Marketro LLC DATA PROCESSING TERMS
Marketro LLC and the counterparty agreeing to these terms (“Customer”) have entered into an agreement for the provision of the Services (as amended from time to time, the “Agreement”).
These Marketro LLC Data Processing Terms (including the appendices, “Data Processing Terms”) are entered into by Marketro LLC and Customer and supplement the Agreement. These Data Processing Terms will be effective, and replace any previously applicable terms relating to their subject matter, from the Terms Effective Date.
If you are accepting these Data Processing Terms on behalf of Customer, you warrant that: (a) you have full legal authority to bind Customer to these Data Processing Terms; (b) you have read and understand these Data Processing Terms; and (c) you agree, on behalf of Customer, to these Data Processing Terms. If you do not have the legal authority to bind Customer, please do not accept these Data Processing Terms.
These Data Processing Terms set out the additional terms, requirements and conditions on which Marketro LLC will process Personal Data when providing Services under the Agreement. These Terms contain the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.
By agreeing to these Terms, Customer enters into them on its own behalf and on behalf of its Affiliates, if and to the extent Marketro LLC Processes Personal Data for which such Affiliates qualify as Controller.
DEFINITIONS
“Affiliate” shall mean, as to any entity, any other entity that, directly or indirectly, controls, is controlled by or is under common control with such entity.
“GDPR” means the EU General Data Protection Regulation ((EU) 2016/679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.
“Customer Personal Information” shall mean the Personal Data which Marketro LLC is Processing as Processor on behalf of Customer in order to provide the Services.
“Data Protection Laws” shall mean all data protection and privacy laws applicable to the respective party in its role in the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
“EU Data Protection Law” shall mean (i) the GDPR, and any equivalent or replacement law in any Member State and all and any regulations made under those acts or regulations; (ii) the guidelines, recommendations, best practice opinions, directions, decisions, and codes of conduct issued, adopted or approved by the European Commission, the European Data Protection Board, and/or any supervisory authority or data protection authority from time to time in relation to the GDPR; and (iii) any judgments of any relevant court of law relating to the processing of personal data, data privacy, and data security.
“EU Standard Contractual Clauses” shall mean the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries set forth in the Commission Decision 2010/87/EC of 5 February 2010, as well as under any new laws, rules, regulations, and/or contracts that replace, supersede, or are required to be implemented in connection with the Standard Contractual Clauses.
“Member State” shall mean a country that is a member of the European Union or of the European Economic Area.
“Personal Data” shall mean any information relating to an identified or identifiable natural person (“Data Subject”), which information is subject to Data Protection Legislation; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier such as an IP or MAC Address or Mobile ID, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” shall mean a suspected or actual breach of the Marketro LLC technical and organizational measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Privacy Shield” shall mean the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).
“Process” or “Processing” shall mean the collection, recording, organization, alteration, use, access, disclosure, copying, transfer, storage, deletion, combination, destruction, disposal or other use of Personal Data by the Processor on behalf of Customer.
“Processor” shall mean a natural or legal person, public authority, agency or other body which processes Personal Information on behalf of the Controller.
“Services” shall mean the services provided by Marketro LLC as described in the Agreement.
“Sub-processor” means any subcontractor engaged by Marketro LLC for the Processing of Customer Personal Data in accordance with Section 8.1.
“Supervisory Authority” shall mean an independent public authority which is established by a Member State pursuant to Data Protection Legislation.
“Term” shall mean the period from the Terms Effective Date until the end of Marketro LLC’s provision of the Services under the Agreement.
“Terms Effective Date” shall mean the date on which Customer clicked to accept or the parties otherwise agreed to these Data Processing Terms.
“Transfer” shall mean the access by, transfer or delivery to, or disclosure of Personal Data to a person, entity or system located in a country or jurisdiction other than the country or jurisdiction where the Personal Data originated from.
DATA PROCESSING
2.1 These Data Processing Terms will take effect on the Terms Effective Date and, notwithstanding expiry of the Term, remain in effect until, and automatically expire upon, deletion of all Customer Personal Data by Marketro LLC as described in these Data Processing Terms.
2.2 These Data Processing Terms apply if and to the extent Marketro LLC is Processing Customer Personal Information. In this context, Marketro LLC will act as a “Processor” to the Customer, who may act as “Controller” or “Processor” with respect to Customer Personal Data.
2.3 Annex 1 (Processing Details) sets out:
(a) the nature, purposes, and subject matter of the Processing;
(b) the duration of the Processing;
(c) the categories of Data Subjects; and
(d) the types of Customer Personal Data.
2.4 Marketro LLC will Process Customer’s Personal Data for the sole purpose of providing the Services according to Customer’s written instructions. The Parties agree that the Agreement and these Data Processing Terms constitute Customer’s complete and final documented instructions to Marketro LLC in relation to the Processing of Customer’s Personal Data. Additional instructions outside the scope of the Agreement or these Data Processing Terms (if any) require prior written agreement between Marketro LLC and Customer, including agreement on any additional fees payable by Customer for carrying out such instructions. Customer shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to Customer’s Personal Data, and that the Processing of Customer’s Personal Data in accordance with Customer’s instructions will not cause Marketro LLC to be in breach of EU Data Protection Law.
2.5 Marketro LLC will not access or use Customer’s Personal Data, except as necessary to maintain or provide the Services, or as necessary to comply with the law or a binding order of a governmental body.
2.6 Customer agrees that (i) it will comply with its obligations under Data Protection Laws in respect of its Processing of Customer’s Personal Data, including any obligations specific to its role as a Controller and/or Processor (as applicable); and (ii) it has provided notice and obtained (or will obtain) all consents and rights necessary under Data Protection Laws for Marketro LLC to Process Customer’s Personal Data and provide the Services pursuant to the Agreement and these Data Processing Terms. If Customer is itself a Processor, Customer warrants to Marketro LLC that Customer’s instructions and actions with respect to that Customer Personal Data, including its appointment of Marketro LLC as another Processor, have been authorized by the relevant Controller.
TECHNICAL AND ORGANIZATIONAL MEASURES
Marketro LLC will implement and maintain technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals.
Customer is responsible for making an independent determination as to whether the technical and organizational measures implemented by Marketro LLC meet Customer’s requirements and legal obligations under GDPR. Customer acknowledges that the Marketro LLC technical and organizational measures are subject to technical progress and further development and that Marketro LLC may update or modify the Marketro LLC technical and organizational measures from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services provided to Customer under the Agreement.
Customer agrees that, without prejudice to Marketro LLC’s obligations under Section 3.1: (a) Customer is responsible for its use of the Services, including making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer’s Personal Data, securing its account authentication credentials, managing its data back-up strategies, and protecting the security of Customer’s Personal Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer’s Personal Data uploaded to the Services; and (b) Marketro LLC has no obligation to protect Customer’s Personal Data that Customer elects to store or transfer outside of Marketro LLC’s and its Sub-processors’ systems (for example, offline or on premise storage).
DATA SUBJECT RIGHTS AND REQUESTS
4.1 Marketro LLC shall rectify, erase, allow the portability of or otherwise Process Customer’s Personal Data and take any other measures in relation to requests from Data Subjects in relation to their rights under applicable EU Data Protection Law only in accordance with and subject to Customer’s written instructions.
4.2 To the extent permitted by applicable Data Protection Legislation, Marketro LLC will inform Customer without undue delay of requests from Data Subjects exercising their rights thereunder that are addressed directly to Marketro LLC regarding Customer’s Personal Data. If Customer is obliged to provide information regarding Customer’s Personal Data to third parties (e.g., Data Subjects or any Supervisory Authority), Marketro LLC shall use best efforts to assist Customer in doing so by providing all required information.
4.3 Customer agrees that, without prejudice to Marketro LLC’s obligations under Sections 4.1 and 4.2 above, Customer is solely responsible for dealing with Data Subject requests.
4.4 If a law enforcement agency sends Marketro LLC a demand for Customer’s Personal Data (e.g., a subpoena or court order), Marketro LLC will redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Marketro LLC may provide Customer’s contact information to the law enforcement agency. If compelled to disclose Customer’s Personal Data to a law enforcement agency, then Marketro LLC will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy to the extent Marketro LLC is legally permitted to do so.
4.5 Customer acknowledges that Marketro LLC is required under the GDPR to: (a) collect and maintain written records of certain information, including the name and contact details of each Processor and/or Controller on behalf of which Marketro LLC is acting and, where applicable, of such Processor’s or Controller’s local representative and data protection officer; and (b) make such information available to the Supervisory Authorities. Accordingly, if GDPR applies to the Processing of Customer’s Personal Data, Customer will, where requested, provide such information to Marketro LLC via the Services or other means provided by Marketro LLC, and will ensure that all information provided is kept accurate and up-to-date.
CONFIDENTIALITY
5.1 Without prejudice to any existing contractual arrangements between the Parties, Marketro LLC shall treat all Customers’ Personal Data as strictly confidential and shall inform all its employees, agents and/or approved Sub-processors engaged in Processing the Customer’s Personal Data of the confidential nature of the data. Marketro LLC shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
5.2 Marketro LLC will not disclose Customer’s Personal Data to any third party, unless authorized by Customer or required by mandatory law. If a government or Supervisory Authority demands access to Customer’s Personal Data, Marketro LLC will notify Customer prior to disclosure unless prohibited by law.
INFORMATION AND AUDIT
Marketro LLC shall also provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer’s Personal Data, including responses to information security and audit questionnaires that are necessary to confirm Marketro LLC’s compliance with these Data Processing Terms, provided that Customer shall not exercise this right more than once per year.
Customer agrees to exercise any right it may have to conduct an audit or inspection of Marketro LLC’s technical and organizational measures, including under the EU Standard Contractual Clauses if they apply, by instructing Marketro LLC to carry out such audit.
RETURNING OR DELETING CUSTOMER’S PERSONAL DATA
Upon termination or expiration of the Agreement, or anytime upon Customer’s written request, Marketro LLC shall promptly return or delete all copies of Customer’s Personal Data. Marketro LLC shall not be required to return or delete Customer’s Personal Data to the extent (i) Marketro LLC is required by applicable law or order of a governmental or regulatory body to retain all or some of Customer’s Personal Data, or (ii) Customer has not paid all amounts due under the Agreement.
SUB-PROCESSORS
Customer agrees that Marketro LLC may engage Sub-processors to Process Customer’s Personal Data on Customer’s behalf. Customer hereby consents to Marketro LLC continuing to use any of Marketro LLC’s Affiliates and all Sub-processors already engaged by Marketro LLC as at the date of these Data Processing Terms (a full list is available on request by contacting Marketro LLC’s helpdesk at http://support.marketro.com/support/solutions/13000002971). Customer shall promptly take any reasonable action required or appropriate to facilitate or support any transfer of Customer’s Personal Data to approved Sub-processors (e.g. updating registrations with Supervisory Authorities).
Marketro LLC shall notify Customer of any new Sub-processor Marketro LLC wishes to appoint to carry out Processing activities on behalf of Customer. If, within two (2) weeks of receipt of any such notice, Customer notifies Marketro LLC in writing of any objections to the proposed appointment for legitimate reasons, Marketro LLC shall work with Customer in good faith to take reasonable measures to address the objections raised by Customer, and where such measures cannot be agreed within three (3) weeks from Marketro LLC’s receipt of Customer’s notice, Customer may by written notice to Marketro LLC with immediate effect terminate the Agreement to the extent that it relates to the Services which require the use of the proposed Sub-processor. “Legitimate reasons” shall be deemed given if there is an indication based on objective facts which reasonably support the assumption that the engagement of the Sub-processor would breach applicable law or this DPA.
Where Marketro LLC engages a Sub-processor to carry out specific Processing activities on behalf of Customer, Marketro LLC shall enter into a written agreement with the Sub-processor which includes terms which offer the same level of protection for Customer’s Personal Data as those set out in this DPA.
Notwithstanding any approval by Customer within the meaning of Section 8.1, Marketro LLC shall remain fully liable vis-à-vis Customer for the performance of any such Sub-processor that fails to fulfil its data protection obligations under these Data Processing Terms and/or any applicable Data Protection Laws.
TRANSFERS OF PERSONAL INFORMATION
To the extent that Marketro LLC Processes any Customer’s Personal Data in a country that is neither a Member State nor considered by the European Commission to have an adequate level of protection for personal information, Marketro LLC will (i) enter into EU Standard Contractual Clauses with Customer, unless Marketro LLC can demonstrate adherence to one of the other statutory Transfer mechanisms approved by the European Commission, such as the Privacy Shield.
To the extent that Customer or Marketro LLC are relying on a specific statutory mechanism to normalize international Personal Data Transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, Customer and Marketro LLC agree to cooperate in good faith to promptly terminate the Transfer or to pursue a suitable alternative mechanism that can lawfully support the transfer.
For the purposes of Section 9.2, Marketro LLC and Customer agree that incorporation of the EU Standard Contractual Clauses or Privacy Shield into these Data Processing Terms shall act as a legally-binding execution.
INFORMATION OBLIGATIONS AND PERSONAL DATA BREACH
If Marketro LLC becomes aware of a Personal Data Breach that impacts the Processing of the Customer’s Personal Data that is the subject of the Agreement and is reasonably likely to require a data breach notification by Customer under EU Data Protection Law, Marketro LLC will without undue delay: (a) notify Customer of the Personal Data Breach; and (b) take reasonable steps to minimize any damage resulting from the Personal Data Breach.
To assist Customer in relation to any Personal Data Breach notifications Customer is required to make under the EU Data Protection Law, Marketro LLC will include in the notification under Section 10.1(a) such information about the Personal Data Breach as Marketro LLC is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to Marketro LLC, and any restrictions on disclosing the information, such as confidentiality.
Customer agrees that:
An unsuccessful Personal Data Breach will not be subject to this Section 10. An unsuccessful Personal Data Breach is one that results in no unauthorized access to Customer’s Personal Data or to any of Marketro LLC’s equipment or facilities storing Customer’s Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents; and
Marketro LLC’s obligation to report or respond to a Personal Data Breach under this Section 10 is not and will not be construed as an acknowledgment by Marketro LLC of any fault or liability of Marketro LLC with respect to the Personal Data Breach.
Notification of Personal Data Breaches, if any, will be delivered to one or more of Customer’s administrators by any means Marketro LLC selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on Marketro LLC’s systems, and secure transmission at all times.
Customer acknowledges that Marketro LLC will not assess the contents of Customer’s Personal Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with the data breach notification obligations applicable to Customer under EU Data Protection Law and fulfilling any third-party notification obligations related to any Personal Data Breach.
11. LIABILITY
11.1 The liability of each Party under these Data Processing Terms shall be subject to the exclusions and limitations of liability set out in the Agreement. Customer agrees that any regulatory penalties incurred by Marketro LLC in relation to the Customer’s Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under these Data Processing Terms and EU Data Protection Law shall count towards and reduce Marketro LLC’s liability under the Agreement as if it were liability to Customer under the Agreement.
12. GENERAL
12.1 If any provision of these Data Processing Terms is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
12.2 In the event of any inconsistency between the provisions of these Data Processing Terms and the provisions of the Agreement, the provisions of these Data Processing Terms shall prevail.
12.3 These Data Processing Terms will be governed and construed in accordance with the governing law and applicable jurisdiction provisions of the Agreement, unless required by applicable Data Protection Law.
Except as otherwise detailed herein, the terms and conditions of the Agreement shall remain unchanged and in full force and effect.
Marketro LLC Data Processing Terms, Version 1.0
May 25, 2018
Annex 1 Subject Matter and Details of the Data Processing
Subject Matter
Marketro LLC’s provision of the Services and any related technical support to Customer.
Duration of the Processing
The Term plus the period from expiry of the Term until deletion of all Customer Personal Data by Marketro LLC in accordance with these Data Processing Terms.
Nature and Purpose of the Processing
Marketro LLC will Process (including, as applicable to the Services and the instructions described in Section 2.4 (Customer’s Instructions), collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, combining, erasing and destroying) Customer Personal Data for the purpose of providing the Services and any related technical support to Customer in accordance with these Data Processing Terms.
Types of Personal Data
Customer Personal Data may include your name, address, telephone number, email address, or any screen name or user name you may use, and other relevant information related to processing needed for Marketro LLC software to perform its function.
Categories of Data Subjects
Customer Personal Data will concern the following categories of data subjects:
Data Subjects about whom Marketro LLC collects Personal Data in its provision of the Services; and/or
Data Subjects about whom personal data is transferred to Marketro LLC in connection with the Services by, at the direction of, or on behalf of Customer.