This Data Processor Addendum - GDPR (this “Addendum”) forms part of the Master Subscription Agreement (the “Agreement”) between CREWHU, LLC (“CrewHu,” “we,” “our,” and “us”) and our customers (“you” or “your”) with respect to the collection, processing and destruction of personal data of certain Users obtained by us in connection with our Services and protected by GDPR. Capitalized terms used herein and not otherwise defined, shall have the meanings set forth in the Agreement.
We agree to comply with the European Union General Data Protection Regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
3.1 In connection with our delivery of Services to you, we will process certain categories and types of your, your employees’, and your customers’ personal data on your behalf.
3.2 “Personal Data” includes “any information relating to an identified or identifiable natural person” as set forth in GDPR, article 4(1)(1) (the “Personal Data”). The categories and types of Personal Data processed by us on your behalf are listed in Appendix A. We only perform processing activities that are necessary and relevant to perform the Services. The parties shall update Appendix A whenever changes occur that necessitate an update.
3.3 We shall have and maintain a register of processing activities in accordance with GDPR, article 32 (2).
4.1 We may only act and process the Personal Data in accordance with the documented instruction from you (the “Instruction”). The Instruction at the time of entering into this Addendum is that we may only process the Personal Data for purposes of delivering the Services in accordance with the Agreement.
4.2 You warrant, represent, and guarantee that the Personal Data transferred to us is collected and processed by you in accordance with applicable law, including GDPR and the legislative requirements in respect to consent and lawfulness of processing.
4.3 We will give you notice without undue delay if we consider the Instruction to be in conflict with GDPR.
5.1.1. We shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless otherwise agreed to in writing by you.
5.1.2. We shall not share, sell, rent, or lease the Personal Data to any third party, government agency, or company at any time unless compelled to do so by law.
5.1.3. Our employees are required to treat all the Personal Data under this Addendum with strict confidentiality.
5.2 We shall implement the appropriate technical and organizational measures as set out in this Addendum and in accordance with GDPR, article 32. These include:
5.2.1. SSL with 256-bit encryption
5.2.2. Fully secured server infrastructure, with dedicated servers, automated backups, and routinely updated security patches
5.2.3. Privacy Shield standards for Data Transfers via Amazon Web Services.
5.3 We shall ensure that access to the Personal Data is restricted to only the employees to whom it is necessary and relevant to process the Personal Data in order for us to perform our obligations under the Agreement and this Addendum.
5.4 We shall also ensure that our employees only process the Personal Data in accordance with the Instruction.
5.5 If our assistance is necessary and relevant, we shall assist you in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.
5.6 Rights of Data Subjects
5.6.1 If you receive a request from a data subject for the exercise of the data subject’s rights under GDPR and the correct and legitimate reply to such a request necessitates our assistance, we shall assist you by providing the necessary information and documentation. We shall be given 30 days to assist you with such requests in accordance with GDPR and/or applicable law.
5.6.2 If we receive a request from a data subject for the exercise of the data subject’s rights under GDPR and such request is related to your Personal Data, we must immediately forward the request to you and must refrain from responding to the person directly.
5.7 Personal Data Breaches
5.7.1 We shall give you notice without undue delay, and no later than 72 hours, if a breach of data security occurs that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed, in respect of the Personal Data processed on your behalf (a “Personal Data Breach”).
5.7.2 We shall have and maintain a register of all Personal Data Breaches. The register shall at a minimum include the following:
A description of the nature of the Personal Data Breach, including, if possible, the categories and the approximate number of affected Data Subjects and the categories and the approximate number of affected registrations of personal data.
A description of the likely as well as actually occurred consequences of the Personal Data Breach.
A description of the measures that we have taken or propose to take to address the Personal Data Breach, including, where appropriate, measures taken to mitigate its adverse effects.
5.7.3 The register of Personal Data Breaches shall be provided to you in copy if so requested in writing by you or the relevant Data Protection Authority.
5.8 Documentation of Compliance
5.8.1 After your written request, we shall provide documentation substantiating that:
We comply with our obligations under this Addendum and the instruction; and
We comply with the GDPR in respect of the processing of your Personal Data.
5.8.2 Our documentation of compliance shall be provided within reasonable time following your written request.
5.9 Location of Personal Data
5.9.1 Personal Data is processed by us on our Amazon Web Services (AWS) based Infrastructure.
5.9.2 Any transfers of the Personal Data to any third countries or international organizations shall only be done to the extent such transfer is permitted and done in accordance with GDPR.
6.1 We are given general authorization to engage third parties to process the Personal Data (“Sub-Processors”) without obtaining any further written, specific authorization from you, provided that we notify you in writing about the identity of a potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processor and before the relevant Sub-Processor processes any of the Personal Data. If you wish to object to the relevant Sub-Processor, you shall give notice hereof in writing within seven (7) calendar days from receiving the notification from us. Absence of any objection from you shall be deemed consent to the relevant Sub-Processor.
6.2 We shall conclude a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to us, including the obligations under this Addendum. We shall on an ongoing basis monitor and verify our Sub-Processors’ compliance with GDPR. Documentation of such monitoring and control shall be provided to you if so requested in writing.
6.3 We are accountable to you for any Sub-Processor in the same way as for our own actions and omissions.
6.4 At the time of entering into this Addendum, we are using the Sub-Processors listed in Appendix B. If we initiate sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in Appendix B.
7.1 You shall remunerate us, based on our hourly rates, for time spent performing the obligations under sections 5.5, 5.6, 5.7 and 5.8 of this Addendum.
7.2 We are also entitled to remuneration for any time and material used to adapt and change the processing activities in order to comply with any changes to your Instruction, including implementation costs and additional costs required to deliver the Services due to the change in the Instruction. We are exempted from liability for non-performance of the Agreement if the performance of the obligations under the Agreement would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case: (i) if the changes to the Instruction cannot technically, practically or legally be implemented; (ii) where you explicitly require that the changes to the Instruction shall be applicable before the changes can be implemented; and (iii) in the period of time until the Agreement is changed to reflect the new Instruction and the commercial terms hereof.
7.3 If changes to GDPR, including new guidance or court rulings, result in additional costs to us, you shall indemnify us for such additional costs.
8.1 Except with respect to your indemnification obligations under Section 8.2 below, the limitation of liability provisions of the Agreement are applicable to any and all claims and damages arising under this Addendum.
8.2 You shall be responsible for any breach of this Addendum, including without limitation, your obligation to comply with GDPR, and shall indemnify and hold us harmless from and against any and all liabilities, claims, causes of action, costs and expenses (including attorneys’ fees and expenses) arising out of the breach of this Addendum and/or any failure to comply with GDPR, by you or your representatives.
10.1 Our authorization to process Personal Data on your behalf shall terminate upon the termination of this Addendum or the Agreement, whichever is earlier. Notwithstanding the foregoing, we may continue processing the Personal Data for up to three (3) months after the termination of the Addendum or the Agreement to the extent necessary to comply with GDPR or applicable law and doing so shall be deemed permitted under the Instruction. During such period, we are authorized to include the Personal Data in our backup.
10.2 Following the termination of this Addendum and upon your written request, we and our Sub-Processors shall return the Personal Data processed under this Addendum to you, provided that you are not already in possession of the Personal Data. We agree to anonymize or delete all the Personal Data and provide you documentation for such anonymization or deletion within a reasonable time following such termination and upon your written request.
We process the following types of Personal Data about the following categories of data subjects on your behalf in connection with our delivery of Services:
The following Sub-Processors shall be considered approved by you at the time of entering into this Addendum: