Case Study

Iconic Red Umbrella Precipitates Trademark Infringement Suit

Read

Blog

Iconic Red Umbrella Precipitates Trademark Infringement Suit

Read
How we do it

Case Study

Iconic Red Umbrella Precipitates Trademark Infringement Suit

Read

Blog

Iconic Red Umbrella Precipitates Trademark Infringement Suit

Read
How we do it

Case Study

Iconic Red Umbrella Precipitates Trademark Infringement Suit

Read

Blog

Iconic Red Umbrella Precipitates Trademark Infringement Suit

Read
How we do it

[Will be completed alongside Content Library]

Content Library

Featured Content

Iconic Red Umbrella Precipitates Trademark Infringement Suit

  • Brand Protection
How we do it

Press release

Iconic Red Umbrella Precipitates Trademark Infringement Suit

Read

Company news

Iconic Red Umbrella Precipitates Trademark Infringement Suit

Read

Speak to one of our experts

Find out how Corsearch can help you establish, monitor, and protect your brand with confidence.

Corsearch expert analysts
  • Instantly identify IP opportunities and threats
  • Harness expertise and advanced AI to reduce cost
  • Act fast using reliable data and intuitive dashboards
  • Report effectively on the revenue you’re protecting

Corsearch is trusted by:

  • Corsearch client - Decathlon
  • Corsearch Client - Mondelez
  • Corsearch Client - Unilever
  • Corsearch customer - Brother

Brand Protection – Data Protection Terms

  1. Definitions

1.1       Any capitalised terms used but not defined herein have the meanings set forth in the Agreement (including the License and Service Agreement and Corsearch’s Terms & Conditions).

1.2       The following words and expressions have the following meanings in these Data Protection Terms:

(a)        “Affiliate” means any entity which directly or indirectly controls, is controlled by, or is under common control with a Party.  “Control” for the purpose of this definition means the direct or indirect ownership or control of more than 50% of the voting interests of the relevant entity;

(b)       “Corsearch Platform” mean Corsearch’s proprietary platform, wherein sits the ZERO platform, through which: (i) Corsearch provides and the Customer receives the Services; and (ii) Corsearch provides the Customer access to the Data;

(c)        “Data” means the types of Personal Data relating to the categories of data subjects as determined by the Customer and as described in Schedule A hereto, in each case to the extent processed by or on behalf of Corsearch for or on behalf of the Customer under or in connection with the Agreement, including in the provision the Services;

(d)       “Data Breach” means any personal data breach in respect of the Data suffered by Corsearch or any Subprocessor of which Corsearch becomes aware during the Term, except to the extent that such breach is caused by the Customer or any User;

(e)        “Data Protection Laws” means all applicable laws and regulations related to data protection, privacy and/or the processing of Personal Data to which either Party, as applicable, is subject in connection with their respective processing of the Data, including the GDPR, and all national or Member State legislation that implements, amends, transposes or provides for any derogations in respect of such laws;

(f)        “Data Subject Request” means a lawful request from or on behalf of a data subject in respect of the Data to exercise such data subject’s rights provided in the Data Protection Laws with respect to their Personal Data, including pursuant to Chapter III of the GDPR, such as rights of access, rectification, erasure, restriction and objection;

(g)        “EEA” means the European Economic Area;

(h)       “EU” means the European Union;

(i)         “GDPR” means the EU General Data Protection Regulation 2016/679;

(j)         “Member State” means the United Kingdom and any applicable member state of the EU and EEA;

(k)        “Processor Standard Clauses” has the meaning specified in Clause 9.2;

(l)         “Subprocessor” means any third party, including any Corsearch Affiliate: (i) who is engaged by Corsearch or by any Corsearch Affiliate to carry out specific processing activities in respect of the Data; or (ii) to whom Corsearch or any Corsearch Affiliate subcontracts any of its obligations under or in connection with these Data Protection Terms;

(m)      “User” has the meaning given to term “Authorized Person” in Corsearch’s Terms & Conditions;

(n)       “User Personal Data” means the Personal Data relating to Users, as required, determined and processed by Corsearch for its own purposes, including in order to: (i) provide and ensure the security of the Services; (ii) grant the Customer and its Users access to the Data; and (iii) communicate with the Customer in order to comply with its obligations under the License and Service Agreement; and

(o)       “controller”, “data subject”, “international organisation”, “process”/“processing” (and any other derivations thereof), “processor”, “personal data breach”, “third country”, “special categories of personal data” and “supervisory authority” each have the meanings specified in the GDPR and “data importer” has the meaning specified in Processor Standard Clauses.

  1. General

2.1       Roles:  With respect to each Party’s processing of the Data, the Parties agree that: (a) the Customer is and will at all times remain the controller; and (b) Corsearch is and will all times remain the Customer’s processor. Notwithstanding the foregoing, the Customer acknowledges and agrees that Corsearch will be an independent controller in relation to the User Personal Data.

2.2       General Compliance.  In its respective processing of the Data, each Party shall comply with, and assumes responsibility and liability under its respective obligations pursuant to, the Data Protection Laws.  Corsearch shall at all times comply with its obligations under the Data Protection Laws regarding its processing of the User Personal Data.

  1. Customer Obligations.

3.1       The Customer shall process the Data at all times in accordance with the Data Protection Laws and represents and warrants to Corsearch that:

(a)        it is responsible for determining the types of Personal Data and categories of data subjects comprised within the Data;

(b)       it is responsible for establishing and has established a valid and lawful legal basis for its (and, solely in accordance with these Data Protection Terms, Corsearch’s) processing of the Data and the associated purposes for such processing, in each case in accordance with the Data Protection Laws;

(c)        its instructions to Corsearch to process the Data are and will be lawful; and

(d)       where applicable, it is entitled to transfer the User Personal Data to Corsearch and all such transfers of the User Personal Data from or on behalf of the Customer to Corsearch will be carried out lawfully and in accordance with the Data Protection Laws.

3.2       Customer shall ensure that each User is made aware of Corsearch’s applicable privacy practices regarding User Personal Data, as described the Corsearch Privacy Policy as shown on its website.

3.3       Subject at all times to Corsearch’s compliance with its obligations under these Data Protection Terms and to the limitations of liability specified in the Agreement, the Customer shall hold Corsearch harmless from any liability or losses suffered by Corsearch or any Corsearch Affiliate arising directly or indirectly from: (i) any processing of the Data by the Customer in breach of its obligations under these Data Protection Terms or the Data Protection Laws; and/or (ii) any breach of the Customer’s warranties in Clause 3.1.

  1. Subject Matter, Duration and Nature of the Data and Processing

4.1       The Customer agrees that the purposes of processing, the types of Personal Data and categories of data subjects and nature of the processing in relation to the Data are set out in Schedule A hereto.  To the extent that Schedule A requires updating at any time during the Term, including to ensure either or both Parties’ continued compliance with the Data Protection Laws, the Parties shall work together in good faith to update Schedule A accordingly, provided, however, no amendment to Schedule A may be made without the prior written approval of Corsearch.

4.2       The duration of Corsearch’s processing of the Data will be the same as the Term (or, if shorter, until expiry of the relevant Services to which its processing of the Data relates), provided, however, Corsearch acknowledges and agrees that its obligations under these Data Protection Terms with respect to the Data will apply to Corsearch for so long as Corsearch or any Subprocessor processes the Data under or in connection with the Agreement.

4.3       Subject to the remainder of this Clause 4, Corsearch shall (and shall ensure that each person it authorises to process the Data, including each Subprocessor, will) process the Data:

(a)        in accordance with the Data Protection Laws;

(b)       solely to the extent necessary and in such manner as is necessary in connection with the provision of the Services; and

(c)        in accordance with the lawful documented instructions of the Customer, unless Corsearch is otherwise required to do so to comply with any applicable EU or Member State law or other relevant Data Protection Law (in which case, Corsearch shall provide prior notice to the Customer of such legal requirement, unless that law prohibits such disclosure on important grounds of public interest).

4.4       The Customer acknowledges and agrees that its instructions with respect to Corsearch’s processing of the Data are set out in the Agreement (including these Data Protection Terms) and that any additional instructions regarding the processing of the Data agreed between the Parties may be subject to additional fees, in particular to the extent that such instructions are outside the scope of the Services or are not otherwise explicitly covered in the Agreement.

4.5       Corsearch shall immediately inform the Customer if, in its opinion, an instruction from the Customer in relation to the processing of the Data infringes the Data Protection Laws or any applicable EU or Member State data protection provisions, provided, however, the Customer acknowledges and agrees that CBP is not responsible or liable for providing the Customer with any form of legal advice.

4.6       Other than expressly set out in these Data Protection Terms, Corsearch is not and will not be liable to the Customer or any other third party for any processing of the Data not contemplated by the Agreement or these Data Protection Terms, including without limitation:

(a)        any collection or other direct processing of the Data by the Customer or any Customer Affiliate;

(b)       processing of the Data by Users and other third parties (other than Subprocessors); and/or

(c)        processing of the Data for purposes not communicated to and agreed by Corsearch.

  1. Security and Data Breaches

5.1       Corsearch shall ensure that all persons it authorises to process the Data for or on behalf of Corsearch in the provision of the Services (including its employees and Subprocessors) have committed themselves to confidentiality or are otherwise under an appropriate statuary obligation of confidentiality.

5.2       Corsearch shall take reasonable commercially reasonable steps to ensure the reliability of those of its employees and Subprocessors and use all reasonable endeavours to ensure that such persons have sufficient skills and training in the handling of Personal Data and comply with the Data Protection Laws.

5.3       Having regard to the nature of the Data, Corsearch shall implement (and maintain throughout the Term) appropriate technical and organizational measures to secure the Data and take all measures in this regard as required pursuant to Article 32 of the GDPR, including the measures described in Appendix 2 of the Processor Standard Clauses.  To the extent that the Customer requires Corsearch to implement any additional technical and organisational security measures in respect of the Data that: (a) are specific to the Customer; and/or (b) differ from Corsearch’s measures in place as at the Commencement Date, Corsearch reserves the right to do so at the Customer’s sole cost and expense.

5.4       At the Customer’s sole cost and expense and taking into account the nature of processing and information available to Corsearch, Corsearch shall provide such assistance as the Customer reasonably requests for the Customer to comply with its obligations pursuant to Article 32 of the GDPR regarding the Data.

5.5       Corsearch shall without undue delay (and in any event within 72 hours) notify the Customer in writing after becoming aware of a confirmed Data Breach.  Taking into account the information available to Corsearch, Corsearch shall use reasonable endeavours to include the following information in such notification:

(a)        a description of the Data Breach including, where possible, the approximate number of data subjects and Personal Data records concerned;

(b)       the likely consequences of the Data Breach;

(c)        the measure(s) taken or proposed to be taken by Corsearch to address the Data Breach including and, where appropriate, to mitigate its possible adverse effects; and

(d)       details of a contact point within Corsearch where the Customer can obtain further information or updates in relation to the Data Breach,

provided, however, in the event that all such information is not available to Corsearch or Corsearch is otherwise unable to provide all such information at the same time, Corsearch is permitted to provide such information in phases without undue further delay.

5.6       Corsearch shall use commercially reasonable endeavours to identify the cause of any Data Breach and take such steps as Corsearch deems necessary and reasonable in the circumstances to remediate the cause of and minimise any damage resulting from such Data Breach, to the extent that such remediation is within Corsearch’s control.

5.7       The Customer acknowledges and agrees that it is solely responsible under the Data Protection Laws for the notification of any Data Breaches to the affected data subjects and/or applicable supervisory authorities.  Without prejudice to the foregoing and taking into account the nature of the processing and the information available to Corsearch, Corsearch shall provide such assistance to the Customer as the Customer reasonably requests in order for the Customer to comply with its obligations under the Data Protection Laws to notify or report Data Breaches, including pursuant to Articles 33 and 34 of the GDPR.

5.8       The Customer agrees to coordinate with Corsearch in good faith regarding the content of any public statements and/or any required notices to the affected data subjects and/or relevant supervisory authorities, in each case which specifically refers to Corsearch, Corsearch’s employees, any Subprocessor and/or the Services, regarding any Data Breach.

  1. Data Subject Requests

6.1       In the event that the Customer receives any Data Subject Requests during the Term (including any such requests forwarded from Corsearch to the Customer pursuant to Clause 6.2), at the Customers sole cost and expense and taking into account the nature of the processing, Corsearch shall assist the Customer by appropriate technical and organizational measures and provide such assistance as the Customer reasonably requests, in each case in so far as this is possible, for the Customer to comply with its related obligations pursuant to the Data Protection Laws, including pursuant to Chapter III of the GDPR.

6.2       In the event that Corsearch (or any Subprocessor) receives a Data Subject Request directly, to the extent that Corsearch is reasonably able to identify that the Customer is the controller of the relevant data subject’s Personal Data (including where the Customer is explicitly named in the Data Subject Request), Corsearch shall use commercially reasonable endeavours to promptly forward the Data Subject Request to the Customer without responding to such request.

6.3       Unless expressly agreed otherwise by Corsearch in writing, Corsearch is not (and will under no circumstances be) required to respond or reply to a Data Subject Request received by the Customer, Corsearch or any Subprocessor.

  1. Data Protection Impact Assessments and Prior Consultations

At the Customer’s sole cost and expense and taking into account the nature of the processing and the information available to Corsearch, Corsearch shall provide such assistance to the Customer as the Customer reasonably requests in order for the Customer to comply with its obligations in respect of the Data to conduct data protection impact assessments and consult with supervisory authorities under the Data Protection Laws, including pursuant to Articles 35 and 36 of the GDPR.

  1. Subprocessors

8.1       Subject to Corsearch’s compliance with the remainder of this Clause 8 and its other relevant obligations in these Data Protection Terms, the Customer hereby provides Corsearch with a general written authorization to engage any Subprocessor(s) that Corsearch deems desirable and necessary in connection with its processing of the Data and/or the provision of the Services, including all such Subprocessors engaged by Corsearch as at the Commencement Date.  The Customer agrees that, subject to Corsearch’s compliance with its other obligations in this Clause 8, any such Subprocessors may be engaged by Corsearch directly or by any Corsearch Affiliate.

8.2       Corsearch shall comply with the requirements for subprocessing set forth in the Data Protection Laws, including to contractually impose on each Subprocessor (or procure the imposition on each Subprocessor of) data protection obligations that are no less protective that those set forth in these Data Protection Terms.

8.3       In the event that any Subprocessor fails to fulfil its data protection obligations, subject to the limitations of liability set forth in the License and Service Agreement, Corsearch shall remain fully liable to the Customer for the performance of each Subprocessor’s obligations.

8.4       Corsearch shall provide the Customer with at least 30 days’ written notice of any intended changes concerning the addition or replacement of Subprocessors hereunder.

8.5       Customer shall not unreasonably object to the appointment of any such new Subprocessor by  or any Corsearch Affiliate and if the Customer does not object in writing to the appointment of any such new Subprocessor in accordance with Clause 8.6, the Customer will be deemed to have approved such appointment.

8.6       If within seven (7) days of the Customer’s receipt of the notice described in Clause 8.4, the Customer reasonably objects in writing to Corsearch to the appointment of such new Subprocessor based on objectively justifiable grounds relating to the ability of such new Subprocessor to adequately protect or process the Data in accordance with these Data Protection Terms or the Data Protection Laws, the Parties shall work together in good faith to determine a mutually agreeable resolution to address such objection, including where possible, by Corsearch continuing to provide the Services without the involvement of such new Subprocessor.  To the extent that the Parties do no reach a mutually agreeable resolution during such seven (7) day period and Corsearch is reasonably unable to continue to provide the Services without the involvement of such new Subprocessor, each Party will have the right to terminate the relevant portion of the Services to which such new Subprocessor is intended to relate (or if this is not possible, the Agreement) immediately on written notice to the other Party.  Nothing in this Clause 8.6 will relieve the Customer of any fee payment obligations in respect of the Services rendered by Corsearch and received the Customer until the date of termination hereunder.

  1. International Transfers

9.1       Without prejudice to its other obligations in these Data Protection Terms, Corsearch may:

(a)        process the Data on or through its and its Affiliates’ and Subprocessors’ systems, including in the EEA, United Kingdom and United States; and

(b)       transfer the Data to its Subprocessors outside the EEA and United Kingdom, provided such transfer (and any subsequent processing) is carried out in accordance with the Data Protection Laws, including:

(i)         where the country or jurisdiction in which the relevant Subprocessor is located has received an adequacy decision from the European Commission or any relevant supervisory authority under the Data Protection Laws;

(ii)        where the relevant Subprocessor is located in the United States and has certified to the EU-US Privacy Shield and remains certified to the EU-US Privacy Shield for the duration of the processing; or

(iii)       through the use of relevant standard contractual clauses approved by the European Commission or any relevant supervisory authority under the Data Protection Laws, including pursuant to the Processor Standard Clauses.

9.2       To the extent that:

(a)        the transfer of the Data from the Customer to Corsearch or any Corsearch Affiliate Subprocessor;

(b)       the transfer of the Data from Corsearch to any Corsearch Affiliate Subprocessor; or

(c)        the processing of the Data by Corsearch or any Corsearch Affiliate Subprocessor on behalf of the Customer,

constitutes a restricted cross-border transfer (or onward transfer) of the Data to a third country or international organization for the purposes of the GDPR, the Parties agree that, unless another adequate safeguard applies in accordance with the GDPR, subject to the remainder of this Clause 9 and any other applicable terms under the License and Service Agreement, all such transfers will be governed by the European Commission-approved controller to processor standard contractual clauses attached hereto at Schedule B (the “Processor Standard Clauses”).  Notwithstanding the foregoing, the Processor Standard Clauses (and any obligations imposed on data importers thereunder) will not apply to the extent that the Data is not directly or indirectly transferred (including via onward transfer) to, or processed by, Corsearch or any Corsearch Affiliate outside the EEA or, subject to Clause 9.3, the United Kingdom.

9.3       Where any Corsearch Affiliates located in the United Kingdom are listed as data importers in appendix 3 of the Processor Standard Clauses, the Processor Standard Clauses will not apply to such Corsearch Affiliates unless and until Article 44 of the GDPR applies to the transfer of Data to such Corsearch Affiliates and such transfer is not otherwise permitted pursuant to Article 45 of the GDPR.  For the avoidance of doubt, the Processor Standard Clauses will only apply to data importers located in the United Kingdom where: (i) the United Kingdom has left the EU; (ii) any applicable transitional period, during which time transfers of Personal Data to the United Kingdom are not restricted under Article 44 of the GDPR, has ended; and (iii) the United Kingdom has not been granted an adequacy decision under the Data Protection Laws by the European Commission or any applicable supervisory authority.

9.4       In the event of a conflict between these Data Protection Terms and the Processor Standard Clauses, the terms of the Processor Standard Clauses will prevail, save that the Customer acknowledges and agrees:

(a)        any breach of the Processor Standard Clauses by any data importer listed therein will be deemed to be a breach of the Processor Standard Clauses by Corsearch and the Customer will accordingly have no direct cause of action and may not make any claim or bring any other cause of action against any Corsearch Affiliate for such breach other than against Corsearch;

(b)       Corsearch’s aggregate liability to the Customer in relation to the Processor Standard Clauses will not under any circumstances exceed the limitations of liability set forth in the Agreement;

(c)        the audits described in clause 5(f) and clause 12(2) of the Processor Standard Clauses will be carried out in accordance with Clause 11 of these Data Protection Terms; and

(d)       copies of any Subprocessor agreements to be provided pursuant to clause 5(j) of the Processor Standard Clauses will only be provided upon the request of the Customer and may have all commercial information and any other unrelated clauses or information redacted by Corsearch.

  1. RETURN OR DELETION

10.1     At the choice of the Customer, Corsearch shall promptly following expiry or termination of the Agreement for any reason delete or return to the Customer (or procure the deletion of or return to the Customer of) all the Data then processed by CBP and/or any Subprocessor, and subject to Clause 10.2, delete (or procure the deletion of) existing copies of such Data, unless applicable EU or Member State law or other relevant data protection law(s) requires storage of such Data.

10.2     The Customer acknowledges and agrees that any obligation on Corsearch to delete (or procure the deletion of) existing copies of the Data under Clause 10.1 shall in no way require Corsearch to delete any copies of Personal Data relating to same data subjects as comprised within the Data, to the extent that such Personal Data was obtained by or on behalf of Corsearch for another customer independently of its provision of the Services to the Customer.

  1. Audit

11.1     Corsearch shall make available to Customer all information necessary to demonstrate compliance with its obligations under these Data Protection Terms, and subject to remainder of this Clause 11, shall allow for and contribute to audits (including inspections) performed by the Customer (or another third-party auditor mandated by the Customer) solely in order to verify Corsearch’s compliance with its obligations as a processor under these Data Protection Terms.

11.2     If a third-party auditor is to conduct the audit or inspection (as applicable) on behalf of the Customer, the third party must be mutually agreed to by Parties (except if such third party is a competent supervisory authority).  Corsearch shall not unreasonably withhold its approval to a third-party auditor requested by the Customer; provided, however, such third party must execute a written confidentiality agreement reasonably acceptable to Corsearch or otherwise be bound by a statutory confidentiality obligation before conducting the audit.

11.3     Regarding any audit or inspection carried out by or on behalf of the Customer pursuant to Clause 11.1:

(a)        such audit or inspection may only be conducted once during each consecutive 12-month period beginning on the Commencement Date during the Term, provided, however, additional audits may be carried out by or on behalf of the Customer solely to the extent that, pursuant to the Data Protection Laws, either:

(i)         the Customer is required by a supervisory authority to conduct such additional audit or inspection; and/or

(ii)        Corsearch suffers a Data Breach requiring the Customer to notify such breach to the affected data subjects and/or any applicable supervisory authority;

(b)       the Customer shall provide Corsearch at least 14 days’ prior notice in writing of its intention to carry out such an audit or inspection.  Such notice must specify at least the proposed date of the audit or inspection, as well as the facilities, documents, information and personnel (if any) that Customer wishes to audit or inspect.  The Parties shall work together in good faith to agree on a final audit plan;

(c)        the audit or inspection will be carried out at the facilities and in respect of the documents and information mutually agreed between the Parties in the final audit plan;

(d)       to the extent that the agreed scope of the audit or inspection can reasonably be addressed by:

(i)         Corsearch completing an information security (or similar) questionnaire, then the Customer shall give preference to Corsearch completing such questionnaire rather than requesting an on-site audit or inspection; or

(ii)        Corsearch providing a SOC, ISO, NIST or similar audit performed by a qualified third-party auditor within 12 months of the Customer’s audit or inspection request and Corsearch certifying in writing that there are no material changes to the controls audited, then the Customer agrees to accept such report in lieu of requesting an audit or inspection;

(e)        subject to the agreed final audit plan, such audit or inspection will take place over not more than one day during Corsearch’s normal business hours and may not unreasonably interfere with or negatively impact Corsearch’s normal business operations and activities;

(f)        for any audits or inspections conducted on Corsearch’s premises, the Customer shall (and shall ensure that any auditor mandated by the Customer will) comply with all applicable Corsearch security, confidentiality, health and safety and other relevant and commercially reasonable requirements;

(g)        the Customer shall provide Corsearch with a copy of any reports generated in relation to any such audit or inspection, unless the Customer is prohibited from doing so under the Data Protection Laws or by a supervisory authority.  Each Party shall treat the contents of any such report(s) as Confidential Information for the purposes of the Agreement.

SCHEDULE A – SCOPE OF PROCESSING

This Schedule A forms an integral part of the Data Protection Terms and must be completed by the Parties.

Purposes of ProcessingThe purposes of the processing to be carried out by the Corsearch as a processor on behalf of Customer in respect of the Data are for the provision of the Services in accordance with the Agreement, including to enable the Customer (and, where applicable, Corsearch on the Customer’s behalf) to investigate and enforce intellectual property and other rights against sellers and advertisers of potential counterfeits of the Customer’s products/services.
Nature of the ProcessingCorsearch may process the Data as necessary for the provision of the Services under the Agreement. Such processing activities may include in relation to the Data (as applicable):receiving data, including collection, accessing, retrieval, recording and data entry;holding data, including storage, organisation and structuring;using data, including analysing and testing;updating data, including correcting and rectifying;protecting data, including restricting, encrypting and securing;enabling access to data by the Customer and Users; andreturning the data to the Customer and erasing or destroying data.
Categories of Personal DataThe Data concerns the following categories of Personal Data, as determined by the Customer:publicly available information relating to, and as published by the data subjects or otherwise accessible from public register, including:names;contact details (including phone numbers, addresses and email addresses);IP addresses;bank account numbers;social media accounts linked to the data subjects and related user names and posts (where applicable and if available);website information (including, where applicable, domain registrant information); andtypes and quantity of products/services advertised, sold or otherwise made available.to the extent deemed to constitute a special category of personal data pursuant to the GDPR or any applicable law:the assertion that the data subject may have committed a criminal offence by virtue of the advertisement, sale or making available of counterfeit products/services.
Categories of Data SubjectsThe Data relates to the following categories of data subjects, as determined by the Customer:sellers and advertisers of potential counterfeits of the Customer’s products/services.

SCHEDULE B – PROCESSOR STANDARD CLAUSES

AS EXECUTED BY THE PARTIES PURSUANT TO THE LICENSE AND SERVICE AGREEMENT BUT FOR FURTHER NEED OF EXECUTION, AS APPLICABLE:

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

Name of the data exporting organization:……………………………………………………………………………….

Address: ……………………………………………………………………………….

Tel.:      ………………………………; fax:     ……………………………….; e-mail: ……………………………….

Other information needed to identify the organization:

……………………………………………………………………………………………………………………………….

(the data exporter)

And

The entities whose names and addresses are set out in Appendix 3 hereto

(each, the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

  • personal data‘, ‘special categories of data‘, ‘process/processing‘, ‘controller‘, ‘processor‘, ‘data subject‘ and ‘supervisory authority‘ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  • ‘the data exporter‘ means the controller who transfers the personal data;
  • the data importer‘ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  • the subprocessor‘ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  • ‘the applicable data protection law‘ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  • technical and organisational security measures‘ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

  • that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  • that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
  • that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
  • that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  • that it will ensure compliance with the security measures;
  • that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  • to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  • to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  • that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  • that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

  • to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  • that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
  • that it will promptly notify the data exporter about:
    • any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
    • any accidental or unauthorised access, and
    • any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
  • to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  • at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  • to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  • that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
  • that the processing services by the subprocessor will be carried out in accordance with Clause 11;
  • to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

  1. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
    • to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
    • to refer the dispute to the courts in the Member State in which the data exporter is established.
  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the laws of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
  2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

AS EXECUTED BY THE PARTIES PURSUANT TO THE LICENSE AND SERVICE AGREEMENT BUT FOR FURTHER NEED OF EXECUTION, AS APPLICABLE:

On behalf of the data exporter:

Name (written out in full):………………………………………………………………………………………………….

Position:………………………………………………………………………………………………….

Address:………………………………………………………………………………………………….

Other information necessary in order for the contract to be binding (if any):

Signature……………………………………….

On behalf of the data importer:

Name (written out in full): ………………………………………………………………………………………………….

Position:………………………………………………………………………………………………….

Address: ………………………………………………………………………………………………….

Other information necessary in order for the contract to be binding (if any):

Signature……………………………………….

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer): the “Customer” as defined in the Agreement, being the owner or licensee of certain intellectual property and other rights in or to certain products and services and which is contracting with Corsearch in order to receive certain brand protection services.

Data importer

The data importer is (please specify briefly activities relevant to the transfer): a non-EEA or UK affiliate of Corsearch, a provider of certain brand protection services, and is contracting with the data exporter in order to provide such services to the data importer.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

  • The data subjects are described in Schedule A of the Data Protection Terms.

Categories of data

The personal data transferred concern the following categories of data (please specify):

  • The categories of personal data are described in Schedule A of the Data Protection Terms.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

  • The special categories of data are described in Schedule A of the Data Protection Terms.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

  • The basic processing activities are described in Schedule A of the Data Protection Terms.

AS EXECUTED BY THE PARTIES PURSUANT TO THE LICENSE AND SERVICE AGREEMENT BUT FOR FURTHER NEED OF EXECUTION, AS APPLICABLE:

DATA EXPORTER

Name:                                                      Authorized Signature ………………………………

DATA IMPORTER

Name:                                                     Authorized Signature ………………………………

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The data importer maintains an information program comprised of appropriate policies and procedures designed to protect the personal data transferred against personal data breaches, as well as to identify and minimise security risks.  Such information security program includes:

  • network security, including firewalls or functionally equivalent technology to protect the data importer’s internet connection and network infrastructure;
  • access restrictions to the data importer’s premises, systems, devices, data and services, including by data importer employees, contractors and service providers. Access is granted only to those who have a legitimate business need for such access;
  • data importer employees, contractors and service providers are subject to appropriate confidentiality obligations;
  • appropriate secure settings for the data importer’s devices and software to ensure the personal data transferred remains secure as much as reasonably possible;
  • virus/malware protection to protect against external security intrusions;
  • where appropriate, the data employs encryption to protect the personal data transferred when at rest and when in transit;
  • software and device update installation and patching to ensure the data importer’s systems remain current regarding evolving security threats; and
  • regular and secure data backups enabling data restoration in the event of data loss or corruption.
Entity NameJurisdictionAddressContact Details
Corsearch Europe, S.A.BERue Aimé Smekens 15,
1030 Schaerbeek, Belgium.
VAT Number:
BTW BE 0430.166.888.		Diane Plaut
[email protected]
+1 646-899-2806
Corsearch, Inc.US220 West 42nd St.
11th Floor
New York, NY
10036 USA.		Diane Plaut
[email protected]
+1 646-899-2806
Corsearch Intermediate, Inc.US1209 Orange Street
Wilmington, Delaware
19801 USA		Diane Plaut
[email protected]
+1 646-899-2806
Yellow Brand Protection ABSENorrgatan 10, 432 41
Varberg Sweden
Reg. No. 556882-7033		Diane Plaut
[email protected]
+1 646-899-2806
Yellow Brand Protection Shanghai Co., Ltd.CHRoom 368, Unit 302, No.
211 Futebei Road
China, Shanghai Pilot
Free Trade Zone
Shanghai, China		Diane Plaut
[email protected]
+1 646-899-2806
PBP Research, B.V.NENaritaweg 116
1043 CA Amsterdam
Reg. No. 54875625		Diane Plaut
[email protected]
+1 646-899-2806
Corsearch UK LimitedUK3rd Floor, 1 Ashley Road, Altrincham, Chesire, WA14 2DT.Diane Plaut
[email protected]
+1 646-899-2806