Data Processing Agreement V2
Please note that this DPA will come into effect for all existing customers from Monday 3 February 2025. For new customers this already applies from the moment you sign up with Prezly.
This Data Processing Agreement (“DPA”) forms part of the Service Agreement or other written or electronic agreement between Prezly and the Customer for the purchase of online services from Prezly (“Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data.
You can find additional information regarding GDPR & Prezly, and more information about our security practices in our Trust Center.
Executing a DPA does not change any of our practices concerning the protection of your privacy and your data. Everyone using our service gets the same high standards of privacy and security.
1. The organisation or company that subscribes to the Services, and whose details shall be provided to Prezly upon subscribing (hereinafter “Customer” or “Data Controller”);
AND
2. Prezly BV, a company incorporated in Belgium, with company registration number BE0829.855.487, with its registered office at Tiensevest 100/001, 3000 Leuven, Belgium and its wholly-owned subsidiaries (hereinafter “Prezly” or “Data Processor”);
Each also a “Party” and together the “Parties”.
2.1 The Parties have entered into an agreement by virtue of which the Data Processor will provide communication and PR-services to the Data Controller through a dedicated online platform (hereinafter “Agreement”).
2.2 Under the Agreement, Data Processor may have access to and/or otherwise process Personal Data on behalf of the Data Controller, even if only occasional or incidental.
In this data processing agreement (hereinafter “Data Processing Agreement” or “DPA”), the Parties wish to determine their respective rights and obligations as to the processing of such personal data, in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”).
2.3 The Parties agree that this DPA will replace any existing data processing addendum or agreement that the Parties may have previously entered into in connection with the Agreement.
2.4 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will prevail.
3.1 In this DPA, the following definitions will be used:
The terms “Personal Data”, “Data Controller”, “Data Processor”, “Data Subject” and “Processing” shall for the purposes of this DPA be given the same meaning as defined in the GDPR, applied to the specific situation of the Agreement.
The term “Privacy Policy” refers to Prezly’s legal and binding statement that discloses all of the ways in which it gathers, uses, discloses and manages Personal Data. The latest version of the Privacy Policy is always available at www.prezly.com/legal.
The term “Services” means the communication and PR-services that Prezly provides to its customers through a dedicated online platform.
The term “Third Country” means a country that isn’t a member state of the EU, the European Economic Area or the countries which the European Commission has found to guarantee an adequate level of data protection.
3.2 Any other terms used with capital letters but not defined in this DPA will have the same meaning as in the Agreement.
4.1 The Data Processor shall process the Personal Data on behalf of the Data Controller, as further detailed in Appendix 1 to this DPA.
4.2 The Data Processor shall process Personal Data under this DPA only on behalf of and in accordance with the explicit instructions of the Data Controller. The Data Processor acknowledges and agrees that it does not have any power of control over the purposes and the means for the Processing of Personal Data.
4.3 The Data Controller shall provide the Data Processor with clear written instructions regarding the Processing of Personal Data. Should no instructions have been issued by the Data Controller, then this DPA and the Agreement itself, as well as the Privacy Policy, shall be deemed to constitute the Data Controller’s instructions to the Data Processor for the Processing of Personal Data.
4.4 Should the Data Processor be of the opinion that any of the instructions are unlawful under any applicable law, it shall inform the Data Controller thereof in writing without any undue delay. The Parties shall discuss and agree on measures to take to amend the instructions in such a way as to render them lawful under applicable law.
4.5 When handling any Personal Data under this DPA, both Parties undertake to act in strict compliance with any and all relevant national and international data protection laws and regulations, including GDPR.
5.1 When Processing Personal Data on behalf of the Data Controller, the Data Processor shall comply with any and all relevant national and international data protection laws and regulations, including GDPR, and such other security requirements as set out in the Privacy Policy.
5.2 The Data Processor may process Personal Data for the sole purpose of and only for as long as this is necessary for the execution of the Agreement. The Data Processor shall not process more Personal Data than is necessary for such purpose.
5.3 The Data Processor shall take appropriate technical, organizational and security measures to safeguard Data Controller’s Personal Data against access, use, modification or Processing and against accidental loss, alteration or destruction of, or damage to the Data Controller’s Personal Data and will ensure that such measures are no less rigorous than those maintained by the Data Processor in respect of its own Personal Data of a similar nature or than those referenced in the Privacy Policy.
5.4 The Data Processor shall ensure that any personnel, contractor or sub-processor entrusted with Processing Controller’s Personal Data shall have signed appropriate confidentiality obligations, are properly instructed to perform their duties in a manner helping to ensure compliance with the terms of this DPA and have been duly instructed to apply the applicable data security and confidentiality standards.
5.5 The Data Processor shall promptly notify the Data Controller and refer any request to the Data Controller:
- If the Data Processor, or one of its sub-processors, becomes aware or suspicious of a Personal Data breach or any other irregularity in processing Data Controller’s Personal Data. Such notification shall be made no later than 36 hours after becoming aware of the breach.
  Information provided to the Data Controller upon such notification shall, to the extent such information is available to the Data Processor, include:
  - a description of the nature of the Personal Data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
  - a description of the likely consequences of the Personal Data breach; and
  - a description of the measures taken or proposed to be taken by the Data Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  In addition, the Data Processor shall without undue delay inform the Data Controller of the circumstances giving rise to the Personal Data breach, and any other related information reasonably requested by the Data Controller and available to the Data Processor.
- In the event of a legally binding request for disclosure of Personal Data by a law enforcement authority unless prohibited under applicable law; and
- If a request is received by the Data Processor from Data Subjects regarding the Processing of their Personal Data or any of their related rights, by a supervisory authority or a third party.
5.6 Unless given prior express instruction by the Data Controller, or if it is required under mandatory legislation, the Data Processor may not disclose any Data Controller’s Personal Data or any information relating to the processing of the Data Controller’s Personal Data to any third party but should instead refer such third party to the Data Controller.
5.7 Where so requested by the Data Controller, the Data Processor shall provide reasonable assistance to the Data Controller, at no extra costs:
- In carrying out any prior consultations with the competent data protection authorities which the Data Controller considers to be required or recommended;
- In proving to the competent data protection authorities that the Data Controller and/or the Data Processor comply with their obligations under any and all applicable laws and regulations; and
- In fully cooperating with the data protection authorities in case of an investigation into Processing of Personal Data by the Data Controller and/or the Data Processor.
6.1 The Data Controller will not provide (or cause to be provided) any sensitive Personal Data to the Data Processor for processing under the Agreement or this DPA.
6.2 The Data Controller shall be responsible for ensuring that it has complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including the GDPR, in its use or provision of the Services and its own processing of Personal Data (except as otherwise required by applicable law). The Data Controller shall be responsible for ensuring that it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to the Data Processor for processing in accordance with the terms of the Agreement and this DPA.
7.1 To the extent possible with regard to the nature of the Processing, the Data Processor shall ensure that it has the technical and organizational measures in place to enable the Data Controller to meet its obligations regarding the Data Subject’s rights under Chapter 3 of the GDPR.
7.2 Where the Data Controller, based upon applicable data protection law or following a request from a Data Subject, is obliged to:
- Provide information about the Processing of the information pertaining to a requesting individual (such as excerpts of the information collected);
- Rectify, erase or block information collected and pertaining to a requesting individual;
- Transfer information collected and pertaining to a requesting individual to a third party designated by the requesting individual; or
- Perform a data protection impact assessment in accordance with Article 35 in the Act;
the Data Processor shall promptly and at no extra cost assist the Data Controller therewith.
Where the required information can be retrieved by the Data Controller itself from the systems of the Data Processor through the access methods made available by the Data Processor to the Data Controller, the Data Controller may retrieve such information by itself using the reporting features available for such purpose in the systems of the Data Processor.
8.1 The Data Processor may only transfer the Data Controller’s Personal Data to Third Countries with the Data Controller’s prior written consent. However, with this DPA the Data Controller explicitly agrees with the transfer of Personal Data outside the EU by the sub-processors, as set out in Article 9 below.
8.2 In any case, when transferring Personal Data to Third Countries, the Data Processor shall enter into sufficient contractual arrangements with required parties (including the Data Controller itself or any of the Data Controller’s affiliates) for the safe transfer of the Data Controller’s Personal Data from the approved jurisdictions to any Third Countries, including as required by the European Commission under the standard contractual clauses. As an alternative to entering into the standard contractual clauses, the Data Processor may rely upon an alternative framework permitting the lawful transfer of the Data Controller’s Personal Data outside of the approved jurisdictions, provided that such framework is in compliance with the GDPR and applicable legislation.
9.1 The Data Controller agrees that the Data Processor may engage third party sub-processors to process Data Controller’s Personal Data on the Data Controller's behalf. A list of the sub-processors currently engaged by the Data Processor is available upon request. The Data Processor shall be notified by the Data Controller in advance in writing of any new sub-processor being appointed.
9.2 The Customer may object in writing to the appointment of an additional sub-processor, on reasonable grounds only, within five (5) calendar days after receipt of the Data Processor’s notice. In the event that the Data Controller objects on reasonable grounds relating to the protection of the Personal Data, then the Parties shall discuss commercially reasonable alternative solutions in good faith.
9.3 Where a sub-processor is engaged by the Data Processor as described in this Article 9, the Data Processor shall:
- Restrict the sub-processor’s access to Personal Data only to what is necessary to perform the subcontracted services;
- Impose on such sub-processors data protection terms that protect the Personal Data to the same standard provided for by this DPA; and
- Remain liable for any breach of the DPA caused by a sub-processor.
9.4 A full, up-to-date list of Prezly’s sub-processors can be found on the Prezly Trust Center.
10.1 Once every calendar year, the Data Controller has the right to, by itself or through a recognized, independent auditor with proven experience and procedures who is not a competitor of the Data Processor, perform an audit of the Data Processor’s Processing of the Data Controller’s Personal Data under this DPA and the GDPR.
10.2 The Data Controller shall give prior written notice to the Data Processor of any such audit at least twenty (20) calendar days in advance. The audit shall be performed during normal working days and business hours and any interference with the normal business of the Data Processor must be avoided.
10.3 The Data Processor shall provide reasonable assistance during such audit and provide the auditors with all information and documentation requested.
10.4 The Data Processor shall procure that an audit in accordance with Articles 10.1 and 10.2 may be performed in relation to any sub-processor of the Data Processor.
10.5 Should the audit reveal any material non-compliance on behalf of the Data Processor in Processing the Data Controller’s Personal Data, the costs of the audit shall be borne by the Data Processor.
11.1 The Data Processor warrants that:
- It is in compliance with the GDPR, in particular Article 28, and it shall provide to the Data Controller all such information as requested by the Data Controller for the Data Processor to substantiate and verify its compliance with the GDPR;
- It has taken appropriate technical and organizational measures in such a manner that the Processing will meet the requirements set out in the GDPR; and
- It has the required expert knowledge, reliability and resources to fulfill and to adhere to the terms and conditions of this DPA.
12.1 Each Party’s liability for breach of this DPA, the liability between the Parties and the limitation of any liability shall be as set out in this Article 12 and in Article 82 of the GDPR. Any limitations of liability in the Agreement shall not apply to the Processing of Personal Data under this DPA.
12.2 In the event a Data Subject or any third party directs any claims towards the Data Controller based on the Data Processor’s Processing of Personal Data, the Data Processor shall hold the Data Controller harmless for such claims if they result from the Data Processor’s failure to comply with this DPA or Data Controller’s instructions, but only to the extent of the claim being attributable to such failure.
12.3 The Data Controller is, in addition to compensation for breach of the obligations that may follow from the Agreement, entitled to compensation for damages from the Data Processor if the Processing of Personal Data that forms the basis of the damages has been performed by or by means of the Data Processor contrary to this DPA or Data Controller’s instructions.
13.1 This DPA shall be valid as of the date of its due signature by both Parties, and be valid for as long as the Data Processor is Processing any Data Controller’s Personal Data under the Agreement.
13.2 Each Party is entitled to terminate this DPA if the other Party materially fails its obligations arising from this DPA and such default is not remedied within thirty (30) days after receiving written notice from the other Party requiring the default to be remedied. In such a case, the Data Processor must also immediately terminate the Processing of the Data Controller’s Personal Data under the Agreement.
13.3 Upon expiry of the Agreement or this DPA, for whatever reason, the Data Processor shall return the Data Controller’s Personal Data to the Data Controller, or to the extent this is not possible and with Data Controller’s acceptance, confirm the destruction of such Personal Data. No Data Controller’s Personal Data shall remain with the Data Processor after the expiry of this DPA, except to the extent the Data Processor is required under law or regulation to keep any such data.
14.1 Any amendments or addenda to this DPA shall be made in writing and be executed by duly authorized representatives of the Parties.
14.2 The failure of either Party to exercise in any respect any right provided for in this DPA will not be deemed a waiver of any further rights hereunder. Any waiver of rights must be explicit and in writing.
14.3 If any provision of this DPA is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this DPA will otherwise remain in full force and effect and enforceable.
15.1 This DPA shall be construed in accordance with and governed by the laws of Belgium regardless of its choice of legal principles.
15.2 The exclusive place of jurisdiction shall be Leuven, Belgium.
The subject matter: Providing the Data Processor’s services to the Data Controller under the Agreement involves the Processing of Personal Data of the Data Controller.
The duration: Set out in Article 13 of this DPA.
As the entity providing and maintaining the Prezly Platform, Prezly may have access to the Personal Data that the Customer or Users have put into the Platform or are generated by the Platform upon the Customers’ or Users’ request. For example, Customer uses the Prezly Platform to publish and distribute press releases to the press contacts of the Customer. Prezly may have access to Personal Data of these press contacts and the analytics relating to the emailing campaign.
Non-sensitive categories of personal data: identification information, contact information: email address(es) and phone number(s), address information, profession and employment, professional interest areas, social media profile links, behavioral data with regard to email analytics (clicks, opens, unsubscribes, bounces), contact preference notes
- Customers and Users of the Services
- Press contacts of Customers stored in the Platform
Prezly Main Datacenter: AWS Dublin, Ireland (EU-WEST-1)
All technical and organizational measures as well as our certifications can be requested in our Trust Center.