Data Processing Agreement

THIS ADDENDUM (the “Addendum”) is valid with the email confirmation sent out with your order.

This Addendum is supplemental to and forms part of the terms of use available at https://easyonlineads.com/allgemeinegeschaeftsbedingungen (the “Agreement”) between:

1. 4th Wave Marketing Ltd, a company incorporated under the laws of Hong Kong with its registered office at Unit 2A, 17/F, Glenealy Tower, No.1 Glenealy, Central, Hong Kong S.A.R and company registration number 2577229 (the “Service Provider“), acting on its own behalf and as agent for each Service Provider Affiliate; and

2. The customer of this order (the “The Customerr“), acting on its own behalf and as agent for each Customer Affiliate.

Hereinafter individually or collectively referred to as a “Party” or the “Parties”.

Accepting the Data Processing Agreement

You may place orders with us as instructed on our Platform. Accepting the Data Processing Agreement is mandatory to our terms and conditions and is required to legally fulfill your order. Our acceptance of your order will take place when we email you to confirm it, at which point an agreement will come into existence between you and us.

Background

1. The Customer has engaged the Service Provider to provide services as stipulated in the Agreement. In the course of providing such services, the Service Provider may process Personal Data on behalf of the Customer.

2. The Customer and the Service Provider hereby enter into this Addendum to set out their respective responsibilities in respect of the processing of Personal Data as part of the Services.

Agreed terms

1. DEFINITIONS AND INTERPRETATION

1. The following definitions apply in this Addendum:

Applicable Laws:

(a) where a Data Controller is subject to EU Data Protection Laws in respect of (such part of) the Relevant Data, European Union or Member State laws; and

(b) where a Data Controller is subject to any other Data Protection Laws in respect of (such part of) the Relevant Data, any other applicable laws.

Control: the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.

Customer Affiliate: an entity that owns or Controls, is owned or Controlled by, or is or under common ownership or Control with the Customer. 

Data Controller: the Customer or any Customer Affiliate.

Data Processor: the Service Provider or any Service Provider Affiliate.

Data Protection Laws: EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

Data Subject: as defined in paragraph (1) of Article 4 of the GDPR.

Data Subject Request: as defined in Clause 5.1(a) of this Addendum.

EEA: the European Economic Area.

EU Data Protection Laws: EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

GDPR: the EU General Data Protection Regulation 2016/679.

Member State: member state of the European Union.

Personal Data: as defined in paragraph (1) of Article 4 of the GDPR.

Personal Data Breach: as defined in paragraph (12) of Article 4 of the GDPR.

Processing: as defined in paragraph (2) of Article 4 of the GDPR.

Processing Personnel: personnel of a Data Processor engaged in the Processing of the Relevant Data.

Relevant Data: any Personal Data Processed by a Data Processor on behalf of a Data Controller as part of the Services, as further described in Annex 1.

Restricted Transfer: as defined in Clause 10.

Services: the services to be provided or carried out by or on behalf of the Service Provider for any Data Controller pursuant to the Agreement.

Service Provider Affiliate: an entity that owns or Controls, is owned or Controlled by, or is or under common ownership or Control with the Service Provider.

Standard Contractual Clauses: the contractual clauses set out in Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of Personal Data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593), as amended from time to time pursuant to Clause 12.1.

Subprocessor: any person appointed by or on behalf of the Service Provider or any Service Provider Affiliate to Process Personal Data on behalf of any Data Controller in connection with the Agreement. For the avoidance of doubt, employees of the Service Provider or any Service Provider Affiliate are not Subprocessors in this Addendum.

Supervisory Authorities: as defined in paragraph (21) of Article 4 of the GDPR, and Supervisory Authority means any one of them.

2. Annexes form part of this Addendum and shall have effect as if set out in full in the body of this Addendum. Any reference to this Addendum includes the annexes.

3. Clause, annex, appendix, and paragraph headings shall not affect interpretation of this Addendum.

4. A reference to a person includes a natural person or a corporate or unincorporated body (whether or not having a separate legal personality).

5. Unless the context otherwise requires, words in the singular include the plural and in the plural include the singular, and a reference to one gender includes a reference to other genders.

6. A reference to writing or written includes fax and email.

7. Unless otherwise specified, any reference in this Addendum to a specific time refers to the time in Hong Kong.

8. References to statutory provisions or enactments shall include references to any amendment, modification, extension, consolidation, replacement, or re-enactment of any such provision or enactment (whether before or after the date of this Agreement), unless any such change imposes upon any Party any liabilities or obligations that are more onerous than as at the date of this Agreement.

2. PROCESSING OF RELEVANT DATA

1. The Data Controller hereby instructs the Data Processor to Process the Relevant Data (in particular, to transfer the Relevant Data to any country or territory) for the following purposes:

1. to enable the Data Controller to use the Services;

2. to comply with documented instructions provided by the Data Controller to the Data Processor (including via electronic communications); and 

3. as otherwise authorised under this Addendum. 

2. Details of the Processing of the Relevant Data are set out in Annex 1. The Customer may from time to time amend Annex 1 by giving notice in writing to the Service Provider.

3. The Data Processor will Process the Relevant Data in accordance with applicable Data Protection Laws and exclusively for the purposes set out in Clause 2.1, unless required under Applicable Laws, in which case the Data Processor will (to the extent permitted by Applicable Laws) inform the relevant Data Controller of such requirement prior to Processing.

4. The Data Processor will notify the Data Controller without undue delay if and when the Data Processor is of the view that an instruction for Processing the Relevant Data given by the Data Controller is not in compliance with Applicable Laws.

5. The Data Processor will implement and maintain appropriate technical and organisational measures to protect the Relevant Data against accidental or unlawful destruction or loss, alteration, or unauthorised disclosure or access, measures which will provide a level of security appropriate to the risk represented by the Processing and the nature of the Relevant Data. Details of such measures are set out in Annex 2. The Service Provider will regularly monitor compliance with these measures and may from time to time amend Annex 2 by giving notice in writing to the Customer.

6. Nothing in this Addendum relieves any Party of its own direct responsibilities and liabilities under applicable Data Protection Laws.

3. PROCESSING PERSONNEL

1. The Data Processor will ensure that the Processing Personnel: 

1. are aware of the confidential nature of the Relevant Data;

2. have received appropriate training on their responsibilities; and

3. have executed written confidentiality agreements. 

2. The Data Processor will ensure that the confidentiality obligations of the Processing Personnel will survive termination of his/her engagement.

3. The Data Processor will take commercially reasonable steps to ensure the reliability of all Processing Personnel.

4. SUBPROCESSING

1. The Data Processor may engage and may continue to engage Subprocessors in connection with the provision of the Services provided that such engagement is permitted under the Agreement and the obligations in Clause 4.2 are complied with. The Data Processor will, upon request by the Data Controller, provide a list to the Data Controller of Subprocessors currently engaged.

2. With respect to each Subprocessor, the Data Processor will:

1. conduct adequate due diligence to ensure the Subprocessor is capable of providing the level of protection to the Relevant Data as required by the Agreement and this Addendum;

2. procure that the Data Processor enters into a written contract with the Subprocessor to ensure that at least the same level of protection will be given to the Relevant Data as that required by the Agreement and this Addendum (including the execution of Standard Contractual Clauses where Restricted Transfer is involved);

3. provide copy of such written contract with the Subprocessor (which may be redacted to remove confidential commercial information not relevant to the requirements of this Addendum) as the Data Controller may request.

3. The engagement of additional Subprocessors, if permitted under the Agreement, is subject to prior consent by the Data Controller and compliance with the obligations in Clause 4.2. For the avoidance of doubt, where the Data Processor has entered into a data processing agreement with the Subprocessor that affords a level of protection equivalent to this Addendum, the consent by the Data Controller is deemed to have been given.

4. The Data Processor will give notice in writing to the proposed engagement of Subprocessor to the Data Controller. Any objection must be raised within five (5) business days, together with detailed grounds for objection. If the grounds for objection are not resolved, the Data Processor must not engage the proposed Subprocessor.

5. Where a Subprocessor fails to fulfill its data protection obligations, the Data Processor remains fully liable to the Data Controller for the performance of the Subprocessor’s obligations.

5. DATA SUBJECT RIGHTS

1. The Data Processor will:

1. promptly notify the Data Controller upon receiving any request from a Data Subject to exercise his/her rights in respect of any Relevant Data under Data Protection Laws (a “Data Subject Request”); and

2. not respond to such request except on documented instructions of the Data Controller or as required by Applicable Laws to which the Data Processor is subject, in which case the Data Processor will (to the extent permitted by Applicable Laws) inform the Data Controller of such legal requirement before the Data Processor responds to such request. 

2. If the Data Controller, in using the Services, is unable to address a Data Subject Request, the Data Processor will, upon the Data Controller’s request and to the extent legally permitted to do so and if the response to such Data Subject Request is required under Data Protection Laws, provide commercially reasonable efforts to assist the Data Controller in responding to such Data Subject Request. Cost for such assistance will be borne by the Data Controller.

3. Taking into account the nature of the Processing of the Relevant Data, the Data Processor will assist the Data Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligations to respond to Data Subject Requests.

6. PERSONAL DATA BREACH

1. Upon the Data Processor (or any Subprocessor) becoming aware of a Personal Data Breach affecting the Relevant Data, the Data Processor will:

1. notify the Data Controller without undue delay; and 

2. provide sufficient information to allow the Data Controller to meet its obligations under Data Protection Laws to report or inform Data Subjects of the Personal Data Breach.

2. The Data Processor will cooperate with the Data Controller and take such commercially reasonable steps as directed by the Data Controller to assist in the investigation, mitigation, and remedy of each Personal Data Breach. Cost for such assistance will be borne by the Data Controller.

7. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

1. Upon the request of a Data Controller, a Data Processor will provide reasonable cooperation and assistance to the Data Controller in data protection impact assessments relating to the Processing of the Relevant Data, provided that the Data Controller does not otherwise have access to the relevant information and to the extent that such information is available to the Data Processor.

2. Upon the request of a Data Controller, a Data Processor will provide reasonable cooperation and assistance to the Data Controller in any prior consultations with Supervisory Authorities (or other competent privacy authorities) relating to the Processing of the Relevant Data.

8. RETURN OR DELETION OF DATA

1. Upon the cessation of the Services, the Data Processor will:

1. at the choice of the Data Controller, return all Relevant Data to the Data Controller or delete all Relevant Data within thirty (30) day(s) from the date of cessation of the Services; and

2. delete all existing copies of the Relevant Data, except that the Data Processor may retain Relevant Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws, and provided always that the Data Processor will ensure the confidentiality of the Relevant Data and will ensure that the Relevant Data will only be Processed as necessary for purposes specified in the Applicable Laws.

2. Upon request, the Data Processor will provide written certification to the Data Controller that it (and each Service Provider Affiliate) has fully complied with the obligations under this clause.

9. AUDIT

1. If and when a Data Processor is subject to an audit, inspection, or other oversight measure taken by any Supervisory Authority that relates to the Processing of the Relevant Data, the Data Processor will promptly notify the Data Controller.

2. Upon a Data Controller’s request, with reasonable prior notice and subject to confidentiality obligations, a Data Processor will make available all information necessary to demonstrate the Data Processor’s compliance with the obligations set out in this Addendum, provided that the Data Controller will bear the costs for such audit and will take reasonable steps to avoid or minimise disrupting the Data Processor’s premises, personnel, and business. 

10. RESTRICTED TRANSFERS

Where Relevant Data is transferred from the European Union, the EEA and/or their Member States, Switzerland, or the United Kingdom to countries that do not ensure an adequate level of data protection within the meaning of Data Protection Laws (such transfer referred to as “Restricted Transfer”) as part of the Processing contemplated under this Addendum, each Data Controller (as “data exporter”) shall enter into the Standard Contractual Clauses with the relevant Data Processor (as “data importer”) in respect of the Restricted Transfer. 

11. ORDER OF PRECEDENCE

1. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

2. Subject to Clause 11.1, in the event of any conflict or inconsistency between this Addendum and any other agreements between the Parties (including the Agreement), this Addendum will prevail.

12. CHANGES IN DATA PROTECTION LAWS

1. Upon any change in Data Protection Laws, the Data Controller will:

1. amend the Standard Contractual Clauses by giving notice in writing to the Data Processor; and 

2. propose any other variations to this Addendum to address the requirements of any new or amended Data Protection Laws.

2. Upon the proposal of any variations pursuant to Clause 12.1(b), the Parties will negotiate in good faith with a view to agreeing and implementing such variations to address the requirements of any new or amended Data Protection Laws as soon as reasonably practicable.

13. INDEMNIFICATION

1. Subject to Clause 13.2, the parties agree that if one party is held liable for a breach of the terms of this Addendum, the party in breach will indemnify the other party for any cost, charge, damages, expenses or loss suffered or incurred by the other party.

2. Indemnification is contingent upon:

1. the Customer promptly notifying the Service Provider of a claim; and

2. the Service Provider being given the possibility to cooperate with the Customer in the defence and settlement of the claim.

14. AUTHORITY

1. The Service Provider warrants and represents that it is and will at all relevant times remain duly and effectively authorised to enter into this Addendum for and on behalf of each Service Provider Affiliate.

2. The Customer warrants and represents that it is and will at all relevant times remain duly and effectively authorised to enter into this Addendum for and on behalf of each Customer Affiliate. 

15. SEVERANCE

1. If any provision of this Addendum is or becomes invalid, illegal, or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable. If such modification is not possible, the relevant provision shall be deemed deleted. Any modification to or deletion of a provision under this clause shall not affect the validity and enforceability of the rest of this Addendum.

2. If any provision of this Addendum is invalid, illegal, or unenforceable, the Parties shall negotiate in good faith to amend such provision so that, as amended, it is legal, valid, and enforceable, and, to the greatest extent possible, achieves the intended commercial result of the original provision.

16. FORCE AND EFFECT

1. Save as supplemented or amended by this Addendum, the provisions of the Agreement shall remain in full force and effect and shall be read and construed with this Addendum as one document.

2. All references in the Agreement to the “Agreement” shall be read and construed as references to the Agreement as supplemented and amended by this Addendum. 

17. AMENDMENT OF THIS ADDENDUM

No variation of this Addendum shall be effective unless agreed upon by both parties.

18. COUNTERPARTS

This Addendum may be executed in any number of counterparts, each of which when executed shall constitute a duplicate original, but all the counterparts shall together constitute the one Addendum.

19. GOVERNING LAW AND JURISDICTION

The provisions on governing law and jurisdiction of the Agreement will apply to the provisions of this Addendum.

ANNEX 1

DETAILS OF PROCESSING

Subject matter	:	Personal data of your customers, prospective customers , email subscribers or website visitors.
Duration	:	The period of active service subscription.
Types of data	:	Name, email, phone number, billing and shipping address
Categories of data subject	:	End-users and prospective customers of the Customer
Obligations of the Customer	:	(1) ensure the legality of the means by which Personal Data is collected (2) comply with Applicable Laws in giving instructions for processing Personal Data
Rights of the Customer	:	Deletion of all Personal Data after the end of the Services, unless storage of Personal Data is required by Applicable Laws.

ANNEX 2

TECHNICAL AND ORGANISATIONAL MEASURES

Adoption and enforcement of internal policies and procedures, firewalls and authentication controls to maintain network security, physical access controls, restricted employee and contractor access, physical security protections such as intrusion detection systems, periodic evaluation, and security review.