1. Sport Clamps Inc.
hereinafter referred to as: Controller
hereinafter referred to as: Service Provider
hereinafter jointly referred to as: Parties;
The following terms used in this Data Processing Agreement shall have the meaning hereby assigned to them:
The agreement between the Controller and the Service Provider.
1.2 Data Processing Agreement
This agreement including its recitals and annexes.
1.3 Data Subject
The person to whom Personal Data relates.
1.4 Personal Data
Any personal information relating to an identified or identifiable natural person that the Service Provider processes on behalf of the Controller within the scope of the Agreement.
Any operation or any set of operations relating to Personal Data within the scope of the Agreement, carried out by means of automated processes or otherwise, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by means of transmission, disseminating or otherwise making available, aligning or combining, restriction, erasure or destruction.
The major privacy protection laws at the State and federal level.
1.7 Security Breach
A breach of security that accidentally or unlawfully results in the destruction, loss, alteration or unauthorized disclosure or access to unencrypted personal data transmitted, stored or otherwise processed. This also includes encrypted personal information if the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information readable or useable.
2. Subject of this Data Processing Agreement
This Data Processing Agreement regulates the Processing of Personal Data by the Service Provider within the scope of the Agreement.
The nature and the purpose of the Processing, the type of Personal Data, and the categories of Data Subjects are set out in Annex 1.
3. Entry into force and duration
This Agreement shall enter into force on the date it is signed by the Parties.
This Data Processing Agreement shall terminate after and insofar as the Service Provider has deleted or returned all Personal Data in accordance with Article 9.
Neither Party may terminate this Data Processing Agreement prematurely.
Parties may only amend this Agreement by mutual consent. Any amendment or modification of this Agreement or additional obligation assumed by either Party in connection with this Agreement will only be binding if evidenced in writing signed by each Party or an authorized representative of each Party.
4. Scope of Processing Authority of the Service Provider
The Service Provider shall process the Personal Data exclusively on the basis of written instructions from the Controller, except in the case of derogating statutory provisions applicable to the Service Provider.
If, in the opinion of the Service Provider, an instruction as referred to in the first paragraph conflicts with a statutory regulation on data protection, it shall inform the Controller thereof prior to the Processing, unless a statutory regulation prohibits such notification.
If the Service Provider is required to provide Personal Data on the basis of a statutory provision, it shall inform the Controller without delay and, if possible, prior to providing the data.
The Service Provider is not allowed to do any of the following:
- Selling the Personal Data.
- Retaining, using, or disclosing the Personal Data for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the services specified in the contract.
- Retaining, using, or disclosing the information outside of the direct business relationship between the Service Provider and the Controller.
5. Security of the Processing
The Service Provider will endeavour to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure.
Parties recognise that ensuring an appropriate level of security may require additional security measures to be implemented at any time. The Service Provider shall ensure a level of security appropriate to the risk. If and insofar as the Controller explicitly requests this in writing, the Service Provider shall implement additional measures with respect to the security of the Personal Data.
The Service Provider shall not process Personal Data outside the United States of America, unless explicit written consent to do so has been granted by the Controller and subject to derogating statutory obligations.
6. Duty of Confidentiality of Personnel of the Service Provider
The Personal Data is of a confidential nature. The Service Provider is required to maintain the confidentiality of the information and is prohibited from disclosing or using the information other than to carry out the service that is subject of this Data Processing Agreement.
At the request of the Controller, the Service Provider shall demonstrate that its Personnel have undertaken to observe confidentiality. The personal data will only be disclosed to those employees and/or third parties who must necessarily take cognisance of the Personal Data.
This duty of confidentiality shall not apply where the Controller has given express consent to disclose the data to third parties, if disclosure of the data to third parties is logically necessary given the nature of the assignment and the performance of this Data Processing Agreement, or if there is a statutory obligation to disclose the data to a third party.
7. Assistance on account of the rights of the Data Subject
In the event a data subject submits a request to the Service Provider to exercise his/her legal rights, the Service Provider shall forward the request to the Controller, and the Controller shall further handle the request. The Service Provider may inform the data subject accordingly.
The Service Provider shall, to the extent within its power, provide reasonable assistance to the Controller in fulfilling the latter’s obligation to respond to requests of the Data Subject to exercise its rights laid down in the Regulation.
8. Security Breach
The Service Provider shall inform the Controller without unreasonable delay, as soon as it has become aware of a Security Breach.
Information that must at least be provided by the Service Provider shall include:
- The nature of the Personal Data Breach
- The Personal Data and Data Subject
- Likely consequences of the Security Breach
- Measures proposed or implemented by the Service Provider to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects.
The Service Provider shall also inform the Controller of further developments concerning the Security Breach after having reported the breach pursuant to the first paragraph.
Each Party shall bear its own costs relating to the report to the Data Subject.
9. Returning Personal Data
After expiry of the Agreement, the Service Provider shall, at the discretion of the Controller, arrange for the return of all Personal Data to the Controller or for the erasure of all Personal Data. The Service Provider shall remove all copies, except where otherwise provided by law.
10. Obligation to disclose information
The Service Provider shall provide all information necessary to demonstrate that the obligations arising from this Data Processing Agreement have been and are being fulfilled.
The Controller shall have the right to conduct audits to verify compliance with all points of the Data Processing Agreement and everything directly related to this. This audit shall only take place after the Controller has requested similar audit reports from the Service Provider, reviewed them, and put forward reasonable arguments to justify an audit initiated by the Controller.
Such an audit shall be justified in the event of a concrete suspicion of abuse. The Controller shall communicate the audit to the Service Provider in advance, with due observance of a minimum period of two weeks.
The findings in respect of the audit carried out shall be implemented by the Service Provider as soon as possible.
The costs of the audit as described in paragraph 1 shall be borne by the Service Provider, in the event of non-trivial breaches of the obligations arising from the Data Processing Agreement. Otherwise, the costs shall be borne by the Controller.
11. Other Terms and Conditions
The Service Provider shall be liable towards the Controller for all consequences of the breach of this Data Processing Agreement, and shall indemnify the Controller against all claims by third parties, including any penalties, to the extent attributable to the Processor.
In the event that any of the provisions of this Agreement are held to be invalid or unenforceable in whole or in part, all other provisions will nevertheless continue to be valid and enforceable with the invalid or unenforceable parts severed from the remainder of this Agreement.
Certification as required by Section 1798.40 CCPA:
As the person receiving the personal information I hereby certify that I understand the following restrictions and will comply with them.
This agreement prohibits me from:
- Selling the personal information.
- Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
- Retaining, using, or disclosing the information outside of the direct business relationship between myself and the business.
This agreement takes effect when all parties have signed it, and its date is the date next to [or below] the signature of the last signer to sign it.
___________ day of ____________
Annex 1: The Processing of Personal Data
Purpose of the processing
Processes of Customer Orders
Within the scope of the Data Processing Agreement, the Service Provider shall process the following Personal data on the instructions of the Controller:
- Name, Address, City
- Phone number
- Email address
Data subject categories
Personal data of the following groups of persons shall be processed:
Data subject categories
The Controller shall ensure that the purposes, personal data, and categories of data subjects described in this Annex 1 are complete and correct, and shall indemnify the Service Provider against any defects and claims resulting from an incorrect representation by the Controller.