Expert Data Protection Addendum
This Directly Data Processing Addendum (the “DPA”) supplements, and is incorporated into, the Terms of Service (the “Terms”) between Directly and you as an Expert registered on our Marketplace Platform. The parties agree as follows:
1. Purpose and Scope.
1.1 Except as modified below, the Terms shall remain in full force and effect; if there’s any conflict between this DPA and the Terms or any other agreement between the parties, the provisions of this DPA shall take precedence.
1.2 The European Union General Data Protection Regulation 2016/679 (“GDPR”), which became effective on May 25, 2018, requires all Experts to contractually undertake certain data protection commitments with respect to “Personal Data” (as defined below) they may Process on Directly’s behalf. To ensure compliance with the GDPR, Experts must agree to the terms of this DPA.
All capitalized terms used but not defined in this DPA shall have the meaning given to them in the Terms.
2.1 “Confidential Information” means the definition ascribed in the Terms (see Terms, Section 7, Confidential Information).
2.2 “Data Protection Laws” means (a) any applicable law with respect to any Personal Data to which Directly is subject and (b) European Data Protection Laws.
2.3 “Data Subject Request” means a data subject’s request to exercise that person’s rights under Data Protection Laws in respect of that person’s Personal Data, including, without limitation, the right to access, correct, amend, transfer, obtain a copy of, object to the Processing of, restrict the Processing of or delete such Personal Data.
2.4 “European Data Protection Laws” means the GDPR, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), any national laws or regulations implementing the foregoing Directives, any applicable legislation of European Union Member States passed to implement the foregoing, and any other applicable data protection, privacy or data security laws or regulations in the European Economic Area, United Kingdom, Switzerland, or any other applicable European jurisdiction, in each case, as they may be amended, replaced or supplemented from time to time.
2.5 “Expert” means a natural person who is a party to this DPA.
2.6 “Personal Data” means any information about an identified or identifiable natural person and any other “personal data” governed by applicable Data Protection Laws that Expert Processes in connection with the Expert’s performance of the Services.
2.7 “Privacy Shield” means the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks established respectively by the European Commission and the United States Department of Commerce and the Swiss Administration and the United States Department of Commerce.
2.8 “Process” means any operation or set of operations which is performed on Restricted Information or sets of Restricted Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.9 “Restricted Information” refers collectively to “Confidential Information” and “Personal Data” of any source and includes any information Processed by Expert in connection with the Expert’s performance of the Services.
2.10 “Security Incident” means a reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
2.11 “Services” means Expert’s authorized participation, activity and content on and through Directly’s Marketplace Platform, including but not limited to, responses relating to tasks and questions about specific products and services for which the Expert is approved.
3. Your Data Protection Duties.
You acknowledge and agree to the following:
3.1 You will Process Personal Data only in accordance with the Terms, Data Protection Laws and Directly’s written instructions communicated by Directly to you from time to time in writing.
3.2 Without limiting the generality of sub-section 3.1, you agree as follows:
3.2.1 You will keep all Restricted Information in strictest confidence and will not copy, use, store, disclose or otherwise Process any Restricted Information except to perform the Services;
3.2.2 You will take appropriate technical and organizational measures (including but not limited to the Expert Standards (which are incorporated herein and may be updated by Directly from time to time)) to ensure the confidentiality, integrity and availability of any computers or other systems that you use to perform the Services and protect against the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Restricted Information transmitted, stored or otherwise Processed;
3.2.3 You will only subcontract, delegate or engage any other individual or entity to assist with performance of the Services with the prior written approval of Directly, and pursuant to the completion of a prior data protection and security audit, the implementation of additional data protection and security safeguards and other such measures as Directly reasonably determines is necessary under applicable law.
3.2.4 You will make available to Directly all information necessary to demonstrate compliance with the obligations set forth in this DPA and the Data Protection Laws and to allow Directly to conduct audits, including inspections, of your compliance with the obligations set forth in this DPA;
3.2.5 If instructed by Directly, you agree to promptly notify Directly and cooperate to provide the circumstances underlying any receipt or access of Personal Data and to confirm you have promptly and permanently deleted any such Personal Data in your possession, together with any existing copies, unless directed otherwise;
3.2.6 If you receive any request, demand, or inquiry regarding Personal Data (“Personal Data Request”) other than from Directly, including, without limitation, any Data Subject Request or other request received from a regulator or other governmental body, you agree to NOT respond to any such Personal Data Request except in accordance with Directly’s written instructions or as otherwise required by the Data Protection Laws;
3.2.7 You will promptly and without undue delay cooperate, assist, and take such action as Directly may reasonably request to allow Directly to fulfil its obligations to Customers and their Data Subjects or under Data Protection Laws in respect of such a Personal Data Request, including, without limitation, meeting any deadlines imposed by such obligations; You will notify Directly without undue delay and in no event later than 48 hours upon your becoming aware of a Security Incident, and provide Directly with sufficient information to allow it to meet any legal or contractual obligations to report the Security Incident;
3.2.8 You will cooperate with Directly and its authorized agents and representatives to take such reasonable steps as are directed by Directly to assist in the investigation, mitigation and remediation of any Security Incident;
3.2.9 You will provide reasonable assistance to Directly and its Customers with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Directly or its Customer reasonably considers to be required by the Data Protection Laws;
3.2.10 You will immediately inform Directly, in writing, if in your opinion, an instruction violates Data Protection Laws;
4. General Terms.
4.1 The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
4.2 This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in Terms, or if different, the laws required to govern under European Data Protection Laws.
4.3 Directly may amend this DPA from time to time as is reasonably necessary to comply with Data Protection Laws and such amendments shall become binding upon giving Expert notice of such changes.