DATA PROTECTION ADDENDUM
Last Updated: September 12, 2022
This Data Protection Addendum ("Addendum") forms part of the agreement between Customer and Genius Referrals covering Customer's use of the Services (as defined below) ("Agreement").
I. Introduction
1. Definitions
I. Introduction
1. Definitions
- "Applicable Data Protection Law" means all laws and regulations applicable to Genius Referrals' processing of personal data under the Agreement.
- "controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- "Customer Account Data" means personal data that relates to Customer's relationship with Genius Referrals, including the names or contact information of individuals authorized by Customer to access Customer's account, and billing information of individuals that Customer has associated with its account. Customer Account Data also includes any personal data Genius Referrals may need to collect for the purpose of identity verification (including providing the Multi-Factor Authentication Services, as defined below), or as part of its legal obligation to retain Subscriber Records (as defined below).
- "Customer Content" means (a) personal data exchanged as a result of using the Services (as defined below), such as email bodies, email recipients, text message bodies, voice and video media, images, email bodies, email recipients, sound, and, where applicable, details Customer submits to the Services from its designated software applications and services and (b) data stored on Customer's behalf such as audits within the Services.
- "Customer Data" has the meaning given in the Agreement. Customer Data includes Customer Account Data, Customer Usage Data, Customer Content, and Sensitive Data, each as defined in this Addendum.
- "Customer Usage Data" means statistics and data (i) provided to or collected by Genius Referrals in connection with Customer's use of the Genius Referrals services, and (ii) relating to a Customer's account activity, including the browsing, accessing and/or purchasing of Customer Services or other information collected from or about or otherwise regarding Customer, whether in individual or aggregate form, that is sufficient to personally identify a Customer.
- "Multi-Factor Authentication Services" means the provision of a portion of the Services under which Customer adds an additional factor for verification of Customer's end users' identity in connection with such end users' use of Customer's referral program.
- "personal data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "processor" means the entity which processes personal data on behalf of the controller.
- "processing" (and "process") means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- "Security Incident" means a confirmed or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.
- "Sensitive Data" means (a) social security number, passport number, driver's license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) of a credit or debit card), financial information, banking account numbers or passwords; (c) employment, financial, genetic, biometric or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or sexual orientation; (e) account passwords, mother's maiden name, or date of birth; (f) criminal history; or (g) any other information or combinations of information that falls within the definition of "special categories of data" under GDPR (as defined below) or any other applicable law or regulation relating to privacy and data protection.
- "Services" means the products and services provided by Genius Referrals or its Affiliates, as applicable, that are (a) used by Customer, including, without limitation, products and services that are on a trial basis or otherwise free of charge or (b) ordered by Customer under an order form.
- "Subscriber Records" means Customer Account Data containing proof of identification and proof of physical address necessary for Genius Referrals to verify Customer identity.
- "sub-processor" means (a) Genius Referrals, when Genius Referrals is processing Customer Content and where Customer is a processor of such Customer Content or (b) any third-party processor engaged by Genius Referrals to process Customer Content in order to provide the Services to Customer.
- "Third Party Request" means any request, correspondence, inquiry, or complaint from a data subject, regulatory authority, or third party.
- "Genius Referrals Privacy Notice" means the privacy notice for the Services, the current version of which is available at https://geniusreferrals.com/legal/privacy.
II. Controller and Processor
2. Relationship
2.1 Genius Referrals as a Processor. Customer and Genius Referrals agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor, and Genius Referrals is a processor. Genius Referrals will process Customer Content in accordance with Customer's instructions as set forth in Section 5 (Customer Instructions).
2.2 Genius Referrals as a Controller of Customer Account Data. Customer and Genius Referrals acknowledge that, with regard to the processing of Customer Account Data, Customer is a controller, and Genius Referrals is an independent controller, not a joint controller with Customer. Genius Referrals will process Customer Account Data as a controller in order to (a) manage the relationship with Customer; (b) carry out Genius Referrals' core business operations, such as accounting and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) perform identity verification; and (e) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Genius Referrals Privacy Notice.
2.3 Genius Referrals as a Controller of Customer Usage Data. The parties acknowledge that, with regard to the processing of Customer Usage Data, Customer may act either as a controller or processor and Genius Referrals is an independent controller, not a joint controller with Customer. Genius Referrals will process Customer Usage Data as a controller in order to carry out the necessary functions as a referral marketing platform, such as: (a) Genius Referrals' accounting, tax, billing, audit, and compliance purposes; (b) to provide, optimize, and maintain the Services, platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the Services; (d) as required by applicable law or regulation; or (e) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Genius Referrals Privacy Notice.
3. Purpose Limitation. Genius Referrals will process personal data in order to provide the Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this Addendum further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.
4. Compliance. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own processing of personal data and (b) it has, and will continue to have, the right to transfer, or provide access to, personal data to Genius Referrals for processing in accordance with the terms of the Agreement and this Addendum.
2. Relationship
2.1 Genius Referrals as a Processor. Customer and Genius Referrals agree that with regard to the processing of Customer Content, Customer may act either as a controller or processor, and Genius Referrals is a processor. Genius Referrals will process Customer Content in accordance with Customer's instructions as set forth in Section 5 (Customer Instructions).
2.2 Genius Referrals as a Controller of Customer Account Data. Customer and Genius Referrals acknowledge that, with regard to the processing of Customer Account Data, Customer is a controller, and Genius Referrals is an independent controller, not a joint controller with Customer. Genius Referrals will process Customer Account Data as a controller in order to (a) manage the relationship with Customer; (b) carry out Genius Referrals' core business operations, such as accounting and filing taxes; (c) detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) perform identity verification; and (e) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Genius Referrals Privacy Notice.
2.3 Genius Referrals as a Controller of Customer Usage Data. The parties acknowledge that, with regard to the processing of Customer Usage Data, Customer may act either as a controller or processor and Genius Referrals is an independent controller, not a joint controller with Customer. Genius Referrals will process Customer Usage Data as a controller in order to carry out the necessary functions as a referral marketing platform, such as: (a) Genius Referrals' accounting, tax, billing, audit, and compliance purposes; (b) to provide, optimize, and maintain the Services, platform and security; (c) to investigate fraud, spam, wrongful or unlawful use of the Services; (d) as required by applicable law or regulation; or (e) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Agreement, and the Genius Referrals Privacy Notice.
3. Purpose Limitation. Genius Referrals will process personal data in order to provide the Services in accordance with the Agreement. Schedule 1 (Details of Processing) of this Addendum further specifies the nature and purpose of the processing, the processing activities, the duration of the processing, the types of personal data and categories of data subjects.
4. Compliance. Customer is responsible for ensuring that (a) it has complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and its own processing of personal data and (b) it has, and will continue to have, the right to transfer, or provide access to, personal data to Genius Referrals for processing in accordance with the terms of the Agreement and this Addendum.
III. Genius Referrals as a Processor – Processing Customer Content
5. Customer Instructions. Customer appoints Genius Referrals as a processor to process Customer Content on behalf of, and in accordance with, Customer's instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Services to Customer, and which includes investigating security incidents and preventing spam, fraudulent activity, and violations of the Genius Referrals Acceptable Use Policy, the current version of which is available at https://geniusreferrals.com/legal/aup, and detecting and preventing network exploits or abuse; (b) as necessary to comply with applicable law or regulation, including Applicable Data Protection Law; and (c) as otherwise agreed in writing between Customer and Genius Referrals ("Permitted Purposes").
5.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Genius Referrals is neither responsible for determining which laws or regulations are applicable to Customer's business nor whether Genius Referrals' provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that Genius Referrals' processing of Customer Content, when done in accordance with Customer's instructions, will not cause Genius Referrals to violate any applicable law or regulation, including Applicable Data Protection Law. Genius Referrals will inform Customer if it becomes aware, or reasonably believes, that Customer's instructions violate any applicable law or regulation, including Applicable Data Protection Law.
5.2 Additional Instructions. Additional instructions outside the scope of the Agreement or this Addendum will be agreed to in writing between Customer and Genius Referrals, including any additional fees that may be payable by Customer to Genius Referrals for carrying out such additional instructions.
6. Confidentiality
6.1 Responding to Third Party Requests. In the event any Third Party Request is made directly to Genius Referrals in connection with Genius Referrals' processing of Customer Content, Genius Referrals will promptly inform Customer and provide details of the same, to the extent legally permitted. Genius Referrals will not respond to any Third Party Request without Customer's prior consent, except as legally required to do so or to confirm that such Third Party Request relates to Customer.
6.2 Confidentiality Obligations of Genius Referrals Personnel. Genius Referrals will ensure that any person it authorizes to process Customer Content has agreed to protect personal data in accordance with Genius Referrals' confidentiality obligations in the Agreement.
7. Sub-processors
7.1 Authorization for Onward Sub-processing. Customer provides a general authorization for Genius Referrals to engage onward sub-processors that is conditioned on the following requirements:
(a) Genius Referrals will restrict the onward sub-processor's access to Customer Content only to what is strictly necessary to provide the Services, and Genius Referrals will prohibit the sub-processor from processing the personal data for any other purpose;
(b) Genius Referrals agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Content to the standard required by Applicable Data Protection Law, including the requirements set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; and
(c) Genius Referrals will remain liable for any breach of this Addendum that is caused by an act, error, or omission of its sub-processors.
7.2 Current Sub-processors. Customer consents to Genius Referrals engaging third party sub-processors to process Customer Content within the Services for the Permitted Purposes provided that Genius Referrals maintains an up-to-date list of its sub-processors at https://geniusreferrals.com/legal/sub-processors. With respect to changes in infrastructure providers, Genius Referrals will endeavor to give written notice sixty (60) days prior to any change, but in any event will give written notice no less than thirty (30) days prior to any such change. With respect to Genius Referrals' other sub-processors, Genius Referrals will endeavor to give written notice thirty (30) days prior to any change, but will give written notice no less than ten (10) days prior to any such change.
7.3 Objection Right for new Sub-processors. Customer may object to Genius Referrals appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, Customer and Genius Referrals agree to discuss commercially reasonable alternative solutions in good faith. If Customer and Genius Referrals cannot reach a resolution within ninety (90) days from the date of Genius Referrals' receipt of Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to Genius Referrals. Such discontinuation will be without prejudice to any fees incurred by Customer prior to the discontinuation of the affected Services. If no objection has been raised prior to Genius Referrals replacing or appointing a new sub-processor, Genius Referrals will deem Customer to have authorized the new sub-processor.
8. Data Subject Rights. Genius Referrals provides Customer with a number of self-service features via the Services, including the ability to delete, obtain a copy of, or restrict use of Customer Content. Customer may use such self-service features to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to Third Party Requests from data subjects via the Services at no additional cost. Upon Customer's request, Genius Referrals will provide reasonable additional and timely assistance to Customer in complying with Customer's data protection obligations with respect to data subject rights under Applicable Data Protection Law to the extent Customer does not have the ability to resolve a Third Party Request from a data subject through self-service features made available via the Services.
9. Impact Assessments and Consultations. Genius Referrals will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer's expense only if such reasonable cooperation will require Genius Referrals to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.
10. Return or Deletion of Customer Content. Genius Referrals will, in accordance with Section 3 (Duration of the Processing) of Schedule 1 (Details of Processing) of this Addendum, delete or return to Customer any Customer Content stored within the Services.
10.1 Extension of Addendum. Upon termination of the Agreement, Genius Referrals may retain Customer Content in storage for the time periods set forth in Schedule 1 (Details of Processing) of this Addendum, provided that Genius Referrals will ensure that Customer Content (a) is processed only as necessary for the Permitted Purposes and (b) remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
10.2 Retention Required by Law. Notwithstanding anything to the contrary in this Section 10, Genius Referrals may retain Customer Content, or any portion of it, if required by applicable law or regulation, including Applicable Data Protection Law, provided such Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
5. Customer Instructions. Customer appoints Genius Referrals as a processor to process Customer Content on behalf of, and in accordance with, Customer's instructions (a) as set forth in the Agreement, this Addendum, and as otherwise necessary to provide the Services to Customer, and which includes investigating security incidents and preventing spam, fraudulent activity, and violations of the Genius Referrals Acceptable Use Policy, the current version of which is available at https://geniusreferrals.com/legal/aup, and detecting and preventing network exploits or abuse; (b) as necessary to comply with applicable law or regulation, including Applicable Data Protection Law; and (c) as otherwise agreed in writing between Customer and Genius Referrals ("Permitted Purposes").
5.1 Lawfulness of Instructions. Customer will ensure that its instructions comply with Applicable Data Protection Law. Customer acknowledges that Genius Referrals is neither responsible for determining which laws or regulations are applicable to Customer's business nor whether Genius Referrals' provision of the Services meets or will meet the requirements of such laws or regulations. Customer will ensure that Genius Referrals' processing of Customer Content, when done in accordance with Customer's instructions, will not cause Genius Referrals to violate any applicable law or regulation, including Applicable Data Protection Law. Genius Referrals will inform Customer if it becomes aware, or reasonably believes, that Customer's instructions violate any applicable law or regulation, including Applicable Data Protection Law.
5.2 Additional Instructions. Additional instructions outside the scope of the Agreement or this Addendum will be agreed to in writing between Customer and Genius Referrals, including any additional fees that may be payable by Customer to Genius Referrals for carrying out such additional instructions.
6. Confidentiality
6.1 Responding to Third Party Requests. In the event any Third Party Request is made directly to Genius Referrals in connection with Genius Referrals' processing of Customer Content, Genius Referrals will promptly inform Customer and provide details of the same, to the extent legally permitted. Genius Referrals will not respond to any Third Party Request without Customer's prior consent, except as legally required to do so or to confirm that such Third Party Request relates to Customer.
6.2 Confidentiality Obligations of Genius Referrals Personnel. Genius Referrals will ensure that any person it authorizes to process Customer Content has agreed to protect personal data in accordance with Genius Referrals' confidentiality obligations in the Agreement.
7. Sub-processors
7.1 Authorization for Onward Sub-processing. Customer provides a general authorization for Genius Referrals to engage onward sub-processors that is conditioned on the following requirements:
(a) Genius Referrals will restrict the onward sub-processor's access to Customer Content only to what is strictly necessary to provide the Services, and Genius Referrals will prohibit the sub-processor from processing the personal data for any other purpose;
(b) Genius Referrals agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Customer Content to the standard required by Applicable Data Protection Law, including the requirements set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; and
(c) Genius Referrals will remain liable for any breach of this Addendum that is caused by an act, error, or omission of its sub-processors.
7.2 Current Sub-processors. Customer consents to Genius Referrals engaging third party sub-processors to process Customer Content within the Services for the Permitted Purposes provided that Genius Referrals maintains an up-to-date list of its sub-processors at https://geniusreferrals.com/legal/sub-processors. With respect to changes in infrastructure providers, Genius Referrals will endeavor to give written notice sixty (60) days prior to any change, but in any event will give written notice no less than thirty (30) days prior to any such change. With respect to Genius Referrals' other sub-processors, Genius Referrals will endeavor to give written notice thirty (30) days prior to any change, but will give written notice no less than ten (10) days prior to any such change.
7.3 Objection Right for new Sub-processors. Customer may object to Genius Referrals appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, Customer and Genius Referrals agree to discuss commercially reasonable alternative solutions in good faith. If Customer and Genius Referrals cannot reach a resolution within ninety (90) days from the date of Genius Referrals' receipt of Customer’s written objection, Customer may discontinue the use of the affected Services by providing written notice to Genius Referrals. Such discontinuation will be without prejudice to any fees incurred by Customer prior to the discontinuation of the affected Services. If no objection has been raised prior to Genius Referrals replacing or appointing a new sub-processor, Genius Referrals will deem Customer to have authorized the new sub-processor.
8. Data Subject Rights. Genius Referrals provides Customer with a number of self-service features via the Services, including the ability to delete, obtain a copy of, or restrict use of Customer Content. Customer may use such self-service features to assist in complying with its obligations under Applicable Data Protection Law with respect to responding to Third Party Requests from data subjects via the Services at no additional cost. Upon Customer's request, Genius Referrals will provide reasonable additional and timely assistance to Customer in complying with Customer's data protection obligations with respect to data subject rights under Applicable Data Protection Law to the extent Customer does not have the ability to resolve a Third Party Request from a data subject through self-service features made available via the Services.
9. Impact Assessments and Consultations. Genius Referrals will provide reasonable cooperation to Customer in connection with any data protection impact assessment (at Customer's expense only if such reasonable cooperation will require Genius Referrals to assign significant resources to that effort) or consultations with regulatory authorities that may be required in accordance with Applicable Data Protection Law.
10. Return or Deletion of Customer Content. Genius Referrals will, in accordance with Section 3 (Duration of the Processing) of Schedule 1 (Details of Processing) of this Addendum, delete or return to Customer any Customer Content stored within the Services.
10.1 Extension of Addendum. Upon termination of the Agreement, Genius Referrals may retain Customer Content in storage for the time periods set forth in Schedule 1 (Details of Processing) of this Addendum, provided that Genius Referrals will ensure that Customer Content (a) is processed only as necessary for the Permitted Purposes and (b) remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
10.2 Retention Required by Law. Notwithstanding anything to the contrary in this Section 10, Genius Referrals may retain Customer Content, or any portion of it, if required by applicable law or regulation, including Applicable Data Protection Law, provided such Customer Content remains protected in accordance with the terms of the Agreement, this Addendum, and Applicable Data Protection Law.
IV. Security and Audits
11. Security
11.1 Security Measures. Genius Referrals has implemented and will maintain the technical and organizational security measures as set forth in the Agreement. Additional information about Genius Referrals' technical and organizational security measures to protect Customer Data is set forth in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.
11.2 Determination of Security Requirements. Customer acknowledges the Services include certain features and functionalities that Customer may elect to use which impact the security of Customer Data processed by Customer's use of the Services, such as, but not limited to, availability of multi-factor authentication on Customer’s account, or optional Transport Layer Security (TLS) encryption. Customer is responsible for reviewing the information Genius Referrals makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Services meet the Customer's requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the Services and using features and functionalities made available by Genius Referrals to maintain appropriate security in light of the nature of Customer Data processed as a result of Customer's use of the Services.
11.3 Security Incident Notification. Genius Referrals will provide notification of a Security Incident in the following manner:
(a) Genius Referrals will, to the extent permitted by applicable law or regulation, notify Customer without undue delay, but in no event later than seventy-two (72) hours after Genius Referrals' discovery of a Security Incident impacting Customer Data of which Genius Referrals is a processor;
(b) Genius Referrals will, to the extent permitted and required by applicable law or regulation, notify Customer without undue delay of any Security Incident involving Customer Data of which Genius Referrals is a controller; and
(c) Genius Referrals will notify Customer of any Security Incident via email to the email address(es) designated by Customer in Customer's account.
Genius Referrals will make reasonable efforts to identify a Security Incident, and to the extent a Security Incident is caused by Genius Referrals' violation of this Addendum, remediate the cause of such Security Incident. Genius Referrals will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.
12. Audits. Customer and Genius Referrals acknowledge that Customer must be able to assess Genius Referrals' compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as Genius Referrals is acting as a processor on behalf of Customer.
12.1 Genius Referrals' Audit Program. Genius Referrals uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Content. Such audits are performed at least once annually at Genius Referrals' expense by independent third-party security professionals at Genius Referrals' selection and result in the generation of a confidential audit report ("Audit Report").
12.2 Customer Audit. Upon Customer's written request at reasonable intervals, and subject to reasonable confidentiality controls, Genius Referrals will make available to Customer a copy of Genius Referrals' most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Law will be satisfied by these Audit Reports. To the extent that Genius Referrals' provision of an Audit Report does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with Genius Referrals that: (a) ensures the use of an independent third party; (b) provides written notice to Genius Referrals in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Customer at Genius Referrals' then-current rates; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Customer; and (g) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.
11. Security
11.1 Security Measures. Genius Referrals has implemented and will maintain the technical and organizational security measures as set forth in the Agreement. Additional information about Genius Referrals' technical and organizational security measures to protect Customer Data is set forth in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.
11.2 Determination of Security Requirements. Customer acknowledges the Services include certain features and functionalities that Customer may elect to use which impact the security of Customer Data processed by Customer's use of the Services, such as, but not limited to, availability of multi-factor authentication on Customer’s account, or optional Transport Layer Security (TLS) encryption. Customer is responsible for reviewing the information Genius Referrals makes available regarding its data security, including its audit reports, and making an independent determination as to whether the Services meet the Customer's requirements and legal obligations, including its obligations under Applicable Data Protection Law. Customer is further responsible for properly configuring the Services and using features and functionalities made available by Genius Referrals to maintain appropriate security in light of the nature of Customer Data processed as a result of Customer's use of the Services.
11.3 Security Incident Notification. Genius Referrals will provide notification of a Security Incident in the following manner:
(a) Genius Referrals will, to the extent permitted by applicable law or regulation, notify Customer without undue delay, but in no event later than seventy-two (72) hours after Genius Referrals' discovery of a Security Incident impacting Customer Data of which Genius Referrals is a processor;
(b) Genius Referrals will, to the extent permitted and required by applicable law or regulation, notify Customer without undue delay of any Security Incident involving Customer Data of which Genius Referrals is a controller; and
(c) Genius Referrals will notify Customer of any Security Incident via email to the email address(es) designated by Customer in Customer's account.
Genius Referrals will make reasonable efforts to identify a Security Incident, and to the extent a Security Incident is caused by Genius Referrals' violation of this Addendum, remediate the cause of such Security Incident. Genius Referrals will provide reasonable assistance to Customer in the event that Customer is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.
12. Audits. Customer and Genius Referrals acknowledge that Customer must be able to assess Genius Referrals' compliance with its obligations under Applicable Data Protection Law and this Addendum, insofar as Genius Referrals is acting as a processor on behalf of Customer.
12.1 Genius Referrals' Audit Program. Genius Referrals uses external auditors to verify the adequacy of its security measures with respect to its processing of Customer Content. Such audits are performed at least once annually at Genius Referrals' expense by independent third-party security professionals at Genius Referrals' selection and result in the generation of a confidential audit report ("Audit Report").
12.2 Customer Audit. Upon Customer's written request at reasonable intervals, and subject to reasonable confidentiality controls, Genius Referrals will make available to Customer a copy of Genius Referrals' most recent Audit Report. Customer agrees that any audit rights granted by Applicable Data Protection Law will be satisfied by these Audit Reports. To the extent that Genius Referrals' provision of an Audit Report does not provide sufficient information or Customer is required to respond to a regulatory authority audit, Customer agrees to a mutually agreed-upon audit plan with Genius Referrals that: (a) ensures the use of an independent third party; (b) provides written notice to Genius Referrals in a timely fashion; (c) requests access only during business hours; (d) accepts billing to Customer at Genius Referrals' then-current rates; (e) occurs no more than once annually; (f) restricts its findings to only data relevant to Customer; and (g) obligates Customer, to the extent permitted by law or regulation, to keep confidential any information gathered that, by its nature, should be confidential.
V. International Provisions
13. Jurisdiction Specific Terms. To the extent Genius Referrals processes personal data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum, the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) apply in addition to the terms of this Addendum.
14. Cross Border Data Transfer Mechanisms. To the extent Customer's use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area, the United Kingdom, Switzerland, Guernsey, Jersey, or any other jurisdiction listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum) to Genius Referrals located outside of that jurisdiction ("Transfer Mechanism"), the terms set forth in Schedule 3 (Cross Border Transfer Mechanisms) of this Addendum will apply.
13. Jurisdiction Specific Terms. To the extent Genius Referrals processes personal data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum, the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) apply in addition to the terms of this Addendum.
14. Cross Border Data Transfer Mechanisms. To the extent Customer's use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction (i.e., the European Economic Area, the United Kingdom, Switzerland, Guernsey, Jersey, or any other jurisdiction listed in Schedule 4 (Jurisdiction Specific Terms) of this Addendum) to Genius Referrals located outside of that jurisdiction ("Transfer Mechanism"), the terms set forth in Schedule 3 (Cross Border Transfer Mechanisms) of this Addendum will apply.
VI. Miscellaneous
15. Cooperation and Data Subject Rights. In the event that either party receives (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) or (b) any Third Party Request relating to the processing of Customer Account Data or Customer Usage Data conducted by the other party, such party will promptly inform such other party in writing. Customer and Genius Referrals agree to cooperate, in good faith, as necessary to respond to any Third Party Request and fulfill their respective obligations under Applicable Data Protection Law.
16. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; (2) the terms of this Addendum outside of Schedule 4 (Jurisdiction Specific Terms); (3) the Agreement; and (4) the Genius Referrals Privacy Notice. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, without limitation, the exclusions and limitations set forth in the Agreement.
17. Updates. Genius Referrals may update the terms of this Addendum from time to time; provided, however, Genius Referrals will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services. The then-current terms of this Addendum are available at https://geniusreferrals.com/legal/data-protection-addendum.
15. Cooperation and Data Subject Rights. In the event that either party receives (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure, and data portability, as applicable) or (b) any Third Party Request relating to the processing of Customer Account Data or Customer Usage Data conducted by the other party, such party will promptly inform such other party in writing. Customer and Genius Referrals agree to cooperate, in good faith, as necessary to respond to any Third Party Request and fulfill their respective obligations under Applicable Data Protection Law.
16. Conflict. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) the applicable terms set forth in Schedule 4 (Jurisdiction Specific Terms) of this Addendum; (2) the terms of this Addendum outside of Schedule 4 (Jurisdiction Specific Terms); (3) the Agreement; and (4) the Genius Referrals Privacy Notice. Any claims brought in connection with this Addendum will be subject to the terms and conditions, including, without limitation, the exclusions and limitations set forth in the Agreement.
17. Updates. Genius Referrals may update the terms of this Addendum from time to time; provided, however, Genius Referrals will provide at least thirty (30) days prior written notice to Customer when an update is required as a result of (a) changes in Applicable Data Protection Law; (b) a merger, acquisition, or other similar transaction; or (c) the release of new products or services or material changes to any of the existing Services. The then-current terms of this Addendum are available at https://geniusreferrals.com/legal/data-protection-addendum.
Schedule 1
Details of Processing
1. Nature and Purpose of the Processing. Genius Referrals will process personal data as necessary to provide the Services under the Agreement. Genius Referral does not sell Customer's personal data or Customer end users' personal data and does not share such end users' information with third parties for compensation or for those third parties' own business interests.
1.1 Customer Content. Genius Referral will process Customer Content as a processor in accordance with Customer's instructions as set forth in Section 5 (Customer Instructions) of this Addendum.
1.2 Customer Account Data. Genius Referral will process Customer Account Data as a controller for the purposes set forth in Section 2.2 (Genius Referral as a Controller of Customer Account Data) of this Addendum.
1.3 Customer Usage Data. Genius Referral will process Customer Usage Data as a controller for the purposes set forth in Section 2.3 (Genius Referral as a Controller of Customer Usage Data) of this Addendum.
2. Processing Activities
2.1 Customer Content. Personal data contained in Customer Content will be subject to the following basic processing activities:
(a) the provision of referral marketing products and services, primarily offered in the form of websites, tracking and conversion scripts, webhooks, and application programming interfaces, to Customer, including transmittal to or from Customer’s software applications or; services and designated third parties as directed by Customer. Genius Referrals will also provide Customer with analytic reports regarding the activity of the websites, tracking, conversion, webhooks, and applications programming interfaces. Storage of personal data on Genius Referrals' network;
(b) the provision of products and services which allow the delivery of payouts on behalf of Customer to its recipients. Genius Referrals will also provide Customer with analytic reports regarding the payouts it sends on Customer's behalf. Storage of personal data on Genius Referrals' network;
(c) the provision of products and services which allow the transmission and delivery of email and SMS communications on behalf of Customer to its recipients. Genius Referrals will also provide Customer with analytic reports regarding the email communications it sends on Customer's behalf. Storage of personal data on Genius Referrals' network; and
(d) the provision of products and services which allows Customer to integrate, manage and control its data relating to end users. Storage of personal data on Genius Referrals' network.
2.2 Customer Account Data. Personal data contained in Customer Account Data will be subject to the processing activities of providing the Services.
2.3 Customer Usage Data. Personal data contained in Customer Usage Data will be subject to the processing activities of providing the Services.
3. Duration of the Processing. The period for which personal data will be retained and the criteria used to determine that period is as follows:
3.1 Customer Content. Prior to the termination of the Agreement, (x) Genius Referrals will process stored Customer Content for the Permitted Purposes until Customer elects to delete such Customer Content via the Services and (y) Customer agrees that it is solely responsible for deleting Customer Content via the Services. Upon termination of the Agreement, Genius Referrals will (i) provide Customer thirty (30) days after the termination effective date to obtain a copy of any stored Customer Content via the Services; (ii) automatically delete any stored Customer Content thirty (30) days after the termination effective date; and (iii) automatically delete any stored Customer Content on Genius Referrals' back-up systems sixty (60) days after the termination effective date. Any Customer Content archived on Genius Referrals' back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law or regulation.
3.2 Customer Account Data. Genius Referrals will process Customer Account Data as long as required (a) to provide the Services to Customer; (b) for Genius Referrals' legitimate business needs; or (c) by applicable law or regulation. Customer Account Data will be stored in accordance with the Genius Referrals Privacy Notice.
3.3 Customer Usage Data. Upon termination of the Agreement, Genius Referrals may retain, use, and disclose Customer Usage Data for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. Genius Referrals will anonymize or delete Customer Usage Data when Genius Referrals no longer requires it for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1.
4. Categories of Data Subjects
4.1 Customer Content. Customer's end users.
4.2 Customer Account Data. Customer's employees and individuals authorized by Customer to access Customer's Genius Referrals account or make use of the Multi-Factor Authentication Services.
4.3 Customer Usage Data. Customer's end users.
5. Categories of Personal Data. Genius Referrals processes personal data contained in Customer Account Data, Customer Content, and Customer Usage Data.
6. Sensitive Data or Special Categories of Data
6.1 Customer Content. Sensitive Data may, from time to time, be processed via the Services where Customer or its end users choose to include Sensitive Data within the referral programs using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer's end users to transmit or process, any Sensitive Data via the Services.
1. Nature and Purpose of the Processing. Genius Referrals will process personal data as necessary to provide the Services under the Agreement. Genius Referral does not sell Customer's personal data or Customer end users' personal data and does not share such end users' information with third parties for compensation or for those third parties' own business interests.
1.1 Customer Content. Genius Referral will process Customer Content as a processor in accordance with Customer's instructions as set forth in Section 5 (Customer Instructions) of this Addendum.
1.2 Customer Account Data. Genius Referral will process Customer Account Data as a controller for the purposes set forth in Section 2.2 (Genius Referral as a Controller of Customer Account Data) of this Addendum.
1.3 Customer Usage Data. Genius Referral will process Customer Usage Data as a controller for the purposes set forth in Section 2.3 (Genius Referral as a Controller of Customer Usage Data) of this Addendum.
2. Processing Activities
2.1 Customer Content. Personal data contained in Customer Content will be subject to the following basic processing activities:
(a) the provision of referral marketing products and services, primarily offered in the form of websites, tracking and conversion scripts, webhooks, and application programming interfaces, to Customer, including transmittal to or from Customer’s software applications or; services and designated third parties as directed by Customer. Genius Referrals will also provide Customer with analytic reports regarding the activity of the websites, tracking, conversion, webhooks, and applications programming interfaces. Storage of personal data on Genius Referrals' network;
(b) the provision of products and services which allow the delivery of payouts on behalf of Customer to its recipients. Genius Referrals will also provide Customer with analytic reports regarding the payouts it sends on Customer's behalf. Storage of personal data on Genius Referrals' network;
(c) the provision of products and services which allow the transmission and delivery of email and SMS communications on behalf of Customer to its recipients. Genius Referrals will also provide Customer with analytic reports regarding the email communications it sends on Customer's behalf. Storage of personal data on Genius Referrals' network; and
(d) the provision of products and services which allows Customer to integrate, manage and control its data relating to end users. Storage of personal data on Genius Referrals' network.
2.2 Customer Account Data. Personal data contained in Customer Account Data will be subject to the processing activities of providing the Services.
2.3 Customer Usage Data. Personal data contained in Customer Usage Data will be subject to the processing activities of providing the Services.
3. Duration of the Processing. The period for which personal data will be retained and the criteria used to determine that period is as follows:
3.1 Customer Content. Prior to the termination of the Agreement, (x) Genius Referrals will process stored Customer Content for the Permitted Purposes until Customer elects to delete such Customer Content via the Services and (y) Customer agrees that it is solely responsible for deleting Customer Content via the Services. Upon termination of the Agreement, Genius Referrals will (i) provide Customer thirty (30) days after the termination effective date to obtain a copy of any stored Customer Content via the Services; (ii) automatically delete any stored Customer Content thirty (30) days after the termination effective date; and (iii) automatically delete any stored Customer Content on Genius Referrals' back-up systems sixty (60) days after the termination effective date. Any Customer Content archived on Genius Referrals' back-up systems will be securely isolated and protected from any further processing, except as otherwise required by applicable law or regulation.
3.2 Customer Account Data. Genius Referrals will process Customer Account Data as long as required (a) to provide the Services to Customer; (b) for Genius Referrals' legitimate business needs; or (c) by applicable law or regulation. Customer Account Data will be stored in accordance with the Genius Referrals Privacy Notice.
3.3 Customer Usage Data. Upon termination of the Agreement, Genius Referrals may retain, use, and disclose Customer Usage Data for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1, subject to the confidentiality obligations set forth in the Agreement. Genius Referrals will anonymize or delete Customer Usage Data when Genius Referrals no longer requires it for the purposes set forth in Section 1.3 (Customer Usage Data) of this Schedule 1.
4. Categories of Data Subjects
4.1 Customer Content. Customer's end users.
4.2 Customer Account Data. Customer's employees and individuals authorized by Customer to access Customer's Genius Referrals account or make use of the Multi-Factor Authentication Services.
4.3 Customer Usage Data. Customer's end users.
5. Categories of Personal Data. Genius Referrals processes personal data contained in Customer Account Data, Customer Content, and Customer Usage Data.
6. Sensitive Data or Special Categories of Data
6.1 Customer Content. Sensitive Data may, from time to time, be processed via the Services where Customer or its end users choose to include Sensitive Data within the referral programs using the Services. Customer is responsible for ensuring that suitable safeguards are in place prior to transmitting or processing, or prior to permitting Customer's end users to transmit or process, any Sensitive Data via the Services.
Schedule 2
Technical and Organizational Security Measures
The full text of Genius Referrals' technical and organizational security measures to protect Customer Data is available at https://geniusreferrals.com/legal/security-overview ("Security Overview").
Where applicable, this Schedule 2 will serve as Annex II to the EU Standard Contractual Clauses. The following table provides more information regarding the technical and organizational security measures set forth below.
The full text of Genius Referrals' technical and organizational security measures to protect Customer Data is available at https://geniusreferrals.com/legal/security-overview ("Security Overview").
Where applicable, this Schedule 2 will serve as Annex II to the EU Standard Contractual Clauses. The following table provides more information regarding the technical and organizational security measures set forth below.
Schedule 3
Cross Border Data Transfer Mechanisms
1. Definitions
2. Cross Border Data Transfer Mechanisms.
2.1 Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses as set forth in Section 2.2 (EU Standard Contractual Clauses) or Section 2.3 (UK International Data Transfer Agreement) of this Schedule 3; and, if (a) is not applicable, then (b) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
2.2 EU Standard Contractual Clauses. Customer and Genius Referrals agree that the EU Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, Guernsey, or Jersey, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland, Guernsey, or Jersey that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
(a) Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where (i) Genius Referrals is processing Customer Account Data and (ii) Customer is a controller of Customer Usage Data and Genius Referrals is processing Customer Usage Data.
(b) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a controller of Personal Data and Genius Referrals is processing Personal Data.
(c) Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Personal Data and Genius Referrals is processing Personal Data.
(d) Module Four (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Customer Usage Data and Genius Referrals processes Customer Usage Data.
(e) For each Module, where applicable:
(i) in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply;
(ii) in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of subprocessor changes will be as set forth in Section 7.2 (Current Sub-processors) of this Addendum;
(iii) in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;
(iv) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;
(v) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
(vi) in Annex I, Part A of the EU Standard Contractual Clauses:
Data Exporter: Customer.
Contact Details: The email address(es) designated by Customer in Customer’s account via its notification preferences.
Data Exporter Role: The Data Exporter’s role is set forth in Section 2 (Processing of Personal Data) of this DPA.
Signature and Date: By entering into the Master Services Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: HLA Solutions Group LLC d/b/a Genius Referrals
Contact details: Genius Referrals Privacy Team - privacy@geniusreferrals.com
Data Importer Role: The Data Importer's role is set forth in Section 2 (Relationship) of this Addendum.
Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement;
(vii) in Annex I, Part B of the EU Standard Contractual Clauses:
The categories of data subjects are set forth in Section 4 of Schedule 1 (Details of Processing) of this Addendum.
The Sensitive Data transferred is set forth in Section 6 of Schedule 1 (Details of Processing) of this Addendum.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is set forth in Section 1 of Schedule 1 (Details of Processing) of this Addendum.
The purpose of the processing is set forth in Section 1 of Schedule 1 (Details of Processing) of this Addendum.
The period for which the personal data will be retained is set forth in Section 3 of Schedule 1 (Details of Processing) of this Addendum.
For transfers to sub-processors, the subject matter, nature, and duration of the processing is set forth at https://geniusreferrals.com/legal/sub-processors;
(viii) in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.
(ix) Schedule 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the EU Standard Contractual Clauses.
2.3 UK International Data Transfer Agreement. Customer and Genius Referrals agree that the UK International Data Transfer Agreement will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not (a) recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into, and incorporated into this Addendum by this reference, and completed as follows:
(a) In Table 1 of the UK International Data Transfer Agreement, Customer's and Genius Referral details and key contact information are set forth in Section 2.2 (e)(vi) of this Schedule 3.
(b) In Table 2 of the UK International Data Transfer Agreement, information about the version of the Approved EU SCCs, modules, and selected clauses, which the UK International Data Transfer Agreement is appended to, are set forth in Section 2.2 (EU Standard Contractual Clauses) of this Schedule 3.
(c) In Table 3 of the UK International Data Transfer Agreement:
(i) The list of Parties is set forth in Section 2.2(e)(vi) of this Schedule 3.
(ii) The description of the transfer is set forth in Section 1 (Nature and Purpose of the Processing) of Schedule 1 (Details of the Processing).
(iii) Annex II is located in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.
(iv) The list of sub-processors is available at https://geniusreferrals.com/legal/sub-processors; and
(d) In Table 4 of the UK International Data Transfer Agreement, both the Importer and the exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Agreement.
2.6 Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Agreement and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms), the Agreement, or the Genius Referrals Privacy Notice, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Agreement, as applicable, will prevail.
1. Definitions
- "EC" means the European Commission
- "EEA" means the European Economic Area
- "EU Standard Contractual Clauses" means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
- "UK International Data Transfer Agreement" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.
2. Cross Border Data Transfer Mechanisms.
2.1 Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the applicable Standard Contractual Clauses as set forth in Section 2.2 (EU Standard Contractual Clauses) or Section 2.3 (UK International Data Transfer Agreement) of this Schedule 3; and, if (a) is not applicable, then (b) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
2.2 EU Standard Contractual Clauses. Customer and Genius Referrals agree that the EU Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the European Economic Area or Switzerland, Guernsey, or Jersey, either directly or via onward transfer, to any country or recipient outside the European Economic Area or Switzerland, Guernsey, or Jersey that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the European Economic Area that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
(a) Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where (i) Genius Referrals is processing Customer Account Data and (ii) Customer is a controller of Customer Usage Data and Genius Referrals is processing Customer Usage Data.
(b) Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a controller of Personal Data and Genius Referrals is processing Personal Data.
(c) Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Personal Data and Genius Referrals is processing Personal Data.
(d) Module Four (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a processor of Customer Usage Data and Genius Referrals processes Customer Usage Data.
(e) For each Module, where applicable:
(i) in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply;
(ii) in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior notice of subprocessor changes will be as set forth in Section 7.2 (Current Sub-processors) of this Addendum;
(iii) in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;
(iv) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;
(v) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
(vi) in Annex I, Part A of the EU Standard Contractual Clauses:
Data Exporter: Customer.
Contact Details: The email address(es) designated by Customer in Customer’s account via its notification preferences.
Data Exporter Role: The Data Exporter’s role is set forth in Section 2 (Processing of Personal Data) of this DPA.
Signature and Date: By entering into the Master Services Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: HLA Solutions Group LLC d/b/a Genius Referrals
Contact details: Genius Referrals Privacy Team - privacy@geniusreferrals.com
Data Importer Role: The Data Importer's role is set forth in Section 2 (Relationship) of this Addendum.
Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement;
(vii) in Annex I, Part B of the EU Standard Contractual Clauses:
The categories of data subjects are set forth in Section 4 of Schedule 1 (Details of Processing) of this Addendum.
The Sensitive Data transferred is set forth in Section 6 of Schedule 1 (Details of Processing) of this Addendum.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is set forth in Section 1 of Schedule 1 (Details of Processing) of this Addendum.
The purpose of the processing is set forth in Section 1 of Schedule 1 (Details of Processing) of this Addendum.
The period for which the personal data will be retained is set forth in Section 3 of Schedule 1 (Details of Processing) of this Addendum.
For transfers to sub-processors, the subject matter, nature, and duration of the processing is set forth at https://geniusreferrals.com/legal/sub-processors;
(viii) in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority.
(ix) Schedule 2 (Technical and Organizational Security Measures) of this Addendum serves as Annex II of the EU Standard Contractual Clauses.
2.3 UK International Data Transfer Agreement. Customer and Genius Referrals agree that the UK International Data Transfer Agreement will apply to personal data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not (a) recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into, and incorporated into this Addendum by this reference, and completed as follows:
(a) In Table 1 of the UK International Data Transfer Agreement, Customer's and Genius Referral details and key contact information are set forth in Section 2.2 (e)(vi) of this Schedule 3.
(b) In Table 2 of the UK International Data Transfer Agreement, information about the version of the Approved EU SCCs, modules, and selected clauses, which the UK International Data Transfer Agreement is appended to, are set forth in Section 2.2 (EU Standard Contractual Clauses) of this Schedule 3.
(c) In Table 3 of the UK International Data Transfer Agreement:
(i) The list of Parties is set forth in Section 2.2(e)(vi) of this Schedule 3.
(ii) The description of the transfer is set forth in Section 1 (Nature and Purpose of the Processing) of Schedule 1 (Details of the Processing).
(iii) Annex II is located in Schedule 2 (Technical and Organizational Security Measures) of this Addendum.
(iv) The list of sub-processors is available at https://geniusreferrals.com/legal/sub-processors; and
(d) In Table 4 of the UK International Data Transfer Agreement, both the Importer and the exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Agreement.
2.6 Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Agreement and any other terms in this Addendum, including Schedule 4 (Jurisdiction Specific Terms), the Agreement, or the Genius Referrals Privacy Notice, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Agreement, as applicable, will prevail.
Schedule 4
Jurisdiction Specific Terms
1. Australia:
1.1 The definition of "Applicable Data Protection Law" includes the Australian Privacy Principles and the Australian Privacy Act (1988).
1.2 The definition of "personal data" includes "Personal Information" as defined under Applicable Data Protection Law.
1.3 The definition of "Sensitive Data" includes "Sensitive Information" as defined under Applicable Data Protection Law.
2. Brazil:
2.1 The definition of "Applicable Data Protection Law" includes the Lei Geral de Proteção de Dados (General Personal Data Protection Act).
2.2 The definition of "Security Incident" includes a security incident that may result in any relevant risk or damage to data subjects.
2.3 The definition of "processor" includes "operator" as defined under Applicable Data Protection Law.
3. Canada:
3.1 The definition of "Applicable Data Protection Law" includes the Federal Personal Information Protection and Electronic Documents Act.
3.2 Genius Referrals' sub-processors, as set forth in Section 7 (Sub-processors) of this Addendum, are third parties under Applicable Data Protection Law, with whom Genius Referrals has entered into a written contract that includes terms substantially similar to this Addendum. Genius Referrals has conducted appropriate due diligence on its sub-processors.
3.3 Genius Referrals will implement technical and organizational measures as set forth in Section 11 (Security) of this Addendum.
4. European Economic Area (EEA):
4.1 The definition of "Applicable Data Protection Law" includes the General Data Protection Regulation (EU 2016/679) ("GDPR").
4.2 When Genius Referrals engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
4.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party's indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
4.4 Customer acknowledges that Genius Referrals, as a controller, may be required under Applicable Data Protection Law to notify a regulatory authority of Security Incidents involving Customer Usage Data. If a regulatory authority requires Genius Referrals to notify impacted data subjects with whom Genius Referrals does not have a direct relationship (e.g., Customer's end users), Genius Referrals will notify Customer of this requirement. Customer will provide reasonable assistance to Genius Referrals to notify the impacted data subjects.
5. Israel:
5.1 The definition of "Applicable Data Protection Law" includes the Protection of Privacy Law.
5.2 The definition of "controller" includes "Database Owner" as defined under Applicable Data Protection Law.
5.3 The definition of "processor" includes “Holder” as defined under Applicable Data Protection Law.
5.4 Genius Referrals will require that any personnel authorized to process Customer Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Genius Referrals in accordance with Section 6 (Confidentiality) of this Addendum.
5.5 Genius Referrals must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 11 (Security) of this Addendum and complying with the terms of the Agreement.
5.6 Genius Referrals must ensure that the personal data will not be transferred to a sub-processor unless such sub-processor has executed an agreement with Genius Referrals pursuant to Section 7.1 (Authorization for Onward Sub-processing) of this Addendum.
6. Japan:
6.1 The definition of "Applicable Data Protection Law" includes the Act on the Protection of Personal Information ("APPI").
6.2 The definition of "personal data" includes information about a specific individual applicable under Section 2(1) of the APPI, which Customer entrusts to Genius Referrals during Genius Referrals' provision of the Services to Customer.
6.3 Genius Referrals agrees it has and will maintain a privacy program conforming to the standards prescribed by rules of the Personal Information Protection Commission concerning the handling of personal data pursuant to the provisions of Chapter 4 of the APPI. Accordingly:
(a) Genius Referrals will (i) process personal data as necessary to provide the Services to Customer in accordance with the Agreement and as set forth in Schedule 1 (Details of the Processing) of this Addendum ("Purpose of Use") and (ii) not process personal data for any purpose other than the Purpose of Use without Customer's consent;
(b) Genius Referrals will implement and maintain measures appropriate and necessary to prevent unauthorized disclosure and loss of personal data and for the secure management of personal data in accordance with the APPI as set forth in Section 11 (Security) of this Addendum;
(c) Genius Referrals will notify Customer for (i) a failure to comply with Section 6.3(a) of this Schedule 4 or (ii) Genius Referrals' discovery of a Security Incident impacting Customer Data, in either case, in accordance with Section 11.3 (Security Incident Notification). Genius Referrals will provide reasonable assistance to Customer in the event that Customer is required to notify a regulatory authority or any data subjects impacted by a Security Incident;
(d) Genius Referrals will ensure that any of its employees who have access to personal data (i) have executed employee agreements requiring them to keep such personal data confidential and (ii) who violate confidentiality will be subject to disciplinary action and possible termination; (iii) carry out appropriate employee supervision and training for the secure management of personal data; and (iv) limit the number of authorized personnel, including Genius Referrals' employees, who have access to personal data and control such access such that it is only permitted for the time period necessary for the Purpose of Use;
(e) Genius Referrals will not disclose personal data to any third party, except as Customer has authorized Genius Referrals to do so in the Agreement. When engaging sub-processors, Genius Referrals will comply with the obligations in Section 7 (Sub-processors) of this Addendum to ensure that procedures are in place to maintain the confidentiality and security of personal data;
(f) Genius Referrals will keep records of the handling of personal data entrusted to it by, and performed for, Customer;
(g) Genius Referrals will promptly notify Customer of any Third Party Request and not respond to such Third Party Request without Customer's prior consent, except as legally required to do so or to confirm that such Third Party Request relates to Customer. To the extent Customer does not have the ability to resolve a Third Party Request from a data subject through the self-service features made available via the Services, then, upon Customer's request, Genius Referrals will provide reasonable cooperation and support to assist Customer in resolving such Third Party Request from a data subject in accordance with Section 8 (Data Subject Rights) of this Addendum;
(h) Unless prohibited by applicable law or regulation, Genius Referrals will promptly notify Customer of any Third Party Request that requires Genius Referrals to disclose personal data on order or disposition of any governmental authority or court of law. Genius Referrals will limit any personal data provided to the minimum extent required and strictly for the required purpose;
(i) Customer may assess Genius Referrals' compliance with its obligations under Applicable Data Protection Law and as set forth in Section 12 (Audits) of this Addendum. In addition, Genius Referrals will respond to any Customer inquiries or questionnaires relating to Genius Referrals' processing of personal data under the Agreement in good faith and within a reasonable period of time. Customer may direct APPI-related inquiries to privacy@geniusreferrals.com. Genius Referrals will identify its Chief Privacy Officer upon written request;
(j) Genius Referrals will provide reasonable cooperation to Customer upon written request, where Customer is reporting to the Personal Information Protection Commission or other regulatory authorities; and
(k) Genius Referrals' primary processing facilities are located in the United States of America. Genius Referrals will notify customer of any Processing Location change and provide Customer the opportunity to object in accordance with, respectively, Section.
7.2 (Current Sub-processors and Notification of Sub-process or Changes) and Section 7.3 (Objection Right for new Sub-processors) of this Addendum. Where Genius Referrals processes personal data in a country other than Japan, Genius Referrals will ensure it complies with its privacy program as described in this Addendum. Genius Referrals will promptly notify Customer of any changes in applicable law and regulation that may materially affect Genius Referrals' obligations with respect to the processing of personal data, and in such case, Customer may, at its discretion, suspend the transfer of personal data.
6.4 The following data subject consent terms apply:
(a) Customer entrusts Genius Referrals with personal data for the Purpose of Use. Customer agrees that Genius Referrals is not a "third party" as the term is used in the APPI provisions that restrict the provision of personal data to third parties. As such, the requirement to obtain data subject consent in advance for domestic transfers within Japan do not apply;
(b) Customer agrees that Genius Referrals privacy program set forth in Section 6.3 of this Schedule 3 meets the equivalent standards prescribed by the Personal Information Protection Commission and the APPI. As such, the APPI restrictions on the provision of personal data to third parties in foreign countries outside of Japan, which require data subject consent in advance of such international transfers do not apply. Customer may take the necessary actions set forth in Section 6.3(h) of this Schedule 3 to ensure continuous implementation of Genius Referrals privacy program and respond to Third Party Requests from data subjects.
7. Mexico:
7.1 The definition of "Applicable Data Protection Law" includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations.
7.2 When acting as a processor, Genius Referrals will:
(a) treat personal data in accordance with Customer's instructions set forth in Section 5 (Customer Instructions) of this Addendum;
(b) process personal data only to the extent necessary to provide the Services;
(c) implement security measures in accordance with Applicable Data Protection Law and Section 11 (Security) of this Addendum;
(d) keep confidentiality regarding the personal data processed in accordance with the Agreement;
(e) delete all personal data upon termination of the Agreement in accordance with Section 10 (Return or Deletion of Customer Content) of this Addendum; and
(f) only transfer personal data to sub-processors in accordance with Section 7 (Sub-processors) of this Addendum.
8. Singapore:
8.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 ("PDPA").
8.2 Genius Referrals will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 11 (Security) of this Addendum and complying with the terms of the Agreement.
9. Switzerland:
9.1 The definition of "Applicable Data Protection Law" includes the Swiss Federal Act on Data Protection, as revised ("FADP").
9.2 When Genius Referrals engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that Switzerland has declared to have an "adequate" level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
9.3 To the extent that personal data transfers from Switzerland are subject to the EU Standard Contractual Clauses in accordance with Section 2.2 of Schedule 3 (Cross Border Data Transfer Mechanisms), the following amendments will apply to the EU Standard Contractual Clauses:
(a) references to “EU Member State” and "Member State" will be interpreted to include Switzerland, and
(b) insofar as the transfer or onward transfers are subject to the FADP:
(i) references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP;
(ii) the "competent supervisory authority" in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
(iii) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
(iv) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
10. United Kingdom (UK):
10.1 References in this Addendum to "GDPR" will be deemed references to the corresponding laws and regulations of the United Kingdom, including, without limitation, the UK GDPR and Data Protection Act 2018.
10.2 When Genius Referrals engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an "adequate" level of protection or (ii) only process personal data on terms equivalent to the UK International Data Transfer Agreement or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.
10.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party's indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.
10.4 Customer acknowledges that Genius Referrals, as a controller, may be required under Applicable Data Protection Law to notify a regulatory authority of Security Incidents involving Customer Usage Data. If a regulatory authority requires Genius Referrals to notify impacted data subjects with whom Genius Referrals does not have a direct relationship (e.g., Customer's end users), Genius Referrals will notify Customer of this requirement. Customer will provide reasonable assistance to Genius Referrals to notify the impacted data subjects.
11. United States of America:
11.1 "US State Privacy Laws" mean all state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.
11.2 The definition of "Applicable Data Protection Law" includes US State Privacy Laws.
11.3 The following terms apply where Genius Referrals processes personal data subject to the CCPA:
(a) The term "personal information", as used in this Section 11.3, will have the meaning provided in the CCPA;
(b) Genius Referrals is a service provider when processing Customer Content. Genius Referrals will process any personal information contained in Customer Content only for the business purposes set forth in the Agreement, including the purpose of processing and processing activities set forth in this Addendum ("Purpose"). As a service provider, Genius Referrals will not sell or share Customer Content or retain, use, or disclose Customer Content (i) for any purpose other than the Purpose, including retaining, using, or disclosing Customer Content for a commercial purpose other than the Purpose, or as otherwise permitted by the CCPA; or (ii) outside of the direct business relationship between Customer and Genius Referrals;
(c) Genius Referrals will (i) comply with obligations applicable to it as a service provider under the CCPA and (ii) provide personal information with the same level of privacy protection as is required by the CCPA. Customer is responsible for ensuring that it has complied, and will continue to comply, with the requirements of the CCPA in its use of the Services and its own processing of personal information;
(d) Customer will have the right to take reasonable and appropriate steps to help ensure that Genius Referrals uses personal information in a manner consistent with Customer’s obligations under the CCPA;
(e) Genius Referrals will notify Customer if it makes a determination that it can no longer meet its obligations as a service provider under the CCPA;
(f) Upon notice, Customer will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of personal information;
(g) Genius Referrals will provide reasonable additional and timely assistance to assist Customer in complying with its obligations with respect to consumer requests as set forth in the Agreement;
(h) For any sub-processor used by Genius Referrals to process personal information subject to the CCPA, Genius Referrals will ensure that Genius Referrals' agreement with such sub-processor complies with the CCPA, including, without limitation, the contractual requirements for service providers and contractors;
(i) Genius Referrals will not combine Customer Content that it receives from, or on behalf of, Customer, with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, unless such combination is required to perform any business purpose as permitted by the CCPA, including any regulations thereto, or by regulations adopted by the California Privacy Protection Agency; and
(j) Genius Referrals certifies that it understands and will comply with its obligations under the CCPA.
11.4 Genius Referrals acknowledges and confirms that it does not receive Customer Content as consideration for any Services provided to Customer.
1. Australia:
1.1 The definition of "Applicable Data Protection Law" includes the Australian Privacy Principles and the Australian Privacy Act (1988).
1.2 The definition of "personal data" includes "Personal Information" as defined under Applicable Data Protection Law.
1.3 The definition of "Sensitive Data" includes "Sensitive Information" as defined under Applicable Data Protection Law.
2. Brazil:
2.1 The definition of "Applicable Data Protection Law" includes the Lei Geral de Proteção de Dados (General Personal Data Protection Act).
2.2 The definition of "Security Incident" includes a security incident that may result in any relevant risk or damage to data subjects.
2.3 The definition of "processor" includes "operator" as defined under Applicable Data Protection Law.
3. Canada:
3.1 The definition of "Applicable Data Protection Law" includes the Federal Personal Information Protection and Electronic Documents Act.
3.2 Genius Referrals' sub-processors, as set forth in Section 7 (Sub-processors) of this Addendum, are third parties under Applicable Data Protection Law, with whom Genius Referrals has entered into a written contract that includes terms substantially similar to this Addendum. Genius Referrals has conducted appropriate due diligence on its sub-processors.
3.3 Genius Referrals will implement technical and organizational measures as set forth in Section 11 (Security) of this Addendum.
4. European Economic Area (EEA):
4.1 The definition of "Applicable Data Protection Law" includes the General Data Protection Regulation (EU 2016/679) ("GDPR").
4.2 When Genius Referrals engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the European Union has declared to have an “adequate” level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
4.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party's indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
4.4 Customer acknowledges that Genius Referrals, as a controller, may be required under Applicable Data Protection Law to notify a regulatory authority of Security Incidents involving Customer Usage Data. If a regulatory authority requires Genius Referrals to notify impacted data subjects with whom Genius Referrals does not have a direct relationship (e.g., Customer's end users), Genius Referrals will notify Customer of this requirement. Customer will provide reasonable assistance to Genius Referrals to notify the impacted data subjects.
5. Israel:
5.1 The definition of "Applicable Data Protection Law" includes the Protection of Privacy Law.
5.2 The definition of "controller" includes "Database Owner" as defined under Applicable Data Protection Law.
5.3 The definition of "processor" includes “Holder” as defined under Applicable Data Protection Law.
5.4 Genius Referrals will require that any personnel authorized to process Customer Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Genius Referrals in accordance with Section 6 (Confidentiality) of this Addendum.
5.5 Genius Referrals must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 11 (Security) of this Addendum and complying with the terms of the Agreement.
5.6 Genius Referrals must ensure that the personal data will not be transferred to a sub-processor unless such sub-processor has executed an agreement with Genius Referrals pursuant to Section 7.1 (Authorization for Onward Sub-processing) of this Addendum.
6. Japan:
6.1 The definition of "Applicable Data Protection Law" includes the Act on the Protection of Personal Information ("APPI").
6.2 The definition of "personal data" includes information about a specific individual applicable under Section 2(1) of the APPI, which Customer entrusts to Genius Referrals during Genius Referrals' provision of the Services to Customer.
6.3 Genius Referrals agrees it has and will maintain a privacy program conforming to the standards prescribed by rules of the Personal Information Protection Commission concerning the handling of personal data pursuant to the provisions of Chapter 4 of the APPI. Accordingly:
(a) Genius Referrals will (i) process personal data as necessary to provide the Services to Customer in accordance with the Agreement and as set forth in Schedule 1 (Details of the Processing) of this Addendum ("Purpose of Use") and (ii) not process personal data for any purpose other than the Purpose of Use without Customer's consent;
(b) Genius Referrals will implement and maintain measures appropriate and necessary to prevent unauthorized disclosure and loss of personal data and for the secure management of personal data in accordance with the APPI as set forth in Section 11 (Security) of this Addendum;
(c) Genius Referrals will notify Customer for (i) a failure to comply with Section 6.3(a) of this Schedule 4 or (ii) Genius Referrals' discovery of a Security Incident impacting Customer Data, in either case, in accordance with Section 11.3 (Security Incident Notification). Genius Referrals will provide reasonable assistance to Customer in the event that Customer is required to notify a regulatory authority or any data subjects impacted by a Security Incident;
(d) Genius Referrals will ensure that any of its employees who have access to personal data (i) have executed employee agreements requiring them to keep such personal data confidential and (ii) who violate confidentiality will be subject to disciplinary action and possible termination; (iii) carry out appropriate employee supervision and training for the secure management of personal data; and (iv) limit the number of authorized personnel, including Genius Referrals' employees, who have access to personal data and control such access such that it is only permitted for the time period necessary for the Purpose of Use;
(e) Genius Referrals will not disclose personal data to any third party, except as Customer has authorized Genius Referrals to do so in the Agreement. When engaging sub-processors, Genius Referrals will comply with the obligations in Section 7 (Sub-processors) of this Addendum to ensure that procedures are in place to maintain the confidentiality and security of personal data;
(f) Genius Referrals will keep records of the handling of personal data entrusted to it by, and performed for, Customer;
(g) Genius Referrals will promptly notify Customer of any Third Party Request and not respond to such Third Party Request without Customer's prior consent, except as legally required to do so or to confirm that such Third Party Request relates to Customer. To the extent Customer does not have the ability to resolve a Third Party Request from a data subject through the self-service features made available via the Services, then, upon Customer's request, Genius Referrals will provide reasonable cooperation and support to assist Customer in resolving such Third Party Request from a data subject in accordance with Section 8 (Data Subject Rights) of this Addendum;
(h) Unless prohibited by applicable law or regulation, Genius Referrals will promptly notify Customer of any Third Party Request that requires Genius Referrals to disclose personal data on order or disposition of any governmental authority or court of law. Genius Referrals will limit any personal data provided to the minimum extent required and strictly for the required purpose;
(i) Customer may assess Genius Referrals' compliance with its obligations under Applicable Data Protection Law and as set forth in Section 12 (Audits) of this Addendum. In addition, Genius Referrals will respond to any Customer inquiries or questionnaires relating to Genius Referrals' processing of personal data under the Agreement in good faith and within a reasonable period of time. Customer may direct APPI-related inquiries to privacy@geniusreferrals.com. Genius Referrals will identify its Chief Privacy Officer upon written request;
(j) Genius Referrals will provide reasonable cooperation to Customer upon written request, where Customer is reporting to the Personal Information Protection Commission or other regulatory authorities; and
(k) Genius Referrals' primary processing facilities are located in the United States of America. Genius Referrals will notify customer of any Processing Location change and provide Customer the opportunity to object in accordance with, respectively, Section.
7.2 (Current Sub-processors and Notification of Sub-process or Changes) and Section 7.3 (Objection Right for new Sub-processors) of this Addendum. Where Genius Referrals processes personal data in a country other than Japan, Genius Referrals will ensure it complies with its privacy program as described in this Addendum. Genius Referrals will promptly notify Customer of any changes in applicable law and regulation that may materially affect Genius Referrals' obligations with respect to the processing of personal data, and in such case, Customer may, at its discretion, suspend the transfer of personal data.
6.4 The following data subject consent terms apply:
(a) Customer entrusts Genius Referrals with personal data for the Purpose of Use. Customer agrees that Genius Referrals is not a "third party" as the term is used in the APPI provisions that restrict the provision of personal data to third parties. As such, the requirement to obtain data subject consent in advance for domestic transfers within Japan do not apply;
(b) Customer agrees that Genius Referrals privacy program set forth in Section 6.3 of this Schedule 3 meets the equivalent standards prescribed by the Personal Information Protection Commission and the APPI. As such, the APPI restrictions on the provision of personal data to third parties in foreign countries outside of Japan, which require data subject consent in advance of such international transfers do not apply. Customer may take the necessary actions set forth in Section 6.3(h) of this Schedule 3 to ensure continuous implementation of Genius Referrals privacy program and respond to Third Party Requests from data subjects.
7. Mexico:
7.1 The definition of "Applicable Data Protection Law" includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations.
7.2 When acting as a processor, Genius Referrals will:
(a) treat personal data in accordance with Customer's instructions set forth in Section 5 (Customer Instructions) of this Addendum;
(b) process personal data only to the extent necessary to provide the Services;
(c) implement security measures in accordance with Applicable Data Protection Law and Section 11 (Security) of this Addendum;
(d) keep confidentiality regarding the personal data processed in accordance with the Agreement;
(e) delete all personal data upon termination of the Agreement in accordance with Section 10 (Return or Deletion of Customer Content) of this Addendum; and
(f) only transfer personal data to sub-processors in accordance with Section 7 (Sub-processors) of this Addendum.
8. Singapore:
8.1 The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 ("PDPA").
8.2 Genius Referrals will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 11 (Security) of this Addendum and complying with the terms of the Agreement.
9. Switzerland:
9.1 The definition of "Applicable Data Protection Law" includes the Swiss Federal Act on Data Protection, as revised ("FADP").
9.2 When Genius Referrals engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular, providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that Switzerland has declared to have an "adequate" level of protection or (ii) only process personal data on terms equivalent to the EU Standard Contractual Clauses or pursuant to a Binding Corporate Rules approval granted by competent European Union data protection authorities.
9.3 To the extent that personal data transfers from Switzerland are subject to the EU Standard Contractual Clauses in accordance with Section 2.2 of Schedule 3 (Cross Border Data Transfer Mechanisms), the following amendments will apply to the EU Standard Contractual Clauses:
(a) references to “EU Member State” and "Member State" will be interpreted to include Switzerland, and
(b) insofar as the transfer or onward transfers are subject to the FADP:
(i) references to "Regulation (EU) 2016/679" are to be interpreted as references to the FADP;
(ii) the "competent supervisory authority" in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
(iii) in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
(iv) in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
10. United Kingdom (UK):
10.1 References in this Addendum to "GDPR" will be deemed references to the corresponding laws and regulations of the United Kingdom, including, without limitation, the UK GDPR and Data Protection Act 2018.
10.2 When Genius Referrals engages a sub-processor under Section 7.1 (Authorization for Onward Sub-processing) of this Addendum, it will:
(a) require any appointed sub-processor to protect the Customer Content to the standard required by Applicable Data Protection Law, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR, and
(b) require any appointed sub-processor to (i) agree in writing to only process personal data in a country that the United Kingdom has declared to have an "adequate" level of protection or (ii) only process personal data on terms equivalent to the UK International Data Transfer Agreement or pursuant to a Binding Corporate Rules approval granted by competent United Kingdom data protection authorities.
10.3 Notwithstanding anything to the contrary in this Addendum or in the Agreement (including, without limitation, either party's indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.
10.4 Customer acknowledges that Genius Referrals, as a controller, may be required under Applicable Data Protection Law to notify a regulatory authority of Security Incidents involving Customer Usage Data. If a regulatory authority requires Genius Referrals to notify impacted data subjects with whom Genius Referrals does not have a direct relationship (e.g., Customer's end users), Genius Referrals will notify Customer of this requirement. Customer will provide reasonable assistance to Genius Referrals to notify the impacted data subjects.
11. United States of America:
11.1 "US State Privacy Laws" mean all state laws relating to the protection and processing of personal data in effect in the United States of America, which may include, without limitation, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and the Utah Consumer Privacy Act.
11.2 The definition of "Applicable Data Protection Law" includes US State Privacy Laws.
11.3 The following terms apply where Genius Referrals processes personal data subject to the CCPA:
(a) The term "personal information", as used in this Section 11.3, will have the meaning provided in the CCPA;
(b) Genius Referrals is a service provider when processing Customer Content. Genius Referrals will process any personal information contained in Customer Content only for the business purposes set forth in the Agreement, including the purpose of processing and processing activities set forth in this Addendum ("Purpose"). As a service provider, Genius Referrals will not sell or share Customer Content or retain, use, or disclose Customer Content (i) for any purpose other than the Purpose, including retaining, using, or disclosing Customer Content for a commercial purpose other than the Purpose, or as otherwise permitted by the CCPA; or (ii) outside of the direct business relationship between Customer and Genius Referrals;
(c) Genius Referrals will (i) comply with obligations applicable to it as a service provider under the CCPA and (ii) provide personal information with the same level of privacy protection as is required by the CCPA. Customer is responsible for ensuring that it has complied, and will continue to comply, with the requirements of the CCPA in its use of the Services and its own processing of personal information;
(d) Customer will have the right to take reasonable and appropriate steps to help ensure that Genius Referrals uses personal information in a manner consistent with Customer’s obligations under the CCPA;
(e) Genius Referrals will notify Customer if it makes a determination that it can no longer meet its obligations as a service provider under the CCPA;
(f) Upon notice, Customer will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of personal information;
(g) Genius Referrals will provide reasonable additional and timely assistance to assist Customer in complying with its obligations with respect to consumer requests as set forth in the Agreement;
(h) For any sub-processor used by Genius Referrals to process personal information subject to the CCPA, Genius Referrals will ensure that Genius Referrals' agreement with such sub-processor complies with the CCPA, including, without limitation, the contractual requirements for service providers and contractors;
(i) Genius Referrals will not combine Customer Content that it receives from, or on behalf of, Customer, with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, unless such combination is required to perform any business purpose as permitted by the CCPA, including any regulations thereto, or by regulations adopted by the California Privacy Protection Agency; and
(j) Genius Referrals certifies that it understands and will comply with its obligations under the CCPA.
11.4 Genius Referrals acknowledges and confirms that it does not receive Customer Content as consideration for any Services provided to Customer.