Last Updated: March 13, 2022
This Data Processing Addendum (“Addendum”) forms part of BehaviorSales’s Terms of Service or other written or electronic agreement (“Agreement”) between (i) Behavior Sales Inc (“BehaviorSales”) and (ii) You (“Client”), each being a “Party” and together the “Parties”, including any written or electronic service orders, purchase orders or other order forms (each an “Order Form”) entered into between BehaviorSales and Client, pursuant to which BehaviorSales provides Services (as defined in the Agreement) to the Client.
The purpose of this Addendum is to reflect the parties’ agreement with regard to the transfer and processing of any Personal Data that is entitled to protection under the EU Data Protection Laws, US EEOC, OFCCP, FCRA regulations or data partner policies, in the course of providing the Services.
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
- “Controller” means the Customer.
- “Customer Data” means any information, data, or materials received by BehaviorSales from Customer and its end users in connection with the use of the Services.
- “Data Subject” means the natural person to whom Personal Data relates.
- “Addendum Effective Date” means, as applicable, (a) May 25, 2018, if Customer has been availing the Services prior to such date; or (b) the date from which the Customer avails the Services if such date is on or after May 25, 2018.
- “GDPR” means the European Union’s General Data Protection Regulation 2016/679.
- “Instructions” means the written, documented instructions, issued by the Controller to the Processor with regard to the processing of Personal Data (including, but not limited to, depersonalizing, blocking, or deletion).
- “Client Personal Data” means any Personal Data Processed by BehaviorSales (i) on behalf of Client (including for the sake of clarity, any Client Affiliate), or (ii) otherwise Processed by BehaviorSales, in each case pursuant to or in connection with instructions given by Client in writing, consistent with the Terms;
- “Controller to Processor SCCs” means the Standard Contractual Clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC set out in Decision 2010/87/EC as the same are revised or updated from time to time by the European Commission;
- “Data Protection Laws” means (i) Directive 95/46/EC and, from May 25, 2018, Regulation (EU) 2016/679 (“GDPR”) together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, and (ii) to the extent not included in sub-clause (i), the Data Protection Act 1998 of the United Kingdom, as amended from time to time, and including any substantially similar legislation that replaces the DPA 1998;
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.
- “Processor” means BehaviorSales.
- “Standard Contractual Clauses” means the clauses attached hereto as Exhibit 1.
- Terms not defined but used herein shall have the meanings assigned to them in the Agreement or the GDPR, as the case may be.
3. Roles of the Parties
The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, and as more fully described in Annex 1 hereto, Client acts as a Controller or Processor, and BehaviorSales acts as a Processor or Other Processor (as defined in section 5.2.4 below).
The Parties expressly agree that Client shall be solely responsible for ensuring timely communications to Client’s Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable Client’s Affiliates or the relevant Controller(s) to comply with such Laws.
4. Description of Personal Data Processing
In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the details of the Processing of the Client Personal Data to be Processed by BehaviorSales pursuant to this Addendum, as required by Article 28(3) of the GDPR. Either Party may make reasonable amendments to Annex 1 by written notice to the other Party and as reasonably necessary to meet those requirements. Annex 1 does not create any obligation or rights for any Party.
5. Data Processing Terms
5.1 Client shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum. As between the Parties, Client shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to BehaviorSales of Client Personal Data. Client agrees not to provide BehaviorSales with any data concerning a natural person’s health, religion, or any special categories of data as defined in Article 9 of the GDPR. Client shall be solely responsible for compliance with applicable Data Protection Laws and ensure that the Client has obtained a Data Subject’s express opt-in consent for accessing personal data for the given Data Subject. In case the Data Subject has not provided express opt-in consent, Client certifies that the personal data including any Data Subject IDs has been provided directly by the Data Subject that the Data Subject would reasonably expect to be used for that purpose, or has been obtained from a public, generally-available resource (such as a directory of members of a professional association, publicly available bio of or tweets by the Data Subject, etc.). Additionally, for Data Subjects covered by GDPR, the Client certifies that accessing is necessary for the purposes of the legitimate interests pursued by the Client, as per Article 6 of the GDPR.
5.2 BehaviorSales shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data and BehaviorSales shall:
5.2.1 process the Client Personal Data relating to the categories of Data Subjects for the purposes of the Terms and for the specific purposes in each case as set out in Annex 1 to this Addendum and otherwise solely on the documented instructions of Client, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Terms including with regard to transfers of Client Personal Data to a third country outside the European Union or an international organization (unless required by Union or Member State law to which BehaviorSales is subject, in which case BehaviorSales shall inform Client of that legal requirement before such Processing, unless that law prohibits such information on important grounds of public interest); BehaviorSales shall immediately inform Client if, in BehaviorSales’s opinion, an instruction infringes applicable Data Protection Laws;
5.2.2 ensure that persons authorized to process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
5.2.3 implement and maintain the technical and organizational measures set out in the Terms and, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Client Personal Data in accordance with Article 32 of the GDPR, and specifically:
(a) pseudonymization and encryption of Client Personal Data;
(b) ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services that process Client Personal Data;
(c) restoring availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and
(d) regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Client’s Personal Data.
Any amendment to such agreed measures that is necessitated by Client shall be dealt with via an agreed change control process between BehaviorSales and Client;
5.2.4 Client (on behalf of the relevant Controller(s), as applicable), hereby expressly and specifically authorizes BehaviorSales to engage another Processor to Process the Client Personal Data (“Other Processor”), and specifically the Other Processors listed in Annex 2 hereto, subject to BehaviorSales’s:
(a) notifying Client of any intended changes to its use of Other Processors listed in Annex 2 by emailing notice of the intended change to Client;
(b) including data protection obligations in its contract with each Other Processor that is materially the same as those set out in this Addendum; and
(c) remaining liable to the Client for any failure by each Other Processor to fulfill its obligations in relation to the Processing of the Client’s Personal Data.
In relation to any notice received under section 5.2.4(a), the Client shall have a period of 30 (thirty) days from the date of the notice to inform BehaviorSales in writing of any reasonable objection to the use of that Other Processor. The parties will then, for a period of no more than 30 (thirty) days from the date of the Client’s objection, work together in good faith to attempt to find a commercially reasonable solution for the Client which avoids the use of the objected-to Other Processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Terms) terminate the relevant Services immediately on written notice to the other Party, without damages, penalty, or indemnification whatsoever;
5.2.5 to the extent legally permissible, promptly notify Client of any communication from a Data Subject regarding the Processing of Client Personal Data, or any other communication (including from a Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in respect of the Client Personal Data and, taking into account the nature of the Processing, assist Client (or the relevant Controller) by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s, Client’s Affiliates’ or the relevant Controller(s)’ obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR; Client agrees to pay BehaviorSales for time and for out of pocket expenses incurred by BehaviorSales in connection with the performance of its obligations under this Section 5.2.5;
5.2.6 upon BehaviorSales’s becoming aware of a Personal Data Breach involving Client Personal Data, notify Client without undue delay, of any Personal Data Breach involving Client Personal Data, such notice to include all information reasonably required by Client (or the relevant Controller) to comply with its obligations under the applicable Data Protection Laws;
5.2.7 to the extent required by the applicable Data Protection Laws, provide reasonable assistance to Client, Client’s Affiliates’ or the relevant Controller(s)’ with its obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and information available to BehaviorSales; Client agrees to pay BehaviorSales for time and for out of pocket expenses incurred by BehaviorSales in connection with any assistance provided in connection with Articles 35 and 36 of the GDPR;
5.2.8 cease Processing the Client Personal Data upon the termination or expiry of the Terms, and at the option of Client, Client’s Affiliates, or the relevant Controller(s) either return or delete (including by ensuring such data is in non-readable format) all copies of the Client Personal Data Processed by BehaviorSales, unless (and solely to the extent and for such period as) Union or Member State law requires the storage of the Personal Data. Notwithstanding the foregoing or anything to the contrary contained herein, BehaviorSales may retain Personal Data and shall have no obligation to return Personal Data to the extent required by applicable laws or regulations obligations. Any such Personal Data retained shall remain subject to the obligations of confidentiality set forth in the Terms; and
5.2.9 make available to Client all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by Client, or an auditor mandated by Client. For the purposes of demonstrating compliance with this Addendum under section 5.2.9, the Parties agree that once per year during the term of the Terms, BehaviorSales will provide to Client, on reasonable notice, responses to cybersecurity and other assessments. Client agrees to pay BehaviorSales for time and for out-of-pocket expenses incurred by BehaviorSales in connection with assistance provided in connection with such audits, responses to cybersecurity, and other assessments.
The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum shall prevail.
To the extent permissible by law, Client shall indemnify and hold harmless BehaviorSales against all (i) losses, (ii) third-party claims, (iii) administrative fines, and (iv) costs and expenses (including, without limitation, reasonable legal, investigatory and consultancy fees and expenses) reasonably incurred in relation to (i), (ii) or (iii), suffered by BehaviorSales and that arise from any breach by Client of this Addendum or of its obligations under applicable Data Protection Laws.
The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.
If you would not like your profile to be available as part of the BehaviorSales product or service, you can opt-out by sending a mail to email@example.com with “Opt-out request” in the subject line. You should provide a list of all email IDs, phone numbers and/or social handles or usernames, or profile links that should not be available as part of the BehaviorSales product or service.
Annex 1: Description of Processing of Client Personal Data
This Annex includes certain details of the Processing of Client Personal Data as required by Article 28(3) GDPR and, as applicable, Controller to Processor SCC.
Subject matter and duration of the Processing of the Personal Data
The subject matter and duration of the Processing of the Client’s Personal Data are set out in Section 1 of the Terms.
The nature and purpose of the Processing of the Personal Data
The nature and purpose of the Processing of the Client’s Personal Data are set out in Section 1 of the Terms.
The categories of Data Subject to whom the Client’s Personal Data relates
Client current and prospective customers, current and prospective employees, vendors, and business partners
The types of Client Personal Data to be Processed
Name, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Location, Related person, Related URL, User ID, Username, Personality, Behavior, Social Activity, Social Connections, Public Content
Special categories of data
The obligations and rights of the Client
The obligations and rights of the Client are set out in the Terms and this Addendum.
Data exporter (as applicable)
The data exporter is: Client of BehaviorSales that uses the Services
Data importer (as applicable)
The data importer is: BehaviorSales, a company that provides services to the Client, which requires receiving the Client’s query data
Processing operations (as applicable)
The personal data transferred will be subject to the following basic processing activities: The provision of BehaviorSales Services to the Client. In order to provide people data, BehaviorSales receives identifying Personal Data to permit BehaviorSales to query, cleanse, standardize, enrich, predict, (when required) send to additional data feed providers, and store the query information.
Annex 2: Other Processors
Name of Other Processor: Amazon
Processing Description: Network, Infrastructure, and Storage through its Azure Cloud
Name of Other Processor: Pipl
Processing Description: Search and Lookup through its Search APIs
Name of Other Processor: Full Contact
Processing Description: Search and Lookup through its Person APIs