DATA PROCESSING ADDENDUM
Last modified: September 7, 2023
This Data Processing Agreement (this “DPA”) is between Constant Contact (as defined below), and the Constant Contact customer or trialer agreeing to the Constant Contact Terms of Service (the “Terms of Service”) (such customer or trialer, the “Customer”). This DPA supplements and forms part of the Terms of Service. If a term is capitalized in this DPA but not defined, it has the meaning given to it in the Terms of Service. This DPA governs the terms under which Constant Contact will Process Customer Personal Data (each as defined below) on behalf of Customer. In the event of any conflict or discrepancy between the Terms of Service and this DPA, this DPA shall prevail. In the event of any conflict or discrepancy between this DPA and the Standard Contractual Clauses, as applicable, the Standard Contractual Clauses shall prevail.
The parties to this DPA hereby agree to be bound by the terms and conditions herein, as applicable, with effect from the date Customer accepted the Terms of Service (the “Effective Date”). Constant Contact may amend this DPA from time to time due to changes in Data Protection Laws or as otherwise determined by Constant Contact in its commercially reasonable discretion. Any amendment will only become effective upon notification to Customer (by email or by posting on Constant Contact’s website) and, if Customer does not agree to any such amendment, it should stop using the Services and contact Constant Contact to cancel Customer’s account.
Under the Terms of Service, Customer has engaged Constant Contact to provide Services to Customer. As a result of its providing the Services to Customer, Constant Contact will store and process certain personal information of Customer as described below:
- Definitions. For purposes of this DPA, the following capitalized terms shall have the meanings indicated below. Whenever the words “include”, “includes” or “including” are used in this DPA, they shall be deemed to be followed by the words “without limitation”.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Constant Contact” means Constant Contact, Inc. or its applicable subsidiaries as specified in the “Contracting Entity” section of the Terms of Service.
“Controller” means the natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. The definition of Controller includes “Business” as that term is defined by the CCPA.
“Customer Personal Data” means Personal Data provided by Customer to Constant Contact for Processing on behalf of Customer pursuant to the Terms of Service.
“Data Protection Laws” means, with respect to a party, all laws and regulations of the relevant jurisdictions that apply to such party’s performance of obligations and exercise of rights under this DPA, including the Regulation (EU) 2016/679 of 27 April 2016, General Data Protection Regulation (the “GDPR”), the California Consumer Privacy Act (the “CCPA”), as amended by the California Privacy Rights Act (the “CPRA”), Brazil’s Lei Geral de Proteção de Dados Pessoais (“LGPD”), and other U.S. federal or state data privacy and data protection laws, and related implementing regulations.
“Data Subject” means the identified or identifiable person to whom Personal Data relates. The definition of Data Subject includes “Consumer” as that term is defined by the CCPA.
“Personal Data” means any information relating to a Data Subject.
“Process”, “Processed” or “Processing” means any operation or set of operations that is or are performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means a natural or legal person, public authority, agency or other body that Processes Customer Personal Data on behalf of the Controller. The definition of Processor includes “Service Provider” as that term is defined by the CCPA.
“Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, and implemented by the European Commission decision 2021/914, dated 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
“Sub-processor” means any Processor engaged by Constant Contact or its Affiliates in connection with provision of the Services.
- Processing of Personal Data
(a) Roles of the Parties. The parties acknowledge and agree that with regard to Processing of Personal Data, Customer is either a Controller or a Processor and that Constant Contact is a Processor.
(b) Customer Obligations. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws, including that it shall have (i) obtained any necessary consents or provided any necessary notices, including notices to Data Subjects of the use of Constant Contact as Processor (including where Customer is a Processor, by ensuring that the ultimate Controller does so), and (ii) a legitimate ground to disclose Customer Personal Data to Constant Contact and enable the Processing of Customer Personal Data by Constant Contact as set out in this DPA and as contemplated by the Terms of Service. Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from marketing or other disclosures of Personal Data, to the extent applicable under Data Protection Laws.
(c) Constant Contact’s Processing of Personal Data. Constant Contact shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Terms of Service; (ii) Processing initiated by individuals in their use of the Services (including any configuration of or use of any settings, features, or options in the Services by any individual acting on behalf of Customer); and (iii) Processing to comply with other documented reasonable instructions provided by Customer where such instructions are consistent with this DPA and the Terms of Service. If Constant Contact becomes aware that any instruction by Customer violates Data Protection Laws, Constant Contact agrees to inform Customer of its inability to comply as soon as reasonably practicable at the email address provided by Customer to Constant Contact. Constant Contact shall not be liable for any claim brought by Customer or a Data Subject arising from any action or omission by Constant Contact to the extent that such action or omission resulted from Customer’s instructions or breach of this DPA.
(d) Details of Processing. The subject matter of the Processing of Personal Data under this DPA is the provision of Services pursuant to the Terms of Service. The duration of the Processing, the nature and purpose of the Processing, the categories of Data Subjects and the types of Personal Data Processed pursuant to this DPA are set forth on Annex I attached hereto.
- Constant Contact Personnel. Constant Contact shall ensure that its personnel who are authorized to Process Customer Personal Data have received appropriate training on their responsibilities and are subject to confidentiality obligations.
- Security. Constant Contact shall implement and maintain during the term of this DPA appropriate technical and organizational security measures to protect the security of Customer Personal Data as further detailed in Constant Contact’s Security Policy.
- Data Subject Rights. Upon receipt by Constant Contact of a written request from an individual seeking to exercise any of their rights under Data Protection Laws related to Customer Personal Data, Customer authorizes Constant Contact to direct such individual to Customer. Taking into account the nature of the Processing, Constant Contact shall, at Customer’s expense, assist Customer by appropriate technical and organizational measures, for the fulfillment of Customer’s obligation to respond to requests by Data Subjects to exercise their rights under Data Protection Laws (including, as applicable, the data subject access right, the right to rectification and erasure, the right to the restriction of processing, the right to data portability and the right to object to processing). Constant Contact shall carry out a request from Customer to amend or correct any of Customer Personal Data to the extent necessary to allow Customer to comply with its responsibilities under Data Protection Laws. Further, Constant Contact shall carry out a request from Customer to block, transfer or delete any of Customer Personal Data to the extent necessary to allow Customer to comply with its responsibilities as a Controller, in each case unless otherwise permitted or required by Data Protection Laws.
- Cooperation. Taking into account the nature of the Processing under the Terms of Service and the information available to Constant Contact, Constant Contact shall, insofar as commercially practicable and at Customer’s expense, assist Customer in carrying out its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators. Constant Contact shall promptly notify Customer about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data, as required by Data Protection Laws.
- Return and Deletion of Customer Personal Data. Upon termination of the Processing of Customer Personal Data by Constant Contact and at the written request of Customer, Constant Contact shall either (i) delete all Customer Personal Data, or (ii) return all Customer Personal Data to Customer and delete existing copies, in each case unless otherwise permitted or required by Data Protection Laws.
- Audits. Customer may request that Constant Contact provide a certification or summary of an audit report that demonstrates compliance with its obligations under this DPA or Data Protection Laws. If such information is not reasonably sufficient to prove Constant Contact’s compliance with Data Protection Laws, Constant Contact shall, subject to reasonable advance notice and during normal business hours, permit Customer or an independent third party authorized by Customer and that is not a competitor of Constant Contact, to carry out audits and inspections of the processing of Customer Personal Data by Constant Contact. Constant Contact may require the third party to enter into a confidentiality agreement before permitting it to carry out an audit or inspection. Constant Contact shall not be responsible for any costs or expenses in connection with any audit or inspection contemplated by this Section 8. The auditing party shall bear its own costs in relation to such an audit. The obligations set forth in this Section 8 shall only apply to Constant Contact to the extent required by Data Protection Laws.
- International Data Transfers.
(a) It is acknowledged and agreed by Customer that Constant Contact, in providing the Services under the Terms of Service, transfers Customer Personal Data to its servers in the United States and anywhere else in the world where Constant Contact, its Affiliates and its Sub-processors maintain data processing operations.
(b) Privacy Frameworks. Constant Contact participates in and has certified its compliance with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (together, the “Frameworks” or the “Privacy Frameworks”). Constant Contact is committed to subjecting all Personal Data received from the EEA, UK and Switzerland, respectively, in accordance with the applicable Privacy Framework, and to the applicable Privacy Framework’s principles. To learn more about the Privacy Frameworks, and to view Constant Contact’s certifications, visit the U.S. Department of Commerce at https://www.dataprivacyframework.gov/s/participant-search.
(c) Standard Contractual Clauses.
(i) The parties acknowledge and agree that all transfers of Customer Personal Data will be under the Privacy Frameworks, and to the extent the Privacy Frameworks are deemed not to be a valid transfer mechanism, then all transfers of Customer Personal Data will be under the Standard Contractual Clauses and the relevant UK Addendum to the clauses. If Customer acts as a Controller, then Module 2 of the Standard Contractual Clauses shall apply. If Customer acts as a Processor for Customer Personal Data, then Module 3 of the Standard Contractual Clauses shall apply. The following terms in this Section shall apply to the Standard Contractual Clauses:
(1) Annexes I, II and III to this DPA shall be deemed automatically incorporated into Annexes I, II and III of the Standard Contractual Clauses;
(2) Section 1, Clause 7 of the Standard Contractual Clauses is intentionally omitted;
(3) For the purposes of Section 2, Clauses 8.9(c) and (d) of the Standard Contractual Clauses, audits will be performed in accordance with Section 8 of this DPA;
(4) For the purposes of Section 2, Clause 9 of the Standard Contractual Clauses, Customer consents to Constant Contact appointing Sub-processors in accordance with Section 12 of this DPA;
(5) For the purposes of Section 2, Clause 17, the governing law shall be the laws of the Republic of Ireland; and
(6) For purposes of Section 2, Clause 18, the courts shall be the courts of the Republic of Ireland.
(ii) With respect to transfers to which the UK Data Protection Laws apply, the Standard Contractual Clauses shall apply and shall be deemed amended as specified by the UK Addendum attached hereto as Annex IV.
(iii) For data transfers governed by Swiss data protection laws, general and specific references in the Standard Contractual Clauses to “GDPR” or “EU” or “Member State Law” shall have the same meaning as the equivalent reference in Swiss data protection laws.
- Indemnification. Customer agrees that it will indemnify and hold harmless Constant Contact and its Affiliates on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by Constant Contact arising directly or indirectly from a breach of this DPA or any Data Protection Laws.
- Sub-Processing
(a) Customer acknowledges and agrees that Constant Contact may retain an Affiliate or third party subcontractor as Sub-processors. Constant Contact has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the services provided by such Sub-processor.
(b) Constant Contact shall maintain a list of its Sub-processors at https://www.constantcontact.com/legal/privacy/third-party-data, which will be updated from time to time to reflect any change in Sub-processors.
- Termination. Termination of this DPA shall be governed by the Terms of Service, mutatis mutandis.
- Law and Jurisdiction
This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the Commonwealth of Massachusetts and each party hereby submits to the jurisdiction of the federal or state courts located in Boston, Massachusetts.
ANNEX I
A. LIST OF PARTIES
Data exporter(s): The data exporter is Customer. Customer acts as a Controller or Processor.
Data importer(s): The data importer is Constant Contact, which acts as a Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Customer Personal Data transferred concerns Customer’s customers, contacts, prospective customers, and website visitors.
Categories of personal data transferred: As applicable, name, contact information (e.g., email address, phone number, physical address), geographical data, device identification data, information from connected accounts authorized by Customer, and other Customer Personal Data processed pursuant to the Terms of Service. Depending on how Customer uses the Services, the following information could be inferred from Customer’s usage: business network and experience, educational data, financial data, and interests.
Sensitive data transferred (if applicable): The parties do not anticipate special categories of data being processed. Depending on how Customer uses the Services, some sensitive data may be inferred from Customer’s Usage.
The frequency of the transfer: Personal Data will be transferred on a continuous basis.
Nature of the processing: Customer determines the types of data they submit to Constant Contact to process on their behalf in the course of using the Services pursuant to the Terms of Service.
Purpose(s) of the data transfer and further processing: Personal Data shall be processed to provide the Services to Customer.
The period for which the personal data will be retained: Data Processing will be for the term of the Terms of Service and for a reasonable period of time after the termination of the Terms of Service.
For transfers to (sub-) processors: Constant Contact may engage Sub-processors to provide parts of the Services in compliance with the parties’ agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Irish Data Protection Commission.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
The details of the technical and organizational measures applicable to the Services being provided by Constant Contact to Customer can be found at https://www.constantcontact.com/legal/security.
ANNEX III
LIST OF SUB-PROCESSORS
Customer has authorized the use of the Sub-processors detailed at https://www.constantcontact.com/legal/privacy/third-party-data, which are applicable to the Services being provided to Customer.
ANNEX III
UK ADDENDUM
International Data Transfer Addendum to the EU Commission Standard Contractual Clauses
For purposes of this UK Addendum to Schedule 1 (the “UK Addendum”), capitalized terms used but not defined herein shall have the meaning set forth in either Addendum or the UK Data Protection Act 2018, as applicable.
This UK Addendum has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract.
Part 1: Tables
Table 1: Parties
Start date | Effective Date as defined in the attached Data Processing Addendum (“DPA”). |
The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
Parties’ details | Full legal name: Customer | Full legal name: See definition of Constant Contact in Terms of Service; |
Key Contact | Full Name (optional): Customer | Full Name (optional): |
Signature (if required for the purposes of Section 2) | Exporter is deemed to have signed this UK Addendum as of Effective Date as defined in the DPA. | Importer is deemed to have signed this UK Addendum as of the Effective Date as defined in the DPA. |
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs | ☒ The version of the Approved EU SCCs which this Addendum is appended to, detailed below, |
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex 1A: List of Parties: See Table 1 of this UK Addendum
Annex 1B: Description of Transfer: See Annex 1B of the Standard Contractual Clauses
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: See Annex II of the Standard Contractual Clauses
Annex III: List of Sub processors (Modules 2 only): See Annex III of the Standard Contractual Clauses
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes | Which Parties may end this Addendum as set out in Section 19: |
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.