This Data Processing Agreement (hereinafter, the “DPA”) is entered into by and between Sonalife Limited (hereinafter, “Sonalife” or the “Company”) and the party that electronically accepts or otherwise agrees or opts-in to this DPA, for instance by signing an order form (the “Customer”), it being specified that using the Sonalife Connect platform (hereafter the “Platform”) constitutes acceptance of this DPA.
In the context of EU Regulation 2016/679 (GDPR), the present DPA aims to determine the rights and obligations of the Parties, as defined by the Data Protection Legislation, as defined herein.
It is expressly understood that the present DPA forms an integral part of the contract regarding the provision of the Platform (hereafter, the “Contract”).
ARTICLE 1 – DEFINITIONS
The terms used in the present DPA and having a capital first letter, whether singular or plural, shall have the following meaning:
“Personal Data”: means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Data Subject”: means an individual who is the subject of Personal Data.
“Data Protection Legislation“: means the GDPR as well as any legislation and/or regulation implementing or created pursuant to the GDPR and the e-Privacy Legislation, or which amends, replaces, re-enacts or consolidates any of them, and all other national applicable laws relating to processing of personal data and privacy that may exist under applicable law.
“GDPR“: (the General Data Protection Regulation): means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and its European and national implementing laws.
“User”: means any Administrator or End-User.
“Customer Contact Email”: means the address email of the Customer that is communicated to Sonalife for the purpose of notifying relevant information regarding the Processing carried out by the Sonalife.
ARTICLE 2 – PROCESSING OF DATA
The Data is collected and processed as follows:
2.1 The Personal Data of Users
The Customer acknowledges that it determines the means and purpose of the processing of Personal Data in accordance with the applicable Data Protection Legislation. Accordingly the Users’ Personal Data which is processed through the use of the Platform, and the collection thereof, is the sole responsibility of the Customer.
2.2 The processing of Users’ Personal Data by Sonalife
The Customer is informed that its User’s Personal Data is processed by Sonalife for the sole purpose of executing the Contract and for the provision of the Platform. The Customer acknowledges that if the Customer or its Users do not provide the required Personal Data, the Customer and its Users may not be able to utilise the full functionality of the Platform.
The Customer is informed that Sonalife carries out statistical analyses, as well as measurements of audience, visits, and effective uses of the Platform, but only after anonymising the Users’ Personal Data (“Aggregated Data”). This Aggregated Data will be used by Sonalife to optimise and improve the Platform. The Customer guarantees to accurately describe this use of Personal Data by Sonalife to the Users of the Platform.
2.3 The Obligations of the Customer as data controller
For purposes of this DPA the Customer (and any of its Affiliates permitted to use the Platform), is the data controller. Customer shall at all times be liable for its Affiliates’ compliance with this DPA and all acts and omissions by a Customer Affiliate are considered acts and omissions of Customer. Customer acknowledges Sonalife is reliant on Customer’s representations regarding the extent to which Customer is entitled to Process Personal Data.
As data controller, the Customer explicitly agrees that it shall:
(i) Have a valid legal basis to collect and process Users’ Personal Data prior to transferring to Sonalife.
(ii) Collect the Users’ Personal Data only for specified, explicit and legitimate purposes and not further process or collect in a manner that is incompatible with those purposes;
(iii) Keep a record of the processing of Personal Data carried out through the Platform;
(iv) Put in place all necessary and appropriate technical and organisational measures in order to ensure the safety of the processing that is carried out, and to guarantee the protection of the rights of the persons concerned by the processing and meet the requirements of the Data Protection Legislation;
(viii) Guarantee all rights regarding the access, portability, erasure, rectification, opposition, and limitation of the Personal Data of the Users collected during the use of the Platform; if the Customer requires Sonalife’s assistance to do so, the Customer commits to notify Sonalife of any request to exercise any of the above mentioned rights without delay;
(ix) Notify Sonalife and the appropriate supervisory authority of any known or suspected security breach within 48 hours after becoming aware of the breach;
In the event that the Customer collects Personal Data directly from the Users, the Customer, as data controller, commits to providing the Users with the following information:
(i) The information regarding the identity of the Customer;
(ii) The purpose of the Personal Data processing;
(iii) The recipient of the Personal Data: Sonalife, as well as its sub-processors;
(iv) The Personal Data conservation period
(v) The existence of their rights regarding the access, rectification, erasure and portability of the Personal Data, or any limitation or opposition to the processing of such data;
(vi) Where applicable, the right to withdraw their consent regarding the processing;
(vii) The right for the Users to lodge a complaint with the competent supervisory authority, if they consider that their rights have not been respected;
Customer is solely responsible for determining the adequacy of the security measures within the Platform in relation to the Personal Data Processed and the nature thereof, including performing any data protection impact assessments.
Customer represents and warrants that it has collected all necessary consents and authorisations from the Users in order for Sonalife to process User Personal Data in order to provide the services set out in the Contract.
The Customer agreed to communicate the Customer Contact Email to Sonalife.
2.4 Obligations of Sonalife as data processor
For the purposes of this DPA Sonalife is the data processor. Customer appoints Sonalife to process Personal Data on behalf of Customer as described in the Contract and in accordance with the documented data processing instructions issued in accordance with this DPA (“Instructions). Sonalife shall only process Personal Data in accordance with Customer’s Instructions and to the extent necessary for providing the Platform as described in the Contract. Customer may submit Personal Data to the Platform, the extent of which is determined and controlled by Customer in its sole discretion and is further described in Annex 1.
2.5 Data breach
Sonalife shall ensure that technical measures are in place enabling the detection of personal data breaches (as defined by the GDPR) and for the Customer to be informed of breaches within a reasonable timeframe.
In the event a personal data breach occurs or has occurred, Sonalife shall notify the Customer by email without undue delay upon becoming aware of the breach, using the Customer Contact Email.
Without prejudice to the legal obligations of Sonalife, the Customer shall be responsible for the notification of the breach to the competent authority(ies) and/or the affected individuals. Sonalife shall assist the Customer with the notification of the breach to the competent authority(ies) and/or the affected individuals. Sonalife shall treat all questions/requests of the Customer concerning the breach as a priority.
In the event of a breach, Sonalife shall take all measures reasonably possible, given the circumstances, to limit the negative impact of the breach as much as possible.
2.6 Appropriate technical and organisational measures
At the outset of the Processing, Sonalife has ensured the appropriate technical and organisational measures in relation to the security of the processing, as well as the respect of the rights of the persons involved and the requirements of the GDPR. Without prejudice to Customer’s obligation to determine the adequacy of the security measures under Section 2.3 above, Sonalife shall maintain appropriate technical and organisational safeguards to protect the security, confidentiality, and integrity of Personal Data, as described in the Contract. Such measures are designed to protect Personal Data from loss, alteration, unauthorised access, acquisition, use, disclosure, or accidental or unlawful destruction.
2.7 Sub-processors of Sonalife
The Customer hereby consents to the Processing of Personal Data by the sub-processors listed at https://sonalife.ie/privacy-policy/.
The Customer gives a general authorisation to Sonalife to make any modification, change, addition or replacement of these sub-processors, in which case Sonalife will notify the Customer of this modification, change, addition or replacement, using the Customer Contact Email. Sonalife shall use best efforts to ensure such sub-processor has entered into a written agreement requiring the sub-processor abide by terms no less protective than those provided in this DPA.
The Customer has 10 days from the notification date to object this change, in which case Sonalife will, at its choice:
• select another sub-processor; or
• refrain from modifying, changing, adding or replacing the sub-processor;
• maintain the modification, change, addition or replacement, in which case the Customer may terminate the Contract with 30 days’ notice, without further liability to either party. In such case, this termination will not have the effects of a “Termination for Cause” as set forth in Section 11 of the Contract.
Each sub-processor is contractually subject to obligations no less protective than those Sonalife is subject to toward the Customer under this DPA.
2.8 International Personal Data transfer
Sonalife may not transfer any Personal Data outside the EEA unless one of the following conditions is fulfilled:
• The country the Personal Data is transferred to is recognised by the European Commission as ensuring an adequate level of personal data protection; or
• Where required under Data Protection Laws, Sonalife shall require sub-processors to abide by (a) the Standard Contractual Clauses for data processors established in third countries; or (b) another lawful mechanism for the transfer of Personal Data as approved by the European Commission.
2.9 Personal Data Retention period
Sonalife hereby informs the Customer that it deletes the Personal Data of the Users in line with the GDPR following the termination of the Contract, notwithstanding any deletion request directly from Users. Upon formal written request within 30 days from the end of the contractual relationship, with acknowledgement of receipt, Sonalife commits to return or delete as requested, all Personal Data belonging to the Customer that remains in possession of Sonalife in accordance with the terms of this DPA in a standard format within a reasonable time following such request.
2.10 The Customer’s responsibility
The Customer remains solely responsible for the Personal Data it collects and Processes as data controller, and for the Processing carried out during the use of the Platform. The Customer commits to proceed with the collection and the processing of the Users’ Personal Data in accordance with the Data Protection Legislation.
The Customer acknowledges that certain categories of Personal Data so called, “sensitive” Persoanl Data, pursuant to the Data Protection Legislation, cannot be collected or processed without the prior explicit consent of the data subjects, or any other formality provided for by the applicable Data Protection Legislation (authorisation request, impact assessment, etc.). The Customer commits to never collect or process sensitive Personal Data outside of what is permitted by Data Protection Legislation. Accordingly, Sonalife disclaims any liability regarding the collection or processing of sensitive Personal Data. The Customer acknowledges and agrees that any potential sensitive Personal Data is subject to the same technical and organisational security measures as those Sonalife ensures for non-sensitive Personal Data.
Sonalife, as data processor, disclaims any liability regarding the quality, accuracy, relevance, and the legality of the Personal Data. Except as provided herein, Sonalife cannot be held liable in the event that collection or Processing of Personal Data is not in accordance with Data Protection Legislation.
The Customer defends and indemnifies Sonalife and its licensors, against any and all harm incurred to Sonalife as a result of any action of a User or any third party in relation to any of Customers commitments or responsibilities in this Section 2.10 and/or any violation of any of Customer’s obligations as data controller pursuant to this DPA or the Data Protection Legislation.
ANNEX 1. OVERVIEW OF PERSONAL DATA PROCESSING
A. Duration of the Processing
For the duration of the contractual relationship between the Parties, including the period covering the Data Retention clause of the Contract.
B. Nature and purpose of the Processing
Personal Data will be processed for all purposes necessary for providing the services set out and otherwise agreed to in the Contract.
C. Type of Personal Data Processed
Personal identification data (first name, last name, gender, ID/profile photograph, date of birth, language spoken, nationality, email, phone, address);
• Electronic identification data (IP addresses, cookies);
• Academic curriculum and results;
• Professional experience;
• Current job;
• Professional qualifications and certificates;
• Hobbies and areas of interest;
• Location data;
• More generally, any personal information submitted or posted by a User
D. Categories of Data Subjects
Controller’s Users including but not necessarily limited to Controller’s community members, employees, contractors, collaborators, customers, prospects, suppliers and sub-processors.