Member Jungle Data Processing Addendum
Effective Date: October 21, 2021
In consideration of the mutual obligations set out herein, Member Jungle and Customer (collectively, “the Parties”) hereby agree that the terms and conditions set forth below shall be added as an addendum to the Agreement to govern processing by Member Jungle of any UK Personal Data that is subject to the United Kingdom (“UK”) General Data Protection Regulation (“GDPR” or “UK GDPR”) and similar laws, which require certain data protection and privacy obligations to be covered contractually.
To the extent that any terms or conditions set forth in any other agreement between the Parties, including agreements entered into after the date of this DPA, conflict with any terms or conditions of this DPA, it is expressly understood and agreed that the terms and conditions set forth in this DPA will apply rather than the conflicting terms and conditions in any other written agreement, unless the Parties explicitly agree otherwise in writing. The Parties will not agree, under any circumstance, to providing less protection to UK Personal Data than is required by all applicable laws, regulations, directives, rules, standards, and frameworks.
- Effective Period. This DPA will be effective beginning October 21, 2021, and will remain effective for as long as Member Jungle and any Sub-Processor to which Member Jungle has disclosed any UK Personal Data retains any UK Personal Data received from Customer.
- For purposes of this DPA, the following terms will have the following meanings:
- Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- Customer: The legal entity or individual who accepted Member Jungle’s Agreement, which includes this DPA.
- Data Protection Impact Assessment (“DPIA”): A process designed to describe the Processing, to assess the necessity and proportionality of the Processing, and to help manage the risks to the rights and freedoms of natural persons resulting from the Processing of Personal Data (by assessing them and determining measures to address them).
- Data Subject: An identified or identifiable natural person whose Personal Data is being Processed.
- UK Personal Data: Any information relating to an identified or identifiable natural person located in the UK.
- Personal Data: Any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Processor: A natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
- Sub-Processor: A Sub-Processor retained by a Processor to assist with Processing activities.
- Any capitalized data protection terms used in this DPA that are not specifically defined in this DPA will have the meaning ascribed to them in the GDPR.
- UK Personal Data Protection Compliance.
- The Parties’ General Compliance Obligations. In connection with the Services covered by the Agreement and this DPA, Member Jungle and Customer will comply with all applicable provisions of the GDPR on and after October 21, 2021 as well as all applicable Member State laws and regulations.
- Details of Processing. Pursuant to Article 28 of the GDPR, the details of the processing covered by the Agreement and this DPA are set forth in the Appendix (“Appendix: Details of Processing”) attached to this DPA.
- Customer Obligations and Authorization of Processing.
- The Parties agree that Customer is the Controller, and Member Jungle is the Processor. Customer is and shall remain responsible for compliance with all requirements imposed on Controllers, including but not limited to confirming the lawful basis for all processing activities conducted by Member Jungle on Customer’s behalf and obtaining consent from data subjects, where required.
- Customer authorizes Member Jungle to collect and process the UK Personal Data needed to perform the Services for which Customer is contracting with Member Jungle in the Agreement.
- Customer agrees to limit any UK Personal Data it transfers to Member Jungle or to which Member Jungle is otherwise given access for processing to only UK Personal Data needed by Member Jungle to fulfill its obligations under the Agreement.
- Customer authorizes the transfer, processing and storage of UK Personal Data outside the United Kingdom in order to fulfill the purpose of the Services.
- Customer grants a general authorization to Member Jungle to engage or replace Sub-Processors to perform part of the Service, provided that Member Jungle respects all requirements set forth in the GDPR for the appointment of Sub-Processors.
- Customer hereby consents to Member Jungle’s engagement of Sub-Processors in connection with the processing of the Personal Data. Upon written request, Member Jungle will make the list of applicable Sub-Processors available to Customer. Customer may reasonably object to any new Sub-Processor, in which case Member Jungle will use reasonable efforts to make a change in the Service or recommend a commercially reasonable change to avoid processing by such Sub-Processor. If Member Jungle is unable to provide an alternative, Customer may terminate the affected Services. Member Jungle will enter into written agreements with each Sub-Processor containing reasonable provisions relating to the implementation of technical and organizational measures in compliance with the GDPR. Member Jungle will remain liable for acts and omissions of its Sub-Processors in connection with the provision of the Services.
- Member Jungle’s UK Personal Data Protection Obligations.
- Member Jungle’s Processing of UK Personal Data on Customer’s behalf will be conducted in accordance with documented instructions received from Customer. Member Jungle will promptly inform Customer if, in Member Jungle’s opinion, an instruction from Customer infringes on the GDPR or other Member State data protection provisions.
- Member Jungle will only provide access rights to UK Personal Data to associates who have committed themselves to confidentiality.
- Member Jungle has implemented appropriate technical and organizational measures in accordance with Article 32 of the GDPR.
- Member Jungle will abide by the requirements set forth in the GDPR for the appointment of Sub-Processors.
- Member Jungle has implemented measures to assist Customer in responding to data subject requests to exercise their data subject rights.
- After becoming aware of any Personal Data Breach involving UK Personal Data received from Customer or collected on Customer’s behalf, Member Jungle will notify Customer without undue delay.
- Member Jungle will assist Customer in complying with its GDPR obligations relating to the Services concerning the security of processing, notification of a UK Personal Data Breach, Data Protection Impact Assessments (DPIAs), and prior consultations.
- Depending on Customer’s asserted choice, Member Jungle will either delete or return all UK Personal Data to Customer after the end of the provision of Services unless UK law requires storage of the UK Personal Data.
- Upon written request, Member Jungle will provide Customer with information needed to demonstrate compliance with the obligations of Article 28 of the GDPR, and will permit and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
- Right to Terminate Agreement. In the event of any breach of this DPA by Customer, Member Jungle has the right to terminate the Services and Agreement without penalty to Member Jungle upon written notice to Customer.
- Indemnification. Customer will fully indemnify, hold harmless and defend Member Jungle, its affiliates, and their respective officers, directors, employees, agents and contractors (collectively, “Indemnified Parties”) from and against any and all claims, demands, actions, suits, damages, liabilities, losses, settlements, judgments, regulatory investigations, enforcement actions, administrative penalties, fees, fines, costs, and expenses (including but not limited to reasonable attorney’s fees and costs) (each a “Claim”) any of them suffer as a result of a breach by Customer or its employees, representatives, agents, or contractors of any of Customer’s obligations set forth in this DPA; a Personal Data Breach caused by any act, omission or negligence of Customer or its employees, representatives, agents, or contractors; or Customer’s, or its employees’, representatives’, agents’, or contractors’ violation or breach of the GDPR or any other applicable data protection or privacy law, regulation, directive, rule, standard, or framework, including but not limited to violation or breach of the rights of a data subject and violations relating to Customer’s use of Member Jungle’s products and/or services. Member Jungle reserves the right to assume the exclusive defense and control of any matter subject to indemnification at the expense of Customer, and in such case, Customer agrees to cooperate with Member Jungle in the defense of any such Claim.
- Severability. If any provision of this DPA is, to any extent, invalid or unenforceable, all other provisions of the DPA will remain in full force and effect. To the extent permitted and possible, the invalid or unenforceable provision will be deemed replaced by a term that is valid and enforceable and that comes closest to expressing the intention of such invalid or unenforceable term. If this is not permissible or not possible, then the DPA will be construed as if the invalid or unenforceable provision were not included in the DPA.
- No Limitation on Member Jungle’s Rights or Remedies. Nothing in this DPA will limit Member Jungle’s rights or remedies under the Agreement or at law.
- Governing Laws/Jurisdiction. The Parties to this DPA submit to the choice of jurisdiction set forth in the Agreement with respect to any disputes or claims arising under this DPA. The Parties further stipulate that any and all disputes concerning the construction and interpretation of this DPA and/or the Parties’ obligations under this DPA will be handled in accordance with pertinent provisions governing disputes or claims that are set forth in the Agreement.
Appendix: Details of Processing
Subject Matter and Duration of Processing:
The subject matter and duration of the Processing of UK Personal Data are set forth in the Agreement and this DPA.
Nature and Purpose of Processing:
- Membership management
- Online Store
- Event registration
- Online payments
- Email and contact database
- Website Content Management System
- Mobile solutions
Categories of Data Subjects:
- Customers' members
- Customers' contacts
Categories of Personal Data:
- Contact information (e.g., name, organization name, phone number, email address, physical address)
- Payment information (e.g., billing address, billing contact)