Data Processing Addendum

This chat4business ltd Data Processing Addendum (“DPA”) is between chat4business ltd and the customer that is party to the Agreement, as defined below (“Customer” and, together with chat4business ltd, each a “Party” and collectively the “Parties”). This DPA prevails over any conflicting term of the Agreement to the extent necessary to resolve the conflict.

  1. Definitions.

(a) “Agreement” means the written or electronic agreement between chat4business ltd and Customer that governs the provision of data to Customer, as the same may be updated from time to time.

(b) “Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing Personal Data.

(c) “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of the Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws and other applicable U.S. federal and state privacy laws, in each case as amended, repealed, consolidated or replaced from time to time.

(d) “Data Processor”, “Data Subject”,“Subprocessor”, and “Supervisory Authority” shall be interpreted in accordance with applicable Data Protection Laws;

(e) “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.

(f) “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

(g) “European Data Protection Laws” means Data Protection Laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iv) GDPR as it forms parts of the United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (v) Swiss Federal Data Protection Act and its Ordinance (“Swiss DPA”); in each case, as may be amended, superseded or replaced.

(h) “Personal Data” as used in this DPA, means information relating to an identifiable or identified Data Subject who visits or engages in transactions through your store, which chat4business ltd Processes as a Data Processor in the course of providing you with the Services. Personal Data includes, for example, name, contact information, identification number, location data, online identifier, IP address, as defined in the Data Protection Laws.

(i) “Processing” means any operation or set of operations performed, whether by manual or automated means, on Personal Data or on sets of Personal Data, such as the collection, use, sale, storage, retention, disclosure, analysis, deletion, or modification of Personal Data and includes the actions of a Controller directing a Processor to process Personal Data. “Process” has a correlative meaning.

(j) “UK Addendum” means the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A(1) of the Date Protection Act 2018 currently found at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, as may be amended, superseded, or replaced.

  1. Scope.

The purpose of this DPA is to ensure compliance with the Data Protection Laws and European Data Protection Laws, as laid out in this DPA and the Agreement. The purposes, methods, and duration of the Personal Data Processing; the categories of Personal Data Processed; retention periods; and protection measures are laid out in this DPA and its Annexes.

  1. Roles.

(a) chat4business ltd is the Processor.

(b) Customer is the Controller.

(c) chat4business ltd will only Process Personal Data on behalf of Customer in accordance with this DPA and other written instructions of Customer and may not Process Personal Data for purposes or using methods other than those included in Customer’s written instructions, including this DPA.

(d) Customer instructs chat4business ltd to Process Personal Data as a Processor as outlined in this DPA and in compliance with Data Protection Laws.

  1. Obligations of Customer.

Customer represents and warrants that it will comply with Data Protection Laws and only instruct chat4business ltd to Process Personal Data to the extent such Processing is lawful according to Data Protection Laws.

  1. Obligations of chat4business ltd.

(a) Taking into account the nature of Processing and the information available to chat4business ltd, chat4business ltd will take reasonable measures to safeguard the security of the Personal Data it Processes as a Processor on behalf of Customer.

(b) Taking into account the nature of Processing and the information available to chat4business ltd, and insofar as reasonably practical, chat4business ltd will assist Customer in fulfilling Customer’s obligations under Data Protection Laws by appropriate technical and organizational measures.
chat4business ltd will notify Customer without undue delay after becoming aware of a Personal Data breach involving Personal Data Processed by chat4business ltd on behalf of Customer.

(c) chat4business ltd will not sell or share Personal Data except as instructed by Customer.

(d) chat4business ltd will not retain, use, or disclose Personal Data it processes on Customer’s behalf for any purpose other than those listed in Annex I to this DPA.

(f) chat4business ltd will not retain, use, or disclose Personal Data it processes on Customer’s behalf outside of the direct business relationship between chat4business ltd and Customer.

(g) chat4business ltd will not combine the Personal Data it processes on Customer’s behalf with Personal Data it receives from or on behalf of another person or persons, or collects from its own interaction with the Data Subject, provided that chat4business ltd may combine Personal Data as permitted by Data Protection Laws.

(h) In the event chat4business ltd determines that it can no longer meet its obligations under Data Protection Laws, chat4business ltd will notify Customer of such determination without undue delay.

  1. Audit.

chat4business ltd will allow and contribute to any audits by the Supervisory Authority.

  1. Data Retention.

Upon termination of the Agreement or this DPA, or if the Agreement or this DPA does not take effect, is void, or has been cancelled, chat4business ltd, at Customer’s direction, will return the Personal Data it Processes on behalf of Customer to Customer or delete it, and may not retain such Personal Data, unless otherwise required by law.

  1. Confidentiality.

(a) Strict Confidence. chat4business ltd will keep Personal Data, and all information relating to its Processing, in strict confidence. chat4business ltd will ensure that all personnel authorized to Process Personal Data are subject to a contractual or statutory obligation of confidentiality.

(b) Nondisclosure. chat4business ltd will not disclose Personal Data Processed on behalf of Customer to any third party without the consent of Customer, or as otherwise provided in this DPA.

  1. Use of Subprocessors.

(a) Identified Subprocessors. Customer authorizes chat4business ltd to engage the Subprocessors listed in Annex II to this DPA to Process Personal Data on behalf of Customer.

(b) Additional Subprocessors. Customer further authorizes chat4business ltd to engage other Subprocessors to Process Personal Data on behalf of Customer after reasonably notifying Customer at least ten (10) days in advance of such engagements.

(c) Appointment Rights. Customer may object in writing to the engagement of a Subprocessor prior to the engagement of the Subprocessor. chat4business ltd will provide Customer with the information necessary to enable Customer to exercise its right to object.

(d) Subprocessors’ Obligations. If chat4business ltd engages a Subprocessor to Process Personal Data in accordance with this DPA, chat4business ltd must enter into a written agreement with the Subprocessor that imposes the same obligations on the Subprocessor as are imposed on chat4business ltd under this DPA.

  1. Additional Provisions for European Data.

This Section 10 will apply only with respect to European Data.

(a) When Processing European Data in accordance with Customer’s instructions, Customer is acting as the Controller of European Data (either as the Controller, or as a Processor on behalf of another Controller) and chat4business ltd is the Processor under the Agreement.

(b) If chat4business ltd believes that Customer’s instructions infringe European Data Protection Laws (where applicable), chat4business ltd will inform Customer without delay.

(c) To the extent that the required information is reasonably available to chat4business ltd, and Customer does not otherwise have access to the required information, chat4business ltd will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities (for example, the French Data Protection Agency (CNIL), the Berlin Data Protection Authority (BlnBDI) and the UK Information Commissioner’s Office (ICO)) or other competent data privacy authorities to the extent required by European Data Protection Laws.

(d) Transfer Mechanisms for Data Transfers.

(i) chat4business ltd will not transfer European Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws; or (iii) to a recipient that has executed the “Standard Contractual Clauses” in each case as adopted or approved in accordance with applicable European Data Protection Laws.

(ii) Customer acknowledges that in connection with the performance of the Subscription Services, chat4business ltd is a recipient of European Data in the United States. To the extent that chat4business ltd receives European Data in the United States, chat4business ltd will comply with the following:

(1) In relation to European Data that is subject to the GDPR (i) Customer is the “data exporter” and chat4business ltd is the “data importer”; (ii) the Module Two terms apply to the extent the Customer is a Controller of European Data and the Module Three terms apply to the extent the Customer is a Processor of European Data; (iii) in Clause 7, the optional docking clause applies; (iv) in Clause 9, Option 2 applies and changes to Sub-Processors will be notified in accordance with the Sub-Processors section of this DPA; (v) in Clause 11, the optional language is deleted; (vi) in Clauses 17 and 18, the parties agree that the governing law and forum for disputes for the Standard Contractual Clauses will be determined in accordance with the Contracting Entity; Applicable Law; Notice section of the Jurisdiction Specific Terms or, if such section does not specify an EU Member State, the Republic of Ireland (without reference to conflicts of law principles); (vii) the Annexes of the Standard Contractual Clauses will be deemed completed with the information set out in the Annexes of this DPA; (viii) the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR; and (ix) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA the Standard Contractual Clauses will prevail to the extent of such conflict.

(2) In relation to European Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications (i) the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement; (ii) Tables 1, 2 and 3 of the UK Addendum will be deemed completed with the information set out in the Annexes of this DPA and Table 4 will be deemed completed by selecting “neither party”; and (iii) any conflict between the terms of the Standard Contractual Clauses and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

(3) In relation to European Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with sub-section (a) and the following modifications (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA; (ii) references to “EU”, “Union” and “Member State law” will be interpreted as references to Swiss law; and (iii) references to the “competent supervisory authority” and “competent courts” will be replaced with the “the Swiss Federal Data Protection and Information Commissioner” and the “relevant courts in Switzerland”.

(4) Customer agrees that by complying with our obligations under the Sub-Processors section of this DPA, chat4business ltd fulfils its obligations under Section 9 of the Standard Contractual Clauses. For the purposes of Clause 9(c) of the Standard Contractual Clauses, Customer acknowledges that chat4business ltd may be restricted from disclosing Sub-Processor agreements but chat4business ltd will use reasonable efforts to require any Sub-Processor chat4business ltd appoint to permit it to disclose the Sub-Processor agreement to Customer and will provide (on a confidential basis) all information chat4business ltd reasonably can. Customer also acknowledge and agree that Customer will exercise Customer’s audit rights under Clause 8.9 of the Standard Contractual Clauses by instructing chat4business ltd to comply with the measures described in the Demonstration of Compliance section of this DPA.

(5) If chat4business ltd cannot comply with its obligations under the Standard Contractual Clauses or is breach of any warranties under the Standard Contractual Clauses or UK Addendum (as applicable) for any reason, and Customer intends to suspend the transfer of European Data to chat4business ltd or terminate the Standard Contractual Clauses, or UK Addendum, Customer agrees to provide chat4business ltd with reasonable notice to enable chat4business ltd to cure such non-compliance and reasonably cooperate with chat4business ltd to identify what additional safeguards, if any, may be implemented to remedy such non-compliance. If chat4business ltd has not or cannot cure the non-compliance, Customer may suspend or terminate the affected part of the service in accordance with the Agreement without liability to either party (but without prejudice to any fees Customer has incurred prior to such suspension or termination).

(iii) In the event that chat4business ltd is required to adopt an alternative transfer mechanism for European Data, in addition to or other than the mechanisms described in sub-section (ii) above, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and Customer agrees to execute such other documents or take such action as may be reasonably necessary to give legal effect such alternative transfer mechanism.

  1. Miscellaneous

(a) Notice. chat4business ltd will make all notifications, including security-related notifications, required under this DPA as contemplated in the Agreement. Should you require further information, you can make a request to compliance@chat4business ltd.

(b) Modifications. This DPA may be modified from time to time, at chat4business ltd’s sole discretion. chat4business ltd encourages visitors to frequently check this page for any changes to its DPA. Your continued use of the chat4business ltd services and use of the Site will constitute your acceptance of such change.

(c) Governing Law. The terms of this DPA shall be governed by and interpreted in accordance with the laws of the State of Nevada and the laws of the United States applicable therein, without regard to principles of conflicts of laws. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of the State of Nevada with respect to any dispute or claim arising out of or in connection with this DPA.

(d) Liability. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this DPA, including limitations thereof, will be governed by the relevant provisions of the Agreement. You acknowledge and agree that chat4business ltd may amend this DPA from time to time by posting the relevant amended and restated DPA on chat4business ltd’s website, available at https://www.chat4business ltd/terms-of-service/ (https://www.chat4business ltd/terms-of-service/) and such amendments to the DPA are effective as of the date of posting. Your continued use of the Services after the amended DPA is posted to chat4business ltd’s website constitutes your agreement to, and acceptance of, the amended DPA. If you do not agree to any changes to the DPA, do not continue to use the Service

(e) Invalidity and Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision will not affect any other provision of this DPA, and al provisions not affected by such invalidity or unenforceability will remain in full force and effect.

(f) Term. The term of this DPA shall be the same as that of the Agreement.

ANNEX I
Description of Processing

Description of Processing

  1. Purpose(s) for Processing:
  2. Customer will provide Personal Data to chat4business ltd to enable chat4business ltd to provide the services contemplated under the Agreement.
  3. Method(s) of Processing:
  4. chat4business ltd will use Personal Data provided by Customer.
  5. Categories of Personal Data Processed:
  6. Name, email address, date of birth, address, phone number.