This is an addendum to the Terms of Services
Effective date: May 15, 2018
Throughout this addendum, “Data Recipient” or “you” shall refer to recipient of Personal Data from Branded along with its respective subcontractors and affiliates.
The following DPA constitutes an addendum between you and Branded for all responses to any questions presented in the Survey Offer along with consumer, influencer and audience behavior, or services (referred to as “Services” or in the hereinafter addendum, defined as “Services”, each referencing an Agreement”) and as an agreement to the Addendum(s) to reflect the parties’ agreement with regard to the Processing and protection of Personal Data.
Terms the Data Recipient Agrees to Comply with are as follows:
1. Ensuring Compliance
Branded and you shall remain compliant with any obligations specific to all Applicable Laws including the Processing of Personal Data in connection with the Addendum. If you are a Processor of Personal Data in connection with the Addendum, you must comply with the obligations of a Processor per Article 28 of the GDPR.
Applicable to: Data Provider, Data Recipient
2. Safeguarding
You are able to confirm and prove that you have necessary security measures in place to protect Personal Data. This includes and is not limited to the enforcement of technical measures against any unauthorized use, potential loss, damage or destruction of the Data Subject’s Personal Data.
Applicable to: Data Provider, Data Recipient
3. Data Handling and Processing
You have collected valid authorizations, as necessary, to Process and disclose Personal Data to Branded. The nature of the Personal Data being disclosed and/or shared with Branded shall be laid out in the Addendum. In the instance where you become cognizant of any errors or lack of validity in the Personal Data or in the case the Data Subject has withdrawn authorization or approval, you shall notify Branded.
Applicable to: Data Provider
4. Personnel Administration of Personal Data
You shall enforce measures to ensure that all employees, affiliates, subcontractors, or agents (also known as “Personnel”), whom are involved in the Processing of the Personal Data in connection with the Addendum, are reliable and aware of their duties.
Applicable to: Data Provider, Data Recipient
5. Transfer of Personal Data
In the case you transfer any Personal Data from within the EEA [or Switzerland] to Branded, within the United States of America, you will take all required actions to properly ensure the transfer. This includes notifying the associated Data Subjects of Branded’s certification to the EU-US [and EU-Swiss] Privacy Shield certification. Branded will uphold its certification for the entirety of term, and will notify you of any changes to its certification status.
Applicable to: Data Provider
6. Third-Party Inquiries
You agree to having a Data Protection Officer, or an employee whom shall remain responsible for ensuring the lawful and appropriate administration of Personal Data along with assisting Branded, in a timely manner, with any inquiries surrounding Data Subjects or any competent data protection or privacy authority as they relate to the Processing of Personal Data which you have provided to Branded.
In an effort to assist Branded with remaining compliant with GDPR and in relation to any Personal Data that you provide to Branded, you agree with providing Branded with assistance and information on an as needed basis in a timely manner.
Applicable to: Data Provider, Data Recipient(first paragraph only)
7. Exchange of Personal Data
Per the addendum, in the instance where you receive
Personal Data from and provide Personal Data to Branded,
you and Branded consent to doing so in the capacity of
Controller, for the process of supplying Personal Data to the
other party.
In the case you receive Personal Data from Branded, you
will act in the capacity of a Controller, and:
A. Uphold the ability to Process such Personal Data
for your own business and commercial needs,
subject to the Terms of this Addendum (including,
without limitation, the scope of the license granted)
and per the obligations of Controller laid out in
Article 28 of the GDPR; and
B.Retain the ability to Process Personal Data per the
instructions of Branded and not for the intent of your
own business or commercial purposes; complying with
the Applicable Laws and obligations of a Processor as
laid out in Article 28 of the GDPR.
Applicable to: Data Provider, Data Recipient
8. Consent for Personal Data
You validate that as an operator of a digital property, from which Branded collects Personal Data, you have implemented methods for obtaining appropriate consent for such collection of Personal Data for all intents and purposes specific to those which Branded has laid out in the Addendum and have provided a clear link to an easy-to-use mechanism which would allow the Data Subject the ability to opt out.
Applicable to: Data Provider
You verify that the provision of Branded Personal Data via digital properties and operated by third parties, have implemented legally enforceable obligations in place with the third parties - specifically requesting that they obtain explicit consent which you will be able to provide in evidence to Branded to satisfy the requirements of Branded’s use of such Personal Data, per the Addendum. Similarly, you will be responsible for furnishing third parties with any relevant information laid out in the Addendum and/or made available by Branded in writing.
Applicable to: Data Provider
You can validate that you have the necessary proof of consent of any Data Subject whose Personal Data you expose to Branded and in all those cases the Data Subjects are provided with a clear mechanisms to opt-out.
Applicable to: Data Provider
If you are unsure of the technology Branded uses in relation to Personal Data and how Branded will use Personal Data provided by you, please see our privacy statement at https://surveys.gobranded.com/page/branded-surveys-privacy-policy, our terms of service https://surveys.gobranded.com/page/branded-surveys-terms-of-service or submit a request to Branded for information at compliance@gobranded.com.
Generally, Branded uses Personal Data for purposes related to its measurement of consumer behavior, audiences, and advertising. At minimum, this spans (i) market research, (ii) advertising and modelling, (ii) user experience, analytics and reporting. In such instances, Branded utilizes Personal Data on its own behalf and on behalf of its customers; making the Personal Data subject to the terms of the applicable Addendum
Applicable to: Data Provider
9. Disclosures & Privacy Policy
If you are an operator of a digital property from which Personal Data is collected and provided to Branded, you will comply by having a privacy notice that is in order with the Applicable Laws. Wherever possible you shall name Branded as a party for and/or by whom Personal Data is collected via the avenue of your digital property
Applicable to: Data Provider
In the case you uphold a provision to Branded of Personal Data from digital properties, that are operated by third parties, you will contractually request that your relevant contracting parties have a privacy notice that complies with Applicable Laws for each digital property. Likewise, where possible, you shall require that third parties explicitly state Branded as a party for and/or by whom Personal Data is collected via the third party digital property.
Applicable to: Data Provider
You confirm that all parties obtaining Personal Data from Data Subjects, made available to you via Branded, have a privacy notice that discloses the collection, provision and use of the Personal Data share with Branded. This includes and is not limited to the means of how surrounding data is collected and how protocol for Advertising by Branded is in compliance with Applicable Laws – furnishing the Data Subject with an easy means of opting out (including and where applicable the Data Subject’s ability to opt out of Advertising performed by Branded) through the services provided by Supplier or its data sources.
Applicable to: Data Provider
10. Personal Data Breach
In the instance of a Personal Data Breach, where there may be impact to Personal Data Processed per the Addendum, you will: (i) take all necessary and appropriate corrective measures to resolve any related, underlying causes of the Personal Data Breach; (ii) promptly notify Branded within twenty-four (24) hours and furnish any reasonable detail regarding the nature of the Personal Data Breach along with any related, potential impact to the Personal Data disclosed to Branded; and (iii) assist Branded as necessary to ensure compliance with Applicable Laws.
Correspondingly, Branded will be the final deciding body on if a notifications regarding the nature of the personal Data Breach will be sent to any Supervisory Authorities, Branded’s Data Subjects, customers, service providers, third party partners, employees, and/or the general public along with any corresponding remediation efforts, so long as Branded operates in the capacity of Controller
Applicable to: Data Provider, Data Recipient
11. Rights of Data Subjects
You have the means and will take all necessary measures to allow us to remain in compliance with reasonable requests from Data Subjects (in relation their rights under Articles 12-22 of GDPR) as it pertains to Personal Data Processed, per the Addendum.
Applicable to: Data Provider, Data Recipient
12. Disclosure of Sensitive Personal Data
You will not disclose any sensitive categories of Personal Data, as mentioned in Article 9 and 10 of GDPR, with Branded unless explicitly agreed to in writing.
Applicable to: Data Provider
13. Audit and Compliance
Per the Addendum, you will comply with any reasonable requests for information from Branded and/or Branded clients as they pertain to your Processing of Personal Data. Per Applicable Laws, you ensure that all affiliated parties are in compliance with their specified obligations and are willing and able to allow Branded and/or Branded clients to perform an audit of your compliance as per this DPA and Applicable Laws.
Applicable to: Data Provider, Data Recipient
14. Complying with Data Protection Impact Assessments
As able, you will aid Branded with any data protectionrelated impact assessments along with former consultations with Supervisory Authorities or other competent data privacy governing bodies, which Branded considers to be necessary by Article 35 and/or 36 of the GDPR or per similar conduct spelled out in Applicable Laws and as they pertain to the Processing of Personal Data associated with the Addendum.
Applicable to: Data Provider, Data Recipient
15. Precedence of Agreements
You confirm and concur that the terms and conditions of this DPA shall serve as an add on to the existing Agreement. In the case there is any misalignment between the DPA and an Agreement, the order of precedence remains: (1) DPA; and (2) an Agreement.
Applicable to: Data Provider, Data Recipien
16. Modifications to Applicable Laws
Branded may: (i) by a minimum of at least 30 (thirty) calendar days’ of written notice to you, make any modifications as a result of any updates in, or per determination of a competent authority under the Applicable Law as it relates occurrence of to Controller to Controller disclosures of Personal Data without breach of the associated, Applicable Law; and (ii) suggest any other variations to this DPA which Branded deems to be necessary for addressing the requirements of any Applicable Laws.
Applicable to: Data Provider, Data Recipient
Related Definitions:
Applicable Laws consist of any laws, regulations, and instructions stated or enforced upon by any government entity – albeit domestic or foreign, which incorporates GDPR, Directive 95/46/EC and Directive 2002/58/EC, European Commission decisions and guidance per unique translation to the appropriate domestic legislation per member state of the European Union or other country. This shall include any laws which enforce or complement the GDPR along with any industry with selfregulatory protocol which is specific to the location or region where the Services are provided or received, in compliance with the Processing of Personal Data or the interference along with the recording or oversight of communications.
GDPR is in reference to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as it relates to the guarding of natural persons per the expectations outlined in the Processing of Personal Data along with the fluid movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
Advertising consists of (i) obtaining data via digital avenues or other sources with the intent of profiling and providing advertising based on the identified or inferred preferences of the data subject and (ii) obtaining data about a data subject’s preferences on or in one digital property or source with the intent of profiling and providing advertising based on that data on an alternate digital property;
The terms “Personal Data”, “Personal Data Breach”, “Data Subject”, “Controller”, “Processor”, and “Processing”, and “Supervisory Authorities” retain the same meaning as specified in the
GDPR, and their associated terms shall be specified as such:
As a Data Provider or Data Recipient, you consent to this DPA has taken effect immediately upon submission and serves as a written amendment to the Agreement noted in the table above: