Raydiant

Raydiant Europe Data Processing Agreement

 


This Data Processing Agreement is concluded between Raydiant Europe B.V., a private company with limited liability established and existing under the laws of the Netherlands, having its registered office and principal place of business in (1098 XH) Amsterdam, at Science Park 400, registered with the Chamber of Commerce in the Netherlands, under number 58300880 (hereinafter referred to as “Raydiant Europe”), and the Customer as defined in the Agreement.

Customer and Raydiant Europe each a “Party” jointly referred to as “Parties”,

1. Definitions   

1.1 In this Data Processing Agreement, capitalized words and expressions, whether in single or plural, have the meaning specified as set out below:

Annex: appendix to this Data Processing Agreement which forms an integral part of it;

Agreement: the agreement concluded between Customer and the Raydiant Europe with partnership in respect;

Data Processing Agreement: the present agreement;

Personal Data: all information relating to an identified or identifiable natural person as referred to in Section 4(1) GDPR;

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, as referred to in Section 4(12) GDPR;

Process: as well as conjugations of this verb: the processing of Personal Data as referred to in Section 4(2) GDPR;

Sub-Processor: the sub-contractor hired by Raydiant Europe that Processes Personal Data in the context of this Data Processing Agreement on behalf of Customer, as referred to in Section 28(4) GDPR.

1.2 The provisions of the Agreement apply in full to this Data Processing Agreement. 

2. Purpose of the Personal Data Processing

2.1 Parties agree that where the Processing of Personal Data is concerned, Raydiant Europe acts as a processor within the meaning of Article 4(8) under the GDPR and Customer as the controller within the meaning of Article 4(7) under the GDPR or the processor. 

2.2 Customer and Raydiant Europe have concluded the present Data Processing Agreement for the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of data subjects and the purposes of Processing, is included in Annex A.

2.3 Raydiant Europe is solely responsible for the Processing of Personal Data under this Data Processing Agreement, in accordance with the legitimate instructions of Customer and under the express (final) responsibility of Customer. For all other Processing of Personal Data, including but not limited to the collection of Personal Data by the Customer, Processing for purposes not reported to Raydiant Europe by Customer, Processing by third parties and/or for other purposes, Raydiant Europe is not responsible or liable. Responsibility and liability for these Processing activities rest exclusively with Customer.

2.4 Customer is responsible and liable for the processing of Personal Data in relation to the Agreement and guarantees that Processing is in compliance with all applicable legislation and does not infringe any rights of third parties. Customer will indemnify and hold harmless Raydiant Europe against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee.

2.5 Raydiant Europe undertakes to Process Personal Data only for the purpose of the activities referred to in this Data Processing Agreement and/or the Agreement. Raydiant Europe will not use the Personal Data which it Processes under this Data Processing Agreement for its own or third-party purposes in any way without Customer’s express written consent, unless a legal provision requires Raydiant Europe to do so. In such case, Raydiant Europe shall immediately inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3. Technical and organizational security measures

3.1 Raydiant Europe will implement (or arrange the implementation of) appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. Raydiant Europe will in any case take measures to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing.

3.2 Raydiant Europe will provide a document in Annex C which describes the appropriate technical and organizational measures to be taken by Raydiant Europe. Customer acknowledges having taken cognizance of the relevant measures and by signing this Data Processing Agreement, the Customer agrees with the measures taken by Raydiant Europe.

4. Confidentiality

4.1 Raydiant Europe will require the employees that are involved in the execution of the Agreement to sign a confidentiality statement – whether or not included in the employment agreement with those employees – which in any case states that these employees must keep strict confidentiality regarding the Personal Data.

5. Sub-Processors

5.1 Raydiant Europe has Customer’s general authorisation for the engagement of Sub-Processors as stated in Annex B. Raydiant Europe shall specifically inform in writing Customer of any intended changes of that list through the addition or replacement of Sub-Processors, thereby giving Customer at least five working days to be able to object to such changes prior to the engagement of the concerned Sub-Processor(s). Raydiant Europe shall provide the controller with the information necessary to enable the controller to exercise the right to object.

5.2 Where Raydiant Europe engages a Sub-Processor for carrying out specific Processing activities on behalf of Customer, the same data protection obligations as set out in this Data Processing Agreement shall be imposed on that Sub-Processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.

5.3 Raydiant Europe shall remain fully responsible to Customer, in accordance with the Agreement, for the performance of the Sub-Processor’s obligations in accordance with its contract with Raydiant Europe.

6. International transfers

6.1 Raydiant Europe will only be permitted to transfer Personal Data outside the European Economic Area if this is done in compliance with the applicable statutory obligations.

6.2 Customer agrees that where Raydiant Europe engages a Sub-Processor in accordance with Article 5 for carrying out specific Processing activities (on behalf of Customer) and those Processing activities involve a transfer of Personal Data within the meaning of Chapter V of Regulation (EU) 2016/679, Raydiant Europe and the Sub-Processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679.

7. Liability

7.1 With regard to any liability and indemnification obligations of Raydiant Europe under this Data Processing Agreement the stipulation in the Agreement regarding the limitation of liability applies.

7.2 Without prejudice to article 7.1 of this Data Processing Agreement, Raydiant Europe is solely liable for damages suffered by Customer and/or for third party claims as a result of any Processing, in the event the specific obligations of Raydiant Europe under the GDPR are not complied with or in case Raydiant Europe acted in breach of the legitimate instructions of the Customer.

8. Personal Data Breach

8.1 Raydiant Europe will notify Customer without undue delay of a Personal Data Breach and will take all reasonable measures to prevent or limit (further) violation of the GDPR.

8.2 Raydiant Europe will provide all reasonable cooperation requested by Customer in order for Customer to comply with its legal obligations relating to the identified Personal Data Breach.

8.3 Raydiant Europe will, insofar as reasonable, assist Customer with Customer’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) GDPR. Raydiant Europe is never held to report a Personal Data Breach with the Data Protection Authority and/or the data subject.

8.4 Raydiant Europe will not be responsible and/or liable for the (timely and correct) notification obligation to the relevant supervisor and/or data subjects, as meant in Section 33 and 34 GDPR.

9. Audit

9.1 When so requested by Customer, Raydiant Europe will enable Customer, or experts (including external experts) designated by Customer, to inspect and audit the implementation of this Data Processing and, in particular, the security measures taken by Raydiant Europe, at most once per calendar year, subject to a reasonable notice and with permission of Raydiant Europe, to adequately monitor compliance with what has been agreed between the Parties. Such an audit will at all times be carried out in a manner that has as little effect as possible on the normal business operations of Raydiant Europe. Customer will bear all the costs of this audit.

9.2 The audit in Article 9.1 of this Data Processing Agreement will only take place if Customer has requested and assessed similar audit reports available at Raydiant Europe and Customer provides reasonable arguments that justify an audit initiated by Customer. Such an audit is justified when similar audit reports present at Raydiant Europe give no or insufficient information about compliance with this Data Processing Agreement.

9.3 In case Raydiant Europe is of the opinion that an instruction relating to the provisions of this Article 9 infringes the GDPR or other applicable data protection legislation, Raydiant Europe will inform the Customer immediately.

9.4 Raydiant Europe is entitled to charge any possible costs that relate to the provisions of this Article 9 with Customer.

10. Assistance to Customer

10.1 Raydiant Europe will, taking into account the nature of the Processing and insofar as reasonably possible, provide cooperation to Customer in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of data subjects, in particular the right of access (Section 15 GDPR), rectification (Section 16 GDPR), erasure (Section 17 GDPR), restriction (Section 18 GDPR), data portability (Section 20 GDPR) and the right to object (Section 21 and 22 GDPR). Raydiant Europe will forward a complaint or request from a data subject with regard to the Processing of Personal Data to the Customer as soon as possible, as Customer is responsible for handling the request.

10.2 Raydiant Europe will, taking into account the nature of Processing, the information available to Raydiant Europe and insofar as reasonably possible, provide all reasonable cooperation to Customer in fulfilling its obligation pursuant to the GDPR to carry out a data protection impact assessment (Section 35 and 36 GDPR).

10.3 Raydiant Europe is entitled to charge any costs associated with the cooperation as referred to in this Article 10 with Customer.

11. Termination

11.1 Following termination of the Agreement, Raydiant Europe shall, at the choice of Customer, delete all Personal Data Processed on behalf of Customer and confirm to Customer that it has done so, or, insofar as possible, return all the Personal Data to Customer and delete existing copies unless Union or Member State law requires storage of the Personal Data. Until the data is deleted or returned, Raydiant Europe shall continue to ensure compliance with this Data Processing Agreement.

ANNEX A – DESCRIPTION OF THE PROCESSING

Subject matter and duration of the Processing of Company Personal Data

  • The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and Data Processing Agreement between the Parties.

The categories of Personal Data

  • Facial features (such as eye locations, face location and rotation, age, gender, mood, facial expressions, gaze and attention span), the face prints (also referred to as "embeddings") derived from facial features, and aggregated statistics.

The categories of Data Subject to whom the Personal Data relates

  • Client of Customer, visitors, passers-by

The nature and purpose of the Processing of Personal Data

  • Providing the software technology, dashboard and optional support with which Customer obtains real-time insights into audience’s spontaneous behaviour, interest, and anonymized approximated demographic profile.

The obligations and rights of Customer

  • The obligations and rights of Customer are set out in the Agreement and this Data Processing Agreement.

 


ANNEX B – SUB-PROCESSORS

| Sub-Processor | Country | Safeguards |
|---|---|---|
| Amazon Web Services, Inc | EU | Data processing agreement (art. 28 (3) GDPR) |
| Raydiant (Raydiant CX) | US | Standard Contractual Clauses |
| Google LLC (DeepSight Data Studio) | US | Standard Contractual Clauses |