Personal Data Processing and Information Security Agreement

(Version 06/09/2024)

1. DEFINITIONS

1.1. For the purposes of this DPA:

“Personal Data”, “Special Categories of Data”, “Process/Processing”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach” and “Supervisory Authority” shall have the same meaning as (i) in Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter, “GDPR”) or (ii) in Brazilian Federal Law No. 13.709, dated August 14, 2018, the General Data Protection Law (“LGPD”), as applicable to the processing of data by Blip.

“Subprocessor” means any processor engaged by Blip, which agrees to receive from Blip, or from any other subprocessor of Blip, European or Brazilian Personal Data exclusively intended for processing activities to be carried out on behalf of Customer and in accordance with its instructions, the terms of this DPA and the terms of the written subcontract.

2. GENERAL RULES ON DATA PROCESSING

2.1. In the development of the activities related to the application of the Agreement, the Parties will observe the legal regime of protection of Personal Data, endeavoring to proceed with the Processing of Personal Data that may prove necessary, in strict and rigorous compliance with the applicable local laws, such as the GDPR and LGPD (hereinafter, the “Applicable Data Protection Legislation”), and ensuring that its employees, agents, consultants, subcontractors and/or service providers also comply with the Applicable Data Protection Legislation.

2.2. For the purposes of the Agreement, of which this DPA is an integral part, the CUSTOMER is considered a controller and BLIP is considered the processor of the Personal Data provided by the CUSTOMER and transmitted on the Blip Platform. 

2.3. The details of the particular Personal Data Processing activities to be carried out by BLIP in the name and on behalf of the CUSTOMER under this DPA, with a reference to the Sensitive Personal Data (if applicable), shall be further specified in the Agreement entered into between the Parties, which shall become an integral part of this DPA.

3. OBLIGATIONS OF THE CONTROLLER

3.1. The CONTROLLER’s obligations are:

a) to process Personal Data in accordance with the provisions of the Applicable Data Protection Legislation, and to comply with the principles set forth therein, including, without limitation, the principles of accountability, data protection by design and by default, data minimization, data integrity and confidentiality, storage limitation, accuracy, purpose limitation, lawfulness, fairness and transparency.

b) to guarantee the existence of a legal basis provided for in the Applicable Data Protection Legislation.

c) to provide instructions and rules for the processing of Personal Data by the PROCESSOR, respecting both the technical limits of the Blip Platform and those set forth in the Applicable Data Protection Legislation.

d) to manage the access of its employees, contractors or agents to the Blip Platform, observing the appropriate security rules, being responsible for all their acts, as well as requests made by them to the PROCESSOR.

e) to be responsible, if the CONTROLLER uses a third-party payment method or any other platform integrated into the Blip Platform, for sharing Personal Data, and hold the PROCESSOR harmless from any non-compliance with the Applicable Data Protection Legislation or incident involving such third parties.

f) to conduct any data protection impact assessment or regulatory consultation that may be legally required in respect of the Personal Data. 

g) to adopt the appropriate safeguards when transferring Personal Data to countries located outside the European Union. 

4. PROCESSOR’S OBLIGATIONS

4.1. The PROCESSOR’s obligations are to:

a) process Personal Data in the course and for the purposes of complying with the obligations under the Agreement, and following the CONTROLLER’s documented instructions within the technical capacity of the Blip Platform, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable laws to which the PROCESSOR is subject. In such a case, the PROCESSOR shall inform the CONTROLLER of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

b) inform the CONTROLLER about the receipt of:

  1. any instruction which, in its opinion, infringes applicable laws, including without limitation, the Applicable Data Protection Legislation; and
  2. any notice, complaint, communication or request from either the Data Subjects, or supervisory authorities in relation to any Personal Data processed in accordance with the terms of this DPA.

c) at the expense of the CONTROLLER, and taking into account the nature of the Processing, provide the CONTROLLER with cooperation and assistance in relation to any complaint, communication or request received from a Data Subject, insofar as this is possible.

d) at the expense of the CONTROLLER, and taking into account the nature of Processing and the information available to the PROCESSOR, provide the CONTROLLER with cooperation and assistance in relation to the implementation of security measures, and any data protection impact assessment or regulatory consultation that may be legally required in respect of the Personal Data.

e) make available to the CONTROLLER all the information necessary to demonstrate compliance with the obligations hereunder and allow for and contribute to audits and inspections, conducted by the CONTROLLER or another auditor mandated by the CONTROLLER, which shall be undertaken upon at least 15 (fifteen) days’ notice through questionnaires or by the PROCESSOR providing a standard security certificate following market standards. Prior to the undertaking of any audit or inspections, the CONTROLLER will execute a non-disclosure agreement and will maintain any information on the PROCESSOR obtained therefrom confidential.

f) ensure that persons authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2. The Parties agree that upon termination of this DPA, where requested in writing, the PROCESSOR shall, at the choice of the CONTROLLER, return all Personal Data and any copies thereof or securely destroy all Personal Data within thirty (30) natural days of the request, unless a law to which the PROCESSOR, or a Subprocessor, is subject prevents it from returning or destroying all or part of the Personal Data, in which case the PROCESSOR or the Subprocessor can retain such Personal Data for the period necessary to comply with such obligations, or to protect itself against legal actions.

5. PERSONAL DATA BREACH

5.1. In the event of a Personal Data Breach that affects the Personal Data processed within the scope of this DPA, the PROCESSOR shall notify the CONTROLLER in the shortest possible time from the moment of unequivocal knowledge of such Personal Data Breach and within 72 hours at the latest.

5.2. The PROCESSOR shall provide the CONTROLLER, at the expense of the CONTROLLER, with cooperation and assistance in relation to any notifications that may be required as a consequence of the Personal Data Breach to the authorities and/or the data subjects.

6. SUBPROCESSORS

6.1. The CONTROLLER acknowledges and authorizes that for the execution of this DPA, the PROCESSOR may engage subprocessors with which it may share the Personal Data received from the CONTROLLER for the sole purpose of providing the services under the Agreement. The PROCESSOR must keep an up-to-date list of all the Subprocessors and must send it to the CONTROLLER upon request.

6.2. The Subprocessors shall be subject to a written agreement which imposes similar obligations as those imposed on the PROCESSOR under this DPA.

7. INFORMATION SECURITY

7.1. The PROCESSOR shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk represented by the processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the concerned processing activities as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The abbreviated list of the security measures adopted by the PROCESSOR shall be specified in the Agreement entered into between the Parties. 

7.2. The CONTROLLER acknowledges and agrees that in order to carry out any tests and evaluations, whether automated or manual, such as (i) security, including but not limited to vulnerability analysis and/or (ii) intrusion (or Pentest) in the PROCESSOR’s products, services or infrastructure, the CONTROLLER must submit a prior reasoned request for formal written authorization from the PROCESSOR, with the PROCESSOR being entitled to deny the requested authorization if there is any risk of damage to the Platform.

7.3. If the CONTROLLER identifies, in its environment or in its interaction with the Blip Platform, any security incident that jeopardizes (i) the security, integrity and stability of the Blip Platform or (ii) any of the Services provided by the PROCESSOR or its infrastructure, such as, but not limited to, attacks involving ransomware, compromise or denial of service, the CONTROLLER shall immediately notify the PROCESSOR, with a detailed description of what happened and provide the necessary assistance in order to analyze such incident and mitigate its consequences. 

8. PROCESSING NECESSARY FOR THE IMPROVEMENT OF THE BLIP PLATFORM

8.1. The CONTROLLER authorizes the PROCESSOR to process the Personal Data necessary for the performance of the Agreement, for the design, implementation of improvements and development of the Blip Platform and the PROCESSOR’s activities, with the aim of offering the CONTROLLER’s customers an efficient, optimized and customized service and communication experience. With regard to such communication, the CONTROLLER shall:

a) When the Applicable Data Protection Legislation is the GDPR, inform the Data Subjects about the Processing of their Personal Data referred to in this paragraph in compliance with Articles 13 and 14 of the GDPR, without the PROCESSOR having to take any additional action in terms of information vis-à-vis the Data Subjects.

b) Have a valid lawful basis to transfer the Personal Data to the PROCESSOR to the extent and under the terms described in the present clause, in accordance with the provisions of articles 6 and 7 of the GDPR or articles 7 and 11 of the LGPD, whichever is applicable.

c) Cooperate in good faith and provide such reasonable assistance as PROCESSOR may require to comply with its data protection obligations under this clause. 

9. INTERNATIONAL DATA TRANSFER

9.1. This clause shall apply only in the event that the Agreement falls under the jurisdiction of the GDPR and provides for the storage of data by the PROCESSOR outside the European Economic Area (“EEA”), as set forth in the GDPR.

9.2. The Parties acknowledge that for the purpose of international transfers of personal data from the EEA to countries outside the EEA, as required by applicable data protection laws, including the General Data Protection Regulation (GDPR), the standard contractual clauses for the transfer of personal data to third countries, as published by the European Commission (available at this Link) (“Standard Contractual Clauses”), shall be incorporated into this Data Processing Agreement (DPA) as an integral part thereof.

9.3. The Parties agree to comply with and adhere to the obligations, rights, and remedies set forth in the Standard Contractual Clauses as if fully set forth herein. The Standard Contractual Clauses shall apply to any transfer of personal data from the European Union (EU) or the EEA to any third country or an international organization.

10. LIABILITY

10.1. The PROCESSOR shall only be liable for any deficiency caused by its failure to adequately perform the services in accordance with this DPA. The PROCESSOR’s total aggregate liability arising out of, or in connection with, this DPA shall not exceed 100% of the contract price under the Agreement for the last twelve (12) months.
