Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA"), forms part of the Global Canine Registry Terms of Service between Global Canine Registry, LLC. ("GCR") and the undersigned customer of GCR ("Customer") and shall be effective on the date Customer accepts this DPA ("Effective Date"). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

1. Definitions

"Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with GCR.

"Agreement" means GCR's Global Canine Registry Terms of Service or any other document which govern the provision of the Services to Customer, as such terms may be updated by GCR from time to time.

"Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" shall be construed accordingly.

"Customer Data" means any Personal Data that originates from the EEA and/or that is otherwise subject to Data Protection Laws, which GCR Processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.

"Data Breach" means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data Processed by GCR or a Sub-processor.

"Data Controller" means an entity that determines the purposes and means of the Processing of Personal Data.

"Data Processor" means an entity that Processes Personal Data on behalf of a Data Controller.

"Data Protection Laws" means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including, where applicable, GDPR.

"EEA" means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.

"GDPR" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and any Member State law implementing the same.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" has the meaning given to it in the GDPR and "process", "processes" and "processed" shall be interpreted accordingly.

"Services" means any product or service provided by GCR to Customer pursuant to the Agreement.

"Standard Contractual Clauses" means the contractual language approved by 2010/87/EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593).

"Sub-processor" means any Data Processor engaged by GCR to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates.

2. Relationship with the Agreement

2.1 The parties agree that DPA shall replace any existing DPA or other contractual provisions pertaining to the subject matter contained herein the parties may have previously entered into in connection with the Services.

2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

2.4 Any claims against GCR or its Affiliates regarding matters addressed by this DPA shall be brought solely against the entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise. Customer shall indemnify GCR or its Affiliates, as applicable against any and all such claims or costs of any kind that exceed the exclusions and limitations set forth in the Agreement.

2.5 Except as may be otherwise provided pursuant to GCR's compliance with applicable data transfer mechanisms addressed in Section 6, no one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

3. Roles and Scope of Processing

3.1 Role of the Parties. As between GCR and Customer, Customer is the Data Controller of Customer Data, and GCR is the Processor of Customer Data. GCR shall Process Customer Data only as a Data Processor acting at Customer's direction.

3.2. Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its Processing of Customer Data and any Processing instructions it issues to GCR; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for GCR to Process Customer Data and provide the Services pursuant to the Agreement and this DPA.

3.3 GCR Processing of Customer Data. GCR shall Process Customer Data only for the purposes described in this DPA or in accordance with Customer's documented lawful instructions. Customer acknowledges that GCR shall have a right to Process Customer Data in order to provide Services to Customer, fulfill its obligations under the Agreement and this DPA, and for legitimate purposes relating to the operation, support and/or use of the Services such as billing, account management, technical support, product development, and sales and marketing.

3.4 Tracking Technologies. Customer acknowledges that in connection with the performance of the Services, GCR may employ the use of cookies, unique identifiers, web beacons and similar tracking technologies. Customer shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as required by Data Protection Laws, including Directive 2002/58/EC and applicable national implementations, as may be amended, superseded or replaced, to enable GCR to deploy these technologies lawfully on, and collect data from, the devices of individuals accessing and/or using the Services or who otherwise engage with or communicate via the Services in accordance with and as described in the GCR's privacy policy or similar, applicable privacy statements.

4. Sub-processing

4.1 Authorized Sub-processors. Customer agrees that this DPA constitutes Customer's written authorization for GCR to engage Sub-processors to Process Customer Data on Customer's behalf. The Sub-processors currently engaged by GCR and authorized by Customer will be provided to Customer by GCR. GCR shall notify Customer in writing if it intends to add or replace Sub-processors. Customer may object in writing within five (5) calendar days of such notice, provided that such objection is based on reasonable, documented grounds relating to data protection. Customer's failure to timely respond or to document the basis of the objection will constitute Customer's authorization of the proposed changes. In the event of a timely, reasonable and documented objection, the parties shall discuss Customer's concerns in good faith with a view to achieving resolution.

4.2 Sub-processor Obligations. GCR shall: (i) take commercially reasonable measures to ensure that Sub-processors have the requisite capabilities to Process Customer Data in accordance with this DPA; (ii) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (iii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause GCR to breach any of its obligations under this DPA.

5. Security

5.1 Security Measures. GCR shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Data from Data Breaches, to help ensure the ongoing confidentiality, integrity, and availability of the Customer Data and Processing systems, in accordance with GCR's security standards. The specific security measures applicable to Customer Data, regardless of the transfer mechanism relied upon as provided by Section 6, are further described in Appendix 2 (all collectively "Security Measures").

5.2 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that GCR may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

5.3 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.

5.4 Confidentiality of Data Processing. GCR shall ensure that any person who is authorized by GCR to Process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

5.5 Data Breach Response. GCR shall notify Customer without undue delay and, where feasible, no later than 48 hours after becoming aware, of any Data Breach. GCR shall make reasonable efforts to identify the cause of the Data Breach and shall undertake such steps as GCR deems necessary and reasonable in order to remediate the cause of such Data Breach. GCR shall provide information related to the Data Breach to Customer in a timely fashion and as reasonably necessary for Customer to maintain compliance with Data Protection Laws. The obligations herein shall not apply to incidents that are caused by Customer, including Customer's employees or agents.

5.6 Reports and Audits. Customer acknowledges that GCR is regularly audited against SSAE 16 or its successor standards by independent third party auditors and internal auditors, respectively. Upon request, GCR shall supply (on a confidential basis) a summary copy of its audit report(s) ("Report") to Customer, so that Customer can verify GCR's compliance with the audit standards against which it has been assessed, and this DPA.]

6. International Transfers

6.1 Data Transfers. GCR may Process Customer Data anywhere in the world where GCR or its Sub-processors maintain data Processing operations. GCR shall at all times provide an adequate level of protection for the Customer Data Processed, in accordance with the requirements of Data Protection Laws. The parties agree that this DPA and the data transfer methods required by this Section 6 constitute appropriate safeguards to transfer Customer Data to a third country pursuant to Article 46 of GDPR.

7. Return or Deletion of Data.

Upon termination or expiration of the Agreement, GCR shall (at Customer's election) delete or return, if feasible, to Customer all Customer Data remaining in its possession or control, save that this requirement shall not apply: (i) to the extent GCR is required by applicable law to retain some or all of the Customer Data; (ii) if GCR is reasonably required to retain some or all of the Customer Data for limited operational and compliance purposes; or (iii) to Customer Data GCR has archived on back-up systems. In all such cases, GCR shall maintain the Customer Data securely and protect from any further Processing. The terms of this DPA shall survive for so long as GCR continues to retain any Customer Data.

8. Cooperation

8.1 Data Protection Authority Inquiries. GCR shall (at Customer's expense) provide commercially reasonable cooperation to assist Customer in its response to any requests from data protection authorities with authority relating to the Processing of Personal Data under the Agreement and this DPA. In the event that any such request is made directly to GCR, GCR shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If GCR is required to respond to such a request, GCR shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

8.2 Individual Rights and Requests. To the extent Customer does not have the ability to independently correct, amend, or delete Customer Data, or block or restrict Processing of Customer Data, then at Customer's written direction and to the extent required by Data Protection Laws, GCR shall comply with any commercially reasonable request by Customer to facilitate such actions. To the extent legally permitted, Customer shall be responsible for any costs arising from GCR's or its Sub-processors' provision of such assistance. GCR shall, to the extent legally permitted, promptly notify Customer if it receives a request from an individual data subject for access to, correction, amendment or deletion of that person's Personal Data, or a request to restrict Processing. GCR shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a data subject's request, to the extent legally permitted and to the extent Customer does not have the ability to address the request independently. To the extent legally permitted, Customer shall be responsible for any costs arising from GCR's provision of such assistance.

8.3 Assessments and Data Protection Impact Assessments. GCR shall provide written responses (on a confidential basis) to all commercially reasonable requests for information made by Customer regarding Processing of Customer Data, including responses to information security reviews, that are reasonably necessary to confirm GCR's compliance with this DPA. Customer shall not exercise this right more than once per year, including with respect to any support required to perform a data protection impact assessment.

8.4 Law Enforcement Requests. If a law enforcement agency sends GCR a demand for Customer Data (for example, through a subpoena or court order), GCR may attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, GCR may provide Customer's basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then GCR shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless GCR is legally prohibited from doing so.

Appendix 1 to the Standard Contractual Clauses

Data exporter

The data exporter is: Customer, which purchases services from GCR pursuant to the Agreement and authorizes GCR to Process Customer Data for purposes of providing the services.

Data importer

The data importer is: GCR, which Processes Customer Data upon the instruction of the data exporter in accordance with the terms of the Agreement and the DPA.

Data subjects

The personal data transferred concern the following categories of data subjects: The data exporter may transmit Customer Data using GCR's service, and the extent of this transmittal is determined by data exporter in its sole discretion such that data subjects may include, but may not be limited to, natural persons who are prospective customers, customers, resellers, referrers, business partners, vendors, employees, contractors, agents, or advisors of data exporter, or natural persons authorized to use the services by data exporter.

Categories of data

The personal data transferred concern the following categories of data: The data exporter may transmit Customer Data using GCR's service, and the extent of this transmittal is determined by data exporter in its sole discretion such that categories of data may include, but may not be limited to, names, titles, position, employer, contact information (email, phone, fax, physical address, etc.), and data indicating geographic location (e.g., IP address).

Special categories of data

The personal data transferred concern the following special categories of data: The data exporter may transmit Customer Data using GCR's service, and the extent of this transmittal is determined by data exporter in its sole discretion such that sensitive personal data may be included, such as racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, and data concerning a person's health or sex life.

Processing operations

The personal data transferred will be subject to the following basic processing activities: Processing will be undertaken to the extent necessary for GCR to provide services to data exporter and as otherwise authorized by the Agreement or the DPA.

Appendix 2 to the Standard Contractual Clauses

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c): GCR has implemented and shall maintain a security program that includes appropriate administrative, physical, and technical safeguards designed to protect Customer Data from Data Breaches and to help ensure the ongoing confidentiality, integrity, and availability of the Customer Data and Processing systems. These safeguards include:

  • Authentication measures, including secure methods of assigning, selecting, and storing access credentials, measures designed to restrict access to active users, and blocking access after a reasonable number of failed authentication attempts.

  • Secure access controls, including measures designed to limit access to personal information based on need-to-know, supported by appropriate policies, procedures and controls to facilitate access authorization, establishment, modification, and termination.

  • Use of appropriate encryption technologies.

  • Appropriate monitoring systems and other technical security measures intended to prevent and detect security breaches such as firewall protection, antivirus protection, security patch management, logging of access to or disclosure of personal information, and intrusion detection.

  • Appropriate physical security to safeguard facilities and records containing personal information from unauthorized physical access, tampering or theft, such as facility access controls.

  • Training and awareness programs designed to ensure workforce members are aware of and adhere to the security procedures and practices.

  • Data back-up and disaster recovery procedures intended to permit continued provision of service in an emergency or disaster.

  • Periodic assessment of threats and vulnerabilities to personal information and the effectiveness of the security procedures and practices implemented to comply with GDPR.