Data Processing Annex
Effective 25 May 2018
1.1. THIS DATA PROCESSING ANNEX (hereinafter the “DPA”) is an amendment to the Frosmo General Terms and Conditions (the “Terms”). The Terms are an integral part of the service or subscription agreement (the “Agreement”) signed between the Customer and Frosmo Ltd (the “Parties”).
1.2. This DPA defines the data protection and data security of the personal data of the Customer that is processed by Frosmo as required by the General Data Protection Regulation of the European Union (“GDPR”).
1.3. This DPA replaces the entire section 10 of the Terms and is hereby incorporated as part of the Terms.
1.4. This DPA shall not be applied if the Parties have signed a separate data processing agreement.
1.5. In case of any discrepancy between this DPA, the Terms and the Agreement or any other appendices, the documents shall prevail in the following order: (i) this DPA, (ii) the Agreement and (iii) the Terms.
2. General Rights and Obligations
2.1. The terms “controller”, “processor”, “processing”, “personal data” and “personal data breach” shall be understood as defined in the applicable data protection legislation, including without limitation in the GDPR.
2.2. To the extent the Customer Data contains personal data, the Customer shall act as a data controller under the applicable data protection laws and regulations. As the controller, the Customer shall acquire all permits, consents, and authorizations necessary for the Services; provide necessary information to the data subjects and notifications to the relevant authorities; and draft and maintain a record of processing activities under its responsibility. The Customer shall ensure that the personal data it provides to Frosmo or allows Frosmo to collect from Customer Applications (i.e. Customers’ websites) is accurate and correct.
2.3. As the processor, Frosmo is entitled to process the Customer’s personal data only in compliance with this DPA, the Agreement, the Terms and the Customer’s reasonable written instructions and applicable laws and only as is necessary to provide the Services. Frosmo maintains a service description or other record of all categories of processing activities carried out on behalf of the Customer as required by the GDPR. If the Customer’s written instructions regarding the processing of personal data increase the costs of Frosmo, Frosmo is entitled to charge Customer for this in accordance with its then current price list.
2.4. Frosmo shall immediately inform the Customer if, in its opinion, the Customer’s instruction is against applicable data protection laws.
2.5. Frosmo is entitled to use anonymous, aggregated or statistical information derived from the Services to analyse and develop its services. Such anonymous data shall not be identifiable to the Customer or data subjects.
2.6. After the processing of personal data under the Agreement has expired, Frosmo shall delete or return to the Customer all personal data in its possession as agreed by the Parties (in Section 9 of the Terms). Frosmo is entitled to charge the Customer for this work in accordance with its then-current price list.
3. Confidentiality and Data Security
3.1. Frosmo shall ensure that all persons authorised to process personal data are bound by a confidentiality obligation.
3.2. To ensure data security, Frosmo shall (in compliance with article 32a of the GDPR), taking into account the risks, maintain and implement appropriate technical and organizational measures as described in Frosmo’s Data privacy description and Security overview, as amended from time to time by Frosmo, in line with prevalent industry practices, as well as other data security measures agreed in writing with the Customer.
4. Other Obligations of Frosmo Related to Personal Data of Customer
4.1. Frosmo shall promptly forward to the Customer any request from a data subject relating to, for example, the data subject’s rights to access, modify, correct, delete, or block his or her personal data, as well as any complaint about the processing of the Customer’s personal data.
4.2. If permitted by applicable laws, Frosmo shall direct all inquiries from data protection or other authorities to the Customer.
4.3. Frosmo shall without undue delay notify the Customer if it becomes aware of any personal data breach.
4.4. Frosmo shall at the Customer’s written request and at the Customer’s cost assist the Customer in complying with the Customer’s obligations under applicable data protection or privacy laws and regulations.
5. Use of Subcontractors Related to Processing of Personal Data
5.1. Frosmo may use sub-processors to process the personal data of the Customer in the performance of the agreed Services. Such use shall be under written contract. Frosmo shall ensure the sub-processors comply with this DPA, the Agreement and the Terms. Frosmo is liable for its sub-processor’s actions as for its own.
5.2. Frosmo will inform the Customer in advance of any sub-processors it intends to use for processing personal data in the agreed Services. The Customer may object to the use of any new sub-processor. If the Parties cannot agree on the use of a sub-processor, the Customer may terminate the corresponding Agreement.
5.3. Frosmo and its sub-processors shall not, without the Customer’s written consent, transfer personal data outside the EU/EEA into a territory that has not been recognized by the European Commission as ensuring an adequate level of data protection. If such a transfer is consented to by the Customer, Frosmo shall use appropriate mechanisms to ensure an adequate level of data protection, such as the Privacy Shield certification in the case of transfers to the US, or the EU standard contractual clauses.
5.4. If the Parties agree on the use of services of Google, Facebook, Twitter or other named third party as a part of Services, such use and processing of personal data shall be solely subject to the contract terms and conditions of such third party. Frosmo shall not be liable for any breach of data protection or damage caused by such third party.
6. Audits Related to Processing of Personal Data
6.1. Frosmo may engage independent external auditors to audit that the processing of personal data in its systems and Services complies with its data protection obligations. To prove compliance with its obligations, Frosmo will provide the report to the Customer. To the extent not covered by the independent audit reports, the Customer or an external auditor mandated by the Customer may audit Frosmo’s compliance with the data protection obligations under the Agreement and these Terms. Frosmo’s competitors shall not be qualified to audit Frosmo’s performance.
6.2. The Parties shall agree on the time and other details of the audit at least 14 business days before the audit. The audit shall be conducted so that the time, work, costs and the harm caused to Frosmo’s business are minimized (including but not limited to any harm to Frosmo’s customers, partners and vendors). Frosmo’s confidentiality obligations towards third parties shall be respected. All the Customer’s representatives or external auditors participating in the audit shall sign customary confidentiality agreements.
6.3. Frosmo shall correct reported deficiencies without undue delay. If the audit reveals material deficiencies in Frosmo’s performance, Frosmo shall bear its own costs for the audit. Otherwise all costs of the audit shall be covered by the Customer.
7. Liability for Damage and Administrative Fines
7.1. If a data subject has suffered material or non-material damage as a result of an infringement of GDPR or this DPA, Frosmo shall be liable for the damage caused by processing of personal data only where it has not complied with obligations of GDPR specifically directed to processors or with this DPA.
7.2. Each Party shall pay only the part of administrative fines imposed or damages ordered which corresponds to its part of the responsibility for the damage, as finally decided by the relevant supervisory authority or competent court authorized to impose such fines or damages.
7.3. The Customer shall indemnify Frosmo against any loss or damage which Frosmo may sustain or incur as a result of any breach by the Customer of the data protection provisions stated in this DPA.
7.4. Otherwise the liabilities of the Parties are defined in Section 13 of the Terms.
8. Details of Processing of Personal Data as part of Frosmo’s Services
The Parties confirm the following details regarding the processing of personal data in connection with the Services:
a) Categories of data subjects: users or visitors of Customer websites.
b) Nature and purpose of processing of personal data: to deliver the Services to the Customer.
c) Service term / duration of processing of personal data: As long as the Customer acquires the Services from Frosmo and a reasonable period thereafter to comply with Section 9.3 of the Terms.
d) Permitted sub-processors of Frosmo: Hetzner Online AG, Hetzner Finland Oy and Amazon Web Services, Inc.
e) Types of personal data processed: Customer may submit personal data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following types of personal data:
- Server logs (“raw data” not collected through the Frosmo platform and not used for profiling or targeting), for example page requests, metadata (for example, timestamps) and IP addresses.
- Visitor data, including:
  - Background data (information about the visitor not related to a specific website), for example, the visitor’s geolocation (on country/region/city level), the visitor’s IP address, the visitor’s device (mobile, desktop, tablet) and the visitor’s browser.
  - Behavior data (the visitor’s actions on the website), for example, when the visitor has visited the site, the amount of time the visitor has spent on the site or a specific page, whether this is the visitor’s first visit to the site, how many times the visitor has visited the site, pages the visitor has viewed, products the visitor has viewed and which content modifications the visitor has seen or clicked.
  - Conversion and transaction data (actions on the website related to purchases and other conversions), for example, conversions the visitor completes on the site (for example, purchases, subscriptions, reservations), products the visitor has purchased, whether the visitor is logged in, whether the visitor is a paying user and products the visitor has added to their shopping cart.
  - Account data (only collected if separately agreed with the Customer in writing and for the purpose of transferring the data to marketing automation platforms, content management systems, or other third-party applications controlled by the Customer), for example, name, username, email address, postal address, subscription type and wallet balance (on e-gaming sites).
f) Sensitive personal data (if applicable): the Customer shall not send or use the Services to process any sensitive personal data.