Last updated: November 9th, 2021
This Data Processing Agreement (“DPA”) is entered into between ProWebGroup OU (“Brizy”) and Customer (jointly “the Parties”), and forms a part of the Services Agreement between the Parties, and reflects the Parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws.
By signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent Brizy processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates.
This DPA is effective on the date that it has been duly executed by both Parties (“Effective Date”), and amends, supersedes, and replaces any prior data processing agreements that the Parties may have entered into. Any modifications to the terms of this DPA (whether handwritten or otherwise) will render this DPA ineffective unless Brizy has separately agreed to those modifications in writing.
1.1. Affiliate - means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. Authorised Affiliate - means Customer's Affiliate(s) which (a) are subject to Data Protection Laws; (b) are permitted to use the Services pursuant to the Agreement between Customer and Brizy; and (c) have not signed their own Services Agreement with Brizy and are not "Customers" as defined under this DPA.
1.3. CCPA - means the California Consumer Privacy Act of 2018 (California Civil Code sections 1798.100 - 1798.199) and its accompanying regulations.
1.4. Controller - means the entity that determines the purposes and means of the Processing of Personal Data. For purposes of this DPA, Customer is the Controller. For the purposes of this DPA, all references to Controller shall also mean “business” as defined in the CCPA for CCPA purposes.
1.5. Covered Services or Services - means the services that are ordered by the Customer from Brizy involving the Processing of Personal Data on behalf of the Customer.
1.6. Customer - means the entity that signed the Services Agreement and that determines the purposes and means of Processing of Personal Data. The Customer is considered the “Controller” of the Personal Data provided pursuant to this DPA.
1.7. Data Breach - means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer’s Personal Data transmitted, stored, or otherwise Processed.
1.8. Data Protection Laws - means any applicable law, statute, regulation or order by governmental authority of competent jurisdiction, or any judgment, decision, decree, injunction, writ, order, subpoena, or like action of any court, arbitrator or other government entity, and at all times during the term of the Services Agreement, including the laws of the European Union, the UK Data Protection Act 2018, the GDPR, and the CCPA, all as amended or replaced from time to time, and any other foreign or domestic laws to the extent that they are applicable to a party in the course of its performance of the Services Agreement.
1.9. Data Subject - means either: 1) the individual within the European Economic Area and the United Kingdom to whom Personal Data relates for GDPR purposes, or 2) a “consumer,” as such term is defined in the CCPA for CCPA purposes.
1.10. GDPR - means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.11. Personal Data - means either: 1) data about a specific natural person within the European Economic Area or the United Kingdom from which that person is identified or identifiable, as defined in GDPR or 2) “personal information” as defined in the CCPA for CCPA purposes, which is provided by or on behalf of Customer and Processed by Brizy pursuant to the Services Agreement.
1.12. Processing - means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.13. Processor - means the entity which Processes Personal Data on behalf of the Controller. For purposes of this DPA, Brizy, including its Affiliates, is the Processor. For the purposes of this DPA, all references to Processor shall also mean “service provider” as defined in the CCPA for CCPA purposes.
1.14. Regulator - means any supervisory authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Services or the Processing of Personal Data.
1.15. Services Agreement - means any services agreement including, but not limited to, Brizy’s online terms (available at https://www.brizy.io/terms-and-conditions) between Brizy and Customer under which Covered Services are provided by Brizy to Customer.
1.16. Standard Contractual Clauses - means the annex found in the European Commission decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available as of August 1, 2021 at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj).
1.17. Sub-processor - means any Processor engaged by Brizy to Process Personal Data on behalf of Brizy.
This DPA supplements the Services Agreement and in the event of any conflict between the terms of this DPA and the terms of the Services Agreement, the terms of this DPA prevail with regard to the specific subject matter of this DPA.
3.1. Roles of the Parties - The Parties acknowledge and agree that Brizy will Process the Personal Data in the capacity of a Processor and that Customer will be the Controller of the Personal Data.
3.2. DPO - The Parties, to the extent required by the GDPR, will each designate a data protection officer (a “DPO”) and provide their contact details to the other Party where required by Data Protection Laws.
4.1. Instructions - Customer warrants that the instructions it provides to Brizy pursuant to this DPA will comply with Data Protection Laws.
4.2. Data Subject and Regulator Requests - Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Data Protection Laws and all communications from Regulators that relate to the Personal Data, in accordance with Data Protection Laws. To the extent such requests or communications require Brizy’s assistance, Customer shall immediately notify Brizy in writing of the Data Subject’s or Regulator’s request.
4.3. Notice, Consent, and Other Authorizations - Customer agrees that the Personal Data it collects shall be in accordance with Data Protection Laws, including all legally required consents, bases of processing, approvals, and authorizations. Upon Brizy’s request, Customer shall provide all information necessary to demonstrate compliance with these requirements.
5.1. The following table sets out the details of Processing:
Purposes the Personal Data shall be processed
Description of the categories of the data subjects
Description of the categories of Personal Data
Description of special categories of Personal Data
6.1. Scope of Processing - Brizy will Process the Personal Data on documented instructions from Customer in such manner as is necessary for the provision of Services under the Services Agreement, except as may be required to comply with any legal obligation to which Brizy is subject. Brizy may make reasonable efforts to inform customers if, in its opinion, the execution of an instruction relating to the Processing of Personal Data could infringe on any Data Protection Laws. In the event Brizy must Process or cease Processing Personal Data for the purpose of complying with a legal obligation, Brizy will inform the Customer of that legal requirement before Processing or ceasing to Process, unless prohibited by the law.
6.2. Disclosure to Third Parties - Except as expressly provided in this DPA, Brizy will not disclose Personal Data to any third party without Customer’s consent. If requested or required by a competent governmental authority to disclose the Personal Data, to the extent legally permissible and practicable, Brizy will provide Customer with sufficient prior written notice in order to permit Customer the opportunity to oppose any such disclosure.
6.3. GDPR Articles 32-36 - Taking into account the nature of the Processing and the information available to Brizy, Brizy will provide reasonable assistance to Customer in complying with its obligations under GDPR Articles 32-36, which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation.
7.1. Scope - Brizy will maintain records of its Processing activities carried out on behalf of Customer and will make available to Customer the information reasonably necessary to demonstrate its compliance with the obligations set out in this DPA. Brizy may limit the scope of information made available to Customer if Customer is a Brizy competitor, provided that such limitation does not violate Data Protection Laws or the Standard Contractual Clauses. Customer’s inspection rights under this DPA do not extend to Brizy’s employee payroll, personnel records or any portions of its sites, books, documents, records, or other information that do not relate to the Services or to the extent they pertain to third parties.
7.2. Process - Subject to thirty (30) days prior written notice from Customer and at the Customer's additional expense (including all reasonable costs and fees for any and all time Brizy expends on such audit, in addition to the rates for services performed by Brizy), Brizy and Customer shall mutually agree to appoint a third-party auditor to verify that Brizy is in compliance with the obligations under this DPA. In no event shall the Parties agree to a third-party auditor that is a competitor to Brizy. Audits and inspections will be carried out at mutually agreed times during regular business hours. Customers shall be entitled to exercise this audit right no more than once every twelve (12) months. Customers shall not be entitled to an on-site audit of Brizy’s premises without demonstrating a compelling need for such an on-site audit. The Parties shall mutually agree upon the duration of the audit.
7.3. Confidentiality - All information obtained during any such request for information or audit will be considered Brizy’s confidential information under the Services Agreement and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed Brizy’s confidential information. The third party auditor may only disclose to Customer specific violations of this DPA if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.
Customer hereby gives its general authorisation for Brizy to engage new Sub-processors in connection with the processing of the Personal Data as set forth in clause 9 of the Standard Contractual Clauses. A list of Brizy’s current Sub-processors is located at https://www.brizy.io/privacy-policy#subprocessors. Customers must sign up at the aforementioned URL to receive email notifications concerning the addition of new Sub-processors. Customers may reasonably object to the addition of any new Sub-processor within 15 calendar days of receiving such email notification, in which case Brizy will use reasonable efforts to make a change in the Service or recommend a commercially reasonable change to avoid processing by such Sub-processor. If Brizy is unable to provide an alternative, Customer may terminate the Services and shall pay Brizy any fees or expenses not yet paid for all services provided pursuant to any Services Agreement. If Customer fails to sign up for these email notifications, Customer shall be deemed to have waived its right to object to the newly added Sub-processor(s).
9.1. Transfer - Customer acknowledges that Brizy may, without Customer’s prior written consent, transfer the Personal Data to a foreign jurisdiction provided such transfer is either (i) to a country or territory which has been formally recognized by the European Commission as affording the Personal Data an adequate level of protection or (ii) the transfer is otherwise safeguarded by mechanisms, such as Standard Contractual Clauses and other certification instruments, recognized and approved by the European Commission from time to time.
9.2. Standard Contractual Clauses - If Customer’s use of the Services involves Customer’s transfer of Personal Data from the United Kingdom or European Economic Area to Brizy, or if entering into the Standard Contractual Clauses set forth in the Appendix to this DPA with Brizy would otherwise help Customer satisfy a legal obligation relating to the international transfer of Personal Data, then (i) by entering into this DPA, the Parties are deemed to be signing such Standard Contractual Clauses, including each of its applicable Annexes and (ii) such Standard Contractual Clauses form part of this DPA and take precedence over any other provisions of this DPA to the extent of any conflict.
To the extent that the CCPA applies, Brizy agrees it will not: (a) sell California Data Subjects’ Personal Data (as “sell” is defined in the CCPA); (b) retain, use, or disclose California Data Subjects’ Personal Data for a commercial purpose other than providing the services specified in the Services Agreement; (c) retain, use, or disclose California Data Subjects’ Personal Data outside of the direct business relationship between Processor and Customer. Brizy certifies that it understands these restrictions set out in this section and will comply with them.
Termination or expiration of this DPA shall not discharge the Parties from their obligations that by their nature may reasonably be deemed to survive the termination or expiration of this DPA.
Any claims brought under this DPA will be subject to the same terms and conditions, including the exclusions and limitations of liability, as are set out in the Services Agreement.
Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this Agreement.