Data Processing Addendum

Effective Date: May 25, 2018.

Except where otherwise negotiated in writing, this Data Processing Addendum (“DPA”) forms part of the Terms of Service Agreement (“Agreement”) for the use of the Simply Voting online voting system (“Services”) owned and operated by Simply Voting Inc. (“Simply Voting”) for the Processing of Personal Data, including EU Personal Data.

In consideration of the mutual obligations set out herein, Simply Voting and Customer, collectively (“the Parties”) hereby agree that the terms and conditions set forth below shall be added as an addendum to the Agreement to govern processing by Simply Voting of any EU Personal Data that is subject to the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”) and similar laws, which require certain data protection and privacy obligations to be covered contractually.

To the extent that any terms or conditions set forth in any other agreement between the Parties, including agreements entered into after the date of this DPA, conflict with any terms or conditions of this DPA, it is expressly understood and agreed that the terms and conditions set forth in this DPA will apply rather than the conflicting terms and conditions in any other written agreement, unless the Parties explicitly agree otherwise in writing. The Parties will not agree, under any circumstance, to providing less protection to EU Personal Data than is required by all applicable laws, regulations, directives, rules, standards, and frameworks.

Effective Period. This DPA will be effective beginning May 25, 2018, and will remain effective for as long as Simply Voting and any Sub-Processor to which Simply Voting has disclosed any EU Personal Data retains any EU Personal Data received from Customer.
Definitions.
1. For purposes of this DPA, the following terms will have the following meanings:
  1. Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
  2. Customer: The legal entity or individual who accepted Simply Voting’s Agreement, which includes this DPA.
  3. Data Protection Impact Assessment (“DPIA”): A process designed to describe the Processing, to assess the necessity and proportionality of the Processing, and to help manage the risks to the rights and freedoms of natural persons resulting from the Processing of Personal Data (by assessing them and determining measures to address them).
  4. Data Subject: An identified or identifiable natural person whose Personal Data is being Processed.
  5. EU Personal Data: Any information relating to an identified or identifiable natural person located in the EU.
  6. Personal Data: Any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  7. Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
  8. Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  9. Processor: A natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
  10. Sub-Processor: A Sub-Processor retained by a Processor to assist with Processing activities.
2. Any Capitalized, data protection terms used in this DPA, which are not specifically defined in this DPA, will have the meaning ascribed to them in the GDPR.
EU Personal Data Protection Compliance.
1. The Parties’ General Compliance Obligations. In connection with the Services covered by the Agreement and this DPA, Simply Voting and Customer will comply with all applicable provisions of the GDPR on and after May 25, 2018, as well as all applicable Member State laws and regulations.
2. Details of Processing. Pursuant to Article 28 of the GDPR, the details of the processing covered by the Agreement and this DPA are set forth in the Appendix (“Appendix: Details of Processing”) attached to this DPA.
3. Customer Obligations and Authorization of Processing.
  1. The Parties agree that Customer is the Controller, and Simply Voting is the Processor. Customer is and shall remain responsible for compliance with all requirements imposed on Controllers, including but not limited to confirming the lawful basis for all processing activities conducted by Simply Voting on Customer’s behalf and obtaining consent from data subjects, where required.
  2. Customer authorizes Simply Voting to collect and process the EU Personal Data needed to perform the Services for which Customer is contracting with Simply Voting in the Agreement.
  3. Customer agrees to limit any EU Personal Data it transfers to Simply Voting or to which Simply Voting is otherwise given access for processing to only EU Personal Data needed by Simply Voting to fulfill its obligations under the Agreement.
  4. Customer authorizes the transfer, processing and storage of EU Personal Data outside the European Economic Area (EEA) in order to fulfill the purpose of the Services.
  5. Customer grants a general authorization to Simply Voting to engage or replace Sub-Processors to perform part of the Services, provided that Simply Voting respects all requirements set forth in the GDPR for the appointment of Sub-Processors.
  6. Customer hereby consents to Simply Voting’s engagement of Sub-Processors in connection with the processing of the Personal Data. Upon written request, Simply Voting will make the list of applicable Sub-Processors available to Customer. Customer may reasonably object to any new Sub-Processor, in which case Simply Voting will use reasonable efforts to make a change in the Services or recommend a commercially reasonable change to avoid processing by such Sub-Processor. If Simply Voting is unable to provide an alternative, Customer may terminate the affected Services. Simply Voting will enter into written agreements with each Sub-Processor containing reasonable provisions relating to the implementation of technical and organizational measures in compliance with the GDPR. Simply Voting will remain liable for acts and omissions of its Sub-Processors in connection with the provision of the Services.
4. Simply Voting’s EU Personal Data Protection Obligations.
  1. Simply Voting’s Processing of EU Personal Data on Customer’s behalf will be conducted in accordance with documented instructions received from Customer. Simply Voting will promptly inform Customer if, in Simply Voting’s opinion, an instruction from Customer infringes on the GDPR or other Member State data protection provisions.
  2. Simply Voting will only provide access rights to EU Personal Data to associates who have committed themselves to confidentiality.
  3. Simply Voting has implemented appropriate technical and organizational measures in accordance with Article 32 of the GDPR.
  4. Simply Voting will abide by the requirements set forth in the GDPR for the appointment of Sub-Processors.
  5. Simply Voting has implemented measures to assist Customer in responding to data subject requests to exercise their data subject rights.
  6. After becoming aware of any Personal Data Breach involving EU Personal Data received from Customer or collected on Customer’s behalf, Simply Voting will notify Customer without undue delay.
  7. Simply Voting will assist Customer in complying with its GDPR obligations relating to the Services concerning the security of processing, notification of an EU Personal Data Breach, Data Protection Impact Assessments (DPIAs), and prior consultations.
  8. Depending on Customer’s asserted choice, Simply Voting will either delete or return all EU Personal Data to Customer after the end of the provision of Services unless EU or Member State law requires storage of the EU Personal Data.
  9. Upon written request, Simply Voting will provide Customer with information needed to demonstrate compliance with the obligations of Article 28 of the GDPR, and will permit and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
Right to Terminate Agreement. In the event of any breach of this DPA by Customer, Simply Voting has the right to terminate the Services and Agreement without penalty to Simply Voting upon written notice to Customer.
Indemnification. Customer will fully indemnify, hold harmless and defend Simply Voting, its affiliates, and their respective officers, directors, employees, agents and contractors (collectively, “Indemnified Parties”) from and against any and all claims, demands, actions, suits, damages, liabilities, losses, settlements, judgments, regulatory investigations, enforcement actions, administrative penalties, fees, fines, costs, and expenses (including but not limited to reasonable attorney’s fees and costs) (each a “Claim”) any of them suffer as a result of a breach by Customer or its employees, representatives, agents, or contractors of any of Customer’s obligations set forth in this DPA; a Personal Data Breach caused by any act, omission or negligence of Customer or its employees, representatives, agents, or contractors; or Customer’s, or its employees’, representatives’, agents’, or contractors’ violation or breach of the GDPR or any other applicable data protection or privacy law, regulation, directive, rule, standard, or framework, including but not limited to violation or breach of the rights of a data subject and violations relating to Customer’s use of Simply Voting’s products and/or services. Simply Voting reserves the right to assume the exclusive defense and control of any matter subject to indemnification at the expense of Customer, and in such case, Customer agrees to cooperate with Simply Voting in the defense of any such Claim.
Severability. If any provision of this DPA is, to any extent, invalid or unenforceable, all other provisions of the DPA will remain in full force and effect. To the extent permitted and possible, the invalid or unenforceable provision will be deemed replaced by a term that is valid and enforceable and that comes closest to expressing the intention of such invalid or unenforceable term. If this is not permissible or not possible, then the DPA will be construed as if the invalid or unenforceable provision were not included in the DPA.
No Limitation on Simply Voting’s Rights or Remedies. Nothing in this DPA will limit Simply Voting’s rights or remedies under the Agreement or at law.
Governing Laws/Jurisdiction. The Parties to this DPA submit to the choice of jurisdiction set forth in the Agreement with respect to any disputes or claims arising under this DPA. The Parties further stipulate that any and all disputes concerning the construction and interpretation of this DPA and/or the Parties’ obligations under this DPA will be handled in accordance with pertinent provisions governing disputes or claims that are set forth in the Agreement.

Appendix: Details of Processing

Subject Matter:

The subject matter of the data processing under this DPA is the provision of the Services and any related technical support to the Customer.

Duration of Processing:

Personal Data will be processed for the duration of the Agreement, in accordance with its terms, except as otherwise required by applicable law.

Nature and Purpose of Processing:

Simply Voting will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Services documentation, and as further instructed by Customer in its use of the Services.

Categories of Data Subjects:

Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

Customer’s users
Customer’s members
Customer’s employees
Customer’s students
Customer’s affiliates
Customer’s residents
Customer’s partners
Customer’s shareholders
Customer’s customers
Customer’s participants

Categories of Personal Data:

Contact information (e.g., name, email address, mailing address, organization name, cellphone number)
Electoral information (e.g. ID, password, voting segment, vote weight)
Usage information (e.g. IP address, browser type, navigation activity, votes)