Corsearch Data Protection Agreement

This Data Protection Agreement (“DPA”) forms part of the Corsearch Master Services Agreement or other written agreement entered into between Corsearch and the Customer (the “Agreement”).

To the extent Corsearch processes Customer Personal Data under the Services, this DPA applies. This DPA does not apply to Trademark Services; Corsearch does not process Personal Data on behalf of the Customer as part of Trademark Services. Corsearch acts as an independent controller within the scope of Trademark Services.

1. Definitions

The following words, when appearing with a capital letter, have the meaning set forth below. Any capitalised terms used but not defined herein have the meanings set forth in the Agreement.

“Customer Personal Data” means any personal data as described in Schedule A, processed by or on behalf of Corsearch for or on behalf of Customer under or in connection with the Agreement, including in the provision of the Services, but excluding any User Data.

“Data Breach” means any accidental or unlawful destruction, loss, alteration, loss of control over, unauthorised disclosure of or access to Customer Personal Data suffered by Corsearch or any Subprocessor of which Corsearch becomes aware during the Term, except when such breach is caused by Customer or any User.

“Data Protection Laws” means all applicable laws and regulations related to data protection that are applicable to the processing of Customer Personal Data under the Agreement including but not limited to EU General Data Protection Regulation 2016/679 (“GDPR”), the GDPR as enacted by the United Kingdom (“UK GDPR”), the California Consumer Privacy Act of 2018 (“CCPA”) including as modified by the California Privacy Rights Act of 2020 and its implementing regulations (“CPRA”), and the Personal Information Protection Law of the People’s Republic of China (“PIPL”) in each case to the extent in force, and as updated, amended or replaced from time to time.

“Data Subject Request” means a valid request from or on behalf of a data subject in respect of Customer Personal Data.

“International Transfer” means a transfer of Customer Personal Data between the Parties, from the European Economic Area (“EEA”), the United Kingdom of Great Britain and Northern Ireland (“UK”), and/or Switzerland to a third country which is not determined to provide adequate protection for Customer Personal Data under the Data Protection Laws.

“SCCs” means where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021, as adopted, amended or replaced by the European Commission (“EU SCCs”); and where the UK GDPR applies, the UK International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers, as adopted, amended or updated by the UK’s Information Commissioner’s Office, Parliament or Secretary of State (“UK SCCs”).

“Sensitive Personal Data” means any personal data related to minors, or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, health-related data, or data concerning an individual’s sex life or sexual orientation.

“Subprocessor” means any third party which is engaged by Corsearch to carry out processing activities in respect of Customer Personal Data.

“User Data” means the personal data relating to Users, processed by Corsearch for its own purposes, including: (a) providing and ensuring the security of the Services; (b) granting Customer and its Users access to Customer Personal Data; (c) processing account information and invoicing; and (d) communicating with Customer in order to comply with its obligations under the Agreement.

“controller”, “data subject”, “process”/“processing” (and any other derivations thereof), “processor”, “third country”, “business”, “consumer”, “personal data”, “sell”, “share”, “service provider” and “supervisory authority” each have the meanings specified in Data Protection Laws.

2. General Terms

2.1 Roles. With respect to each Party’s processing of Customer Personal Data, the Parties agree that Customer acts as the controller and Corsearch acts as the processor; provided, however, the Parties acknowledge and agree that Corsearch will be an independent controller in relation to the processing of User Data.

2.2 Compliance with laws. In its processing of Customer Personal Data, each Party will comply with the Data Protection Laws governing such Customer Personal Data whilst in its control.

2.3 Customer Obligations. Customer, for the duration of the processing of Customer Personal Data, will:

– determine the purposes and means of the processing of Customer Personal Data;
– ensure that its instructions to Corsearch to process Customer Personal Data are and will be lawful;
– be entitled to transfer the User Data to Corsearch; and
– not disclose any Sensitive Personal Data to Corsearch.

3. Details of the Processing

3.1 Schedule A sets out the purposes and duration of processing, the types of personal data and categories of data subjects and nature of the processing. If Schedule A requires updating at any time during the Term, the Parties will work together in good faith to mutually agree upon an updated Schedule A in writing.

3.2 Corsearch will process Customer Personal Data:

– solely to the extent necessary and for the limited purpose of fulfilling its obligations under the Agreement; and
– in accordance with the lawful documented instructions of Customer, unless Corsearch is otherwise required to do so to comply with any Data Protection Laws, in which case, Corsearch will provide notice to Customer of such legal requirement, unless prohibited to do so by law.

3.3 Corsearch will immediately inform Customer if, in its reasonable opinion, an instruction from Customer in relation to the processing of Customer Personal Data infringes Data Protection Laws. In such event, Corsearch will not be in breach of the Agreement or liable in any way for its failure to carry out such processing.

4. Data Security and Data Breaches

4.1 Corsearch will ensure that all persons who process Customer Personal Data:

– have committed themselves to confidentiality or are otherwise under an appropriate statutory obligation of confidentiality, each at least as protective of Customer Personal Data as the Agreement and this DPA;
– to Corsearch’s commercially reasonable endeavours, have sufficient skills and training in the handling of Customer Personal Data; and
– comply with the Data Protection Laws.

4.2 Corsearch will, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, implement and maintain appropriate technical and organizational measures to secure and protect the Customer Personal Data against a Data Breach, as detailed at https://corsearch.com/privacy/technical-and-organisational-measures. Corsearch will review and may update such technical and organizational measures from time to time, provided that any such updates will not materially decrease the overall level of security of the Customer Personal Data.

4.3 If a Data Breach occurs Corsearch will:

4.3.1. notify Customer without undue delay (and in any event within 72 hours) after becoming aware of such Data Breach;
4.3.2. provide all reasonably necessary information (in phases, without undue further delay, where the information is not available in its entirety), including at least:

– the nature of the Data Breach including where possible, the categories and approximate number of data subjects and personal data records concerned;
– the name and contact details of the contact point for more information;
– the likely consequences of the Data Breach;
– the measures taken to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;

4.3.3. provide all cooperation and assistance reasonably requested by Customer to comply with its obligations under the Data Protection Laws;
4.3.4. take such steps reasonable to remediate the cause of and mitigate the impact of the Data Breach; and
4.3.5. except to the extent required by relevant Data Protection Laws, not make any notification to any third party (including any supervisory authority or data subject) in relation to the Data Breach.

4.4 Customer agrees to coordinate with Corsearch in good faith regarding the content of any public statements and/or any required notices to the affected data subjects and/or relevant supervisory authorities, in each case if it specifically refers to Corsearch, Corsearch’s employees, any Subprocessor and/or the Services, regarding any Data Breach.

5. Data Subject Requests

5.1 If Corsearch receives a Data Subject Request directly, to the extent that Corsearch is reasonably able to identify that Customer is the controller of the relevant data subject’s personal data, Corsearch will use commercially reasonable endeavours to promptly forward the Data Subject Request to Customer without responding to such request.

5.2 Taking into account the nature of the processing, Corsearch will provide reasonable cooperation and assistance to enable Customer to respond to Data Subject Requests and to comply with its obligations pursuant to the relevant Data Protection Laws. To the extent legally permitted, Customer will be responsible for any reasonable costs and expenses arising from Corsearch’s assistance.

5.3 Unless expressly agreed otherwise in writing, Corsearch is not and will under no circumstances be required to respond to any Data Subject Request.

6. Governmental or Regulatory Body Requests

6.1 If Corsearch receives a request from a government or a regulatory body, including without limitation a supervisory authority request or a legally binding government access request, relating to Customer Personal Data and/or Corsearch’s processing of Customer Personal Data under this DPA, Corsearch will, unless otherwise legally prohibited, promptly notify the Customer without responding to such request and will redirect the request to Customer.

6.2 If Corsearch is legally prohibited from issuing a notice to Customer or from redirecting the request to Customer, Corsearch will (a) reject such request, unless legally required to comply with it; or (b) contest the validity of such request if it reasonably determines that the request has no legal merit.

6.3 If Corsearch is compelled to address such a request, Corsearch will make commercially reasonable attempts to secure a waiver to notify Customer and otherwise, ensure that the disclosed information is proportionate and limited to the minimum amount strictly necessary for the purpose of complying with such request.

6.4 Customer will be responsible for all of Corsearch’s costs, including Corsearch’s reasonable legal fees, actually incurred in complying with such request and/or for any reasonable costs and expenses arising from Corsearch’s assistance to Customer.

7. Data Protection Impact Assessments and Prior Consultations

Taking into account the nature of the processing and the information available to Corsearch, Corsearch will provide reasonably requested assistance to Customer to enable Customer to comply with its obligations, in respect of Customer Personal Data, to conduct data protection impact assessments and/or consult with supervisory authorities under the Data Protection Laws.

8. Subprocessors

8.1 Customer hereby provides Corsearch with a general written authorization to engage any Subprocessor(s), either directly or by any Corsearch Affiliate, that Corsearch deems necessary for the provision of the Services, including all such Subprocessors engaged by Corsearch as at the Commencement Date. Corsearch’s current Subprocessors are listed at https://corsearch.com/privacy/subprocessors.

8.2 Corsearch will impose on each Subprocessor data protection obligations that are of no lesser degree of protection than those set forth in this DPA.

8.3 Corsearch will remain responsible and liable to Customer for the performance of each Subprocessor’s obligations.

8.4 Corsearch will provide Customer with at least 30 days’ written notice of any intended changes concerning the addition or replacement of Subprocessors. Corsearch provides Customer, via the aforementioned link, with a mechanism to subscribe to receive updates to the list of Subprocessors, to which Customer will subscribe to receive such notifications.

8.5 Customer may object to the appointment of any Subprocessor if that Subprocessor has objectively caused or is likely to cause a risk to the security and safe handling of Customer Personal Data or to Customer’s ability to comply with Data Protection Laws. Otherwise, Customer will not unreasonably object to the appointment of any such new Subprocessor by Corsearch, and if Customer does not object in writing to the appointment of any such new Subprocessor in accordance with this clause, Customer will be deemed to have approved such appointment.

8.6 If within ten (10) days of Customer’s receipt of the notice, Customer reasonably objects in writing to Corsearch to the appointment of such new Subprocessor, Parties will work together in good faith to determine a mutually agreeable resolution to address such objection, including where possible, by Corsearch continuing to provide the Services without the involvement of such new Subprocessor. If the Parties do not reach a mutually agreeable resolution and Corsearch is reasonably unable to continue to provide the Services without the involvement of such new Subprocessor, each Party will have the right to terminate the relevant portion of the Services to which such new Subprocessor is intended to relate (if not possible, the Agreement as a whole) immediately on written notice to the other Party. Nothing in this Clause will relieve Customer of any fee payment obligations in respect of the Services rendered by Corsearch and received by Customer until the date of termination hereunder.

9. International Transfers

9.1 Corsearch may, as necessary to provide the Services, transfer Customer Personal Data to its Affiliates, and/or Subprocessors outside the EEA, provided such transfer (and any subsequent processing) is carried out in accordance with the Data Protection Laws.

9.2 Where Customer Personal Data is transferred to a third country and such transfer constitutes an International Transfer under Data Protection Laws, Corsearch will enter into the relevant SCCs, with Customer and each of its Affiliates and Subprocessors, as applicable. The SCCs executed by the Parties, as set forth at https://corsearch.com/privacy/sccs, are incorporated into this DPA, and through this DPA or by using the Services. If any SCCs the Parties rely on are updated or otherwise invalidated, Parties agree that such new or updated SCCs as may be prescribed by Data Protection Laws will apply between the Parties without need to amend this DPA. Corsearch reserves the right to make such changes which Parties are legally required to implement at the foregoing link.

9.3 In the event of a conflict between this DPA and the applicable SCCs, the terms of the applicable SCCs will prevail.

10. Data Retention and Deletion

Following expiry or termination of the Agreement for any reason, Corsearch will promptly delete (or at the choice of Customer return and delete, provided that Customer will provide Corsearch with at least 30 days’ prior notice), the existing copies of Customer Personal Data, which will in no event include copies of personal data processed on behalf of another customer of Corsearch, processed by Corsearch and/or any Subprocessor, unless Data Protection Laws require retention of such Customer Personal Data.

11. Audit

Customer or any third-party auditor that Customer instructs which is bound by reasonable confidentiality obligations, may audit Corsearch’s compliance with this DPA, by and through:

– requiring Corsearch to complete Customer’s security assessment questionnaire; and/or
– to the extent applicable and available to Corsearch, requesting copies of appropriate information, records, certifications and audit reports issued by reputable independent third parties, provided that there have been no material changes to the controls used by Corsearch since the certification or audit report was issued.

12. Data Protection Laws Specific Provisions

12.1 CCPA / CPRA. This Section applies solely if Customer Personal Data is subject to the CCPA / CPRA:

12.1.1. the following definitions will be further interpreted to refer to the corresponding definition under the CCPA: “Customer” means “Business”; “Corsearch” means “Service Provider” and “personal data” means “Personal Information”.
12.1.2. Corsearch will not (a) sell or share Customer Personal Data or disclose Customer Personal Data for targeted advertising or profiling purposes, (b) retain, use or disclose Customer Personal Data for any purpose (including a commercial purpose) other than for providing the Services under the Agreement, or as otherwise permitted under the CCPA, (c) save for the purpose of performing the Services under the Agreement, retain, use or disclose Customer Personal Data outside of the direct business relationship between Customer and Corsearch, or (d) combine Customer Personal Data with Personal Information received from another source.

12.2 PIPL. This Section applies solely if Customer Personal Data is subject to the PIPL:

12.2.1. the following definitions will be further interpreted to refer to the corresponding definition under the PIPL: “Personal Data” means “Personal Information”; “Customer” means “Personal Information Processor”; “Corsearch” means “Entrusted Party”; and “Sensitive Data” means the personal information that is likely to result in damages to the personal dignity of any natural person or damages to his or her personal or property safety once divulged or misappropriated, including the personal information regarding biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14.
12.2.2. Under this Agreement, Corsearch solely processes Personal Information which has been made public by the data subjects themselves.
12.2.3. International Transfers are deemed cross-border Personal Information transfers under the PIPL and Corsearch is responsible for implementing adequate and applicable measures, as defined under this DPA and Data Protection Laws, to ensure that such transfers are made in compliance with the PIPL.
12.2.4. Customer will not disclose any Sensitive Data to Corsearch.

SCHEDULE A – SCOPE OF PROCESSING

Purpose of Processing: The purpose of the processing carried out by Corsearch as a processor on behalf of Customer in respect of the Customer Personal Data is the provision of the Services in accordance with the Agreement.

Nature of Processing:
– Receiving data, including collection, accessing, retrieval, recording and data entry;
– Holding data, including storage, organisation and structuring;
– Using data, including analysing and testing;
– Updating data, including correcting and rectifying;
– Enabling access to data by Customer and Users; and
– Returning the data to Customer (and if requested erasing or destroying data).

Categories of Data Subjects: Sellers and advertisers of potential counterfeits of Customer’s products/services and/or potential infringers of Customer’s Intellectual Property Rights.

Categories of Personal Data: Publicly available information relating to, and as published by the data subjects or otherwise accessible from public register, including (where applicable and if available):
– names;
– contact details (including phone numbers, addresses and email addresses);
– IP addresses;
– bank account numbers;
– social media accounts linked to the data subjects and related user names and posts; and
– website information (including, where applicable, domain registrant information).

Data Retention Periods: For the duration of the Agreement. Where available and applicable, Corsearch Platform(s) retention periods, as set forth under the Agreement, will apply.

Frequency of Processing (and/or Transfer): On a continuous basis.