This Global Data Processing Addendum (“Addendum”), effective as of the Addendum Effective Date (as defined below), specifically amends the global data protection obligations of GumGum, Inc. (“GumGum”) as a Service Provider to the business or entity (herein referred to as “Customer”) to whom GumGum has entered into a Services Agreement (the “Main Agreement”), whereby GumGum processes Customer’s Personal Information. This Addendum is between GumGum and the Customer entity that either subscribed to GumGum’s Terms of Use or if applicable, as identified on the signature page below, on its behalf and on behalf of Customer Affiliates (as defined below).
This Addendum applies to the Processing of Personal Information carried out by GumGum in connection with GumGum’s services (the “Services”) provided to Customer and its applicable Affiliates and shall survive the termination or expiration of the Main Agreement for so long as GumGum or its subcontractors Process the Personal Data.
1. 優先順位と解釈
本補足契約およびその付属書類の条項が、本契約またはそれに付随するデータ保護に関する補足契約の他の条項と矛盾する場合、当事者は、各当事者が適用法に基づきその義務を履行できるよう、本補足契約、その付属書類、および本契約の条項を解釈することを意図する。
2. 処理の範囲および目的;保存期間
GumGum will Process all Personal Data solely to fulfill its obligations to Customer under the Main Agreement, including this Addendum, and on Customer’s behalf, and for no other purposes, unless otherwise required by Applicable Data Protection Laws to which GumGum is subject. In such case, GumGum will inform Customer of that legal requirement before Processing, unless that law prohibits Customer from providing such information on important grounds of public interest within the meaning of Applicable Data Protection Laws.
Without limiting the foregoing, Customer directs GumGum to Process Personal Data in accordance with Customer’s written instructions, as may be provided by Customer to GumGum from time to time, and in the following manner:
Subject matter, nature, and purpose of Processing- GumGum will process data solely to provide Customer with services and to fulfill its purposes under the Main Agreement, which may include any lawful processing or business purposes as provided for under Applicable Data Protection Laws.
Categories of Personal Data typically subject to Processing under the Main Agreement- All types of Personal Data, except for special categories of data, as that term is defined under the GDPR. Customer represents and warrants to GumGum that Customer shall not transfer or otherwise provide to GumGum any Personal Data that may constitute special categories of personal data.
Typical categories of Data Subjects- As set forth in Appendix 2 (download here).
Anticipated duration of Processing- For the term of the Main Agreement or to the extent that GumGum continues to Process Personal Data, whichever is longer.
GumGum will not:
主契約で許可されている場合を除き、いかなる目的であれ個人データを販売すること。本項において、「販売」とは、CCPAに規定される意味を有するものとします。
Process Personal Data for any purpose other than for the specific purposes set forth herein. For the avoidance of doubt, GumGum will not Process Personal Data outside of the direct business relationship between Customer and GumGum.
Attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without the express authorization of Customer.
Information that has been de-identified is not Personal Data. GumGum may de-identify Personal Data only if it:
- 当該情報に関連する可能性のあるデータ主体を再特定できないよう、技術的な安全措置を講じている;
- 当該情報の再識別を明確に禁止する業務プロセスを導入しており、かつ;および
- 当該情報の再特定を試みることは一切ありません。
3. GumGum’s Compliance with Laws
GumGum will only Process Personal Data as set forth in this Addendum and in compliance with Applicable Data Protection Laws.
GumGum hereby certifies that it understands its restrictions and obligations set forth in this Addendum and will comply with them.
4. Personal Data Processing Requirements
GumGum will:
- Ensure that the persons it authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and that such persons are aware of the procedures that GumGum has put in place and receive appropriate training on data protection and security.
- Upon written request of Customer, assist Customer in the fulfillment of Customer’s obligations to respond to verifiable requests by Data Subjects (or their representatives) for exercising their rights under Data Privacy Laws, such as rights to access or delete Personal Data.
- Promptly notify Customer of (i) any third-party or Data Subject requests or complaints regarding the Processing of Personal Data or (ii) any government or Data Subject requests for access to or information about GumGum’s Processing of Personal Data on Customer’s behalf, unless prohibited by Data Privacy Laws. If GumGum receives a third-party, Data Subject, or governmental request, GumGum will await written instructions from Customer on how, if at all, to assist in responding to the request. GumGum will provide Customer with reasonable cooperation and assistance in relation to any such request.
- Provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of Processing or proposed Processing of Personal Data.
- Provide reasonable assistance to and cooperation with Customer for Customer’s consultation with regulatory authorities in relation to the Processing or proposed Processing of Personal Data, including complying with any obligation applicable to GumGum under Data Privacy Laws to consult with a regulatory authority in relation to GumGum’s Processing or proposed Processing of Personal Data.
5. セキュリティ対策およびインシデント報告;監査権限
Security Safeguards. GumGum will implement and maintain appropriate administrative, technical, physical, and organizational measures to protect Personal Data to assure the following:
- GumGum will comply with the obligations related to security breach that is directly applicable to it under data privacy laws. GumGum will implement and maintain technical and organizational security measures to adequately protect each Customer Affiliate’s Personal Information against the risks inherent in the (a) Processing of Personal Information for the purposes identified in the Main Agreement, and (b) unauthorized or unlawful Processing and destruction, damage, misuse and loss. GumGum will implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information it Processes.
- GumGum shall assist Customer in response to requests from data protection authorities relating to the Processing of Personal Information in connection with the Main Agreement. In the event that any such request is made directly to GumGum, GumGum shall not respond to such communication directly without the Customer’s prior authorization, unless legally compelled to do so. If GumGum is required to respond to such a request, GumGum shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
- GumGum will promptly and without undue delay and in any case no later than twenty-four (24) hours after becoming aware, inform Customer in the event of: (a) any serious interruption of GumGum’s Processing operations; (b) any unauthorized acquisition, loss, access, or use of Personal Information; or (c) any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosures of, or access to Personal Information (altogether, a “Security Incident”).
Audits. Without prejudice to the Main Agreement, GumGum will provide and make available to Customer such information and assistance as may be required to facilitate audits, and any other information necessary to complete a data protection impact assessment or confirm compliance with any provision of this Addendum, the Main Agreement and all Applicable Data Protection. For the avoidance of doubt, this provision will not require GumGum to provide Customer with access to the confidential information of GumGum’s other customers or other confidential or proprietary information belonging to GumGum.
6. データの削除
Upon termination or expiration of the Main Agreement, at Customer’s request or as pursuant to Applicable Data Protection Laws, GumGum shall return to Customer a complete copy of the Personal Information it Processed in connection with the Main Agreement, in a form and format reasonably agreed upon by the parties. Following Customer’s confirmation that it received this copy, GumGum shall securely dispose of all Personal Information remaining in its possession or control.
7. 下請業者
Customer acknowledges and agrees that GumGum may use GumGum Affiliates and/or subcontractors to Process Personal Data in accordance with the provisions within this Addendum and Applicable Data Protection Laws. GumGum shall provide Customer with a current list of subcontractors upon Customer’s request.
Where GumGum sub-contracts any of its rights or obligations concerning Personal Data, including to any affiliate, GumGum will (i) take steps to select and retain subcontractors that are capable of maintaining appropriate privacy and security measures to protect Personal Data consistent with Applicable Data Protection Laws, and (ii) enter into a written agreement with each subcontractor that imposes obligations on the subcontractor that are no less restrictive than those imposed on GumGum under this Addendum.
8. 補償
In addition to any indemnity obligations of GumGum pursuant to the Main Agreement, GumGum shall be liable for and shall indemnify Customer against any and all claims, actions, liabilities, losses, damages and expenses (including legal expenses) incurred by the Customer resulting from a violation of this Addendum directly by GumGum or GumGum’s subcontractors and assignees, including without limitation those arising out of any third-party demand, claim or action, including by a data protection authority, or any material breach of contract, negligence, fraud, willful misconduct, breach of statutory duty or non-compliance with any applicable data protection laws and regulations by GumGum. For the avoidance of doubt, the parties acknowledge and agree that the terms of this indemnification provision do not supersede, but rather are in addition to and are in no way inconsistent with any indemnification provision of the Main Agreement.
9. 責任の制限
GumGum’s liability arising out of or related to this Addendum is subject to the provisions on limitation of liability stated in the Main Agreement. In addition, Customer is responsible for its own liability and obligations of compliance with respect to all Applicable Data Protection Laws, and GumGum bears no liability for Customer’s breach with these laws, except as set forth in this Addendum.
10. 準拠法
Unless otherwise required by the Standard Contractual Clauses as defined under GDPR, or other data transfer requirements, this Addendum will be subject to the governing law identified in the Agreement without giving effect to conflict of laws principles.
11. 定義
「付則の発効日」とは 、2020年1月1日、または本契約に定められた発効日のうち、いずれか遅い方を指す 。
“Affiliates” means a company, person, or entity that is owned or controlled by or is under common ownership or control with a party.
Ownership shall mean direct or indirect ownership of more than 50% of the shares in a company or entity, and control shall mean any power to appoint persons to the board of directors of a company or entity.
「適用されるデータ保護法」とは 、個人データの処理およびプライバシーに関連する、あらゆる関連法域における適用されるすべてのデータ保護法および規制を意味し、 これには、カリフォルニア州下院の議会法案第375号(民法第3編第4部に関連するプライバシーに関する第1.81.5編 (第1798.100条から始まる)を追加する法案、および2018年6月28日にカリフォルニア州知事により承認された、プライバシーに関する民法第3編第4部に追加された条項を含むが、これらに限定されない。 (カリフォルニア州消費者プライバシー法、「CCPA」)、および個人データの処理および当該データの自由な移動に関する自然人の保護に関する欧州議会および理事会規則2016/679(一般データ保護規則、「GDPR」)を含みますが、これらに限定されません。
「データ管理者(以下「管理者」という)」とは、(a) 単独または他者と共同して、個人情報の処理の目的および手段を決定する個人または団体、または (b) CCPAで定義される「対象事業者」をいう。
「データ処理者」または「処理者」とは 、データ管理者に代わって個人情報を処理する個人または法人をいう 。
「データ主体」とは、 (a) 欧州経済領域(「EEA」)に所在する、またはその権利がGDPRによって保護されている、特定された、または特定可能な自然人、(b) CCPAで定義される「消費者」、または(c) 関連するデータ保護法の適用対象となることを意図された、その他の保護対象分類に該当する個人をいう 。
“Personal Data” or “Personal Information” shall mean (a) any information relating to an identified or identifiable natural person and (b) any information defined as “personally identifiable information,” “personal information,” “personal data,” or similar terms as defined under applicable laws or regulations, limited to that Personal Information GumGum Processes in connection with Services provided to a Customer.
「処理」または「処理行為」とは、(a) 管理者に代わって個人データを処理する自然人または法人、または (b) CCPA で定義される「サービスプロバイダー」を意味し、自動的な手段によるか否かを問わず、個人情報に対して行われる操作または一連の操作に適用される。
「販売」または「販売すること」とは、CCPAで定義される意味を有するものとします。
「サブ処理者」とは、 (a) 処理者、または処理者の他のサブ処理者によって委託され、データ管理者の指示に従い、かつデータ管理者へのサービス提供に関する主契約に関連して、個人データの移転後にデータ管理者に代わって実施される処理活動のみに供される個人データを受け取ることに同意する処理者、または (b) CCPAで定義される「サービスプロバイダー」をいう 。
To download a complete copy of GumGum's Global Data Processing Addendum for Clients, please click here.