TransparentBusiness’ Data Processing Addendum

effective as of August 01, 2018

Processing personal data in a secure, fair, and transparent way is extremely important to us at TransparentBusiness. As part of this effort, we process personal data in accordance with the EU’s General Data Protection Regulation (“GDPR”) and applicable data privacy laws and acts of the United States of North America.

To better protect individuals’ personal data, we are providing these terms to govern the handling by TransparentBusiness of personal data (the “Data Processing Addendum” or “DPA”). This DPA amends and supplements applicable terms and policies and requires no further action on your part.

If you do not agree with any of the terms and conditions of this DPA, you should immediately discontinue any interaction with the TransparentBusiness Services and its websites.

To better understand what terms and conditions apply to the TransparentBusiness Services, kindly visit our Terms of Service, available online.

1. Definitions

Due to the importance of Data Privacy Regulations, both new and previously existing, it is of utmost importance that the parties hereto comprehend exactly what this DPA intends to protect and set out. All the parties involved herein are expected to be compliant with the laws which apply to Data Subjects in general, and to make reasonable efforts to protect the data they control and process. TransparentBusiness has set out these definitions to improve the understanding of the scope of this DPA.

“TransparentBusiness”, “we”, “us”, or “our” refers to the provider of the TransparentBusiness website and services (collectively referred to as the “TransparentBusiness Services”).

“You” or “Customer” refers to the individual or company, agent or other type of intermediaries that sign up to request and/or use the TransparentBusiness Services representing or intermediating between TransparentBusiness and their clients or service end-users.

“Controller” is given the same meaning as in the GDPR, which we summarize as the party that determines the purposes and means of the processing of personal data – the customer is the controller with respect to consumer personal data. Each party may be the controller of personal data it processes about the other’s personnel. In this case, Controller is the “Customer” of TransparentBusiness, also referred to herein as “You” and “your”.

“Processor” is the party that processes personal data on behalf of the controller – TransparentBusiness is the processor of the personal data we process about your consumers.

“Party” refers to TransparentBusiness and/or the Customer depending on the context.

“Personnel” shall be used herein to refer to individuals and/or consultants engaged by TransparentBusiness or by the Customer as an employee or independent contractors, as may be applicable, and provide services to either of the involved parties. Such Personnel may also fall under the category of Data Subjects in some cases, as their personal data may be shared between the parties or to end-users of the Customer.

“Data Subjects” refers to those individuals residing in the EU who are consumers or users of a TransparentBusiness Customer’s goods or services (also “consumers”), as well as any personnel who reside in the EU.

“Personal Data” is given the same meaning as in the GDPR which we summarize here as: any data relating directly or indirectly to an identifiable data subject. Personal data does not include any data that is anonymized, aggregated, de-identified and/or compiled on a generic basis and which does not name or identify a specific individual, directly or indirectly.

“Processing” is given the same meaning as in the GDPR, which we summarize as including: collecting, recording, using, storing, amending, adapting, disclosing, transferring or transmitting, structuring, using, combining, deleting or destroying, personal data (“Process” and “Processed” shall have similar meanings).

“Incident” means: (a) a complaint or a request with respect to the exercise of an individual’s rights under the GDPR; (b) an investigation into or seizure of the personal data by government officials, or a specific indication that such an investigation or seizure is imminent; or (c) any breach of the security and/or confidentiality as set out in this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the personal data, or any indication of such breach having taken place or being about to take place.

“End-Users” or “Clients” are the Controller’s or Customer’s users and potential Data Subjects whose personal data TransparentBusiness may process, subject to the needs and requirements of the Controller.

2. Applicability

The applicability of this DPA shall be limited to the cases where the Controller or their respective Data Subjects are based in the EEA member states or in Switzerland and where TransparentBusiness acts as the Processor of another party, which is the Controller of such data. Controller hereby accepts that any information or personal data of Controller’s Data Subjects sent to Processor which is not considered as part of the TransparentBusiness Services, and releases Processor of all liabilities for the processing of such data.

3. Covenants in relation to personal data

3.1 Both parties mutually agree that any personal data which is shared between them under the scope of this agreement shall be given treatment which is equal to the treatment given to information which is confidential or sensitive to them.

3.2 Both parties mutually agree to remain compliant with all applicable data privacy laws which apply to them and their own Data Subjects.

3.3 At all times the disclosing party shall remain the exclusive property of the party which is disclosing, and we hereby state that the Customer shall remain the controller at all times and shall have absolute authority and power over the Customer’s personal data.

3.4 TransparentBusiness is to process customer’s personal data limited to the minimum possible and what is specifically necessary for the provision of the TransparentBusiness Services, and compatible with what is set out in the Terms of Service and the Privacy and Cookie policies. Furthermore, TransparentBusiness states that:

  • I. TransparentBusiness is to maintain reasonable protection of the gathered and processed personal data and implement adequate measures and software to correctly guard such data and prevent the data from being deleted, lost, destroyed, damaged or unlawfully accessed, used or processed;
  • II. TransparentBusiness commits not to change, publish, delete, modify or disclose any data which TransparentBusiness is processing to any other third party whatsoever, unless this is specifically necessary for the provision of the services as per the Terms of Service and the Privacy and Cookie policies, and provided that such third party has a similar or higher level of compliance with applicable data privacy laws;
  • III. The disclosure of personal data to each party’s Personnel shall be kept to the minimum and only to comply with the provision of any TransparentBusiness Services;
  • IV. The only personal data which is to be processed by TransparentBusiness shall be data strictly necessary to perform any obligations under the Terms of Service or by means of a similar or deriving engagement by Customer, always compatible with any and all applicable legislation.

3.5 In case Customer decides to terminate or otherwise delete their account or to stop or cancel any pending engagement with TransparentBusiness, we shall destroy, delete or make anonymous any shared or uploaded or otherwise gathered personal data of the Customer’s clients and/or end-users. This may take approximately 90 days, depending on the situation and the termination or cancellation itself. In case the account of a Customer was terminated by us as a result of violation of the Terms of Service or other covenants, policies, treaties or agreements, TransparentBusiness shall have the sole right to keep parts of the information as may strictly be required by regulations or specific legal interest, always in strict compatibility with any applicable laws.

3.6 Both parties mutually agree and acknowledge to each other that as a result of the TransparentBusiness Services, Customer may come into possession of personal data of the Personnel of TransparentBusiness, and TransparentBusiness hereby states to have gathered all required authorizations and consents of the data subject of such personal data, as is established by applicable law, in order to disclose that personal data to Customer, and for Customer to process it.

3.7 The parties hereto agree that Customer shall take care to collect all necessary agreements, authorizations and consents for Customer to be legally able to share and disclose personal data collected of their Data Subjects for TransparentBusiness to be able to provide any TransparentBusiness Services.

3.8 Always within the limitations established by applicable law, Customer shall be the party in charge of obtaining consent of the Personal Data sent to TransparentBusiness or otherwise collected by commission by Customer, and that consent is given without limitation and within the boundaries of legality. This shall also count towards personal data collected or obtained through third parties, which are expected by TransparentBusiness to remain compliant with all legal requirements. In case any Data Subject were to withdraw or revoke their consent, Customer shall be the sole responsible party for communicating this to TransparentBusiness or to communicate any particular request under any applicable privacy data laws, and TransparentBusiness shall react within a reasonable amount of time to comply with the communicated request.

3.9 Customer states to understand that by interpretation and application of the relevant data privacy laws, Customer shall be responsible, as a Controller, for the following:

  • I. To determine the validity, legitimacy and lawfulness of processing of personal data; this shall be done by making protection impact assessments and accounting to individuals, authorities and regulators, including without limitation, any Data Protection Authorities;
  • II. Try to make sure or engage in reasonable strategies to verify parental consent when data of people under the age of sixteen (16) may be collected;
  • III. Engaging in reasonable efforts so that data subjects of the Customer’s jurisdiction (and other jurisdictions, when applicable) are sent privacy statements and notices related to their privacy rights and mechanisms which explain clearly how they can access such rights;
  • IV. Answering questions, demands, requirements and requests of data subjects regarding their data, their rights and the processing activities, including requests to change, correct or delete their data; also the right to receive a readable copy in a friendly format;
  • V. Develop and implement internal policies and measures to demonstrate that the processing and use of the data will be compatible and in accordance with this DPA;
  • VI. Sending notices to data subjects, authorities and other types of regulators about incidents that occur, and that may be required by applicable law.

3.10 It is the intention of TransparentBusiness to aid Customer by means of developing administrative, organizational and technical means to comply with any data privacy requirements and the Customer’s obligations under applicable data privacy regulations, as long as such means are reasonable and commercially possible, including the requests to Customer to comply with data subjects’ rightful requests.

3.11 TransparentBusiness is committed to grant access to Customer to reasonable information to attest to the compliance of the company’s obligations and may procure copies of previous reports to this goal, and technical accuracy regarding TransparentBusiness security measures. Audits are not an independent right held by Customer or any of its clients or end-users.

4. Description of Processing Activities

TransparentBusiness shall process the data for the Controller pursuant to the provision of the TransparentBusiness Services. The Services may require us to use the Personal Data of the data subjects of the Controller, pursuant to the Controller’s requirements, such as sending messages through emails or by other means. TransparentBusiness is to process data such as email addresses and mobile phone numbers and information relevant to the provisions of its services, such as names and other personal features.

5. Incident Management

5.1 When either party becomes aware of an incident that impacts the processing of personal data, it shall promptly notify the other about the incident and shall reasonably cooperate in order to enable the other party to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.

5.2 Both parties shall at all times have in place written procedures which enable them to promptly respond to the other about an incident. Where the incident is reasonably likely to require a data breach notification under applicable laws, the party responsible for the incident shall notify the other no later than forty-eight (48) hours after becoming aware of such incident.

5.3 Any notifications made under this section shall be made to security@transparentbusiness.com (when made to TransparentBusiness) and to our point of contact with you (when made to the customer), and shall contain: (i) a description of the nature of the incident, including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of records concerned; (ii) the name and contact details of the point of contact where more information can be obtained; (iii) a description of the likely consequences of the incident; and (iv) a description of the measures taken or proposed to be taken to address the incident including, where appropriate, measures to mitigate its possible adverse effects.

6. Security of Personal Data

The Personal Data which is being processed by TransparentBusiness is subject to reasonable security measures. These measures may vary from time to time without ever negatively impacting the security of the Personal Data. Unless obligated by law or legal authority, TransparentBusiness is committed to only allow the processing of the data of authorized personnel. No unnecessary processing or access shall be allowed by TransparentBusiness to the best of TransparentBusiness’ possibilities.

Additionally, TransparentBusiness may from time to time engage with internal and/or external auditors to revise the security measures in place to protect the Personal Data and other parts of the Services and the Website itself.

7. Transfer of Data

The Controller hereby specifically authorizes TransparentBusiness to transfer Personal Data out of the country where such data originated and was stored, to different countries not in the jurisdiction of the EU and/or EEA. We will always use servers and services which have an adequate level of protection for the transfers, always pursuant to applicable laws and regulations.

8. Liability and Indemnity

Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.

The liability of any party in breach of this DPA shall be assumed by the breaching party, unless determined differently in applicable law.

9. Duration and Termination

9.1 This DPA shall come into effect on May 25, 2018 and shall continue until it is changed or terminated in accordance with the Terms of Service.

9.2 Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.

10. Contacting us

Questions regarding this Privacy Statement or the information practices of TransparentBusiness’ Web site should be directed to TransparentBusiness Privacy by mailing TransparentBusiness Privacy, One World Trade Center, Suite 8500, New York City, NY 10007