This Data Processing Addendum (“DPA”) amends and forms part of the Subscription Services Agreement (the “Agreement”) between Vessel management LLC, MMV (“Company”) and Customer. This DPA prevails over any conflicting term of the Agreement but does not otherwise modify the Agreement.
1. Definitions
1.1. In this DPA:
a) “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in the GDPR;
b) “Customer Personal Data” means any Customer Data that constitutes Personal Data, the Processing of which is subject to Data Protection Law, for which Customer is the Controller, and which is Processed by Company to provide the Services;
c) “Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area (“EEA”), Switzerland and the United Kingdom, each as applicable, and as may be amended or replaced from time to time; and the Health Insurance Portability and Accountability Act (“HIPAA”), the California Consumer Privacy Act (“CCPA”) or any other laws, rules or regulations applicable to the Processing or protection of Customer Personal Data;
d) “Data Subject Rights” means Data Subjects’ rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law;
e) “Personal Data” means any information relating to: (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws), which is provided as Customer Data.
“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of Personal Data via the Services from the EEA either directly or via onward transfer, to any country or recipient outside of the EEA not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data via the Services from the United Kingdom either directly or via onward transfer, to any country or recipient outside of the UK not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) a transfer of Personal Data via the Services from Switzerland either directly or via onward transfer, to any country or recipient outside of the EEA and/or Switzerland not subject to an adequacy determination by the European Commission;
f) “Services” means the services provided by Company to Customer under the Agreement;
g) “Sub-processor” means a Processor engaged by Company to Process Customer Personal Data; and
h) “Standard Contractual Clauses” means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries and published at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN (EU SCCs); (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (UK SCCs); and (iii) where Personal Data is transferred from Switzerland to outside of Switzerland or the EEA, the EU SCCs as amended in accordance with guidance from the Swiss Data Protection Authority (Swiss SCCs).
1.2. Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
2. Scope and Applicability
2.1 This DPA applies to Processing of Customer Personal Data by Company to provide the Services.
2.2 The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Appendix 2.
2.3 Customer is a Controller and appoints Company as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
2.4 Company as a Processor is responsible for compliance with the requirements of Data Protection Law applicable to Processors.
2.5 Customer acknowledges that Company may Process Customer Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Company is the Controller for such Processing and will Process such data in accordance with Data Protection Law.
3. Instructions
3.1. Company will Process Customer Personal Data to provide the Services and in accordance with Customer’s documented instructions.
3.2. The Controller’s instructions are documented in this DPA, the Agreement, and any applicable statement of work.
3.3. Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Company may charge a reasonable fee to comply with any additional instructions and will use commercially reasonable efforts to comply with such additional instructions.
3.4. Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer’s documented instructions.
4. Confidentiality
4.1 All Customer Personal Data provided to Company by Customer or obtained by the Company in the course of its work with Customer is strictly confidential and may not be copied, disclosed, or processed in any way except as required to provide the Services.
5. Security and Personal Data Breaches
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which measures are set forth in Appendix 3.
5.2. Customer acknowledges that the security measures in Appendix 3 are appropriate in relation to the risks associated with Customer’s intended Processing.
5.3. Company will notify Customer without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company’s notification is delayed, it will be accompanied by reasons for the delay.
6. Sub-Processing
6.1. Customer hereby authorizes Company to engage Sub-processors. A list of Company’s current Sub-processors is included in Appendix 1.
6.2. Company will enter into a written agreement with Sub-processors which imposes the same obligations as required by Data Protection Law.
6.3. Company will notify Customer prior to any intended change to Sub-processors. Customer may object to the addition of a Sub-processor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Company’s notification of the intended change. Customer and Company will work together in good faith to address Customer’s objection. If Company chooses to retain the Sub-processor, Company will inform Customer at least thirty (30) days before authorizing the Sub-processor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services and may terminate the relevant parts of the Services within thirty (30) days.
7. Assistance
7.1. Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer’s own obligations under Data Protection Law to comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
7.2. Company will maintain records of Processing of Customer Personal Data in accordance with Data Protection Law.
7.3. Company may charge a reasonable fee for assistance under this Section 7.
8. Audit, Inspection and Compliance
8.1. Upon reasonable request, Company must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once a year by Customer and performed by an independent auditor as agreed upon by Customer and Company. The Audit shall only extend to those documents relevant and material to the Processing of Customer Personal Data and shall be conducted during normal business hours and in a manner that causes minimal disruption.
8.2. Company will inform Customer if Company believes that Customer’s instruction under Section 8.1 infringes Data Protection Law. Company may suspend the audit or inspection, or withhold requested information until Company has modified or confirmed the lawfulness of the instructions in writing.
8.3. Company and Customer each bear their own costs related to an audit.
9. Restricted Transfers
a. The parties agree that, when the transfer of Personal Data from Customer to Company or from Company to a Sub-processor is a Restricted Transfer, it will be subject to the applicable Standard Contractual Clauses.
b. The parties agree that the EU SCCs apply to Restricted Transfers from the EEA. The EU SCCs are deemed entered into (and incorporated into this DPA by reference) and completed as follows:
i. Module Two (Controller to Processor) applies where Customer is a Controller of Customer Data and Company is processing Customer Data;
ii. Module Three (Processor to Processor) applies where Company is a Processor of Customer Data and Company uses a Sub-processor to process Customer Data;
iii. Module Four (Processor to Controller) does not apply;
iv. in Clause 7 of the EU SCCs, the optional docking clause will not apply;
v. in Clause 9 of the EU SCCs, Option 2 applies, and the time period for notice of Sub-processors must be as set out in Section 6.3 of this DPA;
vi. in Clause 11 of the EU SCCs, the optional language does not apply;
vii. in Clause 17 of the EU SCCs, Option 1 applies, the EU SCCs are governed by Irish law, and for the Swiss SCCs, Swiss law;
viii. in Clause 18(b) of the EU SCCs, disputes must be resolved by: the courts of Ireland for the EU SCCs, and the courts of Switzerland for the Swiss SCCs;
ix. Annex I of the EU SCCs are deemed completed with the information set out in Appendix 2 of this DPA; and
x. Annex II of the EU SCCs are deemed completed with the information set out in Appendix 3 of this DPA.
c. The parties agree that the EU SCCs as amended in clause 9(b) above, shall be adjusted as set out below where the FDPA applies to any Restricted Transfer:
i. The Swiss Federal Data Protection and Information Commissioner (FDPIC) shall be the sole Supervisory Authority for Restricted Transfers exclusively subject to the FDPA;
ii. The term ’member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs;
iii. Where Restricted Transfers are exclusively subject to the FDPA, all references to the GDPR in the EU SCCs are to be understood to be references to the FDPA;
iv. Where Restricted Transfers are subject to both the FDPA and the EU GDPR, all references to the GDPR in the EU SCCs are to be understood to be references to the FDPA insofar as the Restricted Transfers are subject to the FDPA; and
v. The Swiss SCCs also protect the Personal Data of legal entities until the entry into force of the revised FDPA.
d. The parties agree that the UK SCCs apply to Restricted Transfers from the UK and the UK SCCs are deemed entered into (and incorporated into this DPA by reference), completed as follows: (i) Appendix 1 of the UK SCCs are deemed completed with the information set out in Appendix 2 of this DPA; and (ii) Appendix 2 of the UK SCCs are deemed completed with the information set out in Appendix 3 of this DPA.
e. If any provision of this DPA contradicts any Standard Contractual Clauses, the provisions of the applicable Standard Contractual Clauses prevail over this DPA.
10. Notifications
10.1 Customer will send all notifications under this DPA to support@managemyvessel.com.
11. Termination and return or deletion
11.1. This DPA is terminated upon the termination of the Agreement.
11.2. Customer may request return of Customer Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Company will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.
12. Modification of this DPA
12.1. This DPA may only be modified by a written amendment signed by both Company and Customer.
13. Invalidity and Severability
If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
14. Liability
a. The limitations of liability in the Agreement apply to all claims related to or arising under this DPA.
15. General
a. This DPA sets out the entire understanding of the parties, and supersedes all prior and contemporaneous agreements and understandings, with regards to the subject matter. No modification or waiver of any term in this DPA is effective unless both parties sign it.
b. Should a provision of this DPA be invalid or become invalid, then the legal effect of the other provisions will be unaffected. A valid provision is deemed to have been agreed upon, which comes closest to what the parties intended commercially and will replace the invalid provision. The same will apply to any omissions.
c. To the extent of any conflict or inconsistency, the following order of precedence applies: the applicable Standard Contractual Clauses, followed by the Agreement, and then this DPA, provided that, in all instances, the disclaimer of damages and limitation of liability in the Agreement applies. Subject to the amendments in this DPA, the Agreement remains in full force and effect.
Appendix 1
Subprocessors
| # | Name | Description |
| | This is intentionally left blank as there are no Sub-processors. | |
Appendix 2
Description of the Processing
1. Data Subjects
Data Processed concern the following categories of Data Subjects:
| # | Category |
| 1 | Employees of Customer, including current employees, temporary staff, interns, and contractors and consultants who perform services for Customer. |
| 2 | Owners, Owners Reps, Owners Office, Guests |
| 3 | Yacht Crew, next of kin |
| 4 | Industry contacts |
2. Categories of Customer Personal Data
The Customer Personal Data Processed concern the following categories of data:
| # | Category |
| 1 | Identification data: name, surname, username, photograph |
| 2 | Contact data: address, phone number, email address |
| 3 | Demographic data: Initials, Age/Date of Birth, place of birth, nationality, marital status, residential status |
| 4 | Government identification: passport, visa, social security number, medical records number |
| 5 | Professional data: qualification, training, CV |
| 6 | Economic and financial data: salary, payroll number, social security number, bank details (name, address, telephone, beneficiary name, beneficiary address, ABA/routing number, bank account number, bank sort code, IBAN, swift code, currency) |
| 7 | Legal data: fraud, bribery |
| 8 | Technical data: IP address, user ID |
| 9 | Next of Kin: name, relationship, email, phone, address |
3. Sensitive data
The Customer Personal Data Processed concern the following special categories of data:
| # | Category |
| 1 | Medical: Emergency contacts, doctor contact, dentist contact, allergies, medical issues, current medications, medical history/major operations/procedures, medical insurance, medical insurance, medical power of attorney (name, phone), immunization records, prophylaxis treatment. |
| 2 | Nationality may reveal race, ethnicity. |
4. Processing operations
The Customer Personal Data will be subject to the following basic Processing activities:
| # | Operation |
| 1 | The processing is an internet-based software service for vessel management. |
| 2 | Storage and hosting take place in Denver, Colorado and Las Vegas, Nevada; both are Tier III datacenters (Tier III: Concurrently Maintainable). See the explanation about tiering levels below. |
| 3 | Access via individual account and complex/strong passwords. |
| 4 | Account and data security controls. All passwords are stored encrypted with Multi-Factor Authentication protection. Accounts are audited periodically. |
| 5 | Data is encrypted in transport, transit, and at rest according to NIST standards. |
| 6 | Multiple redundancies, backups and disaster recovery, e.g. use of real-time VM replication, a distributed file system in real time, and database replication between geographically distanced locations. |
Appendix 3
Security Measures
Company shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks that are presented by the data processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed, including:
- the pseudonymization and encryption of personal data
- the ability to ensure the ongoing confidentiality, integrity and availability and resilience of processing systems and services, including the restoration of any lost, corrupted or unusable personal data using its backup and/or disaster recovery procedures at no cost to the Data Controller
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- appropriate record keeping of all processing undertaken under this Agreement.
The Company shall ensure that each of its employees, agents or subcontractors is made aware of their obligations with regard to the security and protection of the Data and shall require that they enter into binding obligations with the Data Processor in order to maintain the levels of security, protection and confidentiality provided for in this Agreement. All such individuals used by it to provide the services as described above and as defined in the Agreement shall undergo training in the law of data protection and in the care and handling of personal data and have a valid enhanced DBS check/disclosure (where appropriate).
The Company shall not divulge the Data, whether directly or indirectly, to any person, firm or company without the express consent of the Data Controller, except to those of its employees, agents and subcontractors who are engaged in the processing of the Data and are subject to the binding obligations referred to in this Agreement above.