This Data Protection Addendum has been pre‐signed on behalf of Steam Data Suite. To complete this Addendum, please fill in your details and sign in the relevant signature blocks and send the completed and signed DPA to Steam Data Suite by email to firstname.lastname@example.org.
In all cases where a specific term in an Agreement incorporates the DPA into the Agreement by reference, the DPA shall be deemed executed upon execution of the Agreement and will be legally binding and made an integral part of the Agreement.
In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings ascribed to them herein.
1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 "Data Protection Laws" means the data protection or privacy laws in the European Union (“EU”), European Economic Area (“EEA”) and their Member States, including the GDPR.
1.3 "GDPR" means EU General Data Protection Regulation 2016/679;
1.4 "Standard Contractual Clauses" means the contractual clauses established by the European Commission concerning the international transfer of Personal Data.
1.5 "Sub Processor" means any Processor appointed by or on behalf of Steam Data Suite or any Steam Data Suite Affiliate to Process Personal Data on behalf of the Customer in connection with the Agreement; and
1.6 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processor", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR.
2.1 The Parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and Steam Data Suite is the Processor. Steam Data Suite shall not Process Customer Personal Data other than on the Customer’s documented reasonable and customary instructions, as specified in the Agreement or this DPA, unless such Processing is required by applicable laws to which the Steam Data Suite is subject.
2.2 Customer instructs Steam Data Suite (and authorizes Steam Data Suite to instruct each Sub Processor) to (i) Process Customer Personal Data in a manner consistent with the terms of the Agreement and this DPA; and (ii) transfer Customer Personal Data to any country or territory specified in the Agreement or if no such country or territory are specified then to any territory or country, all as reasonably necessary for the provision of the Services and consistent with the Agreement and Section 11 of this DPA.
2.3 Customer warrants and represents that its instructions to Process Personal Data shall at all times comply with Data Protection Laws. Customer shall be solely responsible for the legality of the Personal Data and for ensuring it has an appropriate lawful basis to enable the collection and Processing of Personal Data pursuant to the terms of the Agreement and this DPA.
2.4 Annex 1 sets forth the details of the Processing of Customer Personal Data, as required by article 28(3) of the GDPR (Details of Processing of Customer Personal Data). In no event shall Customer configure the Services to collect or cause Steam Data Suite to Process Personal Data that is beyond the scope set forth in Annex 1, including, specifically any Restricted Data (as defined in the Agreement).
Steam Data Suite shall take reasonable steps to ensure that access to the Customer Personal Data is limited on a need to know/access basis and that all Steam Data Suite personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Customer’s Personal Data.
Steam Data Suite shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Steam Data Suite shall take into account the risks that are presented by Processing Personal Data, in particular risks arising from a Personal Data Breach.
5.1 Customer authorizes Steam Data Suite and each Steam Data Suite Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 5 to appoint) Sub Processors in accordance with this Section 5 and any restrictions in the Agreement.
5.2 The Sub Processors used by Steam Data Suite Affiliate are specified in Annex 1.
5.3 Steam Data Suite may appoint new Sub Processors at any time and shall update the Sub Processors Website upon such appointments. Steam Data Suite shall notify Customer without undue delay upon such appointments. If Customer notifies Steam Data Suite in writing of any reasonable objections to the proposed appointment, Steam Data Suite shall not utilize such Sub Processor to Process Customer Personal Data until reasonable steps have been taken to address the objections raised by Customer, and Customer has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Customer’s reasonable objections then Customer or Steam Data Suite may, by written notice to the other Party, with immediate effect, terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub Processor, without bearing liability for such termination.
5.4 With respect to each Sub Processor, Steam Data Suite shall: (a) take reasonable steps to ensure that the Sub Processor is committed to provide the level of protection for Personal Data required by the Agreement; (b) ensure that the arrangement between Steam Data Suite and the Sub Processor is governed by a written contract, including terms which, to the extent applicable to the nature of services provided by the Sub Processor, offer a level of protection that, in all material respects, are consistent with the levels set out in this DPA and the Agreement; and (c) remain fully liable to the Customer for the performance of the Sub Processor’s data protection obligations where the Sub Processor fails to fulfill such obligations.
6.1 Customer shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g. for access, rectification or deletion of Customer Personal Data etc.). Taking into account the nature of the Processing, Steam Data Suite shall reasonably assist Customer insofar as feasible, to fulfil Customer's said obligations with respect to such Data Subject requests, as applicable, at Customer’s sole expense.
6.2 Steam Data Suite: (a) shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data (unless prohibited by applicable law); and (b) shall not respond to that request except on the documented instructions of Customer or as required by applicable laws. Notwithstanding the foregoing, Steam Data Suite shall be permitted to respond (including through automated responses) to any such requests informing the Data Subject that his request has been received and/or with instructions to contact Customer in the event that his request relates to Customer.
7.1 Steam Data Suite shall notify Customer, without undue delay, upon Steam Data Suite becoming aware of a Personal Data Breach affecting Customer Personal Data. In such event, Steam Data Suite shall provide Customer with information (to the extent in Steam Data Suite's possession) to assist Customer to meet any obligations to inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Data Protection Laws.
7.2 At the written request of the Customer, Steam Data Suite shall reasonably cooperate with Customer and take such commercially reasonable steps, as are agreed by the Parties or necessary under Data Protection Laws, to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Customer’s sole expense.
8.1 At the written request of the Customer, Steam Data Suite and each Steam Data Suite Affiliate shall provide reasonable assistance to Customer, at Customer's expense, with any data protection impact assessments or prior consultations with Supervising Authorities or other competent data privacy authorities, as required under any applicable Data Protection Laws. Such assistance shall be solely in relation to Processing of Customer Personal Data by the Steam Data Suite.
9.1 Steam Data Suite shall return or make available to Customer the Personal Data per the terms of the Agreement, or if no such terms are provided then immediately prior to termination of the Agreement. Following termination of the Agreement, Personal Data shall be deleted or otherwise made unrecoverable and/or anonymized, other than such copies, as authorized under the Agreement or this DPA, or required, to be retained in accordance with applicable law and/or regulation.
10.1 Subject to sections 10.2 and 10.3, Steam Data Suite shall make available to Customer on request such information necessary to demonstrate compliance with this DPA and shall allow for, and contribute to, audits by a reputable auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Steam Data Suite.
10.2 Information and audit rights of Steam Data Suite only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11.1 Steam Data Suite may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Customer. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
12.1 Agreement and Order of Precedence. Nothing in this DPA reduces either Party’s obligations under the Agreement in relation to the collection, use, processing and protection of Personal Data. Any claims brought under this DPA shall be subject to the terms of the Agreement including, without limitation, choice of jurisdiction, governing law and any liability limitations or exclusions. In the event of inconsistencies between the provisions of this DPA and any other agreements between the Parties, including the Agreement and including (except where explicitly agreed otherwise in writing and signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
12.2 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be: (i) amended as necessary to ensure its validity and enforceability while preserving the Parties’ intentions as closely as possible, or, if this is not possible; (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement with effect from the later date set out below.
|Customer||Steam Data Suite|
||Steam Data Suite
This Annex 1 includes certain details of the Processing of Customer Personal Data and sub-processors as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Customer Personal Data. The subject matter of the Processing of the Customer Personal Data is to provide attribution and analytics services, as are further described in the Agreement. The duration shall be for the period set forth in the Agreement.
The nature and purpose of the Processing of Customer Personal Data: rendering Services in the nature of an attribution and marketing analytics platform, as further detailed in the Agreement.
The types of Customer Personal Data to be Processed are as follows: The data types that may be processed when using the services:
- “Technical Information”: this refers to technical information related to an End User’s device or computer, such as: internet protocol (IP) address, browser type, operating system and other technology on the devices you use to access the Service.
- “Engagement Information”: this refers to information relating to the Customer’s ad campaigns and End User actions, such as: clicks on Customer ads, ad impressions viewed, audiences or segments to which an ad campaign is attributed, the type of ads and the webpage or Application from which such ads were displayed, the webpages on Customer’s website visited by an End User, the URL from the referring website, downloads and installations of Applications, and other interactions, events and actions Customers choose to measure and analyze within their Application or website (e.g. add to cart, in‐app purchases made, clicks, engagement time etc.).
- Any other data types explicitly agreed by the Parties under the Agreement.
For the purpose of clarity, Customer shall not configure the Services to collect any data that is not permitted to be collected pursuant to the terms of the Agreement or that is beyond the scope identified above.
The categories of Data Subject to whom the Customer Personal Data relates are as follows:
End users who use or interact with Customer's websites, products, services, advertisements and application services.
The following is an up-to-date list of the names and locations of sub-processors and content delivery networks.
Infrastructure Sub-processors – Service Data Storage and Processing
The following sub-processors are contracted to provide data storage and general infrastructure services that allow Steam Data Suite to provide its Service to Customer.
|TransIP||External third-party service provider acting as data storage and web hosting.|
|Google Analytics||Behavioral analytics, and technical analysis tool.|
|Amazon Web Services, Inc.||External third-party service provider acting as data storage and web hosting.|
Steam Data Suite hereby declares that:
- Steam Data Suite has internal data security policies in place. Every employee of Steam Data Suite is obliged to familiarize themselves with the policies before accessing personal data.
- Every employee of Steam Data Suite is obliged to sign an NDA before commencing their work at Steam Data Suite.
- Steam Data Suite uses digital access control to prevent unauthorized people from accessing personal data.
- Steam Data Suite uses outsourced server infrastructure to prevent physical access to personal data.
- Steam Data Suite uses HTTPS encryption between our servers and the customer’s browser.
- Steam Data Suite creates periodic backups of its database to prevent data loss.
- Backups are password protected to prevent unauthorized people from accessing their contents.
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, the parties HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
- ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
- ‘the data exporter’ means the controller who transfers the personal data;
- ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
- ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
- ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
- ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
- The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
- The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
- The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.
The data exporter agrees and warrants:
a. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
b. that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
c. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
d. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
e. that it will ensure compliance with the security measures;
f. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
g. to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
h. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
i. that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
j. that it will ensure compliance with Clause 4(a) to (i).
1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
a. to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
b. to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).
The Clauses shall be governed by the law of The Netherlands.
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
2. The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.
1. The parties agree that on the termination of the provision of data-processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
2. The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.
This Appendix forms part of the Clauses.
Defined terms used in this Appendix 1 shall have the meaning given to them in the Agreement (including the DPA).
- Data exporter: The data exporter is the legal entity specified as "Customer" in the DPA.
- Data importer: The data importer is Steam Data Suite.
- Data subjects: Please see Annex 1 of the DPA, which describes the data subjects.
- Categories of data: Please see Annex 1 of the DPA, which describes the categories of data.
- Special categories of data (if appropriate): The parties do not anticipate the transfer of special categories of data.
- Purposes of Processing: Steam Data Suite shall process personal data as necessary to provide the Subscription Services to data exporter in accordance with the Agreement.
- Processing operations: Please see Annex 1 of the DPA, which describes the processing operations.
This Appendix forms part of the Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
Please see Annex 2 of the DPA, which describes the technical and organisational security measures implemented by Steam Data Suite.