Data processing addendum

Note to copy:
The Fenlora Data Processing Addendum is made available at https://fenlora.com/legal/dpa/.

For Customers that would like to receive a signed copy of the Fenlora Data Processing Addendum, we have made this copy available to you. This copy includes signatures on the Data Processing Addendum version last modified June 10, 2024. Fenlora and its affiliates do not accept any changes to be made in this copy unless agreed by the Parties and made in writing.
Please note that we update the Data Processing Agreement as we describe in the ‘Amendments’ article below. Current Data Processing Agreement terms are available at “https://fenlora.com/legal/dpa/”.

If you have any questions, please contact your Fenlora representative.
This Data Processing Addendum (“DPA”) forms part of the Master Subscription Agreement or other written or electronic agreements between Fenlora and Customer (the “Agreement”) for the purchase of online services from Fenlora (identified either as “Services” or otherwise in the applicable agreement, and hereinafter defined as “Services”) to reflect the parties’ agreement with regard to the Processing of Personal Data.

By signing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent Fenlora processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the Services to Customer pursuant to the Agreement, Fenlora may Process Personal Data on behalf of Customer, and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. For the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules.

DATA PROCESSING TERMS

  1. DEFINITIONS
“Authorized Affiliate” means any of Customer's Affiliate(s) which (i) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states and/or the United Kingdom, and/or any other data protection laws and regulations from other countries in which Customer or its Authorized Affiliate is based or provides services, including but not limited to the Republic of Brazil, and (ii) is permitted to use the Services pursuant to the Agreement between Customer and Fenlora but has not signed its own Order Form with Fenlora and is not a “Customer” as defined under the Agreement.
“Fenlora Affiliate” means any company in which Fenlora is a shareholder and/or has a say in its management.
“CPRA” means the California Privacy Rights Act 2020, and its implementing regulations, as the same may be amended from time to time.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Customer Data” shall mean all electronic data or information submitted by or on behalf of Customer to, or collected from the Customer Application by the Fenlora Services.
“Data Protection Laws and Regulations” means all laws and regulations, including GDPR, and CPRA, applicable to a Party in its use or provision of the Services, in connection with the Processing of Personal Data under the Agreement.
“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
“Data Subject Right” means any right afforded to a Data Subject under Data Protection Laws and Regulations, including the rights to access, rectify, restrict the Processing of Personal Data, erasure (including the right to be forgotten), data portability, objecting to the Processing, or to not be subject to an automated individual decision making.
“Documentation” means any printed or digital document, Fenlora Academy content, presentation, information or document shared in relation to Fenlora products and services and Fenlora's data processing activities.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any information relating to an identified or identifiable natural person where such data is Customer Data.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Personal Data Breach” means a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise Processed by Fenlora or its Sub-processors of which Fenlora becomes aware.
“Security, Privacy and Architecture Datasheet” means the Security, Privacy and Architecture Datasheet for the Fenlora Services, as updated from time to time.
“Standard Contractual Clauses” or “SCC” means the agreement by and between Customer and Fenlora, pursuant to the European Commission’s decision on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, a copy of which can be found at https://www.fenlora.com/legal.
“Sub-processor” means any Processor engaged by Fenlora or its Affiliates engaged in the Processing of Personal Data.
2. PROCESSING OF PERSONAL DATA
2.1.Details of the Processing. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Fenlora is the Processor and that Fenlora or its Affiliates engaged in the Processing of Personal Data will engage Sub-processors pursuant to the requirements set forth in Schedule 2 “Sub-processors” below. The subject-matter of Processing of Personal Data by Fenlora is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 3 (Details of the Processing) to this DPA.

2.2.Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer is responsible for all actions taken by Customer or its Users in the Customer’s Account(s) and for Users’ compliance with this Agreement. Customer shall provide adequate notice and obtain valid consent for the use of tracking technologies used by the Fenlora Services in creating End User profiles which, if Customer is established in the EEA or if Customer uses the Fenlora Services in relation to EEA residents, must comply with arts. 13 and 7 GDPR. This DPA and the Agreement are, at the time of signature of the Agreement, Customer’s complete and final documented instructions to Fenlora for the Processing of Personal Data, and Customer’s configuration of the Services shall constitute an additional instruction to Fenlora. Any additional or alternate instructions must be agreed upon separately. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired the Personal Data.

2.3.Fenlora’s Processing of Personal Data. Fenlora shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of Customer and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Customer’s Users in their use of the Services; (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement and (iv) Processing when it sells services based on the given intellectual property right; on the grounds of data transfers to be made in order to provide the service to the main owner of the right. Fenlora will Process Personal Data in compliance with applicable Data Protection Laws and Regulations, provided however that Fenlora shall not be in violation of this contractual obligation in the event that Fenlora's Processing of Personal Data in non-compliance with applicable Data Protection Laws and Regulations is due to Customer.
3.RIGHTS OF DATA SUBJECTS
3.1.Data Subject Requests. Fenlora shall, to the extent legally permitted and to the extent Fenlora has been able to identify that the request comes from a Data Subject whose Personal Data was submitted to the Services by Customer, promptly notify Customer if Fenlora receives a request from a Data Subject in relation to the exercise of any Data Subject Right (“Data Subject Request”). Fenlora will confirm to the Data Subject that it has passed the request to the Customer, but Fenlora shall not handle or execute the Data Subject Request.

3.2.Taking into account the nature of the Processing, Fenlora shall assist Customer by providing appropriate and necessary technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.

4.FENLORA PERSONNEL
4.1.Confidentiality. Fenlora shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Fenlora shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4.2.Reliability. Fenlora shall take commercially reasonable steps to ensure the reliability of any Fenlora personnel engaged in the Processing of Personal Data.

4.3.Limitation of Access. Fenlora shall ensure that Fenlora’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.

4.4.Data Protection Officer. Fenlora has appointed a data protection officer for Fenlora and its Affiliates. The appointed person can be reached at privacy@fenlora.com.
5.SUB-PROCESSORS
5.1.Appointment of Sub-processors. Customer acknowledges and agrees that (a) Fenlora’s Affiliates may be retained as Sub-processors; and (b) Fenlora and Fenlora’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. Fenlora or a Fenlora Affiliate has entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Personal Data to the extent applicable to the nature of the product and/or services provided by such Sub-processor.

5.2.List of Current Sub-processors and Notification of New Sub-processors. Attached hereto as Schedule 2 is a current list of Sub-processors for the Services. Such Sub-processors list shall include the identities of those Sub-processors, their country of location as well as the type of processing they perform. Fenlora will notify Customer of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services.

5.3.Objection Right for New Sub-processors. Customer may object to Fenlora’s use of a new Sub-processor by notifying Fenlora promptly in writing within ten (10) business days after receipt of Fenlora’s notice in accordance with Schedule 2. In the event Customer objects to a new Sub-processor, as permitted in the preceding sentence, Fenlora will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Fenlora is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Fenlora without the use of the objected-to new Sub-processor, by providing written notice to Fenlora. Fenlora will refund to Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.

5.4.Liability for Sub-processors. Fenlora shall be liable for the acts and omissions of its Sub-processors to the same extent Fenlora would be liable if performing the services of each Sub-processor directly under the terms of this DPA.
6.SECURITY
6.1.Controls for the Protection of Customer Data. Fenlora shall maintain appropriate technical and organizational measures for protection of the security (including protection against Personal Data Breach), confidentiality and integrity of Customer Data, as set forth in the Security, Privacy and Architecture Datasheet attached hereto as Schedule 1. Fenlora regularly monitors compliance with these measures. Customer is responsible for reviewing the information made available by Fenlora relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws and Regulations. Customer acknowledges that the security measures described within the Security, Privacy and Architecture Datasheet are subject to technical progress and development and that Fenlora may update or modify such document from time to time provided that such updates and modifications do not result in a material decrease of the overall security of the Services during a subscription term.

6.2.Customer Data Incident Management and Notification. Fenlora maintains security incident management policies and procedures specified in the Security, Privacy and Architecture Datasheet and shall notify Customer without undue delay after becoming aware of a Personal Data Breach. Fenlora shall provide information to Customer necessary to enable Customer to comply with its obligations under Data Protection Laws and Regulations in relation to such Personal Data Breach. The content of such communication to Customer will (i) include the nature of Processing and the information available to Fenlora, and (ii) take into account that under applicable Data Protection Laws and Regulations, Customer may need to notify regulators or individuals of the following:
(a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of Personal Data records concerned; (b) a description of the likely consequences of the Personal Data Breach; and (c) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Fenlora shall make commercially reasonable efforts to identify the cause of such Personal Data Breach and take those steps as Fenlora deems necessary and reasonable in order to remediate the cause of such Personal Data Breach to the extent the remediation is within Fenlora’s reasonable control. The obligation to remediate the cause of a Personal Data Breach shall not apply to Personal Data Breaches that are caused by Customer or Customer’s Users.

6.3.Third-Party Certifications and Audits. Fenlora has obtained the third-party certifications and audits set forth in the Security, Privacy and Architecture Datasheet. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, Fenlora shall make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of Fenlora and that is subject to confidentiality obligations substantially similar to those set forth in the Agreement) a copy of Fenlora’s then most recent third-party audits or certifications, as applicable, that Fenlora makes available to its customers generally.
7.RETURN AND DELETION OF CUSTOMER DATA
Fenlora shall return Customer Data by enabling Customer to export its Customer Data as set forth in the Agreement and shall delete Customer Data, in accordance with this DPA, the Agreement, applicable laws and the Documentation.
8.AFFILIATES
8.1.Relationship between Fenlora and Customer’s Authorized Affiliates. The parties acknowledge and agree that, by executing the Agreement, the Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing an independent DPA between Fenlora and each such Authorized Affiliate, subject to the provisions of the Agreement and this Section 8 and Section 9. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For sake of clarity, an Authorized Affiliate is not and does not become a party to the Agreement and is only a party to this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.

8.2.Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Fenlora under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Affiliates and Authorized Affiliates.

8.3.Data Controller Rights of Affiliates and Authorized Affiliates. Any Affiliate or Authorized Affiliate shall, to the extent required under applicable Data Protection Laws and Regulations, be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
Except where applicable Data Protection Laws and Regulations require the Affiliate or Authorized Affiliate to exercise a right or seek any remedy under this DPA against Fenlora directly by itself, the parties agree that:
solely the Customer that is the contracting party to the Agreement shall exercise any such right (including any Audit right) or seek any such remedy on behalf of such Affiliate or Authorized Affiliate,
the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Affiliate or Authorized Affiliate individually but in a combined manner for all of its Affiliates and Authorized Affiliates together, and
when carrying out an on-site Audit, take all reasonable measures to limit any impact on Fenlora and its Sub-processors by combining, to the extent reasonably possible, several Audit requests carried out on behalf of different Affiliates and Authorized Affiliates in one single Audit.
For the purpose of this Section 8.3, an Affiliate signing an Order Form with Fenlora is not deemed “Customer”.
9.LIMITATION OF LIABILITY
Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates, Fenlora and Fenlora’s Affiliates, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
10.EUROPEAN SPECIFIC PROVISIONS
10.1.Data Protection Impact Assessment. Upon Customer’s request, Fenlora shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Fenlora. Fenlora shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority (as defined in the GDPR) in the performance of its tasks relating to this Section 10.1 of this DPA, to the extent required under the GDPR.

10.2.Infringing instructions. Fenlora shall immediately inform the Customer if, in its opinion, an instruction infringes GDPR.

10.3.European audit right. Where Customer or an Affiliate or an Authorized Affiliate is subject to the privacy laws of the European Union, Switzerland, the European Economic Area and/or their member states and the United Kingdom, Fenlora shall allow for and contribute to audits and inspections (“Audits”) conducted by Customer (or Customer’s independent, third-party auditor that is not a competitor of Fenlora and that is subject to confidentiality obligations substantially similar to those set forth in the Agreement), by providing any information regarding Fenlora’s compliance with the obligations set forth in this DPA in the form of a copy of Fenlora’s then most recent third-party audits or certifications, as applicable, that Fenlora makes available to its customers generally. Where Customer wishes to perform an on-site Audit, Customer may do so up to one (1) time per year, with at least three (3) weeks’ advance written notice, unless otherwise required by Customer’s, or its Affiliate’s or Authorized Affiliate’s regulators or law applicable to either of them. If Customer requests an on-site Audit, the following terms shall apply: (a) such Audit shall be limited to facilities operated by Fenlora; (b) such Audit shall not exceed one (1) business day; (c) before the commencement of any such Audit, Customer and Fenlora shall mutually agree upon the scope, cost and timing of the Audit; and (d) Customer shall promptly notify Fenlora with information regarding any non-compliance discovered during the course of an Audit.

10.4.Transfer mechanism(s) for data transfers. As of the Effective Date of this DPA, with regard to any transfers of Personal Data under this DPA from the European Union, Switzerland, the European Economic Area and/or their member states and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws and Regulations, Fenlora makes available the following transfer mechanism(s) which shall apply, in the order of precedence as set out below, if applicable:
i. Any valid transfer mechanism pursuant to Chapter V “Transfers of personal data to third countries or international organizations” of the GDPR permitting transfer of EU Personal Data outside the EU to which Fenlora would subscribe, certify or participate in.

ii. The Standard Contractual Clauses, in accordance with the following terms:
  • For purposes of the SCC, when and as applicable, Customer and any applicable Authorized Affiliates are each the data exporter, and Customer’s signing of this DPA or an Agreement referencing this DPA, or a Customer’s Affiliate signing an Order Form under an Agreement referencing this DPA, shall be treated as signing of the SCC and their appendices. Fenlora’s signature of this DPA or an Agreement referencing this DPA shall be treated as signing of the SCC and their appendices. In the event of any conflict or inconsistency between this DPA and the SCC, the SCC shall prevail.
  • Schedule 2 of this DPA represents Customer’s express consent regarding existing and new Sub-processors.
11.AMENDMENTS
Notwithstanding anything else to the contrary in the Agreement, we reserve the right to make any updates and changes to this DPA and the terms that apply in the ‘Amendment; No Waiver’ section of the Master Terms will apply.
12.SEVERABILITY
If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
13.California Privacy Rights Act of 2020
If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.