DATA PROCESSING AGREEMENT
This Data Processing Agreement (the “DPA”) is a binding agreement between Administrateur immobilier numérique Wazo Inc. (“Wazo”) and User and governs the Processing of Personal Information of an Individual. This DPA is complementary to Wazo’s Terms of Service (“Terms”), to which it is attached.
When used in this DPA, capitalized terms and expressions have the corresponding meanings assigned to them by the DPA, and capitalized terms used in this DPA but not defined in the DPA have the meaning set forth in the Terms:
1.1. “Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information transmitted, stored or otherwise processed;
1.2. “Controller” means the User, or any other natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information;
1.3. “Data Protection and Privacy Laws” means all applicable laws, enactments, rules, regulations, orders, regulatory policies, pertaining to data privacy, data security and/or the protection of Personal Information;
1.4. “Personal Information” means any information relating to an identified or identifiable natural person (“Individual”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
1.5. “Processing” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
1.6. “Processor” means Wazo, or any other natural or legal person, public authority, agency or other body which processes Personal Information on behalf of the Controller;
1.7. “Pseudonymisation” means the Processing of Personal Information in such a manner that the Personal Information can no longer be attributed to a specific Individual without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Information is not attributed to an identified or identifiable natural person;
1.8. “Service” means the services provided by Wazo as set forth in the Terms.
1.9. “User” means the natural person or the company using Wazo’s Services as set forth in the Terms.
2. Mutual Acknowledgments and Agreements.
The parties acknowledge and agree as set out in this Section 2 in respect to each of the following:
2.1. Wazo as Processor. Wazo processes Personal Information on behalf of User, which acts as a Controller by determining, alone or jointly with others, the purposes and means of the Processing of such Personal Information.
2.2. Contract Governing the Carrying-out of Processing. The carrying-out of Processing by Processor is governed by this DPA, which sets out the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Information and categories of Individuals and the obligations and rights of User as Controller, and includes certain specific terms designed to ensure that Processing carried out by Processor meets all the requirements of privacy laws when applicable.
2.3. Governing law. This DPA is governed by and made under the laws and regulations of the Province of Quebec, Canada.
2.4. Conflict of Terms. If there is any inconsistency between the provisions of this DPA and those of the Terms, this DPA shall prevail.
2.5. Duration. The duration of the Processing by Processor on behalf of Controller shall be for the duration of the User’s right to use the Service and until all Personal Information for which User is the sole Controller is deleted or returned in accordance with Controller’s instructions or the conditions of the Terms.
2.6. Nature and Purpose. The nature and purpose of the Processing shall be to provide the Service to Controller pursuant to the Terms and other documentation provided by Wazo to User.
2.7. Type of Personal Information. The types of Personal Information processed by the Service include those relating to:
- Contact Information (name, address, phone number, email address);
- Billing information;
- Accounting information;
- Information related to estates.
2.8. Categories of Individuals. Processing of Personal Information by Processor on behalf of Controller is for the following categories of Individuals:
- Any Individual who is using the Service;
- Any Individual that may be linked to any estates; and
- The Controller, or any individual acting on its behalf.
3. Obligations and Responsibilities of Controller
3.1. Compliance with Data Protection and Privacy Laws. Controller shall, in its use of the Service, process Personal Information, and provide instructions for the Processing of Personal Information, in accordance with the requirements of all applicable Data Protection and Privacy Laws.
3.2. Accuracy, Quality, Legality and Means. Controller has sole responsibility for the accuracy, quality, and legality of Personal Information and the means by which Controller acquired Personal Information.
3.3. Independent Determination. Controller is solely responsible for making an independent determination as to whether the technical and organizational measures of the Service meet Controller’s requirements (including any security obligations under applicable data protection laws and regulations, as the case may be).
3.4. Security Practices and Policies. Controller acknowledges and agrees that, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of its Personal Information as well as the risks to Individuals, the security practices and policies implemented and maintained by Processor provide a level of security appropriate to the risk with respect to Personal Information for which User is the Controller.
3.5. Privacy Protections and Security Measures. Controller is responsible for implementing and maintaining privacy protections and security measures for components that Controller provides or controls if any.
3.6. Indemnification for Violation of Individual’s Rights. If an Individual brings a claim directly against Processor for a violation of the Individual’s rights, Controller will indemnify Processor for any damages caused to Processor by such a claim, to the extent that Processor has notified Controller about the claim and given Controller the opportunity to cooperate with Processor in the defense and settlement of the claim.
4. Obligations and Responsibilities of Processor
4.1. Documented Instructions. Processor will process the Personal Information only as described in the Terms, including with regard to transfers of Personal Information to a third country, unless required to do so by a law to which Processor is subject; in such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
4.2. Confidentiality. Processor will ensure that persons authorized to process the Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Individuals, Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:
- the Pseudonymisation and encryption of Personal Information;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- the ability to restore the availability and access to Personal Information in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing; and
- steps to ensure that any person acting under the authority of Processor who has access to Personal Information does not process them except on instructions from Controller, unless he or she is required to do so by law.
4.4. Engaging Another Processor. This paragraph 4.4 constitutes a general prior written authorization from Controller allowing Processor to recruit any other Processor. Processor will respect the following conditions for engaging another Processor, namely that:
- Processor will inform Controller of any intended changes concerning the addition or replacement of other processors; and
- where Processor engages another Processor for carrying out specific Processing activities on behalf of Controller, the same data protection obligations as set out in this DPA between Controller and Processor will be imposed on that other processor, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the laws and regulations applicable to such Processing.
4.5. Requests for Exercising Individual’s Rights. Taking into account the nature of the Processing, Processor will assist Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the rights granted to Individuals by applicable laws, which may include:
- Transparent information, communication and modalities for the exercise of the rights of the Individual;
- Information to be provided where Personal Information are collected from the Individual;
- Information to be provided where Personal Information have not been obtained from the Individual;
- Access by the Individual;
- Erasure (“right to be forgotten”);
- Restriction of Processing;
- Notification obligation regarding rectification or erasure of Personal Information or restriction of Processing;
- Data portability;
- Right to opt-out of sales;
- Right against discrimination;
- Right to object; and
- Right not to be subject to a decision based solely on automated Processing.
Processor will make available to Controller (in a manner consistent with the functionality of the Service and Wazo’s role as a Processor) Personal Information of Individuals and the ability to fulfill Individual requests to exercise their rights. If Processor receives a request from an Individual to exercise one or more of its rights in connection with the Service, Processor will redirect the Individual to make its request directly to Controller. Controller will be responsible for responding to any such request including, where necessary, by using the functionality of the Service.
4.6. Assistance of Controller. Taking into account the nature of Processing and the information available, Processor will assist Controller in ensuring compliance with applicable Data Protection and Privacy Laws, which may pertain to:
- Security of Processing;
- Notification of a Breach to a privacy commissioner or other competent regulatory authority;
- Communication of a Breach to the Individual;
- Data protection impact assessment; and
- Consultation with a competent regulatory authority prior to Processing where a data protection impact assessment indicates that the Processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk.
4.7. Breach. Processor will notify Controller without undue delay after becoming aware of a Breach. Such notification will at least:
- describe the nature of the Breach including where possible, the categories and approximate number of Individuals concerned and the categories and approximate number of Personal Information records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences and/or the risks of the Breach; and
- describe the measures taken or proposed to be taken by the Processor to address the Breach and protect the Personal Information, including, where appropriate, measures to reverse or mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
4.8. Deletion or Return of all Personal Information. Processor will, at the choice of Controller, delete or return all the Personal Information to Controller after the end of the provision of services relating to Processing, and delete existing copies unless applicable laws or regulations require storage of the Personal Information.
4.9. Information to Demonstrate Compliance. Processor will make available to Controller all information necessary to demonstrate compliance with privacy laws and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.
4.10. Aggregate and Anonymized Data. Notwithstanding the provisions of this DPA, Processor may use, reproduce, sell, publicize, or otherwise exploit Aggregate & Anonymized Data in any way, in its sole discretion.