1. DEFINITIONS
“Customer” or “Company” means the MotionPoint customer (or if the customer is an agency, its client) for whom MotionPoint is providing Services;
“Customer Personal Data” or “Personal Information” means the Personal Data, if any, obtained by MotionPoint in the course of providing Services to Customer;
“Data Controller” (or Controller), “Data Processor” (or Processor) “Data Subject”, “Personal Data”, “Processing”, and “Sensitive Personal Data” (or special categories of Personal Data) all have the meanings given to those terms in “Data Protection Laws” (and related terms such as “Process” and “Processed” shall have corresponding meanings);
“Data Protection Laws” means any applicable laws and regulations relating to the privacy, data security or protection of information about individuals, as applicable to the Customer, MotionPoint, and/or the Services provided pursuant to this Agreement, including, without limitation, the California Consumer Privacy Act of 2018 (CCPA), and, when Customer Personal Data relates to Personal Data of Data Subjects in the EU or Switzerland, the Data Protection Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and any laws or regulations implementing Council Directives 95/46/EC or 2002/58/EC; the GDPR and/or any corresponding or equivalent national laws or regulations; and any judicial or administrative interpretation of any of the above, and any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority;
“Data Subject” shall have the meaning given to "data subject” in Data Protection Laws;
“Data Subject Request” means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;
“DP Losses” means all liabilities and amounts, including all:
a. costs (including legal costs), claims, demands, actions, settlements, ex-gratia payments, charges, procedures, expenses, losses and damages (including relating to material or non-material damage, which includes emotional distress);
b. loss or damage to reputation, brand or goodwill;
c. to the extent permitted by applicable laws and regulations:
i. administrative fines, penalties, sanctions, liabilities or other remedies imposed by a Supervisory Authority;
ii. compensation paid to a Data Subject; and
iii. the costs of compliance with investigations by a Supervisory Authority.
“DPIA” means a data protection impact assessment or privacy impact assessment (as defined or used in Data Protection Laws, including relevant guidance from Supervisory Authorities);
“GDPR” means the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
“Model Clauses” means the standard contractual clauses annex to the EU Commission Decision 2010/87/EU of 5 February 2010 for the transfer of personal data to processors established in Countries outside the EEA without adequate data protection protections;
“Standard Contractual Clauses” means the standard data protection clauses for the transfer of personal data to processors established in third countries set forth in European Commission Decision 2010/87/EU of 5 February 2010, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016;
“Security Breach” means a breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data;
“Service Provider” means a legal entity that Processes Personal Data on behalf of Customer and to which Customer discloses Personal Information for a Business Purpose. “Business Purpose” means the use of Personal Data for Customer’s operational purposes, including MotionPoint’s performance of the Services on behalf of Customer pursuant to this Agreement. The parties acknowledge and agree that MotionPoint’s Processing of Personal Data is reasonably necessary and proportionate to perform such Services for Customer, and that such Services are compatible with the context in which the Personal Data is collected;
“Sell” means the exchange of Personal Data for monetary or other valuable consideration, or as otherwise defined in state or federal law, as applicable; “Sub-Processor” means another Data Processor engaged by MotionPoint for carrying out processing activities in respect of Customer Personal Data on behalf of MotionPoint; and “Supervisory Authority” means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws.
2. COMPLIANCE
Each Party shall comply with Data Protection Laws as they relate to Customer Personal Data Processed under this Agreement. MotionPoint shall notify Customer if MotionPoint makes a determination that it can no longer meet its obligations under applicable Data Protection Laws.
3. DATA PROCESSING DETAILS.
3.1 In respect of Customer Personal Data processed under this Agreement, MotionPoint is a Data Processor and the Customer is a Data Controller. MotionPoint certifies that it understands the restrictions of this Section
3 and will comply with them.
3.2 The Customer Personal Data shall be Processed for the Term of this Agreement (subject to any legal obligations on MotionPoint to keep Customer Personal Data longer).
3.3 The Customer Personal Data may consist of:
3.3.1 the following data types: personal details, contact details, family details, lifestyle and social circumstances, financial or payment details, employment information, marketing information, data analytics, images or video, device identifiers, personal profiles, order details, log in details, user testimonials, contact form details, preference details and all other information submitted by end users (including physical or mental health data, genetic data, biometric data, racial or ethnic group information and religious or philosophical beliefs information, where relevant) through Deployed Digital Properties.
3.3.2 Personal Data Processed in respect of individuals who are end users of Customer’s Deployed Digital Properties whose Personal Data is processed to provide Services under this Agreement.
3.3.3 The Customer Personal Data is Processed for the purposes of providing the Services to the Customer under this Agreement. MotionPoint agrees that it is acting solely as a Service Provider with respect to Personal Data, and Customer shall have the exclusive authority to determine the purposes for and means of Processing the Personal Data.
3.4. MotionPoint shall not Sell Personal Data.
3.5. MotionPoint shall not collect, retain, use, disclose, or otherwise Process Personal Data: 1) for any purpose (including a commercial purpose) other than for the specific purpose of performing the services, obligations, or actions for the benefit of Customer that are specified in this Agreement; or 2) outside of the direct business relationship between MotionPoint and Customer.
4. DATA PROCESSING INSTRUCTIONS
MotionPoint shall process Personal Data only for the purposes of providing the Services under this Agreement. The parties agree that Personal Data forms no part of the consideration for this Agreement.
5. SUPPLIER PERSONNEL AND SUB PROCESSORS
5.1 MotionPoint shall ensure all MotionPoint personnel who Process Customer Personal Data have signed agreements requiring them to keep Personal Data confidential.
5.2 The Customer consents to the use of all Sub-Processors engaged by MotionPoint for provision of Services to customers at the time of this Agreement.
5.3 Where MotionPoint appoints a new Sub-Processor to carry out Processing of Customer Personal Data, during the term of this Agreement, the Customer shall be provided with reasonable notice of such Sub-Processor and the right to object to such appointment on reasonable data protection grounds within 30 days of receiving notice of the appointment.
5.4 MotionPoint shall ensure all Sub-processors Processing Customer Personal Data enter into written agreements that impose the same obligations on the Sub-processor as are imposed on MotionPoint as a Processor under this Processing Schedule, as applicable to the Sub-Processor’s role.
5.5 MotionPoint shall remain fully liable to the Customer for the performance of the Sub-Processor’s data protection obligations under the written agreement in section 5.4 of this Processing Schedule, in the event the Sub-Processor fails to fulfil those obligations.
5.6 Where the Customer exercises the right to object as set out in section 5.3 of this Processing Schedule, MotionPoint reserves the right to terminate this Agreement on giving the Customer reasonable notice of such termination.
5.7 MotionPoint shall not combine the personal information that its provider receives from, or on behalf of, Customer with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, unless expressly permitted by applicable Data Protection Laws.
6. DATA TRANSFERS
6.1 In provision of the Services to the Customer, MotionPoint may transfer Customer Personal Data to countries outside the EEA.
6.2 Transfer of Customer Personal Data outside the EEA are subject to MotionPoint putting in place adequate safeguards under Data Protection Law for such transfers and notifying the Customer of the safeguards in place prior to any such transfer. These safeguards include the Standard Contractual Clauses.
7. SECURITY AND DATA BREACH NOTIFICATION.
7.1 MotionPoint shall implement and maintain appropriate technical and organizational measures in relation to the processing of Customer Personal Data to ensure a level of security appropriate to the risk of accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction of Customer Personal Data.
7.2 MotionPoint shall notify the Customer without undue delay after becoming aware of any Security Breach and provide the Customer with reasonable assistance in complying with its Security Breach notification obligations under Data Protection Laws.
7.3 Customer may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
8. ASSISTANCE
To the extent related to its Processing of Customer Personal Data, MotionPoint shall where applicable:
8.1 Forward to the Customer any requests received from Data Subjects of Customer Personal Data exercising Data Subject Rights under Data Protection Laws;
8.2 Provide the Customer reasonable assistance (at Customer’s expense) with any requests received from Data Subjects of Customer Personal Data exercising Data Subject Rights under Data Protection Laws;
8.3 Provide the Customer with reasonable assistance (at Customer’s expense) to enable the Customer to conduct any DPIA and consultations with (or notifications to) relevant regulatory authorities that it is required to undertake under Data Protection Laws;
8.4 Provide the Customer with reasonable assistance (at Customer’s expense) in complying with its obligation to implement and maintain appropriate technical and organizational security measures in relation to the processing of Customer Personal Data.
9. DELETION OR RETURN OF DATA
Upon termination or expiry of this Agreement, MotionPoint shall (at Customer’s request) destroy or return to the Customer all Customer Personal Data in its possession or control, and delete existing copies (subject to any legal obligations on MotionPoint to keep Customer Personal Data longer).
10. INFORMATION REQUESTS AND AUDITS
10.1 MotionPoint shall allow for audits conducted by the Customer or a representative mandated by the Customer for the purpose of demonstrating MotionPoint’s compliance with its obligations under this Processing Schedule. This is subject to the Customer giving MotionPoint reasonable advanced written notice of such planned audit and ensuring any auditor is subject to binding obligations of confidentiality and that such audit or inspection is undertaken so as to cause minimal disruption to the MotionPoint’s business. The audit right under this section 10.1 is restricted to once per year at the expense of the Customer.
10.2 MotionPoint shall (at Customer’s request) provide the Customer with necessary information to demonstrate MotionPoint’s compliance with the obligations under this Processing Schedule.
10.3 Customer may, at its own expense, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.