Data Processing Addendum
This Data Processing Addendum ("DPA") is incorporated into, and is subject to the terms and conditions of, the Agreement between Healthy Bag and the customer entity that is a party to the Agreement ("Customer" or "you").
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. For the avoidance of doubt, all references to the "Agreement" shall include this DPA (including the SCCs (where applicable), as defined herein).
"Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
"Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" shall be construed accordingly.
"Customer Data" means any personal data that Healthy Bag processes on behalf of Customer via the Service, as more particularly described in this DPA.
"Data Protection Laws" means all data protection laws and regulations applicable to a party's processing of Customer Data under the Agreement, including, where applicable, EU Data Protection Law and Non-EU Data Protection Laws.
"EU Data Protection Law" means all data protection laws and regulations applicable to Europe, including (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; (iii) applicable national implementations of (i) and (ii); and (iii) in respect of the United Kingdom ("UK") any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the UK leaving the European Union).
"Europe" means, for the purposes of this DPA, the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom
“Non-EU Data Protection Laws” means the California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Brazilian General Data Protection Law ("LGPD"), Federal Law no. 13,709/2018; and the Privacy Act 1988 (Cth) of Australia, as amended ("Australian Privacy Law").
"Privacy Shield" means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce.
"Privacy Shield Principles" means the Privacy Shield Principles (as supplemented by the Supplemental Principles).
"SCCs" means the standard contractual clauses for processors as approved by the European Commission or Swiss Federal Data Protection Authority (as applicable).
"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Healthy Bag.
"Sensitive Data" means (a) social security number, tax file number, passport number, driver's license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) employment, financial, credit, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) account passwords; or (f) other information that falls within the definition of "special categories of data" under applicable Data Protection Laws.
The terms "personal data", "controller", "data subject", "processor" and "processing" shall have the meaning given to them under applicable Data Protection Laws or if not defined thereunder, the GDPR, and "process", "processes" and "processed", with respect to any Customer data, shall be interpreted accordingly.
2. Roles and Responsibilities
2.1 Parties’ roles. If EU Data Protection Law or the LGPD applies to either party's processing of Customer Data, the parties acknowledge and agree that with regard to the processing of Customer Data, Customer is the controller and Healthy Bag is a processor acting on behalf of Customer. For the avoidance of doubt, this DPA shall not apply to instances where Healthy Bag is the controller.
2.2 Purpose limitation. Healthy Bag shall process Customer Data only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing ("Permitted Purposes"). The parties agree that the Agreement sets out Customer’s complete and final instructions to Healthy Bag in relation to the processing of Customer Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
2.3 Prohibited data. Customer will not provide (or cause to be provided) any Sensitive Data to Healthy Bag for processing under the Agreement, and Healthy Bag will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
2.4 Customer compliance. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Data and any processing instructions it issues to Healthy Bag; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Healthy Bag to process Customer Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Data and the means by which Customer acquired Customer Data. Without prejudice to the generality of the foregoing, Customer agrees that it shall be responsible for complying with all laws (including Data Protection Laws) applicable to any Campaigns (as defined in the Agreement) or other content created, sent or managed through the Service, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.
2.5 Lawfulness of Customer's instructions. Customer will ensure that Healthy Bag's processing of the Customer Data in accordance with Customer’s instructions will not cause Healthy Bag to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. Healthy Bag shall promptly notify Customer in writing, unless prohibited from doing so under EU Data Protection Laws, if it becomes aware or believes that any data processing instruction from Customer violates the GDPR or any UK implementation of the GDPR.
3.1 Security Measures. Healthy Bag shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Data from Security Incidents and designed to preserve the security and confidentiality of Customer Data in accordance with Healthy Bag security standards.
3.2 Confidentiality of processing. Healthy Bag shall ensure that any person who is authorized by Healthy Bag to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
3.3 Updates to Security Measures. Customer is responsible for reviewing the information made available by Healthy Bag relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Healthy Bag may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
3.4 Security Incident response. Upon becoming aware of a Security Incident, Healthy Bag shall: (i) notify Customer without undue delay, and where feasible, in any event no later than 48 hours from becoming aware of the Security Incident; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) promptly take reasonable steps to contain and investigate any Security Incident. Healthy Bag's notification of or response to a Security Incident under this Section 4.4 shall not be construed as an acknowledgment by Healthy Bag of any fault or liability with respect to the Security Incident.
3.5 Customer responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.
4. Return or Deletion of Data
Deletion or return on termination. Upon termination or expiration of the Agreement, Healthy Bag shall (at Customer's election) delete or return to Customer all Customer Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Healthy Bag is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Healthy Bag shall securely isolate, protect from any further processing and eventually delete in accordance with Healthy Bag's deletion policies, except to the extent required by applicable law.
5. Limitation of Liability
5.1 Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including the SCCs) shall be subject to the exclusions and limitations of liability set forth in the Agreement.
5.2 Any claims made against Mailchimp or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is a party to the Agreement.
10.3 In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.
6. Relationship with the Agreement
6.1 This DPA shall remain in effect for as long as Healthy Bag carries out Customer Data processing operations on behalf of Customer or until termination of the Agreement (and all Customer Data has been returned or deleted in accordance with Section 7 above).
6.2 The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Service.
6.4 Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.
6.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
6.6 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
Updated September 21, 2020