Introduction

This Data Processing Agreement (“DPA”) is an addendum to the agreement or general terms (“Terms of Service”) regulating the service provided to ______________ (“Data Controller”) by Empathy Systems Corporation SL (“Data Processor”). The following clauses are applicable whenever the intended use of Empathy Systems Corporation SL triggers the application of the European Union's General Data Protection Regulation (“GDPR”) and/or is subject to the California Privacy Protection Act (“CCPA”).

Definitions

“Privacy Laws” means all privacy and data protection laws, rules, regulations, decrees, orders and other government requirements applicable to the processing of personal data under this DPA.

The terms “personal data”, “personal information”, “processing”, “controller”, “processor”, “service provider”, “data subject”, “personal data breach” and “data breach” will have the meanings ascribed to them in the applicable Privacy Laws.

“The Product” refers to cloud-based software provided by Empathy Systems Corporation SL.

“Data Processor” or “service provider” refers to Empathy Systems Corporation SL.

“Buyer” or “Data Controller” refers to the company identified in this agreement as such, having entered into a contract to either deploy the Product on one or various websites or use the Product to store, process, analyze, visualize or retrieve structured or unstructured data pertaining to its own current or potential customers.


Scope

The subject matter of processing is the personal data collected in the context of the Product. In particular, Beautiful Consent will request and store the following categories of data:

  1. Consent ID, as a 36-character string uniquely identifying each device.
  2. Consent State, as a set of category-value pairs that the Product will rely on in order to either block or release tracking elements from the website.
  3. Date and time, as a timestamp of the consent action executed by the user.
  4. URL from which the consent action has taken place.
  5. User Agent, identifying the browser being used in order to filter out bot traffic and required for security reasons. The version of each browser, as well as the operating system on which it runs, will also be included.
  6. IP Address, required for security reasons.

If the Product is deployed and used as designed, the Data Controller will not be able to engage in cross-site tracking or device fingerprinting, or to collect any information related to a data subject's health, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. As a result, the Product will not be storing or processing such data.

The Product relies on cookies to remember each individual's choices on a given device. These have a lifespan of six months, after which the consent action will have to be renewed.

Processing

Empathy Systems Corporation SL has developed information security risk management policies to reasonably ensure the confidentiality, integrity, and availability of the data processed by the Product. These include sub-processor audits (see Sub-processors for further details), certifications, infrastructure, availability and disaster resistance, technical security controls, and administrative security controls.

To the extent that Empathy Systems Corporation SL is processing personal data on behalf of the Data Controller, Empathy Systems Corporation SL shall:

  • Process the personal data only on documented instructions from the Data Controller, including with regard to transfers of personal data to a third country or an international organization;
  • Ensure that only the team members providing the service, or offering relevant customer support, have access to the data being processed, and that such team members are informed of the confidential nature of the data being processed, having received appropriate training on their responsibilities and having committed themselves to confidentiality or being under an appropriate statutory obligation of confidentiality;
  • Assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of its obligation to respond to requests for exercising the data subject's rights laid down in the Privacy Laws;
  • At the choice of the Data Controller, delete or return all the personal data to the Data Controller after the end of the provision of services relating to processing and delete existing copies unless applicable law requires storage of the personal data;
  • Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in the Privacy Laws and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

Sub-processors

Empathy Systems Corporation SL has the Data Controller’s general authorization to engage other processors for the processing of personal data in accordance with this DPA. In particular, the Data Processor will use Amazon Web Services as a hosting provider. The same data protection obligations set out in this DPA have been extended to such sub-processor by way of contract, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Privacy Laws.

Data Subject Rights

To the extent that Empathy Systems Corporation SL is processing personal data on behalf of the Data Controller, Empathy Systems Corporation SL shall, to the extent legally permitted, promptly notify the Data Controller of any data subject requests Empathy Systems Corporation SL receives, and the Data Controller authorizes Empathy Systems Corporation SL to redirect such requests to the Data Controller to respond directly.

To the extent legally permitted, the Data Controller shall be responsible for any reasonable costs arising from Empathy Systems Corporation SL providing assistance to the Data Controller in responding to such requests.


Data Transfers

Empathy Systems Corporation SL shall ensure that, to the extent that any personal data originating from the Data Controller’s country is transferred by Empathy Systems Corporation SL to another country, such transfer shall be subject to appropriate safeguards in accordance with the Privacy Laws.

Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the parties shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • The pseudonymization and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

To the extent that Empathy Systems Corporation SL is processing personal data on behalf of the Data Controller, Empathy Systems Corporation SL shall take steps to ensure that any natural person acting under the authority of Empathy Systems Corporation SL who has access to such personal data does not process it except on instructions from the Data Controller, unless he or she is required to do so by applicable law.

Data Breach

To the extent that Empathy Systems Corporation SL is processing personal data on behalf of the Data Controller, Empathy Systems Corporation SL shall notify the Data Controller without undue delay after becoming aware of a personal data breach and shall reasonably respond to the Data Controller’s requests for further information to assist the Data Controller in fulfilling its obligations under the Privacy Laws.