Data Processing Addendum

This Data Processing Addendum (the “DPA”), entered into by the Linkdex customer identified on the applicable Order Form for Linkdex services (“Customer”) and Analytics SEO Limited (trading as "Linkdex" and/or “Authoritas”), governs the processing of personal data that Customer uploads or otherwise provides Linkdex in connection with the services and the processing of any personal data that Linkdex uploads or otherwise provide to Customer in connection with the services.

This DPA is incor­po­rat­ed into the rel­e­vant Linkdex Terms of Ser­vice attached to or incor­po­rat­ed by ref­er­ence into the Order Form pre­vi­ous­ly exe­cut­ed by Cus­tomer, referred to gener­i­cal­ly in this DPA as the “Linkdex Con­tract”. Col­lec­tive­ly, the DPA (includ­ing the SCCs, as defined here­in), the Linkdex Con­tract, and the applic­a­ble Order Form are referred to in this DPA as the “Agree­ment”. In the event of any con­flict or incon­sis­ten­cy between any of the terms of the Agree­ment, the pro­vi­sions of the fol­low­ing doc­u­ments (in order of prece­dence) shall pre­vail: (a) the SCCs; (b) this DPA; © the Linkdex Con­tract; and (d) the applic­a­ble Order Form to the Linkdex Con­tract. Except as specif­i­cal­ly amend­ed in this DPA, the Linkdex Con­tract and applic­a­ble Order Form remain unchanged and in full force and effect.

1. DEFINITIONS

Con­troller-to-Con­troller SCCs” means the Stan­dard Con­trac­tu­al Claus­es (Con­troller to Con­troller Trans­fers – Set II) in the Annex to the Euro­pean Com­mis­sion Deci­sion of Decem­ber 27, 2004, as may be amend­ed or replaced from time to time by the Euro­pean Com­mis­sion.

Con­troller-to-Proces­sor SCCs” means the Stan­dard Con­trac­tu­al Claus­es (Proces­sors) in the Annex to the Euro­pean Com­mis­sion Deci­sion of Feb­ru­ary 5, 2010, as may be amend­ed or replaced from time to time by the Euro­pean Com­mis­sion.

Cus­tomer Per­son­al Data” means Per­son­al Data (i) that Cus­tomer uploads or oth­er­wise pro­vides Linkdex in con­nec­tion with its use of Linkdex’ ser­vices or (ii) for which Cus­tomer is oth­er­wise a data con­troller.

Data Con­troller” means Cus­tomer.

Data Proces­sor” means Linkdex.

Data Pro­tec­tion Require­ments” means the Direc­tive, the Gen­er­al Data Pro­tec­tion Reg­u­la­tion, Local Data Pro­tec­tion Laws, any sub­or­di­nate leg­is­la­tion and reg­u­la­tion imple­ment­ing the Gen­er­al Data Pro­tec­tion Reg­u­la­tion, and all Pri­va­cy Laws.

Direc­tive” means the EU Data Pro­tec­tion Direc­tive 95/46/EC (as amend­ed).

EU Per­son­al Data” means Per­son­al Data the shar­ing of which pur­suant to this Agree­ment is reg­u­lat­ed by the Direc­tive, the Gen­er­al Data Pro­tec­tion Reg­u­la­tion and Local Data Pro­tec­tion Laws.

Gen­er­al Data Pro­tec­tion Reg­u­la­tion” means the Euro­pean Union Reg­u­la­tion on the pro­tec­tion of indi­vid­u­als with regard to the pro­cess­ing of per­son­al data and on the free move­ment of such data, and repeal­ing Direc­tive 95/46/EC.

Local Data Pro­tec­tion Laws” means any sub­or­di­nate leg­is­la­tion and reg­u­la­tion imple­ment­ing the Direc­tive or the Gen­er­al Data Pro­tec­tion Reg­u­la­tion which may apply to the Agree­ment.

Per­son­al Data” means infor­ma­tion about an indi­vid­ual that (a) can be used to iden­ti­fy, con­tact or locate a spe­cif­ic indi­vid­ual; (b) can be com­bined with oth­er infor­ma­tion that can be used to iden­ti­fy, con­tact or locate a spe­cif­ic indi­vid­ual; or © is defined as “per­son­al data” or “per­son­al infor­ma­tion” by applic­a­ble laws or reg­u­la­tions relat­ing to the col­lec­tion, use, stor­age or dis­clo­sure of infor­ma­tion about an iden­ti­fi­able indi­vid­ual.

Per­son­al Data Breach” means any acci­den­tal or unlaw­ful destruc­tion, loss, alter­ation, unau­tho­rised dis­clo­sure of, or access to Cus­tomer Per­son­al Data.

Pri­va­cy Laws” means all applic­a­ble laws, reg­u­la­tions, and oth­er legal require­ments relat­ing to (a) pri­va­cy, data secu­ri­ty, con­sumer pro­tec­tion, mar­ket­ing, pro­mo­tion, and text mes­sag­ing, email, and oth­er com­mu­ni­ca­tions; and (b) the use, col­lec­tion, reten­tion, stor­age, secu­ri­ty, dis­clo­sure, trans­fer, dis­pos­al, and oth­er pro­cess­ing of any Per­son­al Data.

Process” and its cog­nates mean any oper­a­tion or set of oper­a­tions which is per­formed on Per­son­al Data or on sets of Per­son­al Data, whether or not by auto­mat­ed means, such as col­lec­tion, record­ing, organ­i­sa­tion, struc­tur­ing, stor­age, adap­ta­tion or alter­ation, retrieval, con­sul­ta­tion, use, dis­clo­sure by trans­mis­sion, dis­sem­i­na­tion or oth­er­wise mak­ing avail­able, align­ment or com­bi­na­tion, restric­tion, era­sure or destruc­tion.

SCCs” means all Con­troller-to-Proces­sor SCCs and Con­troller-to-Con­troller SCCs entered into between the par­ties under the Agree­ment.

Sub­proces­sor” means any enti­ty which pro­vides pro­cess­ing ser­vices to Linkdex in fur­ther­ance of Linkdex’ pro­cess­ing on behalf of Cus­tomer.

Super­vi­so­ry Author­i­ty” means an inde­pen­dent pub­lic author­i­ty which is estab­lished by a Euro­pean Union mem­ber state pur­suant to Arti­cle 51 of the Gen­er­al Data Pro­tec­tion Reg­u­la­tion.

2. NATURE OF DATA PROCESSING

Each par­ty agrees to process Per­son­al Data received under the Agree­ment only for the pur­pos­es set forth in the Agree­ment. For the avoid­ance of doubt, the cat­e­gories of Per­son­al Data processed and the cat­e­gories of data sub­jects sub­ject to this DPA are described in Sched­ule A to this DPA.

3. COMPLIANCE WITH LAWS

The par­ties shall each com­ply with their respec­tive oblig­a­tions under all applic­a­ble Data Pro­tec­tion Require­ments.

4. CUSTOMER OBLIGATIONS

Cus­tomer agrees to:

4.1    Pro­vide instruc­tions to Linkdex and deter­mine the pur­pos­es and gen­er­al means of Linkdex’ pro­cess­ing of Cus­tomer Per­son­al Data in accor­dance with the Agree­ment; and

4.2    Com­ply with its pro­tec­tion, secu­ri­ty and oth­er oblig­a­tions with respect to Cus­tomer Per­son­al Data pre­scribed by Data Pro­tec­tion Require­ments for data con­trollers by: (a) estab­lish­ing and main­tain­ing a pro­ce­dure for the exer­cise of the rights of the indi­vid­u­als whose Cus­tomer Per­son­al Data are processed on behalf of Cus­tomer; (b) pro­cess­ing only data that has been law­ful­ly and valid­ly col­lect­ed and ensur­ing that such data will be rel­e­vant and pro­por­tion­ate to the respec­tive uses; and © ensur­ing com­pli­ance with the pro­vi­sions of this Agree­ment by its per­son­nel or by any third-par­ty access­ing or using Cus­tomer Per­son­al Data on its behalf.

5. LINKDEX OBLIGATIONS

5.1    Pro­cess­ing Require­ments. Linkdex will:

  1. Process Cus­tomer Per­son­al Data (i) only for the pur­pose of pro­vid­ing, sup­port­ing and com­mu­ni­cat­ing with you about Linkdex’ ser­vices (includ­ing to pro­vide insights, report­ing and oth­er gen­er­al indus­try relat­ed com­mu­ni­ca­tions), using appro­pri­ate tech­ni­cal and organ­i­sa­tion­al secu­ri­ty mea­sures; and (ii) in com­pli­ance with the instruc­tions received from Cus­tomer. Linkdex will not use or process the Cus­tomer Per­son­al Data for any oth­er pur­pose;
  2.     Inform Cus­tomer prompt­ly if, in Linkdex’ opin­ion, an instruc­tion from Cus­tomer vio­lates applic­a­ble Data Pro­tec­tion Require­ments;
  3.  If Linkdex is col­lect­ing Cus­tomer Per­son­al Data from indi­vid­u­als on behalf of Cus­tomer, fol­low Customer’s instruc­tions regard­ing such Cus­tomer Per­son­al Data col­lec­tion (includ­ing with regard to the pro­vi­sion of notice and exer­cise of choice);
  4. Take com­mer­cial­ly rea­son­able steps to ensure that (i) per­sons employed by it and (ii) oth­er per­sons engaged to per­form on Linkdex’ behalf com­ply with the terms of the Agree­ment;
  5. Ensure that its employ­ees, autho­rised agents and any Sub­proces­sors are required to com­ply with and acknowl­edge and respect the con­fi­den­tial­i­ty of the Cus­tomer Per­son­al Data, includ­ing after the end of their respec­tive employ­ment, con­tract or assign­ment;
  6. If it intends to engage Sub­proces­sors (in addi­tion to the list of cur­rent Linkdex Sub­proces­sors) to help it sat­is­fy its oblig­a­tions in accor­dance with this DPA or to del­e­gate all or part of the pro­cess­ing activ­i­ties to such Sub­proces­sors, to noti­fy Cus­tomer of such sub­con­tract­ing; (ii) remain liable to Cus­tomer for the Sub­proces­sors’ acts and omis­sions with regard to data pro­tec­tion where such Sub­proces­sors act on Linkdex’ instruc­tions; and (iii) enter into con­trac­tu­al arrange­ments with such Sub­proces­sors bind­ing them to pro­vide the same lev­el of data pro­tec­tion and infor­ma­tion secu­ri­ty to that pro­vid­ed for here­in;
  7. Upon request, pro­vide Cus­tomer with a sum­ma­ry of Linkdex’ pri­va­cy and secu­ri­ty poli­cies; and

5.2    Notice to Cus­tomer. Linkdex will inform Cus­tomer if Linkdex becomes aware of:

  1. Any non-com­pli­ance by Linkdex or its employ­ees with Sec­tions 5–8 of this DPA or the Data Pro­tec­tion Require­ments relat­ing to the pro­tec­tion of Cus­tomer Per­son­al Data processed under this DPA;
  2. Any legal­ly bind­ing request for dis­clo­sure of Cus­tomer Per­son­al Data by a law enforce­ment author­i­ty, unless Linkdex is oth­er­wise for­bid­den by law to inform Cus­tomer, for exam­ple, to pre­serve the con­fi­den­tial­i­ty of an inves­ti­ga­tion by law enforce­ment author­i­ties;
  3. Any notice, inquiry or inves­ti­ga­tion by a Super­vi­so­ry Author­i­ty with respect to Cus­tomer Per­son­al Data; or
  4. Any com­plaint or request (in par­tic­u­lar, requests for access to, rec­ti­fi­ca­tion or block­ing of Cus­tomer Per­son­al Data) received direct­ly from data sub­jects of Cus­tomer. Linkdex shall not respond to any such com­plaint or request with­out Customer’s pri­or writ­ten con­sent except to con­firm that such request relates to Cus­tomer to which Cus­tomer here­by agrees.

5.3    Assis­tance to Cus­tomer. Linkdex will pro­vide rea­son­able assis­tance to Cus­tomer regard­ing:

  1. Any requests from Cus­tomer data sub­jects in respect of access to or the rec­ti­fi­ca­tion, era­sure, restric­tion, porta­bil­i­ty, block­ing or dele­tion of Cus­tomer Per­son­al Data that Linkdex process­es for Cus­tomer. In the event that a data sub­ject sends such a request direct­ly to Linkdex, Linkdex will prompt­ly send such request to Cus­tomer;
  2. The inves­ti­ga­tion of Per­son­al Data Breach­es and the noti­fi­ca­tion to the Super­vi­so­ry Author­i­ty and Customer’s data sub­jects regard­ing such Per­son­al Data Breach­es; and
  3. Where appro­pri­ate, the prepa­ra­tion of data pro­tec­tion impact assess­ments and, where nec­es­sary, car­ry­ing out con­sul­ta­tions with any Super­vi­so­ry Author­i­ty.

5.4    Required Pro­cess­ing. If Linkdex is required by Data Pro­tec­tion Require­ments to process any Cus­tomer Per­son­al Data for a rea­son oth­er than pro­vid­ing the ser­vices described in the Agree­ment, Linkdex will inform Cus­tomer of this require­ment in advance of any pro­cess­ing, unless Linkdex is legal­ly pro­hib­it­ed from inform­ing Cus­tomer of such pro­cess­ing (e.g., as a result of secre­cy require­ments that may exist under applic­a­ble EU mem­ber state laws).

5.5    Secu­ri­ty. Linkdex will:

  1. Main­tain appro­pri­ate orga­ni­za­tion­al and tech­ni­cal secu­ri­ty mea­sures (includ­ing with respect to per­son­nel, facil­i­ties, hard­ware and soft­ware, stor­age and net­works, access con­trols, mon­i­tor­ing and log­ging, vul­ner­a­bil­i­ty and breach detec­tion and inci­dent response) to pro­tect against unau­tho­rized or acci­den­tal access, loss, alter­ation, dis­clo­sure or destruc­tion of Cus­tomer Per­son­al Data;
  2. Be respon­si­ble for the suf­fi­cien­cy of the secu­ri­ty, pri­va­cy, and con­fi­den­tial­i­ty safe­guards of all Linkdex per­son­nel with respect to Cus­tomer Per­son­al Data and liable for any fail­ure by such Linkdex per­son­nel to meet the terms of this DPA;
  3. Take rea­son­able steps to con­firm that all Linkdex per­son­nel are pro­tect­ing the secu­ri­ty, pri­va­cy and con­fi­den­tial­i­ty of Cus­tomer Per­son­al Data con­sis­tent with the require­ments of this DPA; and
  4. Noti­fy Cus­tomer of any Per­son­al Data Breach by Linkdex, its Sub­proces­sors, or any oth­er third-par­ties act­ing on Linkdex’ behalf with­out undue delay and in any event with­in 48 hours of becom­ing aware of a Per­son­al Data Breach.

6. AUDIT

If a Super­vi­so­ry Author­i­ty requires an audit of the data pro­cess­ing facil­i­ties from which Linkdex process­es Cus­tomer Per­son­al Data in order to ascer­tain or mon­i­tor Customer’s com­pli­ance with Data Pro­tec­tion Require­ments, Linkdex will coop­er­ate with such audit. Cus­tomer is respon­si­ble for all costs and fees relat­ed to such audit, includ­ing all rea­son­able costs and fees for any and all time Linkdex expends for any such audit, in addi­tion to the rates for ser­vices per­formed by Linkdex.

7. DATA TRANSFERS

For trans­fers of EU Per­son­al Data to Linkdex for pro­cess­ing by Linkdex in a juris­dic­tion oth­er than a juris­dic­tion in the EU, the EEA, or the Euro­pean Com­mis­sion-approved coun­tries pro­vid­ing ‘ade­quate’ data pro­tec­tion, Linkdex agrees it will (a) pro­vide at least the same lev­el of pri­va­cy pro­tec­tion for EU Per­son­al Data as required under the U.S.-EU and U.S.-Swiss Pri­va­cy Shield frame­works; or (b) use the stan­dard form of the Con­troller-to-Proces­sor SCCs. If data trans­fers under Sec­tion 7 of this DPA rely on Con­troller-to-Proces­sor SCCs to enable the law­ful trans­fer of EU Per­son­al Data, as set forth in the pre­ced­ing sen­tence, the par­ties agree that data sub­jects for whom Linkdex process­es EU Per­son­al Data are third-par­ty ben­e­fi­cia­ries under the Con­troller-to-Proces­sor SCCs. If Linkdex is unable or becomes unable to com­ply with these require­ments, then EU Per­son­al Data will be processed and used exclu­sive­ly with­in the ter­ri­to­ry of a mem­ber state of the Euro­pean Union and any move­ment of EU Per­son­al Data to a non-EU coun­try requires the pri­or writ­ten con­sent of Cus­tomer. Linkdex shall prompt­ly noti­fy Cus­tomer of any inabil­i­ty by Linkdex to com­ply with the pro­vi­sions of this Sec­tion 7.

8. DATA RETURN AND DELETION

The par­ties agree that on the ter­mi­na­tion of the data pro­cess­ing ser­vices or upon Customer’s rea­son­able request, Linkdex shall, and shall cause any Sub­proces­sors to, at the choice of Cus­tomer, return all the Cus­tomer Per­son­al Data and copies of such data to Cus­tomer or secure­ly destroy them and con­firm to Cus­tomer that it has tak­en such mea­sures, unless Data Pro­tec­tion Require­ments pre­vent Linkdex from return­ing or destroy­ing all or part of the Cus­tomer Per­son­al Data dis­closed. In such case, Linkdex agrees to pre­serve the con­fi­den­tial­i­ty of the Cus­tomer Per­son­al Data retained by it and that it will only active­ly process such Cus­tomer Per­son­al Data after such date in order to com­ply with applic­a­ble laws.

9. CONTROLLER-TO-CONTROLLER SCENARIOS

Each par­ty will, to the extent that it, along with the oth­er par­ty, acts as data con­troller, as the term is defined in applic­a­ble Data Pro­tec­tion Require­ments, with respect to Per­son­al Data, rea­son­ably coop­er­ate with the oth­er par­ty to enable the exer­cise of data pro­tec­tion rights as set forth in the Gen­er­al Data Pro­tec­tion Reg­u­la­tion and in oth­er Data Pro­tec­tion Require­ments. Where both par­ties each act as data con­troller with respect to Per­son­al Data, and the trans­fer of data between the par­ties results in a trans­fer of EU Per­son­al Data to a juris­dic­tion oth­er than a juris­dic­tion in the EU, the EEA, or the Euro­pean Com­mis­sion-approved coun­tries pro­vid­ing ‘ade­quate’ data pro­tec­tion, each par­ty agrees it will (a) pro­vide at least the same lev­el of pri­va­cy pro­tec­tion for EU Per­son­al Data as required under the U.S.-EU and U.S.-Swiss Pri­va­cy Shield frame­works; or (b) use the Con­troller-to-Con­troller SCCs, which are incor­po­rat­ed here­in by ref­er­ence.  If data trans­fers under this DPA rely on Con­troller-to-Con­troller SCCs to enable the law­ful trans­fer of Per­son­al Data, as set forth in the pre­ced­ing sen­tence, the par­ties agree that the fol­low­ing terms apply: (i) Data sub­jects for whom a Cus­tomer process­es EU Per­son­al Data are third-par­ty ben­e­fi­cia­ries under the Con­troller-to-Con­troller SCCs; (ii) Sched­ule A to this DPA shall apply as Annex B of the Con­troller-to-Con­troller SCCs; and (iii) for pur­pose of Sec­tion II(h), the data importer will process the EU Per­son­al Data, at its option, in accor­dance with “the rel­e­vant pro­vi­sions of any Com­mis­sion deci­sion pur­suant to Arti­cle 25(6) of Direc­tive 95/46/EC, where the data importer com­plies with the rel­e­vant pro­vi­sions of such an autho­ri­sa­tion or deci­sion and is based in a coun­try to which such an autho­ri­sa­tion or deci­sion per­tains, but is not cov­ered by such autho­ri­sa­tion or deci­sion for the pur­pos­es of the transfer(s) of the per­son­al data.” The par­ties acknowl­edge and agree that each is act­ing inde­pen­dent­ly as Data Con­troller with respect of Per­son­al Infor­ma­tion and the par­ties are not joint con­trollers as defined in the Gen­er­al Data Pro­tec­tion Reg­u­la­tion.

10. THIRD PARTY DATA PROCESSORS

Cus­tomer acknowl­edges that in the pro­vi­sion of some ser­vices, Linkdex, on receipt of instruc­tions from Cus­tomer, may trans­fer Cus­tomer Per­son­al Data to and oth­er­wise inter­act with third par­ty data proces­sors. Cus­tomer agrees that if and to the extent such trans­fers occur, Cus­tomer is respon­si­ble for enter­ing into sep­a­rate con­trac­tu­al arrange­ments with such third par­ty data proces­sors bind­ing them to com­ply with oblig­a­tions in accor­dance with Data Pro­tec­tion Require­ments. For the avoid­ance of doubt, such third par­ty data proces­sors are not Sub­proces­sors.

11. TERM

This DPA shall remain in effect as long as Linkdex car­ries out Per­son­al Data pro­cess­ing oper­a­tions on behalf of Cus­tomer or until the ter­mi­na­tion of the Linkdex Con­tract (and all Per­son­al Data has been returned or delet­ed in accor­dance with Sec­tion 8 above).

12. GOVERNING LAW, JURISDICTION, AND VENUE

Notwith­stand­ing any­thing in the Agree­ment to the con­trary, this DPA shall be gov­erned by the laws of Eng­land, and any action or pro­ceed­ing relat­ed to this DPA (includ­ing those aris­ing from non con­trac­tu­al dis­putes or claims) will be brought in Eng­land.

SCHEDULE A

ANNEX B – DESCRIPTION OF THE TRANSFER

  1. Data Sub­jects. The per­son­al data trans­ferred con­cern the fol­low­ing cat­e­gories of data sub­jects:

Depend­ing on the ser­vices used by the data exporter:

  • employ­ees of the data exporter; and
  • third par­ties that have, or may have, a com­mer­cial rela­tion­ship with the data exporter (e.g. cus­tomers, cor­po­rate sub­scribers and con­trac­tors).
  1. Pur­pos­es of the Trans­fer. The trans­fer is made for the fol­low­ing pur­pos­es:

The trans­fer is intend­ed to enable the data exporter to deter­mine the pur­pos­es and means of the pro­cess­ing of per­son­al data obtained through data importer’s prod­ucts to sup­port the busi­ness prac­tices of the data exporter.

  1. Cat­e­gories of Data. The per­son­al data trans­ferred con­cern the fol­low­ing cat­e­gories of data:

The data trans­ferred is the per­son­al data pro­vid­ed by the data exporter to the data importer in con­nec­tion with its use of Linkdex’ online search engine opti­mi­sa­tion and con­tent mar­ket­ing ser­vices, referred to as Cus­tomer Per­son­al Data in the Linkdex Sub­scrip­tion Agree­ment. Such per­son­al data may include first name, last name, email address, con­tact infor­ma­tion and IP address.

  1. Recip­i­ents. The per­son­al data trans­ferred may be dis­closed only to the fol­low­ing recip­i­ents or cat­e­gories of recip­i­ents:

Employ­ees and oth­er rep­re­sen­ta­tives of the data importer who have a legit­i­mate busi­ness pur­pose for the pro­cess­ing of such per­son­al data.

  1. Sen­si­tive Data (if appro­pri­ate). The per­son­al data trans­ferred con­cern the fol­low­ing cat­e­gories of sen­si­tive data:

None.

  1. Data Pro­tec­tion Reg­is­tra­tion Infor­ma­tion of Data Exporter (where applic­a­ble).

None.

  1. Addi­tion­al Use­ful Infor­ma­tion (stor­age lim­its and oth­er rel­e­vant infor­ma­tion).

The per­son­al data trans­ferred between the par­ties may only be retained for the peri­od of time per­mit­ted under the Agree­ment. The par­ties agree that each par­ty will, to the extent that it, along with the oth­er par­ty, acts as a data con­troller with respect to Per­son­al Data, rea­son­ably coop­er­ate with the oth­er par­ty to enable the exer­cise of data pro­tec­tion rights as set forth in the Data Pro­tec­tion Require­ments.

  1. Con­tact Infor­ma­tion. Con­tact points for data pro­tec­tion enquiries:

Data importer: Sig­na­to­ry to the Agree­ment between the par­ties

Data exporter: Sig­na­to­ry to the Agree­ment between the par­ties