Last update: July 16, 2024
1. Definitions
“Standard Contractual Clauses (“SCCs”)” means Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
“International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”)” means International Data Transfer Addendum to the EU Commission Standard Contractual Clauses that has been issued by the Information Commissioner for Parties making Restricted Transfers in the meaning of the UK GDPR, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
“General Data Protection Regulation (“GDPR”)” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Controller”, “processor”, “data subject”, “personal data”, and “processing” have the meanings given in the GDPR and Other Data Protection Laws and Regulations.
“Client Data” means personal data that the Client acting as a data controller provides to the Company acting as a data processor in connection with the services provided by the Company or any other personal data with respect to which the Client is a data controller and the Company is a data processor.
“End User Data” means personal data that the Client, acting as a data processor (“Data Processor 1”), processes on behalf of the respective data controller and provides to the Company acting as subprocessor (“Data Processor 2”).
“Other Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, the United Kingdom, the United States and its states, applicable to the processing of personal data, such as the UK and US Data Protection Laws, or other applicable laws and regulations.
“Subprocessor” means any entity which provides processing services to the Company in furtherance of the Company’s processing on behalf of the Client or the respective data controller.
“Public Authority” means a government agency or law enforcement authority, including judicial authorities.
“Supervisory Authority” means an independent public authority to be responsible for monitoring the application of data protection legislation.
2. Roles
During the provision of services, Gatherly and the Client may have different roles under the GDPR and Other Data Protection Laws and Regulations. Thus, certain provisions of this DPA are applicable only in specific cases, as described below. The Client acknowledges and agrees that with regard to data processing under this DPA, the Client and Gatherly have the roles under the GDPR and the Other Data Protection Laws and Regulations specified in this Section of the DPA. This DPA shall not apply to situations where we act as a controller in accordance with our Privacy Policy.
When Gatherly processes the Client Data provided by the Client or to which it may otherwise have access under this DPA (for example, data about the Client’s customers, end users etc.), Gatherly acts as a data processor, and the Client acts as a data controller under the GDPR and the Other Data Protection Laws and Regulations. In this case, Sections 1, 2, 3.1., 4.1.1., 4.2.1., 5, 6, 7, and 8.1 of this DPA shall apply.
When Gatherly processes End User Data to which it may have access (for example, data about the end users of the Client’s customers), the Client acts as a data processor (“Data Processor 1”), and Gatherly acts as a subprocessor (“Data Processor 2”) under the GDPR and the Other Data Protection Laws and Regulations. In this case, Sections 1, 2, 3.2., 4.1.2., 4.2.2., 5, 6, 7, and 8.2. of this DPA shall apply.
3. Instructions
3.1. When the Client acts as a data controller
The Parties agree that this DPA and the Agreement between the Parties constitute the Client’s complete and final documented instructions regarding the processing of the Client Data on the Client’s behalf (the “Instructions”) when the Client acts as a data controller, and Gatherly acts as a data processor under the GDPR and Other Data Protection Laws and Regulations. Any additional or alternate instructions must be consistent with the terms and conditions of this DPA and the Agreement between the Parties.
3.2. When the Client acts as a data processor
When the Client acts as a Data Processor 1, and Gatherly acts as a Data Processor 2 under the GDPR and Other Data Protection Laws and Regulations, the Parties agree that the service agreement and data processing agreement between the Client as a data processor and the respective data controller constitute the data controller’s complete and final documented instructions regarding Gatherly’s processing of End User Data on the data controller’s behalf (the “Instructions”). Any additional or alternate instructions must be consistent with the terms and conditions of this DPA and the Agreement between the Parties.
DATA PROCESSING AGREEMENT
This Data Processing Agreement (the “DPA”) supplements the Terms & Conditions concluded between you (“Client”, “you”, “your”) and Gatherly Virtual Events, Inc. (“Gatherly”, “Company”, “we”, “us”, “our”) for provision of Gatherly Services, and/or is incorporated into the other written or electronic agreement between us regarding the provision of Gatherly Services (including the service level agreement). The Terms & Conditions and/or the other agreement between us regarding the provision of Gatherly Services (depending on which is applicable) are referred to as the “Agreement” for the purposes of this DPA. In the event of any conflict or inconsistency between any of the terms of the Agreement, the provisions of DPA shall prevail.
This DPA governs the processing of Personal Data that the Client provides to Gatherly in connection with the provision of Gatherly Services or any Personal Data that Gatherly obtains in connection with the performance of the Services. Further in this text, you and we individually are referred to as a “Party” and collectively as the “Parties”. For the purpose of ensuring compliance with the Data Protection Laws and Regulations, the Parties have entered into this DPA which forms an integral part of the Agreement.
4. Obligations
4.1. Gatherly Obligations
4.1.1. When acting as a data processor
4.1.1.1. General Obligations
With regard to the processing of the Client Data, Gatherly shall:
(i) process the Client Data only for established purposes, using appropriate technical and organizational security measures, and in compliance with the instructions received from the Client subject to Section 3.1 of this DPA;
(ii) inform the Client if Gatherly cannot comply with its obligations under this DPA, in which case the Client may terminate the agreement between the Parties or take any other reasonable actions, including suspending data processing operations;
(iii) inform the Client if, at Gatherly’s discretion, the Client’s Instruction may be in violation of the provisions of the GDPR or Other Data Protection Laws and Regulations;
(iv) follow the Client’s instructions regarding the collection of the Client Data (including with regard to the provision of notice and exercise of choice) in case Gatherly is obtaining the Client Data from data subjects on behalf of the Client under the agreement between the Parties;
(v) take reasonable steps to ensure that any subprocessor to whom Gatherly authorizes access to the Client Data on its behalf complies with respective provisions of the Agreement between the Parties and this DPA;
(vi) make available to the Client all information necessary to demonstrate compliance with Gatherly’s obligations under this DPA, the GDPR and Other Data Protection Laws and Regulations.
4.1.1.2. Notices to the Client.
Upon becoming aware, Gatherly shall inform the Client of any legally binding request for disclosure of the Client Data by a Public Authority, unless Gatherly is otherwise forbidden by law to inform the Client, for instance, to preserve the confidentiality of investigation by a Public Authority. Gatherly will inform the Client if it becomes aware of any notice, inquiry, or investigation by a Supervisory Authority with respect to the processing of the Client Data under this DPA or the Agreement.
4.1.1.3. Security Measures.
Gatherly shall implement and maintain appropriate technical and organizational measures to protect the Client Data from personal data breaches (the “Security Incidents”) in accordance with Gatherly’s security standards set out in Schedule 2 of this DPA. The Client acknowledges that security measures are subject to technical progress so that Gatherly may modify or update Schedule 2 at its discretion, provided that such modification or update does not result in a material degradation in the security measures offered by Schedule 2 of this DPA at the time of signing this DPA.
4.1.1.4. Security Incident.
Upon becoming aware of a Security Incident, Gatherly shall:
(i) notify the Client without undue delay after it becomes aware of the Security Incident;
(ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by the Client, including the nature of the Security Incident, the categories and approximate number of data subjects and personal data records concerned (where possible), the likely consequences, measures taken or proposed to be taken by the Client to address the Security Incident (including, where appropriate, measures to mitigate its possible adverse effects), and the contact details of the DPO or other contact point where more information can be obtained;
(iii) promptly take reasonable steps to contain and investigate any Security Incident so that the Client can notify competent authorities and/or affected data subjects of the Security Incident. Gatherly’s notification of or response to a Security Incident shall not be construed as an acknowledgement by Gatherly of any fault or liability regarding the Security Incident.
4.1.1.5. Confidentiality.
Gatherly will not access, use, or disclose to any third party any Client Data, except, in each case, as necessary to maintain or as necessary to comply with contractual and legal obligations or binding order of a public body (such as a subpoena or court order). Gatherly shall ensure that any employee/contractor to whom it authorizes access to the Client Data on its behalf (if applicable) is subject to appropriate confidentiality contractual or statutory duty obligations with respect to the Client Data, including after the end of their respective employment or termination or expiration of the contract.
4.1.1.6. Return or Deletion of the Client Data.
At the choice of the Client, Gatherly shall, and shall cause any subprocessors to, delete or return all the personal data to the Client after the end of the provision of services relating to processing and delete existing copies unless the GDPR or Other Data Protection Laws and Regulations (whichever is applicable) require the storage of the personal data.
4.1.1.7. Reasonable Assistance.
Gatherly agreed to provide reasonable assistance to the Client regarding:
(i) any request from a data subject in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of the Client Data that Gatherly processes on behalf of the Client. In the event that a data subject sends such a request directly to Gatherly, Section 5 of this DPA shall apply;
(ii) the investigation of Security Incidents and communication of necessary notifications regarding such Security Incidents subject to Section 4.1.1.4 of this DPA;
(iii) preparation of data protection impact assessments and, where necessary, consultation of the Client with the Supervisory Authority under Articles 35 and 36 of the GDPR.
4.1.1.8. Audit and Certification.
4.1.1.8.1. Supervisory Authority Audit.
If a Supervisory Authority requires an audit of the data processing facilities from which the Company processes the Client Data to ascertain or monitor the Client’s compliance with the GDPR or Other Data Protection Laws and Regulations, the Company will cooperate with such audit. The Client is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time the Company expends for any such audit, in addition to the rates for services performed by the Company.
4.1.1.8.2. Audits.
The Client may, prior to the commencement of processing and at regular intervals after that, audit the technical and organizational measures taken by the Company. If the Client is the controller with respect to the personal data processed by the Company on its behalf, upon reasonable and timely advance agreement, during regular business hours and without interruption to the Company’s business operations, the Company may provide the Client with all information necessary to demonstrate compliance with its obligations laid down in the Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client with respect to such processing.
The Company shall, upon the Client’s written request and within a reasonable period, provide the Client with all information necessary for such audit, to the extent that such information is within the Company's control and the Company is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
4.1.2. When acting as a Data Processor 2
Notwithstanding any of Gatherly’s obligations specified in this Section, Gatherly, acting as a subprocessor, assumes all of the obligations under Article 28 of the GDPR set forth in the data processing agreement between the respective data controller (e.g., the Client’s customer) and data processor (namely, the Client) that apply to the Client that acts as a data processor on behalf of the controller.
4.2. Client’s Obligations
4.2.1. When acting as a data controller
Within the scope of the DPA, when the Client acts as a data controller, the Client shall be responsible for complying with all requirements that apply to the Client as a data controller under the GDPR and Other Data Protection Laws and Regulations. The Client represents and warrants that the Client shall be responsible for:
(i) the accuracy, quality, integrity, confidentiality and security of collected Client Data;
(ii) complying with all necessary transparency, lawfulness, fairness and other requirements under GDPR and Other Data Protection Laws and Regulations for the collection and use of personal data by:
- establishing and maintaining the procedure for the exercise of the rights of the data subjects whose personal data are processed on behalf of the Client;
- providing Gatherly only with personal data that has been lawfully and validly obtained and ensuring that such personal data will be relevant and proportionate to the respective uses;
- ensuring compliance with the provisions of this DPA and the Agreement by the Client’s personnel or by any third-party accessing or using the Client Data on the Client’s behalf.
(iii) ensuring that the Client’s Instructions to Gatherly regarding the processing of the Client Data comply with the GDPR and Other Data Protection Laws and Regulations, including complying with principles of data minimisation, purpose and storage limitation; and
(iv) complying with all applicable laws, rules, and regulations (including the GDPR and Other Data Protection Laws and Regulations) in respect to any Instructions the Client issues to Gatherly.
4.2.2. When acting as a Data Processor 1
Within the scope of the DPA, when the Client acts as a Data Processor 1, the Client shall be responsible for complying with all requirements that apply to the Client as a data processor under the GDPR and Other Data Protection Laws and Regulations.
With regard to the processing of the End User Data, the Client shall:
(i) process End User Data using appropriate technical and organizational security measures and in compliance with the Instructions received from a data controller regarding the data processing agreement between the data controller and the Client and Section 3.2. of this DPA;
(ii) inform the data controller if, in the Client’s opinion, the data controller’s Instructions may be in violation of the provisions of the GDPR and Other Data Protection Laws and Regulations;
(iii) inform the data controller if the Client cannot comply with its obligations under this DPA, in which case the data controller may terminate the agreement or take any other reasonable actions, including suspending data processing operations;
(iv) follow the data controller’s instructions regarding the processing of the End User Data, in case the Client is obtaining the End User Data from data subjects on behalf of the data controller under the service agreement and data processing agreement between the Client and the data controller;
(v) take reasonable steps to ensure that any employee/contractor to whom the Client authorizes access to the End User Data on its behalf complies with respective provisions of the data processing agreement;
(vi) make available to the data controller all information necessary to demonstrate compliance with the Client’s obligations under the data processing agreement between the Client and the data controller, the GDPR and Other Data Protection Laws and Regulations.
The Client shall comply with all other obligations which are established in the contract with the respective data controller.
Subprocessor | Purpose | Location | Transfer mechanism | Contact
Intercom R&D Unlimited Company (Intercom) | to communicate with Clients via chat. | an Irish company with an office at 124 St Stephen's Green, Dublin 2, DC02 C628, Republic of Ireland | | Intercom Privacy Team – legal@intercom.io
Sumo Group, Inc. (TidyCal) | to book an online meeting with a Gatherly team member to discuss an upcoming online event. | An American company with an office at 1305 E. 6th St #3 Austin, TX 78702 | |
HubSpot Canada Inc. (HubSpot) | a CRM system to manage data. | A Canadian company with an office at Two Canal Park, Cambridge, MA 02141, U.S.A. | |
Stripe, Inc. (Stripe) | to process the payments. | An American company with an office at 354 Oyster Point Boulevard, South San Francisco, California, 94080 | |
Intuit Ltd. (QuickBooks) | to conduct accounting activities. | An American company with an office at 675 Ponce deLeon Ave NE, Suite 5000, Atlanta, Georgia, 30308 | |
Pipedrive Inc. (Pipedrive) | a CRM system to manage data. | An American company with an office at 530 5th Avenue, Suite 802, New York, NY 10036 | |
ZenLeads Inc. (Apollo) | to conduct marketing activities. | An American company with an office at 599 2nd Street San Francisco, CA 94107 | |
Wix.com Ltd. (Wix) | to maintain our Website | An American company with an office at 500 Terry A. Francois Boulevard, 6th Floor, San Francisco, CA, 94158 | |
5. Data Subject Request
In the event that a data subject contacts Gatherly with regard to the exercise of their rights under the GDPR and Other Data Protection Laws and Regulations (in particular, requests for access to, rectification or blocking of the Client Data or End User Data, whichever is applicable), Gatherly shall:
- when acting as a data processor, notify the Client of such request;
- when acting as a Data Processor 2, notify the Client and, where appropriate, the data controller of such request.
Gatherly, when acting as a data processor or a Data Processor 2, will use all reasonable efforts to forward such requests to the relevant party indicated in this Section.
If Gatherly is legally required or authorized by the Client or respective data controller (whichever is applicable) to respond to such a request, it shall immediately notify the Client or the data controller, considering who acts as a data controller, and provide the Client or the data controller with a copy of the request unless Gatherly is legally prohibited from doing so.
6. Subprocessors
The Client agrees that Gatherly may engage Subprocessors to fulfill our obligations regarding the provision of Gatherly Services under the Agreement. The current list of Subprocessors is set forth below in Schedule 3 of this DPA.
If authorization for the engagement of Subprocessors is required by applicable Data Protection Laws and Regulations, the Client hereby grants Gatherly prior, general authorization to engage Subprocessors for processing personal data, provided that Gatherly enters into a data processing agreement with each Subprocessor containing data protection obligations relevant to the nature of the processing provided by such Subprocessor no less protective than those in this DPA.
If authorization for the engagement of Subprocessors is required by applicable Data Protection Laws and Regulations, the Client may object to Gatherly’s engagement of a new Subprocessor by providing written notice to the Company within ten (10) business days of Gatherly’s notice regarding the new Subprocessor. If the Client objects to a new Subprocessor involved in providing Gatherly’s services, the Client’s only remedy is to stop using Gatherly’s services.
7. Applicable Law
The law applicable to this DPA is the law specified in the Agreement between Gatherly and the Client unless otherwise required by the GDPR or Other Data Protection Laws and Regulations.
8. Data Transfers
8.1. Transfers of the Client Data
The Parties agree that when the processing of the Client Data constitutes a transfer from the Client as a data controller to Gatherly as a data processor under the GDPR and Other Data Protection Laws and Regulations and appropriate safeguards are required, such processing will be subject to the Standard Contractual Clauses and/or UK Addendum which are deemed to be incorporated into and form part of this DPA as further described in subsections 8.1.1. and 8.1.2. of this DPA. If and to the extent the EU SCCs and/or UK Addendum, as applicable, conflict with any provision of the DPA, the EU SCCs and UK Addendum shall prevail to the extent of such conflict.
8.1.1. Transfers under GDPR
When the processing of the Client Data constitutes a “transfer” under the GDPR and in other cases under this DPA, Standard Contractual Clauses shall apply. When the Client acts as a data controller and Gatherly acts as a data processor, Module Two of the EU SCCs shall apply.
For the purpose of the EU SCCs, when the Client acts as a data controller, and Gatherly acts as a data processor, the Client is a “data exporter” and Gatherly is a “data importer”.
The relevant provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA. Clauses and annexes of the EU SCCs deemed to be completed are as follows:
(i) in Clause 7, the optional docking clause shall not apply;
(ii) in Clause 9, Option 2 (General Written Authorization) shall apply. For the purpose of Clause 9(a), the time period for informing the data exporter in advance of any intended changes to subprocessors list through the addition or replacement of subprocessors shall be 10 days.
(iii) in Clause 11, the optional provision shall not apply;
(iv) in Clause 13 a particular option shall apply depending on the specific case;
(v) in Clause 17, option 1 shall apply. The Parties agree that this shall be the law of the Republic of Ireland;
(vi) in Clause 18(b), disputes shall be resolved by the courts of the Republic of Ireland;
(vii) Annex I of the EU SCCs is deemed completed with the information set out in Schedule 1 of this DPA;
(viii) Annex II of the EU SCCs is deemed completed with the information set out in Schedule 2 of this DPA;
8.1.2. Transfers under UK Data Protection Laws
The UK Addendum shall apply when processing Client Data on behalf of the Client in connection with Services, which constitutes a “restricted transfer” under UK Data Protection Laws.
When the Client acts as a data controller, and Gatherly acts as a data processor, Module Two of the EU SCCs shall apply, as completed in subsection 8.1.1. of this DPA.
For the purpose of the UK Addendum, when the Client acts as a data controller, and Gatherly acts as a data processor, the Client is a “data exporter,” and Gatherly is a “data importer.” The relevant provisions contained in the UK Addendum are incorporated by reference and are an integral part of this DPA. Tables in the UK Addendum deemed to be completed as follows:
(i) Table 1 in Part 1 is deemed completed with the information set out in Schedule 1 of this DPA. When the Client acts as a data exporter, the official registration number (or similar identifier) of the exporter is contained in the Agreement, and the official registration number of the data importer is [756262952R0001].
(ii) Table 2 in Part 1 is deemed completed accordingly with the information set out in subsection 8.1.1. of this DPA;
(iii) Table 3 in Part 1 is deemed completed with the information set out in Schedules 1, 2 and 3 (if applicable) of this DPA;
(iv) in Table 4 in Part 1, neither party may end this Addendum as set out in Section 19 of the UK Addendum.
8.2. Transfers of the End User Data
The Parties agree that when the processing of the End User Data constitutes a transfer from the Client as a data processor (Data Processor 1) to Gatherly as a Data Processor 2 under the GDPR and Other Data Protection Laws and Regulations and appropriate safeguards are required, such processing will be subject to the Standard Contractual Clauses and/or UK Addendum which are deemed to be incorporated into and form part of this DPA as further described in subsections 8.2.1 and 8.2.2 of this DPA. If and to the extent the EU SCCs and/or UK Addendum, as applicable, conflict with any provision of the DPA, the EU SCCs and UK Addendum shall prevail to the extent of such conflict.
8.2.1. Transfers under GDPR
When the processing of the End User Data constitutes a “transfer” under the GDPR and in other cases under this DPA, Standard Contractual Clauses shall apply. When the Client acts as a processor, and Gatherly acts as a Data Processor 2, Module Three of the EU SCCs shall apply.
For the purpose of the EU SCCs, when the Client acts as a processor, and Gatherly acts as a Data Processor 2, the Client is a “data exporter,” and Gatherly is a “data importer.”
The relevant provisions contained in the EU SCCs are incorporated by reference and are an integral part of this DPA. Clauses and annexes of the EU SCCs deemed to be completed are as follows:
(i) in Clause 7, the optional docking clause shall not apply;
(ii) in Clause 9, Option 2 (General Written Authorization) shall apply. For the purpose of Clause 9(a), the time period for informing the data controller in advance of any intended changes to sub-processors list through the addition or replacement of sub-processors shall be 10 days.
(iii) in Clause 11, the optional provision shall not apply;
(iv) in Clause 13, a particular option shall apply depending on the specific case;
(v) in Clause 17, option 1 shall apply. The EU SCCs shall be governed by the law of the Republic of Ireland;
(vi) in Clause 18(b), disputes shall be resolved by the courts of the Republic of Ireland;
(vii) Annex I of the EU SCCs is deemed completed with the information set out in Schedule 1 of this DPA;
(viii) Annex II of the EU SCCs is deemed completed with the information set out in Schedule 2 and 2 of this DPA;
8.2.2. Transfers under UK Data Protection Laws
The UK Addendum shall apply when processing End User Data on behalf in connection with Services, which constitutes a “restricted transfer” under UK Data Protection Laws.
When the Client acts as a data processor, and Gatherly acts as a Data Processor 2, Module Three of the EU SCCs shall apply, as completed in subsection 8.2.1. of this DPA.
For the purpose of the UK Addendum, when the Client acts as a data processor, and Gatherly acts as a Data Processor 2, the Client is a “data exporter”, and Gatherly is a “data importer”. The relevant provisions contained in the UK Addendum are incorporated by reference and are an integral part of this DPA. Tables in the UK Addendum deemed to be completed as follows:
(i) Table 1 in Part 1 is deemed completed with the information set out in Schedule 1 of this DPA. When the Client acts as a data exporter, the official registration number (or similar identifier) of the exporter is contained in the Agreement, and the official registration number of the data importer is [756262952R0001].
(ii) Table 2 in Part 1 is deemed completed accordingly with the information set out in subsection 8.2.1. of this DPA;
(iii) Table 3 in Part 1 is deemed completed with the information set out in Schedules 1, 2 and 3 (if applicable) of this DPA;
(iv) in Table 4 in Part 1, neither party may end this Addendum as set out in Section 19 of the UK Addendum.
9. DPA Duration
This DPA shall remain in effect until the Agreement between the Parties is terminated.
SCHEDULE 1 - DESCRIPTION OF PROCESSING
A. LIST OF PARTIES
Data exporter
Name: Client, also referred to as “you” in the DPA.
Address: the relevant information is contained in the Agreement.
Contact person’s name, position and contact details: the relevant information is contained in the Agreement.
Activities relevant to the data transferred under these Clauses:
1) if the Data exporter is the controller and the Data importer is the processor:
- data processing in the context of the provision of services by Gatherly to the Client, such as provision of online virtual events under the Agreement between the Parties.
2) if the Data exporter is Data Processor 1 and the Data importer is the Data Processor 2:
- data processing in the context of the provision of services by Gatherly to the Client, such as provision of online virtual events under the Agreement between the Parties.
Signature and date: By entering into the Agreement, the data exporter is deemed to have signed the EU SCCs incorporated herein, including Annexes, as of the effective date of the Agreement.
Role: controller or processor (Data Processor 1), depending on the case listed in this DPA.
Data importer
Name: Gatherly Virtual Events, Inc.
Address: 154-6 Foundry Ave. Toronto, ON, Canada. M6H 0A4.
Contact person’s name, position and contact details: the relevant information: Adib Shadid, President, adib@gatherly.io.
Activities relevant to the data transferred under these Clauses:
1) if the Data exporter is the controller and the Data importer is the processor:
- data processing in the context of the provision of services by Gatherly to the Client, such as provision of online virtual events under the Agreement between the Parties.
2) if the Data exporter is Data Processor 1 and the Data importer is the Data Processor 2:
- data processing in the context of the provision of services by Gatherly to the Client, such as provision of online virtual events under the Agreement between the Parties.
Signature and date: By entering into the Agreement, the data exporter is deemed to have signed the EU SCCs incorporated herein, including Annexes, as of the effective date of the Agreement.
Role: processor or subprocessor (Data Processor 2), depending on the case listed in this DPA.
B. DESCRIPTION OF TRANSFER
1. Categories of data subjects whose personal data is transferred:
1) if the Data exporter is the controller and the Data importer is the processor:
- Clients, potential clients, employees of the Client;
- Other data subjects whose personal data is provided by the Client.
2) if the Data exporter is Data Processor 1 and the Data importer is the Data Processor 2:
- Clients, potential clients, employees of the Client;
- Other data subjects whose personal data is provided by the Client.
2. Categories of personal data transferred:
1) if the Data exporter is the controller and the Data importer is the processor:
- Client Data can include any information the Client may provide to the Company, including:
- other personal data, the transfer and processing of which is agreed upon under the Agreement between the Parties.
2) if the Data exporter is Data Processor 1 and the Data importer is the Data Processor 2:
- Client Data can include any information the Client may provide to the Company, including:
- other personal data, the transfer and processing of which is agreed upon under the Agreement between the Parties.
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:
The data importer does not obtain access to the special categories of data (sensitive data).
The data importer takes technical and organizational measures, which are listed in Schedule 2, to protect personal data, including sensitive personal data, if any is transferred.
4. The frequency of the transfer:
The personal data is transferred on a continuous basis.
5. Nature of the processing:
Personal data processing consists of the following: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
6. Purpose(s) of the data transfer and further processing:
The purpose of the data processing under these Clauses depends on the role each Party plays in the processing operations.
If the Data exporter acts as the data controller and the Data importer acts as the data processor, the main purpose of the data transfer and further processing is to provide the services by the Data importer to the Data exporter based on the Agreement signed between the Parties.
If the Data exporter acts as the processor and the Data importer acts as the Data Processor 2, the main purpose of the data transfer and further processing is to provide the services by the Data importer to the Data exporter based on the Agreement signed between the Parties.
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
The personal data shall be stored for the duration of this DPA concluded between the Data importer and the Data exporter unless otherwise agreed in writing or the Data importer is required by applicable law to retain some or all of the transferred personal data.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
subject matter: the performance of services
nature: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, alignment or combination, restriction, erasure or destruction.
duration: the performance of the services for the Data importer by the subprocessor under the service agreement concluded between the Data importer and subprocessor.
C. COMPETENT SUPERVISORY AUTHORITY
In accordance with Clause 13, the competent supervisory authority under these Clauses is the Irish Data Protection Commission.
SCHEDULE 3 - LIST OF SUBPROCESSORS
To deliver the Gatherly Services, Gatherly may use the following Subprocessors to process Client Data.
SCHEDULE 2 - TECHNICAL AND ORGANIZATIONAL MEASURES
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing and the risks for the rights and freedoms of natural persons:
- The Data importer is committed to preserving the confidentiality, integrity, availability, and resilience of all personal data in question throughout the Data importer's processing activities and ensuring that personal data are protected against loss and destruction by implementing appropriate internal information security policies and procedures.
- The Data importer has implemented measures designed to ensure that personal data, in the event of a physical or technical incident, may be restored in a timely manner.
- The Data importer has implemented measures designed to protect the confidentiality and integrity of personal data during data transfers.
- The Data importer has implemented measures designed to prevent the unauthorized input of personal data and the unauthorized inspection, modification or deletion of stored personal data.
- The Data importer undertakes various technical security measures to protect data, including virtual machines, secure logins, antivirus and firewall software, regular training for staff, network monitoring, etc.
- The Data importer receives regular training regarding the security of personal data processing.
Technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a subprocessor, to the data exporter:
- The transfer of personal data to a third party (the (sub-) processor) is only made if a corresponding contract exists and only for specific purposes. Such a contract shall contain the same or similar security measures as specified in Schedule 2, and the subprocessor shall provide a level of protection of personal data that is not less than the one provided under this DPA. The data importer provides that an adequate level of data protection exists at the target location or organization in accordance with the European Union's data protection requirements, e.g. by employing agreements based on the EU SCCs.