Corsearch Data Protection Agreement

Corsearch B.V. a private limited company registered in the Netherlands with KVK 54875625 of Naritaweg 116, 1043 CA Amsterdam, the Netherlands (“Corsearch”); and (“Customer”).

This Data Protection Agreement (“DPA”) forms part of Corsearch Master Services Agreement or other written agreement entered into between Corsearch and the Customer (the “Agreement”).

1. Definitions

The following words when appearing with a capital letter, have the meaning set forth below. Any capitalised terms used but not defined herein have the meanings set forth in the Agreement.

“Customer Personal Data” means any personal data as described in Schedule A, processed for or on behalf of Customer under or in connection with the Agreement, including in the provision of the Services, but excluding any User Data.

“Data Breach” means any accidental or unlawful destruction, loss, alteration, loss of control over, unauthorised disclosure of or access to Customer Personal Data suffered by Corsearch or any Sub-processor of which Corsearch becomes aware during the Term, except when such breach is caused by Customer or any User.

“Data Protection Laws” means all applicable laws and regulations related to data protection that are applicable to the processing of Customer Personal Data under the Agreement including but not limited to EU General Data Protection Regulation 2016/679 (“GDPR”), the GDPR as enacted by the United Kingdom (“UK GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”) including as modified by the California Privacy Rights Act of 2020 and its implementing regulations (“CPRA”), and the Personal Information Protection Law of the People’s Republic of China (“PIPL”) in each case to the extent in force, and as updated, amended or replaced from time to time.

“International Transfer” means a transfer of Customer Personal Data between the Parties, from the European Economic Area (“EEA”), the United Kingdom, and/or Switzerland to a third country which is not determined to provide adequate protection for Customer Personal Data under the Data Protection Laws.

“Privacy Request” means, in respect of Customer Personal Data: (i) a validated request from a data subject to exercise any of its rights under the Data Protection Laws; or (ii) any complaint, notice or other communication from a data subject or supervisory authority, government authority or judicial body.

“SCCs” means the contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021, as adopted, amended or replaced by the European Commission; and/or, the UK International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State (as applicable).

“Sub-processor” means any third party which is engaged by Corsearch to carry out processing activities in respect of Customer Personal Data.

“User Data” means the personal data relating to Users, processed by Corsearch for its own purposes, including: (a) providing and ensuring the security of the Services; (b) granting Customer and its Users access to Customer Personal Data; (c) processing account information and invoicing; and (d) communicating with Customer in order to comply with its obligations under the Agreement.

“adequacy decision”, “controller”, “data subject”, “process”/“processing” (and any other derivations thereof), “processor”, “third country”, “business”, “consumer”, “personal data”, “sell”, “share”, “sensitive personal data”, “service provider” and “supervisory authority” each have the meanings specified in Data Protection Laws.

2. General Terms

2.1. Roles. With respect to each Party’s processing of Customer Personal Data, the Parties agree that Customer acts as the controller and Corsearch acts as the processor, provided, however, the parties acknowledge and agree that Corsearch will be an independent controller in relation to the processing of User Data.

2.2 Compliance with laws. In its processing of Customer Personal Data, each Party will comply with the Data Protection Laws governing such Customer Personal Data whilst in its control.

2.3 Customer Obligations. Customer, for the duration of the processing of Customer Personal Data, will:

2.3.1 determine the purposes and means of the processing of Customer Personal Data;
2.3.2 ensure that its instructions to Corsearch to process Customer Personal Data are and will be lawful;
2.3.3 be entitled to transfer the User Data to Corsearch; and
2.3.4 not disclose any Sensitive Personal Data to Corsearch.

3. Details of the Processing

3.1 Schedule A sets out the purposes and duration of processing, the types of personal data, categories of data subjects and nature of the processing. If Schedule A requires updating at any time during the Term, the Parties will work together in good faith to mutually agree upon an updated Schedule A in writing.

3.2 Corsearch will process Customer Personal Data:

3.2.1 solely to the extent necessary and for the limited purpose of fulfilling its obligations under the Agreement; and
3.2.2 in accordance with the lawful documented instructions of Customer, unless Corsearch is otherwise required to do so to comply with any Data Protection Laws, in which case, Corsearch will provide notice to Customer of such legal requirement, unless prohibited to do so by law.

3.3 Corsearch will immediately inform Customer if, in its reasonable opinion, an instruction from Customer in relation to the processing of Customer Personal Data infringes Data Protection Laws. In such event, Corsearch will not be in breach of the Agreement or liable in any way for its failure to carry out such processing.

4. Data Security and Data Breaches

4.1 Corsearch will ensure that all persons who process Customer Personal Data:

4.1.1 have committed themselves to confidentiality or are otherwise under an appropriate statutory obligation of confidentiality, each at least as protective of Customer Personal Data as the Agreement and this DPA;
4.1.2 to Corsearch’s commercially reasonable endeavours, have sufficient skills and training in the handling of Customer Personal Data; and
4.1.3 comply with the Data Protection Laws.

4.2 Corsearch will, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, implement and maintain appropriate technical and organizational measures, as detailed here. Corsearch will review and may update such technical and organizational measures from time to time, provided that any such updates will not materially decrease the overall level of security of the Customer Personal Data.

4.3 If a Data Breach occurs Corsearch will:

4.3.1. notify Customer without undue delay (and in any event within 72 hours) after becoming aware of such Data Breach;
4.3.2. provide all reasonably necessary information (in phases and without undue further delay where the information is not available in its entirety), including at least:

a. the nature of the Data Breach including where possible, the categories and approximate number of data subjects and personal data records concerned;
b. the name and contact details of the contact point for more information;
c. the likely consequences of the Data Breach;
d. the measures taken to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;

4.3.3. provide cooperation and assistance reasonably requested by Customer to comply with its obligations under the Data Protection Laws;
4.3.4. take such steps reasonable to remediate the cause of and mitigate the impact of the Data Breach; and
4.3.5. except to the extent required by relevant Data Protection Laws, not make any notification to any third party (including any supervisory authority or data subject) in relation to the Data Breach.

4.4 Customer agrees to coordinate with Corsearch in good faith regarding the content of any public statements and/or any required notices to the affected data subjects and/or relevant supervisory authorities Customer makes, in each case if it specifically refers to Corsearch, Corsearch’s employees, any Sub-processor and/or the Services, regarding any Data Breach.

5. Privacy Requests

5.1 If Corsearch receives a Privacy Request in respect of Customer Personal Data, Corsearch shall, to the extent legally permissible, (i) notify the Customer promptly following identification of the Customer as the relevant data controller; (ii) refuse the request and instruct the third party to make such request directly to Customer, and (iii) provide the third party with Customer’s contact information, without responding to such request.

5.2 If Corsearch is compelled to address such a Privacy Request, Corsearch will (where relevant) make commercially reasonable attempts to ensure that the disclosed information is proportionate and limited to the minimum amount strictly necessary for the purpose of complying with such request.

5.3 Taking into account the nature of the processing, Corsearch will provide reasonable cooperation and assistance to enable Customer to respond to or fulfill (as the case may be) a Privacy Request.

6. Data Protection Impact Assessments and Prior Consultations

Taking into account the nature of the processing and the information available to Corsearch, Corsearch will provide reasonably requested assistance to Customer to enable Customer to comply with its obligations, in respect of Customer Personal Data, to conduct data protection impact assessments and/or consult with supervisory authorities under the Data Protection Laws.

7. Sub-processors

7.1 Customer hereby provides Corsearch with a general written authorization to engage any Sub-processor(s), either directly or by any Corsearch Affiliate, that Corsearch deems necessary for the provision of the Services, including all such Sub-processors engaged by Corsearch as at the Commencement Date. Corsearch’s current Sub-processors are listed here.

7.2 Corsearch will impose on each Sub-processor data protection obligations that are of no lesser degree of protection than those set forth in this DPA.

7.3 Corsearch will remain responsible and liable to Customer for the performance of each Sub-processor’s obligations.

7.4 Corsearch will provide Customer with at least 30 days’ written notice of any intended changes concerning the addition or replacement of Sub-processors. Corsearch provides Customer, via the aforementioned link, with a mechanism to subscribe to receive updates to the list of Sub-processors, to which Customer will subscribe to receive such notifications.

7.5 Customer may object to the appointment of any Sub-processor if that Sub-processor has objectively caused or is likely to cause a risk to the security and safe handling of Customer Personal Data or to Customer’s ability to comply with Data Protection Laws. Otherwise, Customer will not unreasonably object to the appointment of any such new Sub-processor, and if Customer does not object in writing to the appointment of any such new Sub-processor in accordance with this clause, Customer will be deemed to have approved such appointment.

7.6 If within ten (10) days of Customer’s receipt of the notice, Customer reasonably objects in writing to Corsearch to the appointment of such new Sub-processor, Parties will work together in good faith to determine a mutually agreeable resolution to address such objection, including where possible, by Corsearch continuing to provide the Services without the involvement of such new Sub-processor. If the Parties do not reach a mutually agreeable resolution and Corsearch is reasonably unable to continue to provide the Services without the involvement of such new Sub-processor, each Party will have the right to terminate the relevant portion of the Services to which such new Sub-processor is intended to relate (if not possible, the Agreement as a whole) immediately on written notice to the other Party. Nothing in this Clause will relieve Customer of any fee payment obligations in respect of the Services rendered by Corsearch and received by Customer until the date of termination hereunder.

8. International Transfers

8.1 Corsearch may, as necessary to provide the Services, transfer Customer Personal Data to its Affiliates, and/or Sub-processors outside the EEA, provided such transfer (and any subsequent processing) is carried out in accordance with the Data Protection Laws.

8.2 Where Customer Personal Data is transferred to a third country and such transfer constitutes an International Transfer under Data Protection Laws, Corsearch will enter into the relevant SCCs, with Customer and each of its Affiliates and Sub-processors, as applicable. The SCCs executed by the Parties, as set forth here, are incorporated into this DPA, and through this DPA or by using the Services. If any SCCs the Parties rely on are updated or otherwise invalidated, Parties agree that such new or updated SCCs as may be prescribed by Data Protection Laws will apply between the Parties without need to amend this DPA. Corsearch reserves the right to make such changes which Parties are legally required to implement at the foregoing link.

8.3 In the event of a conflict between this DPA and the applicable SCCs, the terms of the applicable SCCs will prevail.

9. Data Retention and Deletion

9.1 Following expiry or termination of the Agreement for any reason, Corsearch may retain the Customer Personal Data for up to 30 days. Thereafter, unless retention is required by Data Protection Laws, Corsearch shall promptly delete Customer Personal Data, which will not include copies of personal data processed on behalf of another customer of Corsearch, processed by Corsearch and/or any Sub-processor.

9.2 Provided Customer gives Corsearch at least 30 days’ prior written notice, Corsearch shall return all existing copies of the Customer Personal Data to the Customer.

10. Audit

Customer or any third-party auditor that Customer instructs which is bound by reasonable confidentiality obligations, may audit Corsearch’s compliance with this DPA, by and through:

a. requiring Corsearch to complete Customer’s security assessment questionnaire; and/or
b. to the extent applicable and available to Corsearch, requesting copies of appropriate information, records, certifications and audit reports issued by reputable independent third parties, provided that there have been no material changes to the controls used by Corsearch since the certification or audit report was issued.

11. Data Protection Laws Specific Provisions

11.1 CCPA / CPRA. This Section applies solely if Customer Personal Data is subject to the CCPA / CPRA:

11.2.1. the following definitions will be further interpreted to refer to the corresponding definition under the CCPA: “Customer” means “Business”; “Corsearch” means “Service Provider” and “personal data” means “Personal Information”.
11.2.2. Corsearch will not (a) sell or share Customer Personal Data or disclose Customer Personal Data for targeted advertising or profiling purposes, (b) retain, use or disclose Customer Personal Data for any purpose (including a commercial purpose) other than for providing the Services under the Agreement, or as otherwise permitted under the CCPA (c) save for the purpose of performing the Services under the Agreement, retain, use or disclose Customer Personal Data outside of the direct business relationship between Customer and Corsearch, or (d) combine Customer Personal Data with Personal Information received from another source.

11.2 PIPL. This Section applies solely if Customer Personal Data is subject to the PIPL:

12.2.1. the following definitions will be further interpreted to refer to the corresponding definition under the PIPL: “Personal Data” means “Personal Information”; “Customer” means “Personal Information Processor”; “Corsearch” means “Entrusted Party”; and “Sensitive Data” means the personal information that is likely to result in damages to the personal dignity of any natural person or damages to his or her personal or property safety once divulged or misappropriated, including the personal information regarding biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14.
11.2.2. Under this Agreement, Corsearch solely processes Personal Information which has been made public by the data subjects themselves.
11.2.3. International Transfers are deemed cross-border Personal Information transfers under the PIPL and Corsearch is responsible for implementing adequate and applicable measures, as defined under this DPA and Data Protection Laws, to ensure that such transfers are made in compliance with the PIPL.

SCHEDULE A – SCOPE OF PROCESSING

Purpose of Processing: Providing Services to Customer in accordance with the Agreement.

Nature of Processing:
Receiving data, including collection, accessing, retrieval, recording and data entry;
Holding data, including storage, organisation and structuring;
Using data, including analysing and testing;
Updating data, including correcting and rectifying;
Enabling access to data by Customer and Users; and
Returning the data to Customer (and if requested erasing or destroying data).

Categories of Data Subjects: Sellers and advertisers of potential counterfeits of Customer’s products/services and/or potential infringers of Customer’s Intellectual Property Rights.

Categories of Personal Data: Publicly available information relating to, and as published by the data subjects or otherwise accessible from public register, or where not publicly available, as provided by Customer, including (where applicable and if available):
– names;
– contact details (including phone numbers, addresses and email addresses);
– IP addresses;
– bank account numbers;
– social media accounts linked to the data subjects and related user names and posts; and
– website information (including, where applicable, domain registrant information).

Data Retention Periods: For the duration of the Agreement. Where available and applicable, Corsearch Platform(s) retention periods, as set forth under the Agreement, will apply.

Frequency of Processing (and/or Transfer): On a continuous basis.