Data Processing Agreement — Tracknow LTD
Updated: December 10, 2024
This Data Processing Agreement (“Agreement”) forms part of the Contract for Services (“Principal Agreement”) between the Company (acting as Data Controller) and Tracknow LTD (acting as Data Processor).
Whereas
The Company acts as a Data Controller.
The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
The Parties seek to implement a data processing agreement that complies with applicable law, including the EU General Data Protection Regulation (GDPR).
The Parties wish to lay down their respective rights and obligations in this Agreement.
1. Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the meanings set out below. Terms such as “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.
Agreement: this Data Processing Agreement and all Schedules.
Company Personal Data: any Personal Data processed by a Contracted Processor on behalf of Company under the Principal Agreement.
Contracted Processor: a Subprocessor.
Data Protection Laws: EU Data Protection Laws and, where applicable, the data protection or privacy laws of other countries.
GDPR: Regulation (EU) 2016/679.
EEA: European Economic Area.
Data Transfer: transfer of Company Personal Data outside the EEA in circumstances restricted by Data Protection Laws.
Services: affiliate tracking software services provided by Tracknow LTD.
Subprocessor: any third party appointed to process Personal Data on behalf of the Company.
2. Purpose, Nature, Duration, and Scope of Processing
Purpose: Personal Data is processed for the purpose of providing and improving the affiliate tracking software services of Tracknow LTD.
Nature: Processing includes collection, storage, transmission, analysis, and deletion of personal data in connection with the Services.
Duration: Personal Data shall be processed for the duration of the Principal Agreement, unless otherwise required by law.
Types of Personal Data: Identification data (e.g., name, email, phone number), login/account details, IP addresses, usage logs, and financial/payment-related information (if applicable).
Categories of Data Subjects: Customers, affiliates, website users, and end-users of the Company’s services.
3. Processing of Company Personal Data
Processor shall comply with all applicable Data Protection Laws in the processing of Company Personal Data and only process such data on documented instructions of the Company.
The Company instructs the Processor to process Company Personal Data for the purposes of providing the Services.
4. Processor Personnel
The Processor shall ensure access to Company Personal Data is limited to authorized personnel subject to confidentiality obligations.
5. Security
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in line with Article 32(1) of the GDPR.
6. Subprocessing
The Company authorizes the Processor to use affiliates and third-party Subprocessors, provided equivalent safeguards are applied and contracts are in place.
7. Data Subject Rights
The Processor shall assist the Company in responding to Data Subject requests and will not respond independently without Company instruction unless required by law.
8. Personal Data Breach
The Processor shall notify the Company without undue delay upon becoming aware of a Personal Data Breach and cooperate in investigations and remediation.
9. Data Protection Impact Assessment & Assistance
The Processor shall provide reasonable assistance to the Company in connection with data protection impact assessments and prior consultations required under Articles 35 and 36 GDPR.
The Processor shall also assist the Company with compliance obligations under Articles 32 to 36 GDPR, taking into account the nature of the processing and information available.
10. Deletion or Return of Company Personal Data
Upon cessation of Services, the Processor shall delete or return all Company Personal Data without undue delay and, in any case, within 10 business days unless retention is required by law.
11. Audit Rights
The Processor shall make available all necessary information to demonstrate compliance and allow audits as required by Data Protection Laws.
12. Data Transfers
The Company may transfer Personal Data outside the EEA where necessary to provide the Services. Where such transfers occur to countries without an adequacy decision, the Processor shall implement Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms.
13. Record-Keeping
The Processor shall maintain records of all categories of processing activities carried out on behalf of the Company, as required under Article 30(2) GDPR.
14. Liability and Indemnity
Each Party’s liability under this Agreement shall be subject to the limitations and exclusions of liability set out in the Principal Agreement, except where prohibited by Data Protection Laws.
15. General Terms
Confidentiality: Each Party shall keep this Agreement and any confidential information received from the other strictly confidential, except as required by law or where information is already public.
Notices: All notices under this Agreement must be in writing and delivered by post, personal delivery, or email to the Parties’ last notified business address or email address.
16. Governing Law and Jurisdiction
The governing law and forum for disputes under this DPA shall follow the Principal Agreement, unless otherwise required by applicable law.
17. Survival
Provisions which by their nature should survive termination shall remain in full force and effect, including but not limited to confidentiality, liability, and governing law.
