GDPR & Data Processing
This CAAB Data Processing Agreement (“DPA”) shall apply to all of your (“User’s“) agreements (“Agreements”) with CAAB. and its affiliates and/or subsidiaries (“CAAB”) to the extent that CAAB processes (i) as User’s processor any personal data from the European Economic Area, the United Kingdom and Switzerland; or (ii) as User’s service provider any personal information of California consumers (collectively, “User Data”).
- Terms used in this DPA but not defined herein (whether or not capitalized) shall have the meanings assigned to such terms in (i) the General Data Protection Regulation (2016/679) (“GDPR”), including any subordinate or implementing legislation, and (ii) the California Consumer Privacy Act of 2018, as amended, Cal. Civ. Code 1798.100 et seq. (“CCPA”), as applicable (collectively, “Applicable Data Protection Laws”). In the event of any conflict between the Applicable Data Protection Laws, the most restrictive law applicable to the User shall govern.
- “User” or “You” means the controller or business that entered into this DPA with CAAB.
3. Processing of Personal Data on behalf of Controller/Business.
4. Controller/Business Obligations and Representations.
User sets forth the details, including the purpose, the means and the ways in which CAAB shall process User Data, as required by Applicable Data Protection Laws in Appendix A (Details of Processing of Processed Personal Data), attached hereto, and User represents and warrants that:
- It complies with personal data security and other obligations prescribed by Applicable Data Protection Laws for controller/businesses, and that the provision of User Data to CAAB complies with Applicable Data Protection Laws;
- It only processes personal data/personal information that has been collected in accordance with the Applicable Data Protection Laws;
- It has in place procedures in case individuals/consumers whose personal data/personal information is collected, wish to exercise their rights in accordance with the Applicable Data Protection Laws;
- It shall provide to CAAB as a processor/service provider, or otherwise have CAAB (or anyone on its behalf) process such User Data which is explicitly permitted under CAAB’s PN (“Permitted User Data“). Solely controller/business shall be liable for any data which is made available to processor/service provider in excess of the Permitted User Data (“Non-Permitted Data”). CAAB’s obligations under the Terms shall not apply to any such Non-Permitted Data;
- It is and will remain duly and effectively authorized to give the instruction set out herein and any additional instructions as provided pursuant to the Terms, at all relevant times and at least for as long as the Terms are in effect and for any additional period during which CAAB is lawfully processing personal data/personal information.
5. Processor/Service Provider Obligations.
- CAAB carries out the processing of User Data on User’s behalf;
- Pursuant to the provisions of Article 28 of the GDPR, CAAB represents and warrants that it will:
process User Data solely on User’s behalf and in compliance with User’s instructions (including relating to international data transfers), including instructions in this DPA and all Terms, unless required to do so by EU or applicable Member State law;
- implement appropriate technical and organizational measures to provide an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR;
- take reasonable steps to ensure that access to the processed User Data is limited on a need to know/access basis, and that all CAAB personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of User Data.
- it shall provide reasonable assistance to controller/business with any data protection impact assessments or prior consultations with supervising authorities in relation to processing of User Data by the processor/service provider, as required under any Applicable Data Protection Laws, at the written request of the controller/business, and at controller’s/business’ sole expense.
- Pursuant to the provisions of Article 28 of the GDPR, CAAB represents and warrants that it will:
- Pursuant to the CCPA, CAAB represents and warrants that:
- CAAB is acting solely as a service provider with respect to User Data for the purposes of the Contracted Business Purpose;
- CAAB shall not retain, use or disclose User Data for any purpose other than for the specific purpose of performing the services specified in the Terms and if a law requires CAAB to disclose personal information for a purpose unrelated to the Contracted Business Purpose, CAAB must first inform the User of the legal requirement and give the User an opportunity to object or challenge the requirement, unless the law prohibits such notice;
- If and to the extent that the CCPA permits, CAAB may de-identify or aggregate User Data as part of performing the services specified in the Terms. CAAB will not attempt to or actually re-identify any previously aggregated, de-identified, or anonymized data;
- CAAB will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.
- Controller/business authorizes processor/service provider to appoint sub-processors in accordance with the provision of the Terms. Any subcontractor used must qualify as a service provider under the Applicable Data Protection Laws. Without derogating from the generality of the foregoing, processor/service provider cannot make any disclosures to the subcontractor that the CCPA would treat as a sale.
- Processor/service provider may continue to use those sub-processors already engaged by processor/service provider as of the date of this DPA. Controller/business acknowledges and agrees that as of the date of this DPA processor/service provider uses certain sub-processors; a list of such sub-processors will be provided upon request.
- Processor/service provider may appoint new sub-processors and shall give reasonable notice of the appointment of any new sub-processor. Controller’s/business’ continued use of the applicable services after such notification constitutes controller’s/business’ acceptance of the new sub-processor.
- CAAB remains fully liable to the User for the subcontractor’s performance of its agreement obligations.
7. Data Subjects’ Rights.
- Controller/business shall be solely responsible for compliance with any statutory obligations concerning requests to exercise data subject rights under Applicable Data Protection Laws (e.g., for access, rectification, deletion of processed User Data, etc.). Processor/service provider shall reasonably endeavor to assist controller/business insofar as feasible, to fulfil controller’s/business’ said obligations with respect to such data subject requests, as applicable, at controller’s/business’ sole reasonable expense.
- Processor/service provider shall (i) without undue delay notify controller/business if it receives a request from a data subject under any Applicable Data Protection Laws in respect of Processed Personal Data; and (ii) not respond to that request, except on the written instructions of controller/business or as required by Applicable Data Protection Laws, in which case processor/service provider shall, to the extent permitted by Applicable Data Protection Laws, inform controller/business of that legal requirement before it responds to the request.
8. Personal Data Breach.
- Processor/service provider shall notify controller/business without undue delay upon processor/service provider becoming aware of any personal data breach within the meaning of Applicable Data Protection Laws relating to User Data which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Laws “Personal Data Breach“.
- At the written request of the controller/business and at controller’s/business’ sole expense, processor/service provider shall provide reasonable co-operation and assistance to User in respect of User’s obligations regarding the investigation of any Personal Data Breach and the notification to the supervisory authority and data subjects in respect of such a Personal Data Breach; provided, however, that CAAB shall, at its own expense, use reasonable efforts to contain and remedy any Personal Data Breach caused by CAAB (or its agents, representatives, or subcontractors) without undue delay and prevent any further Personal Data Breach, including, but not limited to taking any and all reasonable action necessary to comply with Applicable Data Protection Laws.
9. Deletion or Return of Processed Personal Data.
- Subject to the terms hereof, processor/service provider shall within up to sixty (60) days, unless a sooner time period is required by Applicable Data Protection Laws, return and then destroy the User Data, except such copies as authorized including under this DPA or required to be retained in accordance with Applicable Data Protection Laws.
- Processor/service provider may retain User Data only to the extent authorized or required by Applicable Data Protection Laws, provided that processor/service provider shall ensure the confidentiality of such User Data and shall ensure that it is only processed for such legal purpose(s). The provisions of this DPA shall govern any such retained User Data.
- Upon controller’s/business’ prior written request, processor/service provider shall provide written certification to controller/business that it has complied with this Section 9.
10. Audit Rights.
- Subject to the terms hereof, and not more than once in each calendar year, processor/service provider shall make available to a reputable auditor mandated by controller/business in coordination with processor/service provider, at the reasonable cost of the controller/business upon prior written request, within normal business hours at processor/service provider premises, such information necessary and relevant to reasonably demonstrate compliance with this DPA, and shall allow for audits by such reputable auditor mandated by the controller/business in relation to the processing of the User Data by the processor/service provider, provided that such third-party auditor shall be subject to confidentiality obligations.
- Controller/business shall use (and ensure that each of its mandated auditors use) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the processor’s/service provider’s premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection.
11. General Terms.
- Governing Law and Jurisdiction. All disputes with respect to this DPA shall be determined in accordance with the laws of the State of Israel and shall be handled at a competent court in Tel Aviv-Yafo.
- Conflict. In the event of any conflict or inconsistency between this DPA and any other agreements between the parties, including agreements entered into after the date of this DPA, the provisions of this DPA shall prevail.
- Changes in Applicable Data Protection Laws. Controller/business may by at least forty-five (45) calendar days’ prior written notice to processor/service provider, request in writing any changes to this DPA, if they are required, as a result of any change in any Applicable Data Protection Law, regarding the lawfulness of the processing of User Data. If controller/business provides its modification request, processor/service provider shall make commercially reasonable efforts to accommodate such modification request, and controller/business shall not unreasonably withhold or delay agreement to any consequential changes to this DPA to protect the processor/service provider against any additional risks, and/or to indemnify and compensate processor/service provider for any further costs associated with the changes made hereunder.
- Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Details of Processing of Processed Personal Data
(As required by Article 28(3) of the GDPR)
- The subject matter and duration of the processing of processed personal data are set forth in the Terms.
- The types of processed personal data to be processed are as detailed in the PN.
- The categories of data subjects to whom the processed personal data relates to are as follows: natural persons who are end users of the Controller’s or any other third parties’ services.
- The obligations and rights of Controller are as set forth herein and in the GDPR.