Data Processing Addendum

  1. GDPR. For purposes of this Addendum, Operator is acting as a controller and Marketplacer is acting as a processor. The terms controller, personal data, processor, processing, and pseudonymisation have the definitions set forth in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR).
  2. Processor. Operator agrees that Marketplacer can process information for individuals and companies on Operator’s behalf for the purpose of performing the Services for as long as Operator has an Agreement with Marketplacer. Marketplacer may use another processor (subprocessor) to collect, process or store information received by Marketplacer. A list of Marketplacer’s current subprocessors is maintained at
  3. Instructions. Marketplacer shall process the personal data only on documented instructions from Operator as set out in Section 2, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which Marketplacer is subject; in such a case, Marketplacer shall inform Operator of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  4. Safeguards. Marketplacer shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Marketplacer shall implement appropriate technical and organizational measures to safeguard personal data, which shall meet the requirements of the GDPR (Article 32). Marketplacer may update or modify these measures from time to time provided that such updates or modifications do not result in any material degradation of the security of personal data.
  5. Subprocessor. Marketplacer is permitted to appoint a subprocessor to process personal data provided that:
    1. Marketplacer enters into a written contract with the subprocessor on comparable terms to those set out in this Addendum;
    2. if requested by Marketplacer by notice to, Marketplacer shall inform Operator of any intended changes concerning the addition or replacement of any subprocessor by email to give Operator the opportunity to object to such changes; and
    3. where a subprocessor fails to fulfil its data protection obligations, Marketplacer shall remain fully liable to Operator for the performance of the subprocessor’s obligations.
  6. Subprocessor Objections. If Operator has a reasonable basis to object to Marketplacer’s use of a new subprocessor on grounds of such subprocessor’s non-compliance with this Addendum, Operator shall notify Marketplacer in writing within 15 days after receipt of Marketplacer’s notice under Section 5(c). If Marketplacer does not change the subprocessor Operator objected to within 60 days of receiving Operator’s notice Operator may terminate the Agreement.
  7. Requests. Taking into account the nature of the processing, Marketplacer shall provide commercially reasonable assistance to Operator by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Operator’s obligation to respond to a request from a data subject to exercise the data subject’s right of access, right to rectification, restriction of processing, erasure, data portability, object to the processing or his/her rights not to be subject to an automated individual decision making. To the extent legally permitted, Operator shall be responsible for any costs arising from Marketplacer’s provision of such assistance. Marketplacer shall assist Operator in complying with the obligations of Articles 32 and 36 of the GDPR, taking into account the nature of processing and the information available to Marketplacer.
  8. Deletion of Data. At Operator’s choice and to the extent Marketplacer has any personal data, Marketplacer shall delete or return all personal data to Operator after the end of the provision of Services relating to personal data, and delete existing copies of personal data unless the Union or Member State law requires storage of personal data by Marketplacer.
  9. Compliance. Upon Operator’s written request, Marketplacer shall make available to Operator the information necessary to demonstrate compliance with the obligations set out in the GDPR and allow for and contribute to audits, including inspections, conducted by Operator or another auditor mandated by Operator. Operator agrees to give Marketplacer reasonable notice prior to any audit and minimize any disruption to Marketplacer’s business. Operator agrees to pay all costs associated with such audit.Operator agrees to provide Marketplacer with the results of the audit.
  10. Improper Instructions. Marketplacer shall immediately inform Operator if, in Marketplacer’s opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
  11. Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Marketplacer shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    1. the pseudonymisation and encryption of personal data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3.  the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
    4.  a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  12. Security Assessment. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
  13. Breach Notification. Marketplacer shall notify Operator without undue delay after becoming aware of a personal data breach. Marketplacer shall provide all information to Operator so that Operator may comply with the notification obligations of GDPR in the event of a personal data breach.