Data Protection Addendum
This Data Protection Addendum (“DPA”) amends the current version of the Complex Marketplace Agreement (the “Agreement”) and is entered into by and between Commerce Media Holdings, LLC d/b/a Complex (“Complex”) and the person or entity agreeing to the Agreement (“you” or “Brand”). This DPA applies to and takes precedence over that document and any associated contractual document between the parties, such as an order form, statement of work, or data protection addendum thereunder, to the extent of any conflict. Capitalized terms used and not defined herein shall have the meaning given such terms in the Agreement.
Brand and Complex agree as follows:
- Definitions. For purposes of this DPA:
- “Controller”, “processor”, “data subject”, and “supervisory authority” shall have the meanings ascribed to them in Data Protection Laws. “Controller” is deemed to include a “business” as defined in the CCPA, “processor” is deemed to include a “service provider” as defined in the CCPA, and “data subject” is deemed to include a “consumer” as defined in US Privacy Laws.
- “Data Protection Laws” means all applicable laws, regulations and other legal requirements of any jurisdiction relating to privacy, data security, communications secrecy, Personal Data Breach notification and the Processing of Personal Data, including but not limited to the following: the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019/419) and the UK Data Protection Act 2018 (together being “UK Data Protection Law”); the Swiss Federal Act on Data Protection (“FADP”); the California Consumer Privacy Act (as amended by the California Privacy Rights Act, and together with related regulations when effective, the “CCPA”); the Virginia Consumer Data Protection Act; the Colorado Privacy Act; the Connecticut Data Privacy Act; and any other U.S. state or federal laws governing personal information or personal data (collectively, the “US Privacy Laws”).
- “EEA” means the European Economic Area, which comprises the member states of the European Union and Norway, Iceland, and Liechtenstein.
- “Personal Data” means any information relating to an identified or identifiable individual or that is defined as “personally identifiable information,” “personal information,” or “personal data,” or any analogous term under Data Protection Laws that is Processed in connection with the Agreement.
- “Personal Data Breach” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Information Security Addendum” means the addendum attached to the Agreement covering security requirements applicable to Brand.
- “Standard Contractual Clauses” means one or both of the following, as the context requires:
- the “EU SCCs,” defined as the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in the “Data Transfers” section below.
- the “UK Addendum,” defined as the United Kingdom Information Commissioner’s International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0 of which is available at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), and completed as described in the “Data Transfers” section below.
- “Sub-processor” means any Brand Affiliate or third party processor engaged by Brand for the Processing of Personal Data.
- Roles of the Parties.
- Brand as a Processor. Brand shall Process Personal Data on behalf of Complex, as Complex’s Processor, to fulfill orders of Brand products purchased by consumers (“Customers”) in accordance with the Agreement.
- Brand as an Independent Controller. Brand shall Process Personal Data received by Brand through the Data Feature (as set forth in Section 5.5 of the Agreement) as an independent Controller to market to Customers who have consented to receive such marketing, as disclosed in Brand’s Privacy Policy and to the extent permitted by applicable law.
- Compliance; Party Obligations. Each Party shall be individually and separately responsible for complying with its obligations that apply to it (whether as a Controller or Processor) pursuant to any applicable Data Protection Law.
- Where Brand acts as a Processor of Personal Data, it shall:
- Process Personal Data solely: (1) to fulfill its obligations to Complex under the Agreement, including this DPA; (2) on Complex’s behalf; and (3) in compliance with Data Protection Law.
- ensure that the persons it authorizes to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- taking into account the nature of the Processing, implement appropriate technical and organizational measures to assist Complex in responding to request(s) from data subjects exercising their rights under Data Protection Law. Further, any such data subject request received by Brand will be referred to Complex promptly.
- provide reasonable assistance to and cooperation with Complex for Complex’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, and promptly notify Complex of (i) data subject requests regarding their Personal Data; (ii) any third-party complaints regarding the Processing of Personal Data; or (iii) any government requests for access to or information about Brand’s Processing of Personal Data on Complex’s behalf, unless prohibited by Data Protection Law. Brand will provide Complex with reasonable cooperation and assistance in relation to any such request. If Brand is prohibited by applicable Data Protection Law from disclosing the details of a government request to Complex, Brand shall inform Complex that it can no longer comply with Complex’s instructions under this DPA without providing more details and await Complex’s further instructions. Brand shall use all reasonable and available legal mechanisms to challenge any demands for data access through national security processes that it receives, as well as any non-disclosure provisions attached thereto.
- provide reasonable assistance to and cooperation with Complex for Complex’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data when required by applicable Data Protection Law, and at Complex’s reasonable expense.
- promptly notify Complex if it determines that (i) it can no longer meet its obligations under this DPA or applicable Data Protection Law; or (ii) in its opinion, an instruction from Complex infringes applicable Data Protection Law.
- at Complex’s direction, and in any event upon termination or expiration of the Agreement, except to the extent required by Data Protection Laws, promptly return to Complex or, if so directed by Complex, destroy and certify the destruction of any and all Personal Data and direct its representatives and Sub-processors to do the same.
- to the extent that US Privacy Laws apply to such data, Brand:
- shall not “sell” Personal Data or “share” or “process” Personal Data for “targeted advertising purposes”, as such terms are defined in the applicable US Privacy Laws;
- shall comply with any applicable restrictions under applicable US Privacy Laws on combining the Personal Data with personal data that Brand receives from, or on behalf of, another person or persons, or that Brand collects from any other interaction between it and a data subject;
- shall provide the same level of protection for the Personal Data subject to US Privacy Laws as is required of a “business” or “controller” under applicable US Privacy Laws;
- shall not retain, use, or disclose Personal Data for any purpose other than for the business purposes specified in the Agreement;
- shall permit Complex to take reasonable and appropriate steps to ensure that Brand uses the Personal Data in a manner consistent with Complex’s obligations under the US Privacy Laws and, upon notice from Complex, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data; and
- certifies that it understands the restrictions and obligations set forth in this DPA, including in this Section 3.a., and that it will comply with them.
- Where Brand acts as a Controller of Personal Data Processed under the Agreement:
- Brand shall limit the collection, transfer, and Processing of Personal Data to what is reasonably necessary a) for the limited purpose of marketing to Customers, where such Customers have provided consent, b) to comply with Applicable Law, or c) as otherwise agreed to, in writing, by the Parties;
- Brand shall ensure that it has an appropriate legal basis for the collection, transfer, and Processing of Personal Data;
- If required by an applicable Data Protection Law, Brand shall obtain the necessary consent for such collection, transfer, and Processing;
- Complex retains the right to take reasonable and appropriate steps to ensure that Brand Processes Personal Data subject to US Privacy Laws in a manner consistent with Complex’s obligations under the US Privacy Laws, and Complex may take reasonable measures to stop and remediate unauthorized use of such Personal Data; and
- Brand shall implement and maintain reasonable security procedures, as appropriate to the level of sensitivity and confidentiality applicable to such Personal Data, as set forth in Annex B to this DPA.
- Complex hereby provides a general authorization for Brand, where Brand acts as a Processor, to engage and use Sub-processors to Process Personal Data on Brand’s behalf in connection with the Agreement. Brand shall ensure that any Sub-processor is bound by a written agreement that imposes data protection obligations no less protective than those set forth in this DPA, including appropriate confidentiality, security, and data protection obligations. Brand shall remain fully responsible to Complex for the performance of each Sub-processor’s obligations under this DPA. Brand shall maintain an up-to-date list of its Sub-processors, which shall be provided to Complex upon request. Brand shall provide Complex with reasonable advance notice of any material changes to its Sub-processors. Complex may object to a new Sub-processor on reasonable data protection grounds by providing written notice to Brand within a reasonable period after receiving notice of the change. In the event of such objection, the Parties shall cooperate in good faith to resolve Complex’s concerns. If the Parties are unable to resolve the objection, Brand may, at its option, either (i) not engage the objected-to Sub-processor for Processing of Complex Personal Data, or (ii) terminate the affected Processing upon reasonable notice.
- Information Security.
- Each Party shall implement and maintain appropriate technical, physical, and administrative security controls to protect and safeguard the Personal Data under its control against accidental, unauthorized or unlawful access, use, disclosure, loss, destruction, or damage. Brand shall maintain the controls specified in Annex B to this DPA.
- With respect to Personal Data for which the Parties act as independent Controllers, each Party shall be independently responsible for notifying data subjects and regulatory authorities of a data breach affecting the confidentiality, integrity, or availability of Personal Data within its custody and control, or within the custody and control of that Party’s processor or subprocessor, provided that each Party shall provide commercially reasonable assistance to the other in order to facilitate the data breach notifications described in this paragraph.
- With respect to Personal Data for which Brand acts as a Processor, Brand shall notify Complex within 48 hours of any Personal Data Breach of such Personal Data in its custody or control (or within the custody and control of a subprocessor) and will assist Complex with its Personal Data Breach-related obligations, including without limitation, by:
- Taking commercially reasonable steps to mitigate the effects of the Personal Data Breach and reduce the risk to individuals whose Personal Data was involved;
- Providing Complex with the following information, to the extent known:
- The nature of the Personal Data Breach, including, where possible, how the Personal Data Breach occurred, the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Data records concerned.
- The likely consequences of the Personal Data Breach; and
- Measures taken or proposed to be taken by Brand to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Providing timely updates of material developments in connection with the Personal Data Breach; and
- Not making announcements or filings that identify Complex (including to regulators and/or affected data subjects) in relation to the Personal Data Breach without first consulting Complex and obtaining its prior written approval (provided that such approval shall not be unreasonably withheld or delayed).
- Audit. Where Brand acts as a Processor, it will make readily available to Complex all information reasonably necessary to demonstrate compliance with this DPA and Data Protection Laws, and will allow for and contribute to audits, including inspections, conducted by Complex or another auditor mutually agreed upon by the Parties. Brand will cooperate with Complex to remedy any noncompliance identified during an audit.
- Data Transfers. Each Party shall protect all Personal Data it receives from a third country in a manner no less stringent than required by applicable law of the country in which the Personal Data originated. To the extent Personal Data shared or transferred by one Party to the other Party in connection with this Agreement originates in the EEA, Switzerland, Singapore, or the UK via a Restricted Transfer, or is otherwise subject to the GDPR or UK GDPR, the Parties shall comply with the following:
- European Transfers. In the event a Party exports any Personal Data from the EEA or that is otherwise subject to the GDPR to a Third Country, the Parties shall comply with the EU SCCs, which are hereby incorporated into, and form an integral part of, this DPA, subject to the following: (i) the EU SCCs shall be governed by the Module One clauses (Transfer controller to controller) for all Personal Data Processed by Brand as a Controller, and the Module Two clauses (Transfer controller to processor) for all Personal Data that Brand Processes as a Processor; (ii) Clause 7 (Optional – Docking Clause) of the EU SCCs shall be deemed incorporated herein and applicable to the Parties and third parties; (iii) for purposes of Clause 11 (Redress) of the EU SCCs, the Parties agree that the optional wording shall not be incorporated therein; (iv) for purposes of Clause 13 (Supervision) of the EU SCCs, the competent supervisory authority shall be the Irish Data Protection Commission; (v) for purposes of Clause 17 (Governing law) of the EU SCCs, the Parties agree that the EU SCCs shall be governed by the law of Ireland and Clause 17, “Option 1” shall apply accordingly; (vi) for purposes of Clause 18 (Choice of forum and jurisdiction) of the EU SCCs, the Parties agree that any dispute arising from the EU SCCs shall be resolved by the Courts of Ireland and Clause 18(b) shall apply accordingly; (vii) Annex A-I of this DPA shall be incorporated into Annex I of the EU SCCs; and (viii) Annex A-II of this DPA shall be incorporated into Annex II of the EU SCCs.
- Swiss Transfers. In the event a Party exports any Personal Data from Switzerland, the Parties shall comply with the EU SCCs, as set forth in Section 6.a., subject to the following: (i) references to “Regulation (EU) 2016/679” or “that Regulation” in the EU SCCs are to be understood as references to the Swiss Federal Act on Data Protection (FADP); (ii) references to specific Article(s) of “Regulation (EU) 2016/679” are to be understood as references to the equivalent Article or provision of the Swiss FADP; (iii) the term “member state” in the EU SCCs shall not be interpreted in such a manner as to exclude data subjects in Switzerland from enforcing their rights in Switzerland, in accordance with Clause 18(c), provided Switzerland is their habitual residence; (iv) the “competent supervisory authority” under Part C of Annex I of the EU SCCs is the Swiss Federal Data Protection and Information Commissioner; (v) the applicable law for contractual claims under Clause 17 in the EU SCCs is Swiss law; and (vi) in relation to Clause 18(a), any disputes arising from the EU SCCs shall be resolved by the courts of Switzerland.
- UK Transfers. In the event a Party exports any Personal Data from the United Kingdom or that is otherwise subject to the UK GDPR to a Third Country, the Parties shall comply with the EU SCCs, as updated and amended by the UK Addendum, provided that the UK Addendum shall be supplemented and completed, as appropriate, with the data processing descriptions and Party responsibilities, clause options, and similar criteria set forth in Section 6.a. and the annexes attached hereto. For the purposes of supplementing and completing the UK Addendum, the Parties agree that any dispensation with the adopted format shall not adversely affect the appropriateness of the safeguards provided therein. For the avoidance of doubt, with respect to Personal Data transfers subject to the UK GDPR, in the event of a conflict between the EU SCCs and the UK Addendum, the terms and hierarchy set forth in the UK Addendum shall supersede and control with respect to such Personal Data transfers subject to the UK GDPR only. In the event that the version of the UK Addendum incorporated by this Agreement is subsequently varied, revoked or otherwise replaced in circumstances where Brand expects to incur consequential increases in costs or risk and provided that Brand has undertaken reasonable efforts to mitigate any such increases, then Brand may terminate its agreement with Complex, upon providing reasonable notice of the same to Complex in writing.
- Onward Transfers. A Party shall not transfer such Personal Data from the EEA, Switzerland, or the United Kingdom to any Third Country, except to the extent such transfer is in accordance with an applicable Data Protection Law.
Annex A
Annexes A-I and A-II to the EU SCCs
ANNEX I
A. LIST OF PARTIES
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
Complex’s role is Controller.
Brand acts as Complex’s Processor in the situations described in Section 2.a. of the DPA. In those situations, Complex is the exporter and Brand is the importer.
Brand acts as an independent Controller in the situations described in Section 2.b. of the DPA. In those situations, Complex is the exporter and Brand is the importer.
Data exporter(s): [Identity and contact details of the data exporter(s), including any contact person with responsibility for data protection]
- Name: Commerce Media Holdings, LLC d/b/a Complex
Address: as set forth in the Agreement
Contact person’s name, position and contact details: as set forth in the Agreement
Activities relevant to the data transferred under these Clauses: Brand’s participation in the Complex Marketplace
Signature and date: The Parties are deemed to have signed this Annex I by signing the Agreement.
Role (controller/processor): Controller
Data importer(s): [Identity and contact details of the data importer(s), including any contact person with responsibility for data protection]
- Name: Brand
Address: As set forth in the Agreement
Contact person’s name, position and contact details: As set forth in the Agreement
Activities relevant to the data transferred under these Clauses: Fulfill orders placed pursuant to the Agreement; market to Customers with the Customer’s consent as set forth in Section 2.b. of the DPA.
Signature and date: The Parties are deemed to have signed this Annex I by signing the Agreement.
Role (controller/processor): As set forth in Section 2 of the DPA
B. DESCRIPTION OF TRANSFER
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
Categories of data subjects whose personal data is transferred: Complex marketplace Customers
Categories of personal data transferred: Contact details, purchase information
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): On a continuous basis.
Nature of the processing: Receipt, transmission, analysis, display, and storage of data.
Purpose(s) of the data transfer and further processing:
- For Personal Data Transferred to Brand as a Processor: Order fulfillment
- For Personal Data Transferred to Brand as a Controller: Marketing to Customers that purchase Brand merchandise on the Complex Marketplace
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
- For Personal Data Transferred to Brand as a Processor: For as long as necessary to fulfill the order and for the time period thereafter required by applicable law
- For Personal Data Transferred to Brand as a Controller: As set forth in the Brand’s privacy policy, unless the data subject revokes consent
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As long as necessary to fulfill the purpose of processing.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE ONE: Transfer controller to controller
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13:
The parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
ANNEX B (ANNEX A-II OF THIS DPA, FOR PURPOSES OF ANNEX II OF THE EU SCCs) – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
- Information Security Policies. Brand will maintain written information security policies, standards and procedures addressing administrative, technical, and physical security controls and procedures. These policies, standards, and procedures shall be kept up to date, and revised whenever relevant changes are made to the information systems that use or store Personal Data.
- Physical Security. Brand will maintain commercially reasonable security systems at all Brand sites at which an information system that uses or stores Personal Data is located that include reasonably restricting access to such locations, and implementing measures to detect, prevent, and respond to intrusions.
- Organizational Security. Brand will maintain information security policies and procedures addressing acceptable data use standards, data classification, and incident response protocols.
- Network Security. Brand maintains commercially reasonable information security policies and procedures addressing network security.
- Access Control. Brand agrees that: (1) only authorized Brand staff can grant, modify, or revoke access to Personal Data; (2) only those Brand personnel that require access to Personal Data will be granted such access; and (3) it will implement commercially reasonable physical and technical safeguards to create and protect passwords.
- Virus and Malware Controls. Brand protects Personal Data from malicious code and will install and maintain anti-virus and malware protection software on any system that handles Personal Data.
- Personnel. Brand has implemented and maintains a security awareness program to train personnel with access to Personal Data about their security obligations. Personnel shall follow established security policies and procedures. Disciplinary process is applied if Personnel fail to adhere to relevant policies and procedures.
- Business Continuity. Brand implements disaster recovery and business resumption plans that are kept up to date and revised on a regular basis. Brand also adjusts its Information Security Program in light of new laws and circumstances, including as Brand’s business and Processing change.
- Subcontracting. Brand shall perform security due diligence on all Sub-processors that will Process Personal Data, and shall contractually require such Sub-processors to adhere to security measures no less stringent than those set forth in this Addendum.
- Data return/deletion. Upon termination or expiration of the Agreement, or upon Complex’s written request, Brand will promptly (a) return to Complex all Personal Data that Brand Processed as a Processor in its possession or control in a reasonably usable format, or (b) securely delete or destroy such Personal Data, including any copies, except to the extent retention is required by applicable law. Brand may retain Personal Data solely in routine backup or archival systems to the extent it is infeasible to remove, provided such copies remain subject to the confidentiality and security obligations in the Agreement and this Addendum and are not accessed except as required for backup, archival, or legal purposes.