Data Processing Agreement
Grenis Media Inc (“Grenis Media”) and the counterparty agreeing to these terms (“Customer”) have entered into an agreement for the provision of the Processor Services (as amended from time to time, the “Agreement”)
These Grenis Media Data Processing Terms (including the appendices) are entered into by Grenis Media and Customer and supplement the Agreement. These Data Processing Terms will be effective, and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing addendum relating to the Processor Services), from the Terms Effective Date.
If you are accepting these Data Processing Terms on behalf of Customer, you warrant that (a) you have full legal authority to bind Customer to these Data Processing Terms; (b) you have read and understand these Data Processing Terms; and (c) you agree, on behalf of Customer, to these Data Processing Terms. If you do not have the legal authority to bind Customer, please do not accept these Data Processing Terms.
These Data Processing Terms reflect the parties’ agreement on the terms governing the processing and security of Customer Personal Data in connection with the Data Protection Law.
2. Definitions and Interpretation
In these Data Processing Terms:
“Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a party.
“Grenis Media Entity” means Grenis Media Inc. a Canadian incorporated organization with its address at 3-384 Connie Crescent Concord Ontario Canada L4K5W6.
“Grenis Media” means Grenis Media Entity and its Affiliates engaged in the processing of Customer Personal Data in connection with the subscribed Services.
“Covered Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to the Agreement between Customer and Grenis Media, but has not signed its own Order Form with Grenis Media and is not a “Customer” as defined under the Agreement.
“Customer Personal Data” means personal data that is processed by Grenis Media on behalf of Customer in Grenis Media’s provision of the Processor Services.
“Data Incident” means a breach of Grenis Media’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Grenis Media. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Data Protection Law” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
“EEA” means the European Economic Area.
“EU Data Protection Laws” means laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including European Directives 95/46/EC and any legislation and/or regulation which amends, replaces or re-enacts it (including the GDPR).
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Notification Email Address” means the email address (if any) designated by Customer, via the user interface of the Processor Services or such other means provided by Grenis Media, to receive certain notifications from Grenis Media relating to these Data Processing Terms.
“Processor Services” means the applicable services used to deliver the contract:
See Appendix 3 for service providers.
“Security Measures” has the meaning given in Section 7 (Grenis Media’s Security Measures).
“Standard Contractual Clauses” means the agreement executed by and between Customer and Grenis Media Inc. , pursuant to the European Commission’s decision on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
“Sub-processors” means third parties authorized under these Data Processing Terms to have logical access to and process Customer Personal Data in order to provide parts of the Processor Services and any related technical support.
“Term” means the period from the Terms Effective Date until the end of Grenis Media’s provision of the Services under the Agreement.
“Terms Effective Date” means, as applicable: the date a service contract is accepted or the parties otherwise agreed to these Data Processing Terms.
The terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “supervisory authority” as used in these Data Processing Terms shall have the same meaning as in GDPR, and cognate terms be construed accordingly.
Any phrase introduced by the terms “including”, “include” or any similar expression will be construed as illustrative and will not limit the sense of the words preceding those terms. Any examples in these Data Processing Terms are illustrative and not the sole examples of a particular
Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
3. Duration of these Data Processing Terms
These Data Processing Terms will take effect on the Terms Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by Grenis Media as described in these Data Processing Terms.
4. Application of these Data Processing Terms
Application of Data Protection These Data Processing Terms will only apply to the extent that the Data Protection Law applies to the processing of Customer Personal Data, including if:
- the processing is in the context of the activities of an establishment of Customer in the EEA; and/or
- Customer Personal Data is personal data relating to data subjects who are in the EEA and the processing relates to the offering to them of goods or services or the monitoring of their behavior.
4.1 Application to Processor
These Data Processing Terms will only apply to the Processor Services for which the parties agreed to these Data Processing Terms (for example: (a) if the Agreement incorporates these Data Processing Terms by reference or the Processor Services that are the subject of the Agreement).
5. Processing of Data
The parties acknowledge and agree that:
- Appendix 1 describes the subject matter and details of the processing of Customer Personal Data;
- Grenis Media is a processor of Customer Personal Data under the Data Protection Law;
- Customer is a controller or processor, as applicable, of Customer Personal Data under the Data Protection Law; and
- Each party will comply with the obligations applicable to it under the Data Protection Law with respect to the processing of Customer Personal information.
5.1 Authorization by Third Party Controller
If Customer is a processor, Customer warrants to Grenis Media that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Grenis Media as another processor, have been authorized by the relevant.
5.2 Customer’s Instructions
By entering into these Data Processing Terms, Customer instructs Grenis Media to process Customer Personal Data only in accordance with applicable law:
- to provide the Processor Services and any related technical support;
- as further specified via Customer’s use of the Processor Services (including in the settings and other functionality of the Processor Services) and any related technical support;
- as documented in the form of the Agreement, including these Data Processing Terms; and
- as further documented in any other written instructions given by Customer and acknowledged by Grenis Media as constituting instructions for purposes of these Data Processing
5.3 Grenis Media’s Compliance
Grenis Media will comply with the instructions described in Section 5.2 (Customer’s Instructions) (including with regard to data transfers) unless EU or EU Member State law prohibits processing of Customer Personal Data, in which case Grenis Media will inform the Customer.
As of the Agreement Effective Date and for the duration of the period Grenis Media provides the Services:
- Grenis Media will, without undue delay, notify Customer, to the extent legally permitted, if Grenis Media receives a request from a data subject to exercise the data subject’s right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”); and
- If Grenis Media receives any request from a data subject in relation to Customer Personal Data, Grenis Media will advise the data subject to submit his or her request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
- Taking into account the nature of the processing, Grenis Media will assist Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under EU Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Grenis Media shall, upon Customer’s written request, provide Customer with reasonable cooperation and assistance to facilitate Customer’s response to such Data Subject Request, to the extent Grenis Media is legally permitted to do so and the response to such Data Subject Request is required under EU Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Grenis Media’s provision of such assistance.
6. Data Deletion
If the functionality of the Processor Services does not include the option for Customer to delete Customer Personal Data, then Grenis Media will comply with:
- any reasonable request from Customer to facilitate such deletion, insofar as this is possible taking into account the nature and functionality of the Processor Services and unless EU or EU Member State law requires storage; and
- the data retention practices in the Data Protection Law.
7. Data Security
Grenis Media will implement and maintain technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described in Appendix 2 (the “Security Measures”). As described in Appendix 2, the Security Measures include measures:
- to encrypt personal data;
- to help ensure the ongoing confidentiality, integrity, availability and resilience of Grenis Media’s systems and services;
- to help restore timely access to personal data following an incident; and
- for regular testing of effectiveness
Grenis Media may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services.
7.1 Security Measures
Grenis Media will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Sub-processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7.2 Data Incidents.
- Incident Notification
If Grenis Media becomes aware of a Data Incident, Grenis Media will: (i) notify Customer of the Data Incident promptly and without undue delay; and (ii) promptly take reasonable steps to minimize harm and secure Customer Personal Data.
- Details of Data
Notifications made under Section 7.2.a (Incident Notification) will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Grenis Media recommends Customer take to address the Data Incident.
- Delivery of Notification
Grenis Media will deliver its notification of any Data Incident to the Notification Email Address or, at Grenis Media’s discretion (including if Customer has not provided a Notification Email Address), by other direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for providing the Notification Email Address and ensuring that the Notification Email Address is current and
- Third Party
Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident.
- No Acknowledgement of Fault by Grenis Media
Grenis Media’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Grenis Media of any fault or liability with respect to the Data Incident.
7.3 Customer’s Security Assessment
Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to individuals) the Security Measures implemented and maintained by Grenis Media provide a level of security appropriate to the risk in respect of Customer Personal Data.
8. Sub-processors Engagement
Customer specifically authorizes the engagement of Grenis Media’s Affiliates as Sub-processors (“Grenis Media Affiliate Sub-processors”). In addition, Customer generally authorizes the engagement of any other third parties as Sub-processors (“Third Party Sub-processors”).
8.1 Requirements for Sub-processor Engagement.
When engaging any Sub-processor, Grenis Media will ensure via a written contract that:
- the Sub-processor only accesses and uses Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including these Data Processing Terms); and
- if the GDPR applies to the processing of Customer Personal Data, the data protection obligations set out in Article 28(3) of the GDPR are imposed on the Sub-processor; and
- Remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Sub-processor.
9. Transfer of Personal Data outside of the EEA
Grenis Media makes the Standard Contractual Clauses available as a transfer mechanism for any transfer of Personal Data under this DPA from the European Union, the EEA and/or their member states, Switzerland and the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of EU Data Protection Laws of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws.
9.1 Data Exporters
The Standard Contractual Clauses and the additional terms specified in this Section 9 (Transfer of Personal Data Outside of the EEA) apply to:
- the legal entity that has executed the Standard Contractual Clauses as a data exporter and its Covered Affiliates and
- all Affiliates of Customer established within the EEA, Switzerland and the United Kingdom, which have signed Agreements for Services. For the purpose of the Standard Contractual Clauses and this Section 9, all these entities shall be deemed “data exporters”.
9.2 Customer Instruction
For the purposes of Standard Contractual duties, the following is deemed an instruction by the Customer to process Personal Data:
- to provide the Services;
- as further specified via Customer’s use of the Services (including the Services’ user interface dashboard and other functionality of the Services);
- as documented in the Agreement (including this DPA and any Order Form that requires processing of Personal Data);
- as further documented in any other written instructions given by Customer (which may be specific instructions or instructions of a general nature as set out in this DPA, the Agreement or as otherwise notified by Customer to Grenis Media from time to time), where such instructions are consistent with the terms of the Agreement.
Notwithstanding anything else in the Agreement, the total liability of either party towards the other party under or in connection with these Data Processing Terms will be limited to the contractual total.
11. Relationship with the Agreement
If there is any conflict or inconsistency between the terms of these Data Processing Terms and the Agreement terms of service, the terms of these Data Processing Terms will govern.
Appendix 1: Subject Matter and Details of the Data Processing
Grenis Media’s provision of the Processor Services and any related technical support to Customer.
Duration of the Processing
The Term plus the period from expiry of the Term until deletion of all Customer Personal Data by Grenis Media in accordance with these Data Processing Terms.
Nature and Purpose of the Processing
Grenis Media will process (including, as applicable to the Processor Services and the instructions described in Section 5.2 (Customer’s Instructions), collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying) Customer Personal Data for the purpose of providing the Processor Services and any related technical support to Customer in accordance with these Data Processing Terms.
Appendix 2: Security Measures
Grenis Media may update or modify such Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security.
- Personnel Security
Grenis Media personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Grenis Media’s confidentiality and privacy policies. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role. Grenis Media’s personnel will not process Customer Personal Data without authorization.
- Sub-processor Security
Before onboarding Sub-processors, Grenis Media conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.
Appendix 3: Service Information
The following services are eligible to be in scope of the Data Processing Terms:
Sub-Processor Data Management Policies:
Processor Data Management Policies may update or modify from time to time. Provided that such updates and modifications do not result in the degradation of the overall security of the Processor Services, no formal notification is sent to the Customer. Policies listed are for reference only and may be changed from time to time.
Google https://business.safety.google/adsprocessorterms/ LiveRamp https://liveramp.com/legal/dpa/ Simpli.fi https://simpli.fi/terms-and-conditions/ https://simpli.fi/wp-content/uploads/2020/10/Simplifi-Data-Protection-Addendum.pdf Facebook https://www.facebook.com/legal/Workplace_GDPR_Addendum LinkedIn https://www.linkedin.com/legal/l/dpa