LAST UPDATED:
THIS DATA PROCESSING ADDENDUM (this “DPA”) forms part of the Agreement by and between MH Sub I, LLC (“Company”) and You (“Affiliate Partner”) as identified in the Agreement or Order form (the “Agreement”) and will be effective on the later of (i) the effective date of the Agreement; or (ii) the date Affiliate Partner processes any Company Personal Data (defined below). All capitalized terms not defined in this DPA have the meanings set forth in the Agreement.
WHEREAS, Affiliate Partner collects Personal Data from data subjects in connection with its business activities;
WHEREAS, Affiliate Partner transfers certain Personal Data to Company for Company’s own business purposes;
WHEREAS, the Parties wish to document their respective roles and responsibilities with respect to such Personal Data and to comply with applicable Data Protection Laws;
NOW, THEREFORE, in consideration of the mutual covenants set forth herein, the Parties agree as follows:
1. DEFINITIONS
1.1 “Applicable Data Protection Laws” means all applicable laws, regulations, and binding guidance relating to privacy, data protection, and electronic communications, including without limitation: (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (b) the UK GDPR and UK Data Protection Act 2018; (c) the California Consumer Privacy Act and California Privacy Rights Act (collectively, “CCPA”); (d) other U.S. state privacy laws; and (e) other applicable national, federal, state, provincial, or local laws.
1.2 “Controller” has the meaning given in the GDPR and equivalent terms under other Applicable Data Protection Laws (e.g., “business” under CCPA).
1.3 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
1.4 “EEA” means the European Economic Area.
1.5 “Personal Data” means any information relating to an identified or identifiable natural person that is transferred from Affiliate Partner to Company pursuant to the Agreement, including but not limited to: names, email addresses, phone numbers, postal addresses, IP addresses, unique identifiers, demographic information, and any other data that constitutes personal data, personal information, or personally identifiable information under Applicable Data Protection Laws.
1.6 “Processing” has the meaning given in Applicable Data Protection Laws and includes any operation performed on Personal Data, including collection, recording, organization, structuring, storage, use, disclosure, transfer, deletion, or destruction.
1.7 “Processor” has the meaning given in Applicable Data Protection Laws and equivalent terms (e.g., “service provider” under CCPA).
1.8 “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.9 “Transfer” means the transmission, provision, or making available of Personal Data by Affiliate Partner to Company, including by upload, API, file transfer, email, or any other method.
2. ROLES AND RESPONSIBILITIES
2.1 Controller Status Prior to Transfer.
The Parties acknowledge and agree that, prior to the Transfer of Personal Data to Company, Affiliate Partner acts as the Controller of such Personal Data. During this period, Affiliate Partner shall be solely responsible for:
(a) Compliance with all Applicable Data Protection Laws applicable to its collection and Processing of Personal Data;
(b) Providing all required notices and disclosures to Data Subjects, including clear identification of Company as a recipient of Personal Data and the purposes for which Company will Process such data;
(c) Obtaining all necessary consents, authorizations, or other lawful bases required for Affiliate Partner’s Processing and for the Transfer of Personal Data to Company;
(d) Ensuring the accuracy and lawfulness of all Personal Data prior to Transfer;
(e) Responding to Data Subject requests, complaints, and inquiries relating to Processing that occurred prior to Transfer;
(f) Implementing appropriate technical and organizational security measures to protect Personal Data in Affiliate Partner’s possession; and
(g) Maintaining records of Processing activities as required by Applicable Data Protection Laws.
2.2 Controller Status After Transfer.
The Parties acknowledge and agree that, upon and following Transfer of Personal Data to Company, Company acts as an independent Controller of such Personal Data for its own purposes. Following Transfer, Company shall be solely responsible for:
(a) Compliance with all Applicable Data Protection Laws applicable to its Processing of the Personal Data;
(b) Determining the purposes and means of Processing the Personal Data;
(c) Providing any supplemental notices to Data Subjects as required by law (Company may rely on notices provided by Affiliate Partner at the point of collection, provided such notices adequately describe Company’s Processing);
(d) Responding to Data Subject requests relating to Company’s Processing;
(e) Implementing appropriate technical and organizational security measures to protect Personal Data in Company’s possession;
(f) Maintaining records of Processing activities as required by Applicable Data Protection Laws; and
(g) Ensuring that any onward disclosure or sharing of Personal Data complies with Applicable Data Protection Laws.
2.3 Independent Controllers.
The Parties acknowledge that they act as independent Controllers and not as joint controllers. Each Party independently determines the purposes and means of its own Processing. Neither Party acts as a Processor on behalf of the other Party with respect to the Personal Data transferred under this DPA, unless otherwise expressly agreed in a separate written agreement.
2.4 Point of Transfer.
For purposes of this DPA, the Transfer shall be deemed complete when Personal Data has been transmitted by Affiliate Partner and received and is accessible by Company (the “Transfer Date”). Prior to the Transfer Date, Affiliate Partner is the Controller; on and after the Transfer Date, Company is the Controller.
3. AFFILIATE PARTNER OBLIGATIONS
3.1 Lawfulness of Transfer.
Affiliate Partner represents, warrants, and covenants that:
(a) All Personal Data Transferred to Company has been collected and Processed lawfully and in compliance with all Applicable Data Protection Laws;
(b) Affiliate Partner has provided Data Subjects with clear, conspicuous, and legally adequate notice that:
(i) identifies Company as a recipient or category of recipient of Personal Data;
(ii) describes the purposes for which Company will Process the Personal Data;
(iii) describes the categories of Personal Data being shared;
(iv) informs Data Subjects of their rights under Applicable Data Protection Laws, including the right to opt-out, access, delete, or correct Personal Data, as applicable; and
(v) includes a link to or copy of Company’s privacy notice, if required by Applicable Data Protection Laws;
(c) Affiliate Partner has obtained all necessary consents, authorizations, or has established another lawful basis (e.g., legitimate interest, contract performance) for the Transfer and Company’s Processing, as required by Applicable Data Protection Laws;
(d) The Transfer and Company’s intended Processing do not violate any Data Subject’s rights or any restrictions or objections communicated by Data Subjects;
(e) Affiliate Partner has not received any notice, complaint, or inquiry from a Data Subject, regulator, or other third party that would prohibit or restrict the Transfer;
(f) Affiliate Partner has the right and authority to Transfer the Personal Data to Company without violating any agreement, law, regulation, court order, or other obligation; and
(g) The Personal Data Transferred does not include any data of children under the applicable age of digital consent (e.g., under 16 in the EEA, under 13 in the U.S. under COPPA) unless Affiliate Partner has obtained verifiable parental consent and has disclosed this fact to Company in writing prior to Transfer.
3.2 Consent and Notice Records.
Upon Company’s request, Affiliate Partner shall provide Company with:
(a) Copies of the privacy notices, consent language, and other disclosures provided to Data Subjects at the point of collection;
(b) Evidence of consents or other lawful bases for Processing and Transfer (including timestamps, IP addresses, methods of consent capture, and confirmation records);
(c) Documentation demonstrating compliance with Applicable Data Protection Laws; and
(d) Any other information reasonably necessary for Company to verify Affiliate Partner’s compliance with this DPA and Applicable Data Protection Laws.
Such records shall be retained by Affiliate Partner for the longer of (i) the period required by Applicable Data Protection Laws, or (ii) three (3) years following the Transfer Date.
3.3 Data Minimization and Accuracy.
Affiliate Partner shall:
(a) Transfer only Personal Data that is adequate, relevant, and limited to what is necessary for the purposes communicated to Data Subjects and agreed with Company;
(b) Ensure that all Personal Data is accurate, complete, and up-to-date as of the Transfer Date; and
(c) Promptly notify Company of any inaccuracies, corrections, deletions, or opt-outs communicated by Data Subjects prior to or promptly after Transfer.
3.4 Prohibited Data.
Affiliate Partner shall not Transfer to Company:
(a) Special categories of Personal Data (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation) unless expressly agreed in writing by Company in advance and lawful bases and additional safeguards are in place;
(b) Personal Data of individuals who have opted out, objected to, or withdrawn consent for such Transfer or for Company’s Processing, unless required by law; or
(c) Personal Data obtained unlawfully, fraudulently, or in violation of any applicable law or agreement.
4. COMPANY OBLIGATIONS
4.1 Lawfulness of Processing.
Company represents, warrants, and covenants that:
(a) Company will Process the Personal Data only for the purposes disclosed to Data Subjects (either directly by Company or via Affiliate Partner’s notices) and in compliance with all Applicable Data Protection Laws;
(b) Company will not Process Personal Data in a manner incompatible with the purposes for which it was collected and Transferred, unless Company obtains a new lawful basis (e.g., separate consent from Data Subjects);
(c) Company will implement and maintain a privacy notice that accurately describes its data practices and is accessible to Data Subjects; and
(d) Company will establish and maintain appropriate lawful bases for its Processing.
4.2 Purpose Limitation.
Company shall Process Personal Data only for the following purposes (the “Permitted Purposes”):
(a) To provide products, services, or information requested by Data Subjects;
(b) To send marketing and promotional communications in accordance with applicable law and Data Subject preferences;
(c) To analyze and improve Company’s products, services, and customer experience;
(d) To detect, prevent, and respond to fraud, security incidents, and illegal activity;
(e) To comply with legal obligations, court orders, and law enforcement requests; and
(f) For other purposes consistent with the notices provided to Data Subjects or as permitted or required by Applicable Data Protection Laws.
Company shall not use the Personal Data for purposes materially different from the Permitted Purposes without (i) providing Data Subjects with notice and an opportunity to opt-out or object, or (ii) obtaining Data Subject consent, as required by Applicable Data Protection Laws.
4.3 Retention and Deletion.
Company shall:
(a) Retain Personal Data only for as long as necessary to fulfill the Permitted Purposes or as required by Applicable Data Protection Laws;
(b) Establish and document retention periods and deletion procedures;
(c) Securely delete or anonymize Personal Data when no longer needed for a business purpose, unless retention is required by law.
5. DATA SUBJECT RIGHTS
5.1 Affiliate Partner Responsibilities (Pre-Transfer).
Affiliate Partner shall respond to and fulfill all Data Subject requests (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, opt-out) relating to Processing that occurred prior to the Transfer Date.
5.2 Company Responsibilities (Post-Transfer).
Company shall respond to and fulfill all Data Subject requests relating to Company’s Processing following the Transfer Date, in accordance with Applicable Data Protection Laws and within the timeframes required by law.
5.3 Cooperation.
If either Party receives a Data Subject request that relates to the other Party’s Processing, the receiving Party shall:
(a) Promptly forward the request to the other Party;
(b) Not respond to the request on behalf of the other Party without that Party’s prior written authorization; and
(c) Reasonably cooperate and assist the other Party in responding to the request, including by providing relevant information in the receiving Party’s possession.
5.4 Opt-Outs and Objections.
Each Party shall maintain mechanisms for Data Subjects to exercise opt-out, objection, and consent withdrawal rights. Affiliate Partner shall not Transfer Personal Data of any Data Subject who has opted out of such Transfer or Company’s Processing. If Company receives an opt-out or objection applicable to Affiliate Partner’s Processing, Company shall promptly notify Affiliate Partner. If Affiliate Partner receives an opt-out or objection applicable to Company’s Processing, Affiliate Partner shall promptly notify Company, and Company shall honor such opt-out or objection in accordance with Applicable Data Protection Laws.
6. SECURITY
6.1 Security Measures.
Each Party shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents, including:
(a) Regular security testing, monitoring, and logging;
(b) Employee training on data protection and security;
(c) Incident response and business continuity plans;
(d) Vendor and subcontractor management (including due diligence and contractual safeguards); and
(e) Physical and environmental security controls.
The measures implemented shall be appropriate to the risk presented by the Processing and the nature of the Personal Data, taking into account the state of the art, costs of implementation, and the likelihood and severity of risks to Data Subject rights and freedoms.
6.2 Security Incident Notification.
Each Party shall notify the other Party without undue delay, and in any event within seventy-two (72) hours (or such shorter period as required by Applicable Data Protection Laws or reasonably requested by the other Party), after becoming aware of a Security Incident affecting Personal Data for which the other Party is or may be the Controller. Such notification shall include (to the extent known at the time of notification):
(a) A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected;
(b) The name and contact details of the notifying Party’s point of contact for further information;
(c) A description of the likely consequences of the Security Incident;
(d) A description of measures taken or proposed to address the Security Incident and mitigate its potential adverse effects; and
(e) Any other information reasonably requested by the other Party or required by Applicable Data Protection Laws.
Each Party shall cooperate with the other Party and with regulatory authorities in investigating and responding to Security Incidents, and shall take prompt action to mitigate harm.
6.3 Security Audits.
Upon reasonable written notice (at least thirty (30) days in advance), and no more than once per calendar year (unless required by a regulator or in response to a Security Incident), each Party may audit or engage a qualified third-party auditor to audit the other Party’s compliance with the security obligations in this Section 6. Audits shall be conducted during normal business hours, shall not unreasonably interfere with the audited Party’s operations, and shall be subject to reasonable confidentiality obligations. The auditing Party shall bear its own costs unless the audit reveals material non-compliance, in which case the audited Party shall reimburse the reasonable costs of the audit.
7. SUBPROCESSORS AND ONWARD TRANSFERS
7.1 Company’s Use of Subprocessors.
Company may engage third-party service providers, processors, or sub-processors (“Subprocessors”) to Process Personal Data on Company’s behalf, provided that:
Company imposes on each Subprocessor contractual obligations including with respect to security, confidentiality, and Applicable Data Protection Laws.
7.2 Onward Disclosure as Controller.
Company may disclose Personal Data to third parties where Company acts as a Controller (not a Processor), including:
(a) To Company’s affiliates, subsidiaries, and corporate family members for the Permitted Purposes;
(b) To service providers, vendors, and business partners that Process Personal Data on Company’s behalf or as independent Controllers;
(c) In connection with a merger, acquisition, sale of assets, or other corporate transaction, provided that the recipient agrees to protect Personal Data in accordance with this DPA and Applicable Data Protection Laws;
(d) To comply with legal obligations, court orders, law enforcement requests, or to protect Company’s rights and property; or
(e) With Data Subject consent or as otherwise permitted or required by Applicable Data Protection Laws.
All such disclosures shall comply with Applicable Data Protection Laws and, where applicable, with the notices provided to Data Subjects.
8. REGULATORY COOPERATION AND INQUIRIES
8.1 Data Protection Impact Assessments (DPIAs).
If required by Applicable Data Protection Laws, each Party shall conduct and document Data Protection Impact Assessments for its Processing. Each Party shall, upon reasonable request, provide the other Party with information reasonably necessary for the other Party to conduct its own DPIA.
8.2 Cooperation with Supervisory Authorities.
Each Party shall cooperate with competent supervisory authorities and comply with any binding decisions, orders, or guidance issued by such authorities. If a supervisory authority orders suspension or prohibition of a Transfer, the affected Party shall promptly notify the other Party, and the Parties shall work together in good faith to implement alternative solutions or, if necessary, suspend or terminate the Transfer.
9. REPRESENTATIONS AND WARRANTIES
9.1 Mutual Representations and Warranties.
Each Party represents and warrants to the other that:
(a) It has the legal right and authority to enter into this DPA and perform its obligations hereunder;
(b) It will comply with all Applicable Data Protection Laws applicable to its role as Controller;
(c) It has implemented and maintains appropriate technical and organizational measures to protect Personal Data;
(d) It has appointed (where required by law) a data protection officer or privacy officer and has designated representatives in relevant jurisdictions; and
(e) As of the Effective Date, it is not subject to any order, investigation, or enforcement action by a regulatory authority that would prohibit or restrict its Processing of Personal Data under this DPA.
9.2 Affiliate Partner-Specific Warranties.
Affiliate Partner further represents and warrants that:
(a) All Personal Data Transferred to Company has been collected and Processed lawfully and in compliance with all Applicable Data Protection Laws;
(b) Affiliate Partner has provided Data Subjects with adequate notice and has obtained all necessary consents or established other lawful bases for the Transfer and Company’s Processing;
(c) The Transfer and Company’s Processing do not violate any Data Subject rights, opt-outs, objections, or restrictions; and
(d) Affiliate Partner has the right to Transfer the Personal Data to Company without violating any law, regulation, agreement, or other obligation.
10. TERM AND TERMINATION
10.1 Term.
This DPA shall commence on the Effective Date and shall continue for so long as Affiliate Partner Transfers Personal Data to Company or Company Processes Personal Data Transferred by Affiliate Partner, unless earlier terminated in accordance with this Section 11.
10.2 Termination for Breach.
Either Party may terminate this DPA immediately upon written notice if the other Party materially breaches this DPA and fails to cure such breach within thirty (30) days of receiving written notice thereof (or such shorter period as may be required by Applicable Data Protection Laws or a regulatory authority).
10.3 Termination of Underlying Agreement.
If the Agreement is terminated or expires, this DPA shall remain in effect with respect to any Personal Data Transferred prior to such termination or expiration until such Personal Data is returned, deleted, or anonymized in accordance with Section 11.4.
11.4 Effect of Termination.
Upon termination of this DPA or upon Affiliate Partner’s written request:
(a) Affiliate Partner shall immediately cease Transferring Personal Data to Company;
(b) Company shall, at Affiliate Partner’s election (specified in writing):
(i) Securely delete or anonymize all Personal Data Transferred by Affiliate Partner (and provide written certification of such deletion or anonymization within thirty (30) days); or
(ii) Return all Personal Data to Affiliate Partner in a commonly used, machine-readable format;
(c) Each Party shall return or destroy all Confidential Information of the other Party (subject to any retention required by law or the Agreement);
(d) The provisions of Sections 5.2 (Company’s obligations to respond to Data Subject requests relating to Company’s Processing), 6 (Security), 8 (Regulatory Cooperation), 9 (Representations and Warranties), and 11.4 (Effect of Termination) shall survive termination to the extent necessary to address matters arising from Processing that occurred prior to termination or as required by Applicable Data Protection Laws; and
(e) Notwithstanding the foregoing, Company may retain Personal Data to the extent and for the period required by Applicable Data Protection Laws, provided that Company continues to protect such Personal Data in accordance with this DPA and Applicable Data Protection Laws and Processes it only to the extent necessary to comply with such legal obligations.
12. GENERAL PROVISIONS
12.1 Relationship to Agreement.
This DPA supplements the Agreement. In the event of any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA shall prevail. For all other matters, the Agreement shall govern.
12.2 Amendments.
This DPA may be amended only by written agreement signed by both Parties; provided, however, that if Applicable Data Protection Laws or regulatory guidance require modifications to this DPA, either Party may propose such modifications in writing, and the Parties shall negotiate in good faith to implement the required changes. If the Parties cannot agree on required modifications within thirty (30) days, either Party may terminate this DPA upon written notice.
12.3 Severability.
If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the Parties’ intent. If such modification is not possible, the Parties shall negotiate in good faith to replace the invalid provision with a valid provision that achieves the intended purpose.
12.6 Entire Agreement.
This DPA, together with the Agreement and any exhibits or annexes hereto, constitutes the entire agreement between the Parties with respect to the Processing of Personal Data and supersedes all prior or contemporaneous understandings or agreements, whether written or oral, regarding such subject matter.
12.7 Counterparts and Electronic Signatures.
This DPA may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one and the same instrument. Electronic signatures shall have the same legal force and effect as original signatures.