Last Updated: May 24th, 2018
Customer on behalf of itself, and for the benefit of its Affiliates ("Customer"), has contracted with Hockeystick.co Inc. ("Hockeystick"), to perform certain processing functions on behalf of the Customer pursuant to a services agreement entered into between them ("Services Agreement"), including the processing of Personal Data (as defined in the Definitions section below).
The purpose of this Agreement is to ensure that Hockeystick provides the services under the Services Agreement ("Services") to Customer in a manner that complies with the Data Protection Legislation (again, as defined below).
In consideration of the continued relationship and the duties stated herein, the parties agree as follows:
1.1 The type of Personal Data processed pursuant to this Agreement, including the subject matter, duration, nature and purpose of the processing, and the categories of data subjects, is as described in Annex 1.
1.2 Each of Hockeystick and Customer warrants that it has complied with (and shall procure that any of its staff and/or subcontractors comply), and undertakes that it shall continue to comply at all times with the Data Protection Legislation.
1.3 In respect of the parties' rights and obligations under this Agreement regarding the Personal Data, the parties hereby acknowledge and agree that Customer is the Data Controller and Hockeystick is the Data Processor and accordingly Hockeystick agrees that it shall process all Personal Data in accordance with its obligations pursuant to this Agreement.
1.4 Each of Hockeystick and Customer shall notify to each other an individual within its organization authorized to respond from time to time to enquiries regarding the Personal Data and each of Hockeystick and Customer shall deal with such enquiries promptly.
1.5 With respect to any Personal Data processed pursuant to this Agreement by Hockeystick for and on behalf of Customer, Hockeystick warrants and undertakes that it shall:
(a) only process the Personal Data in order to provide the Services and shall act only in accordance with this Agreement and Customer's written instructions issued from time to time. If Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, Hockeystick shall notify the Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and
(b) shall inform the Customer if Hockeystick becomes aware of a Processing Instruction that, in Hockeystick's opinion, infringes Data Protection Laws.
(c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed pursuant to this Agreement.
(d) take all reasonable steps to ensure that only authorized personnel have access to such Personal Data and that any persons whom it authorizes to have access to the Personal Data will respect and maintain all due confidentiality;
(e) ensure that all Hockeystick personnel authorized to process Protected Data are provided with appropriate training in relation to the Data Protection Laws and Hockeystick (and Customer's as applicable) data protection procedures.
(f) hold all Personal Data separately from any other data held by Hockeystick and ensure that it is readily identifiable as the Customer's Personal Data;
(g) maintain, written records of all categories of processing activities carried out on behalf of the Customer;
(h) not engage any sub-processors in the performance of the Services without the prior written consent of Customer and otherwise in accordance with Clause 1.6 at all times;
(i) immediately notify Customer of any actual or suspected incident of unauthorized or accidental disclosure of or access to any Personal Data or other breach of this Agreement by any of its staff, sub-processors or any other identified or unidentified third party (a "Security Breach");
(j) promptly provide Customer with full cooperation and assistance in respect of the Security Breach and all information in Hockeystick's possession concerning the Security Breach, including the following:
(i) the probable cause and consequences of the breach;
(ii) the categories of Personal Data involved;
(iii) a summary of the probable consequences for the relevant data subjects;
(iv) a summary of the unauthorized recipients of the Personal Data; and
(v) the measures taken by Hockeystick to mitigate any damage;
(k) where applicable in respect of any Personal Data processed pursuant to this Agreement, provide full cooperation and assistance to Customer at Customer’s cost in ensuring compliance with:
(i) Customer's obligations to respond to requests from any data subject(s) seeking to exercise its/their rights under Chapter III of the GDPR, including by notifying Customer of any written subject access requests Hockeystick receives relating to Customer's obligations under the Data Protection Legislation within ten Business Days; and
(ii) Customer's obligations set out under Articles 32 – 36 of the GDPR to:
(A) ensure the security of the processing;
(B) notify the relevant supervisory authority, and any data subject(s), where relevant, of any breaches relating to Personal Data;
(C) carry out any data protection impact assessments ("DPIA") of the impact of the processing on the protection of Personal Data; and
(D) consult the relevant supervisory authority prior to any processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by Customer to mitigate the risk.
1.6 Hockeystick will ensure that any person it engages to provide the services on its behalf in connection with this Agreement does so only on the basis of a written contract which imposes on such person terms equivalent to those imposed on Hockeystick in this Agreement (the "Relevant Terms"). Hockeystick shall procure the performance by such person of the Relevant Terms and shall be directly liable to Customer for any breach by such person of any of the Relevant Terms.
1.7 Hockeystick agrees that Customer is entitled to monitor Hockeystick's compliance with the Data Protection Legislation and its obligations under this Agreement at any time during regular business hours at Customer’s cost. Hockeystick agrees to provide Customer with all information that is necessary to conduct these monitoring procedures within the time period specified by Customer. If Customer believes that an on-site audit is necessary, Hockeystick agrees to give Customer access to Hockeystick's premises (subject to any reasonable confidentiality and security measures at a mutually acceptable time), and to any stored Personal Data and data processing programs it has on-site. Customer is entitled to have the audit carried out by a third party reasonably acceptable to Hockeystick and subject to such third party entering into such confidentiality agreement as my be reasonably required by Hockeystick.
1.8 If, in the performance of this Agreement, Hockeystick transfers any Personal Data received from or on behalf of Customer to any third party (which shall include without limitation any affiliates of Hockeystick) where such third party is located outside the European Economic Area, Hockeystick shall in advance of any such transfer seek the written instructions of Customer, which may include:
(a) the requirement for Hockeystick to execute or procure that the third party execute Standard Contractual Clauses for transfers from Data Controllers to Data Processors approved by the Commission pursuant to Decision 2010/87/EU, as amended by Commission Implementing Decision (EU) 2016/2297;
(b) the requirement for the third party to be certified under the Privacy Shield framework; or
(c) the existence of any other specifically approved safeguard for data transfers (as recognized under the Data Protection Legislation) and/or a European Commission finding of adequacy.
1.9 Hockeystick shall, at the Customer's election and on written request, either delete or return all the Protected Data to the Customer in such form as the Customer reasonably requests within a reasonable time after the earlier of:
(a) the end of the provision of the relevant Services related to processing; or
(b) once processing by Hockeystick of any Protected Data is no longer required for the purpose of Hockeystick's performance of its relevant obligations under this Agreement,
and delete existing copies (unless storage of any data is required by Applicable Law and, if so, Hockeystick shall inform the Customer of any such requirement).
1.10 (a) any condition or warranty which might otherwise be implied into or incorporated in the Agreement, whether by statute, common law or otherwise, is expressly excluded from the Agreement to the maximum extent permitted by law;
(b) Hockeystick's maximum aggregate liability to Customer under the Agreement shall in no circumstances exceed an amount equal to the fees paid under this Agreement in the 12 month period preceding the event giving rise to the claim from Customer to Hockeystick;
(c) Hockeystick shall not be liable for: (i) any loss or damage suffered by Customer arising out of any act, omission, misrepresentation or error made by or on behalf of Customer; or (ii) any delay in or omission of publication or transmission or any error in any press or other publication unless such delay, omission or error is due to its own default or neglect.
1.11 This Agreement is without prejudice to the rights and obligations of the parties under the Services Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this Agreement and the terms of the Services Agreement, the terms of this Agreement shall prevail so far as the subject matter concerns the processing of Personal Data.
1.12 This Agreement shall be governed by and construed in accordance with the laws of Province of Ontario and federal laws of Canada applicable therein and each of the parties agrees to submit to the non-exclusive jurisdiction of the courts of Toronto, Ontario, Canada in respect of any claim or matter arising under this Agreement.
Capitalized terms used in this Agreement shall have the following meanings:
2.1 Applicable Law means as applicable and binding on Customer, Hockeystick and/or the Services stated in the Agreement:
(a) any law, statute, regulation, by-law or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of;
(b) the common law and laws of equity as applicable to the parties from time to time;
(c) any binding court order, judgment or decree; or
(d) any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;
2.2 "Data Controller" has the meaning set out in the Data Protection Legislation;
2.3 "Data Processor" has the meaning set out in the Data Protection Legislation;
2.4 "Data Protection Legislation" means all privacy laws applicable to any Personal Data processed under or in connection with this Agreement, including, without limitation, the Data Protection Directive 95/46/EC (as the same may be superseded by the General Data Protection Regulation 2016/679 (the "GDPR")), the Privacy and Electronic Communications Directive 2002/58/EC and all national legislation implementing or supplementing the foregoing and all associated codes of practice and other guidance issued by any applicable data protection authority, all as amended, re-enacted and/or replaced and in force from time to time;
2.5 "Personal Data" has the meaning set out in the Data Protection Legislation and relates only to personal data of which Customer is the Data Controller and in relation to which the Suppler is providing the Services under the Services Agreement;
2.6 "process" and other derivations such as "processed" and "processing" means any use of or processing applied to any Personal Data and includes "processing" as defined in the Data Protection Legislation;
2.7 "protected data" means Personal Data received from or on behalf of Customer in connection with the performance of Hockeystick's obligations under this Agreement;
For the purposes of Clause 1.1, the parties set out below a description of the Personal Data being processed under the terms of the Agreement and further details required pursuant to the GDPR.
1. TYPES OF PERSONAL DATA: title, first name, last name, address, email address.
2. DURATION OF PROCESSING: until the earliest of (i) expiry/termination of the Services Agreement; or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Services Agreement (to the extent applicable.
3. NATURE OF PROCESSING: collection, analysis, storage, duplication, deletion and disclosure to the extent required for the purpose set out below.
4. PURPOSE OF PROCESSING: necessary for the provision of the Services.
5. CATEGORIES OF DATA SUBJECT: employees of Customer.