DATA PROCESSING AGREEMENT
This Data Processing Agreement is concluded between Sightcorp B.V., a private company with limited liability established and existing under the laws of the Netherlands, having its registered office and principal place of business in (1098 XH) Amsterdam, at Science Park 400, registered with the Chamber of Commerce in the Netherlands, under number 58300880 (hereinafter referred to as “Sightcorp”), and the Customer as defined in the Agreement.
Customer and Sightcorp each a “Party” jointly referred to as “Parties”,
- Sightcorp’s activities and services include the provision of face analysis technology to customers;
- Sightcorp and Customer concluded an agreement regarding the use of Sightcorp’s services and products, of which this Data Processing Agreement is a part;
- Where the personal data processing is concerned, Customer classifies as a controller within the meaning of Section 4(7) of the General Data Protection Regulation (Algemene Verordening Gegevensbescherming) (“GDPR”) and/or a processor within the meaning of Section 4(8) GDPR;
- In the context of using the service of Customer by a client of Customer, that client decides whether, and if yes, which data are processed, for which purpose and in which way. Where the personal data processing is concerned, the client of Customer classifies as a controller within the meaning of Section 4(7) of the GDPR;
- Where the personal data processing is concerned, Sightcorp qualifies as a processor within the meaning of Section 4(8) GDPR in the event Customer qualifies as a controller and/or as a sub processor in the event Customer qualifies as a processor;
- In accordance with the provisions of Section 28(3) GDPR, Parties wish to document a number of conditions in the present Data Processing Agreement which apply to their relationship in the context of the aforesaid activities on behalf of – and for the benefit of Customer.
Declare that they have agreed as follows:
Article 1 Definitions
- In this Data Processing Agreement, capitalized words and expressions, whether in single or plural, have the meaning specified as set out below:
Annex: appendix to this Data Processing Agreement which forms an integral part of it;
Agreement: the agreement concluded between Customer and Sightcorp in respect of the use by Customer of Sightcorp’s services and products;
Data Processing Agreement: the present (sub) data processing agreement;
Personal Data: all information relating to an identified or identifiable natural person as referred to in Section 4(1) GDPR;
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, as referred to in Section 4(12) GDPR;
Process: as well as conjugations of this verb: the processing of Personal Data as referred to in Section 4(2) GDPR;
Sub Processor: the sub-contractor hired by Processor that Processes Personal Data in the context of this Data Processing Agreement on behalf of Customer, as referred to in Section 28(4) GDPR.
- The provisions of the Agreement apply in full to this Data Processing Agreement. In case provisions with regard to the Processing of Personal Data are included in the Agreement, the provisions of this Data Processing Agreement prevail.
- The provisions of this Data Processing Agreement only apply to Customers of F.A.C.E. API and/or Dashboard, and Customers to whom Sightcorp will provide support services.
Article 2 Purpose of the Personal Data Processing
2.1 Customer and Sightcorp have concluded the present Data Processing Agreement for the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of data subjects and the purposes of Processing, is included in Annex 1.
2.2 Sightcorp is solely responsible for the Processing of Personal Data under this Data Processing Agreement, in accordance with the legitimate instructions of Customer and under the express (final) responsibility of Customer. For all other Processing of Personal Data, including but not limited to the collection of Personal Data by the Customer, Processing for purposes not reported to Sightcorp by Customer, Processing by third parties and/or for other purposes, Sightcorp is not responsible or liable. Responsibility and liability for these Processing activities rest exclusively with Customer.
2.3 Customer is responsible and liable for the processing of Personal Data in relation to the Agreement and guarantees that Processing is in compliance with all applicable legislation and does not infringe any rights of third parties. Customer will indemnify and hold harmless Sightcorp against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee.
2.4 Sightcorp undertakes to Process Personal Data only for the purpose of the activities referred to in this Data Processing Agreement and/or the Agreement. Sightcorp will not use the Personal Data which it Processes under this Data Processing Agreement for its own or third-party purposes in any way without Customer’s express written consent, unless a legal provision requires Sightcorp to do so. In such case, Sightcorp shall immediately inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
Article 3 Technical and organisational security measures
3.1 Sightcorp will implement (or arrange the implementation of) appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. Sightcorp will in any case take measures to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing.
3.2 Sightcorp will provide a document which describes the appropriate technical and organizational measures to be taken by Sightcorp. This document will be attached to this Data Processing Agreement as Annex 2. Customer acknowledges having taken cognizance of the relevant measures and by signing this Data Processing Agreement, the Customer agrees with the measures taken by Sightcorp.
Article 4 Confidentiality
4.1 Sightcorp will require the employees that are involved in the execution of the Agreement to sign a confidentiality statement – whether or not included in the employment agreement with those employees – which in any case states that these employees must keep strict confidentiality regarding the Personal Data.
Article 5 Personal Data Processing outside Europe
5.1 Sightcorp will only be permitted to transfer Personal Data outside the European Economic Area if this is done in compliance with the applicable statutory obligations.
Article 6 Sub Processors
6.1 Sightcorp is entitled to outsource the implementation of the Processing on the Customer’s instructions to Sub Processors, either wholly or in part, which parties are described in Annex 3. In case Sightcorp wishes to enable other Sub Processors, Sightcorp will inform Customer of any intended changes concerning the addition or replacement of other Sub Processors. Customer will to object to such changes within 5 working days.
6.2. Where Sightcorp engages a Sub Processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in this Data Processing Agreement shall be imposed on that Sub Processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures.
Article 7 Liability
7.1 With regard to the liability and indemnification obligations of Sightcorp under this Data Processing Agreement the stipulation in the Agreement regarding the limitation of liability applies.
7.2. Without prejudice to article 7.1 of this Data Processing Agreement, Sightcorp is solely liable for damages suffered by Customer and/or third party claims as a result of any Processing, in the event the specific obligations of Sightcorp under the GDPR are not complied with or in case Sightcorp acted in violation of the legitimate instructions of the Customer.
Article 8 Personal Data Breach
8.1 Sightcorp will notify Customer without undue delay, but in any case within 24 hours, taking into account in particular the nature and gravity of the breach and its consequences and adverse effects for the data subject of a Personal Data Breach and will take all reasonable measures to prevent or limit (further) violation of the GDPR.
8.2 Sightcorp will, insofar as reasonable, provide all reasonable cooperation requested by Customer in order for Customer to comply with its legal obligations relating to the identified incident.
8.3. Sightcorp will, insofar as reasonable, assist Customer with Customer’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) GDPR. Sightcorp is never held to report a Personal Data Breach with the Data Protection Authority and/or the data subject.
8.4. Sightcorp will not be responsible and/or liable for the (timely and correct) notification obligation to the relevant supervisor and/or data subjects, as meant in Section 33 and 34 GDPR.
Article 9 Audit
9.1 When so requested by Customer, Sightcorp will enable Customer, or experts (including external experts) designated by Customer, to inspect and audit the implementation of this Data Processing and, in particular, the security measures taken by Sightcorp, at most once per calendar year, subject to a reasonable notice and with permission of Sightcorp, to adequately monitor compliance with what has been agreed between the Parties. Such an audit will at all times be carried out in a manner that has as little effect as possible on the normal business operations of Sightcorp. Customer will bear all the costs of this audit.
9.2 The audit in Article 9.1 of this Data Processing Agreement will only take place if Customer has requested and assessed similar audit reports available at Sightcorp and Customer provides reasonable arguments that justify an audit initiated by Customer. Such an audit is justified when similar audit reports present at Sightcorp give no or insufficient information about compliance with this Data Processing Agreement.
9.3 In case Sightcorp is of the opinion that an instruction relating to the provisions of this Article 9 infringes the GDPR or other applicable data protection legislation, Sightcorp will inform the Customer immediately.
9.4 Sightcorp is entitled to charge any possible costs that relate to the provisions of this Article 9 to Customer.
Article 10 Cooperation
10.1 Sightcorp will, taking into account the nature of the Processing and insofar as reasonably possible, provide all reasonable cooperation to Customer in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of data subjects, in particular the right of access (Section 15 GDPR), rectification (Section 16 GDPR), erasure (Section 17 GDPR), restriction (Section 18 GDPR), data portability (Section 20 GDPR) and the right to object (Section 21 and 22 GDPR). Sightcorp will forward a complaint or request from a data subject with regard to the Processing of Personal Data to the Customer as soon as possible, as Customer is responsible for handling the request.
10.2. Sightcorp will, taking into account the nature of Processing, the information available to Sightcorp and insofar as reasonably possible, provide all reasonable cooperation to Customer in fulfilling its obligation pursuant to the GDPR to carry out a data protection impact assessment (Section 35 and 36 GDPR).
10.3 Sightcorp is entitled to charge any costs associated with the cooperation as referred to in this Article 10 to Customer.
Article 11 Termination and miscellaneous
10.1 With regard to the termination under this Data Processing Agreement the specific provisions of the Agreement apply. Without prejudice to the specific provisions of the Agreement, Sightcorp will, at the first request of Customer, delete or return all the Personal Data, and delete all existing copies, unless Sightcorp is legally required to store (part of) the Personal Data.
10.2. Customer will adequately inform Sightcorp about the (statutory) retention periods that apply to the Processing of Personal Data by Sightcorp.
10.3. The obligations laid down in this Data Processing Agreement which, by their nature, are designed to continue after termination will remain in force also after the termination of this Data Processing Agreement.
10.4. The choice of law and competent court comply with the applicable provisions of the Agreement.
ANNEX 1 OVERVIEW PERSONAL DATA
Subject matter and duration of the Processing of Company Personal Data
- The subject matter and duration of the Processing of the Personal Data are set out in the Agreement and this Data Processing Agreement.
The categories of Personal Data
- Facial features (such as eye locations, face rotation, age, gender, mood, facial expressions, attention span, clothing colours).
The categories of Data Subject to whom the Personal Data relates
- Client of Customer, visitors, passers-by
The nature and purpose of the Processing of Personal Data
- Applies only to Customers to whom Sightcorp will provide support related to Crowdsight Toolkit: Providing support with regard to CrowdSight Toolkit with which Customer obtains real-time insights into audience’s spontaneous behaviour, interest, and demographic profile.
- Applies only to Customers to whom Sightcorp will provide support related to Crowdsight SDK: Providing support with regard to Crowdsight SDK with which Customer tracks multiple people at once and at a far distance, in different real-life environments to analyse the demographical profiles of the shopping audience and the converted customer.
- Applies only to F.A.C.E. API Customers: Using face analysis functionalities in an online application to get access to face information present in images (F.A.C.E. API)
- Applies only to Customers of Dashboard: Transforming analysed data about viewer engagement, attention, mood and audience demographics into graphs and charts to get insights on the audience’s mood and engagement response (Dashboard)
The obligations and rights of Customer
- The obligations and rights of Customer are set out in the Agreement and this Data Processing Agreement.
ANNEX 2 SPECIFICATION OF THE SECURITY MEASURES
[Please specify Sightcorp’s security measures ]
ANNEX 3 OVERVIEW SUB PROCESSORS
|Amazon Web Services, Inc||EU||Data processing agreement (art. 28(3) GDPR)|
* possible appropriate safeguards in accordance with the GDPR are:
- data processing agreement (art. 28(3) GDPR), in the event the sub processor is located in the EEA.
- transfers on the basis of an adequacy decision of the European Commission (art. 45 GDPR);
- transfers to organisations that are certified under the EU-US Privacy Shield;
- binding corporate rules (art. 46 and 47 GDPR);
- standard data protection clauses adopted by the European Commission (art. 46 GDPR);
Please include the relevant security policy