DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) applies to the Services provided pursuant to the MyWiFi Networks Platform License Agreement (the “Terms”) to which this Addendum is attached (the “Agreement”) between MyWiFi Networks, a division of Guest Networks Inc. (“MyWiFi”) and you (“Channel Partner”). This Addendum is hereby incorporated into and made a part of the Agreement.
1. Purpose And Application
This Addendum is the parties’ agreement with respect to the Processing by MyWiFi of Personal Data under the Agreement. The terms of this Addendum apply where the GDPR applies to the Processing of Personal Data.
The terms of this Addendum shall be in force on the date of the Agreement; or, (b) upon registration for an account with MyWiFi.
Capitalized terms used but not defined in this Addendum have the meanings set out in the Agreement. In this Addendum, unless stated otherwise:
“Authorized Personnel” has the meaning given to the term in Section 4.1.2.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“End User Data” has the meaning given to the term in the Agreement.
“Data Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.
“Data Protection Laws” or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Personal Data” means End User Data that is information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed upon or with respect to Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.
“Processor” means the natural or legal person which Processes Personal Data on behalf of the Controller.
“Restricted Transfer” means the transfer of any Personal Data to which the GDPR applies to any country or organisation, where such transfer would not be permitted by the GDPR in the absence of some legal basis permitted by the GDPR.
“Services” means the Services set out in the Terms.
“Subprocessor” means a third-party who Processes End User Data on behalf of the Processor in order to provide portions of the Services.
3. Processing of Personal Data
3.1 Roles and Responsibilities
3.1.1 Where the GDPR applies to the Processing of Personal Data by MyWiFi, Channel Partner is, for all purposes and with respect to all Data Protection Laws, the Controller of the Personal Data and MyWiFi is the Processor of the Personal Data, except only when Channel Partner acts as a Processor of Personal Data on behalf of a third party who is the Controller of same, in which case MyWiFi shall be only a Subprocessor. Where MyWiFi is a Subprocessor, Channel Partner represents and warrants that it has all necessary authority of the relevant Controller to engage MyWiFi as a Subprocessor. Notwithstanding anything to the contrary, in all cases, Channel Partner acknowledges, agrees and represents that MyWiFi shall not be the Controller of Personal Data.
3.1.2 MyWiFi shall only comply with Data Protection Laws to the extent they apply to MyWiFi’s Processing of Personal Data on behalf of Channel Partner. Channel Partner shall comply with all Data Protection Laws applicable to Personal Data. For clarity, Channel Partner shall obtain all required consent from the data subjects of Personal Data for MyWiFi to Process Personal Data and shall comply with all obligations under Data Protection Laws as a Controller of Personal Data and all similar obligations.
3.1.3 In the provision of some services, MyWiFi, on receipt of instructions from Channel Partner, may transfer Personal Data to and otherwise interact with third-party data Processors. Channel Partner agrees that if and to the extent such transfers occur, Channel Partner is responsible for entering into separate contractual arrangements with such third-party data Processors binding them to comply with obligations in accordance with Data Protection Requirements. For avoidance of doubt, such third-party data Processors are not Subprocessors.
3.2 Scope of Processing
3.2.1 Channel Partner instructs MyWiFi to process Personal Data: (a) to provide the Services; (b) as set out in the Agreement, including this Addendum; (c) as specified by Channel Partner’s use of the Services; and, (d) as further documented in any other of Channel Partner’s written instructions that are acknowledged by MyWiFi as being instructions for the purposes of the Agreement.
3.2.2 Channel Partner’s instructions for MyWiFi’s Processing of Personal Data shall comply with all Data Protection Laws. Channel Partner shall not instruct MyWiFi to undertake any Restricted Transfer.
3.2.3 Notwithstanding Section 3.2.1 above, MyWiFi may Process Personal Data where required by any applicable law to which MyWiFi is subject, in which case MyWiFi shall (to the extent permitted by law) inform Channel Partner of that legal requirement before carrying out the Processing.
3.2.4 The nature and purpose of MyWiFi’s Processing of Personal Data shall be to provide the Services pursuant to the Agreement. The type of Personal Data, the categories of data subjects, and the obligation and rights of Channel Partner are set out in the Agreement, including in this Addendum.
4.1 Security Measures
4.1.1 MyWiFi has taken, and Channel Partner shall take, taking into account the costs of implementation, and the nature, scope, context and purposes of Processing, the appropriate technical and organizational measures to ensure a level of security for the Personal Data, within their respective possession, which is appropriate to the risks to the applicable individual data subjects that may result from the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data.
4.1.2 MyWiFi shall cause that access to Personal Data within the possession of MyWiFi is limited to those individuals who need access in order to meet MyWiFi’s obligations under the Agreement (together the “Authorized Personnel”).
4.1.3 All Authorized Personnel are or will be trained in the handling of Personal Data, informed of the confidential nature of the Personal Data, and will be bound by appropriate confidentiality obligations when accessing it, and they will not Process Personal Data except pursuant to the instructions of Channel Partner.
4.2 Data Incident
4.2.1 On becoming aware of a Data Incident, MyWiFi will: (a) notify Channel Partner of the Data Incident without undue delay; (b) make reasonable efforts to identify the cause of such Data Incident; and, (c) where the Data Incident was not caused by Channel Partner or any User, take those steps that MyWiFi deems necessary and reasonable in order to remediate the cause of the Data Incident to the extent the cause of the Data Incident is in MyWiFi’s reasonable control.
5.1.1 MyWiFi shall not engage Subprocessors (excluding independent contractors) without prior specific or general written authorization of Channel Partner and will require such Subprocessors to be bound by provisions substantially similar to those in this Addendum, as applicable. A list of MyWiFi’s current Subprocessors are set out in Appendix A and Channel Partner hereby authorizes MyWiFi to use such Subprocessors.
5.1.2 MyWiFi may, at its discretion, choose to engage additional third-parties as Subprocessors generally. If MyWiFi chooses to engage Subprocessors generally, MyWiFi will inform Channel Partner of any new Subprocessors at least 30 days prior to authorizing the Subprocessor to Process Personal Data and Channel Partner may object to the new Subprocessor by providing MyWiFi written notice within 15 days of receipt of such notice. If Channel Partner objects to the new Subprocessor under this Section 5.1.2: (i) MyWiFi will, in its sole discretion, provide the Services without the new Subprocessor Processing any Personal Data; or, (ii) Channel Partner may terminate the Services which require the new Subprocessor.
6.1 GDPR Audits
6.1.1 Where the Processing of Personal Data is subject to the GDPR, at Channel Partner’s sole expense, MyWiFi shall make available to Channel Partner such of MyWiFi’s information as is reasonably necessary to demonstrate compliance with the obligations in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Channel Partner or another auditor mandated by Channel Partner.
7. Deletion and Return of PErsonal Data
7.1.1 At the end of the Services and at the choice of Channel Partner, MyWiFi shall delete or return all the Personal Data to Channel Partner, and delete all Personal Data unless prohibited by Data Protection Laws.
8. Rights of Data Subjects
8.1.1 MyWiFi shall, at Channel Partner’s sole expense, fulfill data subject requests to access, rectify, and restrict processing of Personal Data in a manner consistent with Data Protection Laws, the functionality of the Services, and MyWiFi’s role as a Processor.
9. Impact Assessment
9.1.1 Where the Processing of Personal Data is subject to the GDPR, at Channel Partner’s sole expense, MyWiFi will provide reasonable assistance to Channel Partner in its obligations to comply with its obligations to conduct privacy impact assessments and consult with regulatory bodies in relation to any Processing of Personal Data undertaken under this Agreement.
10.1.1 Channel Partner shall fully indemnify and keep indemnified and defend at its own expense MyWiFi against all liability, losses, claims, costs and reasonable expenses, including legal fees, which MyWiFi may incur, or for which MyWiFi may become liable to the extent arising from any Processing of Personal Data in accordance with the instructions of the Channel Partner, any Channel Partner breach of this Addendum or any Data Protection Laws, or any of Channel Partner’s acts or omissions in respect of its obligations as a Controller of Personal Data.
APPENDIX A: MyWiFi Subprocessors
MyWiFi uses the following sub-processors to assist in providing Services on behalf of MyWiFi Channel Partners:
· Amazon Web Services (Data Hosting) - https://aws.amazon.com/compliance/eu-data-protection/
· Sendgrid - Email service provider - https://www.sendgrid.com/resource/general-data-protection-regulation/
· Twilio (SMS service provider) - https://www.twilio.com/gdpr
· Google, Inc. (Map APIs and analytics) - https://cloud.google.com/security/gdpr/
· Facebook, Inc. (Social network) - https://www.facebook.com/business/gdpr
· Zapier, Inc. (Web app automation) - https://zapier.com/help/gdpr/
· Periscope Data (Data analytics) - https://www.periscopedata.com/gdpr
· Segment (Analytics management) - https://segment.com/docs/legal/privacy/
· FullStory (User analytics) - https://help.fullstory.com/gdpr
· BugSnag (Error reporting) - https://www.bugsnag.com/security/
· Logentries.com, Inc. (System logging) - https://docs.logentries.com/docs/security/
· Recurly (Credit card processing) - https://recurly.com/legal/
· Stripe (Payments) - https://stripe.com/ca/privacy
· PayPal (Payments) - https://www.paypal.com/gdpr
· Intercom Inc. (Live chat) - https://docs.intercom.com/privacy
· Active Campaign (CRM) - https://www.activecampaign.com/gdpr
· Close.io (CRM) - https://close.io/gdpr/
· ClickFunnels (Website marketing) - https://signup.clickfunnels.com/gdpr-policy
· Typeform (Data forms) - https://admin.typeform.com/to/dwk6gt
· FirstPromoter (Affiliate software) - https://firstpromoter.com/gdpr
· Shopify, Inc. (Online store) - https://help.shopify.com/manual/your-account/GDPR
· Whiplash Merchandising (Shipping) - https://docs.getwhiplash.com/pages/gdpr-and-data-privacy
More information MyWiFi’s Privacy & Compliance can be found at: http://support.mywifi.io/privacy-and-compliance
Any questions regarding this Data Processing Addendum should be sent to: firstname.lastname@example.org
Last Updated: May 25, 2018