DATA PROTECTION AGREEMENT
This Data Processing Addendum (“DPA”) forms an integral part of the main agreement (“Agreement”) between Kueez Entertainment Ltd. or its Affiliates ("Company") and the counterparty agreeing to those terms (“Customer;” each a “Party” and together the “Parties”) and applies to the extent that Company processes Personal Data on behalf of the Customer, in the course of its performance of its obligations under the Agreement. This DPA is entered into by the Parties and supplements the Agreement and any future related documents and business engagements between Parties. This DPA will be effective, and replaces any previously applicable terms relating to its subject matter, from the effective date of the Agreement.
If you are accepting this DPA on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA.
1.Introduction
1.1 This DPA reflect the Parties’ agreement on the processing of Personal Data in connection with the Data Protection Laws.
1.2 Any ambiguity in this DPA shall be resolved to permit the parties to comply with all Data Protection Laws.
1.3 In the event and to the extent that the Data Protection Laws impose stricter obligations on the Parties than under this DPA, the Data Protection Laws shall prevail.
2. Definitions and Interpretation
2.1 In this DPA:
2.1.1 “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with, a Party.
2.1.2 “Approved Jurisdiction” means a member state of the European Economic Area, or other jurisdiction approved as having adequate legal protections for data by the European Commission currently found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
2.1.3 “Data Protection Laws” means any and all applicable domestic and foreign laws, rules, directives and regulations, on any local, provincial, state, federal or national level, pertaining to data privacy, data security or the protection of Personal Data, including the Privacy and Electronic Communications Directive 2002/58/EC (and respective local implementing laws) concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), UK's Privacy and Electronic Communications Regulations 2003 (PECR), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, and the regulations enacted thereunder (collectively: "CCPA"), the Virginia Consumer Data Protection Act, Va. Civ. Code § 59.1 ("VCDPA") (the CCPA and the VCDPA are hereinafter collectively referred to as "US Data Protection Laws"); and any amendments or replacements to the foregoing.
2.1.4 “Data Subject” means an individual to whom Personal Data relates.
2.1.5 “European Economic Area” or “EEA” consists of the member states of the European Union including Iceland, Liechtenstein and Norway.
2.1.6 “Personal Data” means any personally identifiable information, including “personal data” or “personal information” (as these terms are defined under the applicable Data Protection Laws) that is processed by a Party under the Agreement or in connection with any services provided therein.
2.1.7 “Security Incident” shall mean any accidental or unlawful use, destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. For the avoidance of doubt, any Personal Data Breach (as defined under the GDPR) will comprise a Security Incident
2.1.8 “Special Categories of Data“ means personal data as defined under Article 9 of the GDPR and where applicable, sensitive personal information under §1798.140 of the CCPA or § 59.1-575 of the VCDPA.
2.1.9 “Standard Contractual Clauses" means (a) where the GDPR applies – the applicable Module of the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council from June 4th 2021; and (b) with respect to data transfers to which the UK GDPR applies - the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which entered into force on 21 March, 2022, as available here: https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf ("UK Addendum"); both (a) or (b) above, as applicable, are incorporated herein by reference.
2.1.10 The terms “controller”, “processing” and “processor” as used in this DPA have the meanings given to them in Data Protection Laws. Where applicable, a controller shall be deemed a “Business“ and a processor shall be deemed to be a “Service Provider“ or a "Contractor", as these terms are defined in the CCPA.
2.1.11 Any reference to a legal framework, statute or other legislative enactment is a reference to it as amended or re-enacted from time to time.
3. Application of this DPA
3.1 This DPA will only apply to the extent all of the following conditions are met:
3.1.1 Company processes Personal Data that is made available by the Customer in connection with the Agreement;
3.1.2 The Data Protection Laws apply to the processing of Personal Data.
3.2 This DPA will only apply to the services for which the Parties agreed to in the Agreement, which incorporates this DPA by reference.
4. Roles and Restrictions on Processing
4.1 Independent Controllers. Each Party:
(a) is an independent controller of Personal Data under the Data Protection Laws;
(b) will individually determine the purposes and means of its processing of Personal Data; and
(c) will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data.
4.2 Restrictions on Processing. Section 4.1 will not affect any restrictions on either Party’s rights to use or otherwise process Personal Data under the Agreement.
4.3 Sharing of Personal Data. In performing its obligations under the Agreement, a Party may provide Personal Data to the other Party. Each Party shall process Personal Data only for (i) the purposes set forth in the Agreement or as (ii) otherwise agreed to in writing by the Parties, provided such processing strictly complies with (a) the Data Protection Laws, and (b) its obligations under this Agreement (the “Permitted Purposes”). Neither Party shall share any Personal Data with the other Party that (i) allows Data Subjects to be directly identified (for example by reference to their name and e-mail address); or (ii) that contains Personal Data relating to children under 16 years.
4.4 Lawful grounds and transparency. Each Party shall maintain a publicly-accessible privacy policy on its mobile apps and websites that is available via a prominent link that satisfies transparency disclosure requirements of the Data Protection Laws. Each Party warrants and represents that it has provided Data Subjects with appropriate transparency regarding data collection and use, as well as all required notices, and obtained any and all consents or permissions necessary under the Data Protection Laws. It is hereby clarified that Customer is the initial Controller of Personal Data. Where Customer relies on consent as its legal basis to process Personal Data, it shall ensure that it obtains a proper affirmative act of consent from Data Subjects in accordance with the Data Protection Laws in order for itself and Company to process such Personal Data as set out herein. Customer acknowledges that Company and its advertisers use cookies and similar tracking technologies in order to provide the services under the Agreement, including for the purpose of cross-site or cross-device advertising. Customer shall ensure that appropriate notice and consent mechanisms are displayed and implemented on all applicable Customer properties with respect to the foregoing. Both Parties will cooperate in good faith in order to identify the information disclosure requirements and each Party hereby permits the other Party to identify it in the other Party’s privacy policy, and to provide a link to the other Party’s privacy policy in its privacy policy.
4.5 Data Subject Rights. It is agreed that where either Party receives a request from a Data Subject in respect of Personal Data controlled by such Party, then such Party shall be responsible to exercise the request, in accordance with Data Protection Laws.
4.6 Mutual Assistance. Each Party shall provide the other Party with such:
4.6.1 Assistance as the other Party may reasonably request from time to time to enable it to comply with its obligations under the Data Protection Laws including (without limitation) with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or other regulators; and
4.6.2 Information as it may reasonably request in order to: (a) monitor the technical and organizational measures being taken to ensure compliance with the Data Protection Laws, or (b) satisfy any legal or regulatory requirements, including information reporting, disclosure and other related obligations to any regulatory authority from time to time.
4.7 Resolution of Disputes with Data Subjects or Supervisory Authorities. If either Party is the subject of a claim by a Data Subject or a supervisory authority, or receives a notice or complaint from a supervisory authority relating to its respective processing activities (a “DP Claim”), it shall promptly inform the other Party of the DP Claim and provide the other Party with such information as it may reasonably request regarding the DP Claim. Where the DP Claim concerns the respective processing activities of one Party only, then that Party shall assume sole responsibility for disputing or settling the DP Claim. Where the DP Claim concerns the respective processing activities of both Parties, then the Parties shall use all reasonable endeavors to cooperate with a view to disputing or settling the DP Claim in a timely manner; provided always that neither Party shall make any admission or offer of settlement or compromise without using all reasonable endeavors to consult with the other Party in advance.
5. Personal Data Transfers
5.1 Transfers of Personal Data Out of the European Economic Area. Either Party may transfer Personal Data outside the European Economic Area or UK, provided it complies with applicable provisions regarding the transfer of Personal Data to third countries under the Data Protection Laws (such as where the transfer of Personal Data is to an Approved Jurisdiction or through the use of Standard Contractual Clauses, or other applicable frameworks).
5.2 If the Parties processes Personal Data outside the EEA or an Approved Jurisdiction, then the Parties shall be deemed to enter into the Standard Contractual Clauses and the UK Addendum, as applicable, subject to any amendments contained in Annex I, in which event: (i) the Standard Contractual Clauses and the UK Addendum are incorporated herein by reference; and (ii) the Customer shall be considered the data exporter and Company shall be considered the data importer (as these terms are defined therein).
6. Protection of Personal Data.
The Parties will provide a level of protection for Personal Data that is at least equivalent to that required under the Data Protection Laws. Both Parties shall implement appropriate technical and organizational measures to protect the Personal Data. If a Party suffers a confirmed Security Incident, such Party shall notify the other Party without undue delay and the Parties shall cooperate in good faith to agree on such measures as may be necessary to mitigate or remedy the effects of the Security Incident.
7. Indemnification
Customer will indemnify and hold Company and its partners harmless from any cost, charge, damages, expenses or losses incurred as a result of Customer’s breach of any of the provisions of this DPA.
8. Priority
If there is any conflict or inconsistency between the terms of this DPA and the remainder of the Agreement, then the terms of this DPA will govern. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
9. Changes to this DPA.
9.1 Customer acknowledges and agrees that Company may amend this DPA as may be required from time-to-time, by posting the amended DPA to its website and any amendments to the DPA are effective as of the date of posting. Where such change may have a material adverse impact on Customer, as reasonably determined by Company, then Company will use commercially reasonable efforts to inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect. Customer’s continued use of the Services after the amended DPA is posted or notice is given, constitutes Customer's agreement to and acceptance of the amended DPA.
9.2 If any of the Data Protection Laws are superseded by new or modified Data Protection Laws (including any decisions or interpretations by a relevant court or governmental authority relating thereto), the new or modified Data Protection Laws shall be deemed to be incorporated into this DPA, and each Party will promptly begin complying with such Data Protection Laws in respect of its respective processing activities.
By signing on an applicable IO, the Parties acknowledge that they have read and understood the terms of this DPA and agree to be legally bound by.
Annex I – SCC
1. If Customer is a controller – the Parties shall be deemed to enter into the Controller to Controller Standard Contractual Clauses (Module One). If Customer is a processor – the Parties shall be deemed to enter into the Processor to Controller Standard Contractual Clauses (Module Four).
2. This Annex I sets out the Parties' agreed interpretation of their respective obligations under the Standard Contractual Clauses.
3. The Parties agree that for the purpose of transfer of Personal Data between the Customer (Data Exporter) and the Company (Data Importer), the following shall apply:
3.1. Clause 7 of the Standard Contractual Clauses shall not be applicable.
3.2. In Clause 11, data subjects shall not be able to lodge a complaint with an independent dispute resolution body.
3.3. In Clause 17, the Parties agree that the clauses shall be governed by the law of the State of Ireland.
3.4. In Clause 18 the Parties choose the courts of Dublin.
4. To the extent the UK Addendum applies, the following shall apply as well:
4.1. All the information provided under the Standard Contractual Clauses shall apply to the UK Addendum with the necessary changes per the requirement of the UK Addendum. Annexes 1A, 1B and 2 to the UK Addendum shall be replaced with Annexes I–III below, respectively.
4.2. In Table 4 of the UK Addendum, either party may terminate the agreement in accordance with section 19 of the UK Addendum.
5. The Parties shall complete Annexes I–II below, which are incorporated into the Standard Contractual Clauses by reference.
Annex II – Description of processing activities
A. Identification of Parties
"Data Exporter": the Customer;
"Data Importer": the Company.
B. Description of Transfer
Categories of data subject: | ☐ Customer and/or partner's end-users ☐ Customer's employees ☐ Customer's customers ☐ Other: ________ |
Categories of Personal Data | ☐ Contact information (name, age, gender, address, telephone number, email address etc.) ☐ Financial and payment data (e.g. credit card number, bank account, transactions) ☐ Governmental IDs (passport, driver's license) ☐ Device identifiers and internet or electronic network activity (IP addresses, GAID/IDFA, browsing history, timestamps) ☐ Geo-location information ☐ Other: ________ |
Special Categories of Data | ☐ None ☐ Genetic or biometric data ☐ Health data ☐ Racial or ethnic origin ☐ Political opinions, religious or philosophical beliefs ☐Trade union membership ☐ Sex life or sexual orientation
If the CCPA is applicable: ☐Race, ethnicity, religious or philosophical beliefs. ☐Genetic or biometric data ☐Health information ☐Sex life or sexual orientation ☐Union membership ☐Content of nonpublic communication (mail, email, and text messages) ☐Government identifier ☐Precise geolocation ☐Financial account and login information
If the VCDPA is applicable: ☐ Racial or ethnic origin ☐Religious beliefs ☐Genetic or biometric data ☐Mental or physical health ☐Sexual orientation ☐Citizenship or immigration status ☐Known child ☐Precise geolocation |
Nature of Processing | ☐ Collection ☐ Recording ☐ Organization or structuring ☐ Storage ☐ Adaptation or alteration ☐ Retrieval ☐ Consultation ☐ Disclosure, dissemination or otherwise making available ☐ Analysis ☐ Erasure or destruction |
Frequency of Transfer | ☐ One-off ☐ Continuous ☐ N/A ☐ Other: ________
|
Purpose of the transfer and further processing | As defined in the Agreement. The parties may mutually agree in writing to amend this Annex I. |
Retention period | Personal Data will be retained for the term of the Agreement. |
Annex III – Technical and Organizational Measures
This Annex III forms part of the DPA and describes the technical and organizational security measures implemented by the data importer.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: