement concluded between the Controller and the Processor with regarding the provision of the Service (as defined in the Agreement);
“Personal Data” means all information relating to an identified or identifiable natural person as referred to in Section 4(1) GDPR;
“Process” means as well as conjugations of this verb: the processing of Personal Data as referred to in Section 4(2) GDPR;
“Processor’s Addendum” means the present addendum;
“Sub Processor” means the sub-contractor hired by the Processor that Processes Personal Data in the context of this Processor’s Addendum on behalf of the Controller, as referred to in Section 28(4) GDPR. All affiliates of Processor will be considered as a Sub Processor.
The provisions of the Agreement apply in full to this Processor’s Addendum. In case provisions with regard to the Processing of Personal Data are included in the Agreement, the provisions of this Processor’s Addendum prevail.
The Controller and the Processor have concluded the present Processing Agreement for the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of data subjects and the purposes of Processing, is included in Annex 1.
The Controller is responsible and liable for the processing of Personal Data in relation to the Agreement and guarantees that Processing is in compliance with all applicable legislation. Controller will indemnify and hold harmless Processor against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee.
The Processor undertakes to Process Personal Data only for the purpose of the activities referred to in this Processor’s Addendum. The Processor guarantees that it will not use the Personal Data which it Processes in the context of this Processor’s Addendum for its own or third-party purposes without the Controller’s express written consent, unless a legal provision requires the Processor to do so. In such case, the Processor shall immediately inform the Controller of that legal requirement before Processing, unless that law prohibits such information on import grounds of public interest.
The Processor will, taking into account the nature of the Processing and insofar as this is reasonable possible, assist the Controller in ensuring compliance with the obligations pursuant to the GDPR to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. The Processor will in any case take measures to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing.
Processor will provide a document which describes the appropriate technical and organizational measures to be taken by the Processor. This document will be attached to this Processor’s Addendum as Annex 2. Controller represents it has assessed these technical and organizational measures to be appropriate within the meaning of the law.
The Processor will require the employees that are involved in the execution of the Agreement to sign a confidentiality statement – whether or not included in the employment agreement with those employees – which in any case states that these employees must keep strict confidentiality regarding the Personal Data.
The Processor will only be permitted to transfer Personal Data outside the European Economic Area if this is done in compliance with the applicable statutory obligations, therefore if:
(i) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 GDPR that covers the onward transfer, or:
(ii) the transfer is based on appropriate safeguards pursuant to Articles 46 or 47 GDPR with respect to the processing in question, or:
(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings, or:
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
The Processor is entitled to outsource the implementation of the Processing on the Controller’s instructions to Sub-processors, either wholly or in part, which parties are described in Annex 3. In case the Processor wishes to engage Sub-processors, the Processor will inform Controller of any intended changes concerning the addition or replacement of other processors. The Controller will be able to object to such changes within 10 working days. The Processor will respond to the objection within 10 working days.
Processor obligates each Sub-processors to contractually comply with the confidentiality obligations, notification obligations and security measures relating to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor’s Addendum.
With regard to the sub-processing by the parties described in Annex 3, Controller agrees:
With regard to the liability and indemnification obligations of Processor under this Processor’s Addendum the stipulation in the Agreement regarding the limitation of liability applies.
Without prejudice to article 7.1 of this Processor’s Addendum, Processor is solely liable for damages suffered by Controller and/or third party claims as a result of any Processing, in the event the specific obligations of Processor under the GDPR are not complied with or in case the Processor acted in violence of the legitimate instructions of the Controller.
In the event the Processor becomes aware of any incident that may have a (significant) impact on the protection of Personal Data, i) it will notify the Controller without undue delay and ii) will take all reasonable measures to prevent or limit (further) violation of the GDPR.
The Processor will, insofar as reasonable, provide all reasonable cooperation requested by the Controller in order for Controller to comply with its legal obligations relating to the identified incident.
The Processor will, insofar as reasonable, assist the Controller with the Controller’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) GDPR. Processor is never held to report a personal data breach with the Data Protection Authority and/or the data subject.
Processor will not be responsible and/or liable for the (timely and correctly) notification obligation to the relevant supervisor and/or data subjects, as meant in Section 33 and 34 GDPR.
The Processor will, insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of data subjects, in particular the right of access (Section 15 GDPR), rectification (Section 16 GDPR), erasure (Section 17 GDPR), restriction (Section 18 GDPR), data portability (Section 20 GDPR) and the right to object (Section 21 and 22 GDPR). The Processor will forward a complaint or request from a data subject with regard to the Processing of Personal Data to the Controller as soon as possible, as the Controller is responsible for handling the request. The Processor is entitled to charge any costs associated with the cooperation with the Controller.
The Processor will, insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to carry out a data protection impact assessment (Section 35 and 36 GDPR).
The Processor will provide the Controller with all the information reasonably necessary to demonstrate that the Processor fulfills its obligations under the GDPR. Furthermore, the Processor will – at the request of the Controller – enable and contribute to audits, including inspections by the Controller or an auditor that is authorized by the Controller, provided Parties reach prior written agreement on the cope of such audit. In case the Processor is of the opinion that an instruction relating to the provisions of this paragraph infringes the GDPR or other applicable data protection legislation, the Processor will inform the Controller immediately. The Processor is entitled to charge any possible costs with the Controller.
With regard to the termination under this Processor’s Addendum the specific provisions of the Agreement apply. Without prejudice to the specific provisions of the Agreement, the Processor will, at the first request of the Controller, delete or return all the Personal Data, and delete all existing copies, unless the Processor is legally required to store (part of) the Personal Data.
The Controller will adequately inform the Processor about the (statutory) retention periods that apply to the Processing of Personal Data by the Processor.
The obligations laid down in this Processor’s Addendum which, by their nature, are designed to continue after termination will remain in force also after the termination of this Processor’s Addendum.
The choice of law and competent court comply with the applicable provisions of the Agreement.
TYPE OF PERSONAL DATA:
PaymentInformation ShopperEmailAddress Contact Info Confidential – GDPR
Emailings CustomEmailAddress Contact Info Confidential – GDPR
Emailings EmailTypeCode Contact Info Confidential – GDPR
AirplayAccounts EmailAddress Contact Info Confidential – GDPR
Addresses City Contact Info Confidential – GDPR
Addresses Street Contact Info Confidential – GDPR
Addresses ZipCode Contact Info Confidential – GDPR
Companies EmailAddress Contact Info Confidential – GDPR
PersonArchives Addresses Contact Info Confidential – GDPR
PersonArchives DateOfBirth Date of Birth Confidential – GDPR
PersonArchives EmailAddress Contact Info Confidential – GDPR
PersonArchives Emails Contact Info Confidential – GDPR
PersonArchives ExtraEmailAddressesJson Contact Info Confidential – GDPR
PersonArchives Firstname Name Confidential – GDPR
PersonArchives IpAddress Networking Confidential – GDPR
PersonArchives Lastname Name Confidential – GDPR
PersonArchives PhoneNumbers Contact Info Confidential – GDPR
Persons DateOfBirth Date of Birth Confidential – GDPR
Persons EmailAddress Contact Info Confidential – GDPR
Persons ExtraEmailAddressesJson Contact Info Confidential – GDPR
Persons Firstname Name Confidential – GDPR
Persons IpAddress Networking Confidential – GDPR
Persons Lastname Name Confidential – GDPR
Persons Loyalty ID Contact Info Confidential – GDPR
Persons GenderCode Name Confidential – GDPR
CATEGORIES OF DATA SUBJECTS:
PURPOSES OF PROCESSING:
Google Ireland Ltd