Data Processing Addendum


This Data Processing Addendum (“DPA”) forms part of the agreement (mirrored in the “Terms of Service”) between the Corporate Client (which acts as the “Controller”) and LEİRA BİLİŞİM TİCARET LİMİTED ŞİRKETİ (that acts as the “Processor”), both also herein onwards referred to as the “Parties”, for the provision of TrackZero platform “Services” as set forth therein (the “Services”).

Effective from the date when the Corporate Client starts using the “Services” (via its Logged In users), the terms of this DPA shall apply to Personal Data (as defined below) that the “Processor” processes in the course of providing the “Services” under the Agreement. the “Controller’s” continued engagement of the “Processor” is conditioned upon the “Processor’s” agreement to the terms and conditions of this DPA.

The “Parties” agree as follows:

 

Affiliate” means that an entity that (i) controls, (ii) is controlled by, or (iii) is under common control with the “Processor” or the “Controller”. An entity will be deemed to control another entity if it has the power to direct or cause direction of the management or policies of such entity, whether through the ownership or voting securities, by contract, or otherwise.

 

Data Privacy Laws” means Directive 2002/58/EC, the General Data Protection Regulation 2016/679 (“GDPR”), and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, supplements, re-enacts or consolidates any of them and all other applicable laws relating to the Processing of Personal Data and privacy that may exist in a relevant jurisdiction including, where applicable, the guidance and codes of practice issued by supervisory authorities.

 

Model Clauses” means the standard contractual clauses as adopted by the European Commission decision of 5 February 2010, published under document number C(2010) 593 2010/87/EU and available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (as amended or updated from time to time).

Relevant Country” means all countries other than those within the European Economic Area and countries, territories or specified sectors in respect of which a valid adequacy decision has been issued by the European Commission or adequacy determined in another valid method under applicable Data Privacy Laws.

1.         Data Protection

 

1.1.     For the purposes of this DPA, the terms the “Controller”, “Data Subjects”, “Personal Data”, “Processing,” (and “Process” shall be construed accordingly), “Personal Data Breach” and “Supervisory Authority” shall have the meaning given to them by applicable Data Privacy Laws.

 

1.2.     The “Controller” undertakes to comply with all applicable Data Privacy Laws and shall not knowingly cause the “Processor” to breach the ruling and requirements under such Laws.

 

1.3.     The “Processor” will only Process the “Controller” Personal Data on documented instructions from the “Controller” (which includes the actions taken on TrackZero by the “Controller’s” users), and will not otherwise Process the “Controller” Personal Data unless required to do so by law, in which case, where legally permitted, the “Processor” shall inform the “Controller” of such legal requirement before Processing.

 

1.4.     The subject-matter of the data Processing is the performance of the “Services” and the Processing will be carried out until the date that the “Processor” ceases to provide the “Services” to the “Controller”. The obligations and rights of the “Controller” are as set out in the “Terms of Service”. Schedule 1 of this DPA sets out the nature and purpose of the processing, the types of Personal Data the “Processor” Processes and the categories of Data Subjects whose Personal Data is Processed.

 

1.5.     The “Parties” will implement appropriate technical and organizational security measures in line with industry best practices (including ensuring that its personnel who are authorized to process the Personal Data have committed themselves to appropriate confidentiality obligations and shall take steps to ensure the reliability and competence of the personnel who have access to the Personal Data) to ensure a level of security appropriate to the risks that are presented by the Processing of the Personal Data including as a minimum, those measures contained in applicable Data Privacy Laws (such as, but not limited to, encryption, penetration testing and pseudonymization) as well as measures set out in Schedule 2 of this DPA fulfilling the following: access control to premises, facilities, data and systems as well as availability, disclosure, job, input and segregation control. The technical and organizational measures are Subject to technical progress and further development. The “Parties” may amend the technical and organizational measures, provided that the new measures do not fall short of the level of security provided by the current measures in place.

 

1.6.     In case of a suspected Personal Data Breach which may affect the Personal Data under Processing and has not originated on the “Controller” or its users’ actions while using the “Services”, the “Processor” will:

 

1.6.1. take action immediately at the “Processor’s” own expense, to investigate the suspected Personal Data Breach and to identify, prevent and mitigate the effects of the suspected Personal Data Breach to remedy the Personal Data Breach;

 

1.6.2. notify the “Controller’” within 36 hours of becoming aware of such Personal Data Breach and provide the “Controller” with a detailed description of the Personal Data Breach including:

 

1.6.2.1.         the likely impact of the Personal Data Breach;

1.6.2.2.         the categories and approximate number of Data Subjects affected and their country of residence and the categories and approximate number of records affected;

1.6.2.3.         the risk posed by the Security Breach to Data Subjects;

1.6.2.4.         the measures taken or proposed to be taken by the “Processor” to address the Personal Data Breach; and

1.6.2.5.         provide timely updates to this information and any other information the “Controller” may reasonably request relating to the Personal Data Breach.

 

1.6.3.  not release or publish any filing, communication, notice, press release or report concerning the Personal Data Breach without the “Controller’s” prior written approval (except where required to do so by law or the lives or physical integrity of natural persons may be at risk).

 

1.7.     the “Processor” will (at no additional cost) provide such information and assistance to the “Controller” as it may reasonably require (and within timescales reasonably specified) to allow the “Controller” to comply with its obligations under applicable Data Privacy Laws, including assisting the “Controller” to: (i) comply with its own legal obligations;

 

1.8.     the “Processor” will promptly, at the choice of the “Controller”, securely delete or return all the “Controller” Personal Data after termination of the “Services” and confirm in signed writing that this has been completed, unless otherwise provided by law.

 

1.9.     the “Controller” acknowledges and agrees that the “Processor” may retain appropriate Affiliates and other suitable third parties as “Sub-Processors” in connection with the provision of the “Services”, having imposed on such “Sub-Processor’s” in a written agreement, the same data protection obligations as are imposed on the “Processor” under this DPA. the “Processor” will be liable to the “Controller” for performance of such obligations by the “Sub-Processor’s”. A list of “Sub-Processor’s” approved in writing as at the date of this DPA has been made available to the “Controller” as of the date hereof. the “Processor” may change this list by not less than thirty (30) days’ notice in writing thereby giving the “Controller” the opportunity to object to such changes.

 

1.10.  the “Controller” acknowledges that as part of the “Services” the “Controller” Personal Data may located in or accessed from the US or another Relevant Country. Where this involves the “Processor” or its Affiliates, the following Clauses apply:

1.10.1.   Where the “Processor” processes Personal Data in the course of providing the “Services” that originates from the EEA, UK, and/or Switzerland, the “Processor” agrees to comply with (and shall ensure any “Sub-Processor” complies with) the provisions of the Model Clauses that are applicable to data importers, which are incorporated by reference and form an integral part of the Agreement. The “Processor” acknowledges that the “Controller” will be the data exporter.

1.10.2.   the “Controller” agrees to grant third party beneficiary rights to Data Subjects as set out in Clause 3 of the Model Clauses, provided that the “Processor’s” liability shall be limited to the “Processor’s” own Processing operations;

1.10.3.   the “Controller” agrees that it’s obligations under the Model Clauses shall be governed by the laws of the Member States (or the UK as applicable) in which the “Controller” is established;

1.10.4.   the “Parties” agree that for the purposes of clause 5(h) and 11 of the Model Clauses, the “Controller” consents to the “Processor” “Sub-contracting its Processing operations in accordance with the provisions set out in Clause 1.11 of this DPA;

1.10.5.   the “Parties” agree that any rights of audit, pursuant to clause 5(f) and 12 (2) of the Model Clauses, will be exercised in accordance with Clause1.9 of this DPA; and

1.10.6.   the “Parties” agree that, Schedules 1 and 2 of this DPA will take the place of Appendices 1 and 2 of the Model Clauses respectively.

1.10.7.   It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflicts with any provision of this DPA, the Model Clauses shall prevail. In no event does the DPA restrict or limit the rights of any Data Subject or of any competent supervisory authority.

 

 

2.         MISCELLANEOUS

 

2.1.   The obligations set forth herein shall survive so long as the “Processor” and/or its “Sub-Processors” process the “Controller” Personal Data.

 

2.2.   Any failure by the “Processor” to comply with any of the provisions of this DPA or applicable Data Privacy Laws shall be considered a material breach of the Agreement.

 

2.3.   The terms of this DPA supersede and extinguish any and all terms relating to data protection or Personal Data in the Agreement. In the event of any conflict or inconsistency between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail. Save as specifically modified and amended in this DPA, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this DPA.


 

SCHEDULE 1

DATA PROCESSING INFORMATION

 

Data Subjects

The Personal Data transferred concern the following categories of Data Subjects:

Employees/ collaborators and or Customers of the “Controller”

Categories of data

The Personal Data transferred concern the following categories of data:

Contact Data; Customer feedback data on the “Controller’s” Service/ Products; Customer’s usage of the “Controller’s” services and website/ tools, plus any other categories that the “Controller” submits to the “Services” via its users’ input.

 

Processing operations

The Personal Data transferred will be Subject to the following basic processing activities:

Hosting and processing in the sense of both enabling communications, and the performance of analytics by the “Services” over Personal Data, which constitutes “Profiling” activities as determined under the GDPR.


SCHEDULE 2

SECURITY MEASURES

1.             Access control of processing areas

the “Parties” hereby commit to having implement suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment used to process the Personal Data. This is accomplished by:

Having performed a Corporate DPIA as determined under article 35 of the GDPR based on market best standards (e.g. ISO 27001 and ISO 27701; ISO 19000; SOC2; other…); raised existing non-compliance points and having defined, documented and implemented adequate mitigation actions

 

2.             Access control to data processing systems

the “Parties” hereby commit to having implemented suitable measures to prevent its data processing activities from being used by unauthorized persons. This is accomplished by:

Technological Mechanisms as well as Policies have been set in place to mitigate any potential risk of having the Personal Data under Processing’ Security and Confidentiality compromised by allowing unauthorized 3rd parties access to it.

 

3.             Access control to use specific areas of data processing systems

the “Controller” ensures that the natural persons who acts as its users before the “Services” are only able to access the data within scope and to the extent covered by their respective access permission (authorization) and that the Personal Data cannot be read, copied or modified or removed without authorization. This is accomplished by:

Having stratified users and attributed access permissions as per user profile based on needed professional activities that contribute to the delivery of the “Services”, plus having set in place operational and technological safeguards.

 

4.             Transmission control

the “Processor” has implemented suitable measures to prevent the Personal Data from being read, copied, altered or deleted by unauthorized parties during the transmission thereof or during the transport of the data media and to ensure that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged.

 

5.             Instructional control

the “Controller” ensures that Personal Data may only be processed in accordance with the “Terms of Service”. This is accomplished by the “Controller’s” users having clearly defined roles within the scope of the “Services” and observing by the legal requirements while accessing the Personal Data under Processing.