Last Updated: June 7th, 2021
PLEASE READ THIS DATA PROCESSING ADDENDUM CAREFULLY.
This Data Processing Addendum (“DPA”) outlines the terms under which customer personal data is processed by GemPages (“GemPages”, “us”, or “we”) in compliance with Global Data Protection Legislation. In this agreement “you”, “your” and “Customer” refer to you unless otherwise indicated. If you are entering into this agreement on behalf of a company or other legal entity, you represent that you have the authority to bind such an entity to this agreement, in which case the terms “you” or “your” shall refer to such entity.
For purposes of this Addendum, terms will have the meanings set forth below. Capitalized terms that are used but not otherwise defined in this Addendum shall have the meanings set forth in the Agreement.
This Addendum will take effect on the Addendum Effective Date and, notwithstanding the expiration of the Term, will remain in effect until and automatically expire upon GemPages's deletion of all Customer Personal Data as described in this Addendum.
Customers can use the Services to process Personal Information of their customers or contacts for marketing and related customer relationship management purposes. GemPages stores Personal Information on its servers and processes such Personal Information only for the purposes of, and in accordance with, the instructions of Customers and does not make any decisions itself as to the use, updating, or deletion of Personal Information. If the Global Data Processing Legislation applies to the processing of Customer Personal Data, the parties acknowledge and agree that:
By entering into this Addendum, Customer instructs GemPages to process Customer Personal Data only in accordance with applicable law to provide the Services as authorized by the Agreement, including this Addendum and its Appendices or as further documented in any other written instructions given by Customer and acknowledged in writing by GemPages as constituting instructions for purposes of this Addendum.
GemPages will only process Customer Personal Data in accordance with Customer’s instructions unless the applicable personal data law to which we are subject requires us to further process Customer Personal Data, in which case GemPages will notify Customer (unless that law prohibits us from doing so on grounds of public interest).
If the Global Data Protection Legislation applies to the processing of Customer Personal Data, the Customer is a processor and shall notify GemPages of their instructions and actions regarding Customer Personal Data, including its appointment of GemPages as another processor or its consent to GemPages’s onward transfers of Customer Personal Data to its Subprocessors.
Data is deleted or returned upon termination of the Agreement. GemPages shall delete or return to Customer(s) all Customer Data (including copies) in its possession or control, except that this requirement shall not apply to the extent we are required by the applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data GemPages shall securely isolate, protect from any further processing, and eventually delete in accordance with our Data Retention Policy.
GemPages shall implement and maintain appropriate technical and organizational security measures to protect Company Data from Security Incidents and to preserve the security and confidentiality of the Company Data, in accordance with GemPages’ security standards described in Appendix 2.
You acknowledge that the Security Measures are subject to technical progress and development and that GemPages may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
GemPages shall ensure that any person who is authorized by you to process Personal Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
Upon becoming aware of an Information Security Incident, GemPages shall notify Customers without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by you.
Notwithstanding the above, you agree that except as provided by this DPA, you are responsible for safeguarding and securing your use of our Services, including securing your account authentication credentials, protecting the security of your Personal Information Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or back up any Customer Generated Data Customer Personal Uploaded to the Services.
During the Agreement, if GemPages receives any request from a Data Subject in relation to Customer Personal Data, GemPages will, at its sole discretion, (i) advise the Customer of the request, (ii) advise the data subject to submit his or her request to Customer, and/or (iii) notify the data subject that his or her request has been forwarded to the Customer. Customers will be responsible for responding to any such request.
GemPages will (taking into account the nature of the processing of Customer Personal Data) provide Customer with self-service functionality through the Services or other reasonable assistance as necessary for Customer to fulfill its obligation under the applicable Global Data Protection Legislation to respond to requests by Data Subject(s), including if applicable, Customer’s obligation to respond to requests for exercising the data subject’s rights set out in Global Data Processing Legislation. Customer shall reimburse GemPages for any such assistance beyond providing self-service features included as part of the Services at GemPages’ then-current professional services rates, which shall be made available to Customer upon request.
GemPages will reasonably assist Customer in complying with its obligations under the applicable Global Data Protection Legislation in respect of data protection impact assessments and prior consultation, including, if applicable, Customer’s obligations pursuant to Articles 35 and 36 of the GDPR, by:
Where required by Applicable Law, we will use commercially reasonable efforts not to transfer any Personal Information from one country to another without Customers’ prior written consent, which Customers shall not unreasonably withhold, and which Customers hereby provide as required for our provision of Services under the Agreement. Where Customers consent to such transfer, the transfer will be in accordance with applicable law.
GemPages may transfer and process Personal Information Data anywhere in the world where GemPages, its Affiliates, or its Sub-processors maintain data processing operations. GemPages shall at all times provide an adequate level of protection for the Personal Information Data collected, transferred, processed, or retained in accordance with the requirements of the applicable Global Data Processing Legislation.
The parties will comply with the applicable Global Data Protection Law and use the appropriate data transfer mechanism to transfer or access Personal Information internationally. GemPages makes available SCCs to enable transfers of Personal Information from the US to other jurisdictions. Customers can exercise their rights and submit a request to enquire about acquired personal information and data under the GDPR by referring to https://gmpg.link/gdpr
Customers agree that GemPages may engage Sub-processors to process Personal Information Data on the Customer's behalf. The Sub-processors currently engaged by GemPages and authorized by Customer are available at https://gempages.net/legal/subprocessors.
GemPages shall enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor. However, GemPages is not responsible for a Sub-processor's compliance with the obligations of this DPA or for any acts or omissions of such Sub-processor that cause us to breach any of our obligations under this DPA.
Customer acknowledges that GemPages is required under the GDPR to (a) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which GemPages is acting and, where applicable, of such processor’s or controller's local representative and data protection officer; and (b) make such information available to the supervisory authorities. Accordingly, if the GDPR applies to the processing of Customer Personal Data, Customer will, where requested, provide such information to GemPages, and will ensure that all information provided is kept accurate and up-to-date.
Each party’s and all of its Affiliates’ liability arising, whether in contract, tort, or any other theory of liability, under or in connection with this Addendum and other Policies shall be subject to the exclusions and limitations of liability set forth in the Agreement. Any claims made against GemPages or its Affiliates under or in connection with this Addendum shall be brought solely by the Customer entity that is a party to the Agreement.
Customer acknowledges and agrees that GemPages may create and derive anonymized and/or aggregated data that does not identify Customer or any natural person from processing related to the Services to use, publicize or share with third parties such data to improve GemPages’ products and services and for its other legitimate business purposes.
Notwithstanding anything to the contrary in the Agreement, any notices required or permitted to be given by GemPages to Customer may be given (a) to GemPages’ primary points of contact with Customer; and/or (b) to any email provided by Customer for the purpose of providing it with Service-related communications or alerts. Customer is solely responsible for ensuring that such email addresses are valid.
Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between this Addendum and the remaining terms of the Agreement, this Addendum will govern.
GemPages shall provide the Customer information according to the Agreement and the DPA. GemPages shall process information sent by Customers’ end users identified through Customers’ implementation of the Application Services.
Depending on Customer’s usage of the Service, this could include the data exporter’s personnel, as well as individuals in other categories, such as the data exporter’s customers, service providers, business partners, affiliates, and other end users.
Because we are an Official Shopify App Developer, please refer to the full list of Customer properties from Shopify API.
The Service does not impose a technical restriction on the categories of Personal Information Data Customer may provide, as it varies widely, from end-users and referrals to affiliates, and so on.
The Service does not impose a technical restriction on the categories of Personal Information Data Customer may provide.
The subject matter, nature, and purpose of the processing are GemPages’ provision of the Service to Customer as further described in the Agreement.
This involves storing Personal Data, making it available to Customer for modification and transmission, and deleting Personal Data. The processing takes place from the commencement of the Agreement until the deletion of all Personal Data by GemPages in accordance with the DPA.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
The Parties (Customer as Data Exporter and GemPages as Data Importer):
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the Personal Data identified in either the Agreement or Annex 1 to the DPA.
For the purposes of the Clauses:
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as a third-party beneficiary.
The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
The Parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
The data exporter agrees and warrants:
(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
(d) that it will promptly notify the data exporter about:
(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
(h) that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
The data exporter is the entity identified as “Customer” or “Controller” in the Agreement.
The data importer is Seal Commerce, Inc. (“GemPages”), a company providing hosted business software applications that processes personal data upon the instruction of the data exporter in accordance with the terms of the Agreement.
The personal data transferred concerns the categories of data subjects defined in Annex 1 to the DPA.
The personal data transferred concerns the categories of data defined in Annex 1 to the DPA.
The personal data transferred concerns the special categories of data defined in Annex 1 to the DPA.
The personal data transferred will be subject to the basic processing activities defined in Annex 1 to the DPA.
This Appendix 2 is incorporated into the Addendum, and also forms part of the Standard Contractual Clauses (if such Standard Contractual Clauses are applicable to Customer).
As from the Addendum Effective Date, GemPages will implement and maintain the technical and organizational Security Measures set out at (under construction).