This Data Processing Addendum ("Addendum") sets out the terms that apply as between WERET and Marketing Affiliate when processing EEA personal data in connection with the Marketing Affiliate Program. This Addendum forms part of the Marketing Affiliate Program Agreement. Capitalized terms used in this Addendum shall have the meanings given to them in the Marketing Affiliate Program Agreement (the "Agreement") unless otherwise defined in this Addendum.
(a) "controller," "processor," "data subject," and "processing" (and "process") shall have the meanings given to them in Applicable Data Protection Law; (b) "Applicable Data Protection Law" means any and all applicable privacy and data protection laws and regulations applicable to the Personal Data in question, including, where applicable, EU Data Protection Law (in each case, as may be amended, superseded or replaced from time to time); (c) "EU Data Protection Law" means: (i) the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"); and (ii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iii) any national data protection laws made under or pursuant to clause (i) or (ii); and (d) "Personal Data" means any information relating to an identified or identifiable natural person to the extent that such information is protected as personal data under Applicable Data Protection Law.
The parties acknowledge that in connection with the Marketing Affiliate Program, each party may provide or make available to the other party Personal Data. Each party shall process such data: (i) for the purposes described the Agreement; and/or (ii) as may otherwise be permitted under Applicable Data Protection Law.
Relationship of the parties
Each party will process the copy of the Personal Data in its possession or control as an independent controller (not as a joint controller with the other party). For the avoidance of doubt and without prejudice to the foregoing, WERET shall be an independent controller of any Personal Data that it receives or shares with Affiliate in connection with the Marketing Affiliate Program.
Compliance with law
Each party shall separately comply with its obligations under Applicable Data Protection Law and this Addendum when processing Personal Data. Neither party shall be responsible for the other party's compliance with Applicable Data Protection Law. In particular, each party shall be individually responsible for ensuring that its processing of the Personal Data is lawful, fair and transparent, and shall make available to data subjects a privacy statement that fulfils the requirements of Applicable Data Protection Law.
Where Applicable Data Protection Law in the European Economic Area ("EEA"), and/or its member states, United Kingdom and/or Switzerland (collectively for the purposes of this Addendum, the "EU'), applies to the Personal Data ("EU Personal Data"), neither party shall process any EU Personal Data (nor permit any EU Personal Data to be processed) in a territory outside of the EU unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. To the extent a Marketing Affiliate transfers EU Personal Data to WERET and WERET is located in a territory outside the EU that does not provide adequate protection for Personal Data (as determined by Applicable Data Protection Law), WERET agrees to abide by and process such EU Personal Data in accordance with the Standard Contractual Clauses for Controllers as approved by the European Commission and available at http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915 (as amended, superseded or updated from time to time) ("Model Clauses"), which are incorporated by reference in, and form an integral part of, this Addendum. WERET agrees that it is a "data importer" and the Marketing Affiliate is the "data exporter" under the Model Clauses (notwithstanding that WERET may be an entity located outside of the EEA).
Each party shall implement and maintain all appropriate technical and organisational measures to protect any copies of the Personal Data in their possession or control from (i) accidental or unlawful destruction, and (ii) loss, alteration, or unauthorised disclosure or access (a "Security Incident") and to preserve the security and confidentiality of such Personal Data. Each party shall notify the other party without undue delay on becoming aware of any breach of EU Data Protection Law/Applicable Data Protection Law.